From: "Jacques A. Vidrine"
To: "Nickolay A. Kritsky"
Cc: security@FreeBSD.ORG
Date: Tue, 19 Mar 2002 09:56:11 -0600
Subject: Re: TCP connections on broadcast address - why no advisory?

On Tue, Mar 19, 2002 at 01:42:31PM +0300, Nickolay A. Kritsky wrote:
> Hello, freebsd-security.
>
> On the Bugtraq I have read report by Crist J. Clark about TCP
> connections on broadcast address. It can be found on
> http://online.securityfocus.com/archive/1/262733 . In this advisory
> I've read the following:
>
>
> I committed changes to FreeBSD 5-CURRENT on February 25th (CVS
> revision 1.148) and to 4-STABLE on February 28th (revision
> 1.107.2.21). After discussion with the FreeBSD security-officer@ team,
> these changes will not be incorporated into the RELENG_4_{3,4,5}
> security-fix branches nor will an advisory be released.
>
>
> Why will no advisory be released?

Because the fix will not be incorporated into the security fix
branches, and in general we don't make changes to those branches
without an advisory.

It was not incorporated into the security fix branches, because this
is more a theoretical problem rather than a real risk. As with the
weak IS versus strong IS debate, it seems that only systems with
already broken security policies would be affected. In other words, I
believe this bug affects none of our user community.

This doesn't mean that Crist's post to BUGTRAQ is not interesting ---
it is, and well-written, too! --- it just didn't pass the taste test
for an important security fix.

> What if I wasn't subscribed to
> BUGTRAQ? How would I know about this bug? Maybe I missed something.
> Sorry then.

How do you know about any bugs?

Cheers,
-- 
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se