From owner-freebsd-security Tue May 12 19:24:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA22784 for freebsd-security-outgoing; Tue, 12 May 1998 19:24:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns2.sminter.com.ar (ns2.sminter.com.ar [200.10.100.11]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA22765 for ; Tue, 12 May 1998 19:24:11 -0700 (PDT) (envelope-from Recabarren!fpscha@ns2.sminter.com.ar)
Received: (from uucp@localhost) by ns2.sminter.com.ar (8.8.5/8.8.4) id XAA05007 for FreeBSD.ORG!freebsd-security; Tue, 12 May 1998 23:22:40 -0300 (GMT)
Received: (from fpscha@localhost) by localhost.schapachnik.com.ar (8.8.5/8.8.5) id WAA00418; Wed, 13 May 1998 22:28:09 -0300 (ARST)
From: "Fernando P. Schapachnik"
Message-Id: <199805140128.WAA00418@localhost.schapachnik.com.ar>
Subject: Re: Why aren't security fixes posted to security-announce?
To: guido@gvr.org (Guido van Rooij)
Date: Wed, 13 May 1998 22:28:08 -0300 (ARST)
Cc: fpscha@schapachnik.com.ar, freebsd-security@FreeBSD.ORG
In-Reply-To: <199805121925.VAA19992@gvr.gvr.org> from Guido van Rooij at "May 12, 98 09:25:05 pm"
Reply-To: fpscha@schapachnik.com.ar
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

In an earlier message Guido van Rooij wrote:
> Fernando P. Schapachnik wrote:
> > Hello:
> > I'd like to know if there is a good reason for not posting to
> > announce or security-announce those bugs/fixes mailed to security.
> >
> > I'm not talking about open issues that may help an attacker, but
> > about those which have a fix or workaround. In this situation we can find
> > Niall Smart's "Vulnerability in OpenBSD, FreeBSD-stable lprm", Dima
> > Ruban's patch to BIND related with "Re: Any news on this?: CA-98.05
> > Multiple Vulnerabilities in BIND" and Vasim Valejev's "Example of
> > RFC-1644 attack", just to quote a few I received in the past few weeks.
>
> In general, security related patches are first applied to -current.
> After about a week or so, they are brought to -stable. Then an
> advisory will be sent out. Why? Because an advisory without a decently
> tested patch would upset users.

I agree with this as a policy, but it is not what I see happening. For
example, I haven't seen an advisory about "Vulnerability in OpenBSD,
FreeBSD-stable lprm" and it was posted 3 weeks ago.

Please don't get me wrong. I'll be happy and willing to help if the
answer is "we don't have enough time". On the other hand, how much
"security feedback" you obtain from your "vendor" directly affects how
secure you can keep your system (eg, Solaris has a _very_bad_ security
policy because although we paid the u$s 30000+ for a server, we can't
have them sending us security info. Only way out: keep an eye on
rootshell.com. And they do have time!).

> In general, when a part of the system is affected that we import from
> another source, e.g. XFree or sendmail, I think it is not wise to reissue
> a FreeBSD specific advisory as it might confuse more than it helps.
> We do try to give feedback to users in these cases by providing a vendor
> specific section.
>
> -Guido
>

Kind regards!

Fernando P. Schapachnik
fpscha@schapachnik.com.ar

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message