From: Mark Felder <feld@FreeBSD.org>
To: Mason Loring Bliss
Cc: freebsd-security@freebsd.org
Subject: Re: Quarterly packages and security updates...
Date: Fri, 14 Aug 2015 14:58:40 -0500
Message-Id: <1439582320.3498403.356545865.7274D82A@webmail.messagingengine.com>
In-Reply-To: <20150814173142.GK4093@blisses.org>
References: <20150813202007.GC4093@blisses.org>
 <1439566064.3432937.356330361.6E353C63@webmail.messagingengine.com>
 <20150814173142.GK4093@blisses.org>
List-Id: "Security issues [members-only posting]"

On Fri, Aug 14, 2015, at 12:31, Mason Loring Bliss wrote:
> > The packages are there, so I don't understand how you observe these
> > packages to still be vulnerable.
>
> How about, two of them were vulnerable until I wrote to the list with the
> dismaying thought that we were going to ship vulnerable packages, at which
> point someone with the ability to push packages around decided to fix
> them...?
>

My mistake, I didn't notice they were published after your initial email.

Looking at the timestamps for Firefox 40.0,1 getting committed:

HEAD    r393690  Fri Aug  7 12:02:41 2015 UTC
2015Q3  r393958  Tue Aug 11 18:29:59 2015 UTC

Ok, that took much longer than usual. The MFH requests are usually
processed quickly. I checked my emails and the MFH request was processed &
approved a few hours after the commit.

Now to add further complications, Firefox 40.0,1 received a lot of
complaints about very frequent crashing (PR 202174). It wasn't until a bit
later that it was fixed at r393805 on Sunday.

Basically, 2015Q3 users didn't receive Firefox 40.0 until several changes
went into HEAD. They could have received the update same day for the sake
of security, but I'm not sure what good it would have been if the browser
was unusable.

I'm not going to make excuses -- I wish it could have been pushed out
faster. I just hope this helps clear up what was going on with this
incident, though. We will continue to push forward and learn from mistakes.

> That said, I will happily use the mechanisms you noted if I see this sort
> of situation in the future, and I am sincerely, deeply grateful that the
> high-profile stuff I pointed out was fixed so rapidly in response to my
> pointing it out.
>