Re: Latency of security notifications

From: Michael Bryan (fbsd-secure@ursine.com)
Date: 04/18/01
Date: Tue, 17 Apr 2001 16:44:03 -0700
From: Michael Bryan <fbsd-secure@ursine.com>
To: freebsd-security@FreeBSD.ORG
Marcus Reid wrote:
>
> I saw the ftpd/glob() vulnerability on bugtraq yesterday, and the
> vulnerability report came out this afternoon. The ntpd vulnerability
> says Announced: 2001-04-06 but I got the report 2001-04-12. I think
> it's admirable that the reports come with patches and background, but
> I'd like to know to disable ntpd as soon as possible while waiting for
> details.

Yeah, this was mentioned in the (lengthy) recent threads about security
notifications and binary patches.

Bottom line, I think a -lot- of people would be happier if the FreeBSD SAs
could go out as soon as possible after a security hole is disclosed publicly
in some other forum, even if all they say is words to the effect of "Be
aware that this security problem exists, here's a workaround (if any), and
we'll be updating this advisory when official patch information is available."

That way people can get rapid notification of potential problems without having
to read all of freebsd-security, and instead pick it up via -announce, presumably
with pager notification if they so desire. Kris, what do you think about this?

And I realize that part of the delay for the recent advisories (ntpd, ipfilter, ftpd)
was because Kris was out of town for two weeks. But when I heard that, I was
surprised, as I didn't realize he had no "backup". In the future, I think it would
be a good idea to try and have a second/backup person available who could send out
at least the initial SA if Kris isn't available for that task, if at all possible.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message