From owner-freebsd-security Fri Sep 3 16:36:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id D81F914CC9 for ; Fri, 3 Sep 1999 16:36:50 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com) Received: from localhost (jkh@localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id QAA67512; Fri, 3 Sep 1999 16:36:39 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com) To: spork Cc: freebsd-security@FreeBSD.ORG Subject: Re: Security Alerts In-reply-to: Your message of "Fri, 03 Sep 1999 13:44:42 EDT." Date: Fri, 03 Sep 1999 16:36:39 -0700 Message-ID: <67508.936401799@localhost> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > So what I'm wondering is whether the project is in need of someone to > digest, discuss, and regurgitate some of these things into security > advisories. I personally can appreciate the fact that an ordinary user or > admin might not be able to follow every bug that comes up on bugtraq or on More than actually generating advisories, something which our security officers do a pretty reasonable job on, what we *really* need is someone to test the existing advisories/random reports/etc and figure out which exploits or DoS attacks are actually genuine. Quite a bit of stuff gets sent to the security list and quite a bit of it often has no applicability whatsoever to FreeBSD, leading to a situation where security officers put it on the "test this at some point" pile and that pile can get pretty deep. When faced with a "this has been tested and the following releases of FreeBSD are vulnerable" sort of message, however, they know that it's clearly a matter for immediate attention and it gets "escallated" quite a bit. - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message