From owner-freebsd-security Mon Nov 20 23:53:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 563AB37B4D7; Mon, 20 Nov 2000 23:53:49 -0800 (PST)
Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id eAL7rhQ18847; Tue, 21 Nov 2000 02:53:43 -0500 (EST)
Date: Tue, 21 Nov 2000 02:53:43 -0500 (EST)
From: Trevor Johnson
To: security-officer@FreeBSD.org, security@FreeBSD.org
Subject: Re: New security policy for FreeBSD 3.x
In-Reply-To: <20001120035146.0020937B479@hub.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Due to the frequent difficulties encountered in fixing the old code
> contained in FreeBSD 3.x, we will no longer be requiring security
> problems to be fixed in that branch prior to the release of an
> advisory that also pertains to FreeBSD 4.x. In recent months this
> requirement has led to delays in the release of advisories, which
> negatively impacts users of the current FreeBSD release branch
> (FreeBSD 4.x).

IMO an advisory can be useful even when no fix is available, because it alerts the sysadmin to the fact that something is unsafe. Usually some defensive action can be taken.

The problems with ncurses were reported on Bugtraq in April (and FreeBSD was said to be vulnerable), but a fixed version was not available until October. IMO that is too long a wait. Therefore I suggest making this new policy of not waiting a general one, rather than just for RELENG_3.

Does the FreeBSD Project have a 3.x box for testing?
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt