Date: Fri, 23 Jun 2017 08:29:30 +1000
From: Peter Jeremy
To: Michelle Sullivan
Cc: "freebsd-security@freebsd.org"
Subject: Re: The Stack Clash vulnerability
Message-ID: <20170622222930.GA36405@server.rulingia.com>

On 2017-Jun-22 13:14:33 +0200, Michelle Sullivan wrote:
>I know, but with potentially serious issues even M$ issue patches for
>older release...

To my knowledge, Microsoft has issued a patch on one occasion for an
especially critical vulnerability on an unsupported release.  I've seen no
indication that the Stack Clash vulnerability can be compared in severity
to WannaCry.

>hardware.... I have 9.x servers that 10.x/11.x and even 12.x are
>unbootable (and given the nature of the hardware I expect people to say
>'too old, you should replace the hardware' - not my call, and currently
>not possible.)

FreeBSD is a volunteer project.  Supporting old releases requires effort
that increases as the release gets older.  The Project as a whole has
published a support policy that is intended to strike a balance between
requiring customers to upgrade (we realise that upgrading incurs a cost)
and spending volunteer effort on maintaining old releases.

Note that I am referring to _free_ support here.  Unlike Microsoft,
FreeBSD is open source.  If the level of free support provided by the
Project is insufficient for your needs, you always have the option of
paying someone to provide whatever level of support you want.

With respect to your 9.x servers, no-one is saying you must replace the
hardware, just that the FreeBSD Project will not continue to provide you
with free support whilst you choose to run 9.x on them.
Note that 10.0 was released in January 2014, so you have had 3½ years to
resolve the problem that your servers aren't compatible with 10.x.

>Not asking for new versions or new releases.. just patches applied for
>previous -STABLE trees....

As has been stated, the FreeBSD project will patch the supported -STABLE
trees.

-- 
Peter Jeremy