Date:      Wed, 15 May 2002 10:37:49 -0600
From:      Brett Glass <brett@lariat.org>
To:        Makoto Matsushita <matusita@jp.FreeBSD.org>
Cc:        security@FreeBSD.org
Subject:   Re: Patch/Announcement for DHCPD remote root hole?
Message-ID:  <4.3.2.7.2.20020515101500.00e7fee0@nospam.lariat.org>
In-Reply-To: <20020515105453K.matusita@jp.FreeBSD.org>
References:  <4.3.2.7.2.20020509175155.024efc00@nospam.lariat.org> <4.3.2.7.2.20020509175155.024efc00@nospam.lariat.org>

I think you misunderstood my message. Yes, the port is updated,
but the package is not. In fact, if you use /stand/sysinstall
to list the packages for 4.5-RELEASE on ftp.freebsd.org, you
see an entry for isc-dhcp3-3.0.1.r4, which is quite old.

This is a major security problem. Users who install FreeBSD 
(either over the Net or from a CD-ROM) and use /stand/sysinstall 
to bring in the package (which the program encourages them to do!) 
will instantly make their systems vulnerable. Whenever a port is
updated due to a security problem, the package on the FTP server
and mirrors should be rebuilt at the same time. Otherwise, every
new install -- even over the Net! -- is likely to be vulnerable.
This is not good for users, for the Net, or for FreeBSD's reputation.

--Brett


At 07:54 PM 5/14/2002, Makoto Matsushita wrote:

>brett> Are a patch and an announcement for the ISC DHCPD format string
>brett> vulnerability/remote root hole imminent?
>
>From FreeBSD-SN-02:02:
>
>> Port name:      isc-dhcp3
>> Affected:       versions < dhcp-3.0.1.r8_1
>> Status:         Fixed
>> Format string vulnerability when logging DNS-update request transactions.
>> <URL:http://www.cert.org/advisories/CA-2002-12.html>
>> <URL:http://www.ngsec.com/docs/advisories/NGSEC-2002-2.txt>
>
>Is it what you want?  ports/net/isc-dhcp3 is already fixed, updating
>to dhcp-3.0.1.r9.
>
>-- -
>Makoto `MAR' Matsushita


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
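The point of the thread is that the advisory's "Affected: versions < dhcp-3.0.1.r8_1" line is only useful if someone actually compares it against what the package index and installed packages carry. The following is an added example, not code from the thread, from FreeBSD or from ISC: a simplified comparator for FreeBSD-style package version strings (VERSION[_PORTREVISION][,PORTEPOCH], with "r"/"rc"/"a"/"b"/"pre" tags ranking before the plain release) that checks a package name such as isc-dhcp3-3.0.1.r4 against the advisory's fixed version. The comparison rules are an approximation written for this example, not FreeBSD's own pkg_version algorithm, and the package index it scans is constructed from the names that appear in the thread.

```python
import re

# Constructed sample of a package index, using the names mentioned in the
# thread; it is not the real 4.5-RELEASE package list.
SAMPLE_INDEX = [
    "isc-dhcp3-3.0.1.r4",
    "isc-dhcp3-3.0.1.r9",
    "isc-dhcp3-3.0.1.r8_1",
    "isc-dhcp3-3.0.1",
    "openssh-3.1_1",
]

# Pre-release tags rank below a plain release: 3.0.1.r8 is older than 3.0.1.
# (Assumed ordering for this example, not FreeBSD's exact table.)
PRERELEASE = {"a": -3, "b": -2, "pre": -1, "r": -1, "rc": -1}


def split_pkg_name(pkgname):
    """'isc-dhcp3-3.0.1.r4' -> ('isc-dhcp3', '3.0.1.r4'): version follows the last '-'."""
    name, sep, version = pkgname.rpartition("-")
    if not sep or not version or not version[0].isdigit():
        raise ValueError(f"not a NAME-VERSION package name: {pkgname!r}")
    return name, version


def parse_version(version):
    """Split 'VERSION[_PORTREVISION][,PORTEPOCH]' into (epoch, components, revision).

    Each component is a tuple that sorts correctly against the others:
      pre-release tag  -> (0, rank, number)   e.g. 'r4'  -> (0, -1, 4)
      plain number     -> (1, number, 0)      e.g. '3'   -> (1, 3, 0)
      unknown tag      -> (2, 0, number)      e.g. 'pl2' -> (2, 0, 2), treated as post-release
    """
    epoch = 0
    if "," in version:
        version, epoch_str = version.split(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.split("_", 1)
        revision = int(rev_str)
    components = []
    for number, tag, tag_number in re.findall(r"(\d+)|([A-Za-z]+)(\d*)", version):
        if number:
            components.append((1, int(number), 0))
        else:
            n = int(tag_number) if tag_number else 0
            rank = PRERELEASE.get(tag.lower())
            components.append((2, 0, n) if rank is None else (0, rank, n))
    return epoch, components, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version string a is older than, equal to, or newer than b."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:                      # epoch wins over everything else
        return (ea > eb) - (ea < eb)
    for x, y in zip(ca, cb):
        if x != y:
            return (x > y) - (x < y)
    if len(ca) != len(cb):
        a_is_longer = len(ca) > len(cb)
        extra = (ca if a_is_longer else cb)[min(len(ca), len(cb))]
        longer_is_newer = extra[0] != 0   # a trailing pre-release tag makes the longer one older
        return 1 if a_is_longer == longer_is_newer else -1
    return (ra > rb) - (ra < rb)      # same version: port revision decides


def is_affected(pkgname, fixed_version):
    """True when the package is older than the version the advisory says is fixed."""
    _, version = split_pkg_name(pkgname)
    return compare_versions(version, fixed_version) < 0


def scan_index(index, package, fixed_version):
    """Map every entry for `package` in the index to whether it is still affected."""
    return {p: is_affected(p, fixed_version)
            for p in index if split_pkg_name(p)[0] == package}


if __name__ == "__main__":
    # Fixed version from FreeBSD-SN-02:02 as quoted in the thread.
    for pkg, affected in scan_index(SAMPLE_INDEX, "isc-dhcp3", "3.0.1.r8_1").items():
        print(f"{pkg:24s} {'AFFECTED' if affected else 'ok'}")
```

Run against the sample index, the r4 entry that sysinstall offers is flagged, r9 and r8_1 pass, and the plain 3.0.1 release is recognised as newer than the r8_1 release candidate; a port revision bump (r8 versus r8_1) is also honoured, since that is exactly the kind of fix an advisory is likely to ship.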



