Date: Fri, 3 Jul 1998 23:22:58 +0100
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: SECURITY: RedHat: The saga continues
Hi,
Well, when a post has the title "redhat: the saga continues", I feel
obliged to respond in case public opinion is being influenced.
The reason for the recent slew of RedHat errata updates, is a new
_proactive_ search for security holes, headed by some rather clueful
people of the LSAP (Linux Security Audit Project). [see below]
Of especial note, most of the holes we find are _generic holes_, affecting
most Linux distributions. Some holes are _very_ generic holes, affecting
*BSD (including sometimes OpenBSD), and Sun's Solaris appears to be
affected by a lot of stuff we find. We welcome feedback from any other
systems!
RedHat should be praised for their rapid security updates. For example I
don't see other vendors rushing to release official updates for the
commonly used bootp and dhcp packages, both of which have remote root
holes in them.
Before anyone levels accusations of hoarding security fixes to
ourselves... please note that co-ordinating this audit beast is tricky.
The project is young and still a bit disorganised. No-one has the
"official" role of trying to get our finds publicised. However a few of us
appear to have good communications going with OpenBSD, Debian linux, and
possibly even a contact in Sun.
Of course, most of our holes found (with clearly segregated patches too,
aren't you lucky) are elaborated on in RedHat's errata update packages.
I'm sure people/organisations will agree the minor time needed to check
these updates, usually clearly labelled "SECURITY", is nothing compared
with risking shipping very vulnerable daemons, etc. Just to emphasize the
point I'll grumble at the people who accused OpenBSD of not sharing
security fixes, when they have their uptodate CVS tree completely
browseable on the web!
Finally I'll risk telling you the address of our audit mailing list.
Before even _thinking_ of subscribing, know that it's fairly high volume,
and is NOT packed with sploits/holes. It's more general discussion. We
like to post and discuss bits of dubious code and/or principles. We also
like to discuss which open-source packages need a bit of source auditing,
then get someone to volunteer to take a look.
First, the _unsubscribe_ address. The amount of morons that can't work our
unsubscribe is amazing.
security-audit-unsubscribe@ferret.lmh.ox.ac.uk
To subscribe:
security-audit-subscribe@ferret.lmh.ox.ac.uk
To post:
security-audit@ferret.lmh.ox.ac.uk
And finally, again, _please_ don't join unless you're actually interested
in improving security through better coding practices or analysing/fixing
up code. We're an audit list not a "sploit of the day" or "help how do i
secure/hack/fix a system" list.
Cheers
Chris
