Date: Fri, 4 Nov 2016 19:39:53 +1100 From: Kubilay Kocak <koobs@FreeBSD.org> To: freebsd-security@freebsd.org Cc: FreeBSD Security Team <secteam@freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh Message-ID: <24ff198d-9bd2-9842-50d8-8a1d5e2ecf8a@FreeBSD.org> In-Reply-To: <b8dcb2aa-4149-89ad-e519-8ce68922d0a8@FreeBSD.org> References: <20161102075533.8BBA114B5@freefall.freebsd.org> <201611021357.uA2DvHMW003088@higson.cam.lispworks.com> <CA%2B7WWSc%2B_Jjf%2BStVb2n367%2B7YSCw-RnGMTbT4nbaE88d_n57%2Bg@mail.gmail.com> <b8dcb2aa-4149-89ad-e519-8ce68922d0a8@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 3/11/2016 9:36 PM, Matthew Seaman wrote: > On 2016/11/03 09:41, Kimmo Paasiala wrote: >> Both 10.1 and 10.2 are going to be unsupported by the end of this >> year, that's probably the reason the fix was not included in them. >> >> https://www.freebsd.org/security/#sup >> > > Yes, but 10.1 and 10.2 are still supported for the next two months. > That means they should get security patches where warranted until > Dec 31st. There's no point in stating an EoL date if the end of the > support lifetime is effectively a few months before that... > > If and advisory hasn't been issued for 10.1 and 10.2 that's because > the Security Team currently don't think the problem applies to those > versions. It's possible SecTeam are mistaken and will need to > update the advisory, but SecTeam are usually pretty accurate about > these things. > > Cheers, > > Matthew > > But everyone should always feel comfortable asking questions, particularly in matters of security and especially if things are left unsaid, unstated, implicit, or remain ambiguous. Security advisories should state explicitly when otherwise supported versions are not vulnerable. It's surprising this isn't already the case. How might this be improved for the future? ./koobs
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?24ff198d-9bd2-9842-50d8-8a1d5e2ecf8a>