On 2005.05.15 22:55:44 +0200, Jesper Wallin wrote:
> About a week ago, right after 5.4-RELEASE was released, I received a
> mail from Gentoo Linux's security announcement list about a flaw in
> tcpdump and gzip. Since none of them are operating system related, I
> assumed a -p1 and -p2 of the 5.4-RELEASE. Instead, we got a patch for
> the HTT security issue so I wonder, is the FreeBSD version of tcpdump
> and/or gzip are secured or simply forgotten/ignored?
I'm rather sure that FreeBSD is vulnerable to the tcpdump issue (since
I don't see any reason we should not be), but unfortunately the
proof-of-concept code does not work on FreeBSD, so I have not yet been
able to verify the problem. That said, an advisory is upcomming, but
I cannot give you a date yet.
It should be noted that the tcpdump issue is DoS, not remote code
execution.
I do not know the status of the gzip issue, but I will look into it.
Both tcpdump and gzip issues are certainly not ignored, but preparing
an advisory (and all the related tasks) takes some time.
--
Simon L. Nielsen
FreeBSD Security Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-security/attachments/20050517/5db42a94/attachment.bin