From: Giorgos Keramidas
To: Przemyslaw Frasunek
Cc: freebsd-questions@freebsd.org
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Date: Tue, 15 Sep 2009 21:54:11 +0800
Message-ID: <877hw0mhz0.fsf@kobe.laptop>
In-Reply-To: <4AAF4927.3070203@frasunek.com>

On Tue, 15 Sep 2009 09:58:31 +0200, Przemyslaw Frasunek wrote:
> Giorgos Keramidas wrote:
>> Przemyslaw should email security-officer with any details he thinks are
>> relevant. Then the security team will make sure to fix the bug for all
>> affected releases of FreeBSD, release a patch with the fix, issue an
>> advisory through the usual channels, and post the details online at our
>> security information web pages at .
>
> I see that I received a lot of criticism after disclosing 6.4 vulnerability.
> Please read some facts:
>
> I send few mails: on 29th Aug to security team, on 2nd Sep and 11th Sep directly
> to security officer. None of them were responded. I haven't filled any PRs,
> because it would disclose details of vulnerability to the public and allow
> blackhats to exploit it.
>
> I won't publish anything more than video, before official security advisory. The
> exploit is private to me and it won't be given to the "community".

Hi Przemyslaw,

What I wrote is not criticism for what you have or might have not done.
I now know (after posting the initial message) that the security officer
is preparing a fix and an advisory, so my response was more like ``this
is the usual way of handling this sort of thing''. The wording was a bit
careful to avoid implying that you didn't know or were not prepared to
do what is appropriate :)