From: Jacques Vidrine
Organization: The FreeBSD Project
Date: Wed, 23 Mar 2005 09:06:16 -0600
To: John Nemeth
Cc: freebsd-hackers@freebsd.org
Subject: Re: security or lack thereof
Message-ID: <424185E8.4000305@FreeBSD.org>
In-Reply-To: <200503230304.j2N34R97020359@vtn1.victoria.tc.ca>
On 3/22/05 9:04 PM, John Nemeth wrote:

> So, is it FreeBSD policy to ignore security bug reports? I sent
> the following bug report to security@freebsd.org on Feb. 19th, 2005 and
> it still hasn't been acted on. This total lack of action on an
> extremely simple (and silly) three year old bug doesn't give one the
> warm fuzzies. Heck, it took 48 hours to get a response from a security
> officer, and another 24 hours to get something from the guilty
> developer.

Hi John,

I'm sorry for the delay. I could give you a list of excuses, but suffice it to say that the "simple (and silly)" bug had lower priority than several other issues in our queue. We should have sent you a status update, though: that's my fault. Better late than never, I hope?

Initially we believed the bug was more serious than you had reported, since it has an evil side-effect (sets pw_uid to 0). However, we discovered that due to a second bug the impact was limited. Saved by dumb luck (^_^).

Anyway, as you might know, we are in a code freeze for 5.4. Coincidentally, just yesterday we asked the Release Engineering team for (and received) permission to apply a fix for 5.4-RELEASE. So you will see the issue addressed shortly. The correct fix is a bit more subtle than that suggested in your original message.

I guess I should also mention that we've discussed removing rexec/rexecd entirely (for 6.x releases), since it has been deprecated for over 6 years, and the documentation has discouraged its use for over 11 years.

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org