Re: TCP timestamp vulnerability

Board: FB_security, posted 2005/06/22 02:26
Jacques Vidrine wrote:
>
> On May 19, 2005, at 5:53 AM, Christian Brueffer wrote:
>
>> fixes for the vulnerability described in
>> http://www.kb.cert.org/vuls/id/637934
>> were checked in to CURRENT and RELENG_5 by ps in April.
>>
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c
>>
>> Revisions 1.270 and 1.252.2.16
>>
>> He didn't commit it to RELENG_5_4 for some reason, so 5.4 shipped with
>> it.
>>
>> My guess is that he didn't notify you guys either.
>>
>> I stumbled upon this through a Heise News article at
>> http://www.heise.de/newsticker/meldung/59672. Sent them an update about
>> the fixed branches, but they'd like to know why this wasn't communicated
>> back to US-CERT yadda yadda yadda.
>
> Thanks, Christian. No, ps@ didn't point it out. It gets a little
> confusing too, since I see that the work was submitted by multiple
> folks, one of which reported another related vulnerability to us on May
> 18 (7 days after that commit). Now to try to untangle what is what ...

My boss asked me to check on whether this problem was fixed for FreeBSD 4.10. I didn't see any advisories related to this, and FreeBSD is still showing as vulnerable on the CERT web site. It doesn't look like a fix for this has been committed to any of the 4.X branches.

Any word on this? Thanks for the help.

Richard Coleman
rcoleman@criticalmagic.com
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #12k5l000 (FB_security)