Re: multiple vulnerabilities in the cvs server code

From: Dmitry Pryanishnikov (dmitry_at_atlantis.dp.ua)
Date: 09/14/04

    Date: Tue, 14 Sep 2004 17:32:35 +0300 (EEST)
    To: Xin LI <delphij@frontfree.net>
    
    

    On Tue, 14 Sep 2004, Xin LI wrote:
    >> Also, it would be nice if such advisories advanced kern.osreldate,
    >> so auditfile could check this automatically; e.g., I have 4.9-RELEASE-p11,
    >> which isn't vulnerable to this problem, but kern.osreldate is still 490000
    >> there. If the Security Officer bumps src/sys/conf/newvers.sh, why doesn't he
    >> bump src/sys/sys/param.h?
    >
    > I think it is not applicable to bump param.h, as it represents an ABI change,
    > which a security update should not introduce. (just my $0.02 :-)

      Then there should be another possibility to get the release "patch level" - maybe
    by parsing kern.osrelease? In any case, it would be nice to add such a
    check, so portaudit won't complain when the base system isn't vulnerable.

    Sincerely, Dmitry

    -- 
    Atlantis ISP, System Administrator
    e-mail:  dmitry@atlantis.dp.ua
    nic-hdl: LYNX-RIPE
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
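
The check suggested in the message above (read the patch level out of kern.osrelease and compare it with the level an advisory was corrected in), sketched as an added example that is not part of the original message and is not portaudit's code. The function names are hypothetical, and the "corrected in" level and sample release strings are constructed for illustration.

```sh
#!/bin/sh
# Added illustration; function names are hypothetical, not portaudit's.

# split_release STR
#   Sets REL_BASE (e.g. "4.9-RELEASE") and REL_PATCH (e.g. 11; 0 when
#   there is no -pN suffix). Returns 1 if STR is not a release string.
split_release() {
    case $1 in
        *-p[0-9]*) REL_BASE=${1%-p*}; REL_PATCH=${1##*-p} ;;
        *)         REL_BASE=$1;       REL_PATCH=0 ;;
    esac
    case $REL_PATCH in
        ''|*[!0-9]*) return 1 ;;
    esac
    case $REL_BASE in
        [0-9]*.[0-9]*-?*) return 0 ;;
    esac
    return 1
}

# patch_status RUNNING FIXED
#   0  same release, RUNNING patch level >= FIXED: do not complain
#   1  same release, lower patch level: report as vulnerable
#   2  unparseable or different release: patch level decides nothing
patch_status() {
    split_release "$1" || return 2
    run_base=$REL_BASE
    run_patch=$REL_PATCH
    split_release "$2" || return 2
    [ "$run_base" = "$REL_BASE" ] || return 2
    [ "$run_patch" -ge "$REL_PATCH" ] && return 0
    return 1
}

# Constructed sample values; on a live system RUNNING would come from
#   sysctl -n kern.osrelease
fixed="4.9-RELEASE-p11"   # assumed "corrected in" level, for illustration
for running in 4.9-RELEASE-p11 4.9-RELEASE-p3 4.9-RELEASE 4.10-RELEASE garbage; do
    rc=0
    patch_status "$running" "$fixed" || rc=$?
    echo "$running vs $fixed -> $rc"
done
```

Status 2 is kept separate from 1 so that a caller can fall back to another check instead of treating an unrecognized release string as patched.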
    
