*BSD News Article 88766


Return to BSD News archive

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!news.mel.connect.com.au!news.mel.aone.net.au!grumpy.fl.net.au!news.webspan.net!news.intersurf.net!www.nntp.primenet.com!nntp.primenet.com!su-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!worldnet.att.net!hunter.premier.net!uunet!in2.uu.net!207.113.159.49!news.gv.tsc.tdk.com!news7.crl.com!nexp.crl.com!usenet
From: "Jordan K. Hubbard" <jkh@FreeBSD.org>
Newsgroups: comp.os.linux.advocacy,comp.unix.bsd.misc,comp.os.linux.misc
Subject: Re: Linux vs BSD
Date: Fri, 07 Feb 1997 18:13:49 -0800
Organization: Walnut Creek CDROM
Lines: 25
Message-ID: <32FBE15D.41C67EA6@FreeBSD.org>
References: <32DFFEAB.7704@usa.net> <KETIL-ytqiv47v56j.fsf@pinro.imr.no> <5daavp$8lp@panix2.panix.com> <KETIL-ytqbu9yfheu.fsf@imr.no> <5dfcpj$t45@agate.berkeley.edu>
NNTP-Posting-Host: time.cdrom.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 3.0-CURRENT i386)
To: Nick Kralevich <nickkral@cal.alumni.berkeley.edu>
Xref: euryale.cc.adfa.oz.au comp.os.linux.advocacy:83058 comp.unix.bsd.misc:2414 comp.os.linux.misc:157156

Nick Kralevich wrote:
> I'm suprised that no one has mentioned that all current FreeBSD releases
> have a bug that allows ANY suid program to be used to gain root access.
> 
> Or the fact that FreeBSD security holes aren't even posted to the
> FreeBSD newsgroup.

You must not be following other public sources of information then (and
one was sent to CERT and the first-teams on the 5th of February).  Not
our fault.  This has been WIDELY reported and talked about, and if you
even just subscribed to the freebsd-security mailing list then you would
have heard all about this already.

The FreeBSD project has published fixes for 2.1.6 and is in the process
of creating a 2.1.7 release just because of this problem.  We also
responded to the first report and generated the advisory within 48 hours
of receiving word, after taking some time to discuss and assess the full
extent of the compromise.  I'd say that's generally more than one could
hope for from any commercial UNIX vendor, and there will *always* be
security holes in every version of UNIX on the planet - sendmail
accomplishes that just by itself.  What makes all the difference is how
willing the vendor is to respond to such problems once they are
detected.
-- 
- Jordan Hubbard