Date: 1 Dec 99 13:02:57 MST
From: Brock Tellier <btellier@usa.net>
To: "Jordan K. Hubbard" <jkh@zippy.cdrom.com>, Bill Swingle <unfurl@dub.net>
Cc: security@FreeBSD.ORG, btellier@usa.net
Subject: Re: [Re: [btellier@USA.NET: Several FreeBSD-3.3 vulnerabilities] ]
Message-ID: <19991201200257.17312.qmail@nwcst313.netaddress.usa.net>
"Jordan K. Hubbard" <jkh@zippy.cdrom.com> wrote:

> FreeBSD vulnerabilities are few and far between, and even fewer are
> published on Bugtraq. Having something as simple as this get past us is
> really embarrassing. It says to the security community at large that
> we're not even concerned enough with security to fix these small holes.
> We all know that's not true.

The problem is that they're often not even posted to the correct source. In this case, for example, the holes aren't "part of FreeBSD" proper, they're part of our 2794 entry ports collection and Mr. Tellier posted his report to the security officer. It would be simply impossible for one or two people to track security over all of FreeBSD and 2,700 3rd party packages (a certain percentage of which aren't even testable at any given time due to patch creep, tarball fennerization, bitrot, etc) and I don't blame the security officer for wondering why these issues weren't brought up directly with the ports team and/or the individual maintainers for these ports.

Being able to divide labor into reasonable (read: even marginally sane) pieces is why we have a ports collection and ports maintainers. Any bug which is found with a port, be it a security issue or a full-on crash, should be reported to the relevant maintainer so that he or she can quickly commit a patch to the ports' patches directory and get everyone past the issue as quickly as possible.

- Jordan

-----

Personally, I don't think it is at all unreasonable to do a full 2700 port install via sysinstall and audit the 200 or so suid programs. Sure, it's important that the others be free from symlink problems and, in a few cases, buffer overflows, but focusing, as I did, on the suids wouldn't be ridiculously difficult. More than 50% of these programs could safely lose their suid bit. Considering the number of people who will actually need "xmindpath" suid vs. the number of people who just do a full install because they don't want to miss anything, I'd say you're pretty safe.

-brock
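Brock's proposal above amounts to inventorying the set-id binaries a full ports install leaves under the ports prefix, deciding which of them need the bit, and noticing when a new one appears. The POSIX sh script below is an added example, not part of this thread or of FreeBSD itself; it assumes /usr/local as the ports prefix and uses pkg(8)'s `pkg which` only when that command exists, so the inventory and baseline comparison also run elsewhere.

```sh
#!/bin/sh
# Added example: inventory setuid/setgid files under a ports prefix and
# compare the result with a saved baseline, so a newly installed port that
# brings a set-id binary with it is noticed instead of silently accepted.

# list_setid PREFIX
# Prints one line per set-id regular file: mode owner group path package
# (package is "-" when pkg(8) is absent or does not know the file).
list_setid() {
    prefix=${1:-/usr/local}   # assumption: the ports install prefix
    find "$prefix" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r f; do
        # ls -ld is portable between BSD and GNU userlands; stat(1) flags are not.
        set -- $(ls -ld "$f")
        mode=$1 owner=$3 group=$4
        pkg=-
        # On FreeBSD, map the file back to the port/package that installed it.
        # stdin is redirected so pkg can never consume the file list being read.
        if command -v pkg >/dev/null 2>&1; then
            pkg=$(pkg which -q "$f" </dev/null 2>/dev/null) || pkg=-
        fi
        printf '%s %s %s %s %s\n' "$mode" "$owner" "$group" "$f" "${pkg:--}"
    done
}

# count_setid PREFIX
# Number of set-id files found (Brock's "200 or so" for a full install).
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# new_setid BASELINE PREFIX
# Prints the set-id files present now whose path (field 4) is missing from
# BASELINE, a file previously written with list_setid.
new_setid() {
    baseline=$1
    list_setid "$2" | awk -v base="$baseline" '
        BEGIN {
            while ((getline line < base) > 0) { split(line, a, " "); seen[a[4]] = 1 }
            close(base)
        }
        !($4 in seen)'
}
```

Run `list_setid /usr/local > setid.baseline` after the audit, and later `new_setid setid.baseline /usr/local` to see only what has been added since.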