From owner-freebsd-security Sat Sep 30 19:12:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66])
	by hub.freebsd.org (Postfix) with ESMTP id 7059337B503
	for ; Sat, 30 Sep 2000 19:12:39 -0700 (PDT)
Received: (from str@localhost)
	by giganda.komkon.org (8.9.3/8.9.3) id WAA49025
	for security@freebsd.org; Sat, 30 Sep 2000 22:12:38 -0400 (EDT)
	(envelope-from str)
Date: Sat, 30 Sep 2000 22:12:38 -0400 (EDT)
From: Igor Roshchin
Message-Id: <200010010212.WAA49025@giganda.komkon.org>
To: security@freebsd.org
Subject: advisory suggestion
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I remember there was a discussion 1-2 years ago, on how to state
in advisories which versions of FreeBSD are vulnerable.
Unfortunately I don't remember what the final consensus was,
but may I make a suggestion based on the recent advisory?

Sometimes, it is difficult to recall when a particular release
was rolled out.
So, say, if I have a box running 3.5.1 - and I start thinking
if that one is affected, I'd have to go to an ftp server and check
the dates of the release, which makes it not very convenient.
Well, 4.1.1 is out just a few days ago, so it is easier to recall
that date, but if another advisory would come out a month from now,
and would have the fix date of September 30, I wouldn't remember
if it was before or after 4.1.1 was out.

Otherwise, I think the current format is very clear.

So, my suggestion is:
when there are additional releases in N.K-STABLE (or N.K-CURRENT) branch
(or to be more exact the particular N.K version of the branch)
besides N.K-RELEASE (such as N.K.1-RELEASE), it would be nice
to have a clause in there:

Affects: FreeBSD.....
         ... including 3.5.1-RELEASE
Corrected: ....
         (including 4.1.1-RELEASE [and later])

Regards,

Igor

> From: FreeBSD Security Advisories
> To: FreeBSD Security Advisories
> Subject: FreeBSD Security Advisory: FreeBSD-SA-00:53.catopen
> Date: Wed, 27 Sep 2000 17:48:35 -0700 (PDT)
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-00:53                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          catopen() may pose security risk for third party code
>
> Category:       core
> Module:         libc
> Announced:      2000-09-27
> Affects:        FreeBSD 5.0-CURRENT, 4.x and 3.x prior to the correction date.
> Corrected:      Problem 1: 2000-08-06 (FreeBSD 5.0-CURRENT)
>                            2000-08-22 (FreeBSD 4.1-STABLE)
>                            2000-09-07 (FreeBSD 3.5-STABLE)
>                 Problem 2: 2000-09-08 (FreeBSD 5.0-CURRENT, 4.1-STABLE and
>                            3.5-STABLE)

<..>