Date: Tue, 14 Sep 2004 22:18:20 +0800
From: Xin LI
To: Dmitry Pryanishnikov
cc: freebsd-security@freebsd.org
cc: Volker Stolz
Subject: Re: multiple vulnerabilities in the cvs server code
Message-ID: <20040914141820.GA1728@frontfree.net>
In-Reply-To: <20040914162407.J77824@atlantis.atlantis.dp.ua>
X-GPG-key-ID/Fingerprint: 0xCAEEB8C0 / 43B8 B703 B8DD 0231 B333 DC28 39FB 93A0 CAEE B8C0
X-GPG-Public-Key: http://www.delphij.net/delphij.asc

On Tue, Sep 14, 2004 at 04:37:10PM +0300, Dmitry Pryanishnikov wrote:
> As I read in this SA, this vulnerability was fixed on 2004-05-20, before
> 4.10 was released, so 4.10-RELEASE isn't vulnerable, right? But portaudit

Yes, 4.10 is not vulnerable.

> still complains about FreeBSD-491000. Probably, wrong check in auditfile?
> Also, it would be nice if such an advisories advance kern.osreldate,
> so auditfile could check this automatically; e.g., I have 4.9-RELEASE-p11,
> which isn't vulnerable to this problem, but kern.osreldate is still 490000
> there. If Security Officer bumps src/sys/conf/newvers.sh, why he doesn't
> bump src/sys/sys/param.h?

I think it is not applicable to bump param.h, as it represents an ABI change,
which a security update should not introduce. (just my $0.02 :-)

Cheers,
-- 
Xin LI http://www.delphij.net/
See complete headers for GPG key and other information.