Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.mel.connect.com.au!news.mel.aone.net.au!grumpy.fl.net.au!news.webspan.net!newsfeeds.sol.net!feed1.news.erols.com!news.bbnplanet.com!cpk-news-hub1.bbnplanet.com!worldnet.att.net!arclight.uoregon.edu!super.zippo.com!zdc!szdc!szdc-e!news
From: "John S. Dyson" <dyson@freebsd.org>
Newsgroups: comp.os.linux.advocacy,comp.unix.bsd.misc,comp.os.linux.misc
Subject: Re: Linux vs BSD
Date: Fri, 07 Feb 1997 10:01:53 -0500
Organization: John S. Dyson's home machine
Lines: 43
Message-ID: <32FB43E1.41C67EA6@freebsd.org>
References: <32DFFEAB.7704@usa.net> <KETIL-ytqiv47v56j.fsf@pinro.imr.no> <5daavp$8lp@panix2.panix.com> <KETIL-ytqbu9yfheu.fsf@imr.no> <5dfcpj$t45@agate.berkeley.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 3.0-CURRENT i386)
Xref: euryale.cc.adfa.oz.au comp.os.linux.advocacy:82711 comp.unix.bsd.misc:2335 comp.os.linux.misc:156668

Nick Kralevich wrote:
>
> In article <KETIL-ytqbu9yfheu.fsf@imr.no>, Ketil Z Malde <ketil@imr.no> wrote:
> >Except for a couple of emulations? Perhaps BSD is bug free, and has
> >always been so.
>
> I'm surprised that no one has mentioned that all current FreeBSD releases
> have a bug that allows ANY suid program to be used to gain root access.
>
> Or the fact that FreeBSD security holes aren't even posted to the
> FreeBSD newsgroup.
>

Yes, there is a problem. As we have always said, please refer to the
mailing lists, as those are the most effective support mechanism. We
just learned of the problem 2-3 days ago, and have had to develop a
coherent response to the problem. This response includes the fix, and
developing the best way to present the problem so that the maximum
number of people can get the fix ASAP, without alerting more wannabe
hackers.

We have been in contact with various ISPs about this problem, and if
anyone has the need for special help, please contact one of the core
team members, or email to questions@freebsd.org, and someone will help
you.

I am not able to post the fix here (because it would likely give a hint
to a lot of wannabe hackers.) As I said, contact the FreeBSD group if
you need the fix ASAP. It isn't generally a problem unless you have
shell accounts for potential hacker-users, but there are other, less
effective utilizations of the exploit also.

So, if you are running FreeBSD, please subscribe to the mailing lists,
for up-to-date info on this problem and others as they might arise. Our
involvement on USENET is much more casual, and mostly a secondary,
informal channel.

We have a process that includes CERT, AUSCERT, and perhaps notification
of certain law enforcement agencies. That process is being followed as
rapidly and efficiently as possible. (We are MUCH faster than most
commercial organizations.)

(I suspect a more formal announcement will be forthcoming, but please
use the mailing lists as your support channel!!!)

John
dyson@freebsd.org