Date: Tue, 21 Nov 2000 00:34:06 -0800
From: Kris Kennaway
To: Trevor Johnson
Cc: security-officer@FreeBSD.org, security@FreeBSD.org
Subject: Re: New security policy for FreeBSD 3.x
Message-ID: <20001121003406.A95525@citusc17.usc.edu>
References: <20001120035146.0020937B479@hub.freebsd.org>
In-Reply-To: from trevor@jpj.net on Tue, Nov 21, 2000 at 02:53:43AM -0500

On Tue, Nov 21, 2000 at 02:53:43AM -0500, Trevor Johnson wrote:
> > Due to the frequent difficulties encountered in fixing the old code
> > contained in FreeBSD 3.x, we will no longer be requiring security
> > problems to be fixed in that branch prior to the release of an
> > advisory that also pertains to FreeBSD 4.x. In recent months this
> > requirement has led to delays in the release of advisories, which
> > negatively impacts users of the current FreeBSD release branch
> > (FreeBSD 4.x).
>
> IMO an advisory can be useful even when no fix is available, because it
> alerts the sysadmin to the fact that something is unsafe. Usually some
> defensive action can be taken. The problems with ncurses were reported on
> Bugtraq in April (and FreeBSD was said to be vulnerable), but a fixed
> version was not available until October. IMO that is too long a
> wait. Therefore I suggest making this new policy of not waiting a general
> one, rather than just for RELENG_3.

This is untrue - we were informed by Jouko Pynnönen on 2 Oct 2000, which
is about the time it hit bugtraq; it was fixed 7 days later by the vendor
and we imported it 2 days after that. You must be referring to some other
problem.

However, your general point is taken and it's something we'll consider.

Kris