Subject: Re: another TCPDump update question (going slightly off-topic)
From: D J Hawkey Jr (hawk...@visi.com)
Date: Mar 24, 2003 9:02:00 am
On Mar 24, at 10:00 AM, Jacques A. Vidrine wrote:
> On Mon, Mar 24, 2003 at 09:30:21AM -0600, D J Hawkey Jr wrote:
> > On Mar 24, at 09:14 AM, Jacques A. Vidrine wrote:
> > > You didn't miss anything. There won't be a security advisory for this issue.
> >
> > Without insulting anyone, may I ask why not? tcpdump is included in the base/standard OS, after all, and so is libpcap, which appears to be related.
> >
> > IIRC, there have been SAs for DOS vulnerabilities before. What or where is the line for what is or is not eligible for a SA?
>
> Well, there are no hard-n-fast rules. It's a judgement call. We generally limit SAs to those issues that we deem `important', so as not to devalue them. (c.f. The Boy Who Cried Wolf)

I can appreciate this, yes. Might it not be worth a SN, though?

> You're right: there have been SAs for remote DoSs before. In this case, both the circumstances that could lead to this remote DoS, and especially the impact of the bug, are so minimal as to not be worth updating your system.
I'll defer to your judgement on this; I don't know how easy this hole is to exploit. But if you'll indulge me, I'm thinking of a larger picture that this might illustrate:
www.tcpdump.org shows a new libpcap "to go with" the updated tcpdump. They don't say a vulnerability was in libpcap, but if so, a quick scan of userland shows that pppd is linked to libpcap. By inference, I would think kernel-mode PPP falls in line with this, too. Now, there's a rather big "if" here, but if true, would this then qualify as worthy of a SA? As an aside, isn't BPF also tied to libpcap?
I guess what my bigger concern is, is how much a diligent SysAdmin should have to scan external entities to be up on vulnerabilities of utilities that are part of the base/standard OS. My gut feeling is, "None; the Project should inform the user base.", but that may be too high a bar for what is essentially a for-free product. If my feeling is wrong, then I have to wonder if these utilities that are not "truly BSD" shouldn't be in the ports collection, and removed from the base?
Having said all this, I do in fact applaud you and your team for what you do provide, considering it's all done gratis.
Thanks for listening,
Dave
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
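The "quick scan of userland" the poster mentions (finding which installed binaries, such as pppd, are linked against libpcap) is the step a sysadmin would repeat for any library that turns out to have a bug. The script below is an added example written for this thread; it is not code from the original poster or from the FreeBSD project. It reads the DT_NEEDED entries directly out of each file's ELF dynamic segment rather than shelling out to ldd, so nothing in the scanned tree is executed. It assumes ELF executables (as FreeBSD and Linux use); the default directory list and the sample ELF image built by `build_sample_elf()` are constructed for illustration and are not real system binaries.

```python
"""Scan a tree of installed binaries for anything dynamically linked
against a given shared library, by reading DT_NEEDED out of each file's
ELF dynamic segment.  Nothing in the scanned binary is executed.

Added example for this thread; not code from the original poster or the
FreeBSD project.  Assumes ELF executables; the directory list and the
sample ELF image below are constructed for illustration only.
"""
import os
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def parse_needed(data):
    """Return the DT_NEEDED names of the ELF image in `data`, or None if it
    is not ELF or has no dynamic segment (static binary, script, ...)."""
    if len(data) < 6 or data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    if len(data) < (64 if is64 else 52):
        return None                          # shorter than the ELF header
    if is64:
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)

    loads, dynamic = [], None
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + (56 if is64 else 32) > len(data):
            return None                      # truncated or corrupt header
        if is64:
            p_type, _fl, p_off, p_vaddr, _pa, p_filesz = struct.unpack_from(end + "IIQQQQ", data, base)
        else:
            p_type, p_off, p_vaddr, _pa, p_filesz = struct.unpack_from(end + "IIIII", data, base)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return None

    # Walk the dynamic table: collect DT_NEEDED string offsets and DT_STRTAB.
    entsize, fmt = (16, end + "qQ") if is64 else (8, end + "iI")
    off, limit = dynamic[0], min(dynamic[0] + dynamic[1], len(data))
    needed_offsets, strtab_vaddr = [], None
    while off + entsize <= limit:
        tag, val = struct.unpack_from(fmt, data, off)
        off += entsize
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed_offsets.append(val)
        elif tag == DT_STRTAB:
            strtab_vaddr = val
    if strtab_vaddr is None:
        return []

    # DT_STRTAB is a virtual address; map it to a file offset via PT_LOAD.
    strtab_off = None
    for seg_vaddr, seg_off, seg_filesz in loads:
        if seg_vaddr <= strtab_vaddr < seg_vaddr + seg_filesz:
            strtab_off = strtab_vaddr - seg_vaddr + seg_off
    if strtab_off is None:
        return []
    names = []
    for o in needed_offsets:
        nul = data.find(b"\0", strtab_off + o)
        if nul != -1:
            names.append(data[strtab_off + o:nul].decode("latin-1"))
    return names


def elf_needed(path):
    """parse_needed() for a file on disk; None for unreadable/non-ELF files."""
    try:
        with open(path, "rb") as f:
            head = f.read(4)
            if head != b"\x7fELF":
                return None
            return parse_needed(head + f.read())
    except OSError:
        return None


def find_dependents(library, dirs):
    """Map path -> DT_NEEDED list for every regular file under `dirs` that
    needs a library whose soname starts with `library` (e.g. 'libpcap')."""
    hits = {}
    for d in dirs:
        for root, _sub, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue                 # symlinks would only duplicate hits
                needed = elf_needed(path)
                if needed and any(n.startswith(library) for n in needed):
                    hits[path] = needed
    return hits


def build_sample_elf():
    """Constructed minimal ELF64 image (not a real binary) whose dynamic
    segment names libpcap.so.2 and libc.so.5, used to exercise the parser."""
    strtab = b"\0libpcap.so.2\0libc.so.5\0"   # 24 bytes, placed at offset 176
    base, strtab_off, dyn_off = 0x400000, 176, 200
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in (
        (DT_NEEDED, 1), (DT_NEEDED, 14), (DT_STRTAB, base + strtab_off), (DT_NULL, 0)))
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                         base + dyn_off, len(dyn), len(dyn), 8)
    return ehdr + phdrs + strtab + dyn


def needed_of_self():
    """DT_NEEDED of the running interpreter (None on non-ELF platforms)."""
    return elf_needed(sys.executable)


if __name__ == "__main__":
    lib = sys.argv[1] if len(sys.argv) > 1 else "libpcap"
    dirs = sys.argv[2:] or ["/sbin", "/usr/sbin", "/bin", "/usr/bin"]
    for path, needed in sorted(find_dependents(lib, dirs).items()):
        print(path, "->", ", ".join(needed))
```

Run it as `python3 scan.py libpcap /sbin /usr/sbin /usr/bin` to list the dependents along with everything else each one needs. Matching on the soname prefix rather than an exact name catches every installed major version; statically linked binaries, and kernel modules, carry no DT_NEEDED entries and are not found this way.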