Date: Wed, 05 Feb 1997 20:28:16 +1100
From: Giles Lean <giles@nemeton.com.au>
To: Karl Denninger <karl@mcs.net>
Cc: phk@critter.dk.tfs.com (Poul-Henning Kamp), jkh@time.cdrom.com, current@freebsd.org
Subject: Re: Question: 2.1.7?
Message-ID: <199702050928.UAA12156@nemeton.com.au>
In-Reply-To: <199702050002.SAA05789@Jupiter.Mcs.Net>
On Tue, 4 Feb 1997 18:02:09 -0600 (CST) Karl Denninger wrote:

> The FIRST LEVEL response is to REMOVE the 2.1.6 executables from the FTP
> servers and make a PUBLIC announcement that the vulnerability has been
> found. A timely announcement will be nice.

I don't agree that the time for this to occur has yet passed. I want *accurate* information when I get it, and not some quick-and-nearly-accurate information immediately.

The removal of the executables is uncalled for; many systems run without users. Many run without Internet connections. While anyone running in production *should* have a copy of some installation media handy, what if someone doesn't? (Help -- I can't reinstall; the OS isn't available anymore?!)

Removing all the executables *also* prevents anyone ftping them to checksum in the case of an unrelated local security incident.

The known problems in 2.1.6 make it about as insecure as most of the commercial systems I see; this is unfortunate but probably isn't the end of the world.

Finally, it is unreasonable to *hold* the free software community to higher standards than the commercial community manages. (Sure, we can hope. :) The fastest commercial advisory I've seen was 3-4 days after an exploit was posted, and that was for a single utility buffer overrun. The normal delay is much greater.

Regards,

Giles