Date:      Tue, 10 Apr 2001 16:19:52 -0700
From:      "Crist Clark" <crist.clark@globalstar.com>
To:        Nicole Harrington <nmh@daemontech.com>
Cc:        Ben Smithurst <ben@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG, Michael Bryan <fbsd-secure@ursine.com>, Michael Nottebrock <michaelnottebrock@gmx.net>
Subject:   Re: Security Announcements?
Message-ID:  <3AD39518.CFE8CB46@globalstar.com>
References:  <XFMail.010410154347.nmh@daemontech.com>

Nicole Harrington wrote:

[snip]

>  As someone who runs many production level servers here is what I would want
>  In order:
> 
>  1) A notice that there is a problem - So I can tcpwrap or shutdown said service
> until a patch is available.

A classic debate/flamewar, should the vendor notify before the fix
is available? Been discussed to death a zillion times, and I will not
start it again, but most vendors (Sun, Cisco, Microsoft) do not release
notices until a solution is available. In extreme cases, a notice /may/
be put out if the vulnerability is publicly disclosed, very serious,
and some workaround is available.

>  2) A binary patch.  Similar to the Linux RPMs and the BSDi patches.
>   Just download and run. No compiles, no installs.

The FreeBSD team would love to do this, but has said many times that
they simply do not have the resources to produce binary patches.

>  3) A patch that everyone agrees works in an email or other notification that
> says, here's where you can get the patch, this works, here's what to do with
> it.

When the official FreeBSD advisories do come out, that's in there.

>  From my perspective it took days for people to stop discussing what patch
> was best for ntpd and I still never heard a full resolution on the mailing
> list. No official blessing of a patch other than what I would get via CVSup.  I
> have production servers, I can't run a CVSup every day, let alone a make world.

I am not sure what is holding up an official notice on that one, but
it would be nice if the maintainers of ntpd itself would make an
official patch which could be merged back into -STABLE and -CURRENT.
 
>  Yes I may have missed a few mails or something. But expecting people to spend
> their days tracking down patches and notices about problems kinda negates the
> whole idea of a security mailing and notification.
>  The process seemed much better in the past, but lately, it has been much less
> than optimal.

I think the issue lately has mainly been that a string of security
problems were publicly released before vendors had a chance to
respond. Take a look back at security notifications you were happy
with. Frequently, a security bug no one (or very few) had ever heard
about had been patched in the code weeks before the release of the
notice, but since there was no uproar on -security with people
lamenting the slowness of patches, things seemed just great. For ntpd,
the entire world was introduced to the bug at once (I guess someone at
security-officer told me they got a whole half-hour or so warning)
from Bugtraq and chaos ensued.

(You think FreeBSD security is rough? On Bugtraq, I was first to
point out that aiming the exploit at a Solaris xntpd crashed it,
so now I am getting emails from around the globe, like I'm an xntpd
expert, asking how to fix it since no one will hear a single peep
from Sun until they have a patch for every single supported OS,
platform, and have gone through all of their regression testing.)
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

