From owner-freebsd-security Wed Dec 1 11:10:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from magnesium.net (toxic.magnesium.net [207.154.84.15])
	by hub.freebsd.org (Postfix) with SMTP id A4586151CC
	for ; Wed, 1 Dec 1999 11:10:50 -0800 (PST)
	(envelope-from unfurl@magnesium.net)
Received: (qmail 74594 invoked by uid 1001); 1 Dec 1999 19:09:43 -0000
Date: 1 Dec 1999 11:09:43 -0800
Date: Wed, 1 Dec 1999 11:08:32 -0800
From: Bill Swingle
To: Wes Peters
Subject: Re: [btellier@USA.NET: Several FreeBSD-3.3 vulnerabilities]
Message-ID: <19991201110832.A74323@dub.net>
References: <19991201093242.A71817@dub.net> <38456ED0.D25139C7@softweyr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To: <38456ED0.D25139C7@softweyr.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Dec 01, 1999 at 11:54:08AM -0700, Wes Peters wrote:
> Bill Swingle wrote:
> >
> > Ok, so I know these are all vulnerabilities in third party software, and
> > that the actual problem with each program is not really ours to fix but
> > each of these problems can be avoided with small changes to the
> > respective ports.
> >
> > FreeBSD vulnerabilities are few and far between, and even fewer are
> > published on Bugtraq. Having something as simple as this get past us is
> > really embarrassing. It says to the security community at large that
> > we're not even concerned enough with security to fix these small holes.
> > We all know that's not true.
> >
> > I'm not sure who dropped the ball here, and I'm not pointing fingers. I
> > just hope that we can pull together in the future to avoid more of this.
>
> Before we go hopping around yammering about "not caring about security" or
> "dropping the ball" it might be effective to ask "has anyone ever reported
> these problems before?" *I* haven't seen any of them reported, and I've
> been on this mail list for 3 or 4 years.

Wes, the post to bugtraq indicated that they had notified whoever is in
charge of security. If you take a look at the page that's linked off the
"Security" link at www.freebsd.org it specifically states that bug reports
should be sent to security-officer@freebsd.org. This would be why you've
not seen reports of these things here.

I don't want to just whine about this. I'd really like to see this
process improved. How can we help the team of ppl behind the
security-officer address? Is there anything that I/we can do?

-Bill

--
-=| --- B i l l S w i n g l e --- http://www.dub.net/
-=| unfurl@dub.net - unfurl@freebsd.org - bill@cdrom.com
-=| Different all twisty a of in maze are you, passages little