So, is it FreeBSD policy to ignore security bug reports? I sent the following bug report to [EMAIL PROTECTED] on Feb. 19th, 2005 and it still hasn't been acted on. This total lack of action on an extremely simple (and silly) three year old bug doesn't give one the warm fuzzies. Heck, it took 48 hours to get a response from a security officer, and another 24 hours to get something from the guilty developer.
Hi John,
I'm sorry for the delay. I could give you a list of excuses, but suffice it to say that the "simple (and silly)" bug had lower priority than several other issues in our queue. We should have sent you a status update, though: that's my fault. Better late than never, I hope?
Initially we believed the bug was more serious than you had reported, since it has an evil side-effect (sets pw_uid to 0). However, we discovered that due to a second bug the impact was limited. Saved by dumb luck (^_^). Anyway, as you might know, we are in a code freeze for 5.4. Coincidentally, just yesterday we asked the Release Engineering team for (and received) permission to apply a fix for 5.4-RELEASE. So you will see the issue addressed shortly. The correct fix is a bit more subtle than that suggested in your original message.
I guess I should also mention that we've discussed removing rexec/rexecd entirely (for 6.x releases), since it has been deprecated for over 6 years, and the documentation has discouraged its use for over 11 years.
Cheers,
--
Jacques A Vidrine / NTT/Verio
[EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"