Subject: Re: libwrap (was Re: amd vulnerability: patch for 1.3.3)
To: None <itojun@iijlab.net>
From: Manuel Bouyer <bouyer@asim.lip6.fr>
List: tech-security
Date: 10/18/1999 10:08:07
Cc: "Brian C. Grayson" <bgrayson@marvin.ece.utexas.edu>,
        tech-security@netbsd.org
Message-ID: <19991018100807.G21070@antioche.lip6.fr>
References: <19991017232534.A14455@marvin.ece.utexas.edu> <2544.940227908@coconut.itojun.org>
In-Reply-To: <2544.940227908@coconut.itojun.org>; from itojun@iijlab.net on Mon, Oct 18, 1999 at 03:25:08PM +0900

On Mon, Oct 18, 1999 at 03:25:08PM +0900, itojun@iijlab.net wrote:
> 	Looking at src/usr.sbin/portmap, it will only be able to filter
> 	connections to "portmap", not to "amd".  This can be filtered
> 	under service name "portmap".
> 	So the configuration line would be:
> 		portmap: ALL EXCEPT localhost k9
> 	but I'm not quite sure if this is what you want.

And I'm not sure this will prevent the security problem. You can't get the
port amd is bound to using portmap, but I guess a simple UDP scan will give
enough info to guess it.
The safe way is really to upgrade. If you can't upgrade the whole system, at
least upgrade amd with the -current (or -release if you're running 1.4.1 or
the release branch) sources.

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--
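As an added example that is not part of this message or of NetBSD's libwrap, here is a small model of how hosts_access would evaluate the line itojun proposed, assuming it lives in hosts.deny (the reading under which it restricts portmap to localhost and k9) and a host-name-only syntax with just ALL and EXCEPT; it shows that the rule gates only the daemon named portmap, so a request to amd matches nothing and is permitted, which is the gap Manuel points out.

```python
# Added example (not from the thread or from NetBSD's libwrap): a minimal
# model of tcp_wrappers hosts.allow/hosts.deny matching, enough to show that
# a rule for the "portmap" daemon says nothing about connections to "amd".
# Assumptions: only ALL, EXCEPT and plain host names; no wildcards, no
# KNOWN/LOCAL/PARANOID, no shell commands, no hosts_options extensions.

HOSTS_ALLOW = ""                                   # constructed: no explicit allow rules
HOSTS_DENY = "portmap: ALL EXCEPT localhost k9\n"  # the line proposed in the thread

def _parse_list(text):
    """'ALL EXCEPT localhost k9' -> (['ALL'], ['localhost', 'k9'])."""
    tokens = text.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []

def _name_in(tokens, name):
    return "ALL" in tokens or name in tokens

def _list_matches(text, name):
    included, excluded = _parse_list(text)
    return _name_in(included, name) and not _name_in(excluded, name)

def parse_rules(text):
    """Return (daemon_list, client_list) pairs; '#' comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((daemons, clients))
    return rules

def rule_matches(rules, daemon, client):
    return any(_list_matches(d, daemon) and _list_matches(c, client)
               for d, c in rules)

def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: a match in hosts.allow permits, a match in hosts.deny
    refuses, and a request matched by neither file is permitted."""
    if rule_matches(parse_rules(allow), daemon, client):
        return True
    if rule_matches(parse_rules(deny), daemon, client):
        return False
    return True

if __name__ == "__main__":
    for daemon, client in [("portmap", "k9"), ("portmap", "badhost.example"),
                           ("amd", "badhost.example")]:
        verdict = "allow" if hosts_access(daemon, client) else "deny"
        print(f"{daemon:8s} from {client:16s} -> {verdict}")
```

The last line of the output is the point: nothing in the rule refers to amd, so libwrap on portmap alone leaves amd reachable by anyone who already knows its port.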