I happen to APPLAUD the FreeBSD Security team for doing this. I WANT security fixes out as soon as reasonably possible. You're NOT telling the bad guys anything they don't already know, but you ARE making it possible for the good guys to raise shields.
A "remote root" problem is about as bad as it gets. -- Karl Denninger /The Market Ticker/ On 12/23/2011 10:39 AM, John Baldwin wrote: > On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote: >> Hey up list, >> >> >> >> Look, just a rant here. >> >> >> Who in *HELL* thought it would be a cool idea to release no less than >> FOUR security advisories today ? >> >> I mean, couldn't this have waited and remained undisclosed until monday ? >> >> I for one do *NOT* relish the idea of updating 50+ boxes this evening >> and tomorrow ! >> >> >> Not to mention a whole lot of merchants and banks have toggled IT Freeze >> a few weeks ago, to ensure xmas shopping doesn't get disturbed by >> production changes. >> >> >> Seriously, this is just irritating. > From an e-mail sent to security@ from the security officer: > > <quote> > Hi all, > > No, the Grinch didn't steal the FreeBSD security officer GPG key, and your > eyes > aren't deceiving you: We really did just send out 5 security advisories. > > The timing, to put it bluntly, sucks. We normally aim to release advisories > on > Wednesdays in order to maximize the number of system administrators who will > be > at work already; and we try very hard to avoid issuing advisories any time > close > to holidays for the same reason. The start of the Christmas weekend -- in > some > parts of the world it's already Saturday -- is absolutely not when we want to > be > releasing security advisories. > > Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd) > is a remote root vulnerability which is being actively exploited in the wild; > bugs really don't come any worse than this. On the positive side, most people > have moved past telnet and on to SSH by now; but this is still not an issue we > could postpone until a more convenient time. > > While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot > has a > rather messy fix involving adding a new interface to libc; this has the > awkward > side effect of causing the sizes of some "symbols" (aka. functions) in libc to > change, resulting in cascading changes into many binaries. The long list of > updated files is irritating, but isn't a sign that anything in freebsd-update > went wrong. > </quote> > _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
