Date: Sun, 12 May 2002 07:50:01 -0400
From: Chris Faulhaber
To: Brett Glass
Cc: security@freebsd.org
Subject: Re: DHCPD bug
Message-ID: <20020512115001.GA9166@peitho.fxp.org>
In-Reply-To: <200205112302.RAA15457@forum.lariat.org>

On Sat, May 11, 2002 at 05:02:00PM -0600, Brett Glass wrote:
> There's a nasty bug in ISC's DHCPD -- a remote root hole -- that affects
> the versions that have been provided as ports and packages in recent
> releases. See
>
> http://www.extremetech.com/article/0,3396,apn=2&s=1024&a=26709&ap=1,00.asp
>
> for a description of the problem. The version of the port that's online
> has been updated to close the hole, but the package hasn't -- which means

I assume you first emailed portmgr@FreeBSD.org (since they work the
packages) or perhaps admins@FreeBSD.org or hub@FreeBSD.org (who
maintain the various FreeBSD machines) and you received no response
so you are trying to contact them using the -security list.

> that users installing FreeBSD who grab the daemon via /stand/sysinstall
> will find themselves vulnerable. Also, no advisory has been issued....
> One should be.
>

As Jacques stated, a Security Notice is in the works for this and
other recently-vulnerable ports/packages.

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org