Date:      Sat, 04 Oct 2003 00:26:05 -0600 (MDT)
From:      "M. Warner Losh" <imp@bsdimp.com>
To:        barney@databus.com
Cc:        current@freebsd.org
Subject:   Re: [security-advisories@freebsd.org: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:17.procfs]
Message-ID:  <20031004.002605.65822565.imp@bsdimp.com>
In-Reply-To: <20031004021041.GA33705@pit.databus.com>
References:  <20031004014527.GB32411@pit.databus.com> <20031004015404.GW72999@procyon.firepipe.net> <20031004021041.GA33705@pit.databus.com>

In message: <20031004021041.GA33705@pit.databus.com>
            Barney Wolff <barney@databus.com> writes:
: On Fri, Oct 03, 2003 at 06:54:04PM -0700, Will Andrews wrote:
: > On Fri, Oct 03, 2003 at 09:45:27PM -0400, Barney Wolff wrote:
: > > I'm finally motivated to ask, why don't security advisories contain
: > > the equivalent revs for -head?  Surely I can't be the only person
: > > following -current who doesn't build every day.
: > 
: > Simply because the SO does not support -CURRENT.
: 
: Does this mean that the situation can ever arise where a security bug
: is corrected in the advisory's announced releases but not in -current?

Typically yes.  However, see below.

: Or, can we assume that as of the time of the security announcement
: the vulnerability has *always* been corrected in -current?

Standard operating procedure is to commit to head, then to the
branches.

However, it is theoretically possible that a bug exists in current
that is exploitable in the same way that an advisory addresses.  I
think we've had this issue only once in the project's history.  The
code was in the kernel and the then-current -current was so different
from stable that patches to stable didn't fix the problem on current
and it took a while to realize that there was a problem and to fix
it.

Warner


