Subject: Re: OpenBSD remote root
From: Dan Harkless (dan-bugtraq DILVISH.SPEED.NET)
Date: Tue Dec 19 2000 - 19:50:01 CST
Emre <emre SRENGINEERING.COM> writes:
> On Sunday 17 December 2000 23:26, Typo Princep wrote:
>
> > Now the funny thing is that 2 weeks have passed since the initial
> > bug report, to the openbsd bugs mailing list, and NetBSD in the meanwhile
> > seems to have put OpenBSD's bugfix into cvs.
> >
> > But no one has made the userbase aware of the security problems nor has any
> > further discussion taken place on obsd-bugs.
>
> From http://www.openbsd.org/plus.html:
>
> SECURITY FIX: Fix buffer overflow in ftpd
> A patch is available.
> [Applied to stable]
>
> For us, who check the daily changelog, this isn't new. I don't believe it's
> OpenBSD's responsibility to notify every user of EVERY bug they fix. It's
> your (the user's) responsibility to keep up with patches and such. If you
> really care about your security, you should check the webpage more often.

This has been argued before, but many think that OpenBSD's policy of not
having a specific security announcement mailing list is rash and is poor
security policy. It's great to say that someone should "check the webpage
more often", but obviously not everyone can watch it every instant. There
are plenty of times when one is too busy to actively check something, but if
it were announced to them in a "push" format, they'd make time to deal with
it. This way you wouldn't have to waste time continuously checking and
finding no update -- you'd simply get updated when there was an update
available.

True, one could write some kind of script to continuously check the
appropriate web page(s) and grep for certain keywords in diffs vs. previous
versions, but this is error-prone and wouldn't be necessary if the OpenBSD
team just acted like almost every other vendor on the planet and provided a
security announcement list.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq dilvish.speed.net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.