From owner-freebsd-current Tue Feb 4 17:25:47 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id RAA07486 for current-outgoing; Tue, 4 Feb 1997 17:25:47 -0800 (PST)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA07471 for ; Tue, 4 Feb 1997 17:25:44 -0800 (PST)
Received: from current1.whistle.com (current1.whistle.com [207.76.205.22]) by alpo.whistle.com (8.8.5/8.8.4) with SMTP id RAA16820; Tue, 4 Feb 1997 17:21:50 -0800 (PST)
Message-ID: <32F7E044.7DE14518@whistle.com>
Date: Tue, 04 Feb 1997 17:20:04 -0800
From: Julian Elischer
Organization: Whistle Communications
X-Mailer: Mozilla 3.0Gold (X11; I; FreeBSD 2.2-CURRENT i386)
MIME-Version: 1.0
To: Karl Denninger
CC: "Jordan K. Hubbard" , current@FreeBSD.ORG
Subject: Re: Question: 2.1.7?
References: <199702042244.QAA03172@Jupiter.Mcs.Net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Karl Denninger wrote:
> If the 'sploit is so well known, then could you give us MORE info?

I really hate not knowing what the problem is:

I would go as far as saying:
probably a 2.1.6.2 should be made.
the cdroms that are shipped after right now should have a sticker
stuck on them saying:
"before running this on a system connected to the internet,
check www.freebsd.org for a program to run to fix a known security hole"
and leave it at that...
a new cdrom can come out with the fix in time
and we should ACTIVELY push a script that "Patches" the problem files
and does whatever is needed.

I'm talking from a point of view of what we'd probably do in places
where I've worked..

I think that a notice should be put in the FTP site about the problem
but that we shouldn't PULL it yet..
what we SHOULD do is REALLY MAKE IT KNOWN that there is
1/ a problem
2/ a fix

please both of you.. go back to your corners.
you are BOTH acting in a manner I think you should seriously look at.
think about what you can do to IMPROVE this, TAKING THE OTHER INTO ACCOUNT.
If it doesn't help, then don't do/say it.

about to launch thousands of 2.2 boxes..
does this affect 2.2? and how?
We don't allow any logins on the boxes.. direct or indirect
is there still a risk?

julian