Date:      Mon, 15 May 2000 13:17:39 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        Visigoth <visigoth@telemere.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: qpopper discussion on BUGTRAQ
Message-ID:  <Pine.BSF.4.21.0005151314410.79374-100000@freefall.freebsd.org>
In-Reply-To: <Pine.BSF.4.21.0005150922270.70154-100000@shell.telemere.net>

On Mon, 15 May 2000, Visigoth wrote:

> 	I was just curious as to what the freebsd stance on the possible
> qpopper-2.53 vuln as is being discussed on BUGTRAQ.  Has this vuln been
> tested with the freebsd port?  Are there known issues?  I am going to
> (hopefully) be taking a look at the "exploitability" of the freebsd port
> for qpopper-2.53 but I was wondering if someone had already done all the
> work.  I understand that the exploit posted on bugtraq would need to be
> modified, but I am wondering if the security/ports team have taken care of
> the offending piece of code already (which is so often the case)...

I'm not sure which of the reported vulnerabilities you're referring to,
but in either case I know of the answer is "Blah blah blah, NOT
vulnerable..."

* BSD systems don't have the tempfile creation problems which can deny
service to a user's mailbox (only SYSV directory semantics)
* FreeBSD fixed the "fgets() wraparound" bug prior to the release of the
bugtraq advisory.

It's been on my plate to release an advisory about this since it was
fixed, but I've been sidetracked with other issues. My apologies - I'll try
and get my backlog cleared this week.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>


