Date: Tue, 10 Apr 2001 16:19:52 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
Organization: Globalstar LP
To: Nicole Harrington
Cc: Ben Smithurst, freebsd-security@FreeBSD.ORG, Michael Bryan, Michael Nottebrock
Subject: Re: Security Announcements?

Nicole Harrington wrote:

[snip]

> As someone who runs many production level servers here is what I would want
> In order:
>
> 1) A notice that there is a problem - So I can tcpwrap or shutdown said service
> until a patch is available.

A classic debate/flamewar: should the vendor notify before the fix is available? Been discussed to death a zillion times, and I will not start it again, but most vendors (Sun, Cisco, Microsoft) do not release notices until a solution is available. In extreme cases, a notice /may/ be put out if the vulnerability is publicly disclosed, very serious, and some workaround is available.

> 2) A binary patch. Similar to the Linux RPMs and the BSDi patches.
> Just download and run. No compiles, no installs.

The FreeBSD team would love to do this, but has said many times that they simply do not have the resources to produce binary patches.

> 3) A patch that everyone agrees works in an email or other notification that
> says, here's where you can get the patch, this works, here's what to do with
> it.

When the official FreeBSD advisories do come out, that's in there.

> From my perspective it took days for people to stop discussing what patch
> was best for ntpd and I still never heard a full resolution on the mailing
> list. No official blessing of a patch other than what I would get via CVSup. I
> have production servers, I can't run a CVSup every day, let alone a make world.

I am not sure what is holding up an official notice on that one, but it would be nice if the maintainers of ntpd itself would make an official patch which could be merged back into -STABLE and -CURRENT.

> Yes I may have missed a few mails or something. But expecting people to spend
> their days tracking down patches and notices abt problems kinda negates the
> whole idea of a security mailing and notification.
> The process seemed much better in the past, but lately, it has been much less
> than optimal.

I think the issue lately has mainly been that a string of security problems were publicly released before vendors had a chance to respond. Take a look back at security notifications you were happy with. Frequently, a security bug no one (or very few) had ever heard about had been patched in the code weeks before the release of the notice, but since there was no uproar on -security with people lamenting the slowness of patches, things seemed just great.

For ntpd, the entire world was introduced to the bug at once (I guess someone at security-officer told me they got a whole half-hour or so warning) from Bugtraq and chaos ensued. (You think FreeBSD security is rough? On Bugtraq, I was first to point out that aiming the exploit at a Solaris xntpd crashed it, so now I am getting emails from around the globe, like I'm an xntpd expert, asking how to fix it, since no one will hear a single peep from Sun until they have a patch for every single supported OS and platform, and have gone through all of their regression testing.)

--
Crist J. Clark
Network Security Engineer
crist.clark@globalstar.com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926