>> OB CERT bash - They still have not issued a warning about this.
>Um, excuse me? What's this? Please note the attached CERT advisory.
(CERT advisory about SUN being vulnerable to lpd attack)
The problem is that it is a generic bug, not a Sun-specific one. The machines
at this site which were broken were not Suns.
If you are running an LPD which is older than BSD 4.3-Reno, then you are
vulnerable. Upgrade now!
>It's bad enough that people have this misguided attitude about CERT, but
>even worse when folks say disparaging things without even checking the
>archives first. Sheesh.
When I phoned CERT, telling them detailed symptoms and probable causes,
they said 'That is interesting, please keep us informed, we know of no
problems in that area'. When I spoke to them two days later, giving
exact details they said 'Oh yes, that old one, the major vendors are
silently fixing that one'. I would not like to guess how many sites fell
in those two days.
You might note that Sun are now up to version 14 of the patch, not the 6
which is quoted as being 'the result of that lengthy test cycle'. I stand
by my remark that putting the lpr commands into a chrooted environment is
a bad idea.