From owner-freebsd-bugs Fri Aug 16 12:30:09 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Date: Fri, 16 Aug 2002 12:30:03 -0700 (PDT)
Message-Id: <200208161930.g7GJU3fw055807@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: John Polstra
Subject: Re: kern/41552: TCP timers' sysctl's overflow
Reply-To: John Polstra
Sender: owner-freebsd-bugs@FreeBSD.ORG

The following reply was made to PR kern/41552; it has been noted by GNATS.

From: John Polstra
To: serkoon@thedarkside.nl
Cc: bug-followup@freebsd.org
Subject: Re: kern/41552: TCP timers' sysctl's overflow
Date: Fri, 16 Aug 2002 12:21:58 -0700 (PDT)

In article <200208152100.g7FL04jL011288@freefall.freebsd.org>, serkoon wrote:

> >Note, I don't think the fix referenced in this PR should be merged
> >into the security branches anyway, since it is not security related.
>
> Imo a bug which makes a host vulnerable to a DoS attack by using up
> all available sockets/file descriptors -is- a security bug. I guess you'll
> agree on that.

Yes, but this one only happens when you use a rather unusual kernel
configuration. You could set NMBCLUSTERS to 5, and that would open up a
DoS attack too. But I don't think FreeBSD's urgent-security-fixes branch
should address either of those potential problems.

> Then, why don't you feel that way in this particular occasion? Is it that
> there just aren't many people around with HZ set at 1000 or up, so this
> bug, although it may be a security bug, isn't that important because
> there are many higher prioritized things to fix?

It's not a matter of priorities. It's just that the purpose of the
security branches is to achieve maximum stability by including only the
most essential security-related fixes. The more stuff you put into those
branches, the less stable they will become. We have seen that in real
life in the -stable branches, and in fact that is the reason the security
branches were created in the first place.

In this case I believe you should either maintain the patch locally until
4.7 comes out (October 1), or else follow the -stable branch rather than
the security branch.

John
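The PR this thread follows up on is titled "TCP timers' sysctl's overflow" and the trigger discussed is a kernel built with HZ at 1000 or above. The message does not spell out the arithmetic, so the following is an added illustration of the general bug class, not FreeBSD's code or the patch from the PR: it assumes (as an illustration only) that a timer configured in seconds is multiplied by hz to get a tick count that is then stored in an int. The function names `wrapped_ticks` and `checked_ticks` and the sample values are constructed for this example.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Illustration of the overflow class, not FreeBSD's timer code.
 * Assumption for this example: a timer value expressed in seconds is
 * converted to scheduler ticks as seconds * hz and kept in an int.
 * Raising hz (e.g. HZ=1000 instead of the default) multiplies the tick
 * count tenfold, so a limit that fitted at HZ=100 can exceed INT_MAX.
 */

/* Unchecked conversion: the product is computed in 32-bit unsigned
 * arithmetic (avoiding signed-overflow UB) and then squeezed into an int,
 * which is how a wrapped, negative timer value ends up in a sysctl slot. */
int wrapped_ticks(long seconds, long hz)
{
    unsigned int product = (unsigned int)seconds * (unsigned int)hz;
    return (int)product;  /* on two's-complement targets a large product comes out negative */
}

/* Checked conversion: returns the tick count, or -1 when seconds * hz
 * would not fit in an int. The division form avoids computing the
 * overflowing product at all. */
long checked_ticks(long seconds, long hz)
{
    if (seconds < 0 || hz <= 0)
        return -1;
    if (seconds > INT_MAX / hz)   /* product would exceed INT_MAX */
        return -1;
    return seconds * hz;          /* guaranteed <= INT_MAX here */
}

/* Stand-alone demo: the same 3,000,000-second timer at HZ=100 versus HZ=1000. */
int main(void)
{
    long secs = 3000000;          /* constructed sample value for the demo */
    printf("HZ=100:  wrapped=%d checked=%ld\n", wrapped_ticks(secs, 100), checked_ticks(secs, 100));
    printf("HZ=1000: wrapped=%d checked=%ld\n", wrapped_ticks(secs, 1000), checked_ticks(secs, 1000));
    return 0;
}
```

A sysctl handler that stores the checked result would reject the out-of-range setting with an error instead of silently installing a negative or tiny timeout, which is the kind of input validation that keeps a high-HZ build from misbehaving regardless of whether the fix is merged into a given branch.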