From owner-freebsd-ports Wed Apr 26 11:40: 6 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 9863337B72A for ; Wed, 26 Apr 2000 11:40:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id LAA65496; Wed, 26 Apr 2000 11:40:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Date: Wed, 26 Apr 2000 11:40:02 -0700 (PDT)
Message-Id: <200004261840.LAA65496@freefall.freebsd.org>
To: freebsd-ports@FreeBSD.org
Cc:
From: Kris Kennaway
Subject: Re: ports/18208: Reported Vulnerability in ncurses
Reply-To: Kris Kennaway
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR ports/18208; it has been noted by GNATS.

From: Kris Kennaway
To: smedina@idefense.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/18208: Reported Vulnerability in ncurses
Date: Wed, 26 Apr 2000 11:35:05 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 25 Apr 2000 smedina@idefense.com wrote:

> The purpose of this email is twofold: 1) to inform you of a reported
> vulnerability by a third party, not myself, involving one of your
> products, and 2) to obtain confirmation/clarification and knowledge of
> any measures taken to address this in the event it is viable.

Thanks for the notification. Unfortunately the security officers only found out about the bug at the same time the rest of the world did (when it was announced on Bugtraq), but it was fixed in -stable as of last night. I'm working on an advisory at present.

The impact of the bug was much less severe than the bugtraq report would lead you to believe: it IS a security issue, but it doesn't pose a threat to anything in the base system, and only poses a major threat to certain badly-coded ports (the only one we know of at the moment which allows a local root exploit is an old version of the net/mtr port, which was already the subject of FreeBSD Advisory 00:09 and was fixed a month and a half ago after a separate vulnerability was discovered).

For future reference, a more appropriate forum to send security concerns is security-officer@FreeBSD.org which reaches the FreeBSD Security Officer team, or security@freebsd.org which is a general-audience mailing list for discussion of FreeBSD security.

Thanks for your report!

Kris

- ----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Comment: Made with pgp4pine 1.74
Charset: noconv

iQCVAwUBOQc231UuHi5z0oilAQEPdAP/cqX+EKIbW0y4x2kX+A5/h/bsviYzkPQK
jyqixdhvSSwGTBC6S1wxfGNC0f6h4Wfa9JLGbl/XOk+VUF4HGvZ3Op/DdwwZXkjP
6pzpwTzgwjlyH7y3mVt4sE9dF2pzB1TWGZm0m4dXeE6v74NG0fx0YnZlD3p5ui2E
VldKF3ViPow=
=4NEC
-----END PGP SIGNATURE-----