Bugtraq mailing list archives

Re: What happened to the syslog bug ?


From: martinh () mailhost emap co uk (martinh () mailhost emap co uk)
Date: Wed, 26 Jun 1996 08:20:57 +0000


On Tue, 25 Jun 1996, Mike Kienenberger wrote:

On Tue, 25 Jun 1996, Joe Rhett wrote:
In August last year 8LGM released an advisory warning about a syslog
vulnerability. Something to do with a buffer overflow and passing commands
to a remote site. The advisory said that exploit would not be released
yet, in order to give time to vendors to issue patches. Now I understand
that some vendors are pretty slow in acknowledging security problems but
it sounds like they had enough time by now.

Sun, HP, IBM, SGI, and SCO had patches available within 2 weeks. I've
had the patches installed for over 3 months on our systems ... what
other kind of "response" are you looking for?

I don't know about the other vendors, but SGI's patch only covered
sendmail's interaction with syslog, and not the actual syslog bug itself.
If I remember correctly, to fix the bug in syslog required replacing the
libc library which was a major change.

BSDI's patch for 2.0.1 was a full replace-libc fix.

M.

##################################################################
# Martin Hargreaves (martin () datamodl demon co uk)  Computational #
# Director, Datamodel Ltd                                Chemist #
# Contract Unix system admin/Unix security              Sysadmin #
##################################################################


