Subject: Re: Not really an advocacy :-(
To: Ing.,BcA. Ivan Dolezal <>
From: Alistair Crooks <>
List: tech-security
Date: 06/21/2002 20:36:07
On Fri, Jun 21, 2002 at 06:34:53PM +0200, Ing.,BcA. Ivan Dolezal wrote:
> Hello,
> >>- "Package apache-1.3.24 has a remote-root-shell vulnerability"
> >> message from audit-packages
> >>Am I missing something?
> >
> >You're missing something - you quoted it above - the message from
> >audit-packages.
> >
> Unfortunately, I wasn't missing this - that's how I found out... I was 
> quoting my "daily insecurity report".
> My /etc/security.local surely contains:
> export ftp_proxy=
> if [ -x /usr/pkg/sbin/download-vulnerability-list ]; then
>         /usr/pkg/sbin/download-vulnerability-list
> fi
> if [ -x /usr/pkg/sbin/audit-packages ]; then
>         /usr/pkg/sbin/audit-packages
> fi
> My point was that at the moment when I found out about the problem, 
> Debian Linux people had already automatically installed DEB packages 
> with fixed SW... because they put apt-get update && apt-get upgrade in 
> their crontabs. *sigh*

I'm impressed that the Debian people managed to fix the hole quite so
quickly, especially because the fix, as published on bugtraq, didn't
close the hole. We had to wait for the official apache fix for the
hole to be closed.

As to the automatic installation of packages, I'd rather not go there.
(Admittedly, it sounds like you don't want to go there either)

I'm perfectly happy with the audit-packages script that we have, and
the vulnerability list, and would like to take this opportunity to
thank itojun for looking after this one in such a professional manner.