, <da@securityfocus.com>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 05/08/2002 21:43:56
On Wed, 8 May 2002, Paul Hoffman wrote:
> >Probably the changes are very little when compared to official 3.0 Beta 2
> >Patchlevel 24.
>
> So you are saying we forked and stopped?
Just like other programs under /usr/src/dist, they get updated when
someone dedicates the time to review the official code and have time to
integrate it.
> >Just because a syslog formatting was improved doesn't mean that a security
> >issue was fixed. Probably the vulnerability wasn't even known.
>
> Sorry, I can't parse that. Do you mean that we did a sweep, found
> some suspicious-looking stuff, fixed it, but didn't report the
> suspicious-looking stuff to ISC? If so, that doesn't seem like a good
> thing for everyone else on the Internet...
It probably was not "suspicious". And anyways I don't know if the
patches were sent to ISC.
On Wed, 8 May 2002, Dave Ahmad wrote:
> Well, it was found during a 'sweep', was it not? And I think it's a safe
> assumption that this format string sweep was carried out to find
> possible security problems.
I would not assume it was done to "find" security problems.
I would guess that hundreds and maybe thousands of string formatting
improvements have been done with the code this past few years.
Just like another BSD says: they don't try to find exploits for the code
and they don't have time to report every little fix -- especially since
most probably aren't ever exploitable.
> I found the NetBSD response in the CERT advisory a little strange myself
> -- it seems to me that a bug discovered in ISC dhcpd would
Who says that NetBSD fixed a bug?
They were just routine format string cleanups.
Jeremy C. Reed
http://bsd.reedmedia.net/