Bugtraq mailing list archives
Re: OpenBSD remote root
From: David Damerell <djsd100 () cam ac uk>
Date: Wed, 20 Dec 2000 09:08:04 +0000
On Mon, 18 Dec 2000, Emre wrote:
On Sunday 17 December 2000 23:26, Typo Princep wrote:

Now the funny thing is that 2 weeks have passed since the initial bug report, to the openbsd bugs mailing list, and NetBSD in the meanwhile seems to have put OpenBSD's bugfix into cvs. But no one has made the userbase aware of the security problems nor has any further discussion taken place on obsd-bugs.

From http://www.openbsd.org/plus.html:

SECURITY FIX: Fix buffer overflow in ftpd A patch is available. [Applied to stable]

For us, who check the daily changelog, this isn't new. I don't believe it's OpenBSD's responsibility to notify every user of EVERY bug they fix. It's your (the user's) responsibility to keep up with patches and such. If you really care about your security, you should check the webpage more often.

There's a very fundamental difference between an alerting mechanism that emails interested users and one that requires them to check a Web page - or between the general classes of mechanisms that alert you when there's a change and those you have to be constantly checking. The latter is - well, I hesitate to say not acceptable, but suboptimal; even the OS vendors one thinks of as having a rotten track record on security can manage to run a security alerts mailing list.

--
David Damerell, Computer Officer, Department of Chemistry, Cambridge
Work: djsd100 () cam ac uk
Personal: damerell () chiark greenend org uk
These are my opinions, not those of the Department as a whole.