From: Colin Percival
To: freebsd-security@freebsd.org
Date: Fri, 04 Mar 2005 05:40:33 -0800
Subject: [Fwd: Re: FW:FreeBSD hiding security stuff]
Message-id: <42286551.30301@wadham.ox.ac.uk>

Well, I *tried* to CC:
freebsd-security... I'm forwarding this to get around the "posting from wrong address" filter.

-------- Original Message --------
Subject: Re: FW:FreeBSD hiding security stuff
Date: Fri, 04 Mar 2005 04:42:48 -0800
From: Colin Percival
To: Jonathan Weiss
CC: freebsd-security@freebsd.org, FreeBSD-Hackers

[I'm adding a CC: to freebsd-security, since I'm sure this thread will get reposted there if I don't. For those not subscribed to -hackers: Jonathan forwarded an email Theo wrote to openbsd-misc: http://marc.theaimsgroup.com/?l=openbsd-misc&m=110993373705509&w=2 ]

Jonathan Weiss wrote:
> What's the intention behind the FreeBSD developers policy?

Quoting from secteam's TODO list for advisories:

1. Check if security officers need to be contacted at OpenBSD, NetBSD, OS X, or DragonFlyBSD.

Yes, that's item #1 on our list. :-) In this case, I wasn't sure if OpenBSD was affected, so I emailed Theo asking for certain details which would allow me to make this determination.

Theo wrote:
> A few FreeBSD developers apparently have found some security issue
> of some sort affecting i386 operating systems in some cases.

s/A few FreeBSD developers/One FreeBSD developer/

I discovered this issue in December; until a few days ago I was working on it to determine whether it could be exploited.

> They have refused to give us real details.

Theo, in one of several replies, indicated that I should provide the details to Ted Unangst (tedu@). I contacted Ted and provided him with the details; he agreed with me about how and when it should be handled by OpenBSD.

> A promise is now being made.
>
> If a bug is found in OpenSSH, which we believe to have security
> consequences, we will inform FreeBSD last.
>
> Fair is fair.
>
> I really wish it was not this way, but after a week of trying to get the
> policy to be fixed, we are changing our policy as well.
>
> Without immediate action from them to repair their policy, and a public
> apology for this, that policy will stand.
The policy of the FreeBSD security team is to notify other vendors and work with them to co-ordinate a disclosure schedule. It is also the policy of the FreeBSD security team to avoid disclosing security issues to anyone who does not need to know about them (i.e., anyone other than other affected vendors, admins@, and in some cases re@). I will make no apology for either of these, and I doubt anyone else (either from the security team, or the security officer himself) will do so either.

Colin Percival