Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 17 Feb 2016 10:23:38 -0700 (MST)
From:      Warren Block <wblock@wonkity.com>
To:        Kubilay Kocak <koobs@FreeBSD.org>
Cc:        Eric van Gyzen <vangyzen@FreeBSD.org>, Kurt Jaeger <lists@opsec.eu>, Shawn Webb <shawn.webb@hardenedbsd.org>, "O. Hartmann" <ohartman@zedat.fu-berlin.de>, freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: CVE-2015-7547: critical bug in libc
Message-ID:  <alpine.BSF.2.20.1602171004130.44372@wonkity.com>
In-Reply-To: <0a7bd64c-59c5-8298-3773-660d832d7cde@FreeBSD.org>
References:  <20160217142410.18748906@freyja.zeit4.iv.bundesimmobilien.de> <20160217134003.GB57405@mutt-hardenedbsd> <20160217135028.GR26283@home.opsec.eu> <alpine.BSF.2.20.1602170713560.44372@wonkity.com> <56C496AC.8000200@FreeBSD.org> <alpine.BSF.2.20.1602170919240.44372@wonkity.com> <0a7bd64c-59c5-8298-3773-660d832d7cde@FreeBSD.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 18 Feb 2016, Kubilay Kocak wrote:

> On 18/02/2016 3:51 AM, Warren Block wrote:
>> On Wed, 17 Feb 2016, Eric van Gyzen wrote:
>>
>>> On 02/17/2016 08:19, Warren Block wrote:
>>>> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>>>>
>>>>> A short note on the www.freebsd.org website would probably be helpful,
>>>>> as this case will produce a lot of noise.
>>>>
>>>> Maybe a short article like we did for leap seconds?
>>>> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>>>>
>>>>
>>>
>>> Articles are permanent, which makes sense for the recurring issue of
>>> leap seconds.  This vulnerability is transient, so I would suggest a
>>> news item.
>>
>> Yes, but news items are usually just links.  For the amount of
>> information we have so far, an article seems like the easiest way to do
>> this.  Or maybe an addition to the security part of the web site?
>>
>> For now, I'll collect the information as just text.
>
> Don't we also want our sec teams to investigate/confirm it anyway,
> independent of how it's communicated?

Absolutely.

> If so, doesn't a security advisory (with secteam and/or ports-secteam as
> appropriate) make the most sense here, given the scope of vulnerability
> for base/linux emulation/ports is yet to be completely established and
> is still to be investigated properly?

Have there been security advisories for unconfirmed or 
not-actually-a-problem events before?  My impression was that they have 
only been announced when a problem exists and action needs to be taken.

However, a real problem *does* exist for Linux VMs and applications on 
FreeBSD, so it could be addressed that way.  A "we are investigating" 
advisory right now could do some good, if the protocols allow it.

> Finally, would users expect a news item, an article or a heads up from
> our security teams for something like this, even in the case where it's
> only a "confirmed we're not affected" ?

A news item linking to a "it's not us!" advisory would be no problem. 
People have to go looking for that.

Those who are subscribed to the security mailing list will receive those 
notices directly, and because those are expected to be problems that 
need to be addressed immediately, it might cause some initial 
palpitations as if it were an actual problem with FreeBSD.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.20.1602171004130.44372>