Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!bunyip.cc.uq.oz.au!munnari.oz.au!constellation!convex!insosf1.infonet.net!newshost.marcam.com!usc!howland.reston.ans.net!agate!violet.berkeley.edu!jkh
From: jkh@violet.berkeley.edu (Jordan K. Hubbard)
Newsgroups: comp.os.386bsd.bugs
Subject: Re: Nasty bug in FreeBSD-2.0 chfn/chpass
Date: 12 Feb 1995 09:16:57 GMT
Organization: University of California, Berkeley
Lines: 19
Message-ID: <3hkjm9$m1c@agate.berkeley.edu>
References: <3himpp$bu4@tyrell.s.bawue.de>
NNTP-Posting-Host: violet.berkeley.edu

In article <3himpp$bu4@tyrell.s.bawue.de>,
Rodney Volz <rodney@tyrell.s.bawue.de> wrote:
>Hello,
>
>I just discovered a bad bug in FreeBSD-2.0 chfn/login. When
>a password has expired for an ordinary user, login execs
>passwd and lets that user change the root password (!!).

Gee, thanks for broadcasting this one so widely! :-)

This has been fixed in FreeBSD-current for some time, and is fixed in
all the snapshots.. Unlike Intel, we've known about this bug for some
time and DID talk about it publicly in the mailing lists. :-)

It was fixed less than 2 weeks after 2.0R was released, and anyone
out there using password expiry is strongly encouraged to upgrade (if
they haven't already - this bug report is the first repetition I've
seen for some time).

Jordan