note to whois maintainer

Lapo Luchini lapo@lapo.it
Tue Sep 13 17:58:00 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christopher Faylor wrote:
> I can't duplicate the problem myself (and at least one respondent was
> also unable to duplicate it

Neither did I (trying up to a screenful of As).

> It has been a while since the last whois release.  Is there a
> newer version available?

The version of whois we're currently using, the one made by my
compatriot Marco d'Itri and included in Debian and other Linux distros,
seems to have reached version 4.7.8 (while we still ship 4.6.14):
http://ftp.debian.org/debian/pool/main/w/whois/

Reading the "man", that kind of attack seems to be expected:

> BUGS
>        The  program  has  many  buffer overflows when parsing the command line
>        parameters: be sure to not pass untrusted  data  to  it.   It  will  be
>        rewritten to use a dynamic strings library.

but, as the file says "3 December 1999", I wonder if this is still true.

Trying both the "whois" we ship and the one that FreeBSD ships I noticed
that the latter contains many more command line options and a better
"man" page (and is BSD licensed) while the one we now ship seems to
respond more completely to some queries such as the ones to the 6bone.
(asking for a .com or a .it gives the very same exact results)

    Lapo

UPDATE: I just checked with the author in ICQ, that paragraph is
actually still true.

- --
L a p o   L u c h i n i
l a p o @ l a p o . i t
w w w . l a p o . i t /
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iEYEARECAAYFAkMnE0oACgkQaJiCLMjyUvszvgCg+01uDKKLUfa8bAsTrmgCdeup
48UAn2MG9t1hO6wnjdNkO2uA9apknzJB
=CUgL
-----END PGP SIGNATURE-----


