*BSD News Article 88548



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.mel.connect.com.au!news.mel.aone.net.au!grumpy.fl.net.au!news.webspan.net!newsfeeds.sol.net!feed1.news.erols.com!news.bbnplanet.com!cpk-news-hub1.bbnplanet.com!worldnet.att.net!arclight.uoregon.edu!super.zippo.com!zdc!szdc!szdc-e!news
From: "John S. Dyson" <dyson@freebsd.org>
Newsgroups: comp.os.linux.advocacy,comp.unix.bsd.misc,comp.os.linux.misc
Subject: Re: Linux vs BSD
Date: Fri, 07 Feb 1997 10:01:53 -0500
Organization: John S. Dyson's home machine
Lines: 43
Message-ID: <32FB43E1.41C67EA6@freebsd.org>
References: <32DFFEAB.7704@usa.net> <KETIL-ytqiv47v56j.fsf@pinro.imr.no> <5daavp$8lp@panix2.panix.com> <KETIL-ytqbu9yfheu.fsf@imr.no> <5dfcpj$t45@agate.berkeley.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 3.0-CURRENT i386)
Xref: euryale.cc.adfa.oz.au comp.os.linux.advocacy:82711 comp.unix.bsd.misc:2335 comp.os.linux.misc:156668

Nick Kralevich wrote:
> 
> In article <KETIL-ytqbu9yfheu.fsf@imr.no>, Ketil Z Malde  <ketil@imr.no> wrote:
> >Except for a couple of emulations?  Perhaps BSD is bug free, and has
> >always been so.
> 
> I'm surprised that no one has mentioned that all current FreeBSD releases
> have a bug that allows ANY suid program to be used to gain root access.
> 
> Or the fact that FreeBSD security holes aren't even posted to the
> FreeBSD newsgroup.
> 

Yes, there is a problem.  As we have always said, please refer to the
mailing lists, as those are the most effective support mechanism.  We
just learned of the problem 2-3 days ago, and have had to develop a
coherent response to the problem.  This response includes the fix,
and developing the best way to present the problem so that the
maximum number of people can get the fix ASAP, without alerting
more wannabe hackers.  We have been in contact with various
ISPs about this problem, and if anyone has the need for special
help, please contact one of the core team members, or email to
questions@freebsd.org, and someone will help you.  I am not
able to post the fix here (because it would likely give a hint
to a lot of wannabe hackers.)  As I said, contact the FreeBSD
group if you need the fix ASAP.  It isn't generally a problem
unless you have shell accounts for potential hacker-users,
but there are other, less effective utilizations of the exploit also.

So, if you are running FreeBSD, please subscribe to the mailing lists,
for up-to-date info on this problem and others as they might arise.  Our
involvement on USENET is much more casual, and mostly a secondary,
informal channel.  We have a process that includes CERT, AUSCERT, and
perhaps notification of certain law enforcement agencies.  That
process is being followed as rapidly and efficiently as possible.
(We are MUCH faster than most commercial organizations.)

(I suspect a more formal announcement will be forthcoming, but please
 use the mailing lists as your support channel!!!)

John
dyson@freebsd.org