From: John Baldwin
To: freebsd-stable@freebsd.org
Date: Fri, 23 Dec 2011 11:39:26 -0500
Subject: Re: FLAME - security advisories on the 23rd ? uncool idea is uncool

On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
> Hey up list,
>
> Look, just a rant here.
>
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?
>
> I mean, couldn't this have waited and remained undisclosed until Monday ?
>
> I for one do *NOT* relish the idea of updating 50+ boxes this evening
> and tomorrow !
>
> Not to mention a whole lot of merchants and banks have toggled IT Freeze
> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
> production changes.
>
> Seriously, this is just irritating.

From an e-mail sent to security@ from the security officer:

Hi all,

No, the Grinch didn't steal the FreeBSD security officer GPG key, and your
eyes aren't deceiving you: We really did just send out 5 security advisories.

The timing, to put it bluntly, sucks. We normally aim to release advisories
on Wednesdays in order to maximize the number of system administrators who
will be at work already; and we try very hard to avoid issuing advisories any
time close to holidays for the same reason. The start of the Christmas
weekend -- in some parts of the world it's already Saturday -- is absolutely
not when we want to be releasing security advisories.

Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
is a remote root vulnerability which is being actively exploited in the wild;
bugs really don't come any worse than this. On the positive side, most people
have moved past telnet and on to SSH by now; but this is still not an issue
we could postpone until a more convenient time.

While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has
a rather messy fix involving adding a new interface to libc; this has the
awkward side effect of causing the sizes of some "symbols" (aka. functions) in
libc to change, resulting in cascading changes into many binaries. The long
list of updated files is irritating, but isn't a sign that anything in
freebsd-update went wrong.

-- 
John Baldwin