Ports scheduled for removal on Nov 7

Alexander Leidinger Alexander at Leidinger.net
Fri Aug 8 04:30:35 PDT 2003


On Thu, 7 Aug 2003 21:53:34 -0700
Kris Kennaway <kris at obsecurity.org> wrote:

> The following ports are scheduled for removal on November 7 if they
> are still broken at that time and no PRs have been submitted to fix

> databases/firebird	firebird-1.0.2	chris at aims.com.au
> databases/firebird-devel	firebird-1.0.r2	chris at aims.com.au

I've marked them FORBIDDEN because of a posting on bugtraq. I've talked
with the maintainer and he explained that the developers focus on the
development of the next version and don't seem to be interested in
fixing this vulnerability.

The description of the bug can be found at
http://packetstormsecurity.nl/0305-exploits/dsr-adv001.txt. It's a
getenv() overflow, so you need an account on the machine. As long as you
are confident that there's no possibility to exploit this flaw (e.g.
dedicated DBS machine with no local accounts), there's no problem.

Do we really need to remove it? If yes, is it ok to just print a big
warning instead of marking it as forbidden?

Bye,
Alexander.

-- 
            The dark ages were caused by the Y1K problem.

http://www.Leidinger.net                       Alexander @ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7

