[1188] in linux-security and linux-alert archive
[linux-security] Re: A SERIOUS security problem!!!!
daemon@ATHENA.MIT.EDU (Jon Lewis)
Thu Oct 3 17:18:28 1996
Date: Thu, 3 Oct 1996 12:09:23 -0400 (EDT)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: lilo <lilo@linpeople.org>
cc: "Brian A. Lantz" <brian@lantz.com>, linux-security@tarsier.cv.nrao.edu,
"Peter T. Breuer" <ptb@dit.upm.es>
In-Reply-To: <19961003150744.24133.qmail@capek.linpeople.org>
On Thu, 3 Oct 1996, lilo wrote:
> > people don't read, it's their problem. Are you going to re-announce the
> > LD_LIBRARY_PATH hole (and a dozen other holes) every 6 months for all the
> > clueless people who don't read?
>
> Or weren't running Linux six months ago.
That's a reasonably good point. Why not encourage linux.org or the LDP
(is that still being maintained?) to maintain (or house and let others
maintain) a linux security FAQ WWW page that lists every known hole and
the fix (and perhaps the exploit)?
Such a page might even exist already. Anyone know of one?
[Mod: Alex Yuriev tries to keep up with these things at
"http://bach.cis.temple.edu/linux/linux-security/". It's not a
comprehensive archive, but it does outline most of the high (low?)
points so far. --Jeff.]
All the major distributions could then add something to their install
routine that says something like "if you intend to network this system or
care about security, check out the Linux Security FAQ at
http://www.linux.org/LSF/, for the latest breaking security holes and
fixes."
I still think linux-kernel and Linus's personal address are the WRONG
places to report such things. Those addresses are busy enough.
------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/hr.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______