Date:      Tue, 14 Sep 2004 22:18:20 +0800
From:      Xin LI <delphij@frontfree.net>
To:        Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
Cc:        Volker Stolz <vs@freebsd.org>
Subject:   Re: multiple vulnerabilities in the cvs server code
Message-ID:  <20040914141820.GA1728@frontfree.net>
In-Reply-To: <20040914162407.J77824@atlantis.atlantis.dp.ua>
References:  <20040909133319.A41151@atlantis.atlantis.dp.ua> <20040914131723.GA63705@i2.informatik.rwth-aachen.de> <20040914162407.J77824@atlantis.atlantis.dp.ua>

On Tue, Sep 14, 2004 at 04:37:10PM +0300, Dmitry Pryanishnikov wrote:
>  As I read in this SA, this vulnerability was fixed on 2004-05-20, before
> 4.10 was released, so 4.10-RELEASE isn't vulnerable, right? But portaudit

Yes, 4.10 is not vulnerable.

> still complains about FreeBSD-491000. Probably, wrong check in auditfile?
> Also, it would be nice if such advisories advance kern.osreldate,
> so auditfile could check this automatically; e.g., I have 4.9-RELEASE-p11,
> which isn't vulnerable to this problem, but kern.osreldate is still 490000
> there. If Security Officer bumps src/sys/conf/newvers.sh, why doesn't he
> bump src/sys/sys/param.h?

I think it is not applicable to bump param.h, as it represents an ABI change,
which a security update should not introduce.  (just my $0.02 :-)


Cheers,
-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.

