Subject: Re: What to do about unfixed vulnerabilities?
To: Matthew Orgass <>
From: Alistair Crooks <>
List: tech-pkg
Date: 10/24/2000 04:48:48
On Mon, 23 Oct 2000 19:57:30 -0400 (EDT), Matthew Orgass wrote:

> On Mon, 23 Oct 2000, Steven M. Bellovin wrote:
> > More to the point, the general thrust of the comment -- that any
> > program with that many uses of known-dangerous functions -- is unlikely
> > to be correct applies on any host.
>
> Further, warning only about a denial of service attack when there is a
> known remote exploit is very misleading.  Pine builds should be disabled
> until there is some reason to believe that it is safe to use (as the
> comment says, not likely anytime soon). The security notice should say
> "don't use pine" and refer to as
> well as the comment.

I disagree - I am in no position to tell people what programs they must, or
must not, use. I am in a position to advise them on bad practices, however,
and that's why displays a warning when a vulnerable package is
installed, or the audit-packages script is run.

And to come to the defence of Hubert, the advisory he put in our
vulnerabilities file covered simply the Denial of Service one
(, not the buffer overflow one
that you reference. I should have found that one in my trawl through recent
advisories on the Security Focus web site when I was populating the
vulnerabilities file, but it evidently fell through my net. Apologies, mea
culpa, it's a fair cop, guv, you've got me bang to rights. 


PS. This whole pine thing has shown me one thing - the need for a package
like audit-packages, and a wish that we'd implemented something like this
long ago.

Alistair Crooks (

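The audit-packages idea discussed in this thread, shown as an added example rather than pkgsrc's own script: a small Python checker reads a vulnerabilities list, matches each installed package against it, and prints one warning per matching entry with the exploit class, so a denial-of-service entry and a separate remote-exploit entry for the same package both show up. The three-column file layout (package pattern, type of exploit, advisory URL), the glob and `name<version` pattern syntax, the installed-package list and the sample entries are all constructed assumptions for this example; the URLs are placeholders.

```python
"""
Toy audit-packages check (added example, not pkgsrc's code): compare
installed packages against a vulnerabilities file and report every
match together with its exploit class.
"""
import fnmatch
import re
from dataclasses import dataclass

# Constructed sample vulnerabilities file. The three-column layout is an
# assumption made for this example; advisory URLs are placeholders.
VULNERABILITIES = """\
# pattern            type-of-exploit     advisory
pine-4.2*            denial-of-service   https://example.invalid/pine-dos
pine<4.30            remote-user-access  https://example.invalid/pine-overflow
bind<8.2.2           remote-root-shell   https://example.invalid/bind
"""

# Constructed list of installed packages (name-version).
INSTALLED = ["pine-4.21", "bind-8.2.3", "vim-5.7"]


@dataclass
class Vuln:
    pattern: str
    kind: str
    url: str


def parse_vulnerabilities(text):
    """Parse the assumed three-column format, skipping blanks and comments."""
    vulns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed vulnerabilities line: {line!r}")
        vulns.append(Vuln(*parts))
    return vulns


def split_pkg(name):
    """'pine-4.21' -> ('pine', '4.21'); the last '-' separates name and version."""
    base, _, ver = name.rpartition("-")
    return base, ver


def version_key(ver):
    """Numeric-aware sort key so that '4.21' < '4.30' and '8.2.3' > '8.2.2'."""
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", ver):
        key.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return key


# Assumed comparison syntax: name<ver, name<=ver, name>ver, name>=ver.
_CMP = re.compile(r"^(?P<name>[^<>=]+)(?P<op><=|>=|<|>)(?P<ver>.+)$")


def matches(pattern, pkg):
    """True if the installed package falls under the vulnerability pattern."""
    name, ver = split_pkg(pkg)
    m = _CMP.match(pattern)
    if m:
        if m.group("name") != name:
            return False
        have, limit = version_key(ver), version_key(m.group("ver"))
        return {"<": have < limit, "<=": have <= limit,
                ">": have > limit, ">=": have >= limit}[m.group("op")]
    # Otherwise treat the pattern as a shell-style glob over name-version.
    return fnmatch.fnmatchcase(pkg, pattern)


def audit(installed, vulns):
    """Return (package, exploit-type, url) for every matching entry."""
    return [(pkg, v.kind, v.url)
            for pkg in installed for v in vulns if matches(v.pattern, pkg)]


def main():
    hits = audit(INSTALLED, parse_vulnerabilities(VULNERABILITIES))
    for pkg, kind, url in hits:
        print(f"Package {pkg} has a {kind} vulnerability, see {url}")
    if not hits:
        print("no vulnerable packages found")


if __name__ == "__main__":
    main()
```

Run as-is, the checker reports pine-4.21 twice: once for the denial-of-service glob entry and once for the `pine<4.30` remote-exploit entry. Keeping the exploit class as a separate column is what lets the warning say more than "vulnerable", which is the wording problem the thread is arguing about.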