From owner-freebsd-current Wed Feb 5 20:54:50 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5)
    id UAA06994 for current-outgoing; Wed, 5 Feb 1997 20:54:50 -0800 (PST)
Received: from tyger.inna.net (root@tyger.inna.net [206.151.66.1])
    by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA06983;
    Wed, 5 Feb 1997 20:54:46 -0800 (PST)
Received: from tyger.inna.net (jamie@tyger.inna.net [206.151.66.1])
    by tyger.inna.net (8.8.3/8.7.3) with SMTP id AAA06910;
    Thu, 6 Feb 1997 00:08:55 -0500 (EST)
Date: Thu, 6 Feb 1997 00:08:55 -0500 (EST)
From: Jamie Bowden
To: "Jordan K. Hubbard"
cc: dg@root.com, spork@super-g.com, tqbf@enteract.com,
    freebsd-chat@freebsd.org, current@freebsd.org
Subject: Re: Blacklisting and being "asked" to deinstall FreeBSD - you heard that right!
In-Reply-To: <26186.855196650@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

So what is this 'threat'?  And how severe is it?  I mean, sendmail has
delivered remote root on demand in the last three releases, so how bad
can this really be?

Jamie Bowden

Network Administrator, TBI Ltd.

On Wed, 5 Feb 1997, Jordan K. Hubbard wrote:

> > You made it VERY clear that either I play by YOUR rules or forget playing
> > at all.  You represented this as the position of the ENTIRE core team.
> >
> >You lied about John Dyson's position on the issues; I talked to him
> >IMMEDIATELY after you hung up.  He said in no uncertain terms that he
>
> I could respond to Karl on this, but I won't as it's obviously more
> than pointless by now.  Suffice it to say that I never even mentioned
> John Dyson during our phone conversation and did not claim to speak
> for all of core, so those who are wondering whether I've gone and
> crowned myself King can stop wondering.  Karl's summary of our phone
> conversation bears no resemblance to the reality of what actually took
> place and I rather wish I'd recorded it myself.  In any case...
>
> Here is a summary of the *technical* situation at this time:
>
> A 2.1.6 emergency machine has been built and is now rolling a 2.1.7
> release.  I'm also in the process of sending out a CERT advisory with
> fixes and David has already stayed up all night getting them into all
> 3 branches, so I think we're now in pretty good shape where this is
> concerned but will have more news tomorrow after the 2.1.7 build has
> finished (or not).
>
> There is also a general security audit now underway, spearheaded
> by Paul Traina, and he's done a sign-up sheet for people willing to
> take a piece of /usr/src away and look at it for security problems
> (others who wish to cull the *BSD PR databases or investigate other
> sources also being more than welcome to take that approach).
>
> Once it's finished being passed around in -core and some folks have
> signed up for various things, I'll post the roster here and we can
> search for volunteers to cover the missing bases.
>
> I also think that a complete walk-through of our codebase is probably
> long overdue anyway, and this is a good chance for everyone to prove
> the old maxim that security begins at home (or was that charity? :-).
> Talk to me or security-officer@freebsd.org if you'd like to jump on
> board.
>
> Thanks!
>
> Jordan
>