Date: Thu, 10 Aug 2000 20:38:25 -0700 (PDT)
From: Kris Kennaway
To: Warner Losh
Cc: "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.ORG
Subject: Re: suidperl exploit
In-Reply-To: <200008110330.VAA31484@harmony.village.org>
Sender: owner-freebsd-security@FreeBSD.ORG

On Thu, 10 Aug 2000, Warner Losh wrote:

> So no advisory is needed.  This is a case where we need a
> non-vulnerability alert :-).  Of course, such an alert is likely to
> cause more problems than it would solve....

Non-vulnerability alerts like some of the Linux vendors have started
issuing are stupid. If there's no problem, there's no problem, and as long
as you provide a reliable service when there *are* problems, there's no
need to publicize the negative result. The few people who have heard about
it through other channels and want specific reassurance can easily be
accommodated individually through other means (e.g. this list) with much
less effort and without the confusion from people who misinterpret the
contents of the "advisory" as meaning they have to take some action.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe