Date: Wed, 11 Jul 2001 15:48:52 -0700
From: Dima Dorfman <dima@unixfreak.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: "Jacques A. Vidrine" <n@nectar.com>, Jason DiCioccio <jdicioccio@epylon.com>, "'security@freebsd.org'" <security@freebsd.org>, kris@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:
Message-ID: <20010711224852.B97183E31@bazooka.unixfreak.org>
In-Reply-To: <20010711114459.B86556@xor.obsecurity.org>; from kris@obsecurity.org on "Wed, 11 Jul 2001 11:44:59 -0700"

Kris Kennaway <kris@obsecurity.org> writes:
> On Wed, Jul 11, 2001 at 10:46:09AM -0500, Jacques A. Vidrine wrote:
> > On Tue, Jul 10, 2001 at 06:59:57PM -0700, Dima Dorfman wrote:
> > > Jason DiCioccio <jdicioccio@epylon.com> writes:
> > > > So then I'm guessing this has been 3.5-STABLE is not vulnerable?
> > > > Just want to be sure :-)
> > >
> > > What makes you say that? The necessary fix isn't present in RELENG_3,
> > > and I doubt that there's something else which hides the issue.
> >
> > I haven't double-checked, but it looks like this bug was enabled by
> > revision 1.54 of src/sys/kern/kern_fork.c (allowing shared signal
> > handlers with rfork). That would include 3.1-RELEASE and all
> > following releases.
>
> As was announced several months ago, we are no longer requiring
> security fixes for locally exploitable vulnerabilities under RELENG_3,
> only network-exploitable vulnerabilities.

Right, I saw the announcement and totally agree with it; you have
enough work to do as it is. Does this mean, however, that individual
developers or contributors can't fix the holes after the advisory?
I.e., is there any reason why I shouldn't apply the patch to RELENG_3?

Dima Dorfman
dima@unixfreak.org