From owner-freebsd-security Wed Jun 26 11:26:17 2002
Message-Id: <4.3.2.7.2.20020626121804.022dc1b0@localhost>
Date: Wed, 26 Jun 2002 12:23:18 -0600
To: Andrew Kenneth Milton
From: Brett Glass
Subject: Re: Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...)
Cc: Bosko Milekic, freebsd-security@FreeBSD.ORG
In-Reply-To: <20020627041540.U89115@zeus.theinternet.com.au>

At 12:15 PM 6/26/2002, Andrew Kenneth Milton wrote:

>Au contraire. An upgrade to 3.4 is mandatory iff a security advisory is
>released by the freebsd-security team indicating it is.

The FreeBSD security team does not have an exclusive monopoly on good advice. And while it has done some good things, it has also failed to do many things that are necessary for good security.

For example, it has not ensured that binary packages are updated when the corresponding ports are changed to correct security flaws. This leaves the many people who do network installs vulnerable to old security flaws when they install binary packages (as they're encouraged to do by the FreeBSD installer).

--Brett