Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-18 Thread Przemyslaw Frasunek
Reko Turja writes:
> As someone who has manipulated moving pictures for fun and profit, having
> a video of something is proof of nothing. For all it's worth, the
> OS in the video might be FreeBSD - or even loonix made to look like FreeBSD,
> made vulnerable on purpose to tar the project.
> 
> Until the security team gives their official response and patches, I
> read the entire story with a grain of salt, especially as the originator
> was so keen on getting his discovery into news websites...

Actually, the 6.4 vulnerability was confirmed by Xin Li on freebsd-secur...@.
The patch, along with an advisory, will be out very soon.

You might also be interested in reading the statement on my webpage regarding both
the 6.4 and 7.2 vulnerabilities.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: veng...@czuby.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Przemyslaw Frasunek
Giorgos Keramidas wrote:
> Przemyslaw should email security-officer with any details he thinks are
> relevant.  Then the security team will make sure to fix the bug for all
> affected releases of FreeBSD, release a patch with the fix, issue an
> advisory through the usual channels, and post the details online at our
> security information web pages at .

I see that I received a lot of criticism after disclosing the 6.4 vulnerability.
Please read some facts:

I sent a few mails: on 29th Aug to the security team, on 2nd Sep and 11th Sep directly
to the security officer. None of them were responded to. I haven't filed any PRs,
because it would disclose details of the vulnerability to the public and allow
blackhats to exploit it.

I won't publish anything more than the video before the official security advisory. The
exploit is private to me and it won't be given to the "community".

Michael Powell wrote:
> Quoted from ~freebsd.security.general:
> "The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
> was not recognized as security vulnerability."

This is another bug. The former one affected only 6.1, this one affects
everything up to 6.4-STABLE.
