I thought you guys should know about this. (Yes, I'm aware that this message will go to the publicly-available archive.)

-Geoff

---------- Forwarded message ----------
Date: Tue, 02 Feb 99 22:32:43 EST
From: "CERT(R) Coordination Center" <[EMAIL PROTECTED]>
To: Geoff Hutchison <[EMAIL PROTECTED]>
Cc: "CERT(R) Coordination Center" <[EMAIL PROTECTED]>
Subject: Re: Vulnerability in ht://Dig: htnotify/VU#8258

-----BEGIN PGP SIGNED MESSAGE-----

Geoff Hutchison <[EMAIL PROTECTED]> writes:

>That's pretty close. To be completely precise, you can run arbitrary
>commands with the account running ht://Dig. (OK, I'm splitting
>hairs.)

Splitting hairs is fine by us. :-)

>See http://www.htdig.org/uses.html for some sites that use it. I would guess
>a lot of sites use it beyond those we know. It's in all the Linux
>distributions and available on sunsite, etc. The sites that deploy it are a
>rather heterogeneous bunch. They range from corporate users to universities to
>the FSF itself!

Okay; thanks for the pointer. I'll go check it out.

>I have posted public notices to the ht://Dig mailing list at
>[EMAIL PROTECTED], in part because we released a version (3.1.0b4) that fixed
>the bug. The publicly-available release notes mention the bug, though they
>do not give specific details. I have heard of no exploits based on this
>vulnerability.

We haven't gotten any incident reports that seem to involve it in any way.

>In the next week, we expect to release the final 3.1.0 release, which is
>also free from this bug. If the CERT advisory comes out after the 3.1.0
>release, we'd naturally advise all users to upgrade to that release.

Okay; when I'm back in the office (I'm at home now) I'll check our calendar and send you a possible schedule. My guess is that Tuesday the 15th or Wednesday the 16th would be good. How does that sound?

Generally, we like to contact the OS vendors who may distribute the vulnerable software as well as the maintainers and distributors of the package itself. To your knowledge, what vendors distribute ht://Dig? Based on your comments above, I'll assume most of the Linux vendors do. Do you know if any of the commercial vendors do? Is there a version for NT, MacOS, OS/2, Novell, or other operating systems?

Finally, do you have a PGP key we can use to encrypt our communications with?

Thanks,
Shawn

- --
Shawn V. Hernan
CERT (R) Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA USA 15213-3890

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----
