Subject: Re: What to do about unfixed vulnerabilities?
To: Hubert Feyrer <hubert.feyrer@informatik.fh-regensburg.de>
From: Trevor Johnson <trevor@jpj.net>
List: tech-pkg
Date: 10/23/2000 14:33:59
Hubert Feyrer wrote:
> On Mon, 23 Oct 2000, Paul Hoffman wrote:
> > Package pine-4.21 has a denial-of-service vulnerability,
> > see http://www.securityfocus.com/advisories/2646
> >
> > Yes, but pine-4.21 is the current version of pine.
>
> IIRC the problem is fixed in pine-4.21nb1.
I notice this in FreeBSD's ports/mail/pine4/Makefile,v:
1.43
log
@Mark FORBIDDEN: known buffer overflows exploitable by remote email.
Parenthetically, no software which uses 4299 sprintf/strcpy/strcat
calls can possibly be safe - I don't expect to remove this FORBIDDEN
tag any time soon. :-(
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt
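The FreeBSD log entry quoted above objects to the sheer number of unbounded sprintf/strcpy/strcat calls. As an added example (not code from pine, from FreeBSD's port, or from anyone in this thread), the C below puts that unbounded pattern beside a bounded replacement that reports an oversized header value instead of writing past the buffer. HDR_MAX, the function names and the sample header values are constructed for the example and say nothing about pine's actual buffer sizes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed fixed-size buffer for one header value; the size is an
 * assumption for the example, not pine's actual buffer size. */
#define HDR_MAX 64

/* The pattern the FreeBSD log objects to: an unbounded copy into a fixed
 * buffer. Nothing checks strlen(value) against sizeof(dst), so any value of
 * HDR_MAX or more bytes writes past the end of dst. Shown for contrast only;
 * main() calls it with a value known to fit. */
static void copy_header_unbounded(char dst[HDR_MAX], const char *value)
{
    strcpy(dst, value);
}

/* Bounded replacement for strcpy/sprintf: copies value into dst if it fits,
 * otherwise leaves dst empty and reports failure. snprintf returns the length
 * the full output would have had, so n >= dstsz means the value did not fit. */
static bool copy_header_bounded(char *dst, size_t dstsz, const char *value)
{
    if (dstsz == 0)
        return false;
    int n = snprintf(dst, dstsz, "%s", value);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return false;
    }
    return true;
}

/* Bounded replacement for strcat: finds the current terminator (refusing a
 * dst that is not terminated within dstsz), then checks that `more` plus its
 * terminator fit in the remaining room before copying. */
static bool append_header_bounded(char *dst, size_t dstsz, const char *more)
{
    const char *end = memchr(dst, '\0', dstsz);
    if (end == NULL)
        return false;
    size_t used = (size_t)(end - dst);
    size_t need = strlen(more);
    if (need >= dstsz - used)
        return false;
    memcpy(dst + used, more, need + 1);
    return true;
}

/* Demo helper: does a constructed value of `len` bytes fit a HDR_MAX buffer? */
static bool accepts_len(size_t len)
{
    char value[512];
    char dst[HDR_MAX];
    if (len >= sizeof value)
        return false;
    memset(value, 'A', len);          /* constructed input */
    value[len] = '\0';
    return copy_header_bounded(dst, sizeof dst, value);
}

/* Demo helper: how many 10-byte chunks can be appended to an empty HDR_MAX
 * buffer before append_header_bounded refuses? */
static int appends_until_full(void)
{
    char dst[HDR_MAX] = "";
    int count = 0;
    while (append_header_bounded(dst, sizeof dst, "0123456789"))
        count++;
    return count;
}

int main(void)
{
    /* Constructed header value, 54 bytes, so it fits HDR_MAX. */
    const char *subject = "Subject: Re: What to do about unfixed vulnerabilities?";
    char dst[HDR_MAX];

    copy_header_unbounded(dst, subject);  /* safe only because strlen(subject) < HDR_MAX */
    printf("unbounded copy (fits): %s\n", dst);

    printf("bounded copy, 63 bytes:  %s\n", accepts_len(63) ? "accepted" : "rejected");
    printf("bounded copy, 64 bytes:  %s\n", accepts_len(64) ? "accepted" : "rejected");
    printf("bounded copy, 200 bytes: %s\n", accepts_len(200) ? "accepted" : "rejected");
    printf("10-byte appends accepted before full: %d\n", appends_until_full());
    return 0;
}
```

The point of returning a failure code rather than truncating silently is that the caller can decide what to do with an overlong header (reject the message, log it, display a truncated form), which is exactly the decision a blind strcpy never gets to make. A review that replaces each unbounded call with a checked one of this shape is the mechanical part of clearing a FORBIDDEN tag like the one quoted; deciding what each caller should do on failure is the part that takes the time.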