Subject: Re: What to do about unfixed vulnerabilities?
To: Hubert Feyrer <hubert.feyrer@informatik.fh-regensburg.de>
From: Trevor Johnson <trevor@jpj.net>
List: tech-security
Date: 10/23/2000 14:33:59
Date: Mon, 23 Oct 2000 14:33:59 -0400 (EDT)
From: Trevor Johnson <trevor@jpj.net>
To: Hubert Feyrer <hubert.feyrer@informatik.fh-regensburg.de>
cc: Paul Hoffman <phoffman@proper.com>, tech-pkg@netbsd.org,
   tech-security@netbsd.org
Subject: Re: What to do about unfixed vulnerabilities?
In-Reply-To: <Pine.GSO.4.21.0010231818540.2541-100000@rfhpc8320.fh-regensburg.de>
Message-ID: <Pine.BSI.4.21.0010231430490.7996-100000@blues.jpj.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hubert Feyrer wrote:

> On Mon, 23 Oct 2000, Paul Hoffman wrote:
> >      Package pine-4.21 has a denial-of-service vulnerability,
> >      see http://www.securityfocus.com/advisories/2646
> > 
> > Yes, but pine-4.21 is the current version of pine.
> 
> IIRC the problem is fixed in pine-4.21nb1.

I notice this in FreeBSD's ports/mail/pine4/Makefile,v:

1.43
log
@Mark FORBIDDEN: known buffer overflows exploitable by remote email.
Parenthetically, no software which uses 4299 sprintf/strcpy/strcat
calls can possibly be safe - I don't expect to remove this FORBIDDEN
tag any time soon. :-(
-- 
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt
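An added example, not code from this thread or from pine or the FreeBSD port, showing the class of call the FORBIDDEN log entry refers to: the unbounded strcpy/strcat pattern for building a header line beside a bounded snprintf replacement that detects truncation instead of writing past the buffer. The buffer size, function names and the header text are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed: a fixed-size line buffer of the kind a mail client uses
 * when rendering a header. Both functions build "From: <addr>". */
#define LINE_MAX_LEN 64

/* Unbounded pattern (strcpy/strcat): nothing limits how much of 'addr'
 * lands in 'line'. A header value longer than the buffer, which a remote
 * sender controls, writes past its end (undefined behaviour). Shown only
 * for the shape of the defect; called here with input that fits. */
static void format_from_unbounded(char *line, const char *addr)
{
    strcpy(line, "From: <");
    strcat(line, addr);
    strcat(line, ">");
}

/* Bounded replacement: snprintf writes at most 'size' bytes and returns
 * the length the full string would have needed, so an oversized input is
 * detectable. Returns 0 on success, -1 if the header did not fit. */
static int format_from_bounded(char *line, size_t size, const char *addr)
{
    int needed = snprintf(line, size, "From: <%s>", addr);
    if (needed < 0 || (size_t)needed >= size) {
        line[0] = '\0';           /* never hand back a partial line */
        return -1;
    }
    return 0;
}

int main(void)
{
    char line[LINE_MAX_LEN];
    char oversized[2 * LINE_MAX_LEN];

    format_from_unbounded(line, "user@example.org");   /* fits */
    printf("%s\n", line);

    /* Constructed header value longer than the buffer. */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    if (format_from_bounded(line, sizeof line, oversized) != 0)
        printf("rejected: header value longer than %d bytes\n", LINE_MAX_LEN);
    return 0;
}
```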