From: Glen Barber
To: Mason Loring Bliss
Cc: freebsd-security@freebsd.org
Date: Thu, 13 Aug 2015 21:15:29 +0000
Subject: Re: Quarterly packages and security updates...

On Thu, Aug 13, 2015 at 05:01:29PM -0400, Mason Loring Bliss wrote:
> On Thu, Aug 13, 2015 at 08:40:23PM +0000, Glen Barber wrote:
>
> > [info@ removed, not sure why that email address was included.]
>
> I'm hoping for pressure from above, as this is an important step that's
> evidently being taken without quarterly branch security being bumped up in
> priority. It seems to come as a surprise to many folks, and certainly I
> wasn't aware of it until last week. (Also, board@ is now deprecated.)
>

"Putting pressure" isn't the role of the Foundation.

Quarterly package builds happen every few days (two, if I remember
correctly), and as I was writing this reply, an updated package set for
10.x i386 was made available.

So the appropriate steps are to contact the committer that resolved
a vulnerable port in the latest branch to remind them to also fix it in
the quarterly branch, and failing that, contact ports-secteam@ (similar
to how one would report an issue in the base system to secteam@).

Glen