Bugtraq mailing list archives

Re: OpenBSD remote root


From: joshua stein <jcs () RT FM>
Date: Mon, 18 Dec 2000 22:19:34 -0600

Typo Princep wrote:
> But no one has made the userbase aware of the security problems nor has any
> further discussion taken place on obsd-bugs.

http://openbsd.rt.fm/plus.html shows IN BIG RED LETTERS:

  "SECURITY FIX: Fix buffer overflow in ftpd"

with a link to the patch.

http://openbsd.rt.fm/errata.html shows IN BIG LETTERS:

  "SECURITY FIX: Dec 4, 2000
   OpenBSD 2.8's ftpd contains a one-byte overflow in the replydirname()
   function."

also, with a link to the patch.

The fix was merged into -STABLE.  A patch was written for 2.7 and 2.8
and released on the FTP mirrors.

On December 5th, Todd Miller sent an announcement to security-announce@
explaining the problem and where to get the patch.

The problem was acknowledged, a patch was released, the user base was
notified by the proper mailing lists and web pages.  The problem was
also announced on www.deadly.org and daily.daemonnews.org, two fairly
common websites among the OpenBSD community.

With all this, how can you say that the user base was never made aware
of the problem?
