Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 18 Feb 2016 05:21:09 +1100
From:      Kubilay Kocak <koobs@FreeBSD.org>
To:        Warren Block <wblock@wonkity.com>
Cc:        Eric van Gyzen <vangyzen@FreeBSD.org>, Kurt Jaeger <lists@opsec.eu>, Shawn Webb <shawn.webb@hardenedbsd.org>, "O. Hartmann" <ohartman@zedat.fu-berlin.de>, freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: CVE-2015-7547: critical bug in libc
Message-ID:  <2a6f9be2-fe6c-f844-6fec-dcdbb5f7da0d@FreeBSD.org>
In-Reply-To: <alpine.BSF.2.20.1602171004130.44372@wonkity.com>
References:  <20160217142410.18748906@freyja.zeit4.iv.bundesimmobilien.de> <20160217134003.GB57405@mutt-hardenedbsd> <20160217135028.GR26283@home.opsec.eu> <alpine.BSF.2.20.1602170713560.44372@wonkity.com> <56C496AC.8000200@FreeBSD.org> <alpine.BSF.2.20.1602170919240.44372@wonkity.com> <0a7bd64c-59c5-8298-3773-660d832d7cde@FreeBSD.org> <alpine.BSF.2.20.1602171004130.44372@wonkity.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On 18/02/2016 4:23 AM, Warren Block wrote:
> On Thu, 18 Feb 2016, Kubilay Kocak wrote:
> 
>> On 18/02/2016 3:51 AM, Warren Block wrote:
>>> On Wed, 17 Feb 2016, Eric van Gyzen wrote:
>>>
>>>> On 02/17/2016 08:19, Warren Block wrote:
>>>>> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>>>>>
>>>>>> A short note on the www.freebsd.org website would probably be
>>>>>> helpful,
>>>>>> as this case will produce a lot of noise.
>>>>>
>>>>> Maybe a short article like we did for leap seconds?
>>>>> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>>>>>
>>>>>
>>>>>
>>>>
>>>> Articles are permanent, which makes sense for the recurring issue of
>>>> leap seconds.  This vulnerability is transient, so I would suggest a
>>>> news item.
>>>
>>> Yes, but news items are usually just links.  For the amount of
>>> information we have so far, an article seems like the easiest way to do
>>> this.  Or maybe an addition to the security part of the web site?
>>>
>>> For now, I'll collect the information as just text.
>>
>> Don't we also want our sec teams to investigate/confirm it anyway,
>> independent of how it's communicated?
> 
> Absolutely.
> 
>> If so, doesn't a security advisory (with secteam and/or ports-secteam as
>> appropriate) make the most sense here, given the scope of vulnerability
>> for base/linux emulation/ports is yet to be completely established and
>> is still to be investigated properly?
> 
> Have there been security advisories for unconfirmed or
> not-actually-a-problem events before?  My impression was that they have
> only been announced when a problem exists and action needs to be taken.

This "No SA, no problem" pattern is reasonable for default case, and the
vast majority of issues. This glibc issue, like heartbleed and others
may be sufficiently high-profile to warrant special treatment, even if
not in "SA" form.

> However, a real problem *does* exist for Linux VMs and applications on
> FreeBSD, so it could be addressed that way.  A "we are investigating"
> advisory right now could do some good, if the protocols allow it.
> 
>> Finally, would users expect a news item, an article or a heads up from
>> our security teams for something like this, even in the case where it's
>> only a "confirmed we're not affected" ?
> 
> A news item linking to a "it's not us!" advisory would be no problem.
> People have to go looking for that.
> 
> Those who are subscribed to the security mailing list will receive those
> notices directly, and because those are expected to be problems that
> need to be addressed immediately, it might cause some initial
> palpitations as if it were an actual problem with FreeBSD.

Yup, and let me make clear an out-there-in-the-world distinction between
'an advisory by freebsd security people ' and a FreeBSD "SA" the
implementation format.

./koobs



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2a6f9be2-fe6c-f844-6fec-dcdbb5f7da0d>