There are three topics in this post:
1) I recently decided to use CERT advisories on a regular basis to maintain
security at my site, and a question immediately arose: advisories are
published via email or news; what prevents any cracker to publish a fake
advisory, giving a recommendation that when applied will in fact weaken
security (e.g. binary patch removing authentication from a server)?
2) I just realized that my SunOS 4.1.3 tar restores file owners that were
used in creating the archive; this allows any user to create whatever
root-owned file he wants in his directories. (suid bits aren't restored,
though!). Is this known as a security problem? It does provides a "chown"
capability to unprivileged users, which I really don't like...
3) When I found the problem, I went to a CERT ftp archive, searched old
advisory titles for the string "tar", and found nothing. I there any
other archive I should consult?
Thanks in advance!