From owner-freebsd-security@FreeBSD.ORG Fri Mar 4 13:28:21 2005
From: "Devon H. O'Dell" <dodell@sitetronics.com>
To: mike@sentex.net, deraadt@cvs.openbsd.org, freebsd-security@freebsd.org, security-officer@dragonflybsd.org
Organization: SiteTronics
Date: Fri, 04 Mar 2005 14:28:15 +0100
Message-Id: <1109942895.3926.71.camel@localhost.localdomain>
Subject: Re: Fwd: FreeBSD hiding security stuff
List-Id: Security issues [members-only posting]

On Fri, 2005-03-04 at 07:58 -0500, Mike Tancsa wrote:
> FYI
>
>
> >To: misc@openbsd.org
> >Subject: FreeBSD hiding security stuff
> >Date: Fri, 04 Mar 2005 03:51:42 -0700
> >From: Theo de Raadt
> >
> >A few FreeBSD developers apparently have found some security issue
> >of some sort affecting i386 operating systems in some cases.
> >
> >They have refused to give us real details.
> >
> >A promise is now being made.
> >
> >If a bug is found in OpenSSH, which we believe to have security
> >consequences, we will inform FreeBSD last.
> >
> >Fair is fair.
> >
> >I really wish it was not this way, but after a week of trying to get the
> >policy to be fixed, we are changing our policy as well.
> >
> >Without immediate action from them to repair their policy, and a public
> >apology for this, that policy will stand.

DragonFly received this email as well; we were also not given details,
which is somewhat disturbing, to be honest. I haven't said anything about
this until now because I didn't want to cause a disturbance, but obviously
one has been caused.

Everyone who knows me from DragonFly knows that I am quite the DragonFly
diplomat: I really don't tolerate FUD about FreeBSD. As a person who also
contributes to FreeBSD (yes, I contribute to both projects), I really have
to say that I find this strange. It would be okay if we were given a
timeframe, but there was no information. The `advisory' consisted of the
following:

`On May 13th at BSDCan I will be publishing a local information-disclosure
vulnerability which affects multiple operating systems running on x86
hardware. I'm not sure if your OS is affected; can you tell me the state of
your SMP support on the x86 platform?'

Matt (Dillon) replied stating that the aforementioned `advisory' wasn't
enough information to "go on." We (security-officer@dragonflybsd.org) were
told that we'd receive the paper after it was confirmed that DragonFly is
affected. Matt asked if it was related to a certain issue. The response was
"No." This seems vague. This `advisory' was received by us last Saturday.

So, before we get a huge ruckus about Theo being totally unreasonable, let's
have a little bit of information about why this vulnerability isn't being
disclosed to the security teams of other projects.

I think that it's pretty unreasonable that we're not getting more
information. We can't even confirm that we're affected because we have
nothing to go on. For these reasons, I don't think Theo is being terribly
unreasonable.

I don't want to start a holy war here, just present the facts before a
million misinformed subscribers to security@ start flaming OpenBSD and
Theo.

Kind regards,
Devon H. O'Dell