Date: Wed, 13 May 1998 22:28:08 -0300 (ARST)
From: "Fernando P. Schapachnik" <fpscha@localhost.schapachnik.com.ar>
To: guido@gvr.org (Guido van Rooij)
Cc: fpscha@schapachnik.com.ar, freebsd-security@FreeBSD.ORG
Subject: Re: Why aren't security fixes posted to security-announce?
Message-ID: <199805140128.WAA00418@localhost.schapachnik.com.ar>
In-Reply-To: <199805121925.VAA19992@gvr.gvr.org> from Guido van Rooij at "May 12, 98 09:25:05 pm"
In a previous message Guido van Rooij wrote:
> Fernando P. Schapachnik wrote:
> > Hello:
> >
> > I'd like to know if there is a good reason for not posting to
> > announce or security-announce those bugs/fixes mailed to security.
> >
> > I'm not talking about open issues that may help an attacker, but
> > about those which have a fix or workaround. In this situation we can find
> > Niall Smart's "Vulnerability in OpenBSD, FreeBSD-stable lprm", Dima
> > Ruban's patch to BIND related to "Re: Any news on this?: CA-98.05
> > Multiple Vulnerabilities in BIND" and Vasim Valejev's "Example of
> > RFC-1644 attack", just to quote a few I received in the past few weeks.
>
> In general, security related patches are first applied to -current.
> After about a week or so, they are brought to -stable. Then an
> advisory will be sent out. Why? Because an advisory without a decently
> tested patch would upset users.

I agree with this as a policy, but it is not what I see happening. For example, I haven't seen an advisory about "Vulnerability in OpenBSD, FreeBSD-stable lprm", and it was posted 3 weeks ago.

Please don't get me wrong. I'll be happy and willing to help if the answer is "we don't have enough time". On the other hand, how much "security feedback" you obtain from your "vendor" directly affects how secure you can keep your system (e.g., Solaris has a _very_bad_ security policy because, although we paid the US$ 30,000+ for a server, we can't have them sending us security info. Only way out: keep an eye on rootshell.com. And they do have time!).

> In general, when a part of the system is affected that we import from
> another source, e.g. XFree or sendmail, I think it is not wise to reissue
> a FreeBSD specific advisory as it might confuse more than it helps.
> We do try to give feedback to users in these cases by providing a vendor
> specific section.
>
> -Guido

Kind regards!

Fernando P. Schapachnik
fpscha@schapachnik.com.ar
