From owner-freebsd-security Tue Jul 21 09:19:18 1998
Return-Path:
Received: (from majordom@localhost)
        by hub.freebsd.org (8.8.8/8.8.8) id JAA19599
        for freebsd-security-outgoing; Tue, 21 Jul 1998 09:19:18 -0700 (PDT)
        (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA19576
        for ; Tue, 21 Jul 1998 09:19:15 -0700 (PDT)
        (envelope-from jer@jorsm.com)
Received: from localhost (jer@localhost)
        by mercury.jorsm.com (8.8.7/8.8.7) with SMTP id LAA09133;
        Tue, 21 Jul 1998 11:18:39 -0500 (CDT)
Date: Tue, 21 Jul 1998 11:18:38 -0500 (CDT)
From: Jeremy Shaffner
To: Brett Glass
cc: "Matthew N. Dodd" , "Christopher G. Petrilli" , "Gentry A. Bieker" , security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807202352.RAA27271@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 20 Jul 1998, Brett Glass wrote:

> Thousands (maybe tens or hundreds of thousands) of systems have been
> potentially compromised because that code was in the FreeBSD Ports
> library. I'd find it hard to believe that such a scheme would do
> anything but improve the odds that the hole would be closed.

How does "have been potentially" work?

> And, no, CVSup is not an answer.

Isn't it? See below.

> On production machines, you don't want to CVSup to the latest version --
> you just want to pick up known good patches for significant problems.
>
> --Brett

Pardon my ignorance, since I haven't used CVS, but isn't that what the
"ports" are? A skeleton with the necessary patches and a Makefile that
fetches the distfile if you don't already have it?

Like I said before, Jordan had an updated -stable port the same day. And
if you get that new port by downloading it manually, or by letting CVSup
do it "Automagically" does it really matter?

It's the same either way. Sure sounds like an answer to me.

-===================================================================-
 Jeremy Shaffner                    JORSM Internet
 Senior Technical Support           Northwest Indiana's Premium
 jer@jorsm.com                      Internet Service Provider
 support@jorsm.com                  http://www.jorsm.com
-===================================================================-

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message