On Tue, 25 Apr 2000 10:16:14 -0400, Joseph Mack wrote:
>It's interesting that we have to find these stories ourselves
>Joe
>
>http://www.zdnet.com/zdnn/stories/news/0,4586,2554978,00.html?&_ref=1870958635
Sorry about not posting about this here. ISS has made my life hell and
I've been rather busy because of it. There is no backdoor in piranha,
there is only the front door. There are two problems that were
discovered by ISS. First, instead of the http user piranha having no
password initially, it was somehow set to "q". This was build cruft
that somehow worked its way into the final packages. Obviously, this
made it impossible to use piranha from the web GUI, but is by no means
a "backdoor". The other bug that came from this was the fact that we
allowed shell expansions to happen during password change processing.
This is the security hole and was a dumb mistake on our part. We have
since corrected both of these problems and new piranha packages are
available on ftp.redhat.com.
Sorry again for not posting about this here.
Mike
-----------------------------------------------------------------------
Mike Wangsmo Red Hat, Inc
"I think qmail got mad, took its ball and went home." - Steve Wills
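
The shell-expansion bug described in the message above, as an added example that is not part of the original post and is not piranha's code. It assumes the password-change handler built a shell command line from the submitted value; `printf` and `cat` stand in for the real password helper, and every function name here is hypothetical.

```python
import shlex
import subprocess

# Constructed input: a harmless command substitution standing in for
# whatever text a user submits in the "new password" field.
SAMPLE = "pw$(echo EXPANDED)"


def _run(cmd, **kw):
    """Run a command and return its stdout (raises on non-zero exit)."""
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=True, **kw).stdout


def change_password_shell(new_password):
    """Vulnerable pattern: form value concatenated into a shell command line."""
    return _run("printf %s " + new_password, shell=True)


def change_password_argv(new_password):
    """No shell: the value is a single argv element and is never parsed."""
    return _run(["printf", "%s", new_password])


def change_password_stdin(new_password):
    """No shell, and the value stays out of the process list (sent on stdin)."""
    return _run(["cat"], input=new_password)


def change_password_quoted(new_password):
    """Fallback when a shell is unavoidable: quote the value first."""
    return _run("printf %s " + shlex.quote(new_password), shell=True)


if __name__ == "__main__":
    for fn in (change_password_shell, change_password_argv,
               change_password_stdin, change_password_quoted):
        print(f"{fn.__name__:26} -> {fn(SAMPLE)!r}")
```

Only the first function lets the shell rewrite the submitted value; the other three hand the helper exactly the bytes the user typed.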