From owner-freebsd-security Tue Aug 6 4:49:50 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E8A1C37B400 for ; Tue, 6 Aug 2002 04:49:45 -0700 (PDT)
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id CF26743E75 for ; Tue, 6 Aug 2002 04:49:41 -0700 (PDT) (envelope-from nectar@nectar.cc)
Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 1DAFD95; Tue, 6 Aug 2002 06:49:41 -0500 (CDT)
Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g76Bnevd094894; Tue, 6 Aug 2002 06:49:40 -0500 (CDT) (envelope-from nectar@madman.nectar.cc)
Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g76Bnegu094893; Tue, 6 Aug 2002 06:49:40 -0500 (CDT)
Date: Tue, 6 Aug 2002 06:49:40 -0500
From: "Jacques A. Vidrine"
To: Anatole Shaw
Cc: Dag-Erling Smorgrav, freebsd-security@freebsd.org
Subject: Re: advisory coordination (Re: SA-02:35)
Message-ID: <20020806114939.GF94762@madman.nectar.cc>
Mail-Followup-To: "Jacques A. Vidrine", Anatole Shaw, Dag-Erling Smorgrav, freebsd-security@freebsd.org
References: <1028312148.3d4acc54c5eef@webmail.vsi.ru> <20020806053237.A49851@kagnew.autoloop.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020806053237.A49851@kagnew.autoloop.com>
X-Url: http://www.nectar.cc/
User-Agent: Mutt/1.5.1i-ja.1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, Aug 06, 2002 at 05:32:37AM -0400, Anatole Shaw wrote:
> As a result, there were just about 3 days during which the security patch
> circulated with no explanation. Those were three days for blackhats to
> examine the patch, and for exploits to emerge and circulate, before most
> admins were aware of the bug or its impact.

The bug fix in question was actually in the -CURRENT and -STABLE branches as many as 6 weeks ago. The commit to the security branches on July 31 would have been the first indication that there would be an advisory for the issue. Adding the patch to the FTP site didn't disclose any further information.

> On the same day, Ache@ forwarded an unrelated CVS commit on setlocale.c to
> this list, adding nonchalantly, "That original BSD code bug can be
> exploitable." The advisory for this one is still in the works, I guess.

He made a mistake (two, actually):

= he meant to mail security-officer@freebsd.org, rather than security@freebsd.org
= he was wrong ... there was no security issue

> I'm all for full-disclosure, but something is very wrong in these 2 cases.
> Known security problems are being released in fragments without any
> coordination. It seems that a basic Vulnerability Coordination function
> is broken or missing, and surely we can fix this.

I don't think there is anything wrong, other than a bit of back-seat driving. I make plenty of Actual Mistakes for you to pick on if you like --- this was not one of them. :-)

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message