FWD: Author of rp-pppoe responds
Pekka Savola
pekkas at netcore.fi
Thu Nov 17 16:04:09 UTC 2005
On Thu, 17 Nov 2005, David Eisenstein wrote:
> Should we upgrade our release of rp-pppoe, per David Skoll's advice, then?
This hardly seems worth the effort at this point; if a security update
is needed for other reasons, maybe this could be re-evaluated then.
> Message forwarded from gmane.comp-security.bugtraq:
> ---------------------------------------------------
>
> Subject: Re: [FLSA-2005:152794] Updated rp-pppoe package fixes security issue
> From: "David F. Skoll" <devnull at roaringpenguin.com>
> Newsgroups: gmane.comp.security.full-disclosure,gmane.comp.security.bugtraq
> Message-ID: <437A2DC8.9020401 at roaringpenguin.com>
> Date: Tue, 15 Nov 2005 13:49:44 -0500
>
> Marc Deslauriers wrote:
>
>> Synopsis: Updated rp-pppoe package fixes security issue
>> Advisory ID: FLSA:152794
>
> This is a totally bogus vulnerability, as I wrote in my response on
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0564
>
> In fact, this so-called "fix" might tempt people to run rp-pppoe
> SUID-root, which is a Bad Thing, because there are probably tons of other
> reasons why a SUID-root rp-pppoe is dangerous.
>
> rp-pppoe 3.6 was released a while ago. It has a proper fix for SUID-ness.
> I recommend people use that instead of distro versions with dubious
> "security patches"
>
> NOTE: I have set the return path to <devnull at roaringpenguin.com> to avoid
> hundreds of responses from Bugtraq readers' broken auto-responders. To
> reply to me, reply to <dfs at roaringpenguin.com>
>
> Regards,
>
> David.
>
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-legacy-list
>
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
More information about the fedora-legacy-list
mailing list