Date: Sat, 25 Nov 2000 21:09:23 -0500
From: "Brian F. Feldman" <green@FreeBSD.org>
To: obrien@FreeBSD.org
Cc: "Brian F. Feldman" <green@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/inetd builtins.c
Message-ID: <200011260209.eAQ29N572833@green.dyndns.org>
In-Reply-To: Message from "David O'Brien" <obrien@FreeBSD.org> of "Sat, 25 Nov 2000 13:22:49 PST." <20001125132249.A2361@dragon.nuxi.com>

"David O'Brien" <obrien@FreeBSD.org> wrote:
> On Sat, Nov 25, 2000 at 09:15:21AM -0500, Brian F. Feldman wrote:
> > > What's going on here?  And why was it MFC'd already?
> >
> > It can expose up to 16 bytes of wheel-readable data.  That's bad!
>
> That's not such a bad vulnerability that you shouldn't have waited at
> least 1-2 days for this to sit in -CURRENT to give people a chance to
> comment.

I don't think I did something wrong.  I am not saying this to be
argumentative.  I honestly believe if there's any type of security problem
and the fix 1) doesn't break anything and 2) is simple enough, there isn't
any inherent problem with initiating a fix in both branches.  I know it
doesn't break anything because I've tested it (also for the degenerative
cases).

Where's the harm done by committing a fix, even were it incomplete, when it
doesn't make the problem any worse?  I'm honestly very curious what reasons
people would have not to want something done as soon as feasible.  Fear that
people may update and assume the problem is completely fixed?

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message