Subject: Re: What to do about unfixed vulnerabilities?
To: Matthew Orgass <darkstar@pgh.net>
From: Alistair Crooks <AlistairCrooks@excite.com>
List: tech-pkg
Date: 10/24/2000 04:48:48
On Mon, 23 Oct 2000 19:57:30 -0400 (EDT), Matthew Orgass wrote:

>  On Mon, 23 Oct 2000, Steven M. Bellovin wrote:
>  
>  > More to the point, the general thrust of the comment -- that any 
>  > program with that many uses of known-dangerous functions -- is unlikely
>  > to be correct applies on any host.
>  
>    Further, warning only about a denial of service attack when there is a
>  known remote exploit is very misleading.  Pine builds should be disabled
>  until there is some reason to believe that it is safe to use (as the
>  comment says, not likely anytime soon). The security notice should say
>  "don't use pine" and refer to http://www.securityfocus.com/bid/1709 as
>  well as the comment.

I disagree - I am in no position to tell people what programs they must, or
must not, use. I am in a position to advise them on bad practices, however,
and that's why bsd.pkg.mk displays a warning when a vulnerable package is
installed, or the audit-packages script is run.

And to come to the defence of Hubert, the advisory he put in our
vulnerabilities file covered simply the Denial of Service one
(http://www.securityfocus.com/advisories/2646), not the buffer overflow one
that you reference. I should have found that one in my trawl through recent
advisories on the Security Focus web site when I was populating the
vulnerabilities file, but it evidently fell through my net. Apologies, mea
culpa, it's a fair cop, guv, you've got me bang to rights. 

Regards,
Alistair

PS. This whole pine thing has shown me one thing - the need for a package
like audit-packages, and a wish that we'd implemented something like this
long ago.

--
Alistair Crooks (agc@pkgsrc.org)
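An audit in the spirit of the audit-packages check discussed above, added here as an example and not pkgsrc's own code: it assumes a three-field vulnerabilities file (package pattern, exploit type, advisory URL) and reports every matching entry for an installed package, worst first, so a package with both a denial-of-service and a remote overflow advisory is not reported as only the lesser one. The file contents, version thresholds and the severity ranking are constructed sample values.

```python
import re

# Constructed sample in the three-field layout assumed here:
# <package pattern> <type of exploit> <advisory URL>.
# Version thresholds are made-up sample values, not the real advisory ones.
VULNERABILITIES = """\
# pkg-vulnerabilities (constructed sample)
pine<4.30 denial-of-service http://www.securityfocus.com/advisories/2646
pine<4.30 remote-buffer-overflow http://www.securityfocus.com/bid/1709
mutt-1.2 local-file-overwrite http://example.invalid/advisory/placeholder
"""

# Rough severity order (assumed) so the audit leads with the worst finding.
SEVERITY = {"remote-buffer-overflow": 3, "local-file-overwrite": 2,
            "denial-of-service": 1}

def parse_version(v):
    return tuple(int(p) for p in re.findall(r"\d+", v))

def pattern_matches(pattern, pkgname):
    """Match 'name<ver' / 'name>=ver' style patterns or an exact 'name-ver'."""
    name, _, ver = pkgname.rpartition("-")
    m = re.fullmatch(r"([^<>=]+)(<=|>=|<|>)(.+)", pattern)
    if m is None:
        return pattern == pkgname
    pname, op, pver = m.groups()
    if pname != name:
        return False
    a, b = parse_version(ver), parse_version(pver)
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]

def load_vulnerabilities(text):
    """Skip blanks and comments; split each entry into its three fields."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(tuple(line.split(None, 2)))
    return entries

def audit(installed, vuln_text):
    """Return {pkg: [(kind, url), ...]} for every installed package that matches."""
    findings = {}
    entries = load_vulnerabilities(vuln_text)
    for pkg in installed:
        hits = [(kind, url) for pat, kind, url in entries if pattern_matches(pat, pkg)]
        if hits:
            hits.sort(key=lambda h: SEVERITY.get(h[0], 0), reverse=True)
            findings[pkg] = hits
    return findings
```

Feeding `audit(["pine-4.21", "mutt-1.2", "fetchmail-5.5"], VULNERABILITIES)` a constructed list of installed packages flags pine with both advisories, the overflow first, and leaves fetchmail alone.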