Re: Latency of security notifications

From: Michael Bryan (fbsd-secure@ursine.com)
Date: 04/18/01


Date: Tue, 17 Apr 2001 16:44:03 -0700
From: Michael Bryan <fbsd-secure@ursine.com>
To: freebsd-security@FreeBSD.ORG


Marcus Reid wrote:
>
> I saw the ftpd/glob() vulnerability on bugtraq yesterday, and the
> vulnerability report came out this afternoon. The ntpd vulnerability
> says Announced: 2001-04-06 but I got the report 2001-04-12. I think
> it's admirable that the reports come with patches and background, but
> I'd like to know so that I can disable ntpd as soon as possible while
> waiting for details.

Yeah, this was mentioned in the (lengthy) recent threads about security
notifications and binary patches.

Bottom line, I think a -lot- of people would be happier if the FreeBSD SAs
could go out as soon as possible after a security hole is disclosed publicly
in some other forum, even if all they say is words to the effect of "Be
aware that this security problem exists, here's a workaround (if any), and
we'll be updating this advisory when official patch information is available."

That way people can get rapid notification of potential problems without having
to read all of freebsd-security, and instead pick it up via -announce, presumably
with pager notification if they so desire. Kris, what do you think about this?

And I realize that part of the delay for the recent advisories (ntpd, ipfilter, ftpd)
was because Kris was out of town for two weeks. But when I heard that, I was
surprised, as I didn't realize he had no "backup". In the future, I think it would
be a good idea to try to have a second/backup person available who could send out
at least the initial SA if Kris isn't available for that task, if at all possible.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message