From owner-freebsd-current Wed Feb 5 01:37:27 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id BAA00526 for current-outgoing; Wed, 5 Feb 1997 01:37:27 -0800 (PST)
Received: from perki0.connect.com.au (perki0.connect.com.au [192.189.54.85]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id BAA00504 for ; Wed, 5 Feb 1997 01:37:20 -0800 (PST)
Received: from nemeton.UUCP (Unemeton@localhost) by perki0.connect.com.au with UUCP id UAA00738 (8.7.6h/IDA-1.6); Wed, 5 Feb 1997 20:33:47 +1100 (EST)
X-Authentication-Warning: perki0.connect.com.au: Unemeton set sender to giles@nemeton.com.au using -f
Received: from localhost.nemeton.com.au (localhost.nemeton.com.au [127.0.0.1]) by nemeton.com.au (8.8.5/8.8.5) with SMTP id UAA12156; Wed, 5 Feb 1997 20:28:17 +1100 (EST)
Message-Id: <199702050928.UAA12156@nemeton.com.au>
To: Karl Denninger
cc: phk@critter.dk.tfs.com (Poul-Henning Kamp), jkh@time.cdrom.com, current@freebsd.org
Subject: Re: Question: 2.1.7?
In-reply-to: <199702050002.SAA05789@Jupiter.Mcs.Net>
Date: Wed, 05 Feb 1997 20:28:16 +1100
From: Giles Lean
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 4 Feb 1997 18:02:09 -0600 (CST) Karl Denninger wrote:

> The FIRST LEVEL response is to REMOVE the 2.1.6 executables from the FTP
> servers and make a PUBLIC announcement that the vulnerability has been
> found.

A timely announcement will be nice. I don't agree that the time for this to occur has yet passed. I want *accurate* information when I get it, and not some quick-and-nearly-accurate information immediately.

The removal of the executables is uncalled for; many systems run without users. Many run without Internet connections. While anyone running in production *should* have a copy of some installation media handy, what if someone doesn't? (Help -- I can't reinstall; the OS isn't available anymore?!)
Removing all the executables *also* prevents anyone ftping them to checksum in the case of an unrelated local security incident.

The known problems in 2.1.6 make it about as insecure as most of the commercial systems I see; this is unfortunate but probably isn't the end of the world.

Finally, it is unreasonable to *hold* the free software community to higher standards than the commercial community manage. (Sure, we can hope. :) The fastest commercial advisory I've seen was 3-4 days after an exploit was posted and that was for a single utility buffer overrun. The normal delay is much greater.

Regards,

Giles