From: Damien Fleuriot
Date: Fri, 23 Dec 2011 17:42:13 +0100
To: John Baldwin
Cc: freebsd-stable@freebsd.org
Subject: Re: FLAME - security advisories on the 23rd? uncool idea is uncool
Message-ID: <4EF4AF65.7010404@my.gd>
In-Reply-To: <201112231139.26613.jhb@freebsd.org>
References: <4EF4A75C.2040609@my.gd> <201112231139.26613.jhb@freebsd.org>

On 12/23/11 5:39 PM, John Baldwin wrote:
> On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
>> Hey up list,
>>
>> Look, just a rant here.
>>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today?
>>
>> I mean, couldn't this have waited and remained undisclosed until Monday?
>>
>> I for one do *NOT* relish the idea of updating 50+ boxes this evening
>> and tomorrow!
>>
>> Not to mention a whole lot of merchants and banks toggled IT Freeze
>> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
>> production changes.
>>
>> Seriously, this is just irritating.
>
> From an e-mail sent to security@ from the security officer:
>
> Hi all,
>
> No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes
> aren't deceiving you: We really did just send out 5 security advisories.
>
> The timing, to put it bluntly, sucks. We normally aim to release advisories on
> Wednesdays in order to maximize the number of system administrators who will be
> at work already; and we try very hard to avoid issuing advisories any time close
> to holidays for the same reason. The start of the Christmas weekend -- in some
> parts of the world it's already Saturday -- is absolutely not when we want to be
> releasing security advisories.
>
> Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
> is a remote root vulnerability which is being actively exploited in the wild;
> bugs really don't come any worse than this. On the positive side, most people
> have moved past telnet and on to SSH by now; but this is still not an issue we
> could postpone until a more convenient time.
>
> While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a
> rather messy fix involving adding a new interface to libc; this has the awkward
> side effect of causing the sizes of some "symbols" (aka. functions) in libc to
> change, resulting in cascading changes into many binaries. The long list of
> updated files is irritating, but isn't a sign that anything in freebsd-update
> went wrong.
>

At least they're aware the timing sucks completely and feel as sorry as us. Ty John.