----- Original message -----
> This notice is in reference to a reported root hole in the FreeBSD port of
> perdition and more specifically the library vanessa_logger that it
> requires.
>
> http://www.securityfocus.org/archive/1/247148
>
> First I would like to express great dismay that this was published on a
> public list (BugTraq) without prior consultation with the author (myself)
> or to my knowledge the maintainer of the FreeBSD port, Konstantinos
> Konstantinidis.
>
> There is a string format bug in vanessa_logger 0.0.1, which is what the post
> to BugTraq makes reference to. FreeBSD was, at the time of the posting,
> shipping this vulnerable version.
>
> vanessa_logger 0.0.2, released on the 29th of June 2001, is not vulnerable
> to this exploit. FreeBSD have released a patched version of vanessa_logger
> 0.0.1 which is also not vulnerable. Users should upgrade to either of
> these.
>
> vanessa_logger 0.0.2 is available from
> ftp://ftp.vergenet.net/pub/vanessa/vanessa_logger/0.0.2
>
> At this time I would also like to highlight the importance of running
> perdition as a non-root user. The --username and --group options enable
> perdition to run as non-root for most of a process's life. If these options
> are used then the potential risk from any exploits stemming from the string
> format bug in vanessa_logger is significantly reduced.
>
> For more information on perdition please see
> http://vergenet.net/linux/perdition/
>
> --
> Horms
> Author of perdition and vanessa_logger
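The bug class the notice refers to, shown as an added illustration in C that is not code from vanessa_logger or perdition (the function names and the logger API shape are assumed): a logger that passes the text being logged as the format string, beside the hardened form that keeps the format under the programmer's control, plus a small audit helper for regression tests.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed shape of a logger entry point: the format is meant to come
 * from the programmer, and the values to log arrive as arguments. */
int log_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the message (which may carry attacker-controlled
 * text such as a username) becomes the format string.  Any '%'
 * conversion in it is interpreted by vsnprintf, so the logger reads, and
 * with some conversions writes, memory the caller never intended.
 * Benign input behaves identically to the safe version, which is why
 * this survives testing. */
int log_message_unsafe(char *out, size_t outlen, const char *msg)
{
    return log_fmt(out, outlen, msg);
}

/* Hardened pattern: fixed format, the message is only ever an argument. */
int log_message_safe(char *out, size_t outlen, const char *msg)
{
    return log_fmt(out, outlen, "%s", msg);
}

/* Audit helper: returns 1 if untrusted text contains a '%' that a
 * printf-family call would interpret ("%%" is a literal percent sign). */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char buf[64];
    const char *untrusted = "%x%x%x";        /* constructed sample input */
    log_message_safe(buf, sizeof buf, untrusted);
    printf("safe: %s (directive present: %d)\n", buf,
           has_format_directive(untrusted));
    return 0;
}
```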