Great Circle Associates Firewalls
(September 1993)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Serious security bug in MorningStar PPP
From: Brent Chapman <brent @ GreatCircle . COM>
Date: Fri, 24 Sep 1993 09:03:22 -0700
To: Firewalls @ GreatCircle . COM

This notice just came out from MorningStar Technologies this morning.  I
thought it was important enough to forward to the Firewalls mailing list.

I have great confidence in MorningStar; I think they make a good product,
and I think they provide good customer support.  I think they have acted
very admirably in publicizing this bug and the fix, rather than quietly
sweeping it under the rug and fixing it in a future release.  I wish I
could say the same about all the other vendors in this market.

Brent Chapman                                   Great Circle Associates
Brent @
 GreatCircle .
 COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041

Forwarded Message:

    Date: Fri, 24 Sep 93 09:39:58 -0400
    From: Karl Fox <karl @
 MorningStar .
    Message-Id: <9309241339 .
 AA26072 @
 remora .
 MorningStar .
    To: ppp-users @
 MorningStar .
    Subject: Serious Security Problem in MST PPP
    Organization: Morning Star Technologies, Inc.

    Every version of Morning Star PPP built since November 6, 1991 has a
    bug in the Filter file parser that causes phrases like


    to act instead like


    when `domain' has ambiguous /etc/services like this:

	domain  53/udp
	domain  53/tcp

    Check your Filter file immediately for such clauses and change them to
    the equivalent `53/tcp' (or whatever is appropriate).  You can change
    it back once you've fetched and installed the newest 1.4Beta MST PPP

Indexed By Date Previous: Security Risk Assessment (was Re: Access control for SMTP?)
From: nagler @ olsen . ch (Rob Nagler)
Next: Re: DIAL BACK MODEM software?
From: Brad Huntting <huntting @ advtech . uswest . com>
Indexed By Thread Previous: Re: Security Risk Assessment (was Re: Access control for SMTP?)
From: charisse @ Smallworks . COM (Charisse Castagnoli)
Next: Looks secure, must be secure.
From: "Spencer (P.S.) Dawkins" <dawkins @ bnr . ca>

Search Internet Search