From: "Michael Nottebrock"
To: "Michael Bryan"
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 22:23:43 +0200

----- Original Message -----
From: "Michael Bryan"
Sent: Tuesday, April 10, 2001 6:17 PM
Subject: Security Announcements?

>
> What's up (or not up) with security announcements these days?
> It's been some time since the NTP vulnerability came to light,
> and many other affected systems/products have made their
> announcements, but nothing official from FreeBSD yet. Now we
> have an FTP vulnerability hitting the streets too.
>
> [And the published list of advisories jumps from FreeBSD-SA-01:25
> to FreeBSD-SA-01:30, so it looks like 26-29 are in the pipeline?]
> [...]

I agree that there is need for improvement.
Let's just see what the other OS's security people are doing about the
recent ftpd-issue:

NetBSD:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-018.txt.asc

OpenBSD:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/025_glob.patch

FreeBSD:
Absolutely nothing, not even an official statement or some kind of
notification anywhere on the website. The fix is apparently done, but
nobody (well, okay, at least my very dumb own self) seems to know where
to get it or how to apply it.

Is this due to 4.3-Release stress? It certainly is starting to irritate
people running 4.2-Release.

I really do not want to piss on anybody's legs here, but, there _are_
quite a few sites running FreeBSD ftp-servers, aren't they?

Greetings,
Michael Nottebrock