Subject: Re: Security Issues
To: None <itojun@iijlab.net>
From: Steven M. Bellovin <smb@research.att.com>
List: current-users
Date: 08/01/2002 08:02:57
In message <20020801081449.30DB54B22@coconut.itojun.org>, itojun@iijlab.net wri
tes:
>>I've seen last days three security advisories from FreeBSD (problems with
>>OpenSSL, pppd and rpc) but none from NetBSD. Is NetBSD unaffected by these
>>three bugs ?
>
> yes for all, and advisories are under preparation.
>
It would be a good idea, I think, to try to get out very early warning
notices in such cases. The NetBSD community should know of possible
vulnerabilities that appear to apply, even before fixes are ready.
That way, people can turn off services, block ports, etc., as
necessary. (As an example -- I just saw a pointer to
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security
(though I know nothing more about it). From a quick 'find' on my
system, updated yesterday to 1-6beta6, I don't *think* NetBSD is
currently affected -- but I needed to know about that in order to do
the scan.)
A more complete advisory, when the fix is ready (or found not to be
needed) is still necessary, of course.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)