Date:      Wed, 26 Apr 2000 11:40:02 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        freebsd-ports@FreeBSD.org
Subject:   Re: ports/18208: Reported Vulnerability in ncurses
Message-ID:  <200004261840.LAA65496@freefall.freebsd.org>

The following reply was made to PR ports/18208; it has been noted by GNATS.

From: Kris Kennaway <kris@FreeBSD.org>
To: smedina@idefense.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/18208: Reported Vulnerability in ncurses
Date: Wed, 26 Apr 2000 11:35:05 -0700 (PDT)

 -----BEGIN PGP SIGNED MESSAGE-----
 
 On Tue, 25 Apr 2000 smedina@idefense.com wrote:
 
 > The purpose of this email is twofold: 1) to inform you of a reported
 > vulnerability by a third party, not myself, involving one of your
 > products, and 2) to obtain confirmation/clarification and knowledge of
 > any measures taken to address this in the event it is viable.
 
 Thanks for the notification. Unfortunately the security officers only
 found out about the bug at the same time the rest of the world did (when
 it was announced on Bugtraq), but it was fixed in -stable as of last
 night. I'm working on an advisory at present.
 
 The impact of the bug was much less severe than the bugtraq report would
 lead you to believe: it IS a security issue, but it doesn't pose a threat
 to anything in the base system, and only poses a major threat to certain
 badly-coded ports (the only one we know of at the moment which allows a
 local root exploit is an old version of the net/mtr port, which was
 already the subject of FreeBSD Advisory 00:09 and was fixed a month and
 a half ago after a separate vulnerability was discovered).
 
 For future reference, a more appropriate forum to send security concerns
 is security-officer@FreeBSD.org which reaches the FreeBSD Security Officer
 team, or security@freebsd.org which is a general-audience mailing list for
 discussion of FreeBSD security.
 
 Thanks for your report!
 
 Kris
 
 - ----
 In God we Trust -- all others must submit an X.509 certificate.
     -- Charles Forsythe <forsythe@alum.mit.edu>
 
 
 -----BEGIN PGP SIGNATURE-----
 Version: PGPfreeware 5.0i for non-commercial use
 Comment: Made with pgp4pine 1.74
 Charset: noconv
 
 iQCVAwUBOQc231UuHi5z0oilAQEPdAP/cqX+EKIbW0y4x2kX+A5/h/bsviYzkPQK
 jyqixdhvSSwGTBC6S1wxfGNC0f6h4Wfa9JLGbl/XOk+VUF4HGvZ3Op/DdwwZXkjP
 6pzpwTzgwjlyH7y3mVt4sE9dF2pzB1TWGZm0m4dXeE6v74NG0fx0YnZlD3p5ui2E
 VldKF3ViPow=
 =4NEC
 -----END PGP SIGNATURE-----
 
 
 

