Date: Tue, 21 Nov 2000 00:34:06 -0800
From: Kris Kennaway <kris@FreeBSD.org>
To: Trevor Johnson <trevor@jpj.net>
Cc: security-officer@FreeBSD.org, security@FreeBSD.org
Subject: Re: New security policy for FreeBSD 3.x
Message-ID: <20001121003406.A95525@citusc17.usc.edu>
In-Reply-To: <Pine.BSI.4.21.0011210233230.17837-100000@blues.jpj.net>; from trevor@jpj.net on Tue, Nov 21, 2000 at 02:53:43AM -0500
References: <20001120035146.0020937B479@hub.freebsd.org> <Pine.BSI.4.21.0011210233230.17837-100000@blues.jpj.net>

On Tue, Nov 21, 2000 at 02:53:43AM -0500, Trevor Johnson wrote:
> > Due to the frequent difficulties encountered in fixing the old code
> > contained in FreeBSD 3.x, we will no longer be requiring security
> > problems to be fixed in that branch prior to the release of an
> > advisory that also pertains to FreeBSD 4.x. In recent months this
> > requirement has led to delays in the release of advisories, which
> > negatively impacts users of the current FreeBSD release branch
> > (FreeBSD 4.x).
>
> IMO an advisory can be useful even when no fix is available, because it
> alerts the sysadmin to the fact that something is unsafe. Usually some
> defensive action can be taken. The problems with ncurses were reported on
> Bugtraq in April (and FreeBSD was said to be vulnerable), but a fixed
> version was not available until October. IMO that is too long a
> wait. Therefore I suggest making this new policy of not waiting a general
> one, rather than just for RELENG_3.

This is untrue - we were informed by Jouko Pynonnen on 2 Oct 2000,
which is about the time it hit bugtraq, it was fixed 7 days later by
the vendor and we imported it 2 days after that. You must be
referring to some other problem.

However, your general point is taken and it's something we'll
consider.

Kris
