From: Mehmet Erol Sanliturk
To: John Baldwin
Cc: freebsd-stable@freebsd.org
Date: Fri, 23 Dec 2011 11:56:51 -0500
Subject: Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
In-Reply-To: <201112231139.26613.jhb@freebsd.org>
References: <4EF4A75C.2040609@my.gd> <201112231139.26613.jhb@freebsd.org>
List-Id: Production branch of FreeBSD source code

On Fri, Dec 23, 2011 at 11:39 AM, John Baldwin wrote:

> On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
> > Hey up list,
> >
> > Look, just a rant here.
> >
> > Who in *HELL* thought it would be a cool idea to release no less than
> > FOUR security advisories today?
> >
> > I mean, couldn't this have waited and remained undisclosed until Monday?
> >
> > I for one do *NOT* relish the idea of updating 50+ boxes this evening
> > and tomorrow!
> >
> > Not to mention a whole lot of merchants and banks have toggled IT Freeze
> > a few weeks ago, to ensure xmas shopping doesn't get disturbed by
> > production changes.
> >
> > Seriously, this is just irritating.
>
> From an e-mail sent to security@ from the security officer:
>
> Hi all,
>
> No, the Grinch didn't steal the FreeBSD security officer GPG key, and your
> eyes aren't deceiving you: We really did just send out 5 security advisories.
>
> The timing, to put it bluntly, sucks. We normally aim to release advisories
> on Wednesdays in order to maximize the number of system administrators who
> will be at work already; and we try very hard to avoid issuing advisories any
> time close to holidays for the same reason. The start of the Christmas
> weekend -- in some parts of the world it's already Saturday -- is absolutely
> not when we want to be releasing security advisories.
>
> Unfortunately my hand was forced: One of the issues
> (FreeBSD-SA-11:08.telnetd) is a remote root vulnerability which is being
> actively exploited in the wild; bugs really don't come any worse than this.
> On the positive side, most people have moved past telnet and on to SSH by
> now; but this is still not an issue we could postpone until a more
> convenient time.
>
> While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot
> has a rather messy fix involving adding a new interface to libc; this has
> the awkward side effect of causing the sizes of some "symbols" (aka.
> functions) in libc to change, resulting in cascading changes into many
> binaries. The long list of updated files is irritating, but isn't a sign
> that anything in freebsd-update went wrong.
>
> --
> John Baldwin

These vulnerabilities are known many days before in other distributions.

Thank you very much.

Mehmet Erol Sanliturk