> On 22 Jun 2017, at 03:10, Michelle Sullivan <miche...@sorbs.net> wrote:
>
> Ed Maste wrote:
>> On 20 June 2017 at 16:22, Ed Maste <ema...@freebsd.org> wrote:
>>> On 20 June 2017 at 04:13, Vladimir Terziev <vterz...@gvcgroup.com> wrote:
>>>> Hi,
>>>>
>>>> I assume the FreeBSD security team is already aware of the Stack Clash
>>>> vulnerability, which is stated to affect FreeBSD amongst other Unix-like OSes.
>>> Yes, the security team is aware of this. Improvements in stack
>>> handling are in progress (currently in review).
>> I would like to provide some additional background on this issue.
>> First I'd like to thank Qualys for their detailed and thorough
>> investigation, which is contributing directly to improving FreeBSD.
>>
>> The FreeBSD security team is aware of and is monitoring this issue,
>> but is not directly developing the changes that are in progress.
>> The issue under discussion is a limitation in a vulnerability
>> mitigation technique. Changes to improve the way FreeBSD manages stack
>> growth, and mitigate the issue demonstrated by Qualys'
>> proof-of-concept code, are in progress by FreeBSD developers
>> knowledgeable in the VM subsystem. These changes are expected to be
>> committed to FreeBSD soon, and from there they will be merged to
>> stable branches and into updates for supported releases.
>
> One would hope, considering the nature and potential threat, this would be one
> of those fixes back-ported to previous -STABLE trees as well.
>
Hi Michelle,

On a general note: when we fix issues, they go to the supported branches / releases. 7.x, for example, is no longer supported and is not likely to receive this care and attention unless someone is willing to support such a change to that branch.

For supported branches, such a change is likely to be merged to those branches and also to supported releases, depending on the determination. E.g. a Security Advisory (SA) or Errata Notice (EN) will be merged to affected -RELEASES as well. If an issue does not get one of those two markers, the issue will not be merged to -RELEASES but can be merged to -STABLE branches.

The above is a general note and not specifically pointed towards “The Stack Clash” documents, so this can support potential future questions in the same area as well :-)

Cheers,
Remko

> --
> Michelle Sullivan
> http://www.mhix.org/