From owner-freebsd-current@freebsd.org Wed Feb 17 17:02:36 2016
Subject: Re: CVE-2015-7547: critical bug in libc
From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
To: Warren Block, Eric van Gyzen
Cc: Kurt Jaeger, Shawn Webb, "O. Hartmann", freebsd-current
Date: Thu, 18 Feb 2016 04:02:26 +1100
Message-ID: <0a7bd64c-59c5-8298-3773-660d832d7cde@FreeBSD.org>
References: <20160217142410.18748906@freyja.zeit4.iv.bundesimmobilien.de>
 <20160217134003.GB57405@mutt-hardenedbsd>
 <20160217135028.GR26283@home.opsec.eu>
 <56C496AC.8000200@FreeBSD.org>
List-Id: Discussions about the use of FreeBSD-current

On 18/02/2016 3:51 AM, Warren Block wrote:
> On Wed, 17 Feb 2016, Eric van Gyzen wrote:
>
>> On 02/17/2016 08:19, Warren Block wrote:
>>> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>>>
>>>> A short note on the www.freebsd.org website would probably be helpful,
>>>> as this case will produce a lot of noise.
>>>
>>> Maybe a short article like we did for leap seconds?
>>> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>>>
>>
>> Articles are permanent, which makes sense for the recurring issue of
>> leap seconds. This vulnerability is transient, so I would suggest a
>> news item.
>
> Yes, but news items are usually just links. For the amount of
> information we have so far, an article seems like the easiest way to do
> this. Or maybe an addition to the security part of the web site?
>
> For now, I'll collect the information as just text.

Don't we also want our sec teams to investigate/confirm it anyway,
independent of how it's communicated?

If so, doesn't a security advisory (with secteam and/or ports-secteam as
appropriate) make the most sense here, given the scope of vulnerability
for base/linux emulation/ports is yet to be completely established and is
still to be investigated properly?

Finally, would users expect a news item, an article or a heads up from our
security teams for something like this, even in the case where it's only a
"confirmed we're not affected"?

./koobs