Date: Tue, 21 Nov 2000 00:34:06 -0800
From: Kris Kennaway <kris@FreeBSD.org>
To: Trevor Johnson <trevor@jpj.net>
Cc: security-officer@FreeBSD.org, security@FreeBSD.org
Subject: Re: New security policy for FreeBSD 3.x
Message-ID: <20001121003406.A95525@citusc17.usc.edu>
In-Reply-To: <Pine.BSI.4.21.0011210233230.17837-100000@blues.jpj.net>; from trevor@jpj.net on Tue, Nov 21, 2000 at 02:53:43AM -0500
References: <20001120035146.0020937B479@hub.freebsd.org> <Pine.BSI.4.21.0011210233230.17837-100000@blues.jpj.net>
On Tue, Nov 21, 2000 at 02:53:43AM -0500, Trevor Johnson wrote:
> > Due to the frequent difficulties encountered in fixing the old code
> > contained in FreeBSD 3.x, we will no longer be requiring security
> > problems to be fixed in that branch prior to the release of an
> > advisory that also pertains to FreeBSD 4.x. In recent months this
> > requirement has led to delays in the release of advisories, which
> > negatively impacts users of the current FreeBSD release branch
> > (FreeBSD 4.x).
>
> IMO an advisory can be useful even when no fix is available, because it
> alerts the sysadmin to the fact that something is unsafe. Usually some
> defensive action can be taken. The problems with ncurses were reported on
> Bugtraq in April (and FreeBSD was said to be vulnerable), but a fixed
> version was not available until October. IMO that is too long a
> wait. Therefore I suggest making this new policy of not waiting a general
> one, rather than just for RELENG_3.

This is untrue - we were informed by Jouko Pynonnen on 2 Oct 2000, which
is about the time it hit bugtraq, it was fixed 7 days later by the vendor
and we imported it 2 days after that. You must be referring to some other
problem.

However, your general point is taken and it's something we'll consider.

Kris