From owner-freebsd-questions@FreeBSD.ORG Tue Sep 15 08:17:12 2009
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
    by hub.freebsd.org (Postfix) with ESMTP id 3473B1065670
    for ; Tue, 15 Sep 2009 08:17:12 +0000 (UTC)
    (envelope-from przemyslaw@frasunek.com)
Received: from lagoon.freebsd.lublin.pl (lagoon.freebsd.lublin.pl [193.138.118.3])
    by mx1.freebsd.org (Postfix) with ESMTP id E865B8FC18
    for ; Tue, 15 Sep 2009 08:17:11 +0000 (UTC)
Received: from [193.138.118.99] (ip-193-138-118-99.nette.pl [193.138.118.99])
    by lagoon.freebsd.lublin.pl (Postfix) with ESMTPSA id B32FAC54C11
    for ; Tue, 15 Sep 2009 09:59:51 +0200 (CEST)
Message-ID: <4AAF4927.3070203@frasunek.com>
Date: Tue, 15 Sep 2009 09:58:31 +0200
From: Przemyslaw Frasunek
Organization: frasunek.com
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-2
Content-Transfer-Encoding: 7bit
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 15 Sep 2009 08:17:12 -0000

Giorgos Keramidas wrote:
> Przemyslaw should email security-officer with any details he thinks are
> relevant. Then the security team will make sure to fix the bug for all
> affected releases of FreeBSD, release a patch with the fix, issue an
> advisory through the usual channels, and post the details online at our
> security information web pages at .

I see that I received a lot of criticism after disclosing the 6.4 vulnerability.
Please read some facts:

I sent a few mails: on 29th Aug to the security team, on 2nd Sep and 11th Sep
directly to the security officer. None of them were responded to.
I haven't filed any PRs, because it would disclose details of the vulnerability
to the public and allow blackhats to exploit it. I won't publish anything more
than the video before an official security advisory. The exploit is private to
me and it won't be given to the "community".

Michael Powell wrote:
> Quoted from ~freebsd.security.general:
> "The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
> was not recognized as security vulnerability."

This is another bug. The former one affected only 6.1, this one affects
everything up to 6.4-STABLE.