Date: Thu, 6 Feb 1997 00:08:55 -0500 (EST)
From: Jamie Bowden <jamie@inna.net>
To: "Jordan K. Hubbard" <jkh@time.cdrom.com>
Cc: dg@root.com, spork@super-g.com, tqbf@enteract.com, freebsd-chat@freebsd.org, current@freebsd.org
Subject: Re: Blacklisting and being "asked" to deinstall FreeBSD - you heard that right!
Message-ID: <Pine.BSF.3.91.970206000755.2597D-100000@tyger.inna.net>
In-Reply-To: <26186.855196650@time.cdrom.com>

So what is this 'threat'?  And how severe is it?  I mean, sendmail has
delivered remote root on demand in the last three releases, so how bad
can this really be?

Jamie Bowden
Network Administrator, TBI Ltd.

On Wed, 5 Feb 1997, Jordan K. Hubbard wrote:

> > You made it VERY clear that either I play by YOUR rules or forget playing
> > at all.  You represented this as the position of the ENTIRE core team.
> >
> > You lied about John Dyson's position on the issues; I talked to him
> > IMMEDIATELY after you hung up.  He said in no uncertain terms that he
>
> I could respond to Karl on this, but I won't as it's obviously more
> than pointless by now.  Suffice it to say that I never even mentioned
> John Dyson during our phone conversation and did not claim to speak
> for all of core, so those who are wondering whether I've gone and
> crowned myself King can stop wondering.  Karl's summary of our phone
> conversation bears no resemblance to the reality of what actually took
> place and I rather wish I'd recorded it myself.  In any case...
>
> Here is a summary of the *technical* situation at this time:
>
> A 2.1.6 emergency machine has been built and is now rolling a 2.1.7
> release.  I'm also in the process of sending out a CERT advisory with
> fixes and David has already stayed up all night getting them into all
> 3 branches, so I think we're now in pretty good shape where this is
> concerned but will have more news tomorrow after the 2.1.7 build has
> finished (or not).
>
> There is also a general security audit now underway, spearheaded
> by Paul Traina, and he's done a sign-up sheet for people willing to
> take a piece of /usr/src away and look at it for security problems
> (others who wish to cull the *BSD PR databases or investigate other
> sources also being more than welcome to take that approach).
>
> Once it's finished being passed around in -core and some folks have
> signed up for various things, I'll post the roster here and we can
> search for volunteers to cover the missing bases.
>
> I also think that a complete walk-through of our codebase is probably
> long overdue anyway, and this is a good chance for everyone to prove
> the old maxim that security begins at home (or was that charity? :-).
> Talk to me or security-officer@freebsd.org if you'd like to jump on
> board.
>
> Thanks!
>
> Jordan
>