Date: Tue, 19 Mar 2002 14:28:56 -0800
From: "Crist J. Clark"
To: "Nickolay A. Kritsky"
Cc: security@FreeBSD.ORG
Subject: Re: TCP connections on broadcast address - why no advisory?

On Tue, Mar 19, 2002 at 01:42:31PM +0300, Nickolay A. Kritsky wrote:
> Hello, freebsd-security.
>
> On the Bugtraq I have read report by Crist J. Clark about TCP
> connections on broadcast address. It can be found on
> http://online.securityfocus.com/archive/1/262733 . In this advisories
> I've read following:
>
>
> I committed changes to FreeBSD 5-CURRENT on February 25th (CVS
> revision 1.148) and to 4-STABLE on February 28th (revision
> 1.107.2.21). After discussion with the FreeBSD security-officer@ team,
> these changes will not be incorporated into the RELENG_4_{3,4,5}
> security-fix branches nor will an advisory be released.
>
>
> Why no advisory will be released? What if I wasn't subscribed to
> BUGTRAQ? How would I know about this bug? Maybe I missed something.
> Sorry then.

There was a fairly long discussion on freebsd-net@. Also there was the
original discussion on freebsd-bugs@ when I came across the PR.
Obviously, the commit messages went out on cvs-all@ for the patches to
both branches. In addition, there were several side threads in which I
was involved that didn't take place on lists (the discussions with
security-officer@ for example).

What I am saying is that after all of the FreeBSD related email I sent
and received on the topic, from my point of view, it seemed like anyone
who follows anything FreeBSD security or network related would have
already heard about this issue.

But reviewing everything now, I guess there may be an audience on
freebsd-security@ that could have managed to miss all of that. I thought
one of the threads on the issue had spilled over onto -security, but it
looks like that was not an accurate recollection. I should have probably
CCed the BugTraq report here.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org