Date: Tue, 21 Nov 2000 02:53:43 -0500 (EST)
From: Trevor Johnson <trevor@jpj.net>
To: security-officer@FreeBSD.org, security@FreeBSD.org
Subject: Re: New security policy for FreeBSD 3.x
Message-ID: <Pine.BSI.4.21.0011210233230.17837-100000@blues.jpj.net>
In-Reply-To: <20001120035146.0020937B479@hub.freebsd.org>
> Due to the frequent difficulties encountered in fixing the old code
> contained in FreeBSD 3.x, we will no longer be requiring security
> problems to be fixed in that branch prior to the release of an
> advisory that also pertains to FreeBSD 4.x. In recent months this
> requirement has led to delays in the release of advisories, which
> negatively impacts users of the current FreeBSD release branch
> (FreeBSD 4.x).

IMO an advisory can be useful even when no fix is available, because it
alerts the sysadmin to the fact that something is unsafe. Usually some
defensive action can be taken. The problems with ncurses were reported
on Bugtraq in April (and FreeBSD was said to be vulnerable), but a fixed
version was not available until October. IMO that is too long a wait.
Therefore I suggest making this new policy of not waiting a general one,
rather than just for RELENG_3.

Does the FreeBSD Project have a 3.x box for testing?
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message