 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Brian McKerr <brian at mckerrs dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Security Announcements
 Date:  Fri, 27 Aug 2004 02:19:36 -0400
It should probably be made standard practice (and it may already be)
that a mailing goes out to the -announce list for any security
vulnerabilities in the system.

If this is the policy, IMHO, it should be stated on the website.  And
I think it would be good to put a recommendation to subscribe to the
list on the download page.

Fred is right, the vast majority of security problems are not going to
be applicable to this system because of the way it is implemented and
used.  It doesn't have a whole lot of packages on it, and most every
FreeBSD security problem of late is only exploitable if you are logged
in locally.  Since you can't really get a full blown shell on
m0n0wall, that almost certainly eliminates those problems.  (and if
somebody managed to hack in and get a shell on your firewall, you have
way more problems than a locally exploitable DoS)

I really think this should be made a policy because a decent portion
of m0n0wall users may not be able to determine how a vulnerability
affects the distribution, if at all, like many of the rest of us can.

-Chris  


On Fri, 27 Aug 2004 14:52:04 +1000, Brian McKerr <brian at mckerrs dot net> wrote:
> Hello all,
> 
>     I've searched the archives list and could not find anything related
> to this.
> 
> my questions are.......
> 
> how does the m0n0wall community get notified of any security fixes?
> how are these fixes/patches released etc, are we expected to use the
> beta versions in production? if that is where the patches are applied.
> As m0n0 is based on FreeBSD are we (users) expected to keep up to date
> with those security announcements and determine if they are applicable?
> If so, that's cool.
> 
> I am slightly surprised that there are apparently no bugs in m0n0 or at
> least none have been announced.
> 
> Brian.