From owner-freebsd-security Fri Feb 9 9:15: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hermes.logilune.com (hermes.logilune.com [195.154.174.37]) by hub.freebsd.org (Postfix) with ESMTP id 3D93737B76C for ; Fri, 9 Feb 2001 08:44:59 -0800 (PST)
Received: from [192.168.1.2] (talisker.logilune.com [192.168.1.2]) by hermes.logilune.com (Postfix) with ESMTP id 877DF175F4B for ; Fri, 9 Feb 2001 17:44:55 +0100 (CET)
Date: Fri, 09 Feb 2001 17:44:45 +0100
From: Eric Cholet
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE
Message-ID: <2488141552.981740685@[192.168.1.2]>
In-Reply-To: <200102082014.PAA29877@vws3.interlog.com>
X-Mailer: Mulberry/2.0.5 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I received the following, what worries me is that the PGP signature
verified, and it's not April 1st. WTF ??

--On 08/02/01 15:14 -0500 FreeBSD Security Advisories mumbled:

> =============================================================================
> FreeBSD-SA-01:INSERT_NUMBER_HERE                           Security Advisory
>                                                                FreeBSD, Inc.
>
> Topic:          FreeBSD on record to set most advisory releases for year 2001
>
> Category:       All
> Announced:      2001-02-07
> Credits:        sil@loopback.antioffline.com http://www.antioffline.com
> Vendor status:  Developers sleeping right now
> FreeBSD only:   Yes
>
> I.   Background
>
> FreeBSD is the most robust chopperating sysdumb in the world and we
> mean it. Our TCP stack will kick your TCP stacks hynee. Currently we
> are releasing an advisory every 1.95 days which means we are bound
> to surpass Microsoft.
>
> II.  Problem Description
>
> We normally do not assess security when creating the ports distribution
> often allowing anyone to build any program we decide to run in the ports
> directory. Recently we have noticed that we can no longer fool users
> into thinking because we provide checksumming for the programs, that
> they will be secure.
>
> Unlike other operating systems and the developers of them who audit
> their ports, we feel it is not our problem if someone accesses your
> system because we're too lazy to do things right the first time.
>
>
> III. Impact
>
> Obviously anyone can end up controlling your machine or worse.
>
> IV.  Workaround
>
> We will not be mentioning the ultra secure OpenBSD operating system
> since we feel it is not our problem and does not help to promote a
> better OS than our own.
>
> V.   Solution
>
> One of the following:
>
> 1) Rub a magic lamp and wait for the security genie to fix it.
>
> 2) Download NSA Linux so you too can have minuscule backdoors in it
> which you won't see.
>
> 3) Pray to the hacker god Kevin Mitnick for assistance.
>
> 4) Install a more secure O(penBSD)S
>
> NOTE: FreeBSD developers are now red faced
>
> VI.  Shouts
>
> Hard Lee Strange
> Mike Hunt
> Ivana Swallows
> Mike Hock
> Dick Famous
> Kathie Lee Gifford
>
>
>
> This is the moderated mailing list freebsd-announce.
> The list contains announcements of new FreeBSD capabilities,
> important events and project milestones.
> See also the FreeBSD Web pages at http://www.freebsd.org
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-announce" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message