Hi,

Well, when a post has the title "redhat: the saga continues", I feel obliged to respond in case public opinion is being influenced.

The reason for the recent slew of RedHat errata updates is a new _proactive_ search for security holes, headed by some rather clueful people of the LSAP (Linux Security Audit Project). [see below]

Of especial note, most of the holes we find are _generic holes_, affecting most Linux distributions. Some holes are _very_ generic holes, affecting *BSD (including sometimes OpenBSD), and Sun's Solaris appears to be affected by a lot of stuff we find. We welcome feedback from any other systems!

RedHat should be praised for their rapid security updates. For example, I don't see other vendors rushing to release official updates for the commonly used bootp and dhcp packages, both of which have remote root holes in them.

Before anyone levels accusations of hoarding security fixes to ourselves... please note that co-ordinating this audit beast is tricky. The project is young and still a bit disorganised. No-one has the "official" role of trying to get our finds publicised. However, a few of us appear to have good communications going with OpenBSD, Debian Linux, and possibly even a contact in Sun. Of course, most of the holes we found (with clearly segregated patches too, aren't you lucky) are elaborated on in RedHat's errata update packages.

I'm sure people/organisations will agree the minor time needed to check these updates, usually clearly labelled "SECURITY", is nothing compared with risking shipping very vulnerable daemons, etc.

Just to emphasize the point, I'll grumble at the people who accused OpenBSD of not sharing security fixes, when they have their up-to-date CVS tree completely browseable on the web!

Finally, I'll risk telling you the address of our audit mailing list. Before even _thinking_ of subscribing, know that it's fairly high volume, and is NOT packed with sploits/holes. It's more general discussion. We like to post and discuss bits of dubious code and/or principles. We also like to discuss which open-source packages need a bit of source auditing, then get someone to volunteer to take a look.

First, the _unsubscribe_ address. The number of morons that can't work our unsubscribe is amazing.

security-audit-unsubscribeat_private

To subscribe: security-audit-subscribeat_private

To post: security-auditat_private

And finally, again, _please_ don't join unless you're actually interested in improving security through better coding practices or analysing/fixing up code. We're an audit list, not a "sploit of the day" or "help how do I secure/hack/fix a system" list.

Cheers,
Chris
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:03 PDT