[2819] in bugtraq


Re: What happened to the syslog bug ?

daemon@ATHENA.MIT.EDU (martinh@mailhost.emap.co.uk)
Wed Jun 26 13:55:06 1996

Date: 	Wed, 26 Jun 1996 08:20:57 +0000
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: martinh@mailhost.emap.co.uk
X-To:         Mike Kienenberger <mkienenb@arsc.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <9606252247.AA11969@fdiv>

On Tue, 25 Jun 1996, Mike Kienenberger wrote:

> On Tue, 25 Jun 1996, Joe Rhett wrote:
> > > In August last year 8LGM released an advisory warning about a syslog
> > > vulnerability. Something to do with a buffer overflow and passing commands
> > > to a remote site. The advisory said that exploit would not be released
> > > yet, in order to give time to vendors to issue patches. Now I understand
> > > that some vendors are pretty slow in acknowledging security problems but
> > > it sounds like they had enough time by now.
> >
> > Sun, HP, IBM, SGI, and SCO had patches available within 2 weeks. I've
> > had the patches installed for over 3 months on our systems ... what
> > other kind of "response" are you looking for?
>
> I don't know about the other vendors, but SGI's patch only covered
> sendmail's interaction with syslog, and not the actual syslog bug itself.
> If I remember correctly, to fix the bug in syslog required replacing the
> libc library which was a major change.

BSDI's patch for 2.0.1 was a full replace-libc fix.

M.

##################################################################
# Martin Hargreaves (martin@datamodl.demon.co.uk)  Computational #
# Director, Datamodel Ltd                                Chemist #
# Contract Unix system admin/Unix security              Sysadmin #
##################################################################
