From owner-freebsd-current@FreeBSD.ORG Fri Oct 3 23:26:06 2003
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F3CAB16A4B3; Fri, 3 Oct 2003 23:26:05 -0700 (PDT)
Received: from harmony.village.org (rover.bsdimp.com [204.144.255.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1177443FAF; Fri, 3 Oct 2003 23:26:05 -0700 (PDT) (envelope-from imp@bsdimp.com)
Received: from localhost (warner@rover2.village.org [10.0.0.1]) by harmony.village.org (8.12.9p1/8.12.9) with ESMTP id h946Q2AD042029; Sat, 4 Oct 2003 00:26:02 -0600 (MDT) (envelope-from imp@bsdimp.com)
Date: Sat, 04 Oct 2003 00:26:05 -0600 (MDT)
Message-Id: <20031004.002605.65822565.imp@bsdimp.com>
To: barney@databus.com
From: "M. Warner Losh"
In-Reply-To: <20031004021041.GA33705@pit.databus.com>
References: <20031004014527.GB32411@pit.databus.com> <20031004015404.GW72999@procyon.firepipe.net> <20031004021041.GA33705@pit.databus.com>
X-Mailer: Mew version 2.2 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: current@freebsd.org
Subject: Re: [security-advisories@freebsd.org: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:17.procfs]
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Sat, 04 Oct 2003 06:26:06 -0000

In message: <20031004021041.GA33705@pit.databus.com>
            Barney Wolff writes:
: On Fri, Oct 03, 2003 at 06:54:04PM -0700, Will Andrews wrote:
: > On Fri, Oct 03, 2003 at 09:45:27PM -0400, Barney Wolff wrote:
: > > I'm finally motivated to ask, why don't security advisories contain
: > > the equivalent revs for -head?  Surely I can't be the only person
: > > following -current who doesn't build every day.
: >
: > Simply because the SO does not support -CURRENT.
:
: Does this mean that the situation can ever arise where a security bug
: is corrected in the advisory's announced releases but not in -current?

Typically yes.  However, see below.

: Or, can we assume that as of the time of the security announcement
: the vulnerability has *always* been corrected in -current?

Standard operating procedure is to commit to head, then to the
branches.  However, it is theoretically possible that a bug exists in
current that is exploitable in the same way that an advisory addresses.
I think we've had this issue only once in the project's history.  The
code was in the kernel and the then-current -current was so different
from stable that patches to stable didn't fix the problem on current,
and it took a while to realize that there was a problem and to fix it.

Warner