From: "Constant, Benjamin"
To: 'Colin Percival'
Cc: freebsd security, FreeBSD Stable
Date: Mon, 22 May 2006 09:27:10 +0200
Subject: RE: FreeBSD Security Survey

Hi,

We don't use binary update as we use custom kernels.

We're using portaudit for security flaws with the installed ports but I don't think there is any equivalent for the base and kernel? I'm subscribed and I'm monitoring the FreeBSD Security Advisories mailing list but there is (as far as I know) no easy system like portaudit to compare your installed base and kernel source tree against security advisories.

Are there best practices in this area knowing that all my systems are not running the same level of patches and none of them are running something else than -STABLE?
I'll probably switch from -STABLE to -RELENG in the future (was not possible in the beginning as features we're looking for were only in -STABLE) and apply security fixes but I think it won't change the amount of work to perform compared to a non source based operating system.

Regards,

Benjamin Constant

> -----Original Message-----
> From: owner-freebsd-stable@freebsd.org [mailto:owner-freebsd-stable@freebsd.org] On Behalf Of Colin Percival
> Sent: Monday 22 May 2006 5:55
> To: freebsd security; FreeBSD Stable
> Subject: FreeBSD Security Survey
>
> Dear FreeBSD users and system administrators,
>
> While the FreeBSD Security Team has traditionally been very good at
> investigating and responding to security issues in FreeBSD, this only
> solves half of the security problem: Unless users and administrators
> of FreeBSD systems apply the security patches provided, the advisories
> issued accomplish little beyond alerting potential attackers to the
> presence of vulnerabilities.
>
> The Security Team has been concerned for some time by anecdotal reports
> concerning the number of FreeBSD systems which are not being promptly
> updated or are running FreeBSD releases which have passed their End of
> Life dates and are no longer supported. In order to better understand
> which FreeBSD versions are in use, how people are (or aren't) keeping
> them updated, and why it seems so many systems are not being updated, I
> have put together a short survey of 12 questions. The information gathered
> will inform the work done by the Security Team, as well as my own personal
> work on FreeBSD this summer.
>
> If you administrate system(s) running FreeBSD (in the broad sense of "are
> responsible for keeping system(s) secure and up to date"), please visit
> http://people.freebsd.org/~cperciva/survey.html
> and complete the survey below before May 31st, 2006.
>
> Thanks,
> Colin Percival
> FreeBSD Security Officer