Path: utzoo!attcan!uunet!husc6!psuvax1!schwartz@shire.cs.psu.edu
From: schwartz@shire.cs.psu.edu (Scott Schwartz)
Newsgroups: news.sysadmin
Subject: the how and why of plugging holes
Message-ID: <4113@psuvax1.cs.psu.edu>
Date: 11 Nov 88 00:38:08 GMT
References: <456@l5comp.UUCP> <12081@dscatl.UUCP> <16600@agate.BERKELEY.EDU> <2279@looking.UUCP> <27203@tut.cis.ohio-state.edu>
Sender: news@psuvax1.cs.psu.edu
Reply-To: schwartz@shire.cs.psu.edu (Scott Schwartz)
Distribution: na
Organization: Pennsylvania State University, Computer Science
Lines: 30
In-reply-to: karl@triceratops.cis.ohio-state.edu (Karl Kleinpaste)

In article <27203@tut.cis.ohio-state.edu>, karl@triceratops writes:
>I submit as an example, yet again, the recent discovery of a security
>hole in ftpd.
>  o The fix was made public via a posting in ...ucb-fixes so
>    that everyone with a C compiler can upgrade NOW and not
>    wait for slow-as-molasses vendors to decide that it's
>    worth getting around to.  And I think it's important to
>    note that not all vendors are slow-as-molasses, either; I
>    sent a copy of what I initially received to Pyramid and
>    had the attention of csg@pyramid FAST - they began a
>    distribution of their fix within (I think) 2 days.

A C compiler and a unix source licence, you mean.

One thing you bring up is really important, and I hope lots of people
get the point: SOME vendors don't do diddly squat about sending out
patches for this kind of stuff; so all those sites without sources are
dead meat, most of the time.  Maybe after customers start delivering
bug reports via anonymous ftp... :-)

For systems with sources, the current mechanisms are not bad.  But I
really worry about the rest of them out there.  At the very least, I
hope that all vendors of unix systems monitor ucb-fixes, and the
security mailing list, and just for fun, do something about what they
find there.

-- 
Scott Schwartz