advisory coordination (Re: SA-02:35)

From: Anatole Shaw (shaw@autoloop.com)
Date: 08/06/02


Date: Tue, 6 Aug 2002 05:32:37 -0400
From: Anatole Shaw <shaw@autoloop.com>
To: Dag-Erling Smorgrav <des@ofug.org>

On Tue, Aug 06, 2002 at 01:19:22AM +0200, Dag-Erling Smorgrav wrote:
> Oleg Derevenetz <oleg@vsi.ru> writes:
> > I recently visited ftp.freebsd.org, and found directory SA-02:35 in
> > CERT/patches without corresponding advisory in CERT/advisories.
> SA-02:35 is due out today. We release patches early to make sure
> they've propagated to all the mirrors by the time we release the
> advisory.

In May, I had an exchange with two FreeBSD Security Officers about the
release of advisory SA-02:25, which referenced patches that didn't yet
exist on the FTP site. I recommended that patches and advisories be made
available together. One SO told me that, in the future, patch propagation
would be assured prior to advisory release, but that attaching patches to
advisories was passé.

It seems that this piecemeal bit of change is now in force, with the
obvious results. On or before August 2nd, the same problem occurred in
reverse -- a patch for SA-02:35 (the FFS filesize bug) was propagated
without a corresponding advisory, as noted by Oleg above.

As a result, there were just about 3 days during which the security patch
circulated with no explanation. Those were three days for blackhats to
examine the patch, and for exploits to emerge and circulate, before most
admins were aware of the bug or its impact.

On the same day, Ache@ forwarded an unrelated CVS commit on setlocale.c to
this list, adding nonchalantly, "That original BSD code bug can be
exploitable." The advisory for this one is still in the works, I guess.

I'm all for full-disclosure, but something is very wrong in these 2 cases.
Known security problems are being released in fragments without any
coordination. It seems that a basic Vulnerability Coordination function
is broken or missing, and surely we can fix this.

-- 
Anatole Shaw
Autoloop Security Consulting
http://www.autoloop.com

