Date: Tue, 21 Nov 2000 04:02:13 -0500 (EST)
From: Trevor Johnson
To: Kris Kennaway
Cc: security-officer@FreeBSD.org, security@FreeBSD.org
Subject: Re: New security policy for FreeBSD 3.x
In-Reply-To: <20001121003406.A95525@citusc17.usc.edu>

> This is untrue - we were informed by Jouko Pynonnen on 2 Oct 2000,
> which is about the time it hit bugtraq, it was fixed 7 days later by
> the vendor and we imported it 2 days after that. You must be referring
> to some other problem.

It was only meant as an example, but: a buffer overflow bug in
libncurses, which had to do with malicious settings of the TERMCAP
environment variable, was reported in April on Bugtraq
(http://www.securityfocus.com/archive/1/56721), and FreeBSD was said to
be affected. I assumed that the recent ncurses advisory was supposed to
cover it.

> However, your general point is taken and it's something we'll
> consider.

Thank you.
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt