Date: Mon, 4 Aug 2003 20:11:30 +1000 From: Peter Jeremy <PeterJeremy@optushome.com.au> To: FreeBSD Security <FreeBSD-Security@freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath Message-ID: <20030804101130.GA51954@cirb503493.alcatel.com.au> In-Reply-To: <200308040004.h7404VVL030671@freefall.freebsd.org> References: <200308040004.h7404VVL030671@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote: >Affects: All releases of FreeBSD up to and including 4.8-RELEASE > and 5.0-RELEASE > FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC ... >V. Solution > >1) Upgrade your vulnerable system to 4.8-STABLE >or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8 >(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches >dated after the respective correction dates. I found the reference to RELENG_5_1 in the "Solutions" section but no reference to 5.1-RELEASE in the "Affects" section somewhat confusing. This is compounded by the failure to mention RELENG_5_0 in the "Solutions" section. I gather that 5.1-RELEASE is not vulnerable due to the realpath() rewrite in 1.14. May I suggest that in future, when a release is not vulnerable due to code rewrites or similar, this fact be explicitly mentioned. IMHO, it's far better to err on the side of caution when dealing with security issues. Peter
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030804101130.GA51954>