[18177] in bugtraq

Re: OpenBSD remote root

daemon@ATHENA.MIT.EDU (joshua stein)
Tue Dec 19 17:08:01 2000

Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20001218221934.M10720@rt.fm>
Date:         Mon, 18 Dec 2000 22:19:34 -0600
Reply-To: joshua stein <jcs@RT.FM>
From: joshua stein <jcs@RT.FM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20001218062617.A18409@boehm.org>; from typo@SCENE.AT on Mon,
              Dec 18, 2000 at 06:26:17AM +0100

Typo Princep wrote:
> But no one has made the userbase aware of the security problems nor has any
> further discussion taken place on obsd-bugs.

http://openbsd.rt.fm/plus.html shows IN BIG RED LETTERS:

  "SECURITY FIX: Fix buffer overflow in ftpd"

with a link to the patch.

http://openbsd.rt.fm/errata.html shows IN BIG LETTERS:

  "SECURITY FIX: Dec 4, 2000
   OpenBSD 2.8's ftpd contains a one-byte overflow in the replydirname()
   function."

also, with a link to the patch.

The fix was merged into -STABLE.  A patch was written for 2.7 and 2.8
and released on the FTP mirrors.

On December 5th, Todd Miller sent an announcement to security-announce@
explaining the problem and where to get the patch.

The problem was acknowledged, a patch was released, the user base was
notified by the proper mailing lists and web pages.  The problem was
also announced on www.deadly.org and daily.daemonnews.org, two fairly
common websites among the OpenBSD community.

With all this, how can you say that the user base was never made aware
of the problem?