Date:      Sun, 16 Jul 2000 00:44:24 -0600
From:      Wes Peters <wes@softweyr.com>
To:        Brett Glass <brett@lariat.org>
Cc:        Robert Watson <rwatson@FreeBSD.ORG>, Susie Ward <sward@voltage.net>, security@FreeBSD.ORG
Subject:   Re: Two kinds of advisories?
Message-ID:  <397159C8.76E5E29@softweyr.com>
References:  <4.3.2.7.2.20000713132400.04b73af0@localhost> <4.3.2.7.2.20000713135632.04b63890@localhost>

Brett Glass wrote:
> 
> Personally, I'm very glad for the advisories -- you may recall
> that I returned from my honeymoon to find a system rooted due
> to a QPopper exploit. I only wish that the CDs were updated
> quickly enough to prevent more copies of exploitable ports
> from going out! (People who install from the CDs often don't
> know how to pick up new ports, and it's not obvious from the
> sysinstall UI.) But if the advisory said:
> 
> Security Advisory: Remote root exploit in wu-ftpd (FreeBSD-SA-00:29)
> 
> it'd produce fewer calls from nervous clients.

This looks like a good proposal to me.  In order to do this, we must first
verify the vulnerability is in the ported application, wu-ftpd in this case,
and not in the FreeBSD-specific modifications (patches etc.), but I can
see that this does tie the problem more closely to wu-ftpd and less
closely to FreeBSD in the eyes of someone scanning the advisories.

I'm not sure, Brett, that this would really help your situation that much.
From the way you describe your clients, it seems they're probably not
capable of discerning the difference unless you spoon-feed it to them.
Maybe you could make a bar graph or a pie chart for them?  ;^)

If your clients aren't clueful enough to know how to upgrade something
like qpopper or wu-ftpd from ports, they should be clueful enough to pay
you a few hundred dollars to do it for them.  If they've been warned and
chose to ignore the warnings, that's their choice.  They paid their money,
now they get to collect their prize.



-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

