Re: multiple vulnerabilities in the cvs server code

From: Xin LI (delphij_at_frontfree.net)
Date: 09/14/04

  • Next message: Dmitry Pryanishnikov: "Re: multiple vulnerabilities in the cvs server code"

    Date: Tue, 14 Sep 2004 22:18:20 +0800
    To: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>

    On Tue, Sep 14, 2004 at 04:37:10PM +0300, Dmitry Pryanishnikov wrote:
    > As I read in this SA, this vulnerability was fixed on 2004-05-20, before
    > 4.10 was released, so 4.10-RELEASE isn't vulnerable, right? But portaudit

    Yes, 4.10 is not vulnerable.

    > still complains about FreeBSD-491000. Probably a wrong check in the auditfile?
    > Also, it would be nice if such advisories advanced kern.osreldate,
    > so the auditfile could check this automatically; e.g., I have 4.9-RELEASE-p11,
    > which isn't vulnerable to this problem, but kern.osreldate is still 490000
    > there. If the Security Officer bumps src/sys/conf/newvers.sh, why doesn't he
    > bump src/sys/sys/param.h?

    I think it is not applicable to bump param.h, as it represents an ABI change,
    which a security update should not introduce. (just my $0.02 :-)

    Cheers,

    -- 
    Xin LI <delphij frontfree net>	http://www.delphij.net/
    See complete headers for GPG key and other information.
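The false positive Dmitry describes comes from keying a vulnerability check on kern.osreldate alone: a patched 4.9-RELEASE-p11 still reports 490000, so a check of the form "osreldate < 491000" flags it even though the fix is present. The following is an added illustration, not code from the thread or from portaudit, showing a naive osreldate-only check beside one that also reads the patch level from the uname release string. The regular expression, the helper names, and the ASSUMED_FIXED_PATCHLEVELS table are assumptions of this example; the thread only states that 4.10-RELEASE and 4.9-RELEASE-p11 are fixed and does not name the first 4.9 patch level that carries the fix, so that value is a placeholder.

```python
import re

# Threshold quoted in the thread: the portaudit entry FreeBSD-491000, i.e. the
# fix is present on any system whose __FreeBSD_version is >= 491000.
OSRELDATE_FIXED = 491000

# PLACEHOLDER (not from the thread): first patch level of each RELEASE that
# carries the fix. A real check would take this from the security advisory.
ASSUMED_FIXED_PATCHLEVELS = {(4, 9): 9}

# Matches strings such as "4.9-RELEASE-p11" or "4.10-RELEASE" as printed by
# `uname -r`; the -pNN suffix is optional.
_REL_RE = re.compile(r"^(\d+)\.(\d+)-(RELEASE|STABLE|CURRENT)(?:-p(\d+))?$")


def parse_uname_release(rel):
    """Split a uname -r string into (major, minor, branch, patchlevel)."""
    m = _REL_RE.match(rel)
    if not m:
        raise ValueError(f"unrecognised release string: {rel!r}")
    major, minor, branch, p = m.groups()
    return int(major), int(minor), branch, (int(p) if p else 0)


def naive_vulnerable(osreldate, fixed_osreldate=OSRELDATE_FIXED):
    """What a check keyed only on kern.osreldate concludes.

    Security branch updates do not bump param.h, so a patched 4.9 system
    still reports 490000 and is wrongly reported as vulnerable here.
    """
    return osreldate < fixed_osreldate


def patchlevel_aware_vulnerable(uname_release, osreldate,
                                fixed_osreldate=OSRELDATE_FIXED,
                                fixed_patchlevels=ASSUMED_FIXED_PATCHLEVELS):
    """Combine kern.osreldate with the -pNN patch level from uname -r.

    Anything at or past the fixed osreldate is clean. Below it, a RELEASE
    branch is clean once its patch level reaches the advisory's value; for
    other branches, or releases with no known fixed patch level, stay
    conservative and report vulnerable.
    """
    if osreldate >= fixed_osreldate:
        return False
    major, minor, branch, patchlevel = parse_uname_release(uname_release)
    if branch != "RELEASE":
        return True
    fixed_p = fixed_patchlevels.get((major, minor))
    if fixed_p is None:
        return True
    return patchlevel < fixed_p


if __name__ == "__main__":
    # Constructed sample systems matching the ones discussed in the thread.
    for rel, osreldate in [("4.9-RELEASE-p11", 490000), ("4.10-RELEASE", 491000)]:
        print(rel, "naive:", naive_vulnerable(osreldate),
              "patch-aware:", patchlevel_aware_vulnerable(rel, osreldate))
```

The naive check reports the patched 4.9 system as vulnerable, which is the portaudit behaviour the thread complains about; the patch-level check clears it without requiring param.h to change, which is the ABI concern raised in the reply.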
    
    