From owner-freebsd-security Fri Jan 28 17:24:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49])
	by hub.freebsd.org (Postfix) with ESMTP
	id CB7CC155CC; Fri, 28 Jan 2000 17:24:43 -0800 (PST)
	(envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6])
	by rover.village.org (8.9.3/8.9.3) with ESMTP id SAA13361;
	Fri, 28 Jan 2000 18:24:41 -0700 (MST)
	(envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1])
	by harmony.village.org (8.9.3/8.8.3) with ESMTP id SAA65757;
	Fri, 28 Jan 2000 18:24:55 -0700 (MST)
Message-Id: <200001290124.SAA65757@harmony.village.org>
To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Subject: Re: Re[2]: delegate buffer overflow (ports)
Cc: Kris Kennaway , Masafumi NAKANE , serg@dor.zaural.ru,
	freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
In-reply-to: Your message of "Fri, 28 Jan 2000 13:52:56 +0300."
	<18578.000128@sandy.ru>
References: <18578.000128@sandy.ru> <200001280936.CAA60674@harmony.village.org>
Date: Fri, 28 Jan 2000 18:24:55 -0700
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <18578.000128@sandy.ru> 3APA3A writes:
: Another one quite good solution may be to maintain the page on
: FreeBSD.ORG with current security status for every port (known bugs,
: potential bugs, known exploits, known accidents, both confirmed and
: unconfirmed and risk level for local and remote security, latest
: releases and patches). Of course it makes a lot of additional work for
: FreeBSD team, but IMHO if some port is included in FreeBSD
: distribution, FreeBSD team should have some response for this port,
: and this fact should eliminate including of unchecked software. Users
: should be recommended to check the status of the port before
: installing. Ports with high security risk shouldn't be included at
: all.

Kris and I have talked about doing something like this, and he'll
likely start on something like this after 4.0-R is golden. I'm not
sure exactly what form it will take, but Kris will certainly know.

Warner