On Fri, 13 Feb 1998, Jason Thorpe wrote:

> On Fri, 13 Feb 1998 14:43:00 -0800 
>  Greg Wohletz <greg@duke.CS.UNLV.EDU> wrote:
> 
>  > From:
>  > 
>  > http://www.cert.org/pub/advisories/CA-97.26.statd.html
>  > 
>  > 
>  > The NetBSD project
>  > 
>  > NetBSD is not vulnerable to the statd buffer overflow. It does not ship
>  > with NFS locking programs (statd/lockd).
>  > 
>  > 
>  > 
>  > What exactly does this mean?  My netbsd 1.3 systems certainly all have
>  > lockd/statd.  Are they vunerable to this buffer overrun bug or not?
> 
> As of the latest release at the time the announcement was made, NetBSD
> did not have statd/lockd.  The statd/lockd that NetBSD 1.3 ships with
> are NOT vulnerable to the overflow described in the report.

Could we amend the statement to reflect 1.3's shipping with a NOT
vulnerable statd/lockd?

Take care,

Bill