Return-Path: <news@columbia.edu>
Received: from watsun.cc.columbia.edu (watsun.cc.columbia.edu [128.59.39.2])
	by uhaligani.cc.columbia.edu (8.9.3/8.9.3) with ESMTP id QAA15685
	for <kermit.misc@cpunix.cc.columbia.edu>; Thu, 21 Dec 2000 16:12:21 -0500 (EST)
Received: from newsmaster.cc.columbia.edu (newsmaster.cc.columbia.edu [128.59.59.30])
	by watsun.cc.columbia.edu (8.8.5/8.8.5) with ESMTP id QAA16808
	for <kermit.misc@watsun.cc.columbia.edu>; Thu, 21 Dec 2000 16:12:21 -0500 (EST)
Received: (from news@localhost)
	by newsmaster.cc.columbia.edu (8.9.3/8.9.3) id PAA06385
	for kermit.misc@watsun.cc.columbia.edu; Thu, 21 Dec 2000 15:45:14 -0500 (EST)
X-Authentication-Warning: newsmaster.cc.columbia.edu: news set sender to <news> using -f
From: fdc@columbia.edu (Frank da Cruz)
Subject: Re: Sec. Vulnerability in kermit(1)
Date: 21 Dec 2000 20:45:11 GMT
Organization: Columbia University
Message-ID: <91tq4n$67e$1@newsmaster.cc.columbia.edu>
To: kermit.misc@columbia.edu

In article <91tmo8$f0r$2@web1.cup.hp.com>,
Security Alert <security-alert@hp.com> wrote:
: ----------------------------------------------------------------------
: HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0135, 21 Dec '00
: ----------------------------------------------------------------------
: ISSUE: Kermit communications software contains a buffer overflow.
:

This same problem was also reported to Linux Bugtraq a while back. Like
many long-lived programs, C-Kermit contains its share of sprintf's,
strcpy's, etc. An extensive audit was performed after C-Kermit 7.0 was
released in January 2000 and the next release, 7.1, has all known memory
leaks and buffer vulnerabilities plugged.

While it is advisable to patch the current release, the real solution to
this problem is to download and test C-Kermit 7.1 Alpha.01, which was
announced here two weeks ago. You can find it here:

  http://www.columbia.edu/kermit/ck71.txt

and when the testing phase is over, to install it in place of C-Kermit 6.0,
which is what /bin/kermit is today on HP-UX 10.00 and later.

C-Kermit 7.1 also has hundreds of other improvements and new features
listed here (C-Kermit 7.0):

  http://www.columbia.edu/kermit/ckermit.html

and here (C-Kermit 7.1):

  http://www.columbia.edu/kermit/ck71.html

Frank da Cruz
The Kermit Project
Columbia University
http://www.columbia.edu/kermit/