I contacted you at this e-mail address a couple of days ago, about getty_ps. I received an e-mail from Herbert Xu in response; however, when I attempt to reply to Herbert, I get a bounced mail. Please let Herbert know, and have someone advise me how to reply to him!
Thank you for your time and effort in this matter.
My reply to Herbert (that bounced):
Your message could not be delivered to '[EMAIL PROTECTED] (host: gondor.apana.org.au) (queue: smtp)' for the following reason: ' mail from 206.191.157.124 rejected: administrative prohibition'

Your message follows:

Received: from nwmagic.net ( pc-203.nwmagic.net [192.168.1.203] ) by sapphire.mail.nwmagic.net id aa23678 for <[EMAIL PROTECTED]>; 10 Apr 2004 15:25 -0700
Message-ID: <[EMAIL PROTECTED]>
Date: Sat, 10 Apr 2004 15:25:11 -0700
From: Christine Jamison <[EMAIL PROTECTED]>
Organization: SPECTRA Software, Inc.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Herbert Xu <[EMAIL PROTECTED]>
Subject: Re: getty_ps
References: <[EMAIL PROTECTED]>
Content-Type: multipart/alternative; boundary="------------000804070602090608050302"

--------------000804070602090608050302
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Dear Herbert,
(I assume it's OK to call you that - I hear that blokes from Oz are informal. <smile>) It was nice to hear back from you so promptly! I will look up the references to "ps_getty" in the next week or so, and pass them along. I have reviewed the reported security vulnerability, and it does indeed exist, but *only* if the package was compiled with SYSLOG_DEBUG *not* defined, which should *not* be the case in production versions. (The vulnerability is caused by a debug file.) The *simplest* fix is to check the source code (file "tune.h"), for "#define SYSLOG" and "#define SYSLOG_DEBUG". If present, then this vulnerability does *not* exist, as the code that creates the file in question is disabled. If *not* present, then include these in the tune.h file, re-compile, and re-install. These 2 are defined by default in releases 2.0.8, 2.0.9, and 2.1.0, btw.

A patched release will be 2.1.0b, and the patch will be in all future releases (2.0.10c or higher, or the scheduled 2.0.11). The fix should be released in the next 7 days, and I will advise you when I release it.

Please note that this vulnerability exists in all previous releases that I have copies of (going back to 2.0.4), and I assume all the way back from there.

Lastly, if you have any patches that have not found their way back into the "official" (non-Debian) package, I'd appreciate having a copy, so I can incorporate them into the original package.

Please feel free to contact me if you have any further questions. Thank you for your time and effort in this matter.

Sincerely,
Christine Jamison

Herbert Xu wrote:
> Christine Jamison <[EMAIL PROTECTED]> wrote:
>> I am the official maintainer of "getty_ps", which several of your web pages refer to as "ps_getty". I think it would be nice if you referred to it by the correct name, so as not to confuse people. This is just a friendly suggestion. <nice smile>
>
> Thanks. Can you please point me to the URLs of the pages with the incorrect references?
>
>> Also, please note that the latest release of getty_ps is 2.1.0, and this
>
> Please keep in mind that Debian has a release cycle longer than that of the Linux kernel itself. Therefore looking at the current stable Debian release is always going to result in ancient versions. Debian unstable on the other hand has had 2.1.0 for two years.
>
>> Also, recently a security bug has been discovered in this package, and a patch will be forthcoming. If you would like notification when this patch is available, please provide me with contact info, and I will be *most* happy to contact you. You can get copies of getty_ps at "ftp.ibiblio.org", or my web site "ftp.nwmagic.net".
>
> Please contact me about this since I'm the Debian maintainer of this package.
>
> Cheers,

--------------000804070602090608050302
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear Herbert,
(I assume it's OK to call you that - I hear that blokes from Oz are informal. <smile>) It was nice to hear back from you so promptly! I will look up the references to "ps_getty" in the next week or so, and pass them along. I have reviewed the reported security vulnerability, and it does indeed exist, but *only* if the package was compiled with SYSLOG_DEBUG *not* defined, which should *not* be the case in production versions. (The vulnerability is caused by a debug file.) The *simplest* fix is to check the source code (file "tune.h"), for "#define SYSLOG" and "#define SYSLOG_DEBUG". If present, then this vulnerability does *not* exist, as the code that creates the file in question is disabled. If *not* present, then include these in the tune.h file, re-compile, and re-install. These 2 are defined by default in releases 2.0.8, 2.0.9, and 2.0.10, btw.

A patched release will be 2.0.10a, and the patch will be in all future releases (2.0.10b or higher, or the scheduled 2.0.11). The fix should be released in the next 7 days, and I will advise you when I release it.

Please note that this vulnerability exists in all previous releases that I have copies of (going back to 2.0.4), and I assume all the way back from there.

Lastly, if you have any patches that have not found their way back into the "official" (non-Debian) package, I'd appreciate having a copy, so I can incorporate them into the original package.

Please feel free to contact me if you have any further questions. Thank you for your time and effort in this matter.

Sincerely,
Christine Jamison

Herbert Xu wrote:
> Christine Jamison <[EMAIL PROTECTED]> wrote:
>> I am the official maintainer of "getty_ps", which several of your web pages refer to as "ps_getty". I think it would be nice if you referred to it by the correct name, so as not to confuse people. This is just a friendly suggestion. <nice smile>
>
> Thanks. Can you please point me to the URLs of the pages with the incorrect references?
>
>> Also, please note that the latest release of getty_ps is 2.1.0, and this
>
> Please keep in mind that Debian has a release cycle longer than that of the Linux kernel itself. Therefore looking at the current stable Debian release is always going to result in ancient versions. Debian unstable on the other hand has had 2.1.0 for two years.
>
>> Also, recently a security bug has been discovered in this package, and a patch will be forthcoming. If you would like notification when this patch is available, please provide me with contact info, and I will be *most* happy to contact you. You can get copies of getty_ps at "ftp.ibiblio.org", or my web site "ftp.nwmagic.net".
>
> Please contact me about this since I'm the Debian maintainer of this package.
>
> Cheers,

--------------000804070602090608050302--
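
The tune.h check described in the message above, as an added example that is not part of the original e-mail or of getty_ps. It goes slightly beyond a plain text search by ignoring defines that sit inside `/* */` comments or are cancelled by a later `#undef`; the function names `macro_defined` and `check_tune_h` and the sample file contents are hypothetical.

```shell
#!/bin/sh
# Added example, not getty_ps code: look for active "#define SYSLOG" and
# "#define SYSLOG_DEBUG" lines in a tune.h, as the message describes.

# macro_defined FILE NAME: exit 0 if NAME is defined outside /* */ comments
# and not removed by a later #undef, 1 otherwise.
macro_defined() {
    awk -v name="$2" '
    {
        line = $0; code = ""
        while (line != "") {                # strip comments across lines
            if (in_c) {
                i = index(line, "*/")
                if (i == 0) break
                line = substr(line, i + 2); in_c = 0
            } else {
                i = index(line, "/*")
                if (i == 0) { code = code line; break }
                code = code substr(line, 1, i - 1)
                line = substr(line, i + 2); in_c = 1
            }
        }
        sub(/^[ \t]*#[ \t]*/, "#", code)     # "# define" becomes "#define"
        split(code, f, " ")
        if (f[1] == "#define" && f[2] == name) defined = 1
        if (f[1] == "#undef" && f[2] == name) defined = 0
    }
    END { exit (defined ? 0 : 1) }' "$1"
}

# check_tune_h FILE: 0 = both macros defined, 1 = at least one missing,
# 2 = file unreadable.
check_tune_h() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    missing=""
    for m in SYSLOG SYSLOG_DEBUG; do
        macro_defined "$1" "$m" || missing="$missing $m"
    done
    [ -z "$missing" ] && { echo "$1: both macros defined"; return 0; }
    echo "$1: not defined:$missing (add to tune.h, re-compile, re-install)"
    return 1
}

# Constructed sample, not the real tune.h: SYSLOG_DEBUG is commented out.
sample=$(mktemp)
printf '%s\n' '#define SYSLOG' '/* #define SYSLOG_DEBUG */' > "$sample"
check_tune_h "${1:-$sample}" || true
rm -f "$sample"
```

Pass a path as the first argument to check an actual tune.h instead of the constructed sample.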