Bugtraq mailing list archives

Re: Debian not vulnerable to recent cron buffer overflow
From: peter () NETPLEX COM AU (Peter Wemm)
Date: Wed, 1 Sep 1999 15:25:52 +0800


Marc Merlin wrote:
> [..]
>
> > Red Hat has recently released a Security Advisory (RHSA-1999:030-01)
> > covering a buffer overflow in the vixie cron package.  Debian has
> > discovered this bug two years ago and fixed it.  Therefore versions in
> > both, the stable and the unstable, distributions of Debian are not
> > vulnerable to this problem.
>
> Does anyone know if Debian never sent the fix to Paul Vixie, or if it was
> sent and Paul "missed it"?

I'm not sure what or how it happened, but in FreeBSD at least this problem
was solved differently, and quite some time ago.  FreeBSD's cron doesn't
supply the arguments to sendmail, it uses sendmail -t and prints the
recipient name in the To: header, letting sendmail decide if it's a valid
recipient address or not.

revision 1.3
date: 1995/04/14 21:54:16;  author: ache;  state: Exp;  lines: +3 -2
Fix MAILTO hole by passing -t to sendmail
Submitted by: Mike Pritchard <pritc003 () maroon tc umn edu>

Cheers,
-Peter

--
Peter Wemm - peter () FreeBSD org; peter () yahoo-inc com; peter () netplex com au
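
The approach described in the reply above, sketched as an added example (not FreeBSD's or Vixie cron's source, and not code from the original post): the mailer is started with a fixed `sendmail -t` argument vector, and the MAILTO value is written only into the To: header on its stdin. The mailer path, header wording, function names and the CR/LF rejection are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added illustration, not cron source. Mailer path is an assumption. */
#define MAILER "/usr/sbin/sendmail"

/* Fixed argument vector: nothing from the crontab reaches the command line. */
static char *const mailer_argv[] = { "sendmail", "-t", NULL };

/* Write the headers; the MAILTO value appears only here, as message data.
 * Returns 0, or -1 if a value would break out of its header line. */
int write_mail_headers(FILE *out, const char *user, const char *mailto)
{
    if (strpbrk(mailto, "\r\n") != NULL || strpbrk(user, "\r\n") != NULL)
        return -1;
    /* fprintf streams the value, so no fixed-size buffer bounds its length. */
    if (fprintf(out, "From: root (Cron Daemon)\nTo: %s\n"
                     "Subject: Cron <%s> job output\n\n", mailto, user) < 0)
        return -1;
    return 0;
}

/* Run the mailer with stdin on a pipe; returns its exit status or -1. */
int mail_job_output(const char *user, const char *mailto, const char *body)
{
    int fds[2], status;
    pid_t pid;
    FILE *out;
    signal(SIGPIPE, SIG_IGN);            /* mailer may exit before reading */
    if (pipe(fds) < 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: becomes the mailer */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        execv(MAILER, mailer_argv);      /* no shell, no string building */
        _exit(127);
    }
    close(fds[0]);
    if ((out = fdopen(fds[1], "w")) == NULL) { close(fds[1]); return -1; }
    if (write_mail_headers(out, user, mailto) == 0)
        fputs(body, out);
    fclose(out);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With `-t`, whether the recipient is valid is decided by sendmail's own header parsing, so cron needs no command buffer sized for the address.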


