Date: Mon, 14 Sep 2009 23:01:47 -0400
From: Michael Powell <nightrecon@hotmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Message-ID: <h8n01k$r5e$1@ger.gmane.org>
References: <4AAE95B2.5050409@sitpub.com> <A4D00AA2-BB73-4767-8054-F8E0B9112C53@olivent.com> <4AAEB763.6060709@infracaninophile.co.uk>

Matthew Seaman wrote:

> Mikel King wrote:
>
>> Hasn't 6.x been End Of Lifed? I mean considering that 8.0 is expected to
>> be released either later this month or early next, and 6.x will be
>> officially retired at that time, is it possible that this was
>> overlooked? Personally I don't think it's ever good to overlook
>> security, especially in the case of a root exploit.
>
> Nope. 6.3 (RELENG_6_3) will be supported until at least 31 January 2010
> while 6.4 (RELENG_6_4) and 6-STABLE (RELENG_6) will be supported until at
> least 30 November 2010 by the Security team.
>
> There are no more releases planned from the RELENG_6 branch, but that's
> not the same as 'unsupported' -- patches and advisories will be issued
> until the dates listed, and quite usually beyond that.
>

Quoted from ~freebsd.security.general:

"The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
was not recognized as security vulnerability."

So if the bug no longer exists in the non-EOL 6.3/6.4 there is nothing to
fix. Seems to me this is more about not getting due credit and a writer who
doesn't grok.

The posting to security was a forward done by another individual, since the
original discoverer notified the FreeBSD Foundation instead of the security
team. Since the FreeBSD Foundation is largely administrative and not the
correct entity to notify, it is not surprising they did not reply.

The writer sounds like he is attempting to spin the SNAFU into a "they knew
about a security vulnerability and did nothing..." story. Self-serving for
him, headline-grabbing and sensationalist for sure, but not true as it was
quickly addressed at the time.

This is water under the bridge and a writer flogging a dead horse.

-Mike