Date: Tue, 15 Sep 2009 13:03:50 -0400
From: Jerry
To: freebsd-questions@freebsd.org
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Message-ID: <20090915130350.226fcf65@scorpio.seibercom.net>
In-Reply-To: <20090915111331.4fdfa964.wmoran@potentialtech.com>

On Tue, 15 Sep 2009 11:13:31 -0400
Bill Moran wrote:

> In response to Jerry:
>
> > On Tue, 15 Sep 2009 07:18:26 -0400
> > Bill Moran wrote:
> >
> > > Mel Flynn wrote:
> > > >
> > > > On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > > > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, illoai@gmail.com
> > > > > wrote:
> > > > > > Am 2009/9/14 Dan Goodin writhed:
> > > > > > > Hello,
> > > > > > >
> > > > > > > Dan Goodin, a reporter at technology news website The
> > > > > > > Register. Security researcher Przemyslaw Frasunek says
> > > > > > > versions 6.x through 6.4 of FreeBSD has a security bug. He
> > > > > > > says he notified the FreeBSD Foundation on August 29 and
> > > > > > > never got a response. We'll be writing a brief article
> > > > > > > about this. Please let me know ASAP if someone cares to
> > > > > > > comment.
> > > > > >
> > > > > > Has anyone submitted a PR about this?
> > > > >
> > > > > Przemyslaw Frasunek has PR's posted but none recent. IMO if a
> > > > > PR is not submitted then one has *not* informed the Powers
> > > > > That Be.
> > > >
> > > > Wrong. Security bugs should be reported to the security team,
> > > > not PR'd.
> > >
> > > It's typical for security issues to be kept hushed until a fix is
> > > ready. As a result, there are usually no PRs, and in the case
> > > where the person who discovered the problem is amenable, there is
> > > no public discussion at all until a fix is available.
> > >
> > > Apparently, Mr. Frasunek started out down that path, which is
> > > admirable. It seems as if he doesn't have much patience, however,
> > > since he thinks that only 2 weeks is enough time to fix a security
> > > problem and QA the fix.
> >
> > I usually discover security problems with updates I receive from
> > . Aren't FreeBSD security problems
> > reported to their site? If not, why? IMHO, keeping users in the
> > dark to known security problems is not a serviceable protocol.
>
> Because releasing security advisories before there is a fix available
> is not responsible use of the information, and (as is being
> discussed) the fix is still in the works.

I disagree. If I have a medical problem, or whatever, I expect to be
informed of it. The fact that there is no known cure, fix, etc. is
immaterial, if in fact not grossly negligent. Being kept ignorant of a
security problem is as foolish a theory as "Security through Obscurity".

I find the updates invaluable. The fact that apparently FBSD does not
encompass them I find discomforting.

BTW, please do not CC: me. I am subscribed to the list and do not need
multiple copies of the same post.

-- 
Jerry
gesbbb@yahoo.com

There is no sin but ignorance.

Christopher Marlowe