Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20021213140343.96066.qmail@web9605.mail.yahoo.com>
Date: Fri, 13 Dec 2002 06:03:43 -0800 (PST)
From: Steve G <linux_4ever@...oo.com>
To: Solar Designer <solar@...nwall.com>
Cc: "Dmitry V. Levin" <ldv@...linux.org>, xvendor@...ts.openwall.com
Subject: Re: [Fwd: [RHSA-2002:196-09] Updated xinetd packages fix denial of service vulnerability]

Hello,

>Perhaps you're aware of whether this is fixed 
>in development versions and what the fix was?

Yes there this was a problem but is now fixed. There
is one other serious problem fixed in the current
development version where descriptors were being
played with fast and loose. It the latter case, xinetd
mixed up its descriptors and sent log entries to
stdout....not good.

RedHat has rolled out 2 updates for xinetd so far and
they will be rolling out another. They are not
coordinating with anyone on the mailing list and I
think they are shooting themselves in the foot badly.
Because they are not coordinating, they are just
grabbing development snapshots that aren't complete or
fully tested.

The current development snapshot 20021209.tar.gz in
the xinetd.org/devel folder is stable and will become
release 2.3.10 in the next day or two. Rob felt like
we could release 2.3.10 this week.

Here's a link to the e-mail that I posted to the group
when I discovered the cause of the leaked descriptors:
http://marc.theaimsgroup.com/?l=xinetd&m=103767881425253&w=2

And here's a link to an e-mail where someone else
explained what he discovered about the descriptors
being mixed up:
http://marc.theaimsgroup.com/?l=xinetd&m=103893604709367&w=2

And here's a test script he supplied:
http://marc.theaimsgroup.com/?l=xinetd&m=103893602009155&w=2

Look for 2.3.10 to be released any day now. If you
want to be ahead of the game, look at the 1209 release
and then diff the final against it to make sure there
were no last minute surprises.

-Steve Grubb


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

Powered by blists - more mailing lists

Please check out the xvendor mailing list charter.