[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

FWD: Author of rp-pppoe responds

From: David Eisenstein <deisenst gtw net>
To: fedora-legacy-list redhat com
Subject: FWD: Author of rp-pppoe responds
Date: Thu, 17 Nov 2005 08:17:23 -0600 (CST)

Should we upgrade our release of rp-pppoe, per David Skoll's advice, then?

	-David E.

Message forwarded from gmane.comp-security.bugtraq:
---------------------------------------------------

Subject:      Re: [FLSA-2005:152794] Updated rp-pppoe package	fixes security issue
From:         "David F. Skoll" <devnull roaringpenguin com>
Newsgroups:   gmane.comp.security.full-disclosure,gmane.comp.security.bugtraq
Message-ID:   <437A2DC8 9020401 roaringpenguin com>
Date:         Tue, 15 Nov 2005 13:49:44 -0500

Marc Deslauriers wrote:

> Synopsis:          Updated rp-pppoe package fixes security issue
> Advisory ID:       FLSA:152794

This is a totally bogus vulnerability, as I wrote in my response on
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0564

In fact, this so-called "fix" might tempt people to run rp-pppoe
SUID-root, which is a Bad Thing, because there are probably tons of other
reasons why a SUID-root rp-pppoe is dangerous.

rp-pppoe 3.6 was released a while ago.  It has a proper fix for SUID-ness.
I recommend people use that instead of distro versions with dubious
"security patches"

NOTE: I have set the return path to <devnull roaringpenguin com> to avoid
hundreds of responses from Bugtraq readers' broken auto-responders.  To
reply to me, reply to <dfs roaringpenguin com>

Regards,

David.

Follow-Ups:
- Re: FWD: Author of rp-pppoe responds
  - From: Eric Rostetter
- Re: FWD: Author of rp-pppoe responds
  - From: Pekka Savola

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]