From: Peter Pentchev <roam@ringlet.net>
To: freebsd@critesclan.com
Cc: freebsd-security@freebsd.org
Date: Thu, 7 Aug 2003 18:23:17 +0300
Subject: Re: versions and up-to-date...
Message-ID: <20030807152317.GB49999@straylight.oblivion.bg>
References: <20030807125705.GO358@straylight.oblivion.bg>

On Thu, Aug 07, 2003 at 09:49:42AM -0500, freebsd@critesclan.com wrote:
> On Thu, Aug 07, 2003 at some time lost in the quoting, I wrote:
> > On Thu, Aug 07, 2003 at 08:50:56AM -0400, Francisco Reyes wrote:
> > > On Wed, 6 Aug 2003, Jacques A. Vidrine wrote:
> > > >
> > > > Sounds like you cvsup'd RELENG_4, not RELENG_4_8.
> > >
> > > I went back to the handbook to read the difference between these two.
> > > If I understand correctly, RELENG_4 is basically the latest of the 4.X
> > > branch. The RELENG_# are basically only security patches for a particular
> > > 4.# release. Do I understand it correctly?
> >
> > If you meant RELENG_4_# where you said RELENG_#, then yes, this is
> > correct. The RELENG_4 branch was not affected, since shortly after
> > FreeBSD 4.8-RELEASE was out, a new version of realpath(3) was imported
> > into the tree, and it did not have this problem.
> >
> > Thus, if you have a reasonably recent -STABLE (you seem to, since you
> > mention realpath.c rev. 1.9.2.2), there's nothing to fear - not for
> > this problem, at least.
>
> This is not really a security-related issue, but since we're talking about
> releases and such, it kind of ties in. I do a CVSup every week, using the
> "tag=." method. It is my assumption that I am getting the
> latest-and-greatest version, so I'm on the bleeding edge of the 5.X system.
> Is that correct?

Yes, that is correct; of course, this also means that you are liable to
get hit at any time by any temporary instability in the couple of hours
or days before it is fixed (this is -CURRENT, after all), but I'd say
that the new features, development and bugfixes kind of offset that
danger.. most of the time :)

> Further, I assume that as soon as any security patch is
> available, I will get it as well, since I'm keeping up-to-date with the
> latest-and-greatest.

Yes. Actually, if you update your system regularly, you'll probably get
the fix well *before* the time it is announced.

This is in some degree also true for those who track -STABLE (RELENG_4
for the present, RELENG_4 and RELENG_5 in the near future): security
fixes are backported relatively quickly, and are given some (not much,
but still some) time to be "shaken out" - tested by the early adopters
around the world - before they are merged into the real security
branches and announced. This time is usually on the order of a day or
three, sometimes only a couple of hours, and sometimes it may be more,
depending on the particular problem and the way its disclosure is
coordinated with the other OS and software vendors.

This is just my opinion as a FreeBSD user. Maybe I should not really be
the one to comment on this - if I've messed things up horribly, the
Security Officer team should feel free to put me straight :)

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@sbnd.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Thit sentence is not self-referential because "thit" is not a word.
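As an added illustration (not part of the thread or of any FreeBSD documentation), a CVSup supfile showing how the `tag=` line selects which of the three branches discussed above a weekly update tracks; the mirror host and base/prefix paths are assumed placeholders:

```text
# Added example supfile, not from the thread. Host and paths are assumed.
*default host=cvsup.example.org
*default base=/var/db
*default prefix=/usr
*default delete use-rel-suffix

# Choose exactly one release tag; the other two are left commented out.
# Security branch for 4.8: receives only the fixes that are announced.
*default release=cvs tag=RELENG_4_8

# -STABLE (tip of the 4.x branch): fixes are backported here first and
# "shaken out" before being merged into RELENG_4_8 and announced.
# *default release=cvs tag=RELENG_4

# -CURRENT (5.x development head): the "tag=." method from the thread.
# *default release=cvs tag=.

src-all
```

A system that was meant to follow the security branch but has `tag=RELENG_4` ends up on -STABLE, which is exactly the mix-up Jacques Vidrine points out at the top of the quoted exchange.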