Date:      Thu, 18 Feb 2016 04:02:26 +1100
From:      Kubilay Kocak <koobs@FreeBSD.org>
To:        Warren Block <wblock@wonkity.com>, Eric van Gyzen <vangyzen@FreeBSD.org>
Cc:        Kurt Jaeger <lists@opsec.eu>, Shawn Webb <shawn.webb@hardenedbsd.org>, "O. Hartmann" <ohartman@zedat.fu-berlin.de>, freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: CVE-2015-7547: critical bug in libc
Message-ID:  <0a7bd64c-59c5-8298-3773-660d832d7cde@FreeBSD.org>
In-Reply-To: <alpine.BSF.2.20.1602170919240.44372@wonkity.com>
References:  <20160217142410.18748906@freyja.zeit4.iv.bundesimmobilien.de> <20160217134003.GB57405@mutt-hardenedbsd> <20160217135028.GR26283@home.opsec.eu> <alpine.BSF.2.20.1602170713560.44372@wonkity.com> <56C496AC.8000200@FreeBSD.org> <alpine.BSF.2.20.1602170919240.44372@wonkity.com>

On 18/02/2016 3:51 AM, Warren Block wrote:
> On Wed, 17 Feb 2016, Eric van Gyzen wrote:
> 
>> On 02/17/2016 08:19, Warren Block wrote:
>>> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>>>
>>>> A short note on the www.freebsd.org website would probably be helpful,
>>>> as this case will produce a lot of noise.
>>>
>>> Maybe a short article like we did for leap seconds?
>>> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>>>
>>>
>>
>> Articles are permanent, which makes sense for the recurring issue of
>> leap seconds.  This vulnerability is transient, so I would suggest a
>> news item.
> 
> Yes, but news items are usually just links.  For the amount of
> information we have so far, an article seems like the easiest way to do
> this.  Or maybe an addition to the security part of the web site?
> 
> For now, I'll collect the information as just text.

Don't we also want our sec teams to investigate/confirm it anyway,
independent of how it's communicated?

If so, doesn't a security advisory (with secteam and/or ports-secteam as
appropriate) make the most sense here, given the scope of vulnerability
for base/linux emulation/ports is yet to be completely established and
is still to be investigated properly?

Finally, would users expect a news item, an article or a heads up from
our security teams for something like this, even in the case where it's
only a "confirmed we're not affected"?

./koobs
