From: David La Croix
Subject: Re: Latency of security notifications
To: kris@obsecurity.org (Kris Kennaway)
Cc: freebsd-security@freebsd.org
Date: Tue, 17 Apr 2001 23:20:26 -0500 (CDT)
Message-Id: <200104180420.f3I4KQW98885@cowpie.acm.vt.edu>
In-Reply-To: <20010417181710.A12757@xor.obsecurity.org> from "Kris Kennaway" at Apr 17, 2001 06:17:10 PM

On the topic of "early notification", how about adding a custom header (which any user active on the list, and/or who had read the appropriate guidelines on posting, could add to any appropriate "early-warning" alert-type messages/SAs)? The custom header could be checked for by the mail filter and used to separate out the announcements from the discussion.

I am not an expert on Majordomo (or other list management services), so I'm not sure if it's possible to stick an "X-Freebsd-security: Alert" header in there and have Majordomo send it on, but I think that might be the magic to help those who don't have time to filter through the messages and don't want to miss an important advisory/warning. Perhaps only a Security Officer might have access to post with the new headers. (I haven't spent that much time thinking about it ... I'm on vacation. :)

Another thought might be to set up a second moderated mailing list which sets the reply-to address to be the normal list and shares the same subscription list as freebsd-security. (Then people could forward mails based on the addressee to their pagers/phones/911 mail folder.)

We could also have suggested usage for the "Importance/Priority" (sorry, can't think which it is) heading to bring into play when someone posts a broad warning such as "NTP has a buffer overflow exploit".

> On Tue, Apr 17, 2001 at 04:44:03PM -0700, Michael Bryan wrote:
>
> > Bottom line, I think a -lot- of people would be happier if the
> > FreeBSD SAs could go out as soon as possible after a security hole
> > is disclosed publicly in some other forum, even if all they say is
> > words to the effect of "Be aware that this security problem exists,
> > here's a workaround (if any), and we'll be updating this advisory
> > when official patch information is available."
> >
> > That way people can get rapid notification of potential problems
> > without having to read all of freebsd-security, and instead pick it
> > up via -announce, presumably with pager notification if they so
> > desire. Kris, what do you think about this?
>
> I think it would result in a flood of support questions about "how do
> I fix this?"/"What does this mean?" and end up causing the security
> officer team a lot more work if it came from us, even as some kind of
> unofficial statement (especially if it was a very brief statement,
> which it would have to be to get immediately released upon third party
> disclosure of a vulnerability, because none of us have enough free
> time to actively pre-empt whatever else we're doing to go and write
> something comprehensive).
>
> Other people usually send copies of third party advisories to this
> forum for serious issues as soon as they're published (on bugtraq or
> wherever), and the community takes care of the interim support: that
> seems like a much better solution to me.
>
> > And I realize that part of the delay for the recent advisories
> > (ntpd, ipfilter, ftpd) was because Kris was out of town for two
> > weeks. But when I heard that, I was surprised, as I didn't realize
> > he had no "backup". In the future, I think it would be a good idea
> > to try and have a second/backup person available who could send out
> > at least the initial SA if Kris isn't available for that task, if at
> > all possible.
>
> There are a number of others who are part of the security officer
> team, and in fact the ntpd advisory was written and released by Chris
> Faulhaber during my absence; it just so happens that we're all going
> through a busy time right now with our daytime lives and so the
> latency of released advisories has increased recently. Hopefully that
> will improve.
>
> Kris
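One way a subscriber could implement the filter David proposes, as an added example that is not part of the original thread: it honours the proposed "X-Freebsd-security: Alert" header only when the message was relayed by the list (the `Sender:` address the list stamps on mail) and the poster is on an allow-list of people permitted to raise alerts, since any list member can add an arbitrary header. The allow-list address and the sample messages are constructed placeholders.

```python
# Added example (not from the thread): route list mail on the proposed alert header,
# but refuse to trust the header by itself. Intended to sit behind a procmail/maildrop pipe.
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

LIST_SENDER = "owner-freebsd-security@freebsd.org"  # Sender: stamped on list mail (from the thread)
ALERT_HEADER = "X-Freebsd-security"                  # the header David proposes
ALERT_POSTERS = {"security-officer@example.org"}     # constructed placeholder allow-list


def route(raw: bytes) -> str:
    """Return the mailbox to file a message in: 'alerts', 'discussion' or 'untrusted-alert'."""
    msg = message_from_bytes(raw, policy=default)
    flag = (msg.get(ALERT_HEADER) or "").strip().lower()
    if flag != "alert":
        return "discussion"               # ordinary list traffic
    sender = parseaddr(msg.get("Sender", ""))[1].lower()
    poster = parseaddr(msg.get("From", ""))[1].lower()
    # The header alone proves nothing: anyone posting to the list can add it.
    # Require that the list relayed the mail and that the poster may raise alerts.
    if sender == LIST_SENDER and poster in ALERT_POSTERS:
        return "alerts"                   # e.g. forward to a pager
    return "untrusted-alert"              # flagged, but held for a human to look at


# Constructed sample messages
LEGIT = b"""From: Security Officer <security-officer@example.org>
Sender: owner-freebsd-security@FreeBSD.ORG
To: freebsd-security@freebsd.org
Subject: ALERT: ntpd buffer overflow, workaround inside
X-Freebsd-security: Alert

Interim workaround follows; advisory to be updated when a patch is available.
"""
SPOOFED = b"""From: Random User <user@example.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Subject: ALERT: please read
X-Freebsd-security: Alert

Not actually from the security officer team.
"""
CHATTER = b"""From: Random User <user@example.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Subject: Re: Latency of security notifications

Just discussion.
"""

if __name__ == "__main__":
    for name, sample in (("LEGIT", LEGIT), ("SPOOFED", SPOOFED), ("CHATTER", CHATTER)):
        print(name, "->", route(sample))
```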