Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Mak Kolybabi wrote: On 2009-09-14 12:12, Dan Goodin wrote: We'll be writing a brief article about this. I didn't notice anyone link the finished article yet, so here it is: http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/ -- Matthew Anthony Kolybabi (Mak) m...@kolybabi.com () ASCII Ribbon Campaign | Against HTML e-mail /\ www.asciiribbon.org | Against proprietary extensions ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org http://www.vimeo.com/6580991 The article says that Versions 7.1 and and beyond are not vulnerable. That video contradicts that. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
http://www.vimeo.com/6580991 The article says that Versions 7.1 and and beyond are not vulnerable. That video contradicts that. As someone who has manipulated moving picture for fun and profit, having a video of something is a proof of nothing. For all what it's worth the OS in video might be FreeBSD - or even loonix made to look like FreeBSD, made vulnerable on purpose of tarring the project. Until the security team gives their official response and patches, I read the entire story with a grain of salt, especially as the originator was so keen on getting his discovery into news websites... If the discovery is real, the patch will come when it will come, until then the publicity is just negligible buzz. -Reko ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Reko Turja pisze: As someone who has manipulated moving picture for fun and profit, having a video of something is a proof of nothing. For all what it's worth the OS in video might be FreeBSD - or even loonix made to look like FreeBSD, made vulnerable on purpose of tarring the project. Until the security team gives their official response and patches, I read the entire story with a grain of salt, especially as the originator was so keen on getting his discovery into news websites... Actually, the 6.4 vulnerability was confirmed by Xin Li on freebsd-secur...@. The patch along with advisory will be out very soon. You might be also interested in reading statement on my webpage, regarding both 6.4 and 7.2 vulnerabilities. -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE * * Jabber ID: veng...@czuby.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV * ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Przemyslaw Frasunek wrote: Giorgos Keramidas wrote: Przemyslaw should email security-officer with any details he thinks are relevant. Then the security team will make sure to fix the bug for all affected releases of FreeBSD, release a patch with the fix, issue an advisory through the usual channels, and post the details online at our security information web pages at http://www.FreeBSD.org/security/. I see that I received a lot of criticism after disclosing 6.4 vulnerability. Please read some facts: I send few mails: on 29th Aug to security team, on 2nd Sep and 11th Sep directly to security officer. None of them were responded. I haven't filled any PRs, because it would disclose details of vulnerability to the public and allow blackhats to exploit it. I won't publish anything more than video, before official security advisory. The exploit is private to me and it won't be given to the community. Michael Powell wrote: Quoted from ~freebsd.security.general: The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but was not recognized as security vulnerability. This is another bug. The former one affected only 6.1, this one affects everything up to 6.4-STABLE. Please allow me to express my appreciation for your efforts in this matter. Your work will only improve FreeBSD and I would like to thank you kindly for that. I apologize if any, or all, of my comments appeared critical of your work. I was trying to express criticism of the writer whose only imperative was to generate a sensationalist headline. -Mike ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Jerry ges...@yahoo.com wrote: Waiting until someone is harmed is tantamount to being an accomplice to the act. And providing details of a currently-undefendable vulnerability to a black hat who did not previously know about it, thereby enabling the black hat to perpetrate harm that would otherwise not have occurred, isn't? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Tue, 15 Sep 2009 23:47:10 -0700 per...@pluto.rain.com wrote: Jerry ges...@yahoo.com wrote: Waiting until someone is harmed is tantamount to being an accomplice to the act. And providing details of a currently-undefendable vulnerability to a black hat who did not previously know about it, thereby enabling the black hat to perpetrate harm that would otherwise not have occurred, isn't? The simple act of publishing the fact that a know exploit exists for a given program compromises nothing. Example: WARN: The following program(s) have known exploits. PROGRAM: prog-name PROGRAM VERSION: 2.4 OS: FreeBSD-7.2+ EXPLOIT: Potential to render HD inaccessible PATCH: NONE AVAILABLE SUGGESTION: If prog-name is not imperative to system performance, remove it and consider using a similar product by another author. A simple solution that affords the end user the right to make an informed decision. I realize that governments, especially socialistic/fascists ones use the terms 'censorship' and 'secret' with the term 'For their own good' interchangeable. I would hate to see the open-source community, especially FBSD embracing that philosophy. -- Jerry ges...@yahoo.com Progress is impossible without change, and those who cannot change their minds cannot change anything. George Bernard Shaw ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
--On Wednesday, September 16, 2009 06:08:50 -0500 Jerry ges...@yahoo.com wrote: On Tue, 15 Sep 2009 23:47:10 -0700 per...@pluto.rain.com wrote: Jerry ges...@yahoo.com wrote: Waiting until someone is harmed is tantamount to being an accomplice to the act. And providing details of a currently-undefendable vulnerability to a black hat who did not previously know about it, thereby enabling the black hat to perpetrate harm that would otherwise not have occurred, isn't? The simple act of publishing the fact that a know exploit exists for a given program compromises nothing. Example: WARN: The following program(s) have known exploits. PROGRAM: prog-name PROGRAM VERSION: 2.4 OS: FreeBSD-7.2+ EXPLOIT: Potential to render HD inaccessible PATCH: NONE AVAILABLE SUGGESTION: If prog-name is not imperative to system performance, remove it and consider using a similar product by another author. A simple solution that affords the end user the right to make an informed decision. I realize that governments, especially socialistic/fascists ones use the terms 'censorship' and 'secret' with the term 'For their own good' interchangeable. I would hate to see the open-source community, especially FBSD embracing that philosophy. Are you really serious? What you posted (your example) does absolutely no good for the average user. What are you going to do? Stop using the program? And how can you possibly make an informed decision when you know nothing other than the fact that something is wrong? OTOH, it's all an attacker needs to start digging around and successfully break in. Think about this. A guy wants to find a pot of gold. He goes to a field and finds 12,000 pots. Where does he start? Along comes someone who believes in freedom of speech and says, Well, I don't know where the gold is, but that pot over there is a good place to look. I happen to know that it was put there recently and there was a lot of secrecy surrounding it. Or an attacker approaches a seemingly impenetrable castle, trying to figure out how to defeat the army inside. He knows he's going to have probe every area and lose many men in the process in order to find a weakness he can exploit. Then one soldier, believing in freedom sends them a message that there's a weakness on the north face of the wall. He doesn't tell them exactly where, but he's managed to focus their efforts on the area most likely to allow them to breach the wall and defeat the army inside, he's reduced the attacker's efforts by three fourths and reduced their losses as well. You clearly don't understand the advantage that hackers have over the average user. Rather than censorship, how the FreeBSD team handles issues like this is good stewardship. They have a responsibility to the community to protect them. They do that by not irresponsibly trumpeting known weaknesses before a solution is available to the end users. -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. *** It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead. Thomas Jefferson ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Giorgos Keramidas wrote: Przemyslaw should email security-officer with any details he thinks are relevant. Then the security team will make sure to fix the bug for all affected releases of FreeBSD, release a patch with the fix, issue an advisory through the usual channels, and post the details online at our security information web pages at http://www.FreeBSD.org/security/. I see that I received a lot of criticism after disclosing 6.4 vulnerability. Please read some facts: I send few mails: on 29th Aug to security team, on 2nd Sep and 11th Sep directly to security officer. None of them were responded. I haven't filled any PRs, because it would disclose details of vulnerability to the public and allow blackhats to exploit it. I won't publish anything more than video, before official security advisory. The exploit is private to me and it won't be given to the community. Michael Powell wrote: Quoted from ~freebsd.security.general: The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but was not recognized as security vulnerability. This is another bug. The former one affected only 6.1, this one affects everything up to 6.4-STABLE. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote: On Monday 14 September 2009 23:46:42 David Kelly wrote: On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote: Am 2009/9/14 Dan Goodin dgoo...@sitpub.com writhed: Hello, Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Has anyone submitted a PR about this? Przemyslaw Frasunek has PR's posted but none recent. IMO if a PR is not submitted then one has *not* informed the Powers That Be. Wrong. Security bugs should be reported to the security team, not PR'd. It's typical for security issues to be kept hushed until a fix is ready. As a result, there are usually no PRs, and in the case where the person who discovered the problem is amenable, there is no public discussion at all until a fix is available. Apparently, Mr. Frasunek started out down that path, which is admirable. It seems as if he doesn't have much patience, however, since he thinks that only 2 weeks is enough time to fix a security problem and QA the fix. -- Bill Moran http://www.potentialtech.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Tuesday 15 September 2009 09:58:31 Przemyslaw Frasunek wrote: Giorgos Keramidas wrote: Przemyslaw should email security-officer with any details he thinks are relevant. Then the security team will make sure to fix the bug for all affected releases of FreeBSD, release a patch with the fix, issue an advisory through the usual channels, and post the details online at our security information web pages at http://www.FreeBSD.org/security/. I see that I received a lot of criticism after disclosing 6.4 vulnerability. Please read some facts: FWIW, I think some people here read with their eyes closed and I'm wondering myself, why security@ did not at least respond with a we're looking into it, please hold on, as we're busy with 8.0 release.. -- Mel ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Tue, 15 Sep 2009 09:58:31 +0200, Przemyslaw Frasunek przemys...@frasunek.com wrote: Giorgos Keramidas wrote: Przemyslaw should email security-officer with any details he thinks are relevant. Then the security team will make sure to fix the bug for all affected releases of FreeBSD, release a patch with the fix, issue an advisory through the usual channels, and post the details online at our security information web pages at http://www.FreeBSD.org/security/. I see that I received a lot of criticism after disclosing 6.4 vulnerability. Please read some facts: I send few mails: on 29th Aug to security team, on 2nd Sep and 11th Sep directly to security officer. None of them were responded. I haven't filled any PRs, because it would disclose details of vulnerability to the public and allow blackhats to exploit it. I won't publish anything more than video, before official security advisory. The exploit is private to me and it won't be given to the community. Hi Przemyslaw, What I wrote is not criticism for what you have or might have not done. I now know (after posting the initial message) that the security officer is preparing a fix and an advisory, so my response was more like ``this is the usual way of handling this sort of thing''. The wording was a bit careful to avoid implying that you didn't know or were not prepared to do what is appropriate :) pgp6EjWT4Gvtk.pgp Description: PGP signature
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Tue, 15 Sep 2009 07:18:26 -0400 Bill Moran wmo...@potentialtech.com wrote: Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote: On Monday 14 September 2009 23:46:42 David Kelly wrote: On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote: Am 2009/9/14 Dan Goodin dgoo...@sitpub.com writhed: Hello, Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Has anyone submitted a PR about this? Przemyslaw Frasunek has PR's posted but none recent. IMO if a PR is not submitted then one has *not* informed the Powers That Be. Wrong. Security bugs should be reported to the security team, not PR'd. It's typical for security issues to be kept hushed until a fix is ready. As a result, there are usually no PRs, and in the case where the person who discovered the problem is amenable, there is no public discussion at all until a fix is available. Apparently, Mr. Frasunek started out down that path, which is admirable. It seems as if he doesn't have much patience, however, since he thinks that only 2 weeks is enough time to fix a security problem and QA the fix. I usually discover security problems with updates I receive from http://www.us-cert.gov/. Aren't FreeBSD security problems reported to their site? If not, why? IMHO, keeping users in the dark to known security problems is not a serviceable protocol. -- Jerry ges...@yahoo.com If there is a possibility of several things going wrong, the one that will cause the most damage will be the one to go wrong. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Tue, 2009-09-15 at 10:49 -0400, Jerry wrote: On Tue, 15 Sep 2009 07:18:26 -0400 Bill Moran wmo...@potentialtech.com wrote: Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote: On Monday 14 September 2009 23:46:42 David Kelly wrote: On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote: snip I usually discover security problems with updates I receive from http://www.us-cert.gov/. Aren't FreeBSD security problems reported to their site? If not, why? IMHO, keeping users in the dark to known security problems is not a serviceable protocol. Jerry, point your aggregator to http://www.freebsd.org/security/advisories.rdf There have only been 12 security advisories put out this year, as far as I can tell. Nothing about this one, though. lane ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
In response to Jerry ges...@yahoo.com: On Tue, 15 Sep 2009 07:18:26 -0400 Bill Moran wmo...@potentialtech.com wrote: Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote: On Monday 14 September 2009 23:46:42 David Kelly wrote: On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote: Am 2009/9/14 Dan Goodin dgoo...@sitpub.com writhed: Hello, Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Has anyone submitted a PR about this? Przemyslaw Frasunek has PR's posted but none recent. IMO if a PR is not submitted then one has *not* informed the Powers That Be. Wrong. Security bugs should be reported to the security team, not PR'd. It's typical for security issues to be kept hushed until a fix is ready. As a result, there are usually no PRs, and in the case where the person who discovered the problem is amenable, there is no public discussion at all until a fix is available. Apparently, Mr. Frasunek started out down that path, which is admirable. It seems as if he doesn't have much patience, however, since he thinks that only 2 weeks is enough time to fix a security problem and QA the fix. I usually discover security problems with updates I receive from http://www.us-cert.gov/. Aren't FreeBSD security problems reported to their site? If not, why? IMHO, keeping users in the dark to known security problems is not a serviceable protocol. Because releasing security advisories before there is a fix available is not responsible use of the information, and (as is being discussed) the fix is still in the works. -- Bill Moran http://www.potentialtech.com http://people.collaborativefusion.com/~wmoran/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Tue, 15 Sep 2009 11:13:31 -0400 Bill Moran wmo...@potentialtech.com wrote: In response to Jerry ges...@yahoo.com: On Tue, 15 Sep 2009 07:18:26 -0400 Bill Moran wmo...@potentialtech.com wrote: Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote: On Monday 14 September 2009 23:46:42 David Kelly wrote: On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote: Am 2009/9/14 Dan Goodin dgoo...@sitpub.com writhed: Hello, Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Has anyone submitted a PR about this? Przemyslaw Frasunek has PR's posted but none recent. IMO if a PR is not submitted then one has *not* informed the Powers That Be. Wrong. Security bugs should be reported to the security team, not PR'd. It's typical for security issues to be kept hushed until a fix is ready. As a result, there are usually no PRs, and in the case where the person who discovered the problem is amenable, there is no public discussion at all until a fix is available. Apparently, Mr. Frasunek started out down that path, which is admirable. It seems as if he doesn't have much patience, however, since he thinks that only 2 weeks is enough time to fix a security problem and QA the fix. I usually discover security problems with updates I receive from http://www.us-cert.gov/. Aren't FreeBSD security problems reported to their site? If not, why? IMHO, keeping users in the dark to known security problems is not a serviceable protocol. Because releasing security advisories before there is a fix available is not responsible use of the information, and (as is being discussed) the fix is still in the works. I disagree. If I have a medical problem, or what ever, I expect to be informed of it. The fact that there is no known cure, fix, etc. is immaterial, if in fact not grossly negligent. Being keep ignorant of a security problem is as foolish a theory as Security through Obscurity. I find the http://www.us-cert.gov/ updates invaluable. The fact that apparently FBSD does not encompass them I find discomforting. BTW, please do not CC: me. I am subscribe to the list and do not need multiple copies of the same post. -- Jerry ges...@yahoo.com There is no sin but ignorance. Christopher Marlowe ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Tue, 15 Sep 2009 13:03:50 -0400 Jerry ges...@yahoo.com wrote: On Tue, 15 Sep 2009 11:13:31 -0400 Bill Moran wmo...@potentialtech.com wrote: In response to Jerry ges...@yahoo.com: I usually discover security problems with updates I receive from http://www.us-cert.gov/. Aren't FreeBSD security problems reported to their site? If not, why? IMHO, keeping users in the dark to known security problems is not a serviceable protocol. Because releasing security advisories before there is a fix available is not responsible use of the information, and (as is being discussed) the fix is still in the works. I disagree. If I have a medical problem, or what ever, I expect to be informed of it. The fact that there is no known cure, fix, etc. is immaterial, if in fact not grossly negligent. This is a stupid and non-relevant comparison. A better comparison would be if I realized that you'd left your car door unlocked in a less than safe neighborhood. Would you rather I told you discreetly, or just started shouting it out loud to the neighborhood? Wait, I know the answer, if I see _your_ car unlocked, I'll just start shouting. Being keep ignorant of a security problem is as foolish a theory as Security through Obscurity. No, it's not. And I don't even want to hear your ill-fitting metaphor for how you arrived at that conclusion. I find the http://www.us-cert.gov/ updates invaluable. The fact that apparently FBSD does not encompass them I find discomforting. You're missing the fact that FreeBSD's security issues _are_ listed there, when appropriate. Your obvious ignorance of how things operate absolves you of any right to complain. BTW, please do not CC: me. I am subscribe to the list and do not need multiple copies of the same post. Whine me a river, for crying out loud. List policy on this list since the Dawn of Time has been to CC the list and the poster. I'm not going to check with everyone on the list to see if they're subscribed or not. Don't like it? Get off the list. -Bill ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Tue, 15 Sep 2009 13:18:29 -0400 Bill Moran wmo...@potentialtech.com wrote: On Tue, 15 Sep 2009 13:03:50 -0400 Jerry ges...@yahoo.com wrote: On Tue, 15 Sep 2009 11:13:31 -0400 Bill Moran wmo...@potentialtech.com wrote: In response to Jerry ges...@yahoo.com: I usually discover security problems with updates I receive from http://www.us-cert.gov/. Aren't FreeBSD security problems reported to their site? If not, why? IMHO, keeping users in the dark to known security problems is not a serviceable protocol. Because releasing security advisories before there is a fix available is not responsible use of the information, and (as is being discussed) the fix is still in the works. I disagree. If I have a medical problem, or what ever, I expect to be informed of it. The fact that there is no known cure, fix, etc. is immaterial, if in fact not grossly negligent. This is a stupid and non-relevant comparison. A better comparison would be if I realized that you'd left your car door unlocked in a less than safe neighborhood. Would you rather I told you discreetly, or just started shouting it out loud to the neighborhood? Wait, I know the answer, if I see _your_ car unlocked, I'll just start shouting. The fact is, that you do in fact notify me. Keeping important security information secret benefits no one, except for possibly those responsible for the problem to begin with who do not want the knowledge of the problem to become public. A multitude of software, such as Mozilla, publish known security holes in their software. The ramifications of allowing a user to actively use a piece of software when a known bug/exploit/etc. exists within it is grossly negligent. Being keep ignorant of a security problem is as foolish a theory as Security through Obscurity. No, it's not. And I don't even want to hear your ill-fitting metaphor for how you arrived at that conclusion. I find the http://www.us-cert.gov/ updates invaluable. The fact that apparently FBSD does not encompass them I find discomforting. You're missing the fact that FreeBSD's security issues _are_ listed there, when appropriate. Your obvious ignorance of how things operate absolves you of any right to complain. BTW, please do not CC: me. I am subscribe to the list and do not need multiple copies of the same post. Whine me a river, for crying out loud. List policy on this list since the Dawn of Time has been to CC the list and the poster. I'm not going to check with everyone on the list to see if they're subscribed or not. Don't like it? Get off the list. I just check the FreeBSD list web page, http://lists.freebsd.org/mailman/listinfo/freebsd-questions and failed to find any indication that CC:ing was the desired posting response. In fact, except for a few, perhaps one or two others, I am not aware of any perpetual CC:'s on this list. Then again, I doubt that they feel as threatened when their beliefs are questioned. Perhaps you should seek professional help for your anger issues. Now, if you don't like that, KISS MY ASS. -Bill -- Jerry ges...@yahoo.com If it doesn't smell yet, it's pretty fresh. Dave Johnson, on dead seagulls ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Tuesday 15 September 2009 20:13:17 Jerry wrote: On Tue, 15 Sep 2009 13:18:29 -0400 Bill Moran wmo...@potentialtech.com wrote: On Tue, 15 Sep 2009 13:03:50 -0400 Jerry ges...@yahoo.com wrote: On Tue, 15 Sep 2009 11:13:31 -0400 Bill Moran wmo...@potentialtech.com wrote: In response to Jerry ges...@yahoo.com: I usually discover security problems with updates I receive from http://www.us-cert.gov/. Aren't FreeBSD security problems reported to their site? If not, why? IMHO, keeping users in the dark to known security problems is not a serviceable protocol. Because releasing security advisories before there is a fix available is not responsible use of the information, and (as is being discussed) the fix is still in the works. I disagree. If I have a medical problem, or what ever, I expect to be informed of it. The fact that there is no known cure, fix, etc. is immaterial, if in fact not grossly negligent. This is a stupid and non-relevant comparison. A better comparison would be if I realized that you'd left your car door unlocked in a less than safe neighborhood. Would you rather I told you discreetly, or just started shouting it out loud to the neighborhood? Wait, I know the answer, if I see _your_ car unlocked, I'll just start shouting. The fact is, that you do in fact notify me. Keeping important security information secret benefits no one, except for possibly those responsible for the problem to begin with who do not want the knowledge of the problem to become public. A multitude of software, such as Mozilla, publish known security holes in their software. The ramifications of allowing a user to actively use a piece of software when a known bug/exploit/etc. exists within it is grossly negligent. Please inform yourself properly before assuming you're right. Mozilla does not by default publish vulnerabilities before a fix is known. In some cases publishing has been delayed by months. The exception is when exploits are already in the wild and a work around is available, while a real fix will take more work. This is also why vulnerabilities are typically not disclosed till a fix is known, because it does not protect the typical user, but puts him in harms way, which is exactly what you don't want. In theory, if I know the details of this particular exploit, I can patch my 6.4 machines myself, but more realistically, if developers take all this time to come up with a solution that doesn't break functionality the chances that I and more casual users can do this are slim. Meanwhile, the exploit will be coded into the usual rootkits and internet scanners and casualties will be made. That doesn't help anyone. -- Mel ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Jerry wrote: Now, if you don't like that, KISS MY ASS. I love IT mail lists! So classy. DAve -- Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it. John Quincy Adams ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Tue, 15 Sep 2009 20:51:40 +0200 Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote: Please inform yourself properly before assuming you're right. Mozilla does not by default publish vulnerabilities before a fix is known. In some cases publishing has been delayed by months. The exception is when exploits are already in the wild and a work around is available, while a real fix will take more work. This is also why vulnerabilities are typically not disclosed till a fix is known, because it does not protect the typical user, but puts him in harms way, which is exactly what you don't want. In theory, if I know the details of this particular exploit, I can patch my 6.4 machines myself, but more realistically, if developers take all this time to come up with a solution that doesn't break functionality the chances that I and more casual users can do this are slim. Meanwhile, the exploit will be coded into the usual rootkits and internet scanners and casualties will be made. That doesn't help anyone. Assume that I have discovered a vulnerability in a widely used, or even marginal for arguments sake, program. I now start to exploit that vulnerability. Now assume that you are responsible for maintaining, that program. Use any job description that suits you for this purpose. Are you claiming that since it may take several months to fix, it is better to let users be exploited rather than inform them that there is an exploitable problem in said software? I fine that extremely disturbing. As you can no doubt tell, I am not a believer in the Ignorance is bliss theory. -- Jerry ges...@yahoo.com In the days of old, When Knights were bold, And women were too cautious; Oh, those gallant days, When women were women, And men were really obnoxious. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Jerry wrote: On Tue, 15 Sep 2009 20:51:40 +0200 Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote: Please inform yourself properly before assuming you're right. Mozilla does not by default publish vulnerabilities before a fix is known. In some cases publishing has been delayed by months. The exception is when exploits are already in the wild and a work around is available, while a real fix will take more work. This is also why vulnerabilities are typically not disclosed till a fix is known, because it does not protect the typical user, but puts him in harms way, which is exactly what you don't want. In theory, if I know the details of this particular exploit, I can patch my 6.4 machines myself, but more realistically, if developers take all this time to come up with a solution that doesn't break functionality the chances that I and more casual users can do this are slim. Meanwhile, the exploit will be coded into the usual rootkits and internet scanners and casualties will be made. That doesn't help anyone. Assume that I have discovered a vulnerability in a widely used, or even marginal for arguments sake, program. I now start to exploit that vulnerability. Now assume that you are responsible for maintaining, that program. Use any job description that suits you for this purpose. Are you claiming that since it may take several months to fix, it is better to let users be exploited rather than inform them that there is an exploitable problem in said software? I fine that extremely disturbing. As you can no doubt tell, I am not a believer in the Ignorance is bliss theory. I believe the point that others are trying to make is this. Your example requires that the exploit is known to the blackhats and in use currently. Their example assumes that exploit is only known to those who discovered it. This particular exploit is not believed to be known to the black hats, and not known to be in use currently. Is it better for an exploit to remain a secret and not is use, protecting those that may not get their systems patched in time (as the blackhats *will* most certainly put the exploit to use as soon as they are told about it). Or, let the exploit remain a secret until it is either fixed and a patch made available or discovered in use by blackhats. I think you are both right. If the exploit is not being used, keep it a secret and let the developers design a permanent fix. If the exploit is discovered publicly before the fix is out, warn everyone loudly and provide a workaround. I believe all software I am aware of handles exploits with that method. DAve -- Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it. John Quincy Adams http://appleseedinfo.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Tuesday 15 September 2009 21:14:25 Jerry wrote: On Tue, 15 Sep 2009 20:51:40 +0200 Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote: The exception is when exploits are already in the wild and a work around is available, while a real fix will take more work. Assume that I have discovered a vulnerability in a widely used, or even marginal for arguments sake, program. I now start to exploit that vulnerability. Now assume that you are responsible for maintaining, that program. Use any job description that suits you for this purpose. Are you claiming that since it may take several months to fix, it is better to let users be exploited rather than inform them that there is an exploitable problem in said software? I fine that extremely disturbing. Then I suggest you cancel your internet account(s). Also, it helps to read what people are writing. But for the corner case where you are the person reporting me this vulnerability, telling me you won't exploit it, then do it anyway, there is no guard in place, other then that sooner or later, you'll compromise a machine administered by someone able to retrace what happened and it'll come back to me and I'd move up the timetable, cook up a work around and publish the details. There is some level of trust between reporter and fixer, whether it be good or bad, it's simply a fact of life and not likely to change. -- Mel ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Tue, 15 Sep 2009 15:28:59 -0400 DAve dave.l...@pixelhammer.com wrote: Jerry wrote: On Tue, 15 Sep 2009 20:51:40 +0200 Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote: Please inform yourself properly before assuming you're right. Mozilla does not by default publish vulnerabilities before a fix is known. In some cases publishing has been delayed by months. The exception is when exploits are already in the wild and a work around is available, while a real fix will take more work. This is also why vulnerabilities are typically not disclosed till a fix is known, because it does not protect the typical user, but puts him in harms way, which is exactly what you don't want. In theory, if I know the details of this particular exploit, I can patch my 6.4 machines myself, but more realistically, if developers take all this time to come up with a solution that doesn't break functionality the chances that I and more casual users can do this are slim. Meanwhile, the exploit will be coded into the usual rootkits and internet scanners and casualties will be made. That doesn't help anyone. Assume that I have discovered a vulnerability in a widely used, or even marginal for arguments sake, program. I now start to exploit that vulnerability. Now assume that you are responsible for maintaining, that program. Use any job description that suits you for this purpose. Are you claiming that since it may take several months to fix, it is better to let users be exploited rather than inform them that there is an exploitable problem in said software? I fine that extremely disturbing. As you can no doubt tell, I am not a believer in the Ignorance is bliss theory. I believe the point that others are trying to make is this. Your example requires that the exploit is known to the blackhats and in use currently. Their example assumes that exploit is only known to those who discovered it. This particular exploit is not believed to be known to the black hats, and not known to be in use currently. Is it better for an exploit to remain a secret and not is use, protecting those that may not get their systems patched in time (as the blackhats *will* most certainly put the exploit to use as soon as they are told about it). Or, let the exploit remain a secret until it is either fixed and a patch made available or discovered in use by blackhats. I think you are both right. If the exploit is not being used, keep it a secret and let the developers design a permanent fix. If the exploit is discovered publicly before the fix is out, warn everyone loudly and provide a workaround. I believe all software I am aware of handles exploits with that method. I am not aware of any infallible method of determining if an exploit is in use. By the time the exploit become common knowledge it is usually too late. Lacking same, I believe in the For Warned is For Armed policy. Waiting until someone is harmed is tantamount to being an accomplice to the act. -- Jerry ges...@yahoo.com Never buy from a rich salesman. Goldenstern ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Am 2009/9/14 Dan Goodin dgoo...@sitpub.com writhed: Hello, Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Has anyone submitted a PR about this? -- -- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Sep 14, 2009, at 3:12 PM, Dan Goodin wrote: Hello, Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Kind regards, Dan Goodin 415-495-5411 Hasn't 6.x been End Of Lifed? I mean considering that 8.0 is expected to be released either later this month or early next, and 6.x will be officially retired at that time, is it possible that this was overlooked? Personally I don't think it's ever good to overlook security, especially in the case of a root exploit. http://www.freebsd.org/releases/6.4R/announce.html Regards, Mikel King CEO, Olivent Technologies Senior Editor, Daemon News Columnist, BSD Magazine 6 Alpine Court, Medford, NY 11763 skype:mikel.king http://olivent.com http://mikelking.com http://twitter.com/mikelking ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Dan Goodin wrote: Hello, Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Kind regards, Dan Goodin 415-495-5411 Original Message Subject: Re: [Full-disclosure] FreeBSD = 6.1 kqueue() NULL pointer dereference Date: Sun, 13 Sep 2009 10:49:33 +0200 From: Przemyslaw Frasunek veng...@freebsd.lublin.pl Organization: frasunek.com To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com References: 4a9028ac.9080...@freebsd.lublin.pl Przemyslaw Frasunek pisze: FreeBSD = 6.1 suffers from classical check/use race condition on SMP There is yet another kqueue related vulnerability. It affects 6.x, up to 6.4-STABLE. FreeBSD security team was notified on 29th Aug, but there is no response until now, so I won't publish any details. Sucessful exploitation yields local root and allows to exit from jail. For now, you can see demo on: http://www.vimeo.com/6554787 You need to contact the Security Officer to get the official position. That's security-offi...@freebsd.org I don't know why you seem to think this should have been reported to the FreeBSD Foundation. They aren't the responsible parties. What to do is clearly explained on this web page: http://www.freebsd.org/security/security.html (which Przemyslaw for one seems to have read). Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW signature.asc Description: OpenPGP digital signature
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Mon, Sep 14, 2009 at 05:21:48PM -0400, Mikel King thus spake: On Sep 14, 2009, at 3:12 PM, Dan Goodin wrote: Hello, Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Kind regards, Dan Goodin 415-495-5411 Hasn't 6.x been End Of Lifed? I mean considering that 8.0 is expected to be released either later this month or early next, and 6.x will be officially retired at that time, is it possible that this was overlooked? Personally I don't think it's ever good to overlook security, especially in the case of a root exploit. http://www.freebsd.org/releases/6.4R/announce.html Looks like the EOL will be: November 30, 2010 http://security.freebsd.org/ Regards, Mikel King CEO, Olivent Technologies Senior Editor, Daemon News Columnist, BSD Magazine 6 Alpine Court, Medford, NY 11763 skype:mikel.king http://olivent.com http://mikelking.com http://twitter.com/mikelking ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Mikel King wrote: Hasn't 6.x been End Of Lifed? I mean considering that 8.0 is expected to be released either later this month or early next, and 6.x will be officially retired at that time, is it possible that this was overlooked? Personally I don't think it's ever good to overlook security, especially in the case of a root exploit. Nope. 6.3 (RELENG_6_3) will be supported until at least 31 January 2010 while 6.4 (RELENG_6_4) and 6-STABLE (RELENG_6) will be supported until at least 30 November 2010 by the Security team. There are no more releases planned from the RELENG_6 branch, but that's not the same as 'unsupported' -- patches and advisories will be issued until the dates listed, and quite usually beyond that. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW signature.asc Description: OpenPGP digital signature
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Mon, Sep 14, 2009 at 05:21:48PM -0400, Mikel King wrote: On Sep 14, 2009, at 3:12 PM, Dan Goodin wrote: Hello, Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Kind regards, Dan Goodin 415-495-5411 Hasn't 6.x been End Of Lifed? Not at all. The 6.2 and earlier releases have been EOL'd, but 6.3 and 6.4 are still supported by the security team. 6.4 (and 6.x in general) will be supported until November 2010, which is more than a year away. (See http://security.freebsd.org/ for official EOL information.) I mean considering that 8.0 is expected to be released either later this month or early next, and 6.x will be officially retired at that time, is it possible that this was overlooked? Personally I don't think it's ever good to overlook security, especially in the case of a root exploit. http://www.freebsd.org/releases/6.4R/announce.html -- Insert your favourite quote here. Erik Trulsson ertr1...@student.uu.se ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote: Am 2009/9/14 Dan Goodin dgoo...@sitpub.com writhed: Hello, Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Has anyone submitted a PR about this? Przemyslaw Frasunek has PR's posted but none recent. IMO if a PR is not submitted then one has *not* informed the Powers That Be. Having said that, for all I know there is a PR in the system that has been given restricted access until its dealt with. IIRC there is an option where one may request privacy when submitting a PR, perhaps that is the case here? Why is this in -questions? Seems -chat is more appropriate. -- David Kelly N4HHE, dke...@hiwaay.net Whom computers would destroy, they must first drive mad. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On Monday 14 September 2009 23:46:42 David Kelly wrote: On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote: Am 2009/9/14 Dan Goodin dgoo...@sitpub.com writhed: Hello, Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Has anyone submitted a PR about this? Przemyslaw Frasunek has PR's posted but none recent. IMO if a PR is not submitted then one has *not* informed the Powers That Be. Wrong. Security bugs should be reported to the security team, not PR'd. -- Mel ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Matthew Seaman wrote: Mikel King wrote: Hasn't 6.x been End Of Lifed? I mean considering that 8.0 is expected to be released either later this month or early next, and 6.x will be officially retired at that time, is it possible that this was overlooked? Personally I don't think it's ever good to overlook security, especially in the case of a root exploit. Nope. 6.3 (RELENG_6_3) will be supported until at least 31 January 2010 while 6.4 (RELENG_6_4) and 6-STABLE (RELENG_6) will be supported until at least 30 November 2010 by the Security team. There are no more releases planned from the RELENG_6 branch, but that's not the same as 'unsupported' -- patches and advisories will be issued until the dates listed, and quite usually beyond that. Quoted from ~freebsd.security.general: The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but was not recognized as security vulnerability. So if the bug no longer exists in the non-EOL 6.3/6.4 there is nothing to fix. Seems to me this is more about not getting due credit and a writer who doesn't grok. The posting to security was a forward done by another individual, since the original discoverer notified the FreeBSD Foundation instead of the security team. Since the FreeBSD foundation is largely administrative and not the correct entity to notify, it is not surprising they did not reply. The writer sounds like he is attempting to spin the SNAFU into a they knew about a security vulnerability and did nothing... story. Self serving for him, headline grabbing and sensationalist for sure, but not true as it was quickly addressed at the time. This is water under the bridge and a writer flogging a dead horse. -Mike ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
On 2009-09-14 12:12, Dan Goodin wrote: We'll be writing a brief article about this. I didn't notice anyone link the finished article yet, so here it is: http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/ -- Matthew Anthony Kolybabi (Mak) m...@kolybabi.com () ASCII Ribbon Campaign | Against HTML e-mail /\ www.asciiribbon.org | Against proprietary extensions ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Hi Dan, The right place to report security problems with FreeBSD is to the Security Officer team. A PGP signed email to the email address of the security team at security-offi...@freebsd.org is enough to get the attention of the FreeBSD Project. Przemyslaw should email security-officer with any details he thinks are relevant. Then the security team will make sure to fix the bug for all affected releases of FreeBSD, release a patch with the fix, issue an advisory through the usual channels, and post the details online at our security information web pages at http://www.FreeBSD.org/security/. Regards, Giorgos On Mon, 14 Sep 2009 12:12:50 -0700, Dan Goodin dgoo...@sitpub.com wrote: Hello, Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD has a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment. Kind regards, Dan Goodin 415-495-5411 Original Message Subject: Re: [Full-disclosure] FreeBSD = 6.1 kqueue() NULL pointer dereference Date: Sun, 13 Sep 2009 10:49:33 +0200 From: Przemyslaw Frasunek veng...@freebsd.lublin.pl Organization: frasunek.com To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com References: 4a9028ac.9080...@freebsd.lublin.pl Przemyslaw Frasunek pisze: FreeBSD = 6.1 suffers from classical check/use race condition on SMP There is yet another kqueue related vulnerability. It affects 6.x, up to 6.4-STABLE. FreeBSD security team was notified on 29th Aug, but there is no response until now, so I won't publish any details. Sucessful exploitation yields local root and allows to exit from jail. For now, you can see demo on: http://www.vimeo.com/6554787 ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org