Date: Mon, 23 Nov 1998 18:52:01 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: jdp@polstra.com (John Polstra)
Cc: tlambert@primenet.com, hackers@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
Message-ID: <199811231852.LAA21705@usr02.primenet.com>
In-Reply-To: <199811200316.TAA17171@vashon.polstra.com> from "John Polstra" at Nov 19, 98 07:16:13 pm
> > Someone should now go through the Sun CERT and other security
> > advisories; I think at last count there were 40 some-odd that
> > involved PAM.
>
> Per your suggestion back around August, I looked through them.  I
> didn't find anything relevant to us.  The advisories were either
> very old or they applied to modules that we don't use.
>
> Of course, it's entirely possible I missed an important one.  So
> anyone else is also encouraged to look for reports and see whether
> the problems exist in the code I imported.

You need to look at Bugtraq as well; go to:

	http://www.geek-girl.com/bugtraq/search.html

And search for "PAM".  Kick the "Maximum number of files returned"
up to 1000; you'll need it.

Also, I think the point of PAM is to let people use modules other
than the ones that we use... so that argument is rather pointless.

Here is a bug that will be common in network applications like
ftpd linked to use PAM:

	http://geek-girl.com/bugtraq/1998_1/0111.html

I don't know if you are using the rhost module, but if so, this
may be relevant:

	http://geek-girl.com/bugtraq/1997_4/0000.html

Also, PAM can become vulnerable based on libc implementation, since
it is a consumer of libc; here's one example:

	http://geek-girl.com/bugtraq/1997_2/0228.html

Of course, the list is so huge that I can't post it all here...

Also, is our qpopper port still vulnerable to:

	http://geek-girl.com/bugtraq/1998_2/0657.html

???  I know that it violates the POP3 RFC on an APOP auth failure
by not waiting for the "QUIT\r\n" after the "-ERR" before putting
up "+OK" and shutting down the connection, so it's pretty old...

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199811231852.LAA21705>
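The APOP behaviour Terry refers to above, shown as an added example that is not part of the original thread and not qpopper's or FreeBSD's code: a minimal POP3 AUTHORIZATION-state handler implementing APOP as RFC 1939 specifies it. The digest is the hex MD5 of the banner timestamp followed by the shared secret; on a bad digest the server answers "-ERR", stays in the AUTHORIZATION state and keeps the connection open for a retry or a QUIT, rather than closing it. The timestamp, mailbox names and secrets are constructed sample data; the one real value is the worked example from RFC 1939 section 7, which the code checks against.

```python
import hashlib
import hmac

# Constructed banner timestamp in the RFC 1939 "<process-ID.clock@hostname>" form.
SAMPLE_TIMESTAMP = "<1896.697170952@example.invalid>"


def apop_digest(timestamp, secret):
    """RFC 1939 APOP digest: hex MD5 over the exact banner timestamp plus the shared secret.

    Caveat: APOP is MD5-based and requires the server to hold the secret in
    cleartext, which is why it is obsolete; this only demonstrates the protocol.
    """
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


class Pop3Authorization:
    """Minimal server-side AUTHORIZATION state. Only APOP and QUIT are handled."""

    def __init__(self, timestamp, secrets):
        self.timestamp = timestamp
        self.secrets = secrets          # {mailbox: shared secret}, constructed sample data
        self.state = "AUTHORIZATION"
        self.closed = False

    def greeting(self):
        # The timestamp in the greeting is what the client must feed into its digest.
        return "+OK POP3 server ready " + self.timestamp

    def handle(self, line):
        """Process one client command line and return the server's one-line reply."""
        if self.closed:
            raise RuntimeError("connection already closed")
        parts = line.strip().split(" ")
        cmd = parts[0].upper()

        if cmd == "QUIT":
            # The only command that ends the session from AUTHORIZATION state.
            self.closed = True
            return "+OK POP3 server signing off"

        if cmd == "APOP":
            if len(parts) != 3:
                return "-ERR syntax: APOP name digest"
            name, presented = parts[1], parts[2].lower()
            # Compute a digest even for unknown mailboxes so the failure path
            # does not reveal which names exist through timing.
            secret = self.secrets.get(name, "")
            expected = apop_digest(self.timestamp, secret)
            ok = name in self.secrets and hmac.compare_digest(expected, presented)
            if ok:
                self.state = "TRANSACTION"
                return "+OK maildrop locked and ready"
            # RFC 1939: negative response, session stays in AUTHORIZATION state;
            # the client may try again or send QUIT. We do not close the socket here.
            return "-ERR permission denied"

        return "-ERR unknown command in AUTHORIZATION state"


def rfc1939_example_matches():
    """Check the digest routine against the worked example in RFC 1939 section 7."""
    ts = "<1896.697170952@dbc.mtview.ca.us>"
    return apop_digest(ts, "tanstaaf") == "c4c9334bac560ecc979e58001b3e22fb"


if __name__ == "__main__":
    srv = Pop3Authorization(SAMPLE_TIMESTAMP, {"alice": "s3cret"})
    print("S:", srv.greeting())
    print("C: APOP alice 0000")
    print("S:", srv.handle("APOP alice 0000"), "(state:", srv.state + ")")
    good = apop_digest(SAMPLE_TIMESTAMP, "s3cret")
    print("C: APOP alice " + good)
    print("S:", srv.handle("APOP alice " + good), "(state:", srv.state + ")")
```

Run stand-alone it prints both sides of the exchange: the failed APOP leaves the session in AUTHORIZATION and open, and the correct digest for the same banner moves it to TRANSACTION. A client that reuses a digest from an earlier banner fails, since the timestamp is part of the hash.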