Date: Thu, 11 Jan 2001 23:52:49 +0100
From: Berend de Boer <berend@pobox.com>
To: Mikhail Kruk <meshko@cs.brandeis.edu>
Cc: Trevor Johnson <trevor@jpj.net>, Jason DiCioccio <Jason.DiCioccio@Epylon.com>, security@FreeBSD.ORG, Jordan Hubbard <jkh@winston.osd.bsdi.com>
Subject: Re: CERT advisory: "Interbase Server Contains Compiled-in Back Door Account"
Message-ID: <3A5E3941.4040407@pobox.com>
References: <Pine.LNX.4.30.0101102022150.20113-100000@daedalus.cs.brandeis.edu>
Mikhail Kruk wrote:
>> The backdoor is not documented in the pkg-descr file for the port. If the
>> port is not fixed or forbidden, and it has the backdoor, the fact should
>> at least be documented there.
>
> I don't see how such a backdoor can be left in the package, even if there
> is a warning in pkg_descr.
> This is a potential remote exploit after all.

Hello All,

What do you think about this message when someone attempts to fetch the port:

  make fetch
  Sorry, this package cannot be fetched automagically.
  Point your browser to http://iblinux.rios.co.jp/intl/dloadfb/.
  And put the package in /usr/ports/distfiles.

  IMPORTANT NOTE: a security compromise has been detected for this package.
  Don't install this package on a server connected to the Internet or in
  insecure environments.
  Read http://www.cert.org/advisories/CA-2001-01.html for more information.

Would this be enough to remove the FORBIDDEN flag?

I'm attempting to get the patch for the FreeBSD platform, so this is just an
intermediate solution. I'm also attempting to make an InterBase 6 firebird
port as a more secure InterBase 6.

Greetings, Berend.
(-:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A5E3941.4040407>
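The message above weighs two ports-framework mechanisms against each other: the FORBIDDEN marker that currently blocks the port, and a fetch-time warning that would replace it. The following Makefile fragment is an added illustration of how those two look side by side; it is not the real databases/interbase port and not code posted by anyone in the thread. PORTNAME, PORTVERSION, DISTNAME and MAINTAINER are assumed values for the example; the variable and target names (FORBIDDEN, DISTDIR, DISTNAME, EXTRACT_SUFX, ECHO_MSG, pre-fetch, bsd.port.pre.mk/post.mk) are the standard bsd.port.mk ones.

```make
# Illustrative ports Makefile fragment, constructed for this example.
# It is NOT the real databases/interbase port; names below are assumed.

PORTNAME=	interbase
PORTVERSION=	6.0
CATEGORIES=	databases
MASTER_SITES=	# empty on purpose: the distfile has to be fetched by hand
DISTNAME=	interbase-${PORTVERSION}-fbsd   # assumed distfile name (.tar.gz)

MAINTAINER=	ports@example.org               # assumed

# Mechanism 1: the FORBIDDEN marker (the port's state at the time of the thread).
# While this line is present, every top-level target ("make", "make fetch",
# "make install", "make package") stops with "===> <pkgname> is forbidden: <reason>".
# Nothing below it in this file is ever reached, so nobody builds the port by accident.
FORBIDDEN=	compiled-in back door account, see http://www.cert.org/advisories/CA-2001-01.html

# bsd.port.pre.mk is included here so that DISTDIR and EXTRACT_SUFX are
# defined before the .if below evaluates them.
.include <bsd.port.pre.mk>

# Mechanism 2: the fetch-time warning proposed in the message above.
# Removing the FORBIDDEN line is what "remove the FORBIDDEN flag" means;
# after that, this is all that stands between the user and the backdoored build.
# Note the limits: the target only fires when the distfile is NOT already in
# ${DISTDIR}, and it never fires for a prebuilt package installed with pkg_add.
.if !exists(${DISTDIR}/${DISTNAME}${EXTRACT_SUFX})
pre-fetch:
	@${ECHO_MSG} "Sorry, this package cannot be fetched automagically."
	@${ECHO_MSG} "Point your browser to http://iblinux.rios.co.jp/intl/dloadfb/"
	@${ECHO_MSG} "and put the package in ${DISTDIR}."
	@${ECHO_MSG} ""
	@${ECHO_MSG} "IMPORTANT NOTE: a security compromise has been detected for this package."
	@${ECHO_MSG} "Don't install it on a server connected to the Internet or in insecure"
	@${ECHO_MSG} "environments. Read http://www.cert.org/advisories/CA-2001-01.html"
	@${FALSE}
.endif

.include <bsd.port.post.mk>
```

Read as a comparison: FORBIDDEN is enforced by the framework on every target and cannot be skipped by having the file in place already, whereas the pre-fetch message is informational and is only ever displayed to the person who runs `make fetch` on a machine where the distfile is missing. That difference is the substance of the objection in the quoted reply: a warning documents the backdoor, it does not prevent the backdoored server from being installed.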