From owner-freebsd-security Sun Nov 19 19:52: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 0020937B479; Sun, 19 Nov 2000 19:51:46 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: New security policy for FreeBSD 3.x
Reply-To: security-advisories@freebsd.org
Message-Id: <20001120035146.0020937B479@hub.freebsd.org>
Date: Sun, 19 Nov 2000 19:51:46 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The FreeBSD Security Officer would like to announce a change in policy regarding security support for the FreeBSD 3.x branch.

Due to the frequent difficulties encountered in fixing the old code contained in FreeBSD 3.x, we will no longer be requiring security problems to be fixed in that branch prior to the release of an advisory that also pertains to FreeBSD 4.x. In recent months this requirement has led to delays in the release of advisories, which negatively impacts users of the current FreeBSD release branch (FreeBSD 4.x).

Security fixes which are committed to FreeBSD 3.5.1-STABLE prior to the advisory release will be included in the advisory, but the advisory release will not be delayed awaiting a fix in the 3.x branch when a fix is already in place in FreeBSD 4.x. Serious vulnerabilities will result in a reissue of the advisory once the problem is corrected in 3.5.1-STABLE. For less serious vulnerabilities a notification will be sent to the freebsd-security@FreeBSD.org mailing list only, to reduce overall subscriber traffic on the freebsd-security-notifications and freebsd-announce mailing lists.

We will continue endeavouring to ensure that applicable security fixes are merged back to the 3.x branch by FreeBSD developers, and to work with them to develop or merge the appropriate fix prior to the advisory release, however as the 3.x branch is approaching end of life we anticipate that there may be an increasing time lag between the time of fix of a vulnerability in 4.x and when it is backported to 3.x. Given this reality, users are encouraged to consider plans to migrate security-critical systems to the 4.x branch over the coming months.

FreeBSD committers who are interested in providing security support for older branches of FreeBSD should contact the Security Officer and they will be kept informed of fixes which require merging to the older branches.

Comments on this policy are welcomed - please reply to security-officer@FreeBSD.org.

Regards,

Kris Kennaway
FreeBSD Security Officer