Date: Fri, 13 Dec 2002 06:03:43 -0800 (PST)
From: Steve G <linux_4ever@...oo.com>
To: Solar Designer <solar@...nwall.com>
Cc: "Dmitry V. Levin" <ldv@...linux.org>, xvendor@...ts.openwall.com
Subject: Re: [Fwd: [RHSA-2002:196-09] Updated xinetd packages fix denial of service vulnerability]

Hello,

>Perhaps you're aware of whether this is fixed
>in development versions and what the fix was?

Yes, this was a problem but is now fixed. There is one other serious problem fixed in the current development version where descriptors were being played with fast and loose. In the latter case, xinetd mixed up its descriptors and sent log entries to stdout....not good.

RedHat has rolled out 2 updates for xinetd so far and they will be rolling out another. They are not coordinating with anyone on the mailing list and I think they are shooting themselves in the foot badly. Because they are not coordinating, they are just grabbing development snapshots that aren't complete or fully tested.

The current development snapshot 20021209.tar.gz in the xinetd.org/devel folder is stable and will become release 2.3.10 in the next day or two. Rob felt like we could release 2.3.10 this week.

Here's a link to the e-mail that I posted to the group when I discovered the cause of the leaked descriptors:
http://marc.theaimsgroup.com/?l=xinetd&m=103767881425253&w=2

And here's a link to an e-mail where someone else explained what he discovered about the descriptors being mixed up:
http://marc.theaimsgroup.com/?l=xinetd&m=103893604709367&w=2

And here's a test script he supplied:
http://marc.theaimsgroup.com/?l=xinetd&m=103893602009155&w=2

Look for 2.3.10 to be released any day now. If you want to be ahead of the game, look at the 1209 release and then diff the final against it to make sure there were no last minute surprises.

-Steve Grubb