On Mon, 5 Feb 2001, Gerald Waugh wrote:

> "Rene Hendrix" <[EMAIL PROTECTED]> wrote
> > As promised we are releasing the Bind 8 rpms for Raq2.
> > These RPMS have not been thoroughly tested by Quality Assurance, and
> > it is recommended that you do not install these if you are not
> > familiar with rpm.
> >
> > Again, we expect these to be available in pkg format shortly.
> >
> > Location:
> > ***  Please note that these rpms are not for the Qube2,
> > ***  these will be released shortly
> > ftp://ftp/cobaltnet.com/pub/experimental/RPMS/mips/raq2/bind-8.2.3-C1.mips.rpm
> > ftp://ftp/cobaltnet.com/pub/experimental/RPMS/mips/raq2/bind-devel-8.2.3-C1.mips.rpm
> > ftp://ftp/cobaltnet.com/pub/experimental/RPMS/mips/raq2/bind-utils-8.2.3-C1.mips.rpm
> >
>
> The above URLs are defective. Click on these instead. Gee, maybe one day
> Cobalt/Sun will give us some good information.
>
> ftp://ftp.cobaltnet.com/pub/experimental/RPMS/mips/raq2/bind-8.2.3-C1.mips.rpm
> ftp://ftp.cobaltnet.com/pub/experimental/RPMS/mips/raq2/bind-devel-8.2.3-C1.mips.rpm
> ftp://ftp.cobaltnet.com/pub/experimental/RPMS/mips/raq2/bind-utils-8.2.3-C1.mips.rpm

> What is different about these RPMs versus the ones that were released a
> few days ago?????
> Gerald [EMAIL PROTECTED]

Yeah - wasn't exactly the same message sent to the list a few days ago by
somebody else, or am I seeing things?

Also, I'm still amused to see:

220 ProFTPD 1.2.0pre9 Server (ProFTPD) [ftp.cobaltnet.com]
220 ProFTPD 1.2.0pre8 Server (ProFTPD) [ftp.cobalt.com]

I don't really plan to keep downloading these patches from Cobalt's FTP
servers if they run completely ownable FTP sites.

From bugtraq:

"
                Advisory: misc. bugs
                Programname: proftpd
                Versions: 1.2.0 <= pre10
                Vendor: proftpd.net
                Severity: high (root shell) and low
                Contact: [EMAIL PROTECTED]


Bug1:
  void set_proc_title(char *fmt,...) in src/main.c

  <snip>

  setproctitle, defined setproctitle(char *fmt,...);, calls vsnprintf().
  This makes it vulnerable to format attacks. By carefully outlining the
  attack buffer it's possible to gain root privileges.
"

Even Cobalt supply patches, they just haven't installed them on their own
network yet.

Gossi.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
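
The advisory quoted in the message above describes a format-string bug: text reaches a `setproctitle(char *fmt, ...)` style function as the format itself and is parsed by `vsnprintf()`. The C sketch below is an added example, not ProFTPD's source and not part of the original post; `sink_title`, `title_unsafe`, `title_safe` and the sample input are hypothetical names and constructed data. It uses a harmless `%%` sequence to show that the unsafe form reinterprets its input while the constant-format form passes it through unchanged.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char title[128];            /* stands in for the process title */

/* Hypothetical stand-in for a setproctitle(char *fmt, ...) style sink:
 * whatever arrives as fmt is interpreted by vsnprintf(). */
static void sink_title(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(title, sizeof title, fmt, ap);
    va_end(ap);
}

/* Unsafe pattern: text that already contains client data is handed to
 * the sink as the format string, so it is parsed a second time. */
const char *title_unsafe(const char *client_text)
{
    char statbuf[128];
    snprintf(statbuf, sizeof statbuf, "ftpd: %s", client_text);
    sink_title(statbuf);           /* data used as format */
    return title;
}

/* Fixed pattern: the format is a constant, the data is only an argument. */
const char *title_safe(const char *client_text)
{
    char statbuf[128];
    snprintf(statbuf, sizeof statbuf, "ftpd: %s", client_text);
    sink_title("%s", statbuf);     /* data stays data */
    return title;
}

int main(void)
{
    /* Constructed input: the bytes contain two literal '%' characters. */
    const char *sample = "LIST 100%% full";
    char unsafe_out[128];

    snprintf(unsafe_out, sizeof unsafe_out, "%s", title_unsafe(sample));
    printf("unsafe: %s\n", unsafe_out);          /* "%%" collapsed to "%" */
    printf("safe:   %s\n", title_safe(sample));  /* input preserved */
    printf("input was reinterpreted: %s\n",
           strcmp(unsafe_out, title) != 0 ? "yes" : "no");
    return 0;
}
```

Any difference between the two outputs means the sink parsed caller-supplied bytes as conversion directives, which is the condition a code review or `-Wformat-security` style check should flag.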
