From owner-freebsd-security  Wed Jul 11 15:49: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138])
	by hub.freebsd.org (Postfix) with ESMTP
	id A136337B405; Wed, 11 Jul 2001 15:48:56 -0700 (PDT)
	(envelope-from dima@unixfreak.org)
Received: from hornet.unixfreak.org (hornet [63.198.170.140])
	by bazooka.unixfreak.org (Postfix) with ESMTP
	id B97183E31; Wed, 11 Jul 2001 15:48:52 -0700 (PDT)
To: Kris Kennaway <kris@obsecurity.org>
Cc: "Jacques A. Vidrine" <n@nectar.com>,
	Jason DiCioccio <jdicioccio@epylon.com>,
	"'security@freebsd.org'" <security@freebsd.org>, kris@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01: 
In-Reply-To: <20010711114459.B86556@xor.obsecurity.org>; from kris@obsecurity.org on "Wed, 11 Jul 2001 11:44:59 -0700"
Date: Wed, 11 Jul 2001 15:48:52 -0700
From: Dima Dorfman <dima@unixfreak.org>
Message-Id: <20010711224852.B97183E31@bazooka.unixfreak.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Kris Kennaway <kris@obsecurity.org> writes:
> On Wed, Jul 11, 2001 at 10:46:09AM -0500, Jacques A. Vidrine wrote:
> > On Tue, Jul 10, 2001 at 06:59:57PM -0700, Dima Dorfman wrote:
> > > Jason DiCioccio <jdicioccio@epylon.com> writes:
> > > > So then I'm guessing this has been 3.5-STABLE is not vulnerable?
> > > > Just want to be sure :-)
> > >
> > > What makes you say that?  The necessary fix isn't present in RELENG_3,
> > > and I doubt that there's something else which hides the issue. 
> >
> > I haven't  double-checked, but it looks  like this bug was  enabled by
> > revision  1.54  of  src/sys/kern/kern_fork.c (allowing  shared  signal
> > handlers  with  rfork).   That   would  include  3.1-RELEASE  and  all
> > following releases.
> 
> As was announced several months ago, we are no longer requiring
> security fixes for locally exploitable vulnerabilities under RELENG_3,
> only network-exploitable vulnerabilities.

Right, I saw the announcement and totally agree with it; you have
enough work to do as it is.  Does this mean, however, that individual
developers or contributers can't fix the holes after the advisory?
I.e., is there any reason why I shouldn't apply the patch to RELENG_3?

					Dima Dorfman
					dima@unixfreak.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message