
getty_ps



Dear Debians:
I contacted you at this e-mail address a couple of days ago, about getty_ps.  I received an e-mail from Herbert Xu in response; however, when I attempt to reply to Herbert, I get a bounced mail.  Please let Herbert know, and have someone advise me how to reply to him!

Thank you for your time and effort in this matter.

My reply to Herbert (that bounced):

    Your message could not be delivered to
'herbert@gondor.apana.org.au (host: gondor.apana.org.au) (queue: smtp)' for the following
reason:  ' mail from 206.191.157.124 rejected: administrative prohibition'


    Your message follows:

Received: from nwmagic.net  ( pc-203.nwmagic.net [192.168.1.203] )
          by sapphire.mail.nwmagic.net id aa23678
          for <herbert@gondor.apana.org.au>; 10 Apr 2004 15:25 -0700
Message-ID: <40787447.8080501@nwmagic.net>
Date: Sat, 10 Apr 2004 15:25:11 -0700
From: Christine Jamison <getty-info@nwmagic.net>
Organization: SPECTRA Software, Inc.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: getty_ps
References: <E1BC6tZ-00028D-00@gondolin.me.apana.org.au>
Content-Type: multipart/alternative;
 boundary="------------000804070602090608050302"


--------------000804070602090608050302
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Dear Herbert,
(I assume it's OK to call you that - I hear that blokes from Oz are 
informal. <smile>)  It was nice to hear back from you so promptly!  I 
will look up the references to "ps_getty" in the next week or so, and 
pass them along.  I have reviewed the reported security vulnerability, 
and it does indeed exist, but *only* if the package was compiled with 
SYSLOG_DEBUG *not* defined, which should *not* be the case in production 
versions. (The vulnerability is caused by a debug file.) The *simplest* 
fix is to check the source code (file "tune.h"), for "#define SYSLOG" 
and "#define SYSLOG_DEBUG".  If present, then this vulnerability does 
*not* exist, as the code that creates the file in question is disabled.  
If *not* present, then include these in the tune.h file,  re-compile, 
and re-install.  These 2 are defined by default in releases 2.0.8, 
2.0.9, and 2.1.0, btw.

A patched release will be 2.1.0b, and the patch will be in all future 
releases (2.0.10c or higher, or the scheduled 2.0.11). The fix should be 
released in the next 7 days, and I will advise you when I release it.

Please note that this vulnerability exists in all previous releases that 
I have copies of (going back to 2.0.4), and I assume all the way back 
from there.

Lastly, if you have any patches that have not found their way back into 
the "official" (non-Debian) package, I'd appreciate having a copy, so I 
can incorporate them into the original package.

Please feel free to contact me if you have any further questions.  Thank 
you for your time and effort in this matter.

Sincerely,
Christine Jamison


Herbert Xu wrote:

>Christine Jamison <getty-info@mail.nwmagic.net> wrote:
>
>>I am the official maintainer of "getty_ps", which several of your web 
>>pages refer to as "ps_getty".  I think it would be nice if you referred 
>>to it by the correct name, so as not to confuse people.  This is just a 
>>friendly suggestion. <nice smile>
>
>Thanks.  Can you please point me to the URLs of the pages with
>the incorrect references?
>
>>Also, please note that the latest release of getty_ps is 2.1.0, and this 
>
>Please keep in mind that Debian has a release cycle longer than that of
>the Linux kernel itself.  Therefore looking at the current stable Debian
>release is always going to result in ancient versions.
>
>Debian unstable on the other hand has had 2.1.0 for two years.
>
>>Also, recently a security bug has been discovered in this package, and 
>>a patch will be forthcoming.  If you would like notification when this 
>>patch is available, please provide me with contact info, and I will be 
>>*most* happy to contact you.  You can get copies of getty_ps at 
>>"ftp.ibiblio.org", or my web site "ftp.nwmagic.net".
>
>Please contact me about this since I'm the Debian maintainer of this
>package.
>
>Cheers,

--------------000804070602090608050302
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body>
Dear Herbert,<br>
(I assume it's OK to call you that - I hear that blokes from Oz are informal.
&lt;smile&gt;) &nbsp;It was nice to hear back from you so promptly!&nbsp; I will look
up the references to "ps_getty" in the next week or so, and pass them along.&nbsp;
I have reviewed the reported security vulnerability, and it does indeed exist,
but *only* if the package was  compiled with SYSLOG_DEBUG *not* defined,
which should *not* be the case  in production versions. (The vulnerability
is caused by a debug file.)  The *simplest* fix is to check the source code
(file "tune.h"), for  "#define SYSLOG" and "#define SYSLOG_DEBUG".&nbsp; If present,
then this  vulnerability does *not* exist, as the code that creates the file
in  question is disabled.&nbsp; If *not* present, then include these in the  tune.h
file,&nbsp; re-compile, and re-install. &nbsp;These 2 are defined by default in releases
2.0.8, 2.0.9, and 2.0.10, btw.<br>
<br>
A&nbsp;patched release will be 2.0.10a, and the patch will be in all future releases
(2.0.10b or  higher, or the scheduled 2.0.11). The fix should be released
in the next  7 days, and I will advise you when I release it.<br>
<br>
Please note that this vulnerability exists in all previous releases that  I
have copies of (going back to 2.0.4), and I assume all the way back  from
there.<br>
<br>
Lastly, if you have any patches that have not found their way back into the
"official" (non-Debian) package, I'd appreciate having a copy, so I can incorporate
them into the original package.<br>
<br>
Please feel free to contact me if you have any further questions.&nbsp; Thank
 you for your time and effort in this matter.<br>
<br>
Sincerely,<br>
Christine Jamison <br>
<br>
<br>
Herbert Xu wrote:<br>
<blockquote type="cite"
 cite="midE1BC6tZ-00028D-00@gondolin.me.apana.org.au">
  <pre wrap="">Christine Jamison <a class="moz-txt-link-rfc2396E" href="mailto:getty-info@mail.nwmagic.net">&lt;getty-info@mail.nwmagic.net&gt;</a> wrote:
  </pre>
  <blockquote type="cite">
    <pre wrap="">I am the official maintainer of "getty_ps", which several of your web 
pages refer to as "ps_getty".  I think it would be nice if you referred 
to it by the correct name, so as not to confuse people.  This is just a 
friendly suggestion. &lt;nice smile&gt;
    </pre>
  </blockquote>
  <pre wrap=""><!---->
Thanks.  Can you please point me to the URLs of the pages with
the incorrect references?

  </pre>
  <blockquote type="cite">
    <pre wrap="">Also, please note that the latest release of getty_ps is 2.1.0, and this 
    </pre>
  </blockquote>
  <pre wrap=""><!---->
Please keep in mind that Debian has a release cycle longer than that of
the Linux kernel itself.  Therefore looking at the current stable Debian
release is always going to result in ancient versions.

Debian unstable on the other hand has had 2.1.0 for two years.

  </pre>
  <blockquote type="cite">
    <pre wrap="">Also, recently a security bug has been discovered in this package, and 
a patch will be forthcoming.  If you would like notification when this 
patch is available, please provide me with contact info, and I will be 
*most* happy to contact you.  You can get copies of getty_ps at 
"<a class="moz-txt-link-abbreviated" href="ftp://ftp.ibiblio.org">ftp.ibiblio.org</a>", or my web site "<a class="moz-txt-link-abbreviated" href="ftp://ftp.nwmagic.net">ftp.nwmagic.net</a>".
    </pre>
  </blockquote>
  <pre wrap=""><!---->
Please contact me about this since I'm the Debian maintainer of this
package.

Cheers,
  </pre>
</blockquote>
<br>
</body>
</html>

--------------000804070602090608050302--
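
Added example (not part of the original e-mail and not getty_ps code): a shell check for the condition the message above describes, namely that tune.h carries active "#define SYSLOG" and "#define SYSLOG_DEBUG" lines. The function names and the sample headers are constructed for illustration; the real tune.h may be laid out differently.

```shell
#!/bin/sh
# Added example: check a getty_ps tune.h for the two macros named in the message.
# Limits: only one-line /* ... */ comments are stripped and #if/#ifdef nesting
# is not evaluated, so treat the result as a first-pass check.

# has_define FILE NAME: succeed if the last #define/#undef of NAME in FILE
# is an active "#define NAME". NAME must end at whitespace or end of line,
# so SYSLOG does not match SYSLOG_DEBUG.
has_define() {
    awk -v name="$2" '
        { gsub(/\/\*.*\*\//, "") }   # ignore defines that are commented out
        $0 ~ "^[ \t]*#[ \t]*define[ \t]+" name "([ \t]|$)" { state = 1 }
        $0 ~ "^[ \t]*#[ \t]*undef[ \t]+" name "([ \t]|$)"  { state = 0 }
        END { exit(state ? 0 : 1) }
    ' "$1"
}

# check_tune_h FILE: 0 = both macros defined, 1 = at least one missing,
# 2 = file not readable.
check_tune_h() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    missing=""
    for macro in SYSLOG SYSLOG_DEBUG; do
        has_define "$1" "$macro" || missing="$missing $macro"
    done
    if [ -z "$missing" ]; then
        echo "$1: SYSLOG and SYSLOG_DEBUG are defined"
        return 0
    fi
    echo "$1: not defined:$missing (add to tune.h, re-compile, re-install)"
    return 1
}

# Constructed sample headers, not the real getty_ps tune.h.
demo_dir=$(mktemp -d)
printf '%s\n' '#define SYSLOG' '#  define SYSLOG_DEBUG /* debug output to syslog */' \
    > "$demo_dir/ok.h"
printf '%s\n' '#define SYSLOG' '/* #define SYSLOG_DEBUG */' > "$demo_dir/missing.h"

check_tune_h "$demo_dir/ok.h"
check_tune_h "$demo_dir/missing.h" || true
rm -rf "$demo_dir"
```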


  





