From owner-freebsd-security  Wed Jul 22 01:38:52 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id BAA11891
          for freebsd-security-outgoing; Wed, 22 Jul 1998 01:38:52 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA11783
          for <security@FreeBSD.ORG>; Wed, 22 Jul 1998 01:38:25 -0700 (PDT)
          (envelope-from netadmin@fastnet.co.uk)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22])
	by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id JAA03510;
	Wed, 22 Jul 1998 09:38:01 +0100 (BST)
Received: from localhost (localhost [127.0.0.1])
	by bofh.fast.net.uk (8.8.8/8.8.5) with SMTP id JAA02024;
	Wed, 22 Jul 1998 09:38:02 +0100 (BST)
Date: Wed, 22 Jul 1998 09:38:02 +0100 (BST)
From: Jay Tribick <netadmin@fastnet.co.uk>
X-Sender: netadmin@bofh.fast.net.uk
To: Jon Hamilton <hamilton@pobox.com>
cc: Brett Glass <brett@lariat.org>, security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack? 
In-Reply-To: <199807220004.RAA16588@hub.freebsd.org>
Message-ID: <Pine.BSF.3.96.980722093509.1949N-100000@bofh.fast.net.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


| } A security team formed for that purpose. A group of people who DO hang on
| } ever Bugtraq message (if not individually, then collectively). As for 
| } "-current won't compile" problems -- they're unlikely to occur because
| } the patches will likely be to small bits of the OS.

The patches are more likely to be parts of libexec, suid programs or
anything that's running as a daemon or suid-root. I myself have
modified many of the packages and daemons running on our 
servers so there's no way a patch can be installed autonomously
without me getting the original source, patching that and
then re-integrating all my new code into it!

| } >Wave your hands some more.  Are you _really_ sure that you trust your
| } >local copy of pgp (or whatever other method you want to use)?
| } 
| } As much as I trust CVSupping to close a hole. And, yes, I do place a high
| } level of trust in strong crypto. As must all of us.
| 
| All the world doesn't look like your installation, and solutions that
| work just fine and make good sense for your installation may simply
| not fit elsewhere.  

I agree - there will be always be servers out there that are too heavily
patched by the admins own code that it's just not feasible to install
every new security fix that comes out .. which brings us back to
the band-aid problem :(

Regards,

Jay Tribick
--
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[|        Finger netadmin@fastnet.co.uk for contact information        |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message