[172] in linux-security and linux-alert archive


DFN-CERT and Linux bugs (was: Somebody else to report bugs to)

daemon@ATHENA.MIT.EDU (Wolfgang Ley)
Thu Mar 16 13:41:12 1995

From: Wolfgang Ley <ley@cert.dfn.de>
To: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig)
Date: Thu, 16 Mar 1995 14:14:57 +0100 (MET)
Cc: linux-security@tarsier.cv.nrao.edu (linux-security),
        dfncert-request@cert.dfn.de (DFN-CERT (Anfragen etc.))
Reply-To: dfncert-request@cert.dfn.de (DFN-CERT (Anfragen etc.))
In-Reply-To: <199503141858.TAA00758@mvmampc66.ciw.uni-karlsruhe.de> from "Thomas Koenig" at Mar 14, 95 07:58:54 pm

-----BEGIN PGP SIGNED MESSAGE-----

Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig) said:

> If you have a Linux security bug report, I'd recommend you also send a
> CC: of whatever you send anywhere else to DFN-CERT, dfncert@cert.dfn.de,
> the CERT equivalent of the DFN, the German research network.

*Please* do NOT do that. Read on...

> Unlike CERT, who seem to drop Linux security reports into the bit bucket
> as soon as they receive them, DFN-CERT
> 
> - do listen to Linux security bug reports
> 
> - do keep you informed of what's happening with a bug you reported
>   (which does give you a nice feeling ;-)
> 
> - do fully disclose bugs to their security contacts at sites
> 
> - may one day persuade other CERTs to listen to Linux bug reports

This is our policy, yes. However the DFN-CERT is (you already said this)
the CERT for the *German* research network (DFN). We are not able to handle
all vulnerability reports for the complete Internet. We do not have
the time and staff for doing Linux vulnerability analysis (in fact our 
resources are eaten up by the other work like incident handling and proactive 
work writing bulletins, offering security workshops etc.).

We are working together with other CERTs all over the world. The DFN-CERT
is a member of FIRST (Forum of Incident Response and Security Teams).
For further information on FIRST see http://www.first.org/first/

Our information-services are available at

        http://www.cert.dfn.de/         (German)
        http://www.cert.dfn.de/eng/     (English)
        ftp://ftp.cert.dfn.de/pub/

It is also necessary to understand that CERTs are willing to deal with
Linux-security problems but that Linux is not the only OS they have to take
care of. Today we see a big difference between highly motivated Linux users
who do a lot of their work on their own systems and can fix problems very
fast and commercial usage of computer systems on the other hand. It makes
a difference if you are only responsible for your own machine or a small
subnet or if you have to deal with a lot of different OS-types in a large
organization. We can't simply publish a patch that only works for Linux
and not care about the other ones. It is important to know who else is
or may be affected by this bug (other systems are sometimes based on the same
sources) and if there is a patch or workaround for those systems available,
too. If this can't be solved in a timely fashion, we have to decide on every
single vulnerability how we deal with this problem. If it helps to prevent
attacks we are willing to publish this information even if there is no
official patch available...

The DFN-CERT would also like to work together with the developers of the
Linux implementations. If we do know that a fix is coming from the original
author of a package (e.g. it is PGP signed and other people can convince us,
that the given author is really responsible for that part of software) we
would like to forward this information to our site security contacts and
to the other FIRST members (like CERT/CC). Any input and ideas on how
to handle Linux problems are appreciated.

> -- 
> [Mod: Looking at my subscription files, I found that the following two
> addresses have already been subscribed to these lists:
> 
> linux-security@cert.dfn.de 
> linux-alert@cert.dfn.de
> 
> It seems that, not only do they listen to Linux bug reports, they've
> taken a bit of an active interest in both Linux and the
> discussions/alerts on these lists.  That being the case, CC:'ing
> dfncert@cert.dfn.de on messages to this list may be an unnecessary
> duplication.  (If I'm wrong on this, I invite corrections from the
> cert.dfn.de subscribers.) --Jeff.]

Yes - we do listen to Linux security reports as well as to bugtraq, 8lgm
etc. However we don't have the resources to pick up all vulnerability
reports from those lists. Please report them directly to the CERT/CC at
cert@cert.org. They will ask us (and other FIRST teams) if they need help.

Please remember that nearly all existing CERTs do have a very high
workload and that a special Linux vulnerability may not have that high
priority compared to an ongoing attack or another bug that affects all
vendors. So please accept it if your particular bug report is not processed
within 24 hours. Of course you should ask for an acknowledgment of your
mail if you don't receive any feedback within a week or so...

Bye,
  Wolfgang Ley (DFN-CERT).
- -- 
- ----------------------------------------------------------------------
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg,    Germany
Email: ley@cert.dfn.de
Phone: +49 40 54715-262                          Fax: +49 40 54715-241
PGP-Key available via finger ley@concert.cert.dfn.de or any key-server


-----BEGIN PGP SIGNATURE-----
Version: 2.6.i

iQCVAgUBL2g5dQQmfXmOCknRAQFtTAP/WN2l4MdVvlgKaFR3MBDx8kdtg8i+4T8f
rR+j4ZC1I169FfzmIsRd8qdBMw144NWuKRo2cexjESSCVOxbKlaAIaPMT8FtZ+wo
e1lnVoM0FaFsFv3cxWyjR+403erKSpPv3SRBMYN+eJ3gYZw2a7y5YKLwGuku9Zh5
grYRyOwx2fU=
=ONqd
-----END PGP SIGNATURE-----

