[19478] in bugtraq
Re: /usr/bin/Mail buffer 0verfl0w
daemon@ATHENA.MIT.EDU (Marcus Meissner)
Mon Mar 5 15:20:35 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20010305112019.A30732@caldera.de>
Date: Mon, 5 Mar 2001 11:20:19 +0100
Reply-To: Marcus Meissner <Marcus.Meissner@CALDERA.DE>
From: Marcus Meissner <Marcus.Meissner@CALDERA.DE>
X-To: Blue Boar <BlueBoar@THIEVCO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3AA06E2F.E9C104FA@thievco.com>; from BlueBoar@THIEVCO.COM on Fri, Mar 02, 2001 at 08:08:15PM -0800

On Fri, Mar 02, 2001 at 08:08:15PM -0800, Blue Boar wrote:
> I noticed Caldera released a patch for mail today on Bugtraq.
>
> "This security fix closes Caldera's internal Problem Report 9327."
> http://www.securityfocus.com/archive/1/166232
>
> Quite the coincidence.

There is none actually. We reacted to the bug he reported.
Our solution was just to drop the setgid mail bit, which we have been
shipping /bin/mail with.

> Here's the vuln-dev thread:
>
> http://securityfocus.com/templates/archive.pike?fromthread=1&list=82&threads=1&mid=165918&end=2001-03-03&start=2001-02-25&
>
> Seems that perhaps SosPiro should have been mentioned. I realize that
> vuln-dev doesn't exactly give vendors advanced notice due to the
> way it works, but still...

I am sorry we missed giving credit this time.

Ciao, Marcus
--
_____ ___
/ __/____/ / Caldera (Deutschland) GmbH
/ /_/ __ / /__ Naegelsbachstr. 49c, 91052 Erlangen
/_____//_/ /____/ Dipl. Inf. Marcus Meissner, email: mm@caldera.de
==== /_____/ ====== phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
Caldera OpenLinux