From owner-freebsd-security Tue Aug  6 03:34:04 2002
Date: Tue, 06 Aug 2002 03:33:59 -0700
From: Colin Percival
Subject: Re: advisory coordination (Re: SA-02:35)
To: Dag-Erling Smorgrav, Anatole Shaw
Cc: freebsd-security@FreeBSD.ORG
Message-id: <5.0.2.1.1.20020806031941.01febf28@popserver.sfu.ca>
References: <20020806053237.A49851@kagnew.autoloop.com> <1028312148.3d4acc54c5eef@webmail.vsi.ru> <20020806053237.A49851@kagnew.autoloop.com>

At 12:08 06/08/2002 +0200, Dag-Erling Smorgrav wrote:
>Anatole Shaw writes:
> > I'm all for full-disclosure, but something is very wrong in these 2
> > cases.
> > Known security problems are being released in fragments without any
> > coordination. It seems that a basic Vulnerability Coordination function
> > is broken or missing, and surely we can fix this.
>
>What do you propose?

It wouldn't be a panacea, but if the mirrors could be set to update automatically when a security issue arises (instead of operating on their normal schedule), then the issue of advisories coming out before the relevant files were mirrored would not be a danger. I can't see that this would cause any problems, since any blackhats looking for unannounced patches would be looking on the main ftp server anyway.

Apart from that... is there anything wrong with issuing a preliminary notice and following up with full details later? I think everyone knows you're volunteering -- and is very happy with everything you're doing -- and would not complain if you miss a few details in order to send out a warning sooner.

Colin Percival

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message