Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!news.mel.connect.com.au!news.mel.aone.net.au!grumpy.fl.net.au!news.webspan.net!news.intersurf.net!www.nntp.primenet.com!nntp.primenet.com!su-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!worldnet.att.net!hunter.premier.net!uunet!in2.uu.net!207.113.159.49!news.gv.tsc.tdk.com!news7.crl.com!nexp.crl.com!usenet
From: "Jordan K. Hubbard" <jkh@FreeBSD.org>
Newsgroups: comp.os.linux.advocacy,comp.unix.bsd.misc,comp.os.linux.misc
Subject: Re: Linux vs BSD
Date: Fri, 07 Feb 1997 18:13:49 -0800
Organization: Walnut Creek CDROM
Lines: 25
Message-ID: <32FBE15D.41C67EA6@FreeBSD.org>
References: <32DFFEAB.7704@usa.net> <KETIL-ytqiv47v56j.fsf@pinro.imr.no> <5daavp$8lp@panix2.panix.com> <KETIL-ytqbu9yfheu.fsf@imr.no> <5dfcpj$t45@agate.berkeley.edu>
NNTP-Posting-Host: time.cdrom.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 3.0-CURRENT i386)
To: Nick Kralevich <nickkral@cal.alumni.berkeley.edu>
Xref: euryale.cc.adfa.oz.au comp.os.linux.advocacy:83058 comp.unix.bsd.misc:2414 comp.os.linux.misc:157156

Nick Kralevich wrote:
> I'm surprised that no one has mentioned that all current FreeBSD releases
> have a bug that allows ANY suid program to be used to gain root access.
>
> Or the fact that FreeBSD security holes aren't even posted to the
> FreeBSD newsgroup.

You must not be following other public sources of information then (and one was sent to CERT and the first-teams on the 5th of February). Not our fault. This has been WIDELY reported and talked about, and if you even just subscribed to the freebsd-security mailing list then you would have heard all about this already.

The FreeBSD project has published fixes for 2.1.6 and is in the process of creating a 2.1.7 release just because of this problem.

We also responded to the first report and generated the advisory within 48 hours of receiving word, after taking some time to discuss and assess the full extent of the compromise. I'd say that's generally more than one could hope for from any commercial UNIX vendor, and there will *always* be security holes in every version of UNIX on the planet - sendmail accomplishes that just by itself. What makes all the difference is how willing the vendor is to respond to such problems once they are detected.

--
- Jordan Hubbard