Date: Fri, 04 Mar 2005 14:28:15 +0100
From: "Devon H. O'Dell" <dodell@sitetronics.com>
To: mike@sentex.net, deraadt@cvs.openbsd.org, freebsd-security@freebsd.org, security-officer@dragonflybsd.org
Subject: Re: Fwd: FreeBSD hiding security stuff
Message-ID: <1109942895.3926.71.camel@localhost.localdomain>
On Fri, 2005-03-04 at 07:58 -0500, Mike Tancsa wrote:
> FYI
>
> >To: misc@openbsd.org
> >Subject: FreeBSD hiding security stuff
> >Date: Fri, 04 Mar 2005 03:51:42 -0700
> >From: Theo de Raadt <deraadt@cvs.openbsd.org>
> >
> >A few FreeBSD developers apparently have found some security issue
> >of some sort affecting i386 operating systems in some cases.
> >
> >They have refused to give us real details.
> >
> >A promise is now being made.
> >
> >If a bug is found in OpenSSH, which we believe to have security
> >consequences, we will inform FreeBSD last.
> >
> >Fair is fair.
> >
> >I really wish it was not this way, but after a week of trying to get the
> >policy to be fixed, we are changing our policy as well.
> >
> >Without immediate action from them to repair their policy, and a public
> >apology for this, that policy will stand.

DragonFly received this email as well; we were also not given details, which is somewhat disturbing, to be honest. I haven't said anything about this until now because I didn't want to cause a disturbance, but obviously one has been caused.

Everyone who knows me from DragonFly knows that I am quite the DragonFly diplomat: I really don't tolerate FUD about FreeBSD. As a person who also contributes to FreeBSD (yes, I contribute to both projects), I really have to say that I find this strange. It would be okay if we were given a timeframe, but there was no information. The `advisory' consisted of the following:

`On May 13th at BSDCan <http://www.bsdcan.org/> I will be publishing a local information-disclosure vulnerability which affects multiple operating systems running on x86 hardware. I'm not sure if your OS is affected; can you tell me the state of your SMP support on the x86 platform?'

Matt (Dillon) replied stating that the aforementioned `advisory' wasn't enough information to ``go on.'' We (security-officer@dragonflybsd.org) were told that we'd receive the paper after it was confirmed that DragonFly is affected.

Matt asked if it was related to a certain issue. The response was ``No.'' This seems vague. This `advisory' was received by us last Saturday.

So, before we get a huge ruckus about Theo being totally unreasonable, let's have a little bit of information about why this vulnerability isn't being disclosed to the security teams of other projects. I think that it's pretty unreasonable that we're not getting more information. We can't even confirm that we're affected because we have nothing to go on. For these reasons, I don't think Theo is being terribly unreasonable.

I don't want to start a holy war here, just present the facts before a million misinformed subscribers to security@ start flaming OpenBSD and Theo.

Kind regards,

Devon H. O'Dell