Date: Sat, 25 Nov 2000 19:01:46 -0800
From: Alfred Perlstein <bright@wintelcom.net>
To: "Brian F. Feldman" <green@FreeBSD.org>
Cc: obrien@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/inetd builtins.c
Message-ID: <20001125190146.Q8051@fw.wintelcom.net>
In-Reply-To: <200011260209.eAQ29N572833@green.dyndns.org>; from green@FreeBSD.org on Sat, Nov 25, 2000 at 09:09:23PM -0500
References: <obrien@FreeBSD.org> <200011260209.eAQ29N572833@green.dyndns.org>

* Brian F. Feldman <green@FreeBSD.org> [001125 18:09] wrote:
> "David O'Brien" <obrien@FreeBSD.org> wrote:
> > On Sat, Nov 25, 2000 at 09:15:21AM -0500, Brian F. Feldman wrote:
> > > > What's going on here? And why was it MFC'd already?
> > >
> > > It can expose up to 16 bytes of wheel-readable data. That's bad!
> >
> > That's not such a bad vulnerability that you shouldn't have waited at
> > least 1-2 days for this to sit in -CURRENT to give people a chance to
> > comment.
>
> I don't think I did something wrong. I am not saying this to be
> argumentative. I honestly believe if there's any type of security problem
> and the fix 1) doesn't break anything and 2) is simple enough, there isn't
> any inherent problem with initiating a fix in both branches. I know it
> doesn't break anything because I've tested it (also for the degenerative
> cases).
>
> Where's the harm done by committing a fix, even were it incomplete, when it
> doesn't make the problem any worse? I'm honestly very curious what reasons
> people would have not to want something done as soon as feasible. Fear that
> people may update and assume the problem is completely fixed?

Because your "fix" was a gross hack on top of the gross hack already
in place. Security concerns should be discussed with the security
officer so that he can contact us with a background in such matters
about fixing it.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."