From: Jerry
To: freebsd-questions@freebsd.org
Date: Tue, 15 Sep 2009 10:49:12 -0400
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Message-ID: <20090915104912.1cac505a@scorpio.seibercom.net>
In-Reply-To: <20090915071826.a273c4fa.wmoran@potentialtech.com>

On Tue, 15 Sep 2009 07:18:26 -0400
Bill Moran wrote:

> Mel Flynn wrote:
> >
> > On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, illoai@gmail.com wrote:
> > > > Am 2009/9/14 Dan Goodin writhed:
> > > > > Hello,
> > > > >
> > > > > Dan Goodin, a reporter at technology news website The
> > > > > Register. Security researcher Przemyslaw Frasunek says
> > > > > versions 6.x through 6.4 of FreeBSD has a security bug. He
> > > > > says he notified the FreeBSD Foundation on August 29 and
> > > > > never got a response. We'll be writing a brief article about
> > > > > this. Please let me know ASAP if someone cares to comment.
> > > >
> > > > Has anyone submitted a PR about this?
> > >
> > > Przemyslaw Frasunek has PR's posted but none recent. IMO if a PR
> > > is not submitted then one has *not* informed the Powers That Be.
> >
> > Wrong. Security bugs should be reported to the security team, not
> > PR'd.
>
> It's typical for security issues to be kept hushed until a fix is
> ready. As a result, there are usually no PRs, and in the case where
> the person who discovered the problem is amenable, there is no public
> discussion at all until a fix is available.
>
> Apparently, Mr. Frasunek started out down that path, which is
> admirable. It seems as if he doesn't have much patience, however,
> since he thinks that only 2 weeks is enough time to fix a security
> problem and QA the fix.

I usually discover security problems with updates I receive from
. Aren't FreeBSD security problems reported to their site? If not, why?
IMHO, keeping users in the dark to known security problems is not a
serviceable protocol.

-- 
Jerry
gesbbb@yahoo.com

If there is a possibility of several things going wrong,
the one that will cause the most damage will be the one to go wrong.