From owner-freebsd-security Fri Aug 11 7:39:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.pythonvideo.com (mail.pythonvideo.com [207.164.115.15])
    by hub.freebsd.org (Postfix) with ESMTP id ED8DF37BAE3;
    Fri, 11 Aug 2000 07:39:24 -0700 (PDT) (envelope-from joe@webkrew.com)
Received: from joe (joe.pythonvideo.com [209.226.29.94])
    by mail.pythonvideo.com (8.9.3/8.9.3) with SMTP id KAA88385;
    Fri, 11 Aug 2000 10:38:52 -0400 (EDT) (envelope-from joe@webkrew.com)
From: "Joe Oliveiro"
To: "System Administrator", "Warner Losh"
Cc: "Kris Kennaway", "Vladimir Mencl, MK, susSED",
Subject: RE: suidperl exploit
Date: Fri, 11 Aug 2000 10:37:19 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <39940DF7.B33BC951@chemcomp.com>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I personally think a website would be a great idea. With all the current
exploits around it would make sense to compile a list of what is / isn't
fbsd open to and have it online somewhere.. Question is who is willing to
do the work?

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of System Administrator
Sent: August 11, 2000 10:30 AM
To: Warner Losh
Cc: Kris Kennaway; Vladimir Mencl, MK, susSED; freebsd-security@FreeBSD.ORG
Subject: Re: suidperl exploit

Would it be appropriate to have a part of the website dedicated to the
publishing of current security vulnerabilities and how FreeBSD is *not*
affected? :)

-advocacy, I guess... but I think it would be a good idea since we have
a lot of people showing up on the lists saying "is FBSD vulnerable for
this?"

I guess a website is a bit of an overkill...

A.

Warner Losh wrote:
>
> In message Kris Kennaway writes:
> : Non-vulnerability alerts like some of the Linux vendors have started
> : issuing are stupid. If there's no problem, there's no problem, and as long
> : as you provide a reliable service when there *are* problems, there's no
> : need to publicize the negative result. The few people who have heard about
> : it through other channels and want specific reassurance can easily be
> : accommodated individually through other means (e.g. this list) with much
> : less effort and without the confusion from people who misinterpret the
> : contents of the "advisory" as meaning they have to take some action.
>
> Yes. I agree completely. If that load gets too high, then we can put
> up a notice on a web site. Such notice might not be a bad idea
> anyway, but we don't have a good mechanism for that.
>
> It also would artificially bloat the advisory numbers in bugtraq too,
> which we wouldn't want to do. We want to spend those chits on real
> problems.
>
> Warner
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Antoine Beaupre
System Administrator
Chemical Computing Group, Inc.