From owner-freebsd-security Thu Jul 13 14:10:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dfw-smtpout4.email.verio.net (dfw-smtpout4.email.verio.net [129.250.36.44]) by hub.freebsd.org (Postfix) with ESMTP id 8015737C5EF; Thu, 13 Jul 2000 14:10:04 -0700 (PDT) (envelope-from bokr@accessone.com)
Received: from [129.250.38.63] (helo=dfw-mmp3.email.verio.net) by dfw-smtpout4.email.verio.net with esmtp (Exim 3.12 #7) id 13CqF5-0001Uf-00; Thu, 13 Jul 2000 21:09:59 +0000
Received: from [204.250.68.168] (helo=gazelle) by dfw-mmp3.email.verio.net with smtp (Exim 3.15 #4) id 13CqF4-0003V8-00; Thu, 13 Jul 2000 21:09:58 +0000
Message-Id: <3.0.5.32.20000713141242.0093fbc0@mail.accessone.com>
X-Sender: bokr@mail.accessone.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Thu, 13 Jul 2000 14:12:42 -0700
To: Robert Watson
From: Bengt Richter
Subject: Re: Two kinds of advisories?
Cc: security@FreeBSD.ORG
In-Reply-To:
References: <4.3.2.7.2.20000713132400.04b73af0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 15:42 2000-07-13 -0400 Robert Watson wrote:
[...]
>Here's a recent sample:
>
>Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:29.wu-ftpd
>
>What information could we add here that would improve things? Teaching
>someone the distinction between "FreeBSD Ports Security Advisory" and
>"FreeBSD Security Advisory" should not be that difficult, as the
>distinction between the base system and ports is important. The
>difference manifests in degree of support, integration with the base
>system, security auditing level, and install/update mechanism.
>Understanding that distinction is essential to day-to-day management of
>the system. The advisory is careful to identify precisely the software
>that is vulnerable, how to tell if you are vulnerable, and available
>fixes, work-arounds, etc. I'm not sure we can really ask much more.
>
(1) How about some simple categorization in the subject line, e.g.,

Subject: FreeBSD Ports(SysUtil) Security Advisory: FreeBSD-SA-00:29.wu-ftpd

vs

Subject: FreeBSD Ports(Game) Security Advisory: FreeBSD-SA-...some-game

etc.

(2) Also, perhaps s/Ports/Optional Port/ to reinforce the idea that ports are not a part of FreeBSD per se (and that a particular advisory is talking about a particular port in the singular), for the panic-prone folks described, who don't get to the disclaimer etc. before it's too late.

(3) If you want to get fancy, add tagged lines in the advisory itself tailored for automatic extraction and (safe :) use in facilitating scripted verification of whether the receiving system had the vulnerable software installed, or had the problem patched and fixed. With system log entry, and optional email emitted about the check performed. Seems like an SA-Evaluation daemon job, acting on emails filtered to it?

Regards,
Bengt Richter
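The "SA-Evaluation" idea in point (3) above, sketched as an added example that is not part of the thread and not a FreeBSD tool. The X-SA-* tag names, the constraint syntax ("pkg < version"), and the version numbers are all assumptions of this example; FreeBSD advisories of the time carried no such machine-readable tags. The installed-package sample imitates the "name-version  comment" layout of pkg_info output but is constructed here. The checker only reads the tags and compares them against the package list, so the mail content never reaches a shell or the package tools, which is what keeps the automatic part "safe"; in a deployment the evaluator would also verify the advisory's signature before acting on it.

```python
import logging
import re

# Constructed advisory with hypothetical machine-readable tags (assumption of
# this example, not a real FreeBSD advisory format).  The SA id appears in the
# thread; the version numbers are placeholders.
SAMPLE_ADVISORY = """\
X-SA-Id: FreeBSD-SA-00:29.wu-ftpd
X-SA-Category: Ports(SysUtil)
X-SA-Affected: wu-ftpd < 2.6.0_1
X-SA-Fixed: wu-ftpd >= 2.6.0_1

Human-readable advisory text follows here and is ignored by the checker.
"""

# Constructed stand-in for pkg_info-style output on the receiving host.
SAMPLE_INSTALLED = """\
wu-ftpd-2.6.0       Replacement ftp server for Un*x systems
zip-2.3             Create/update ZIP files compatible with pkzip
"""

# Accepted comparison operators in an X-SA-Affected / X-SA-Fixed line.
OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "==": lambda a, b: a == b,
}
CONSTRAINT = re.compile(r"^(\S+)\s*(<=|>=|==|<|>)\s*(\S+)$")


def version_key(version):
    """Order FreeBSD-style versions: dotted numbers, then an optional _N revision."""
    base, _, rev = version.partition("_")
    parts = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    return parts, (int(rev) if rev.isdigit() else 0)


def parse_advisory(text):
    """Extract only the tagged lines; everything else in the mail is ignored."""
    adv = {"id": None, "category": None, "affected": [], "fixed": []}
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if not sep or not tag.startswith("X-SA-"):
            continue
        value = value.strip()
        if tag == "X-SA-Id":
            adv["id"] = value
        elif tag == "X-SA-Category":
            adv["category"] = value
        elif tag in ("X-SA-Affected", "X-SA-Fixed"):
            m = CONSTRAINT.match(value)
            if m is None:
                raise ValueError("malformed constraint: %r" % value)
            adv["affected" if tag == "X-SA-Affected" else "fixed"].append(m.groups())
    return adv


def parse_installed(text):
    """Map package name -> version from 'name-version  comment' lines."""
    installed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, version = line.split()[0].rpartition("-")
        if name:
            installed[name] = version
    return installed


def evaluate(advisory, installed):
    """Return {package: 'vulnerable' | 'patched' | 'not installed'}."""
    result = {}
    for name, op, version in advisory["affected"]:
        if name not in installed:
            result[name] = "not installed"
        elif OPS[op](version_key(installed[name]), version_key(version)):
            result[name] = "vulnerable"
        else:
            result[name] = "patched"
    return result


def report(advisory, result, log=logging.getLogger("sa-check")):
    """One log line per package; a deployment would route this handler to
    syslog and optionally mail the summary, as the post suggests."""
    for name, status in result.items():
        level = logging.WARNING if status == "vulnerable" else logging.INFO
        log.log(level, "%s %s: %s", advisory["id"], name, status)
    return result


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    adv = parse_advisory(SAMPLE_ADVISORY)
    report(adv, evaluate(adv, parse_installed(SAMPLE_INSTALLED)))
```

Run against the constructed samples, the host with wu-ftpd-2.6.0 is reported as vulnerable; substituting a 2.6.0_1 package or removing the package yields "patched" and "not installed" respectively.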