Re: Latency of security notifications

From: Kris Kennaway (kris@obsecurity.org)
Date: 04/18/01


Date: Tue, 17 Apr 2001 18:17:10 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Michael Bryan <fbsd-secure@ursine.com>


On Tue, Apr 17, 2001 at 04:44:03PM -0700, Michael Bryan wrote:

> Bottom line, I think a -lot- of people would be happier if the
> FreeBSD SAs could go out as soon as possible after a security hole
> is disclosed publicly in some other forum, even if all they say is
> words to the effect of "Be aware that this security problem exists,
> here's a workaround (if any), and we'll be updating this advisory
> when official patch information is available."
>
> That way people can get rapid notification of potential problems
> without having to read all of freebsd-security, and instead pick it
> up via -announce, presumably with pager notification if they so
> desire. Kris, what do you think about this?

I think it would result in a flood of support questions about "how do
I fix this?"/"What does this mean?" and end up causing the security
officer team a lot more work if it came from us, even as some kind of
unofficial statement (especially if it was a very brief statement,
which it would have to be to get immediately released upon third party
disclosure of a vulnerability, because none of us have enough free
time to actively pre-empt whatever else we're doing to go and write
something comprehensive).

Other people usually send copies of third party advisories to this
forum for serious issues as soon as they're published (on bugtraq or
wherever), and the community takes care of the interim support: that
seems like a much better solution to me.

> And I realize that part of the delay for the recent advisories
> (ntpd, ipfilter, ftpd) was because Kris was out of town for two
> weeks. But when I heard that, I was surprised, as I didn't realize
> he had no "backup". In the future, I think it would be a good idea
> to try and have a second/backup person available who could send out
> at least the initial SA if Kris isn't available for that task, if at
> all possible.

There are a number of others who are part of the security officer
team, and in fact the ntpd advisory was written and released by Chris
Faulhaber during my absence; it just so happens that we're all going
through a busy time right now with our daytime lives and so the
latency of released advisories has increased recently. Hopefully that
will improve.

Kris



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
