FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
Peter Jeremy
PeterJeremy at optushome.com.au
Mon Aug 4 03:11:37 PDT 2003
On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:
>Affects: All releases of FreeBSD up to and including 4.8-RELEASE
> and 5.0-RELEASE
> FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
...
>V. Solution
>
>1) Upgrade your vulnerable system to 4.8-STABLE
>or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
>(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
>dated after the respective correction dates.
I found the reference to RELENG_5_1 in the "Solutions" section but no
reference to 5.1-RELEASE in the "Affects" section somewhat confusing.
This is compounded by the failure to mention RELENG_5_0 in the
"Solutions" section. I gather that 5.1-RELEASE is not vulnerable due
to the realpath() rewrite in 1.14.
May I suggest that in future, when a release is not vulnerable due to
code rewrites or similar, this fact be explicitly mentioned. IMHO,
it's far better to err on the side of caution when dealing with
security issues.
Peter
More information about the freebsd-security
mailing list