Re: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability
- To: "kernelclue@xxxxxxxxxxxx" <kernelclue@xxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability
- From: Nigel Houghton <nigel@xxxxxxxxxxxxxx>
- Date: Wed, 17 Sep 2003 10:13:46 -0400 (EDT)
Around Yesterday kernelclue@xxxxxxxxxxxx said:
k :OpenSSH runs on a number of platforms, Windows included. To say this
k :reflects on GNU/Linux or any Linux distro is just nonsense.
I don't think that's the point. Hopefully he's complaining in a humorous
manner about the number of notices sent to the list from various vendors
each time they fix a port/package or any other issue with the os.
I too get annoyed with these people, they should run their own security
notifications/announcements lists and inform their users they should sign
up to get notified of fixes/updates. Why any of them should need to spam
this list is beyond me, I have never seen an official M$ or *BSD security
update mail sent here. It's not just this list either, they send to quite
a number, Bugtraq being a prime example.
I would prefer they cease this practice, it would cut down on noise. Now
after contributing to the noise on the list, I'll shut up now.
k :
k :On Tue, 16 Sep 2003 11:29:30 -0700 Dave Monk <dave@xxxxxxxxxxxxxxx> wrote:
k :>Recent security advisories featuring the operating system known as
k :>'GNU/Linux' (formerly minix) has had a negative effect on the
k :>listserv.
k :>
k :>The problem stems from the polymorphic, virus-like phenomenon also
k :>known as the 'Linux distro', the Linux distro allows any single
k :>permutation of a base Linux install (such as location of the mail
k :>spool) to actually qualify and require an entire new operating
k :>system distribution. At this point in time there are over 50
k :>distros out there.
k :>
k :>The cascade failure effect is that the minute a hole or flaw in a
k :>base Linux subsystem such as the kernel or system tools immediately
k :>causes a flood of 'vendor' emails sent to bugtraq describing each
k :>way to disable/upgrade the broken feature on their OS.
k :>
k :>The effect is that the 'signal to stupid-linux-bug ratio' on the
k :>lists gets completely out of whack thereby diluting the utility
k :>of the list.
k :>
k :>Solutions:
k :>
k :> None. (how do you expect to stop a tidal wave of suicidal VC money?)
k :>
k :>Workarounds:
k :>
k :>1) All advisories should be filtered through RMS, which would achieve
k :> the desired effect of delaying their posting indefinitely.
k :>2) All such advisories should be prefixed by '[YASLB]' in the subject line
k :> (yet another stupid linux bug) so I can filter this stupid crap.
k :>
k :>thanks,
k :>everyone
k :>
k :>
k :>bugzilla@xxxxxxxxxx (bugzilla@xxxxxxxxxx) wrote:
k :>> -----BEGIN PGP SIGNED MESSAGE-----
k :>> Hash: SHA1
-------------------------------------------------------------
Nigel Houghton Security Research Engineer Sourcefire Inc.
Vulnerability Research Team
"Mankind hasn't even got the technology to create a toupee
that doesn't get big laughs." -- Lister
Message dated: Sep 17
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html