From: Karl Denninger <karl@denninger.net>
Date: Fri, 23 Dec 2011 10:53:40 -0600
To: John Baldwin
Cc: freebsd-stable@freebsd.org
Subject: Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
Message-ID: <4EF4B214.2070106@denninger.net>
In-Reply-To: <201112231139.26613.jhb@freebsd.org>
References: <4EF4A75C.2040609@my.gd> <201112231139.26613.jhb@freebsd.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0
Content-Type: text/plain; charset=ISO-8859-1
List-Id: Production branch of FreeBSD source code

I happen to APPLAUD the FreeBSD Security team for doing this. I WANT security fixes out as soon as reasonably possible.

You're NOT telling the bad guys anything they don't already know, but you ARE making it possible for the good guys to raise shields. A "remote root" problem is about as bad as it gets.

-- 
Karl Denninger
/The Market Ticker/

On 12/23/2011 10:39 AM, John Baldwin wrote:
> On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
>> Hey up list,
>>
>> Look, just a rant here.
>>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today?
>>
>> I mean, couldn't this have waited and remained undisclosed until Monday?
>>
>> I for one do *NOT* relish the idea of updating 50+ boxes this evening
>> and tomorrow!
>>
>> Not to mention a whole lot of merchants and banks have toggled IT Freeze
>> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
>> production changes.
>>
>> Seriously, this is just irritating.
>
> From an e-mail sent to security@ from the security officer:
>
> Hi all,
>
> No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes
> aren't deceiving you: We really did just send out 5 security advisories.
>
> The timing, to put it bluntly, sucks. We normally aim to release advisories on
> Wednesdays in order to maximize the number of system administrators who will be
> at work already; and we try very hard to avoid issuing advisories any time close
> to holidays for the same reason. The start of the Christmas weekend -- in some
> parts of the world it's already Saturday -- is absolutely not when we want to be
> releasing security advisories.
>
> Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
> is a remote root vulnerability which is being actively exploited in the wild;
> bugs really don't come any worse than this. On the positive side, most people
> have moved past telnet and on to SSH by now; but this is still not an issue we
> could postpone until a more convenient time.
>
> While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a
> rather messy fix involving adding a new interface to libc; this has the awkward
> side effect of causing the sizes of some "symbols" (aka. functions) in libc to
> change, resulting in cascading changes into many binaries. The long list of
> updated files is irritating, but isn't a sign that anything in freebsd-update
> went wrong.