Date: Wed, 15 May 2002 15:22:29 -0600
From: Brett Glass <brett@lariat.org>
To: Jeff Palmer <scorpio@drkshdw.org>, security@FreeBSD.ORG
Subject: Re: Patch/Announcement for DHCPD remote root hole?
Message-ID: <4.3.2.7.2.20020515145747.03240a90@nospam.lariat.org>
In-Reply-To: <5.1.0.14.0.20020515154731.00b5e870@mail.drkshdw.org>
References: <4.3.2.7.2.20020515132552.0313bbb0@nospam.lariat.org> <20020515120324.E69211@switchblade.cyberpunkz.org> <4.3.2.7.2.20020515101500.00e7fee0@nospam.lariat.org> <4.3.2.7.2.20020509175155.024efc00@nospam.lariat.org> <20020515105453K.matusita@jp.FreeBSD.org>
At 01:51 PM 5/15/2002, Jeff Palmer wrote:

>If CVSup is a programmers tool, and not an administrators tool..
>How is one supposed to keep his system updated and secure AFTER the initial install?

That's been exactly my point in earlier discussions. It should not be necessary to download and recompile the world to get a patch. New users aren't ready for that, nor should they be expected to be. And admins, who have many responsibilities and are virtually always overloaded, should not be burdened with that task.

Even more importantly, it shouldn't be the policy of the FreeBSD Project -- or the default behavior of its software -- to release software that, by default, installs on your machine software with known security holes.

I've been playing with /stand/sysinstall to see if it is even POSSIBLE for someone who installs FreeBSD to get the latest version of a port as a package. I used isc-dhcpd as my test case, since the lack of an updated package required me to do several rebuilds from source for clients. (They can install packages themselves, but don't understand how to rebuild from source.)

It turns out that if you go to the "Options" item on the menu, you can set a release name that governs where /stand/sysinstall looks for packages. Alas, for i386 releases, it's limited to

ftp://<ftp-server-you-picked>/pub/FreeBSD/releases/i386/<release-name>/

Now, if you go to ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ you'll notice that there are only a few releases there, and that NONE of them has a DHCPD package that is new enough to have the latest bug fixes. No matter how you set the release string, you can't get to one. You're guaranteed to have a vulnerable system after an FTP install.

I then checked out the Japanese snapshot server, at snapshots.jp.freebsd.org. Its packages had been updated more recently; it had isc-dhcp3-3.0.1.r8 instead of .r6. Trouble is, the root hole was fixed in .r9.

I couldn't find any way to direct /stand/sysinstall to a place where there was a package containing .r9, even though the bug has now been fully public for more than a week. This is simply not right. New installs should not get old, buggy software by default... and in this case they not only get it by default but have no choice.

--Brett Glass

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
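The practical question raised in the message is whether a freshly installed system carries an isc-dhcp3 package older than the 3.0.1.r9 fix. The following script is an added example, not code from the thread or from the FreeBSD Project: it parses package names in the `name-version` form that `pkg_info` prints (the sample listing below is constructed for the example) and flags any tracked package whose version sorts below the minimum fixed version. The version comparison treats a `.rN` suffix as a release candidate, so `3.0.1.r8 < 3.0.1.r9 < 3.0.1`; that ordering is an assumption about the port's naming, and FreeBSD port revisions (`_N`) are not handled.

```python
import re

# Constructed sample in the layout pkg_info prints: "<name>-<version>  <comment>".
# Not real output from any of the servers named in the message.
SAMPLE_PKG_LIST = """\
isc-dhcp3-3.0.1.r8  ISC Dynamic Host Configuration Protocol server
bash-2.05a          The GNU Bourne Again Shell
"""

# Minimum fixed version per package. The isc-dhcp3 entry comes from the
# message (the root hole was fixed in 3.0.1.r9); extend this table as needed.
MIN_FIXED = {"isc-dhcp3": "3.0.1.r9"}


def split_pkg_name(pkgname):
    """Split 'isc-dhcp3-3.0.1.r8' into ('isc-dhcp3', '3.0.1.r8').

    The version is everything after the last '-', which is how FreeBSD
    package names are built; the package name itself may contain dashes.
    """
    name, _, version = pkgname.rpartition("-")
    return name, version


def version_key(version):
    """Build a sortable key for a dotted version with optional rc markers.

    Numeric components rank 2, the end-of-version sentinel ranks 1 and a
    letter marker such as 'r9' ranks 0, so that a release candidate sorts
    below the final release and an extra numeric component sorts above it:
        3.0.1.r8 < 3.0.1.r9 < 3.0.1 < 3.0.1.1
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    key = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.isdigit():
            key.append((2, int(tok)))
            i += 1
            continue
        # Letter marker (e.g. 'r' for release candidate); the number that
        # follows it, if any, orders candidates among themselves.
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if nxt.isdigit():
            key.append((0, tok.lower(), int(nxt)))
            i += 2
        else:
            key.append((0, tok.lower(), 0))
            i += 1
    key.append((1,))  # sentinel: "no more components"
    return key


def is_vulnerable(pkgname, minimum_fixed=MIN_FIXED):
    """True if the package is tracked and older than its fixed version,
    False if it is at or above the fix, None if it is not a tracked package."""
    name, version = split_pkg_name(pkgname)
    if name not in minimum_fixed:
        return None
    return version_key(version) < version_key(minimum_fixed[name])


def audit(pkg_list_text, minimum_fixed=MIN_FIXED):
    """Scan a pkg_info-style listing and return (name, installed, fixed)
    for every tracked package that is below its minimum fixed version."""
    findings = []
    for line in pkg_list_text.splitlines():
        if not line.strip():
            continue
        pkgname = line.split()[0]
        if is_vulnerable(pkgname, minimum_fixed):
            name, version = split_pkg_name(pkgname)
            findings.append((name, version, minimum_fixed[name]))
    return findings


if __name__ == "__main__":
    for name, installed, fixed in audit(SAMPLE_PKG_LIST):
        print("%s: installed %s, fixed in %s" % (name, installed, fixed))
```

On a live system the listing would be fed in from `pkg_info` rather than the embedded sample; the point of the check is to make the gap the message describes (an install that lands on .r6 or .r8 when the fix is in .r9) visible before the service is exposed.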