Dan Goodin wrote:
Hello,Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Kind regards, Dan Goodin 415-495-5411 -------- Original Message -------- Subject: Re: [Full-disclosure] FreeBSD <= 6.1 kqueue() NULL pointer dereference Date: Sun, 13 Sep 2009 10:49:33 +0200 From: Przemyslaw Frasunek <veng...@freebsd.lublin.pl> Organization: frasunek.com To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com References: <4a9028ac.9080...@freebsd.lublin.pl> Przemyslaw Frasunek pisze:FreeBSD <= 6.1 suffers from classical check/use race condition on SMPThere is yet another kqueue related vulnerability. It affects 6.x, up to 6.4-STABLE. FreeBSD security team was notified on 29th Aug, but there is no response until now, so I won't publish any details. Sucessful exploitation yields local root and allows to exit from jail. For now, you can see demo on: http://www.vimeo.com/6554787
You need to contact the Security Officer to get the official position. That's security-offi...@freebsd.org I don't know why you seem to think this should have been reported to the FreeBSD Foundation. They aren't the responsible parties. What to do is clearly explainedon this web page: http://www.freebsd.org/security/security.html (which Przemyslaw for one seems to have read).
Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Description: OpenPGP digital signature