Date: Sat, 27 Dec 2014 01:06:20 +0100
From: Dan Lukes <dan@obluda.cz>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Message-ID: <549DF7FC.10109@obluda.cz>
In-Reply-To: <549DE2B4.4080806@bluerosetech.com>
References: <20141223233310.098C54BB6@nine.des.no> <549C4D71.6030704@bluerosetech.com> <25260C1A-8230-47BD-9FAF-585D2B560303@FreeBSD.org> <549DE2B4.4080806@bluerosetech.com>

On 12/26/14 23:35, Darren Pilgrim:
>>>> IV. Workaround
>>>> No workaround is available,

>> We talk explicitly about the base system, not about ports. We never
>> mentioned them and I do not see a reason to start doing so.

> I don't understand why you wouldn't.

Hm ...

We can turn off the vulnerable service. We can replace the vulnerable software with another, non-vulnerable one. We can leave the vulnerable service running, but block access to it.

A security advisory is advisory. An administrator should make their own decisions based on it.

I'm pretty sure system administrators recognize those obvious things despite their not being mentioned explicitly. It requires basic skills only.

I disagree that obvious things should be enumerated in the SA. The SA should be short and readable.

In advance, the Security Officer should not recommend other software as a secure replacement unless he considers it secure. Such analysis takes a lot of time and it will cause an unacceptable delay of the SA.

Just my $0.02

Dan