Date: Tue, 12 May 1998 21:25:05 +0200 (MET DST)
From: Guido van Rooij <guido@gvr.org>
To: fpscha@schapachnik.com.ar
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Why aren't security fixes posted to security-announce?
Message-ID: <199805121925.VAA19992@gvr.gvr.org>
In-Reply-To: <199805032118.SAA00317@localhost.schapachnik.com.ar> from "Fernando P. Schapachnik" at "May 3, 98 06:18:04 pm"

Fernando P. Schapachnik wrote:
> *** A similar message has already been posted some days before. As I
> didn't receive it, I assume nobody has. Sorry if this is not the case. ***
>
> Hello:
> 	I would like to know if there is a good reason for not posting to
> announce or security-announce those bugs/fixes mailed to security.
>
> 	I'm not talking about open issues that may help an attacker, but
> about those which have a fix or workaround. In this situation we can find
> Niall Smart's "Vulnerability in OpenBSD, FreeBSD-stable lprm", Dima
> Ruban's patch to BIND related with "Re: Any news on this?: CA-98.05
> Multiple Vulnerabilities in BIND" and Vasim Valejev's "Example of
> RFC-1644 attack", just to quote a few I received in the past few weeks.

In general, security-related patches are first applied to -current. After
about a week or so, they are brought to -stable. Then an advisory will
be sent out. Why? Because an advisory without a decently tested patch
would upset users.

In general, when a part of the system is affected that we import from
another source, e.g. XFree or sendmail, I think it is not wise to reissue
a FreeBSD-specific advisory as it might confuse more than it helps. We do try
to give feedback to users in these cases by providing a vendor-specific
section.

-Guido

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message