Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: What happened to the syslog bug ?

From: mkienenb () arsc edu (Mike Kienenberger)
Date: Tue, 25 Jun 1996 14:47:05 -0800

On Tue, 25 Jun 1996, Joe Rhett wrote:

In August last year 8LGM released an advisory warning about a syslog
vulnerability. Something to do with a buffer overflow and passing commands
to a remote site. The advisory said that exploit would not be released
yet, in order to give time to vendors to issue patches. Now I understand
that some vendors are pretty slow in acknowledging security problems but
it sounds like they had enough time by now.
Anyone considering posting details on this full disclosure list ?


Sun, HP, IBM, SGI, and SCO had patches available within 2 weeks. I've
had the patches installed for over 3 months on our systems ... what
other kind of "response" are you looking for?


I don't know about the other vendors, but SGI's patch only covered
sendmail's interaction with syslog, and not the actual syslog bug itself.
If I remember correctly, to fix the bug in syslog required replacing the
libc library which was a major change.
---
Mike Kienenberger               Arctic Region Supercomputing Center
Systems Analyst                 (907) 474-6842
mkienenb () arsc edu               http://www.arsc.edu
Previous By Date Next
Previous By Thread Next

Current thread: