Date: Tue, 17 Apr 2001 23:20:26 -0500 (CDT)
From: David La Croix <dlacroix@cowpie.acm.vt.edu>
To: kris@obsecurity.org (Kris Kennaway)
Cc: freebsd-security@freebsd.org
Subject: Re: Latency of security notifications
Message-ID: <200104180420.f3I4KQW98885@cowpie.acm.vt.edu>
In-Reply-To: <20010417181710.A12757@xor.obsecurity.org> from "Kris Kennaway" at Apr 17, 2001 06:17:10 PM
On the topic of "early notification", how about adding a custom header (which any user active on the list and/or who had read the appropriate guidelines on posting could add on any appropriate "early-warning" alert-type messages/SAs)? The custom header could be checked for by the mail filter, and used to separate out the announcements from the discussion.

I am not an expert on Majordomo (or other list management services), so I'm not sure if it's possible to stick an "X-Freebsd-security: Alert" header in there and have Majordomo send it on, but I think that might be the magic to help those who don't have time to filter through the messages, and don't want to miss an important advisory/warning. Perhaps only a Security Officer might have access to post with the new headers. (I haven't spent that much time thinking about it ... I'm on vacation. :)

Another thought might be to set up a second moderated mailing list -- which sets the reply-to address to be the normal list and shares the same subscription list as freebsd-security. (Then people could forward mails based on the addressee to their pagers/phones/911 mail folder.)

We could also have suggested usage for the "Importance"/"Priority" (sorry, can't think which it is) heading to bring into play when someone posts a broad warning such as "NTP has a buffer overflow exploit".

> On Tue, Apr 17, 2001 at 04:44:03PM -0700, Michael Bryan wrote:
> > Bottom line, I think a -lot- of people would be happier if the
> > FreeBSD SAs could go out as soon as possible after a security hole
> > is disclosed publicly in some other forum, even if all they say is
> > words to the effect of "Be aware that this security problem exists,
> > here's a workaround (if any), and we'll be updating this advisory
> > when official patch information is available."
> >
> > That way people can get rapid notification of potential problems
> > without having to read all of freebsd-security, and instead pick it
> > up via -announce, presumably with pager notification if they so
> > desire. Kris, what do you think about this?
>
> I think it would result in a flood of support questions about "how do
> I fix this?"/"What does this mean?" and end up causing the security
> officer team a lot more work if it came from us, even as some kind of
> unofficial statement (especially if it was a very brief statement,
> which it would have to be to get immediately released upon third party
> disclosure of a vulnerability, because none of us have enough free
> time to actively pre-empt whatever else we're doing to go and write
> something comprehensive).
>
> Other people usually send copies of third party advisories to this
> forum for serious issues as soon as they're published (on bugtraq or
> wherever), and the community takes care of the interim support: that
> seems like a much better solution to me.
>
> > And I realize that part of the delay for the recent advisories
> > (ntpd, ipfilter, ftpd) was because Kris was out of town for two
> > weeks. But when I heard that, I was surprised, as I didn't realize
> > he had no "backup". In the future, I think it would be a good idea
> > to try and have a second/backup person available who could send out
> > at least the initial SA if Kris isn't available for that task, if at
> > all possible.
>
> There are a number of others who are part of the security officer
> team, and in fact the ntpd advisory was written and released by Chris
> Faulhaber during my absence; it just so happens that we're all going
> through a busy time right now with our daytime lives and so the
> latency of released advisories has increased recently. Hopefully that
> will improve.
>
> Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message