Re: [suse-security] WU-FTPD vunrability
Gentlemen, Well about this whining, I think the problem is that this mailing list should not be a bugtraq replacement! If you want to know about wuftpd security holes, and patches, then that's where to get them from. Otherwise only SUSE specific stuff should be posted here!!
It's a waste of time getting messages that ask about a specific piece of software, when you can go to the software's home page and download the patches yourself!!!
AND PS. This happens to be the most sorted out Linux distribution out there, well.. so far!
By the power of /sbin/init.d :) May you all live long and prosper...
I think you missed the point of the complaint. The question wasn't about whether wu-ftpd was vulnerable. It was vulnerable and the information was widely announced. The fix was announced right away, too. All major distributions had the fixed versions available in a day or two, too. The question was, when would SuSe supply the fixed version.
Yes, I can go get it and compile. But, what's the point of having rpm's then? If I start compiling and replacing all the packages, how much time will it take the next time I want to do a major system upgrade?
Another and more important point is the general trust I have in SuSe's handling of security issues. I have recently switched to SuSe. For the time being, I am running the ftp server behind a firewall internally. So, it isn't a real problem yet. But, I am evaluating to switch my other servers which are open to the outside with SuSe, too. And, things like this don't give me a lot of confidence.
In short, this is SuSe specific.
Regards,
Selcuk
Selcuk Ozturk, MIS Deputy Director
FDCH, 1100 Mercantile Lane, Ste 119, Largo, MD 20774
Phone : (301)883-2482
Fax : (301)883-9754
E-mail : sozturk@fdch.com
I wholeheartedly DISagree with that statement. SuSE, like many Linux vendors, pre-patches lots of their stuff before it goes out the door. Just because BugTraq announces a bug in CyberWidget 2.0.1 doesn't mean that the CyberWidget 2.0.1 that I got from SuSE contains that bug, because frequently they'll have patched the bug BEFORE it got pressed to their disks. Also, applications such as Apache, where SuSE includes added functionality, would be lost in that manner (since it wouldn't have all the mod_* stuff added if I just fetch it from Apache).
I understand your point, and it is well taken (people should be subscribed to BugTraq as well), but SuSE should - when a BugTraq item appears in a SuSE distribution - post something to the effect of: This program is/is-not affected. The newest RPM with the bugfix (and with any SuSE-specific patches/enhancements) can be found at <url>.
My $0.02 worth...
D
At 06:10 PM 11/9/99 +0000, Omar Al-Sakka wrote:
Gentlemen, Well about this whining, I think the problem is that this mailing list should not be a bugtraq replacement! If you want to know about wuftpd security holes, and patches, then that's where to get them from. Otherwise only SUSE specific stuff should be posted here!!
It's a waste of time getting messages that ask about a specific piece of software, when you can go to the software's home page and download the patches yourself!!!
AND PS. This happens to be the most sorted out Linux distribution out there, well.. so far!
By the power of /sbin/init.d :) May you all live long and prosper...
On Tue, 9 Nov 1999, Derek Balling wrote:
I understand your point, and it is well taken (people should be subscribed to BugTraq as well), but SuSE should - when a BugTraq item appears in a SuSE distribution - post something to the effect of: This program is/is-not affected. The newest RPM with the bugfix (and with any SuSE-specific patches/enhancements) can be found at <url>.
I agree. I believe that SuSE should release details about vulnerabilities
affecting SuSE installations. And I thought that was what this mailing
list was. If SuSE won't do this, then perhaps, we should get together as
users, and create a list that does what we want. Could someone from SuSE
please inform me of the purpose of this list if it is not to inform users
about security problems affecting them.
cog
-- ,------------------------------,
,==================| S H U N A N T I O N L I N E |=================,
| David M. Webster '------------------------------' (aka cogNiTioN) |
|===| I use Linux everyday to up my productivity - so up yours! |===|
|=================|-| PGP KeyID: 0x 45 FA C2 83 |-|=================|
cogNiTioN wrote:
I agree. I believe that SuSE should release details about vulnerabilities affecting SuSE installations. And I thought that was what this mailing list was. If SuSE won't do this, then perhaps, we should get together as users, and create a list that does what we want. Could someone from SuSE please inform me of the purpose of this list if it is not to inform users about security problems affecting them.
cog
quite new to this list, eh? from a mail i got from this list on 1st of sept.
looks like it was exactly what you were craving - it's a pity that
nowadays no one cares for netiquette or tries to inform himself about
things _before_ talking about them ... if i ever withdraw from the
internet that would be a good reason why ...
---snip---
Subject: [suse-security] SuSE Security Announcement
Date: 1 Sep 1999 11:33:57 +0200
From: "Thomas Biege"
On Wed, 10 Nov 1999, Johann G. Hautzinger wrote:
quite new to this list, eh? from a mail i got from this list on 1st of sept.
looks like it was exactly what you were craving - it's a pity that nowadays no one cares for netiquette or tries to inform himself about things _before_ talking about them ... if i ever withdraw from the internet that would be a good reason why ...
I am well aware that some announcements are posted to this list, I was
just curious as to why details about the fix for the "WU-FTPD vunrability"
were not posted, as I thought that was one of the purposes of this list.
In his post Thomas Biege says this problem has been fixed, and won't
happen again. That is a good enough solution for me.
I am curious to know what, exactly, I did that violates any agreed
netiquette rules.
A message was posted to this list indicating that an announcement had not
been made on the "WU-FTPD vunrability", and since when I signed up for
this list (around August time), the web page gave me the impression that
security announcements would be made here, I queried if this was still
being done. It now seems that the WU_FTPD was an anomaly, not the norm.
While on the subject of netiquette, I think any further 'flames' (if they
can be called that) for my post should be taken off list, as it appears
this problem has been resolved.
cog
-- ,------------------------------,
,==================| S H U N A N T I O N L I N E |=================,
| David M. Webster '------------------------------' (aka cogNiTioN) |
|===| I use Linux everyday to up my productivity - so up yours! |===|
|=================|-| PGP KeyID: 0x 45 FA C2 83 |-|=================|
Hi,
I understand your point, and it is well taken (people should be subscribed to BugTraq as well), but SuSE should - when a BugTraq item appears in a SuSE distribution - post something to the effect of: This program is/is-not affected. The newest RPM with the bugfix (and with any SuSE-specific patches/enhancements) can be found at <url>.
I agree. I believe that SuSE should release details about vulnerabilities affecting SuSE installations. And I thought that was what this mailing list was. If SuSE won't do this, then perhaps, we should get together as users, and create a list that does what we want. Could someone from SuSE please inform me of the purpose of this list if it is not to inform users about security problems affecting them.
The main purpose of this list is to let users discuss security stuff related to SuSE linux (or other dist.s). We post out announcements on suse-security-announce@, this list and sometimes on bugtraq. The Security Team didn't release the wu-ftpd advisory, because of an internal decision. I'm not happy with this but fortunately this won't happen again.
Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
participants (6)
- cogNiTioN
- Derek Balling
- Johann G. Hautzinger
- Omar Al-Sakka
- Selcuk Ozturk
- Thomas Biege