Subject: Re: OpenBSD remote root
From: Theo de Raadt (deraadt CVS.OPENBSD.ORG)
Date: Wed Dec 20 2000 - 15:33:11 CST
- Next message: Michal Zalewski: "Re: Oracle WebDb engine brain-damagse"
- Previous message: security-officer NETBSD.ORG: "NetBSD Security Advisory 2000-017"
- Maybe in reply to: Typo Princep: "OpenBSD remote root"
- Next in thread: Dan Harkless: "Re: OpenBSD remote root"
- Maybe reply: Theo de Raadt: "Re: OpenBSD remote root"
>On Mon, 18 Dec 2000, Emre wrote:
>>On Sunday 17 December 2000 23:26, Typo Princep wrote:
>>>Now the funny thing is that 2 weeks have passed since the initial
>>>bug report, to the openbsd bugs mailing list, and NetBSD in the meanwhile
>>>seems to have put OpenBSD's bugfix into cvs.
>>>But no one has made the userbase aware of the security problems nor has any
>>>further discussion taken place on obsd-bugs.
>>From http://www.openbsd.org/plus.html:
>> SECURITY FIX: Fix buffer overflow in ftpd
>> A patch is available.
>> [Applied to stable]
>>For us, who check the daily changelog, this isn't new. I don't believe it's
>>OpenBSD's responsibility to notify every user of EVERY bug they fix. It's
>>your (the user's) responsibility to keep up with patches and such. If you
>>really care about your security, you should check the webpage more often.
>
>There's a very fundamental difference between an alerting mechanism
>that emails interested users and one that requires them to check a Web
>page - or between the general classes of mechanisms that alert you
>when there's a change and those you have to be constantly checking.
What are you yammering about?
>The latter is - well, I hesitate to say not acceptable, but
>suboptimal; even the OS vendors one thinks of as having a rotten track
>record on security can manage to run a security alerts mailing list.
And we do have such a list.
And notification of this did get sent to there.
Twice.
And it even got mentioned on various other security mailing lists.
And on bugtraq.
BEFORE exploitability was confirmed.
Boy, you'd swear this was a Spanish Inquisition.
Get your facts right, or maybe just learn to relax.