Date: Wed, 26 Apr 2000 11:40:02 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: freebsd-ports@FreeBSD.org
Subject: Re: ports/18208: Reported Vulnerability in ncurses
Message-ID: <200004261840.LAA65496@freefall.freebsd.org>

The following reply was made to PR ports/18208; it has been noted by GNATS.

From: Kris Kennaway <kris@FreeBSD.org>
To: smedina@idefense.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/18208: Reported Vulnerability in ncurses
Date: Wed, 26 Apr 2000 11:35:05 -0700 (PDT)

On Tue, 25 Apr 2000 smedina@idefense.com wrote:

> The purpose of this email is twofold: 1) to inform you of a reported
> vulnerability by a third party, not myself, involving one of your
> products, and 2) to obtain confirmation/clarification and knowledge of
> any measures taken to address this in the event it is viable.

Thanks for the notification. Unfortunately the security officers only
found out about the bug at the same time the rest of the world did (when
it was announced on Bugtraq), but it was fixed in -stable as of last
night. I'm working on an advisory at present.

The impact of the bug was much less severe than the bugtraq report would
lead you to believe: it IS a security issue, but it doesn't pose a threat
to anything in the base system, and only poses a major threat to certain
badly-coded ports (the only one we know of at the moment which allows a
local root exploit is an old version of the net/mtr port, which was
already the subject of FreeBSD Advisory 00:09 and was fixed a month and a
half ago after a separate vulnerability was discovered).

For future reference, a more appropriate forum to send security concerns
is security-officer@FreeBSD.org which reaches the FreeBSD Security Officer
team, or security@freebsd.org which is a general-audience mailing list for
discussion of FreeBSD security.

Thanks for your report!

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>