Date: Thu, 11 Jan 2001 19:33:36 +0100
From: Berend de Boer <berend@pobox.com>
To: Mikhail Kruk <meshko@cs.brandeis.edu>, Ann Harrison <aharrison@ibphoenix.com>
Cc: Trevor Johnson <trevor@jpj.net>, Jason DiCioccio <Jason.DiCioccio@Epylon.com>, security@FreeBSD.ORG
Subject: Re: CERT advisory: "Interbase Server Contains Compiled-in Back Door Account"
Message-ID: <3A5DFC80.6060208@pobox.com>
References: <Pine.LNX.4.30.0101102022150.20113-100000@daedalus.cs.brandeis.edu>

Mikhail Kruk wrote:

>> The backdoor is not documented in the pkg-descr file for the port. If the
>> port is not fixed or forbidden, and it has the backdoor, the fact should
>> at least be documented there.
>
> I don't see how such a backdoor can be left in the package, even if there
> is a warning in pkg_descr.
> This is a potential remote exploit after all.

The InterBase package cannot be installed without explicitly downloading
it. The Makefile requests you to the directory where you have to download
it yourself. I think a message stating this would be sufficient.

I attempt to submit a patch tonight. In the meantime I attempt to contact
Ann Harrison (with this message), that I'm willing to help the security
patch for InterBase 4 for FreeBSD.

Groetjes,

Berend. (-: