I'm confused - I run 3.3.7 of dip. Is there a new version? Or an update to
this version?
JAM
On Thu, 11 Jul 1996, Larry Doolittle wrote:
> Date: Thu, 11 Jul 1996 10:20:18 -0400 (EDT)
> From: Larry Doolittle <doolitt@recycle.cebaf.gov>
> To: linux-users@CEBAF.GOV
> Subject: Security announcement: dip
>
> >From doolitt Thu Jul 11 10:20:21 1996 remote from recycle
>
> Hello, everyone who maintains a Linux machine at CEBAF (I hope):
>
> If you have not done so already, please turn off the suid-bit
> on dip. This program has a security problem that can allow
> an unprivileged user on the machine to become root.
>
> In particular: su to root yourself, then do the following:
> chmod u-s /usr/sbin/dip
> If you don't have a /usr/sbin/dip, check other possible locations,
> like /sbin or /usr/local/bin. It is possible you will not find
> any dip program, in which case there is nothing to do or fix.
>
> Most people should not have any use for this program on CEBAF
> (oops, I mean TJNAF) computers. If you do use this program,
> get a fresh copy of the source
> ftp://sunsite.unc.edu/pub/Linux/system/Network/serial/dip/dip337o-uri.tgz
> and build it without the security hole.
>
> CERT recently announced this security hole, and the announcement
> is already widely distributed (but hasn't yet made it to cebaf's
> comp.os.linux.announce news queue).
>
> - Larry Doolittle ldoolitt@cebaf.gov
>
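
The check described in the announcement above, as an added shell example that is not part of the original messages: it looks for a dip binary in each directory given and reports, or clears, the set-user-ID bit. The function name check_dip_suid and its report/fix modes are hypothetical; the directories in the usage comment are the ones the announcement names.

```shell
#!/bin/sh
# Added example, not from the original thread.
#
# check_dip_suid MODE DIR...
#   MODE=report : list each dip found and whether it is still set-uid
#   MODE=fix    : additionally run "chmod u-s" on every set-uid dip
# Returns 0 when no set-uid dip remains, 1 otherwise.
#
# Typical use, as root, with the locations from the announcement:
#   check_dip_suid report /usr/sbin /sbin /usr/local/bin
#   check_dip_suid fix    /usr/sbin /sbin /usr/local/bin
check_dip_suid() {
    mode=$1
    shift
    remaining=0
    for dir in "$@"; do
        f="$dir/dip"
        # No dip in this directory: nothing to do or fix here.
        [ -f "$f" ] || continue
        if [ -u "$f" ]; then
            # -u is true when the set-user-ID bit is set.
            if [ "$mode" = fix ] && chmod u-s "$f" && [ ! -u "$f" ]; then
                echo "fixed: $f"
            else
                echo "SUID: $f"
                remaining=1
            fi
        else
            echo "ok: $f"
        fi
    done
    return "$remaining"
}
```

A non-zero return in report mode means at least one dip still carries the suid bit.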