Date: Fri, 11 Aug 2000 10:50:11 -0400
From: Mike Tancsa <mike@sentex.net>
To: joe@webkrew.com
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: suidperl exploit
Message-ID: <4.3.2.7.0.20000811104321.00e77900@marble.sentex.ca>
In-Reply-To: <PHEKLIMKOGMILIEBJCOGCEBADIAA.joe@webkrew.com>
References: <39940DF7.B33BC951@chemcomp.com>

At 10:37 AM 8/11/00 -0400, Joe Oliveiro wrote:
>I personally think a website would be a great idea. With all the current
>exploits around it would make sense to compile a list of what is / isn't
>fbsd open to and have it online somewhere.. Question is who is willing to do
>the work?

This sounds like a duplication of efforts... Why not just update the info on the securityfocus website for the particular exploit listed there saying FreeBSD is not vulnerable to exploit xxx... e.g.

http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1547

It seems Bugtraq/securityfocus has become the de facto Security clearing house. If there is one site/list people follow, it's probably that one, and any updates as to what is and what is not vulnerable will get the lion's share of viewers.

        ---Mike

>-----Original Message-----
>From: owner-freebsd-security@FreeBSD.ORG
>[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of System
>Administrator
>Sent: August 11, 2000 10:30 AM
>To: Warner Losh
>Cc: Kris Kennaway; Vladimir Mencl, MK, susSED;
>freebsd-security@FreeBSD.ORG
>Subject: Re: suidperl exploit
>
>
>Would it be appropriate to have a part of the website dedicated to the
>publishing of current security vulnerabilities and how FreeBSD is *not*
>affected? :)
>
>-advocacy, I guess... but I think it would be a good idea since we have
>a lot of people showing up on the lists saying "is FBSD vulnerable for
>this?"
>
>I guess a website is a bit of an overkill...
>
>A.
>
>Warner Losh wrote:
> >
> > In message <Pine.BSF.4.21.0008102034410.95874-100000@freefall.freebsd.org> Kris Kennaway writes:
> > : Non-vulnerability alerts like some of the Linux vendors have started
> > : issuing are stupid. If there's no problem, there's no problem, and as long
> > : as you provide a reliable service when there *are* problems, there's no
> > : need to publicize the negative result. The few people who have heard about
> > : it through other channels and want specific reassurance can easily be
> > : accommodated individually through other means (e.g. this list) with much
> > : less effort and without the confusion from people who misinterpret the
> > : contents of the "advisory" as meaning they have to take some action.
> >
> > Yes. I agree completely. If that load gets too high, then we can put
> > up a notice on a web site. Such notice might not be a bad idea
> > anyway, but we don't have a good mechanism for that.
> >
> > It also would artificially bloat the advisory numbers in bugtraq too,
> > which we wouldn't want to do. We want to spend those chits on real
> > problems.
> >
> > Warner
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
>--
>Antoine Beaupre
>System Administrator
>Chemical Computing Group, Inc.

------------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications mike@sentex.net
Cambridge, Ontario Canada www.sentex.net

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.0.20000811104321.00e77900>