From owner-freebsd-security Fri Aug 11 7:30:42 2000
Message-ID: <39940DF7.B33BC951@chemcomp.com>
Date: Fri, 11 Aug 2000 10:30:15 -0400
From: System Administrator
Organization: Chemical Computing Group, Inc.
To: Warner Losh
Cc: Kris Kennaway, "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.org
Subject: Re: suidperl exploit
References: <200008110345.VAA31632@harmony.village.org>

Would it be appropriate to have a part of the website dedicated to the
publishing of current security vulnerabilities and how FreeBSD is *not*
affected? :)

-advocacy, I guess... but I think it would be a good idea since we have
a lot of people showing up on the lists saying "is FBSD vulnerable for
this?"

I guess a website is a bit of an overkill...

A.

Warner Losh wrote:
>
> In message Kris Kennaway writes:
> : Non-vulnerability alerts like some of the Linux vendors have started
> : issuing are stupid. If there's no problem, there's no problem, and as long
> : as you provide a reliable service when there *are* problems, there's no
> : need to publicize the negative result. The few people who have heard about
> : it through other channels and want specific reassurance can easily be
> : accommodated individually through other means (e.g. this list) with much
> : less effort and without the confusion from people who misinterpret the
> : contents of the "advisory" as meaning they have to take some action.
>
> Yes. I agree completely. If that load gets too high, then we can put
> up a notice on a web site. Such notice might not be a bad idea
> anyway, but we don't have a good mechanism for that.
>
> It also would artificially bloat the advisory numbers in bugtraq too,
> which we wouldn't want to do. We want to spend those chits on real
> problems.
>
> Warner

--
Antoine Beaupre
System Administrator
Chemical Computing Group, Inc.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message