From owner-freebsd-security Wed Dec 1 10:55:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ind.alcatel.com (postal.xylan.com [208.8.0.248])
    by hub.freebsd.org (Postfix) with ESMTP id 44A5B15015;
    Wed, 1 Dec 1999 10:55:51 -0800 (PST)
    (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com (mailhub [198.206.181.70])
    by ind.alcatel.com (8.9.3+Sun/8.9.1 (ind.alcatel.com 3.0 [OUT])) with SMTP id KAA18730;
    Wed, 1 Dec 1999 10:54:09 -0800 (PST)
X-Origination-Site:
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB]))
    id KAA12212; Wed, 1 Dec 1999 10:54:08 -0800
Received: from softweyr.com (dyn0.utah.xylan.com) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL]))
    id AA15780; Wed, 1 Dec 99 10:54:03 PST
Message-Id: <38456ED0.D25139C7@softweyr.com>
Date: Wed, 01 Dec 1999 11:54:08 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.61 [en] (X11; I; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
Mime-Version: 1.0
To: Bill Swingle
Cc: security@FreeBSD.ORG, Jordan Hubbard
Subject: Re: [btellier@USA.NET: Several FreeBSD-3.3 vulnerabilities]
References: <19991201093242.A71817@dub.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bill Swingle wrote:
>
> Ok, so I know these are all vulnerabilities in third party software, and
> that the actual problem with each program is not really ours to fix but
> each of these problems can be avoided with small changes to the
> respective ports.
>
> FreeBSD vulnerabilities are few and far between, and even fewer are
> published on Bugtraq. Having something as simple as this get past us is
> really embarrassing. It says to the security community at large that
> we're not even concerned enough with security to fix these small holes.
> We all know that's not true.
>
> I'm not sure who dropped the ball here, and I'm not pointing fingers. I
> just hope that we can pull together in the future to avoid more of this.

Before we go hopping around yammering about "not caring about security"
or "dropping the ball" it might be effective to ask "has anyone ever
reported these problems before?"

*I* haven't seen any of them reported, and I've been on this mail list
for 3 or 4 years.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/