Date: Wed, 23 Mar 2005 09:06:16 -0600
From: Jacques Vidrine <nectar@FreeBSD.org>
To: John Nemeth <jnemeth@victoria.tc.ca>
Cc: freebsd-hackers@freebsd.org
Subject: Re: security or lack thereof
Message-ID: <424185E8.4000305@FreeBSD.org>
In-Reply-To: <200503230304.j2N34R97020359@vtn1.victoria.tc.ca>
References: <200503230304.j2N34R97020359@vtn1.victoria.tc.ca>

On 3/22/05 9:04 PM, John Nemeth wrote:
> So, is it FreeBSD policy to ignore security bug reports?  I sent
> the following bug report to security@freebsd.org on Feb. 19th, 2005 and
> it still hasn't been acted on.  This total lack of action on an
> extremely simple (and silly) three year old bug doesn't give one the
> warm fuzzies.  Heck, it took 48 hours to get a response from a security
> officer, and another 24 hours to get something from the guilty
> developer.

Hi John,

I'm sorry for the delay.  I could give you a list of excuses, but
suffice it to say that the "simple (and silly)" bug had lower priority
than several other issues in our queue.  We should have sent you a
status update, though: that's my fault.  Better late than never, I hope?

Initially we believed the bug was more serious than you had reported,
since it has an evil side-effect (sets pw_uid to 0).  However, we
discovered that due to a second bug the impact was limited.  Saved by
dumb luck (^_^).

Anyway, as you might know, we are in a code freeze for 5.4.
Coincidentally, just yesterday we asked the Release Engineering team for
(and received) permission to apply a fix for 5.4-RELEASE.  So you will
see the issue addressed shortly.  The correct fix is a bit more subtle
than that suggested in your original message.

I guess I should also mention that we've discussed removing rexec/rexecd
entirely (for 6.x releases), since it has been deprecated for over 6
years, and the documentation has discouraged its use for over 11 years.

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org