Date: Fri, 13 Dec 2002 06:03:43 -0800 (PST)
From: Steve G <linux_4ever@...oo.com>
To: Solar Designer <solar@...nwall.com>
Subject: Re: [Fwd: [RHSA-2002:196-09] Updated xinetd packages fix denial of service vulnerability]

Hello,

> Perhaps you're aware of whether this is fixed
> in development versions and what the fix was?

Yes, this was a problem but is now fixed. There
is one other serious problem fixed in the current
development version where descriptors were being
played with fast and loose. In the latter case, xinetd
mixed up its descriptors and sent log entries to
stdout... not good.

RedHat has rolled out 2 updates for xinetd so far and
they will be rolling out another. They are not
coordinating with anyone on the mailing list and I
think they are shooting themselves in the foot badly.
Because they are not coordinating, they are just
grabbing development snapshots that aren't complete or
fully tested.

The current development snapshot 20021209.tar.gz in
the xinetd.org/devel folder is stable and will become
release 2.3.10 in the next day or two. Rob felt like
we could release 2.3.10 this week.

Here's a link to the e-mail that I posted to the group
when I discovered the cause of the leaked descriptors:
http://marc.theaimsgroup.com/?l=xinetd&m=103767881425253&w=2

And here's a link to an e-mail where someone else
explained what he discovered about the descriptors
being mixed up:
http://marc.theaimsgroup.com/?l=xinetd&m=103893604709367&w=2

And here's a test script he supplied:
http://marc.theaimsgroup.com/?l=xinetd&m=103893602009155&w=2

Look for 2.3.10 to be released any day now. If you
want to be ahead of the game, look at the 1209 release
and then diff the final against it to make sure there
were no last minute surprises.

-Steve Grubb
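The descriptor mix-up described in the message above (log entries ending up on stdout, which for an inetd-style super-server is the client's socket) is easy to reproduce in miniature and easy to guard against. The following is an added example, not xinetd's own code and not from Steve's posts or the linked test script: it simulates a leaked/closed fd 1 so that the log descriptor lands on fd 1, then wires a "client socket" onto fds 0..2 with and without a defensive fix. The function names `lift_above_stdio`, `wire_client_to_stdio` and `log_leaks_to_client` are mine, and pipes stand in for the real accepted socket and log file.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Move a descriptor out of the 0..2 range and mark it close-on-exec, so that
 * dup2()-ing the client socket onto stdin/stdout/stderr can never replace it
 * and the exec'd service never inherits it. Returns the (possibly new) fd or -1. */
int lift_above_stdio(int fd)
{
    if (fd < 0)
        return -1;
    if (fd <= 2) {
        int nfd = fcntl(fd, F_DUPFD, 3);   /* lowest free descriptor >= 3 */
        if (nfd < 0)
            return -1;
        close(fd);
        fd = nfd;
    }
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0)
        return -1;
    return fd;
}

/* Per-connection setup the way an inetd-style super-server does it: the
 * accepted socket becomes the service's stdin, stdout and stderr. */
int wire_client_to_stdio(int client_fd)
{
    for (int i = 0; i < 3; i++)
        if (dup2(client_fd, i) < 0)
            return -1;
    return 0;
}

/* Child side of the simulation. Constructed scenario: fd 1 was closed earlier
 * (a leaked or mishandled descriptor), so the next descriptor the kernel hands
 * out for the log lands on 1 (lowest-free-descriptor rule). */
static void simulated_service_setup(int client_w, int log_w, int with_fix)
{
    close(1);
    int log_fd = dup(log_w);             /* ends up as fd 1 */
    if (with_fix)
        log_fd = lift_above_stdio(log_fd);
    wire_client_to_stdio(client_w);      /* silently overwrites fd 1 if unfixed */
    static const char msg[] = "LOG: connection accepted\n";
    if (log_fd >= 0)
        (void)write(log_fd, msg, sizeof msg - 1);
    _exit(0);
}

/* Run the scenario in a forked child; pipes stand in for the client socket and
 * the log file. Returns 1 if the log line reached the "client", 0 if it stayed
 * in the log, -1 on error. */
int log_leaks_to_client(int with_fix)
{
    int client[2], logp[2];
    if (pipe(client) < 0 || pipe(logp) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(client[0]);
        close(logp[0]);
        simulated_service_setup(client[1], logp[1], with_fix);
    }
    close(client[1]);
    close(logp[1]);
    waitpid(pid, NULL, 0);
    char buf[128];
    ssize_t n = read(client[0], buf, sizeof buf - 1);   /* EOF once child exits */
    close(client[0]);
    close(logp[0]);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return strstr(buf, "LOG:") != NULL;
}

int main(void)
{
    printf("unfixed: log line leaked to client = %d\n", log_leaks_to_client(0));
    printf("fixed:   log line leaked to client = %d\n", log_leaks_to_client(1));
    return 0;
}
```

The check a reviewer of such a daemon wants is the one `lift_above_stdio` encodes: any long-lived descriptor (log file, control socket, config file) must be pinned above 2 and set close-on-exec before the per-connection `dup2` onto 0..2, otherwise a single earlier leak or stray `close()` is enough to redirect log output to whoever is on the other end of the connection.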

