Date: Wed, 4 Oct 2000 00:24:19 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Matt Heckaman <matt@ARPA.MAIL.NET>
Cc: Mike Tancsa <mike@sentex.net>, freebsd-security@freebsd.org
Subject: Re: Fwd: BSD chpass
Message-ID: <Pine.BSF.4.21.0010040022390.35602-100000@achilles.silby.com>
In-Reply-To: <Pine.BSF.4.21.0010040116090.79727-100000@epsilon.lucida.qc.ca>

On Wed, 4 Oct 2000, Matt Heckaman wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've confirmed this to work on 3.5-STABLE as of Sep 21. It did NOT work on
> my 4.1-STABLE or 4.1.1-RELEASE machines, but they could still be
> vulnerable in a method outside the scope of the posted exploit. I just
> found out about this 5 minutes and ran to turn off the suid bit :P

Unless the nsswitch changes fixed it, 4.1.1 should still be vulnerable - there are no messages in the cvs logs for chpass indicating any security-related changes recently. (For both FreeBSD and OpenBSD.)

Looks like the guy didn't want to talk to vendors before posting.

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message