Has this been rectified:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5710
--
Jerry ♔
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__
On 9/30/2013 10:05, Jerry wrote:
Has this been rectified:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5710
Yes.
http://www.freebsd.org/security/advisories/FreeBSD-SA-13:13.nullfs.asc
http://svnweb.freebsd.org/base?view=revision&revision=255442
--
staticsafe
O ascii ribbon campaign
Jerry je...@seibercom.net writes:
Has this been rectified:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5710
If you read the page at that link, you will find the answer.
___
freebsd-questions@freebsd.org mailing list
This was announced on security-advisor...@freebsd.org on September 10th,
2013.
The relevant commits, as taken from the announcement, are:
Branch/path Revision
- -
I am working on an older machine that has postgresql-client-8.2.23
installed. I have the following information regarding the program:
$ pkg_info -R postgresql-client-8.2.23
Information for postgresql-client-8.2.23:
Required by:
koffice-kde4-2.3.3_7
postgresql-libpqxx-3.0.2
Attempting to build
On 13/04/2012 12:23, Carmel wrote:
I am working on an older machine that has postgresql-client-8.2.23
installed. I have the following information regarding the program:
$ pkg_info -R postgresql-client-8.2.23
Information for postgresql-client-8.2.23:
Required by:
koffice-kde4-2.3.3_7
On Fri, Apr 13, 2012 at 5:41 PM, Matthew Seaman matt...@freebsd.org wrote:
On 13/04/2012 12:23, Carmel wrote:
I am working on an older machine that has postgresql-client-8.2.23
installed. I have the following information regarding the program:
$ pkg_info -R postgresql-client-8.2.23
On 01/10/2010 21:59:40, Jerry wrote:
On Fri, 1 Oct 2010 12:14:20 -0500
Dan Nelson dnel...@allantgroup.com articulated:
You must have missed
http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
patches for 6, 7, and 8 are available there, and freebsd-update has
fixed
I have seen several notices on other forums regarding the update of
bzip2 to correct a potential security problem. From the bzip2 web site:
quote
The current version is 1.0.6, released 20 Sept 2010.
Version 1.0.6 removes a potential security vulnerability,
CVE-2010-0405, so all users
vulnerability,
CVE-2010-0405, so all users are recommended to upgrade immediately.
/quote
The version supplied on FreeBSD-8.1/amd64 is version 1.0.5,
10-Dec-2007. Are there any plans to update this supplied version?
You must have missed
http://security.freebsd.org/advisories/FreeBSD-SA-10:08
On Fri, 1 Oct 2010 12:14:20 -0500
Dan Nelson dnel...@allantgroup.com articulated:
You must have missed
http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
patches for 6, 7, and 8 are available there, and freebsd-update has
fixed binaries if you use that.
Never saw it. So I
On Fri, Oct 01, 2010 at 04:59:40PM -0400, Jerry thus spake:
On Fri, 1 Oct 2010 12:14:20 -0500
Dan Nelson dnel...@allantgroup.com articulated:
You must have missed
http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
patches for 6, 7, and 8 are available there, and freebsd-update
On Fri, 1 Oct 2010 14:00:16 -0700
Jason jhelf...@e-e.com wrote:
On Fri, Oct 01, 2010 at 04:59:40PM -0400, Jerry thus spake:
On Fri, 1 Oct 2010 12:14:20 -0500
Dan Nelson dnel...@allantgroup.com articulated:
You must have missed
On Fri, 1 Oct 2010 14:00:16 -0700
Jason jhelf...@e-e.com articulated:
On Fri, Oct 01, 2010 at 04:59:40PM -0400, Jerry thus spake:
On Fri, 1 Oct 2010 12:14:20 -0500
Dan Nelson dnel...@allantgroup.com articulated:
You must have missed
On Fri, 1 Oct 2010 22:23:16 +0100
Bruce Cran br...@cran.org.uk articulated:
On Fri, 1 Oct 2010 14:00:16 -0700
Jason jhelf...@e-e.com wrote:
On Fri, Oct 01, 2010 at 04:59:40PM -0400, Jerry thus spake:
On Fri, 1 Oct 2010 12:14:20 -0500
Dan Nelson dnel...@allantgroup.com articulated:
On Fri, 1 Oct 2010 17:49:29 -0400
Jerry freebsd.u...@seibercom.net wrote:
OK, I just updated my sources; however, this notation from the
UPDATING file does NOT appear in the UPDATING file on my machine:
20100920: p1 FreeBSD-SA-10:08.bzip2
Fix an integer overflow in RLE length
Jerry wrote:
[snip].
OK, I just updated my sources; however, this notation from the UPDATING
file does NOT appear in the UPDATING file on my machine:
20100920: p1 FreeBSD-SA-10:08.bzip2
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data.
I am
with a security patch?
It sounds like it.
Is there a way to compile without the security updated/patched tree?
# make DISABLE_VULNERABILITIES=yes install clean
Before doing that, make sure that the vulnerability portaudit reports
isn't going to leave you open to compromise. Portaudit should give you
Krb5-1.8.1 is the object of a security warning, and I am not able to compile
it. It tells me to update the ports tree
and try again, which I have done several times but the same warning stands.
Is this port not yet security updated with a security patch?
Is there a way to compile without the security
On Mon, Sep 28, 2009 at 08:48:37PM -0700, Greg Lewis wrote:
On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote:
Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
complains about an old and vulnerable Java version:
Your installed version of Java is vulnerable to a
[Sorry for resending: I didn't get any replies]
Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
complains about an old and vulnerable Java version:
Your installed version of Java is vulnerable to a severe remote
exploit (remote code execution!). You must upgrade to at
On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote:
Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
complains about an old and vulnerable Java version:
Your installed version of Java is vulnerable to a severe remote
exploit (remote code execution!). You must
Greg Lewis writes:
Your installed version of Java is vulnerable to a severe remote
exploit (remote code execution!). You must upgrade to at least Java
5 update 20 or Java 6 update 15 as soon as possible. Freenet has
disabled any plugins handling XML for the time being, but
Hi Greg,
Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
complains about an old and vulnerable Java version:
Your installed version of Java is vulnerable to a severe remote
exploit (remote code execution!). You must upgrade to at least Java
5 update 20 or Java 6 update
Hi All,
I was sent this by a friend, could someone confirm if this exploit is
really existent?
http://www.vimeo.com/6580991 (requires flash)
look for this subject on the maillist reporter on deadline seeks
comment about reported security bug in FreeBSD
You will find an almost 50 chained... topic about this...
;o)
btw, yes, it does.
2009/9/18 Alex R a...@mailinglist.ahhyes.net:
Hi All,
I was sent this by a friend, could someone
Hi all,
I'm starting my career as a security analyst and I'd like to know if
there are any vulnerability scanners -Blackbox or Whitebox- available for
FreeBSD, in
particular for Java applications.
There are some softwares out there, e.g. HailStorm or SourceScope
however most of them
On Thu, 25 Oct 2007 14:29:40 +0330
Bahman M. [EMAIL PROTECTED] wrote:
Hi all,
I'm starting my career as a security analyst and I'd like to know if
there are any vulnerability scanners -Blackbox or Whitebox- available for
FreeBSD, in
particular for Java applications.
There are some
was checking your website where advisories are present and I could not
find any risk level allotted to the vulnerability.
It is difficult to analyse them without that; I just wanted to know is
there any particular reason for this
Thank you and
Best regards
darshan
useful to parse this information for analysis
I was checking your website where advisories are present and I could not
find any risk level allotted to the vulnerability.
It is difficult to analyse them without that; I just wanted to know is
there any particular reason for this
Did you miss
interest to you might be this list:
http://lists.freebsd.org/mailman/listinfo/freebsd-security
Top-posting is also generally frowned upon.
I also wanted to know what features do you consider when publishing the
vulnerability
Information about how the security team operates is here:
http
In response to Colin Percival [EMAIL PROTECTED]:
Bill Moran wrote:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5824
Following the links around, it seems that you would have to mount a
corrupt or
malicious filesystem in order to exploit this vulnerability.
Yes, NIST claims
-1.8.4_4,1
Type of problem: ruby - multiple vulnerabilities.
Reference:
http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html
I see that ruby is only required by portupgrade. Anyone know if there is going to
be a fix for this vulnerability any time soon? Anyone asked
Hi Jeff,
On 13/11/2006 16:35, Jeff Dickens wrote:
Regarding the following vulnerabilities as detected by portaudit:
Affected package: ruby-1.8.4_4,1
Type of problem: ruby -- cgi.rb library Denial of Service.
Reference:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5824
Following the links around, it seems that you would have to mount a corrupt or
malicious filesystem in order to exploit this vulnerability.
Yes, NIST claims there is no authentication required to exploit? Are new
versions
of FreeBSD suddenly
Bill Moran wrote:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5824
Following the links around, it seems that you would have to mount a corrupt
or
malicious filesystem in order to exploit this vulnerability.
Yes, NIST claims there is no authentication required to exploit? Are new
Josh Carroll wrote:
So - what's the point? I mean updating the port to a newer port with the
same or newer known vulnerabilities?
# portaudit
0 problem(s) in your installed packages found.
# pkg_info| grep firefox
firefox-2.0_2,1 Web browser based on the browser portion of Mozilla
Seems
Hi:
I updated my ports tree a few days ago, and again today (right now). The
firefox port was updated. I then updated the vulnerability database - or
so I thought with portaudit. But building firefox complains about
remaining vulnerabilities.
So - what's the point? I mean updating the port
So - what's the point? I mean updating the port to a newer port with the
same or newer known vulnerabilities?
# portaudit
0 problem(s) in your installed packages found.
# pkg_info| grep firefox
firefox-2.0_2,1 Web browser based on the browser portion of Mozilla
Seems ok to me. Which
I have a 4.11-RELEASE system.
Prior to doing some minor portupdates, I had this portaudit report:
Checking for packages with security vulnerabilities:
Affected package: php4-4.4.1_3
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference:
http://www.FreeBSD.org/ports
In response to Colin Percival [EMAIL PROTECTED]:
Bill Moran wrote:
Colin Percival [EMAIL PROTECTED] wrote:
This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
^^^
That was what I expected. Section III seems to hint that it could
This report seems pretty vague. I'm unsure as to whether the alleged
bug gives the user any more permissions than he'd already have? Anyone
know any details?
FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability
iDefense Security Advisory 10.10.06
http://www.idefense.com/intelligence
Bill Moran wrote:
This report seems pretty vague. I'm unsure as to whether the alleged
bug gives the user any more permissions than he'd already have? Anyone
know any details?
This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
and RELENG_6. There is no opportunity
Colin Percival [EMAIL PROTECTED] wrote:
Bill Moran wrote:
This report seems pretty vague. I'm unsure as to whether the alleged
bug gives the user any more permissions than he'd already have? Anyone
know any details?
This is a local denial of service bug, which was fixed 6 weeks ago in
Bill Moran wrote:
Colin Percival [EMAIL PROTECTED] wrote:
This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
^^^
That was what I expected. Section III seems to hint that it could be
used by an unprivileged user to crash or lock a
:
Affected package: diablo-jdk-freebsd6.i386.1.5.0.07.00
Type of problem: jdk -- jar directory traversal vulnerability.
Reference: http://www.FreeBSD.org/ports/portaudit/18e5428f-ae7c-11d9-837d-000e0c2e438a.html
Many thanks,
David
Hello david,
I corrected the entry, it should be fixed within little
Hi everyone,
Are there any workaround or a patch for this security problem?
FreeBSD Foundation's Java JDK and JRE 5.0 Update 7 binaries for
FreeBSD 6.1/i386:
Affected package: diablo-jdk-freebsd6.i386.1.5.0.07.00
Type of problem: jdk -- jar directory traversal vulnerability.
Reference:
http
vulnerability.
Reference:
http://www.FreeBSD.org/ports/portaudit/18e5428f-ae7c-11d9-837d-000e0c2e438a.html
Many thanks,
David
Hello david,
I corrected the entry, it should be fixed within little notice :)
Thanks for the report!
--
Kind regards,
Remko Lodder ** [EMAIL PROTECTED
of problem: jdk -- jar directory traversal vulnerability.
Reference: http://www.FreeBSD.org/ports/portaudit/18e5428f-ae7c-11d9-837d-000e0c2e438a.html
Many thanks,
David
Hello david,
I corrected the entry, it should be fixed within little notice :)
Hey, hold on a second... are you sure this has
Hello,
I'm getting an error from ruby whenever I run a portupgrade. Checking
portaudit I see this is a vulnerability. Is there a fix for it?
Thanks.
Dave.
On 03/08/06 Dave said:
Hello,
I'm getting an error from ruby whenever I run a portupgrade. Checking
portaudit I see this is a vulnerability. Is there a fix for it?
I believe that the vulnerability is ruby itself, is it not?
Mike
--
Michael P. Soulier [EMAIL PROTECTED]
Any intelligent
]
03.08.2006 16:08
Please respond to
Dave [EMAIL PROTECTED]
To
freebsd-questions@freebsd.org
cc
Subject
portupgrade ruby vulnerability
Hello,
I'm getting an error from ruby whenever I run a portupgrade. Checking
portaudit I see this is a vulnerability. Is there a fix for it?
Thanks.
Dave
On Thu, Aug 03, 2006 at 09:08:03AM -0400, Dave wrote:
Hello,
I'm getting an error from ruby whenever I run a portupgrade. Checking
portaudit I see this is a vulnerability. Is there a fix for it?
Thanks.
Dave.
cvsup your ports tree and rebuild ruby18. Some patches for ruby18 went
On 8/3/06, Dave [EMAIL PROTECTED] wrote:
Hello,
I'm getting an error from ruby whenever I run a portupgrade. Checking
portaudit I see this is a vulnerability. Is there a fix for it?
Thanks.
Dave.
I had these warnings too, just use portupgrade or portmanager to upgrade
your ports
for smbclient in /usr/ports/net/samba
=== samba-2.2.12_2 has known vulnerabilities:
= samba -- integer overflow vulnerability.
Reference:
http://www.FreeBSD.org/ports/portaudit/3b3676be-52e1-11d9-a9e7-0001020eed82.html
= Please update your ports tree and try again.
*** Error code 1
Stop in /usr/ports
-2.2.12_2 has known vulnerabilities:
= samba -- integer overflow vulnerability.
Reference:
http://www.FreeBSD.org/ports/portaudit/3b3676be-52e1-11d9-a9e7-0001020eed82.html
= Please update your ports tree and try again.
*** Error code 1
Stop in /usr/ports/net/samba.
*** Error code 1
Stop in /usr
install for smbclient in /usr/ports/net/samba
=== samba-2.2.12_2 has known vulnerabilities:
= samba -- integer overflow vulnerability.
Reference:
http://www.FreeBSD.org/ports/portaudit/3b3676be-52e1-11d9-a9e7-0001020eed82.html
= Please update your ports tree and try again.
*** Error code 1
Michael C. Shultz [EMAIL PROTECTED] writes:
On Sunday 30 October 2005 22:45, you wrote:
G'day.
[...]
I can't work out how to tell portaudit to stop bothering me about
[a single] particular vulnerability, though.
Can I ask it to exclude a vulnerability, or (even better) a
vulnerability
G'day. I am relatively new to FreeBSD, but failed to find an answer to
this question in the handbook, manual pages, or other references about
portaudit:
At the moment, portaudit is reporting one vulnerability on my system,
with the 'p5-Crypt-OpenPGP' package.
There isn't, apparently
On Sunday 30 October 2005 22:45, you wrote:
G'day. I am relatively new to FreeBSD, but failed to find an answer to
this question in the handbook, manual pages, or other references about
portaudit:
At the moment, portaudit is reporting one vulnerability on my system,
with the 'p5-Crypt
Hi,
Does anybody know a command to tell which options I have compiled into
my openssl?
Is there a way to tell if I have SSL_OP_MSIE_SSLV2_RSA_PADDING in there
before I go unnecessarily rebuilding and reinstall world on all my servers?
Thanks,
DW
And more importantly, does anyone care to start an informal list of quote
any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled.
~BAS
On Tue, 11 Oct 2005, DW wrote:
Hi,
Does anybody know a
this vulnerability by our network security person,
read it over, and thought that it might be a legitimate exploit. I even
picked up on the fact that Microsoft had already patched it in the
service pack 2, which may mean that it was under wraps for a while, and
was suspicious. So, after doing a little
and I assumed wrong. But I will point out
that you said absolutely nothing
in your first post about who you are, what you are doing, why you even give
a shit about this issue. If you
had simply opened your first post with I was shown this vulnerability by
our network security person
and I have
. If you
had simply opened your first post with I was shown this vulnerability by
our network security person
and I have to respond to him in some fashion or something like that, it
would have gone a long way towards
establishing credibility as to why you cared about this. If even better you
had done
20, 2005 9:33 AM
To: Ted Mittelstaedt
Cc: bsd
Subject: Re: PAWS security vulnerability
Ted,
you just can't stop being a dickhead, can you ???
I admitted what I did wrong (unlike you), and yes, I posted
this to the
wrong list. Big deal. A lot of things get posted to this list
PROTECTED] Behalf Of Tim Traver
Sent: Friday, May 20, 2005 9:33 AM
To: Ted Mittelstaedt
Cc: bsd
Subject: Re: PAWS security vulnerability
Ted,
you just can't stop being a dickhead, can you ???
I admitted what I did wrong (unlike you), and yes, I posted
this to the
wrong list. Big deal. A lot
Hi all,
OK, this article was just published about a PAWS TCP DOS vulnerability,
and lists FreeBSD 4.x as affected.
http://www.securityfocus.com/bid/13676/info/
Does anyone know how to turn the TCP timestamps off on FreeBSD 4.x?
And is 5.4 affected too?
Tim
.
* NOTE that the test is modified according to the latest
* proposal of the [EMAIL PROTECTED] list (Braden
1993/04/26).
+* NOTE2 additional check added as a result of PAWS
vulnerability
+* documented in Cisco security notice
cisco-sn
the timestamp.
* NOTE that the test is modified according to the latest
* proposal of the [EMAIL PROTECTED] list (Braden
1993/04/26).
+* NOTE2 additional check added as a result of PAWS
vulnerability
+* documented in Cisco security
OSs. I would therefore assume that the release
of this so-called vulnerability was carefully timed to take place
AFTER Microsoft had got its ass covered, to make them look good,
and everyone else look bad. I continue therefore to assume that this
is a political security hole, not an actual
On Mar 10, 2005, at 10:44 PM, Anthony Atkielski wrote:
Kris Kennaway writes:
Isn't this a non-problem if you use ntpd?
Unfortunately, no, because the TCP stacks on most systems don't use the
disciplined clock provided by NTP for the timestamps. Instead they use
a clock based directly on the RTC,
Bart Silverstrim writes:
Wouldn't the skew resolution necessary for this tracking technique
become useless with temperature variations, humidity, etc. that can
affect most systems over the course of the day/week/year?
That's one of my questions, too. A technique that could identify 100
How vulnerable is FreeBSD to the recently announced technique for
individually identifying computers by the clock slew apparent in TCP
packets? If it is vulnerable to this, will there be any plans to
address the vulnerability?
--
Anthony
Is this technically a vulnerability, or is it just a side-effect of how
computers operate? I was of the impression that this is quite an
unavoidable issue, given how it seems to apply to any computer
regardless of OS, but I haven't researched the issue much myself.
Interesting question
On Fri, Mar 11, 2005 at 03:45:39AM +0100, Anthony Atkielski wrote:
How vulnerable is FreeBSD to the recently announced technique for
individually identifying computers by the clock slew apparent in TCP
packets? If it is vulnerable to this, will there be any plans to
address the vulnerability
Bnonn writes:
Is this technically a vulnerability, or is it just a side-effect of how
computers operate?
It's a vulnerability in the sense that it can leak confidential
information about a system's identity. It's not a side-effect of how
computers operate, but rather a side-effect of how most
Kris Kennaway writes:
Isn't this a non-problem if you use ntpd?
Unfortunately, no, because the TCP stacks on most systems don't use the
disciplined clock provided by NTP for the timestamps. Instead they use
a clock based directly on the RTC, which reveals a characteristic skew
that is unique
-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Anthony
Atkielski
Sent: Thursday, March 10, 2005 6:46 PM
To: freebsd-questions@freebsd.org
Subject: Clock slew vulnerability in FreeBSD?
How vulnerable is FreeBSD to the recently announced technique for
individually identifying
I just read about Linux's vulnerability WRT SMBFS. Does FreeBSD suffer
from the same vulnerability?
--
-- Skylar Thompson ([EMAIL PROTECTED])
-- http://www.os2.dhs.org/~skylar/
Hello,
I started seeing this in late 5.1 and now in 5.2 as well. When I am
compiling a port the first message I get is Vulnerability check disabled
What is this? Should I be worried about it?
Thanks.
Dave.
On Sun, Feb 15, 2004 at 01:22:51AM -0500, dave wrote:
Hello,
I started seeing this in late 5.1 and now in 5.2 as well. When I am
compiling a port the first message I get is Vulnerability check disabled
What is this? Should I be worried about it?
See /usr/ports/CHANGES
Kris
Hello,
Hope I'm not missing something obvious, but since today morning, I've
been getting weird warnings when running make in the ports:
[madras!/usr/ports/www/apache13]# make fetch-recursive
=== Fetching all distfiles for apache-1.3.29_1 and dependencies
=== Vulnerability check disabled
On Wed, Feb 04, 2004 at 07:31:27PM +1100, Gautam Gopalakrishnan wrote:
Hello,
Hope I'm not missing something obvious, but since today morning, I've
been getting weird warnings when running make in the ports:
Ports questions should be asked on ports@
Kris
all distfiles for apache-1.3.29_1 and dependencies
=== Vulnerability check disabled
=== Vulnerability check disabled
=== Vulnerability check disabled
=== Vulnerability check disabled
[madras!/usr/ports/www/apache13]# cd ../mod_php4
[madras!/usr/ports/www/mod_php4]# make fetch
!/usr/ports/www/apache13]# make fetch-recursive
=== Fetching all distfiles for apache-1.3.29_1 and dependencies
=== Vulnerability check disabled
=== Vulnerability check disabled
=== Vulnerability check disabled
=== Vulnerability check disabled
[madras!/usr/ports/www/apache13]# cd
been getting weird warnings when running make in the ports:
[madras!/usr/ports/www/apache13]# make fetch-recursive
=== Fetching all distfiles for apache-1.3.29_1 and dependencies
=== Vulnerability check disabled
=== Vulnerability check disabled
=== Vulnerability check disabled
morning, I've
been getting weird warnings when running make in the ports:
[madras!/usr/ports/www/apache13]# make fetch-recursive
=== Fetching all distfiles for apache-1.3.29_1 and dependencies
=== Vulnerability check disabled
=== Vulnerability check disabled
=== Vulnerability
.fetchaudit
To test:
cd /usr/ports/security/vulnerability-test-port
make INSTALLATION_DATE=`date -u -v-14d +%Y.%m.%d` install
A message like this should appear:
=== vulnerability-test-port-2004.01.14 has known vulnerabilities:
Not vulnerable, just a test port (database: 2004-01-28
,
Hope I'm not missing something obvious, but since today morning, I've
been getting weird warnings when running make in the ports:
[madras!/usr/ports/www/apache13]# make fetch-recursive
=== Fetching all distfiles for apache-1.3.29_1 and dependencies
=== Vulnerability
On Sat, Nov 08, 2003 at 08:23:25PM -0500, kirt wrote:
is this a known issue? i didn't search too hard for a fix or anything since i
quickly
fixed it myself, but i thought that a situation like that could make for some
interesting
(read *bad*) situations.
It's certainly possible to
On Sat, Nov 08, 2003 at 10:49:35PM -0800, Derrick Ryalls wrote:
while recently cvsup'ing my box here at home, i had a weird
thing happen...
i had already built world, built and installed the kernel,
installed world (including all
appropriate reboots), and when i brought it back
while recently cvsup'ing my box here at home, i had a weird thing happen...
i had already built world, built and installed the kernel, installed world (including
all
appropriate reboots), and when i brought it back up, but prior to running mergemaster,
i
popped the jumper on the circuit the
while recently cvsup'ing my box here at home, i had a weird
thing happen...
i had already built world, built and installed the kernel,
installed world (including all
appropriate reboots), and when i brought it back up, but
prior to running mergemaster, i
popped the jumper on the
I believe I have found a security vulnerability in dump, which, under the
right conditions, allows any user with shell-access to gain root-privileges.
When dumping to a file, dump writes this file chmod 644. When the
root-partition is being backed-up, this leaves the dump-file vulnerable
Today Mark wrote:
I believe I have found a security vulnerability in dump, which, under the
right conditions, allows any user with shell-access to gain root-privileges.
When dumping to a file, dump writes this file chmod 644. When the
root-partition is being backed-up, this leaves the dump
Today Mark wrote:
I believe I have found a security vulnerability in dump, which, under the
right conditions, allows any user with shell-access to gain root-privileges.
When dumping to a file, dump writes this file chmod 644. When the
root-partition is being backed-up, this leaves the dump
- Original Message -
From: Andrew Prewett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 07, 2003 6:06 PM
Subject: Re: security vulnerability in dump
Today Mark wrote:
I believe I have found a security vulnerability in dump, which, under
the right conditions, allows
Mark [EMAIL PROTECTED] writes:
There may be a lot more files one wishes not to be world-readable. :) And
excluding them all from the dump may not be the answer. Especially since it
would be very little trouble to adjust dump's code in such a way that it
writes chmod 600 to begin with.
This
Lowell Gilbert wrote:
[ ... ]
This is silly. Just set umask properly, and you'll be all set.
This should not be something for individual programs (like
dump) to worry about.
Disagree. Most individual programs do not create world-readable files
containing root's view of the filesystem data.