Subject: Re: What to do about unfixed vulnerabilities?
To: Matthew Orgass <darkstar@pgh.net>
From: Alistair Crooks <AlistairCrooks@excite.com>
List: tech-security
Date: 10/24/2000 04:48:48
Reply-To: <agc@pkgsrc.org>
To: Matthew Orgass <darkstar@pgh.net>,
"Steven M. Bellovin" <smb@research.att.com>
Cc: tech-pkg@netbsd.org, tech-security@netbsd.org
On Mon, 23 Oct 2000 19:57:30 -0400 (EDT), Matthew Orgass wrote:
> On Mon, 23 Oct 2000, Steven M. Bellovin wrote:
>
> > More to the point, the general thrust of the comment -- that any
> > program with that many uses of known-dangerous functions -- is unlikely
> > to be correct applies on any host.
>
> Further, warning only about a denial of service attack when there is a
> known remote exploit is very misleading. Pine builds should be disabled
> until there is some reason to believe that it is safe to use (as the
> comment says, not likely anytime soon). The security notice should say
> "don't use pine" and refer to http://www.securityfocus.com/bid/1709 as
> well as the comment.
I disagree - I am in no position to tell people what programs they must, or
must not, use. I am in a position to advise them on bad practices, however,
and that's why bsd.pkg.mk displays a warning when a vulnerable package is
installed, or the audit-packages script is run.
And to come to the defence of Hubert, the advisory he put in our
vulnerabilities file covered simply the Denial of Service one
(http://www.securityfocus.com/advisories/2646), not the buffer overflow one
that you reference. I should have found that one in my trawl through recent
advisories on the Security Focus web site when I was populating the
vulnerabilities file, but it evidently fell through my net. Apologies, mea
culpa, it's a fair cop, guv, you've got me bang to rights.
Regards,
Alistair
PS. This whole pine thing has shown me one thing - the need for a package
like audit-packages, and a wish that we'd implemented something like this
long ago.
--
Alistair Crooks (agc@pkgsrc.org)
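As an added illustration of the audit-packages-style check the message above describes (this is not pkgsrc's own script or bsd.pkg.mk code): a minimal checker that reads a constructed vulnerabilities file in a simplified `package-pattern type-of-exploit url` layout, matches it against a constructed installed-package list, and reports the most severe finding first, which is the point raised about the pine advisory. The version bounds, the sendmail entry and the installed list are invented for the example; the two pine URLs are the advisories named in the thread.

```python
import re

# Constructed sample vulnerabilities file (version bounds are made up).
VULNERABILITIES = """\
# package-pattern type-of-exploit url
pine<4.30 denial-of-service http://www.securityfocus.com/advisories/2646
pine<4.30 remote-user-shell http://www.securityfocus.com/bid/1709
sendmail<8.11.1 local-root-shell http://example.invalid/constructed-entry
"""

# Constructed list of installed packages, as pkg_info would report them.
INSTALLED = ["pine-4.21", "sendmail-8.11.1", "tcsh-6.09"]

# Higher number = more severe; the warning leads with the worst case so a
# DoS entry never hides a remote exploit for the same package.
SEVERITY = {"remote-root-shell": 4, "remote-user-shell": 3,
            "local-root-shell": 2, "denial-of-service": 1}

# NAME<VER, NAME<=VER, NAME>VER, NAME>=VER or NAME-VER (exact match)
PATTERN = re.compile(r"^([A-Za-z0-9_+.-]+?)(<=|<|>=|>|-)(\d[\w.]*)$")

def version_key(v):
    """Numeric tuple so "4.21" < "4.30" and "8.11.1" > "8.9" compare correctly."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def parse_entries(text):
    """Yield (name, op, bound, type, url) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split(None, 2)
        m = PATTERN.match(pattern)
        if not m:
            raise ValueError("bad package pattern: " + pattern)
        yield m.group(1), m.group(2), m.group(3), kind, url

def matches(installed, name, op, bound):
    """True if installed package NAME-VERSION satisfies the pattern."""
    pkgname, _, version = installed.rpartition("-")
    if pkgname != name:
        return False
    a, b = version_key(version), version_key(bound)
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "-": a == b}[op]

def audit(installed_pkgs, vuln_text):
    """Return {installed-package: [(type, url), ...]}, most severe first."""
    report = {}
    for pkg in installed_pkgs:
        hits = [(kind, url) for name, op, bound, kind, url in parse_entries(vuln_text)
                if matches(pkg, name, op, bound)]
        if hits:
            report[pkg] = sorted(hits, key=lambda h: -SEVERITY.get(h[0], 0))
    return report

if __name__ == "__main__":
    for pkg, hits in audit(INSTALLED, VULNERABILITIES).items():
        print("Package %s has a %s vulnerability, see %s" % (pkg, hits[0][0], hits[0][1]))
        for kind, url in hits[1:]:
            print("    also: %s (%s)" % (kind, url))
```

Note that sendmail-8.11.1 is not reported: the `<8.11.1` bound is exclusive, which is the kind of boundary an entry in the real file has to get right.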