[1205] in linux-security and linux-alert archive
Re: [linux-security] libc 5.4.7
daemon@ATHENA.MIT.EDU (David Holland)
Sat Oct 12 07:40:55 1996
From: David Holland <dholland@eecs.harvard.edu>
To: florian@jurix.jura.uni-sb.de (Florian La Roche)
Date: Wed, 9 Oct 1996 17:42:35 -0400 (EDT)
Cc: dholland@eecs.harvard.edu, potato@dsnet.com, linux-gcc@vger.rutgers.edu,
linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199610091947.VAA04900@knorke.saar.de> from "Florian La Roche" at Oct 9, 96 09:47:20 pm
> > It's been two months. You can read any file trivially on an unpatched
> > Slackware system without logging in. You can get a root shell with a
> > bit more effort. This is not acceptable.
>
> Slackware has been unacceptable for a long time and probably won't change
> in the future...
That's true, but a lot of people are running it and they need to be
made aware of the hazard.
I haven't put out a bulletin urgently advising everyone to upgrade to
netkit-b-0.08 because in order to explain why I need to talk about the
libc problems, and until now there hasn't been a public release of a
fixed libc.
> I am just afraid that 5.4.x is not yet tested enough and that some
> people would have to downgrade again.
So am I. I don't know what else we can do. We're already approaching
typical vendor turnaround time on this security hole. :(
--
- David A. Holland | VINO project home page:
dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino