From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
To: freebsd-security@freebsd.org
Cc: FreeBSD Security Team
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh
Date: Fri, 4 Nov 2016 19:39:53 +1100
Message-ID: <24ff198d-9bd2-9842-50d8-8a1d5e2ecf8a@FreeBSD.org>
References: <20161102075533.8BBA114B5@freefall.freebsd.org> <201611021357.uA2DvHMW003088@higson.cam.lispworks.com>

On 3/11/2016 9:36 PM, Matthew Seaman wrote:
> On 2016/11/03 09:41, Kimmo Paasiala wrote:
>> Both 10.1 and 10.2 are going to be unsupported by the end of this
>> year, that's probably the reason the fix was not included in them.
>>
>> https://www.freebsd.org/security/#sup
>>
>
> Yes, but 10.1 and 10.2 are still supported for the next two months.
> That means they should get security patches where warranted until
> Dec 31st. There's no point in stating an EoL date if the end of the
> support lifetime is effectively a few months before that...
>
> If an advisory hasn't been issued for 10.1 and 10.2 that's because
> the Security Team currently don't think the problem applies to those
> versions. It's possible SecTeam are mistaken and will need to
> update the advisory, but SecTeam are usually pretty accurate about
> these things.
>
> Cheers,
>
> Matthew
>

But everyone should always feel comfortable asking questions, particularly in matters of security and especially if things are left unsaid, unstated, implicit, or remain ambiguous.

Security advisories should state explicitly when otherwise supported versions are not vulnerable. It's surprising this isn't already the case.

How might this be improved for the future?

./koobs