From: Remko Lodder <remko@FreeBSD.org>
Subject: Re: The Stack Clash vulnerability
Date: Fri, 23 Jun 2017 11:00:31 +0200
To: Michelle Sullivan
Cc: Peter Jeremy, freebsd-security@freebsd.org

> On 23 Jun 2017, at 01:19, Michelle Sullivan wrote:
>
> Peter,
>
> Peter Jeremy wrote:
>>
>> paying someone to provide whatever level of support you want. With
>> respect to your 9.x servers, no-one is saying you must replace the
>> hardware, just that the FreeBSD Project will not continue to provide
>> you with free support whilst you choose to run 9.x on them. Note that
>>
> You mistake me for someone who needs or is asking for support.
>
> I already have the proposed patch available to me on my servers, I'm not convinced it solves the issue, merely making it a *lot* more difficult to exploit, however that was my 'first look'. I have a lot more to understand and think about, and there are many more people of higher intelligence looking at it than me.
>
> That said, I'm suggesting that given the amount of time this issue has been around and that it was supposedly fixed many years ago, that one should consider a special case backport for those that are not capable of creating their own patches... and before throwing accusations around you should consider how many times I have ever suggested that a particular bug gets backported... If you can't be bothered to check, this is the first since I started using FreeBSD in 2003.

Okay, let's cool this thread down. There are no accusations in this thread, and they are not needed nor welcome either.

I am going to make a general note below; this is not something that is aimed at _you_ personally.

My general note is about the policy we maintain to update supported systems. Once we are ready with the currently supported branches, it might be "simple" for "someone" (not the FreeBSD Security Team) to back port those changes into older -STABLE branches. I am stating that we will not per se do that. But if someone has time and effort to support such a change, it will be done. People like hps@ merge periodically to older branches that are officially no longer supported. That does not mean that they cannot do that, but that they have an interest in doing so, which is perfectly fine (of course).

So; if the patch is applicable for older branches as well (stable I mean), someone needs to find a committer that can vouch for it and also import it into the stable branches. He or she has to understand that it might cause problems and they need to be investigated by that person in that case.

If someone, who is commercially using our Operating System, has an urgent need to have this in a -STABLE branch, I am sure that a few bucks here and there can make it worth someone's (free) time to support that.

That's the way it works: we volunteer for this project, and we do understand that people are using our product, even in a commercial sense where people make a -lot- of money with "our" work. That is perfectly fine. But we have to draw a line in what we can and will support. We also have families, hobbies, other work that obviously also costs time and generates our income(s). Even with that we are happy to work on the project, and thus the "product" that we ship. But there is a line. There are no more hours in a day than 24. We have to divide that among all those regions we are active in. That is where the support policy comes in: we accept the fact that we maintain and support releases and stable branches after we created them. We do that for a limited amount of time, so that we can have a good division between new products and our other activities. So if someone wants to keep a committer/programmer active while he could have been playing with his kids, it should be worth his/her while (in addition to the work he/she already does for the project), and it's for the committer to decide whether that is indeed worth the while. Perhaps a committer is already being paid by someone to do this and he or she will just do it "for free"; then everyone benefits and we have to thank the sponsor for that.

So given the above, and now I am responding to your request, I do not think we should break our tradition. There are many things that are not fixed in older branches, OpenSSL comes to mind; we simply have to make a choice in what we can and cannot do, and be open about that. Branches that are no longer supported will not get official fixes anymore. A committer is free to do so, with the note that it -might- cost a few bucks to get that going.

I hope the above is making it a bit more clear on why we have to draw a line somewhere, and what it might take to get it in the STABLE branches. It can be done, but you need to find someone who can do that, with potential consequences.

Thanks,
Remko

>
> --
> Michelle Sullivan
> http://www.mhix.org/