From owner-freebsd-security Tue Apr 17 16:44:16 2001
Message-ID: <3ADCD543.8AB7B426@ursine.com>
Date: Tue, 17 Apr 2001 16:44:03 -0700
From: Michael Bryan
To: freebsd-security@FreeBSD.ORG
Subject: Re: Latency of security notifications
References: <200104171717.AA1124598422@stmail.pace.edu> <20010417150221.B3580@blazingdot.com>

Marcus Reid wrote:
>
> I saw the ftpd/glob() vulnerability on bugtraq yesterday, and the
> vulnerability report came out this afternoon. The ntpd vulnerability
> says Announced: 2001-04-06 but I got the report 2001-04-12. I think
> it's admirable that the reports come with patches and background, but
> I'd like to know to disable ntpd as soon as possible while waiting for
> details.

Yeah, this was mentioned in the (lengthy) recent threads about security
notifications and binary patches. Bottom line, I think a -lot- of people
would be happier if the FreeBSD SAs could go out as soon as possible after
a security hole is disclosed publicly in some other forum, even if all they
say is words to the effect of "Be aware that this security problem exists,
here's a workaround (if any), and we'll be updating this advisory when
official patch information is available."
That way people can get rapid notification of potential problems without
having to read all of freebsd-security, and instead pick it up via
-announce, presumably with pager notification if they so desire.

Kris, what do you think about this?

And I realize that part of the delay for the recent advisories (ntpd,
ipfilter, ftpd) was because Kris was out of town for two weeks. But when
I heard that, I was surprised, as I didn't realize he had no "backup".
In the future, I think it would be a good idea to try and have a
second/backup person available who could send out at least the initial
SA if Kris isn't available for that task, if at all possible.