> > > Platforms: Vulnerable:
> > >
> > > AIX: 4.0, 4.1, 4.2, 4.3
> > > HP-UX: 7.x, 8.x, 9.x, 10.x, 11.x
> > > SunOS: 4.1.3, 4.1.4
> > > Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6
> > > Redhat Linux: 4.0, 4.1, 4.2, 5.0, 5.1
> > > Slackware Linux: 3.0, 3.1, 3.2, 3.3, 3.4, 3.5
> > > OSF: 3.2
> > >
> > OK, TurboLinux 2.0 is NOT vulnerable, and neither is Redhat 5.1 despite
> > what it says up there. Why? Because neither TL nor RH 5.1 even include
> > rpc.pcnfsd (checked by querying every RPM package in both distributions,
> > grepping for 'pcnfs' -- no matches).
>
> Did you look carefully on sunsite?
>
> /pub/Linux/system/network/sunacm/Other/pcnfsd/pcnsfd-140.tar.gz

Notice there is a typo there. "pcnsfd"

It looks to me like the PCNFSD package wasn't included in any of the official Red Hat distributions (or, based on Scott's comments, official TurboLinux distributions). If that's the case, why would Red Hat be listed as a "vulnerable platform"?

First of all, as a vendor, Red Hat should only be held accountable for the packages they include in the "official" distribution. Second, it's not even "Red Hat Linux" or "Slackware Linux" that's vulnerable -- it's the PCNFSD package.

I'm not trying to say this specifically in defense of Red Hat -- it's more a general concern. If the package isn't part of the Frobnitz Linux distribution, then saying that "the Frobnitz Linux distribution is vulnerable" is incorrect and misleading. It would be much more accurate (and much less work for testing labs like RSI) to say something like, "The Linux PCNFSD package is vulnerable (tested under Frobnitz Linux 3.2.5)."

(It's also extremely advisable to give extra information identifying the package(s), because (especially with Linux) there are often several packages that try to meet the same need. In this case, there are the linux_pcnfsd2.tgz package and the pcnsfd-140.tar.gz package.)

On the other hand, if a package (such as bind) that _is_ part of the Frobnitz Linux distribution is found vulnerable, then I want to hear about it in the advisory.

One more point... If Slackware includes the PCNFSD package as part of the official distribution, that might explain why Mr. Volkerding was so helpful; Red Hat doesn't include it as part of their official distribution, and that might explain why they were so disinterested. (Does anyone from Slackware and/or Red Hat want to comment?)

Joe Vornehm
jvornehmat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:06 PDT