Date:      Wed, 05 Feb 1997 12:57:58 -0800
From:      "Justin T. Gibbs" <gibbs@narnia.plutotech.com>
To:        Karl Denninger <karl@Mcs.Net>
Cc:        gibbs@plutotech.com (Justin T. Gibbs), jgreco@solaria.sol.net, Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org
Subject:   Re: 2.1.6+++: crt0.c CRITICAL CHANGE 
Message-ID:  <199702052057.MAA00563@narnia.plutotech.com>
In-Reply-To: Your message of "Wed, 05 Feb 1997 14:36:11 CST." <199702052036.OAA12786@Jupiter.Mcs.Net> 

>> >The FIX is the go through setlocale() and fix the holes in the code! 
>> >Nothing else is adequate, and every other path is a LOT more work.
>> 
>> Every method for fixing this, and numerous other potential problems with
>> 2.1.6, 2.2, and 3.0 requires study, and after acceptance, careful coding,
>> a review process, and documentation.  To do otherwise is to open us to a
>> recurring cycle of security hole/quick fix/security hole/quick fix.  Core
>> has already determined a course of action on these issues and a statement
>> regarding the entire issue will be released once it has passed final review.
>
>I was told that this release would be posted LAST NIGHT.
>
>It's 15 hours beyond "last night".  No information has been posted.  Why?

All security announcements go to the CERT first-teams list before public
announcement.  This has been true of all recent security announcements made
about FreeBSD.  We have a well established set of guidelines for dealing with
security issues, and notifying CERT first is one of them.

>I've now provided a patch.  Either commit it or get off the pot.

Your patch isn't sufficient.

>> This will only serve to confuse our userbase about what the exact problem
>> is, which releases and binaries are affected, and how to address the problem
>> completely.  During Core's investigation of this problem, much more information
>> than you provided has surfaced, all of which will be communicated in our
>> announcement.
>
>That's false.  The setlocale() problem is fixable with a patch to
>setlocale().

And which binaries must you rebuild in order for that patch to be fully
effective?  How do you address third party software that is only available
in binary form?  Your analysis of this problem doesn't scratch the surface
of the kind of information our user base needs in order to be protected.

>> >2.2 is ALSO affected.  That's being IGNORED right now.
>> 
>> Not true.  Simply because you are not privy to the discussions about this
>> issue does not mean that we are ignoring anything.  Our announcement will
>> have information on *all* versions of FreeBSD that have this problem.
>
>Keeping the discussion private (i.e. "not privy") means you believe there's
>something to hide.  I disagree.  Either discourse in public or it doesn't
>count in my book.

The discussion was kept private in order to not disseminate misinformation
to our userbase.  Last night's flurry of mail on this issue began with
speculation on several problems, followed by investigation and much work
on providing the proper patches and documentation.  Making this entire dialog
public, which includes many references to "non-problems", would only
serve to confuse the issue.  Our goal was to collect the correct information
and only to make it public once we verified the full scope of the problem.

>Again, the talkd bug handling is what got me going on this generic issue
>with FreeBSD.  Now we have a much more serious one.

People are human.

>> Your attitude has not been one of, "Here is the problem, how can I direct
>> the resources at my disposal to help the project correct it."  Instead,
>> you have pronounced yourself the "unsung hero" of security that will create
>> a solution of your own liking and publish whatever (dis)information you
>> see fit.  As I mentioned before, this only adds to the confusion.
>
>Bullshit.  I have now published a patch which corrects the problem in
>setlocale().

Your patch is not enough.  We are currently looking at fixing a number of
related problems in the source tree before releasing 2.1.7.  There's a
nice sign-up sheet if you want to really be of help.  Our course of action
will require a considerable number of man hours and we want to complete the
task as quickly as possible.

>> If you have the resources to contribute to fixing this problem, all you need
>> to do is promise to cooperate in a controlled effort and we'll happily accept
>> your help.  Right now, you look like a loaded gun with the safety off and we
>> cannot afford that kind of instability while we work to handle this delicate
>> situation.
>
>CORE created the loaded gun by mishandling the talkd problem.

I think you are again confusing the actions of one or two people with the
actions of Core.

>You further
>exacerbated it with this mess.  Now you have a patch in hand.

We had several patches in hand long before yours showed up.

>> Then quit confusing them with your comments and wait for our pending
>> security announcement which will have all of the facts straight and give
>> proper guidelines for securing an affected system.
>
>In a pig's eye.  THAT goal could have been accomplished within hours.

Not true.  Do you know this problem affects systems prior to 2.1.6?  Do
you know which snapshots and Beta/GAMMA releases are affected?  How about
which types of statically linked binaries must be replaced before you are
safe?  Answering all of those questions, and many others, takes time.

>I waited for the promised announcement last night.  It never came.

As I explained before, we are following our security policy on this issue
and your actions won't change that.

>Now I've coded a patch to fix the problem.  It's been posted, and I'm
>verifying it.

Oh great.  You posted an unverified patch.  That would be an unacceptable
action for Core to officially take.

>If it passes my inspection I want it committed, or a damn
>good reason why it won't be.
>
>NOW.

As I said before, Core will continue to take action in this matter as it
sees fit regardless of your actions or threats.

>-- 
>Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
>http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
>			     | 99 Analog numbers, 77 ISDN, Web servers $75/mo
>Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
>Fax:   [+1 773 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

--
Justin T. Gibbs
===========================================
  FreeBSD: Turning PCs into workstations
===========================================