Date: Tue, 10 Oct 2000 21:55:15 -0400 (EDT)
From: Trevor Johnson
To: Mike Silbersack
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)

> Well, the advisory states that ncurses 5.0 and before are vulnerable. It
> looks like 5.1-prerelease is what 4.1+ are using. So, until we hear more
> from warner/kris, I'm assuming that 4.0/3.x are vulnerable, but 4.1+ is
> safe.

The fixes were applied in ncurses-20001007. We have ncurses-20000701.
I'm attempting to prepare ncurses-20001009 for importing:
http://people.freebsd.org/~trevor/ncurses/ . I've mentioned it to Peter
Wemm. It needs more testing though (I haven't even done a "make world").
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt