Date:      Tue, 15 Sep 2009 13:03:50 -0400
From:      Jerry <gesbbb@yahoo.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Message-ID:  <20090915130350.226fcf65@scorpio.seibercom.net>
In-Reply-To: <20090915111331.4fdfa964.wmoran@potentialtech.com>
References:  <4AAE95B2.5050409@sitpub.com> <d7195cff0909141413g3f835bbeq4dc4d7b23872e043@mail.gmail.com> <20090914214642.GA12828@Grumpy.DynDNS.org> <200909150122.43566.mel.flynn%2Bfbsd.questions@mailing.thruhere.net> <20090915071826.a273c4fa.wmoran@potentialtech.com> <20090915104912.1cac505a@scorpio.seibercom.net> <20090915111331.4fdfa964.wmoran@potentialtech.com>

On Tue, 15 Sep 2009 11:13:31 -0400
Bill Moran <wmoran@potentialtech.com> wrote:

> In response to Jerry <gesbbb@yahoo.com>:
> 
> > On Tue, 15 Sep 2009 07:18:26 -0400
> > Bill Moran <wmoran@potentialtech.com> wrote:
> > 
> > > Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net> wrote:
> > > >
> > > > On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > > > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, illoai@gmail.com
> > > > > wrote:
> > > > > > Am 2009/9/14 Dan Goodin <dgoodin@sitpub.com> writhed:
> > > > > > > Hello,
> > > > > > >
> > > > > > > Dan Goodin, a reporter at technology news website The
> > > > > > > Register. Security researcher Przemyslaw Frasunek says
> > > > > > > versions 6.x through 6.4 of FreeBSD have a security bug. He
> > > > > > > says he notified the FreeBSD Foundation on August 29 and
> > > > > > > never got a response. We'll be writing a brief article
> > > > > > > about this. Please let me know ASAP if someone cares to
> > > > > > > comment.
> > > > > >
> > > > > > Has anyone submitted a PR about this?
> > > > > 
> > > > > Przemyslaw Frasunek has PRs posted but none recent. IMO if a
> > > > > PR is not submitted then one has *not* informed the Powers
> > > > > That Be.
> > > > 
> > > > Wrong. Security bugs should be reported to the security team,
> > > > not PR'd.
> > > 
> > > It's typical for security issues to be kept hushed until a fix is
> > > ready. As a result, there are usually no PRs, and in the case
> > > where the person who discovered the problem is amenable, there is
> > > no public discussion at all until a fix is available.
> > > 
> > > Apparently, Mr. Frasunek started out down that path, which is
> > > admirable. It seems as if he doesn't have much patience, however,
> > > since he thinks that only 2 weeks is enough time to fix a security
> > > problem and QA the fix.
> > 
> > I usually discover security problems with updates I receive from
> > <http://www.us-cert.gov/>. Aren't FreeBSD security problems
> > reported to their site? If not, why? IMHO, keeping users in the
> > dark to known security problems is not a serviceable protocol.
> 
> Because releasing security advisories before there is a fix available
> is not responsible use of the information, and (as is being
> discussed) the fix is still in the works.

I disagree. If I have a medical problem, or whatever, I expect to be
informed of it. The fact that there is no known cure, fix, etc. is
immaterial, if in fact not grossly negligent. Being kept ignorant of a
security problem is as foolish a theory as "Security through Obscurity".

I find the <http://www.us-cert.gov/> updates invaluable. The fact that
apparently FBSD does not encompass them I find discomforting.

BTW, please do not CC: me. I am subscribed to the list and do not need
multiple copies of the same post.

-- 
Jerry
gesbbb@yahoo.com

There is no sin but ignorance.

	Christopher Marlowe



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090915130350.226fcf65>