Subject: Re: What to do about unfixed vulnerabilities?
To: Matthew Orgass <firstname.lastname@example.org>
From: Alistair Crooks <AlistairCrooks@excite.com>
Date: 10/24/2000 04:48:48
On Mon, 23 Oct 2000 19:57:30 -0400 (EDT), Matthew Orgass wrote:
> On Mon, 23 Oct 2000, Steven M. Bellovin wrote:
> > More to the point, the general thrust of the comment -- that any
> > program with that many uses of known-dangerous functions -- is unlikely
> > to be correct applies on any host.
> Further, warning only about a denial of service attack when there is a
> known remote exploit is very misleading. Pine builds should be disabled
> until there is some reason to believe that it is safe to use (as the
> comment says, not likely anytime soon). The security notice should say
> "don't use pine" and refer to http://www.securityfocus.com/bid/1709 as
> well as the comment.
I disagree - I am in no position to tell people what programs they must, or
must not, use. I am in a position to advise them on bad practices, however,
and that's why bsd.pkg.mk displays a warning when a vulnerable package is
installed, or the audit-packages script is run.
And to come to the defence of Hubert, the advisory he put in our
vulnerabilities file covered simply the Denial of Service one
(http://www.securityfocus.com/advisories/2646), not the buffer overflow one
that you reference. I should have found that one in my trawl through recent
advisories on the Security Focus web site when I was populating the
vulnerabilities file, but it evidently fell through my net. Apologies, mea
culpa, it's a fair cop, guv, you've got me bang to rights.
PS. This whole pine thing has shown me one thing - the need for a package
like audit-packages, and a wish that we'd implemented something like this
Alistair Crooks (email@example.com)
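The mechanism argued over above (a vulnerabilities file consulted by bsd.pkg.mk and audit-packages, which warns only about entries actually present in that file) can be illustrated with a small checker. This is an added example, not code from the mailing-list thread or from pkgsrc's own audit-packages; the three-field file format, the version-comparison rules, the package list and the advisory URLs are all constructed assumptions. Note how the "pine-4.21" warning depends entirely on which entries were recorded, which is exactly the gap the reply admits to.

```python
"""Simplified audit-packages-style check (constructed example).

Assumed file format, one entry per line:
    package-pattern  type-of-exploit  advisory-url
where package-pattern is NAME followed by one of <, <=, =, >, >= and a
dotted version. This is modelled loosely on a pkgsrc-style vulnerabilities
file but is not a copy of the real format or data.
"""
import operator
import re
from typing import List, NamedTuple, Tuple

# Constructed sample vulnerabilities file (not real advisory data).
VULNERABILITIES = """\
# package-pattern   type-of-exploit     advisory-url
pine<4.30           remote-shell        https://advisories.example.invalid/pine-overflow
pine<4.22           denial-of-service   https://advisories.example.invalid/pine-dos
mutt<1.2.5          remote-shell        https://advisories.example.invalid/mutt
"""

# Constructed list of installed packages as name-version strings.
INSTALLED = ["pine-4.21", "mutt-1.2.5", "ssh-1.2.27"]


class Entry(NamedTuple):
    name: str
    op: str
    version: Tuple[int, ...]
    kind: str
    url: str


_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
        ">": operator.gt, ">=": operator.ge}
_PATTERN_RE = re.compile(r"^(?P<name>[^<>=]+)(?P<op><=|>=|<|>|=)(?P<ver>[^<>=]+)$")
_PKG_RE = re.compile(r"^(?P<name>.+)-(?P<ver>\d[^-]*)$")


def version_tuple(ver: str) -> Tuple[int, ...]:
    """Simplified numeric comparison: split on dots, compare part by part.
    (Real package-version rules also handle suffixes such as 'nb1' or 'pl2';
    those are deliberately not supported here.)"""
    return tuple(int(part) for part in ver.split("."))


def parse_vulnerabilities(text: str) -> List[Entry]:
    """Parse the assumed three-field format; reject anything unrecognised
    rather than silently skipping it, so a malformed file cannot hide an entry."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        pattern, kind, url = fields
        m = _PATTERN_RE.match(pattern)
        if not m:
            raise ValueError(f"line {lineno}: unsupported pattern {pattern!r}")
        entries.append(Entry(m["name"], m["op"], version_tuple(m["ver"]), kind, url))
    return entries


def split_package(pkg: str) -> Tuple[str, Tuple[int, ...]]:
    """Split 'name-1.2.3' into ('name', (1, 2, 3)) at the last hyphen before a digit."""
    m = _PKG_RE.match(pkg)
    if not m:
        raise ValueError(f"not a name-version string: {pkg!r}")
    return m["name"], version_tuple(m["ver"])


def audit(installed: List[str], entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (package, exploit-type, url) for every entry an installed package matches.
    A package can match several entries; each is reported separately."""
    findings: List[Tuple[str, str, str]] = []
    for pkg in installed:
        name, version = split_package(pkg)
        for e in entries:
            if e.name == name and _OPS[e.op](version, e.version):
                findings.append((pkg, e.kind, e.url))
    return findings


if __name__ == "__main__":
    for pkg, kind, url in audit(INSTALLED, parse_vulnerabilities(VULNERABILITIES)):
        print(f"Package {pkg} has a {kind} vulnerability, see {url}")
```

Run as a script it warns twice for pine-4.21 (once per listed entry) and stays silent for mutt-1.2.5, which sits exactly at the boundary of its `<1.2.5` pattern; remove the second pine line and the overflow warning disappears with it, which is the point of keeping the file complete.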