From: FreeBSD Security Officer
Organization: FreeBSD Project
Reply-To: security-officer@freebsd.org
To: freebsd-announce@freebsd.org, freebsd-security-notifications@freebsd.org
Date: Fri, 23 Dec 2011 07:39:20 -0800
Subject: Merry Christmas from the FreeBSD Security Team
Message-ID: <4EF4A0A8.3000707@freebsd.org>
List-Id: "Moderated Security Notifications [moderated, low volume]"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes aren't deceiving you: We really did just send out 5 security advisories.

The timing, to put it bluntly, sucks. We normally aim to release advisories on Wednesdays in order to maximize the number of system administrators who will be at work already; and we try very hard to avoid issuing advisories any time close to holidays for the same reason. The start of the Christmas weekend -- in some parts of the world it's already Saturday -- is absolutely not when we want to be releasing security advisories.

Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd) is a remote root vulnerability which is being actively exploited in the wild; bugs really don't come any worse than this. On the positive side, most people have moved past telnet and on to SSH by now; but this is still not an issue we could postpone until a more convenient time.

While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a rather messy fix involving adding a new interface to libc; this has the awkward side effect of causing the sizes of some "symbols" (aka. functions) in libc to change, resulting in cascading changes into many binaries. The long list of updated files is irritating, but isn't a sign that anything in freebsd-update went wrong.

- -- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70oKgACgkQFdaIBMps37IsdACgh01CeO+zVGe3o9dn2cLvhh70
ISoAoJCeLUAbJ+0ibyfbVM4fYxpiEfo0
=vt5I
-----END PGP SIGNATURE-----