From owner-freebsd-current@freebsd.org Wed Feb 17 17:23:40 2016
Date: Wed, 17 Feb 2016 10:23:38 -0700 (MST)
From: Warren Block
To: Kubilay Kocak
cc: Eric van Gyzen, Kurt Jaeger, Shawn Webb, "O. Hartmann", freebsd-current
Subject: Re: CVE-2015-7547: critical bug in libc
In-Reply-To: <0a7bd64c-59c5-8298-3773-660d832d7cde@FreeBSD.org>
References: <20160217142410.18748906@freyja.zeit4.iv.bundesimmobilien.de> <20160217134003.GB57405@mutt-hardenedbsd> <20160217135028.GR26283@home.opsec.eu> <56C496AC.8000200@FreeBSD.org> <0a7bd64c-59c5-8298-3773-660d832d7cde@FreeBSD.org>
User-Agent: Alpine 2.20 (BSF 67 2015-01-07)
List-Id: Discussions about the use of FreeBSD-current

On Thu, 18 Feb 2016, Kubilay Kocak wrote:

> On 18/02/2016 3:51 AM, Warren Block wrote:
>> On Wed, 17 Feb 2016, Eric van Gyzen wrote:
>>
>>> On 02/17/2016 08:19, Warren Block wrote:
>>>> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>>>>
>>>>> A short note on the www.freebsd.org website would probably be helpful,
>>>>> as this case will produce a lot of noise.
>>>>
>>>> Maybe a short article like we did for leap seconds?
>>>> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>>>
>>> Articles are permanent, which makes sense for the recurring issue of
>>> leap seconds. This vulnerability is transient, so I would suggest a
>>> news item.
>>
>> Yes, but news items are usually just links. For the amount of
>> information we have so far, an article seems like the easiest way to do
>> this. Or maybe an addition to the security part of the web site?
>>
>> For now, I'll collect the information as just text.
>
> Don't we also want our sec teams to investigate/confirm it anyway,
> independent of how it's communicated?

Absolutely.
> If so, doesn't a security advisory (with secteam and/or ports-secteam as
> appropriate) make the most sense here, given the scope of vulnerability
> for base/linux emulation/ports is yet to be completely established and
> is still to be investigated properly?

Have there been security advisories for unconfirmed or not-actually-a-problem events before? My impression was that they have only been announced when a problem exists and action needs to be taken.

However, a real problem *does* exist for Linux VMs and applications on FreeBSD, so it could be addressed that way. A "we are investigating" advisory right now could do some good, if the protocols allow it.

> Finally, would users expect a news item, an article or a heads up from
> our security teams for something like this, even in the case where it's
> only a "confirmed we're not affected" ?

A news item linking to an "it's not us!" advisory would be no problem. People have to go looking for that. Those who are subscribed to the security mailing list will receive those notices directly, and because those are expected to be problems that need to be addressed immediately, it might cause some initial palpitations as if it were an actual problem with FreeBSD.