Date:      Tue, 14 Sep 2004 17:32:35 +0300 (EEST)
From:      Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To:        Xin LI <delphij@frontfree.net>
Cc:        Volker Stolz <vs@freebsd.org>
Subject:   Re: multiple vulnerabilities in the cvs server code
Message-ID:  <20040914172844.X96954@atlantis.atlantis.dp.ua>
In-Reply-To: <20040914141820.GA1728@frontfree.net>
References:  <20040909133319.A41151@atlantis.atlantis.dp.ua> <20040914131723.GA63705@i2.informatik.rwth-aachen.de> <20040914141820.GA1728@frontfree.net>

On Tue, 14 Sep 2004, Xin LI wrote:
>> Also, it would be nice if such advisories advanced kern.osreldate,
>> so auditfile could check this automatically; e.g., I have 4.9-RELEASE-p11,
>> which isn't vulnerable to this problem, but kern.osreldate is still 490000
>> there. If the Security Officer bumps src/sys/conf/newvers.sh, why doesn't he
>> bump src/sys/sys/param.h?
>
> I think it is not applicable to bump param.h, as it represents an ABI change,
> which a security update should not introduce.  (just my $0.02 :-)

  Then there should be another possibility to get the release "patch level" - maybe
by parsing kern.osrelease? In any case, it would be nice to add such a
check, so portaudit won't complain when the base system isn't vulnerable.

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail:  dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
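
The check suggested in this message, reading the patch level out of kern.osrelease instead of relying on kern.osreldate, as an added example that is not part of the original message and not portaudit's own code. The function names and the fixed-in levels passed to `base_is_fixed` are hypothetical; only the string 4.9-RELEASE-p11 comes from the thread.

```shell
#!/bin/sh
# Added example: derive the patch level from a kern.osrelease string and
# compare it with the level at which an advisory was fixed.
# Typical call on a live system (fixed-in levels are constructed):
#   base_is_fixed "$(sysctl -n kern.osrelease)" 4.8-RELEASE-p20 4.9-RELEASE-p11

# parse_osrelease "4.9-RELEASE-p11" prints "4.9 RELEASE 11".
# A string with no -pN suffix ("4.9-RELEASE") has patch level 0.
parse_osrelease() {
    rel=$1
    version=${rel%%-*}
    rest=${rel#*-}
    # No "-" at all means this is not a VERSION-BRANCH string.
    [ "$rest" = "$rel" ] && return 1
    case $rest in
        *-p[0-9]*) branch=${rest%-p*}; patch=${rest##*-p} ;;
        *)         branch=$rest;       patch=0 ;;
    esac
    # Reject anything that is not a plain decimal patch level.
    case $patch in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s %s %s\n' "$version" "$branch" "$patch"
}

# base_is_fixed RUNNING FIXED...
# Returns 0 if RUNNING is at or above the fixed-in level for its own
# version and branch, 1 if it is below it, 2 if the advisory lists no
# entry for that release or a string cannot be parsed (result unknown).
base_is_fixed() {
    cur=$(parse_osrelease "$1") || return 2
    shift
    for fixed in "$@"; do
        f=$(parse_osrelease "$fixed") || return 2
        # "${x% *}" is "VERSION BRANCH", "${x##* }" is the patch level.
        if [ "${cur% *}" = "${f% *}" ]; then
            [ "${cur##* }" -ge "${f##* }" ] && return 0
            return 1
        fi
    done
    return 2
}
```

Return code 2 keeps an unlisted release from being reported as either fixed or vulnerable.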


