
| Subject: | Re: debian dhcpd, old format string bug |
|---|---|
| Date: | Thu, 28 Oct 2004 21:48:12 -0400 |
On Thu, 28 Oct 2004 10:31:38 +1000 Tarragon Allen <tarragon@onthe.net.au> wrote:
> On Tuesday 26 October 2004 10:37, infamous41md@hotpop.com wrote:
> > Subject: Debian dhcpd package.
> > http://packages.debian.org/stable/net/dhcp
> > It is vulnerable to the '02 format string bug.
> > http://www.cert.org/advisories/CA-2002-12.html
>
> Firstly, good etiquette would have been for you to actually report the bug with Debian. I don't see any bugs raised against any of the appropriate packages regarding this.
I've tried contacting the person in charge of the Debian security audit project numerous times to try and co-ordinate audits, and he doesn't respond. I have better things to do with my time. I don't provide notice when people disregard my emails. If you don't like it, I don't care. My mother already taught me all the etiquette I need, but thanks for the moral support. Btw, is it salad fork left, or dinner fork left?
> Secondly, the advisory you refer to is only mentioning DHCP 3.0+. The Debian package you referred to is 2.0pl5. Perhaps you are referring to: http://packages.debian.org/stable/net/dhcp3-server
No, I gave a link to the package I was talking about.
> Which is presently at 3.0.1rc9. The CERT advisory refers to 3.01 to 3.01r8 inclusive. Are you saying the CERT advisory applies to other versions of DHCP?
I'm saying, grep -rn syslog * | grep -v \". Soon after I found that, I googled and found the CERT detailing a format string in logging code. I assumed it was the exact same thing I just found. I spoke with some debian person about this yesterday, or day before, and they can release an advisory to clear it up.
> t
> --
> http://moto-coda.org/public.gpg.key
-- -sean
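The audit technique Sean describes above, `grep -rn syslog * | grep -v \"`, flags every line that mentions syslog and contains no double quote, on the theory that a logging call with no string literal on the line is passing a variable as the format. That catches `syslog(LOG_INFO, buf)` but also flags `#include <syslog.h>`, misses a bug hidden behind a project-specific wrapper such as `log_error(msg)`, and misses a non-literal format on a line that happens to contain some other string. The scanner below is an added example, not code from this thread or from the dhcpd source: it locates calls to a configurable set of logging functions, splits the argument list on top-level commas (respecting nested parentheses and string literals), and reports the call when the argument in the format position is not a C string literal. The wrapper names `log_info` and `log_error` and the sample C source are constructed for the example; real dhcpd wrapper names differ, and the scanner does not skip comments or expand macros.

```python
"""Find C logging calls whose format argument is not a string literal.

Added example (not from the mailing-list thread or the dhcpd code base).
Generalises the one-liner `grep -rn syslog * | grep -v '"'`: instead of
rejecting any line that contains a double quote, it splits each call's
argument list and checks the argument in the format position.
"""
import re

# Logging functions and the 0-based index of their format argument.
# syslog(priority, fmt, ...) -> fmt is argument 1.
# log_info / log_error are assumed wrapper names for the example only.
LOG_FUNCS = {
    "syslog": 1,
    "log_info": 0,
    "log_error": 0,
}

# \b keeps "vsyslog(" and "log_client(" from matching.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, LOG_FUNCS)) + r")\s*\(")


def split_args(text):
    """Split the text following a call's '(' on top-level commas.

    Returns the list of argument strings, or None if the closing ')' is
    never found.  Commas inside nested parentheses or string literals do
    not split.
    """
    args, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(text):   # keep escaped char with its backslash
                cur.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == "(":
            depth += 1
            cur.append(c)
        elif c == ")":
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            depth -= 1
            cur.append(c)
        elif c == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    return None


def is_string_literal(arg):
    """True for a C string literal, including adjacent pieces: "a" "b"."""
    return bool(arg) and re.fullmatch(r'(\s*"(?:[^"\\]|\\.)*"\s*)+', arg) is not None


def find_nonliteral_formats(source):
    """Return [(line_no, func, format_arg)] for every logging call whose
    format argument is not a string literal: the format-string-bug pattern."""
    findings = []
    for m in CALL_RE.finditer(source):
        func = m.group(1)
        args = split_args(source[m.end():])
        if args is None:
            continue
        idx = LOG_FUNCS[func]
        if idx >= len(args):
            continue
        fmt = args[idx]
        if not is_string_literal(fmt):
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append((line_no, func, fmt))
    return findings


def grep_style(source, needle="syslog"):
    """The thread's one-liner: 1-based lines mentioning `needle` with no '"'."""
    return [i + 1 for i, line in enumerate(source.splitlines())
            if needle in line and '"' not in line]


# Constructed sample C source for the example (not dhcpd code).
SAMPLE = r'''
#include <syslog.h>
static void log_client(const char *host, const char *msg)
{
    char buf[256];
    snprintf(buf, sizeof buf, "client %s: %s", host, msg);
    syslog(LOG_INFO, buf);            /* format string bug: buf is the format */
    syslog(LOG_INFO, "%s", buf);      /* correct */
    log_info("lease for %s", host);   /* literal format, fine */
    log_error(msg);                   /* format string bug behind a wrapper */
    syslog(LOG_DEBUG, "raw " "data: %s", msg);  /* adjacent literals, fine */
}
'''

if __name__ == "__main__":
    for line_no, func, fmt in find_nonliteral_formats(SAMPLE):
        print(f"line {line_no}: {func}() format argument is not a literal: {fmt}")
    print("grep-style hits:", grep_style(SAMPLE))
```

On the constructed sample the parser reports lines 7 and 10 (the two real bugs), while the grep-style check reports lines 2 and 7: a false positive on the `#include` and a miss on the wrapper call. The point of the thread stands either way: what distinguishes a bug from a non-bug is whether the format argument is attacker-influenced data, and that is a per-call-site question the line-level grep only approximates.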