On Tue, 25 Jun 1996, Mike Kienenberger wrote:
> On Tue, 25 Jun 1996, Joe Rhett wrote:
> > > In August last year 8LGM released an advisory warning about a syslog
> > > vulnerability. Something to do with a buffer overflow and passing commands
> > > to a remote site. The advisory said that exploit would not be released
> > > yet, in order to give time to vendors to issue patches. Now I understand
> > > that some vendors are pretty slow in acknowledging security problems but
> > > it sounds like they had enough time by now.
> >
> > Sun, HP, IBM, SGI, and SCO had patches available within 2 weeks. I've
> > had the patches installed for over 3 months on our systems ... what
> > other kind of "response" are you looking for?
>
> I don't know about the other vendors, but SGI's patch only covered
> sendmail's interaction with syslog, and not the actual syslog bug itself.
> If I remember correctly, to fix the bug in syslog required replacing the
> libc library which was a major change.
BSDI's patch for 2.0.1 was a full replace-libc fix.
M.
##################################################################
# Martin Hargreaves (martin_at_datamodl.demon.co.uk) Computational #
# Director, Datamodel Ltd Chemist #
# Contract Unix system admin/Unix security Sysadmin #
##################################################################
Received on Jun 26 1996
Intro
