From: Wes Peters (Softweyr LLC)
Date: Sun, 16 Jul 2000 00:44:24 -0600
To: Brett Glass
Cc: Robert Watson, Susie Ward, security@FreeBSD.ORG
Subject: Re: Two kinds of advisories?

Brett Glass wrote:

> Personally, I'm very glad for the advisories -- you may recall
> that I returned from my honeymoon to find a system rooted due
> to a QPopper exploit. I only wish that the CDs were updated
> quickly enough to prevent more copies of exploitable ports
> from going out! (People who install from the CDs often don't
> know how to pick up new ports, and it's not obvious from the
> sysinstall UI.) But if the advisory said:
>
> Security Advisory: Remote root exploit in wu-ftpd (FreeBSD-SA-00:29)
>
> it'd produce fewer calls from nervous clients.

This looks like a good proposal to me.
In order to do this, we must first verify the vulnerability is in the ported application, wu-ftpd in this case, and not in the FreeBSD-specific modifications (patches etc.), but I can see that this does tie the problem more closely to wu-ftpd and less closely to FreeBSD in the eyes of someone scanning the advisories.

I'm not sure, Brett, that this would really help your situation that much. From the way you describe your clients, it seems they're probably not capable of discerning the difference unless you spoon-feed it to them. Maybe you could make a bar graph or a pie chart for them? ;^)

If your clients aren't clueful enough to know how to upgrade something like qpopper or wu-ftpd from ports, they should be clueful enough to pay you a few hundred dollars to do it for them. If they've been warned and chose to ignore the warnings, that's their choice. They paid their money, now they get to collect their prize.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/