From owner-freebsd-security Tue Jun 10 10:07:51 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id KAA17173
    for security-outgoing; Tue, 10 Jun 1997 10:07:51 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49])
    by hub.freebsd.org (8.8.5/8.8.5) with SMTP id KAA17166
    for ; Tue, 10 Jun 1997 10:07:48 -0700 (PDT)
Received: from rover.village.org [127.0.0.1] by rover.village.org
    with esmtp (Exim 1.60 #1) id 0wbUOS-0001Fz-00; Tue, 10 Jun 1997 11:07:40 -0600
To: Guy Helmer
Subject: Re: Security problem with FreeBSD 2.2.1 default installation
Cc: freebsd-security@freebsd.org
In-reply-to: Your message of "Tue, 03 Jun 1997 10:44:33 CDT."
References:
Date: Tue, 10 Jun 1997 11:07:40 -0600
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message Guy Helmer writes:
: I just checked the bugtraq archives and found an exploit for sperl4.036
: and sperl 5.00x on FreeBSD was posted April 21!
:
: I guess no one watches bugtraq?!?

Sigh. Yes. I watch bugtraq. I also have a full-time job. It takes me about a week to get to the bugtraq bugs, and then up to two to four weeks to get them fixed due to other time commitments that I have. If no one else has the time, then the only way that is going to get better will be if I'm paid to watch for these things and paid to spend the time to fix them.

I might also point out that the Bugtraq mail had no patches at all for 4.x perl. I had to develop them on my own.

Yes, it is important. However, there is only so much that can be done given the resources that we have.

Warner