From owner-freebsd-security Tue May 12 12:25:45 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA06281 for freebsd-security-outgoing; Tue, 12 May 1998 12:25:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA06248 for ; Tue, 12 May 1998 12:25:30 -0700 (PDT) (envelope-from guido@gvr.org)
Received: (from guido@localhost) by gvr.gvr.org (8.8.8/8.8.5) id VAA19992; Tue, 12 May 1998 21:25:05 +0200 (MET DST)
From: Guido van Rooij <guido@gvr.org>
Message-Id: <199805121925.VAA19992@gvr.gvr.org>
Subject: Re: Why aren't security fixes posted to security-announce?
In-Reply-To: <199805032118.SAA00317@localhost.schapachnik.com.ar> from "Fernando P. Schapachnik" at "May 3, 98 06:18:04 pm"
To: fpscha@schapachnik.com.ar
Date: Tue, 12 May 1998 21:25:05 +0200 (MET DST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Fernando P. Schapachnik wrote:
> *** A similar message has already been posted some days before. As I
> didn't receive it, I assume nobody has. Sorry if this is not the case. ***
>
> Hello:
> I'd like to know if there is a good reason for not posting to
> announce or security-announce those bugs/fixes mailed to security.
>
> I'm not talking about open issues that may help an attacker, but
> about those which have a fix or workaround. In this situation we can find
> Niall Smart's "Vulnerability in OpenBSD, FreeBSD-stable lprm", Dima
> Ruban's patch to BIND related with "Re: Any news on this?: CA-98.05
> Multiple Vulnerabilities in BIND" and Vasim Valejev's "Example of
> RFC-1644 attack", just to quote a few I received in the past few weeks.

In general, security related patches are first applied to -current.
After about a week or so, they are brought to -stable. Then an advisory
will be sent out. Why? Because an advisory without a decently tested
patch would upset users.

In general, when a part of the system is affected that we import from
another source, e.g. XFree or sendmail, I think it is not wise to reissue
a FreeBSD specific advisory as it might confuse more than it helps. We do
try to give feedback to users in these cases by providing a vendor
specific section.

-Guido

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message