From owner-freebsd-security@FreeBSD.ORG Wed Oct 12 13:44:45 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B895516A41F for ; Wed, 12 Oct 2005 13:44:45 +0000 (GMT) (envelope-from roth@droopy.unibe.ch)
Received: from mailhub03.unibe.ch (mailhub03.unibe.ch [130.92.9.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9DBE743D46 for ; Wed, 12 Oct 2005 13:44:44 +0000 (GMT) (envelope-from roth@droopy.unibe.ch)
Received: from localhost (scanhub03.unibe.ch [130.92.254.67]) by mailhub03.unibe.ch (Postfix) with ESMTP id A25332187F; Wed, 12 Oct 2005 15:44:42 +0200 (CEST)
Received: from mailhub03.unibe.ch ([130.92.9.70]) by localhost (scanhub03.unibe.ch [130.92.254.67]) (amavisd-new, port 10024) with LMTP id 19100-19-94; Wed, 12 Oct 2005 15:44:40 +0200 (CEST)
Received: from asterix.unibe.ch (asterix.unibe.ch [130.92.64.4]) by mailhub03.unibe.ch (Postfix) with ESMTP id D233F213BF; Wed, 12 Oct 2005 15:44:40 +0200 (CEST)
Received: from droopy.unibe.ch (droopy [130.92.64.20]) by asterix.unibe.ch (8.12.10+Sun/8.12.10) with ESMTP id j9CDiedB018218; Wed, 12 Oct 2005 15:44:40 +0200 (MEST)
Received: (from roth@localhost) by droopy.unibe.ch (8.12.10+Sun/8.12.9/Submit) id j9CDieLc017865; Wed, 12 Oct 2005 15:44:40 +0200 (MEST)
Date: Wed, 12 Oct 2005 15:44:40 +0200
From: Tobias Roth
To: jere
Message-ID: <20051012134440.GA17517@droopy.unibe.ch>
Mail-Followup-To: jere , freebsd-security@freebsd.org
References: <200510111202.j9BC2obf081876@freefall.freebsd.org> <434CBDC2.4070405@open-networks.net> <434CE0F1.6090400@htnet.hr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <434CE0F1.6090400@htnet.hr>
User-Agent: Mutt/1.4i
X-message-flag: Warning! Using Outlook is insecure and promotes virus distribution. Please use a different email client.
X-Virus-checked: by University of Berne
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 12 Oct 2005 13:44:45 -0000

On Wed, Oct 12, 2005 at 12:09:53PM +0200, jere wrote:

[snip]

> And there lies another problem. In large environments it is also
> difficult to manage package security issues. The problem is that an
> updated port tree does not necessarily just fix the security issue; it
> often also bumps the version of the affected package, something not
> always needed in production and most often avoided. The first concern
> of production (enterprise or not) should be stability.

If your primary concern is stability, don't upgrade the port. If your
primary concern is security, then upgrade it. If you want both, be
prepared to do extra work (i.e. testing the upgrade on a staging system
before deployment).

> For example, one can use a build server to quickly build new packages,
> but that package may be automatically bumped to a newer version, with
> the security issue patched and new features added. Currently FreeBSD
> admins don't have a clear choice to manage only ports security issues,
> but I think it's primarily due to a lack of port maintainers.

You cannot expect a system where all security fixes can be automatically
applied without disrupting the stability of the environment. If you want
to be sure nothing breaks, you will have to test it in your specific
environment, period. And you cannot expect the port maintainers to
backport security fixes if the upstream provider chose to release the fix
only together with a new version.

cheers, t.