The Community Forums

Interact with an entire community of cPanel & WHM users!

Dire warnings, what is the problem?

Discussion in 'General Discussion' started by jerrypr, Jun 24, 2004.

  1. jerrypr

    jerrypr Active Member

    Joined:
    Jan 12, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    I'm as security aware as the next person, and I actually pay attention to security. However, the "RED BOX" warnings leave lots to be desired as far as information is concerned.

    "A Security hole has been discovered..." No further info, no way to assess what the threat is, or how serious. No real info whatsoever, actually. A click box shows up and the "upgrade" will fix it.

    Maybe I'm just an old school admin, but shouldn't there be a clickable link telling you what is up there? I like to know what the problem is, really.

    Just wondering if anybody else had comments or suggestions about this.

    Thanks,
    J.
     
  2. picoyak

    picoyak Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
  3. jerrypr

    jerrypr Active Member

    I'm not sure where I'd look for this, to be honest.

    However, for software that I pay for, I expect that the people I'm paying can provide a little more explanation than what is in the blurb right now, which is none at all. Even a "more details" line linked to the changelog would be appreciated.

    I'm not asking for huge bells and whistles, but a link to a paragraph or two would be much more helpful.

    I'm not even unwilling to dig a bit, but until your post back I didn't even realize there _was_ a changelog publicly available. And I don't think that digging should be needed ... there is plenty of info on bugfixes, just not security issues.

    Thanks for your pointer though.

    J.
     
  4. jerrypr

    jerrypr Active Member

    Ah, ok. No info there for security problems. :(

    All it says is that there is a problem. It could be a DoS, a remote root exploit, or something much less severe, but I can't even guess. If my OS has a problem, they fill out a detailed CERT report, as well as a mailing that goes to a mailing list, telling me what the compromise is, what it does, what needs to be patched, and what version is OK to run. This is software written as Open Source and maintained by volunteers; I would hope that for a commercial offering this would be the minimum that would be done.
     
  5. jerrypr

    jerrypr Active Member

    Hmm. Sounds like "security by obscurity" to me.
    I've heard this argument before, but having run lots of software and having had lots of CERT alerts and critical patches that I've applied, I'd say the argument is pretty ineffectual. There are technical and business decisions that have to be made about when and how to apply patches, and without good information it's hard to assess what needs to be done.

    While I agree the developers should be given a heads up, what you're saying is that this information above actually contains information?

    I recall that "CRITICAL" exim security update. I went to CERT, nothing there; I visited the EXIM website, no recent updates. It doesn't take a genius to figure out that this is cPanel configuration or customization related.

    After a patch has been put together, it is very important that users ACTUALLY KNOW what the severity of the problem is. If bind, apache, exim, mailman, or any number of other underlying pieces of software have a security problem, I can find out EXACTLY what the issue is, and determine a course of action. Not a high level summary, not "critical bugfix in bind".

    Something like "Bind has a vulnerability which opens it to attack from a local user running the rndc binary. This allows them to take on the privileges of the bind user, and typically write to the bind files". This provides detailed information about the problem, without providing a roadmap of what to do. It also allows for a few courses of action, if updating isn't possible for whatever reason immediately.

    Thanks,
    J.
     