Subject: Re: OpenSSL incident tracking...
To: Ing.,BcA. Ivan Dolezal <ivan.dolezal@vsb.cz>
From: Sean Davis <dive@endersgame.net>
List: tech-security
Date: 08/02/2002 22:35:50
I don't think I would go so far as to say the NetBSD project does not care
about security. I do believe the delay in releasing security advisories is
worthy of criticism if other systems put out advisories within hours,
however.
On Fri, Aug 02, 2002 at 04:18:46PM +0200, Ing.,BcA. Ivan Dolezal wrote:
> Same old story with "security? who cares?!" that I had criticized
> some time ago here...
>
>
> Just read the timestamps.
>
>
>
> ### Announcements:
>
> Date: Tue, 30 Jul 2002 13:53:04 +0200
> To: ..., cryptography@wasabisystems.com, ...
> Subject: Announcement: OpenSSL 0.9.6e (Security related upgrade)
>
>
> Date: Tue, 30 Jul 2002 13:45:39 -0400
> From: CERT Advisory <cert-advisory@cert.org>
> To: cert-advisory@cert.org
> Subject: CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSS
>
>
>
> ### Debian GNU/Linux patch package available
> ### within less than one hour
>
> Date: Tue, 30 Jul 2002 14:47:05 +0200
> From: Wichert Akkerman <wichert@wiggy.net>
> To: debian-security-announce@lists.debian.org
> Subject: [SECURITY] [DSA-136-1] Multiple OpenSSL problems
> ...
> Obtaining updates:
> With apt:
> deb http://security.debian.org/ stable/updates main
> added to /etc/apt/sources.list will provide security updates
>
> ### OpenBSD
>
> 013: SECURITY FIX: July 30, 2002
> Several remote buffer overflows can occur in the SSL2 server and SSL3
> client of the ssl(8) library, as in the ASN.1 parser code in the
> crypto(3) library, all of them being potentially remotely exploitable.
> A source code patch exists which remedies the problem.
> <ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/013_ssl.patch>
>
> ### FreeBSD
>
> FreeBSD-SA-02:33.openssl
> Announced: 2002-07-31
> Corrected:      2002-07-30 22:04:59 UTC (RELENG_4)
>                 2002-07-31 02:54:36 UTC (RELENG_4_6)
>                 2002-07-31 14:04:45 UTC (RELENG_4_5)
>                 2002-07-31 16:40:30 UTC (RELENG_4_4)
>
>
> ### ...but NetBSD?
>
> Date: Fri, 2 Aug 2002 09:59:10 -0400
> From: NetBSD Security Officer <security-officer@netbsd.org>
> To: netbsd-announce@netbsd.org
> Subject: NetBSD Security Advisory 2002-009: Multiple vulnerabilities in
> OpenSSL code
>
> In other words: the essential library that takes control over vital
> applications such as OpenSSH or Apache-SSL/Apache+mod_ssl can be broken for
> circa 4 days, because who cares about the business. NetBSD is just a
> playground of geeks somewhere in CPU laboratories.
>
>
--
 /~\ The ASCII                         Sean Davis
 \ / Ribbon Campaign                   aka dive
  X  Against HTML
 / \ Email!                            http://endersgame.net/~dive/
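The thread says "just read the timestamps", but the quoted Date: headers sit in three different zones (+0200, -0400 and UTC), so reading them off the wall clock is misleading: the CERT advisory appears to predate the OpenSSL announcement by eight minutes, and the NetBSD gap cannot be read off without carrying days across a zone change. The script below is an added example, not part of the thread or of any vendor's tooling; it parses the headers quoted above, normalises them to UTC and reports the delay of each advisory relative to the OpenSSL announcement. The FreeBSD "Corrected:" line has been rewritten here into RFC 2822 form (its time was already UTC), and the OpenBSD errata entry is omitted because the page gives it a date but no time of day. The naive, zone-ignoring variant is included only to show the error it produces.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime

# Timestamps exactly as quoted in the thread.  The FreeBSD entry is the
# "Corrected: 2002-07-30 22:04:59 UTC (RELENG_4)" line rewritten into
# RFC 2822 form for the parser (an assumption made here, not the page's text).
TIMELINE = {
    "OpenSSL 0.9.6e announcement": "Tue, 30 Jul 2002 13:53:04 +0200",
    "CERT CA-2002-23":             "Tue, 30 Jul 2002 13:45:39 -0400",
    "Debian DSA-136-1":            "Tue, 30 Jul 2002 14:47:05 +0200",
    "FreeBSD RELENG_4 commit":     "Tue, 30 Jul 2002 22:04:59 +0000",
    "NetBSD SA 2002-009":          "Fri, 2 Aug 2002 09:59:10 -0400",
}

REFERENCE = "OpenSSL 0.9.6e announcement"


def to_utc(stamp):
    """Parse an RFC 2822 date header and return an aware datetime in UTC.

    A header without a numeric zone is rejected rather than silently
    treated as local time, which is the usual source of bogus timelines.
    """
    dt = parsedate_to_datetime(stamp)
    if dt.tzinfo is None:
        raise ValueError("timestamp carries no zone: %r" % stamp)
    return dt.astimezone(timezone.utc)


def delay_hours(timeline, reference=REFERENCE):
    """Hours from the reference event to every event, computed in UTC."""
    t0 = to_utc(timeline[reference])
    return {name: round((to_utc(stamp) - t0).total_seconds() / 3600, 2)
            for name, stamp in timeline.items()}


def naive_delay_hours(timeline, reference=REFERENCE):
    """The same calculation done on wall-clock values with the zone dropped.

    This is the mistake being demonstrated: it yields a negative delay for
    CERT (the -0400 header looks earlier than the +0200 one) and understates
    or overstates every cross-zone gap by the zone difference.
    """
    strip = lambda s: parsedate_to_datetime(s).replace(tzinfo=None)
    t0 = strip(timeline[reference])
    return {name: round((strip(stamp) - t0).total_seconds() / 3600, 2)
            for name, stamp in timeline.items()}


def report(timeline, reference=REFERENCE):
    """Render a side-by-side table of correct (UTC) versus naive delays."""
    good, bad = delay_hours(timeline, reference), naive_delay_hours(timeline, reference)
    lines = ["%-30s %10s %10s" % ("event", "UTC hours", "naive")]
    for name in timeline:
        lines.append("%-30s %10.2f %10.2f" % (name, good[name], bad[name]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TIMELINE))
```

Run it and the Debian package lands 0.9 h after the OpenSSL announcement, the FreeBSD RELENG_4 commit 10.2 h after, and the NetBSD advisory 74.1 h after; the naive column shows CERT at -0.12 h, which is the artefact the zone-aware version exists to avoid.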