From owner-freebsd-security Tue Apr 10 10:19:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id B033B37B424 for ; Tue, 10 Apr 2001 10:19:47 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id LAA11294; Tue, 10 Apr 2001 11:19:37 -0600 (MDT)
Message-Id: <4.3.2.7.2.20010410111026.045afcc0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 10 Apr 2001 11:19:33 -0600
To: Walter Hop
From: Brett Glass
Subject: Re: Will fixes for these FTP holes be MFC'ed in before release?
Cc: freebsd-security@freebsd.org
In-Reply-To: <15983947780.20010410185428@binity.com>
References: <4.3.2.7.2.20010410102556.04595560@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:54 AM 4/10/2001, Walter Hop wrote:

>Yes. http://www.cert.org/advisories/CA-2001-07.html says,
>
>"FreeBSD, Inc.
>
> FreeBSD is vulnerable to the glob-related bugs. We have corrected
> these bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and they
> will not be present in FreeBSD 4.3-RELEASE."

I did notice this. However, when I look back at the CVS repository, I see
that the most recently changed file is popen.c, which was changed 3 weeks
ago. The change was related to globbing, but doesn't seem to cover all of
the routines mentioned in

http://www.pgp.com/research/covert/advisories/048.asp

All of the other mods are significantly older. So it probably pays to
double-check and make sure that there are not still holes.

--Brett