OSEC

From: Todd C. Miller (Todd.Millercourtesan.com)
Date: Tue Mar 20 2001 - 18:12:24 CST


    As reported elsewhere, a patch is now available that forces readline
    history files to be created with a restrictive file mode
    (readable/writable only by owner). This matches the behavior of
    the current version of readline (readline 4.1, which will ship with
    OpenBSD 2.9).

    From errata.html:
        The readline library shipped with OpenBSD allows history files
        creation with a permissive umask. This can lead to the leakage
        of sensitive information in applications that use passwords and
        the like during user interaction (one such application is mysql).

    Patch for OpenBSD 2.8:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/024_readline.patch

    Patch for OpenBSD 2.7:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/040_readline.patch

    The 2.7 patch also includes a change made after 2.7 was released.
    Previously, if the HOME environment variable was not set, readline
    would read from / write to a history file in the current working
    directory. The new behavior is to disable the history file if HOME
    is not set.

     - todd
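The two behaviours the message contrasts, as an added example that is not part of the original post or of the OpenBSD patch: a history file created through fopen(3) gets 0666 masked by the caller's umask, so a common umask of 022 leaves it world-readable, while passing 0600 to open(2) yields owner-only permissions whatever the umask is, since the umask can only clear bits. The history_path() helper mirrors the post-2.7 rule that an unset HOME disables the history file instead of falling back to the current working directory. The sample history line, the file and function names, and the fchmod() step for a pre-existing file are assumptions of this example, not details stated on the page.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample content standing in for what an interactive mysql
 * session might leave behind in its history file. */
static const char SAMPLE_LINE[] =
    "set password for 'app'@'localhost' = password('hunter2');\n";

/* Post-patch path policy: no HOME means no history file at all, rather than
 * silently reading/writing one in the current working directory.
 * Returns a malloc'd path the caller frees, or NULL when history is disabled. */
char *history_path(const char *home, const char *name)
{
    if (home == NULL || *home == '\0')
        return NULL;
    size_t n = strlen(home) + 1 + strlen(name) + 1;
    char *p = malloc(n);
    if (p == NULL)
        return NULL;
    snprintf(p, n, "%s/%s", home, name);
    return p;
}

/* Pre-patch style: fopen() creates the file as 0666 & ~umask, so with the
 * usual 022 umask the saved commands are readable by every local user. */
int create_history_permissive(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(SAMPLE_LINE, f);
    return fclose(f);
}

/* Post-patch style: request 0600 explicitly. The umask can only remove
 * permission bits, never add them, so the result is owner-only regardless
 * of what umask the user happens to run with. */
int create_history_restrictive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    /* Added caveat, not part of the patch as described: the mode argument
     * to open() only applies when the file is created, so a history file
     * that already exists world-readable keeps its old bits unless tightened. */
    if (fchmod(fd, 0600) < 0) {
        close(fd);
        return -1;
    }
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        close(fd);
        return -1;
    }
    fputs(SAMPLE_LINE, f);
    return fclose(f);
}

/* Permission bits of an existing file, or -1 on error. */
int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Create a history file under the given umask in a fresh temp directory and
 * report the mode it ended up with; restrictive selects which creator runs. */
int mode_under_umask(mode_t mask, int restrictive)
{
    char tmpl[] = "/tmp/histdemo.XXXXXX";   /* assumed writable scratch area */
    char path[64];
    if (mkdtemp(tmpl) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/.mysql_history", tmpl);
    mode_t old = umask(mask);
    int rc = restrictive ? create_history_restrictive(path)
                         : create_history_permissive(path);
    umask(old);
    int mode = (rc == 0) ? file_mode(path) : -1;
    unlink(path);
    rmdir(tmpl);
    return mode;
}

int main(void)
{
    printf("umask 022, fopen():     %04o\n", mode_under_umask(022, 0));
    printf("umask 022, open(0600):  %04o\n", mode_under_umask(022, 1));
    char *p = history_path(getenv("HOME"), ".mysql_history");
    printf("history file: %s\n", p ? p : "(disabled: HOME not set)");
    free(p);
    return 0;
}
```

Run it once with HOME set and once with `env -u HOME ./histdemo` to see both halves of the message: the mode column changes from 0644 to 0600 for the restrictive creator, and the path line switches to "disabled" when HOME is absent.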