Dire warnings, what is the problem?

jerrypr

Active Member
Jan 12, 2004
28
0
151
Hi,

I'm as security aware as the next person, and I actually pay attention to security. However, the "RED BOX" warnings leave lots to be desired as far as information is concerned.

"A Security hole has been discovered..." No further info, no way to assess what the threat is, or how serious. No real info whatsoever, actually. A click box shows up and the "upgrade" will fix it.

Maybe I'm just an old school admin, but shouldn't there be a clickable link telling you what is up there? I like to know what the problem is, really.

Just wondering if anybody else had comments or suggestions about this.

Thanks,
J.
 

jerrypr
Originally posted by thaphantom
look at the change log
I'm not sure where I'd look for this, to be honest.

However, for software that I pay for, I expect that the people I'm paying can provide a little more explanation than what is in the blurb right now, which is none at all. Even a "more details" line linked to the changelog would be appreciated.

I'm not asking for huge bells and whistles, but a link to a paragraph or two would be much more helpful.

I'm not even unwilling to dig a bit, but until your post back I didn't even realize there _was_ a changelog publicly available. And I don't think that digging should be needed ... there is plenty of info on bugfixes, just not security issues.

Thanks for your pointer though.

J.
 

jerrypr
Originally posted by thaphantom
:-/ the changelog is on the front page of your WHM...
Ah, ok. No info there for security problems. :(

All it says is that there is a problem. It could be a DoS, a remote root exploit, or something much less severe, but I can't even guess. If my OS has a problem, they fill out a detailed CERT report, as well as a mailing that goes to a mailing list, telling me what the compromise is, what it does, what needs to be patched, and what version is ok to run. This is software written as Open Source and maintained by volunteers; I would hope that for a commercial offering, this would be the minimum that would be done.
 

jerrypr
Originally posted by thaphantom
It really depends on the issue. If they explain the exploit there anyone can get it and start cracking cpanel servers... not a good idea.
Hmm. Sounds like "security by obscurity" to me.
I've heard this argument before, but having run lots of software and having had lots of CERT alerts and critical patches that I've applied, I'd say the argument is pretty ineffectual. There are technical and business decisions that have to be made about when and how to apply patches, and without good information it's hard to assess what needs to be done.


Doing dumb crap ass like that Rob Brown and releasing info to the public just creates panic and gets servers hacked. If you look in the change log there is always a small ver of what was changed:

Resolve a secuity problem with mod_php (apache recompile required)
Wouldn't it be nice if someone actually emailed [email protected]
before posting to bugtraq?

or an older one:

CRITICAL exim security update

It lets you know what was affected, but not direct details.
While I agree the developers should be given a heads up, what you're saying is that this information above actually contains information?

I recall that "CRITICAL" exim security update. I went to CERT, nothing there; I visited the EXIM website, no recent updates. It doesn't take a genius to figure out that this is cPanel configuration or customization related.

After a patch has been put together, it is very important that users ACTUALLY KNOW what the severity of the problem is. If bind, apache, exim, mailman, or any number of other underlying pieces of software have a security problem, I can find out EXACTLY what the issue is, and determine a course of action. Not a high level summary, not "critical bugfix in bind".

Something like "Bind has a vulnerability which opens it to attack from a local user running the rndc binary. This allows them to take on the privileges of the bind user, and typically write to the bind files". This provides detailed information about the problem, without providing a roadmap of what to do. It also allows for a few courses of action, if updating isn't possible for whatever reason immediately.

Thanks,
J.