[18229] in bugtraq
Re: OpenBSD remote root
daemon@ATHENA.MIT.EDU (David Damerell)
Wed Dec 20 17:01:30 2000
Message-Id: <E148fEC-0001Tt-00@virgo.cus.cam.ac.uk>
Date: Wed, 20 Dec 2000 09:08:04 +0000
Reply-To: djsd100@cam.ac.uk
From: David Damerell <djsd100@CAM.AC.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <00121822132300.00955@buttercup>
On Mon, 18 Dec 2000, Emre wrote:
>On Sunday 17 December 2000 23:26, Typo Princep wrote:
>>Now the funny thing is that 2 weeks have passed since the initial
>>bug report, to the openbsd bugs mailing list, and NetBSD in the meanwhile
>>seems to have put OpenBSD's bugfix into cvs.
>>But no one has made the userbase aware of the security problems nor has any
>>further discussion taken place on obsd-bugs.
>From http://www.openbsd.org/plus.html:
> SECURITY FIX: Fix buffer overflow in ftpd
> A patch is available.
> [Applied to stable]
>For us, who check the daily changelog, this isn't new. I don't believe it's
>OpenBSD's responsibility to notify every user of EVERY bug they fix. It's
>your (the user's) responsibility to keep up with patches and such. If you
>really care about your security, you should check the webpage more often.
There's a very fundamental difference between an alerting mechanism
that emails interested users and one that requires them to check a Web
page - or between the general classes of mechanisms that alert you
when there's a change and those you have to be constantly checking.
The latter is - well, I hesitate to say not acceptable, but
suboptimal; even the OS vendors one thinks of as having a rotten track
record on security can manage to run a security alerts mailing list.
--
David Damerell, Computer Officer, Department of Chemistry, Cambridge
Work: djsd100@cam.ac.uk Personal: damerell@chiark.greenend.org.uk
These are my opinions, not those of the Department as a whole.