Date:      Sat, 30 Sep 2000 22:12:38 -0400 (EDT)
From:      Igor Roshchin <str@giganda.komkon.org>
To:        security@freebsd.org
Subject:   advisory suggestion
Message-ID:  <200010010212.WAA49025@giganda.komkon.org>


I remember there was a discussion 1-2 years ago
on how to state in advisories which versions of FreeBSD are vulnerable.
Unfortunately I don't remember what the final consensus was,
but may I make a suggestion based on the recent advisory?

Sometimes, it is difficult to recall when a particular release was 
rolled out. So, say, if I have a box running 3.5.1 - and I start
thinking if that one is affected, I'd have to go to an ftp server
and check the dates of the release, which makes it not very convenient.
Well, 4.1.1 came out just a few days ago, so it is easier to recall that date,
but if another advisory would come out a month from now, and would have
the fix date of September 30, I wouldn't remember if it was before
or after 4.1.1 was out.
Otherwise, I think the current format is very clear.

So, my suggestion is:
when there are additional releases in the N.K-STABLE (or N.K-CURRENT) branch
(or, to be more exact, the particular N.K version of the branch)
besides N.K-RELEASE (such as N.K.1-RELEASE), it would be nice
to have a clause in there:

Affects: FreeBSD.....
... including 3.5.1-RELEASE

Corrected: ....
     (including 4.1.1-RELEASE [and later])

Regards,

Igor


> From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
> To: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
> Subject: FreeBSD Security Advisory: FreeBSD-SA-00:53.catopen
> Date: Wed, 27 Sep 2000 17:48:35 -0700 (PDT)
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-00:53                                            Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          catopen() may pose security risk for third party code
>
> Category:       core
> Module:         libc
> Announced:      2000-09-27
> Affects:        FreeBSD 5.0-CURRENT, 4.x and 3.x prior to the correction date.
> Corrected:      Problem 1: 2000-08-06 (FreeBSD 5.0-CURRENT)
>                            2000-08-22 (FreeBSD 4.1-STABLE)
>                            2000-09-07 (FreeBSD 3.5-STABLE)
>                 Problem 2: 2000-09-08 (FreeBSD 5.0-CURRENT, 4.1-STABLE and
>                                        3.5-STABLE)
<..>

