[1205] in linux-security and linux-alert archive


Re: [linux-security] libc 5.4.7

daemon@ATHENA.MIT.EDU (David Holland)
Sat Oct 12 07:40:55 1996

From: David Holland <dholland@eecs.harvard.edu>
To: florian@jurix.jura.uni-sb.de (Florian La Roche)
Date: Wed, 9 Oct 1996 17:42:35 -0400 (EDT)
Cc: dholland@eecs.harvard.edu, potato@dsnet.com, linux-gcc@vger.rutgers.edu,
        linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199610091947.VAA04900@knorke.saar.de> from "Florian La Roche" at Oct 9, 96 09:47:20 pm

 > > It's been two months. You can read any file trivially on an unpatched
 > > Slackware system without logging in. You can get a root shell with a
 > > bit more effort. This is not acceptable.
 > 
 > Slackware has been unacceptable for a long time and probably won't change
 > in the future...

That's true, but a lot of people are running it and they need to be
made aware of the hazard.

I haven't put out a bulletin urgently advising everyone to upgrade to
netkit-b-0.08 because, in order to explain why, I need to talk about the
libc problems, and until now there hasn't been a public release of a
fixed libc.

 > I am just afraid that 5.4.x is not yet tested enough and that some
 > people would have to downgrade again.

So am I. I don't know what else we can do. We're already approaching
typical vendor turnaround time on this security hole. :(

-- 
   - David A. Holland             |    VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino
