Xref: utzoo comp.unix.wizards:25296 alt.security:2384
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!olivea!uunet!snorkelwacker.mit.edu!paperboy!hsdndev!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <2897:May117:10:5691@kramden.acf.nyu.edu>
Date: 1 May 91 17:10:56 GMT
References: <14683@ulysses.att.com> <1991Apr30.164646.11693@pcserver2.naitc.com> <1991May1.010657.281@lokkur.dexter.mi.us>
Organization: IR
Lines: 17

In article <1991May1.010657.281@lokkur.dexter.mi.us> scs@lokkur.dexter.mi.us (Steve Simmons) writes:
> Some CERT person may correct me, but I believe that CERT only
> makes public announcements when a fix or workaround is already
> available.

May I remind you that a fix *is* available? It's not a plug 'n' play
patch, but it does the job, and I'm perfectly willing to help people
implement it if something isn't clear in the original description. I
went to quite a bit of effort to put part 3 together, so it's rather
depressing to see someone say that the fixes don't exist.

I expect that CERT will announce when binary patches are available to
fix these holes on some machine. Sites that want to speed this process
should complain to their vendors. Sites that have modified their systems
can still apply the fixes I've explained.

---Dan