Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-18 Thread Michael Powell
Przemyslaw Frasunek wrote:

> Giorgos Keramidas wrote:
>> Przemyslaw should email security-officer with any details he thinks are
>> relevant.  Then the security team will make sure to fix the bug for all
>> affected releases of FreeBSD, release a patch with the fix, issue an
>> advisory through the usual channels, and post the details online at our
>> security information web pages at .
> 
> I see that I received a lot of criticism after disclosing the 6.4
> vulnerability. Please read some facts:
> 
> I sent a few mails: on 29th Aug to the security team, on 2nd Sep and 11th Sep
> directly to the security officer. None of them was responded to. I haven't
> filed any PRs, because it would disclose details of the vulnerability to the
> public and allow blackhats to exploit it.
> 
> I won't publish anything more than video, before official security
> advisory. The exploit is private to me and it won't be given to the
> "community".
> 
> Michael Powell wrote:
>> Quoted from ~freebsd.security.general:
>> "The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
>> was not recognized as security vulnerability."
> 
> This is another bug. The former one affected only 6.1, this one affects
> everything up to 6.4-STABLE.
> 

Please allow me to express my appreciation for your efforts in this matter. 
Your work will only improve FreeBSD and I would like to thank you kindly for 
that. I apologize if any, or all, of my comments appeared critical of your 
work. 

I was trying to express criticism of the writer whose only imperative was to 
generate a sensationalist headline. 

-Mike
   


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-18 Thread Przemyslaw Frasunek
Reko Turja writes:
> As someone who has manipulated moving pictures for fun and profit, having
> a video of something is proof of nothing. For all it's worth, the
> OS in the video might be FreeBSD - or even loonix made to look like FreeBSD,
> made vulnerable for the purpose of tarring the project.
> 
> Until the security team gives their official response and patches, I
> read the entire story with a grain of salt, especially as the originator
> was so keen on getting his discovery into news websites...

Actually, the 6.4 vulnerability was confirmed by Xin Li on freebsd-secur...@.
The patch along with advisory will be out very soon.

You might also be interested in reading the statement on my webpage, regarding both
the 6.4 and 7.2 vulnerabilities.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: veng...@czuby.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-18 Thread Reko Turja

> http://www.vimeo.com/6580991
> 
> The article says that "Versions 7.1 and beyond are not 
> vulnerable." That video contradicts that.


As someone who has manipulated moving pictures for fun and profit, 
having a video of something is proof of nothing. For all it's 
worth, the OS in the video might be FreeBSD - or even loonix made to look 
like FreeBSD, made vulnerable for the purpose of tarring the project.


Until the security team gives their official response and patches, I 
read the entire story with a grain of salt, especially as the 
originator was so keen on getting his discovery into news websites...


If the discovery is real, the patch will come when it will come, until 
then the publicity is just negligible buzz.


-Reko 




Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-18 Thread Alex R

Mak Kolybabi wrote:

> On 2009-09-14 12:12, Dan Goodin wrote:
> 
>> We'll be writing a brief article about this.
> 
> I didn't notice anyone link the finished article yet, so here it is:
> http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/
> 
> --
> Matthew Anthony Kolybabi (Mak)
> 
> () ASCII Ribbon Campaign | Against HTML e-mail
> /\  www.asciiribbon.org  | Against proprietary extensions

http://www.vimeo.com/6580991

The article says that "Versions 7.1 and beyond are not vulnerable." 
That video contradicts that.




Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-16 Thread Paul Schmehl
--On Wednesday, September 16, 2009 06:08:50 -0500 Jerry  
wrote:

> On Tue, 15 Sep 2009 23:47:10 -0700
> per...@pluto.rain.com wrote:
> 
>> Jerry  wrote:
>>> Waiting until someone is harmed is tantamount to being an
>>> accomplice to the act.
>> 
>> And providing details of a currently-undefendable vulnerability
>> to a black hat who did not previously know about it, thereby
>> enabling the black hat to perpetrate harm that would otherwise
>> not have occurred, isn't?
> 
> The simple act of publishing the fact that a known exploit exists for a
> given program compromises nothing. Example:
> 
> WARN: The following program(s) have known exploits.
> 
> PROGRAM: prog-name
> PROGRAM VERSION: 2.4
> OS:  FreeBSD-7.2+
> EXPLOIT: Potential to render HD inaccessible
> PATCH:   NONE AVAILABLE
> SUGGESTION:  If prog-name is not imperative to system
>  performance, remove it and consider using a similar
>  product by another author.
> 
> A simple solution that affords the end user the right to make an
> informed decision. I realize that governments, especially
> socialistic/fascist ones, use the terms 'censorship' and 'secret' with
> the term 'For their own good' interchangeably. I would hate to see the
> open-source community, especially FBSD, embracing that philosophy.



Are you really serious?  What you posted (your example) does absolutely no good 
for the average user.  What are you going to do?  Stop using the program?  And 
how can you possibly make an "informed decision" when you know nothing other 
than the fact that something is wrong?


OTOH, it's all an attacker needs to start digging around and successfully break 
in.


Think about this.  A guy wants to find a pot of gold.  He goes to a field and 
finds 12,000 pots.  Where does he start?  Along comes someone who believes in 
"freedom of speech" and says, "Well, I don't know where the gold is, but that 
pot over there is a good place to look.  I happen to know that it was put there 
recently and there was a lot of secrecy surrounding it."


Or an attacker approaches a seemingly impenetrable castle, trying to figure out 
how to defeat the army inside.  He knows he's going to have to probe every area 
and lose many men in the process in order to find a weakness he can exploit.


Then one soldier, believing in "freedom" sends them a message that there's a 
weakness on the north face of the wall.  He doesn't tell them exactly where, 
but he's managed to focus their efforts on the area most likely to allow them 
to breach the wall and defeat the army inside, he's reduced the attacker's 
efforts by three fourths and reduced their losses as well.


You clearly don't understand the advantage that hackers have over the average 
user.


Rather than censorship, how the FreeBSD team handles issues like this is good 
stewardship.  They have a responsibility to the community to protect them. 
They do that by not irresponsibly trumpeting known weaknesses before a solution 
is available to the end users.


--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson



Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-16 Thread Jerry
On Tue, 15 Sep 2009 23:47:10 -0700
per...@pluto.rain.com wrote:

> Jerry  wrote:
> > Waiting until someone is harmed is tantamount to being an
> > accomplice to the act.
> 
> And providing details of a currently-undefendable vulnerability
> to a black hat who did not previously know about it, thereby
> enabling the black hat to perpetrate harm that would otherwise
> not have occurred, isn't?

The simple act of publishing the fact that a known exploit exists for a
given program compromises nothing. Example:

WARN: The following program(s) have known exploits.

PROGRAM: prog-name
PROGRAM VERSION: 2.4
OS:  FreeBSD-7.2+
EXPLOIT: Potential to render HD inaccessible
PATCH:   NONE AVAILABLE
SUGGESTION:  If prog-name is not imperative to system
 performance, remove it and consider using a similar
 product by another author.

A simple solution that affords the end user the right to make an
informed decision. I realize that governments, especially
socialistic/fascist ones, use the terms 'censorship' and 'secret' with
the term 'For their own good' interchangeably. I would hate to see the
open-source community, especially FBSD, embracing that philosophy.

-- 
Jerry
ges...@yahoo.com

Progress is impossible without change, and those who
cannot change their minds cannot change anything.

George Bernard Shaw


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread perryh
Jerry  wrote:
> Waiting until someone is harmed is tantamount to being an
> accomplice to the act.

And providing details of a currently-undefendable vulnerability
to a black hat who did not previously know about it, thereby
enabling the black hat to perpetrate harm that would otherwise
not have occurred, isn't?


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Jerry
On Tue, 15 Sep 2009 15:28:59 -0400
DAve  wrote:

> Jerry wrote:
> > On Tue, 15 Sep 2009 20:51:40 +0200
> > Mel Flynn  wrote:
> > 
> >> Please inform yourself properly before assuming you're right.
> >> Mozilla does not by default publish vulnerabilities before a fix
> >> is known. In some cases publishing has been delayed by months. The
> >> exception is when exploits are already in the wild and a work
> >> around is available, while a real fix will take more work.
> >>
> >> This is also why vulnerabilities are typically not disclosed till a
> >> fix is known, because it does not protect the typical user, but
> >> puts him in harms way, which is exactly what you don't want.
> >>
> >> In theory, if I know the details of this particular exploit, I can
> >> patch my 6.4 machines myself, but more realistically, if developers
> >> take all this time to come up with a solution that doesn't break
> >> functionality the chances that I and more casual users can do this
> >> are slim. Meanwhile, the exploit will be coded into the usual
> >> rootkits and internet scanners and casualties will be made. That
> >> doesn't help anyone.
> > 
> > Assume that I have discovered a vulnerability in a widely used, or
> > even marginal for arguments sake, program. I now start to exploit
> > that vulnerability. Now assume that you are responsible for
> > maintaining, that program. Use any job description that suits you
> > for this purpose. Are you claiming that since it may take several
> > months to fix, it is better to let users be exploited rather than
> > inform them that there is an exploitable problem in said software?
> > I find that extremely disturbing.
> > 
> > As you can no doubt tell, I am not a believer in the "Ignorance is
> > bliss" theory.
> > 
> 
> I believe the point that others are trying to make is this. Your
> example requires that the exploit is known to the blackhats and in
> use currently. Their example assumes that exploit is only known to
> those who discovered it.
> 
> This particular exploit is not believed to be known to the black
> hats, and not known to be in use currently.
> 
> Is it better for an exploit to remain a secret and not in use, 
> protecting those that may not get their systems patched in time (as
> the blackhats *will* most certainly put the exploit to use as soon as
> they are told about it). Or, let the exploit remain a secret until it
> is either fixed and a patch made available or discovered in use by
> blackhats.
> 
> I think you are both right. If the exploit is not being used, keep it
> a secret and let the developers design a permanent fix. If the
> exploit is discovered publicly before the fix is out, warn everyone
> loudly and provide a workaround.
> 
> I believe all software I am aware of handles exploits with that
> method.

I am not aware of any infallible method of determining if an exploit is
in use. By the time the exploit becomes common knowledge it is usually
too late. Lacking same, I believe in the "Forewarned is Forearmed"
policy. Waiting until someone is harmed is tantamount to being an
accomplice to the act.

-- 
Jerry
ges...@yahoo.com

Never buy from a rich salesman.

Goldenstern


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Mel Flynn
On Tuesday 15 September 2009 21:14:25 Jerry wrote:
> On Tue, 15 Sep 2009 20:51:40 +0200
> 
> Mel Flynn  wrote:

> > The exception is
> > when exploits are already in the wild and a work around is available,
> > while a real fix will take more work.

> Assume that I have discovered a vulnerability in a widely used, or even
> marginal for arguments sake, program. I now start to exploit that
> vulnerability. Now assume that you are responsible for maintaining,
> that program. Use any job description that suits you for this purpose.
> Are you claiming that since it may take several months to fix, it is
> better to let users be exploited rather than inform them that there is
> an exploitable problem in said software? I find that extremely
> disturbing.

Then I suggest you cancel your internet account(s). Also, it helps to read 
what people are writing.

But for the corner case where you are the person reporting me this 
vulnerability, telling me you won't exploit it, then do it anyway, there is no 
guard in place, other than that sooner or later, you'll compromise a machine 
administered by someone able to retrace what happened and it'll come back to 
me and I'd move up the timetable, cook up a work around and publish the 
details.
There is some level of trust between reporter and fixer, whether it be good or 
bad, it's simply a fact of life and not likely to change.
-- 
Mel


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread DAve

Jerry wrote:

> On Tue, 15 Sep 2009 20:51:40 +0200
> Mel Flynn  wrote:
> 
>> Please inform yourself properly before assuming you're right. Mozilla
>> does not by default publish vulnerabilities before a fix is known. In
>> some cases publishing has been delayed by months. The exception is
>> when exploits are already in the wild and a work around is available,
>> while a real fix will take more work.
>>
>> This is also why vulnerabilities are typically not disclosed till a
>> fix is known, because it does not protect the typical user, but puts
>> him in harms way, which is exactly what you don't want.
>>
>> In theory, if I know the details of this particular exploit, I can
>> patch my 6.4 machines myself, but more realistically, if developers
>> take all this time to come up with a solution that doesn't break
>> functionality the chances that I and more casual users can do this
>> are slim. Meanwhile, the exploit will be coded into the usual
>> rootkits and internet scanners and casualties will be made. That
>> doesn't help anyone.
> 
> Assume that I have discovered a vulnerability in a widely used, or even
> marginal for arguments sake, program. I now start to exploit that
> vulnerability. Now assume that you are responsible for maintaining
> that program. Use any job description that suits you for this purpose.
> Are you claiming that since it may take several months to fix, it is
> better to let users be exploited rather than inform them that there is
> an exploitable problem in said software? I find that extremely
> disturbing.
> 
> As you can no doubt tell, I am not a believer in the "Ignorance is
> bliss" theory.



I believe the point that others are trying to make is this. Your example 
requires that the exploit is known to the blackhats and in use 
currently. Their example assumes that exploit is only known to those who 
discovered it.


This particular exploit is not believed to be known to the black hats, 
and not known to be in use currently.


Is it better for an exploit to remain a secret and not in use, 
protecting those that may not get their systems patched in time (as the 
blackhats *will* most certainly put the exploit to use as soon as they 
are told about it). Or, let the exploit remain a secret until it is 
either fixed and a patch made available or discovered in use by blackhats.


I think you are both right. If the exploit is not being used, keep it a 
secret and let the developers design a permanent fix. If the exploit is 
discovered publicly before the fix is out, warn everyone loudly and 
provide a workaround.


I believe all software I am aware of handles exploits with that method.

DAve

--
"Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Quincy Adams

http://appleseedinfo.org



Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Jerry
On Tue, 15 Sep 2009 20:51:40 +0200
Mel Flynn  wrote:

> Please inform yourself properly before assuming you're right. Mozilla
> does not by default publish vulnerabilities before a fix is known. In
> some cases publishing has been delayed by months. The exception is
> when exploits are already in the wild and a work around is available,
> while a real fix will take more work.
> 
> This is also why vulnerabilities are typically not disclosed till a
> fix is known, because it does not protect the typical user, but puts
> him in harms way, which is exactly what you don't want.
> 
> In theory, if I know the details of this particular exploit, I can
> patch my 6.4 machines myself, but more realistically, if developers
> take all this time to come up with a solution that doesn't break
> functionality the chances that I and more casual users can do this
> are slim. Meanwhile, the exploit will be coded into the usual
> rootkits and internet scanners and casualties will be made. That
> doesn't help anyone.

Assume that I have discovered a vulnerability in a widely used, or even
marginal for arguments sake, program. I now start to exploit that
vulnerability. Now assume that you are responsible for maintaining,
that program. Use any job description that suits you for this purpose.
Are you claiming that since it may take several months to fix, it is
better to let users be exploited rather than inform them that there is
an exploitable problem in said software? I find that extremely
disturbing.

As you can no doubt tell, I am not a believer in the "Ignorance is
bliss" theory.

-- 
Jerry
ges...@yahoo.com

In the days of old,
When Knights were bold,
And women were too cautious;
Oh, those gallant days,
When women were women,
And men were really obnoxious.


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread DAve

Jerry wrote:

> Now, if you don't like that, "KISS MY ASS".


I love IT mail lists! So classy.

DAve

--
"Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Quincy Adams




Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Mel Flynn
On Tuesday 15 September 2009 20:13:17 Jerry wrote:
> On Tue, 15 Sep 2009 13:18:29 -0400
> 
> Bill Moran  wrote:
> > On Tue, 15 Sep 2009 13:03:50 -0400
> >
> > Jerry  wrote:
> > > On Tue, 15 Sep 2009 11:13:31 -0400
> > >
> > > Bill Moran  wrote:
> > > > In response to Jerry :
> > > > > I usually discover security problems with updates I receive from
> > > > > . Aren't FreeBSD security problems
> > > > > reported to their site? If not, why? IMHO, keeping users in the
> > > > > dark to known security problems is not a serviceable protocol.
> > > >
> > > > Because releasing security advisories before there is a fix
> > > > available is not responsible use of the information, and (as is
> > > > being discussed) the fix is still in the works.
> > >
> > > I disagree. If I have a medical problem, or what ever, I expect to
> > > be informed of it. The fact that there is no known cure, fix, etc.
> > > is immaterial, if in fact not grossly negligent.
> >
> > This is a stupid and non-relevant comparison.  A better comparison
> > would be if I realized that you'd left your car door unlocked in a
> > less than safe neighborhood.  Would you rather I told you discreetly,
> > or just started shouting it out loud to the neighborhood?  Wait, I
> > know the answer, if I see _your_ car unlocked, I'll just start
> > shouting.
> 
> The fact is, that you do in fact notify me. Keeping important security
> information secret benefits no one, except for possibly those
> responsible for the problem to begin with who do not want the
> knowledge of the problem to become public. A multitude of software,
> such as Mozilla, publish known security holes in their software.
> The ramifications of allowing a user to actively use a piece of
> software when a known bug/exploit/etc. exists within it is grossly
> negligent.

Please inform yourself properly before assuming you're right. Mozilla does not 
by default publish vulnerabilities before a fix is known. In some cases 
publishing has been delayed by months. The exception is when exploits are 
already in the wild and a work around is available, while a real fix will take 
more work.

This is also why vulnerabilities are typically not disclosed till a fix is 
known, because it does not protect the typical user, but puts him in harms 
way, which is exactly what you don't want.

In theory, if I know the details of this particular exploit, I can patch my 
6.4 machines myself, but more realistically, if developers take all this time 
to come up with a solution that doesn't break functionality the chances that I 
and more casual users can do this are slim. Meanwhile, the exploit will be 
coded into the usual rootkits and internet scanners and casualties will be 
made. That doesn't help anyone.
-- 
Mel


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Jerry
On Tue, 15 Sep 2009 13:18:29 -0400
Bill Moran  wrote:

> On Tue, 15 Sep 2009 13:03:50 -0400
> Jerry  wrote:
> 
> > On Tue, 15 Sep 2009 11:13:31 -0400
> > Bill Moran  wrote:
> > 
> > > In response to Jerry :
> > > 
> > > > 
> > > > I usually discover security problems with updates I receive from
> > > > . Aren't FreeBSD security problems
> > > > reported to their site? If not, why? IMHO, keeping users in the
> > > > dark to known security problems is not a serviceable protocol.
> > > 
> > > Because releasing security advisories before there is a fix
> > > available is not responsible use of the information, and (as is
> > > being discussed) the fix is still in the works.
> > 
> > I disagree. If I have a medical problem, or what ever, I expect to
> > be informed of it. The fact that there is no known cure, fix, etc.
> > is immaterial, if in fact not grossly negligent.
> 
> This is a stupid and non-relevant comparison.  A better comparison
> would be if I realized that you'd left your car door unlocked in a
> less than safe neighborhood.  Would you rather I told you discreetly,
> or just started shouting it out loud to the neighborhood?  Wait, I
> know the answer, if I see _your_ car unlocked, I'll just start
> shouting.

The fact is, that you do in fact notify me. Keeping important security
information secret benefits no one, except for possibly those
responsible for the problem to begin with who do not want the
knowledge of the problem to become public. A multitude of software,
such as Mozilla, publish known security holes in their software.
The ramifications of allowing a user to actively use a piece of
software when a known bug/exploit/etc. exists within it is grossly
negligent.

 
> > Being kept ignorant of a
> > security problem is as foolish a theory as "Security through
> > Obscurity".
> 
> No, it's not.  And I don't even want to hear your ill-fitting
> metaphor for how you arrived at that conclusion.
> 
> > I find the  updates invaluable. The fact
> > that apparently FBSD does not encompass them I find discomforting.
> 
> You're missing the fact that FreeBSD's security issues _are_ listed
> there, when appropriate.
> 
> Your obvious ignorance of how things operate absolves you of any right
> to complain.
> 
> > BTW, please do not CC: me. I am subscribed to the list and do not
> > need multiple copies of the same post.
> 
> Whine me a river, for crying out loud.  List policy on this list
> since the Dawn of Time has been to CC the list and the poster.  I'm
> not going to check with everyone on the list to see if they're
> subscribed or not.  Don't like it?  Get off the list.

I just checked the FreeBSD list web page,
 and
failed to find any indication that CC:ing was the desired posting
response. In fact, except for a few, perhaps one or two others, I am
not aware of any perpetual CC:'s on this list. Then again, I doubt that
they feel as threatened when their beliefs are questioned. Perhaps you
should seek professional help for your anger issues.

Now, if you don't like that, "KISS MY ASS".
 
> -Bill

-- 
Jerry
ges...@yahoo.com

If it doesn't smell yet, it's pretty fresh.

Dave Johnson, on dead seagulls


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Bill Moran
On Tue, 15 Sep 2009 13:03:50 -0400
Jerry  wrote:

> On Tue, 15 Sep 2009 11:13:31 -0400
> Bill Moran  wrote:
> 
> > In response to Jerry :
> > 
> > > 
> > > I usually discover security problems with updates I receive from
> > > . Aren't FreeBSD security problems
> > > reported to their site? If not, why? IMHO, keeping users in the
> > > dark to known security problems is not a serviceable protocol.
> > 
> > Because releasing security advisories before there is a fix available
> > is not responsible use of the information, and (as is being
> > discussed) the fix is still in the works.
> 
> I disagree. If I have a medical problem, or what ever, I expect to be
> informed of it. The fact that there is no known cure, fix, etc. is
> immaterial, if in fact not grossly negligent.

This is a stupid and non-relevant comparison.  A better comparison would
be if I realized that you'd left your car door unlocked in a less than
safe neighborhood.  Would you rather I told you discreetly, or just started
shouting it out loud to the neighborhood?  Wait, I know the answer, if I
see _your_ car unlocked, I'll just start shouting.

> Being kept ignorant of a
> security problem is as foolish a theory as "Security through Obscurity".

No, it's not.  And I don't even want to hear your ill-fitting metaphor for
how you arrived at that conclusion.

> I find the  updates invaluable. The fact that
> apparently FBSD does not encompass them I find discomforting.

You're missing the fact that FreeBSD's security issues _are_ listed there,
when appropriate.

Your obvious ignorance of how things operate absolves you of any right
to complain.

> BTW, please do not CC: me. I am subscribed to the list and do not need
> multiple copies of the same post.

Whine me a river, for crying out loud.  List policy on this list since the
Dawn of Time has been to CC the list and the poster.  I'm not going to check
with everyone on the list to see if they're subscribed or not.  Don't like
it?  Get off the list.

-Bill


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Jerry
On Tue, 15 Sep 2009 11:13:31 -0400
Bill Moran  wrote:

> In response to Jerry :
> 
> > On Tue, 15 Sep 2009 07:18:26 -0400
> > Bill Moran  wrote:
> > 
> > > Mel Flynn  wrote:
> > > >
> > > > On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > > > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com
> > > > > wrote:
> > > > > > Am 2009/9/14 Dan Goodin  writhed:
> > > > > > > Hello,
> > > > > > >
> > > > > > > Dan Goodin, a reporter at technology news website The
> > > > > > > Register. Security researcher Przemyslaw Frasunek says
> > > > > > > versions 6.x through 6.4 of FreeBSD has a security bug. He
> > > > > > > says he notified the FreeBSD Foundation on August 29 and
> > > > > > > never got a response. We'll be writing a brief article
> > > > > > > about this. Please let me know ASAP if someone cares to
> > > > > > > comment.
> > > > > >
> > > > > > Has anyone submitted a PR about this?
> > > > > 
> > > > > Przemyslaw Frasunek has PR's posted but none recent. IMO if a
> > > > > PR is not submitted then one has *not* informed the Powers
> > > > > That Be.
> > > > 
> > > > Wrong. Security bugs should be reported to the security team,
> > > > not PR'd.
> > > 
> > > It's typical for security issues to be kept hushed until a fix is
> > > ready. As a result, there are usually no PRs, and in the case
> > > where the person who discovered the problem is amenable, there is
> > > no public discussion at all until a fix is available.
> > > 
> > > Apparently, Mr. Frasunek started out down that path, which is
> > > admirable. It seems as if he doesn't have much patience, however,
> > > since he thinks that only 2 weeks is enough time to fix a security
> > > problem and QA the fix.
> > 
> > I usually discover security problems with updates I receive from
> > . Aren't FreeBSD security problems
> > reported to their site? If not, why? IMHO, keeping users in the
> > dark to known security problems is not a serviceable protocol.
> 
> Because releasing security advisories before there is a fix available
> is not responsible use of the information, and (as is being
> discussed) the fix is still in the works.

I disagree. If I have a medical problem, or whatever, I expect to be
informed of it. The fact that there is no known cure, fix, etc. is
immaterial, if in fact not grossly negligent. Being kept ignorant of a
security problem is as foolish a theory as "Security through Obscurity".

I find the  updates invaluable. The fact that
apparently FBSD does not encompass them I find discomforting.

BTW, please do not CC: me. I am subscribed to the list and do not need
multiple copies of the same post.

-- 
Jerry
ges...@yahoo.com

There is no sin but ignorance.

Christopher Marlowe


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Bill Moran
In response to Jerry :

> On Tue, 15 Sep 2009 07:18:26 -0400
> Bill Moran  wrote:
> 
> > Mel Flynn  wrote:
> > >
> > > On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote:
> > > > > Am 2009/9/14 Dan Goodin  writhed:
> > > > > > Hello,
> > > > > >
> > > > > > Dan Goodin, a reporter at technology news website The
> > > > > > Register. Security researcher Przemyslaw Frasunek says
> > > > > > versions 6.x through 6.4 of FreeBSD have a security bug. He
> > > > > > says he notified the FreeBSD Foundation on August 29 and
> > > > > > never got a response. We'll be writing a brief article about
> > > > > > this. Please let me know ASAP if someone cares to comment.
> > > > >
> > > > > Has anyone submitted a PR about this?
> > > > 
> > > > Przemyslaw Frasunek has PRs posted but none recent. IMO if a PR
> > > > is not submitted then one has *not* informed the Powers That Be.
> > > 
> > > Wrong. Security bugs should be reported to the security team, not
> > > PR'd.
> > 
> > It's typical for security issues to be kept hushed until a fix is
> > ready. As a result, there are usually no PRs, and in the case where
> > the person who discovered the problem is amenable, there is no public
> > discussion at all until a fix is available.
> > 
> > Apparently, Mr. Frasunek started out down that path, which is
> > admirable. It seems as if he doesn't have much patience, however,
> > since he thinks that only 2 weeks is enough time to fix a security
> > problem and QA the fix.
> 
> I usually discover security problems with updates I receive from
> . Aren't FreeBSD security problems reported to
> their site? If not, why? IMHO, keeping users in the dark to known
> security problems is not a serviceable protocol.

Because releasing security advisories before there is a fix available is
not responsible use of the information, and (as is being discussed) the
fix is still in the works.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Lane Holcombe
On Tue, 2009-09-15 at 10:49 -0400, Jerry wrote:
> On Tue, 15 Sep 2009 07:18:26 -0400
> Bill Moran  wrote:
> 
> > Mel Flynn  wrote:
> > >
> > > On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote:

> snip

> I usually discover security problems with updates I receive from
> . Aren't FreeBSD security problems reported to
> their site? If not, why? IMHO, keeping users in the dark to known
> security problems is not a serviceable protocol.

Jerry, 

point your aggregator to http://www.freebsd.org/security/advisories.rdf

There have only been 12 security advisories put out this year, as far as
I can tell.  Nothing about this one, though.

lane



Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Jerry
On Tue, 15 Sep 2009 07:18:26 -0400
Bill Moran  wrote:

> Mel Flynn  wrote:
> >
> > On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote:
> > > > Am 2009/9/14 Dan Goodin  writhed:
> > > > > Hello,
> > > > >
> > > > > Dan Goodin, a reporter at technology news website The
> > > > > Register. Security researcher Przemyslaw Frasunek says
> > > > > versions 6.x through 6.4 of FreeBSD have a security bug. He
> > > > > says he notified the FreeBSD Foundation on August 29 and
> > > > > never got a response. We'll be writing a brief article about
> > > > > this. Please let me know ASAP if someone cares to comment.
> > > >
> > > > Has anyone submitted a PR about this?
> > > 
> > > Przemyslaw Frasunek has PRs posted but none recent. IMO if a PR
> > > is not submitted then one has *not* informed the Powers That Be.
> > 
> > Wrong. Security bugs should be reported to the security team, not
> > PR'd.
> 
> It's typical for security issues to be kept hushed until a fix is
> ready. As a result, there are usually no PRs, and in the case where
> the person who discovered the problem is amenable, there is no public
> discussion at all until a fix is available.
> 
> Apparently, Mr. Frasunek started out down that path, which is
> admirable. It seems as if he doesn't have much patience, however,
> since he thinks that only 2 weeks is enough time to fix a security
> problem and QA the fix.

I usually discover security problems with updates I receive from
. Aren't FreeBSD security problems reported to
their site? If not, why? IMHO, keeping users in the dark to known
security problems is not a serviceable protocol.

-- 
Jerry
ges...@yahoo.com

If there is a possibility of several things going wrong, the one that
will cause the most damage will be the one to go wrong.


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Giorgos Keramidas
On Tue, 15 Sep 2009 09:58:31 +0200, Przemyslaw Frasunek wrote:
> Giorgos Keramidas wrote:
>> Przemyslaw should email security-officer with any details he thinks are
>> relevant.  Then the security team will make sure to fix the bug for all
>> affected releases of FreeBSD, release a patch with the fix, issue an
>> advisory through the usual channels, and post the details online at our
>> security information web pages at .
>
> I see that I received a lot of criticism after disclosing 6.4 vulnerability.
> Please read some facts:
>
> I sent a few mails: on 29th Aug to security team, on 2nd Sep and 11th Sep
> directly to security officer. None of them were responded to. I haven't
> filed any PRs, because it would disclose details of vulnerability to the
> public and allow blackhats to exploit it.
>
> I won't publish anything more than a video, before the official security
> advisory. The exploit is private to me and it won't be given to the
> "community".

Hi Przemyslaw,

What I wrote is not criticism for what you have or might have not done.
I now know (after posting the initial message) that the security officer
is preparing a fix and an advisory, so my response was more like ``this
is the usual way of handling this sort of thing''.  The wording was a
bit careful to avoid implying that you didn't know or were not prepared
to do what is appropriate :)





Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Mel Flynn
On Tuesday 15 September 2009 09:58:31 Przemyslaw Frasunek wrote:
> Giorgos Keramidas wrote:
> > Przemyslaw should email security-officer with any details he thinks are
> > relevant.  Then the security team will make sure to fix the bug for all
> > affected releases of FreeBSD, release a patch with the fix, issue an
> > advisory through the usual channels, and post the details online at our
> > security information web pages at .
> 
> I see that I received a lot of criticism after disclosing 6.4
>  vulnerability. Please read some facts:

FWIW, I think some people here read with their eyes closed and I'm wondering 
myself, why security@ did not at least respond with a "we're looking into it, 
please hold on, as we're busy with 8.0 release.".
-- 
Mel


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Bill Moran
Mel Flynn  wrote:
>
> On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote:
> > > Am 2009/9/14 Dan Goodin  writhed:
> > > > Hello,
> > > >
> > > > Dan Goodin, a reporter at technology news website The Register.
> > > > Security researcher Przemyslaw Frasunek says versions 6.x through 6.4
> > > > of FreeBSD have a security bug. He says he notified the FreeBSD
> > > > Foundation on August 29 and never got a response. We'll be writing a
> > > > brief article about this. Please let me know ASAP if someone cares to
> > > > comment.
> > >
> > > Has anyone submitted a PR about this?
> > 
> > Przemyslaw Frasunek has PRs posted but none recent. IMO if a PR is not
> > submitted then one has *not* informed the Powers That Be.
> 
> Wrong. Security bugs should be reported to the security team, not PR'd.

It's typical for security issues to be kept hushed until a fix is ready.
As a result, there are usually no PRs, and in the case where the person
who discovered the problem is amenable, there is no public discussion at
all until a fix is available.

Apparently, Mr. Frasunek started out down that path, which is admirable.
It seems as if he doesn't have much patience, however, since he thinks
that only 2 weeks is enough time to fix a security problem and QA the fix.

-- 
Bill Moran
http://www.potentialtech.com


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Przemyslaw Frasunek
Giorgos Keramidas wrote:
> Przemyslaw should email security-officer with any details he thinks are
> relevant.  Then the security team will make sure to fix the bug for all
> affected releases of FreeBSD, release a patch with the fix, issue an
> advisory through the usual channels, and post the details online at our
> security information web pages at .

I see that I received a lot of criticism after disclosing 6.4 vulnerability.
Please read some facts:

I sent a few mails: on 29th Aug to security team, on 2nd Sep and 11th Sep directly
to security officer. None of them were responded to. I haven't filed any PRs,
because it would disclose details of vulnerability to the public and allow
blackhats to exploit it.

I won't publish anything more than a video, before the official security advisory.
The exploit is private to me and it won't be given to the "community".

Michael Powell wrote:
> Quoted from ~freebsd.security.general:
> "The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
> was not recognized as security vulnerability."

This is another bug. The former one affected only 6.1, this one affects
everything up to 6.4-STABLE.



Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-14 Thread Giorgos Keramidas
Hi Dan,

The right place to report security problems with FreeBSD is to the
Security Officer team.  A PGP signed email to the email address of the
security team at  is enough to get the
attention of the FreeBSD Project.

Przemyslaw should email security-officer with any details he thinks are
relevant.  Then the security team will make sure to fix the bug for all
affected releases of FreeBSD, release a patch with the fix, issue an
advisory through the usual channels, and post the details online at our
security information web pages at .

Regards,
Giorgos

On Mon, 14 Sep 2009 12:12:50 -0700, Dan Goodin  wrote:
> Hello,
>
> Dan Goodin, a reporter at technology news website The Register. Security
> researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD
> have a security bug. He says he notified the FreeBSD Foundation on August
> 29 and never got a response. We'll be writing a brief article about
> this. Please let me know ASAP if someone cares to comment.
>
> Kind regards,
>
> Dan Goodin
> 415-495-5411
>
>  Original Message 
> Subject: Re: [Full-disclosure] FreeBSD <= 6.1 kqueue() NULL pointer
> dereference
> Date: Sun, 13 Sep 2009 10:49:33 +0200
> From: Przemyslaw Frasunek 
> Organization: frasunek.com
> To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com
> References: <4a9028ac.9080...@freebsd.lublin.pl>
>
> Przemyslaw Frasunek writes:
>> FreeBSD <= 6.1 suffers from classical check/use race condition on SMP
>
> There is yet another kqueue related vulnerability. It affects 6.x, up to
> 6.4-STABLE. FreeBSD security team was notified on 29th Aug, but there is no
> response until now, so I won't publish any details.
>
> Successful exploitation yields local root and allows exiting from jail.
> For now, you can see the demo on:
>
> http://www.vimeo.com/6554787


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-14 Thread Mak Kolybabi
On 2009-09-14 12:12, Dan Goodin wrote:
> We'll be writing a brief article about this.

I didn't notice anyone link the finished article yet, so here it is:
http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/

--
Matthew Anthony Kolybabi (Mak)


() ASCII Ribbon Campaign | Against HTML e-mail
/\  www.asciiribbon.org  | Against proprietary extensions



Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-14 Thread Michael Powell
Matthew Seaman wrote:

> Mikel King wrote:
> 
>> Hasn't 6.x been End Of Lifed? I mean considering that 8.0 is expected to
>> be released either later this month or early next, and 6.x will be
>> officially retired at that time, is it possible that this was
>> overlooked? Personally I don't think it's ever good to overlook
>> security, especially in the case of a root exploit.
> 
> Nope.  6.3 (RELENG_6_3) will be supported until at least 31 January 2010
> while 6.4 (RELENG_6_4) and 6-STABLE (RELENG_6) will be supported until at
> least 30 November 2010 by the Security team.
> 
> There are no more releases planned from the RELENG_6 branch, but that's
> not the same as 'unsupported' -- patches and advisories will be issued
> until the dates listed, and quite usually beyond that.
> 

Quoted from ~freebsd.security.general:

 "The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
 was not recognized as security vulnerability."

So if the bug no longer exists in the non-EOL 6.3/6.4 there is nothing to 
fix. Seems to me this is more about not getting due credit and a writer who 
doesn't grok. 

The posting to security was a forward done by another individual, since the 
original discoverer notified the FreeBSD Foundation instead of the security 
team. Since the FreeBSD foundation is largely administrative and not the 
correct entity to notify, it is not surprising they did not reply.

The writer sounds like he is attempting to spin the SNAFU into a "they knew 
about a security vulnerability and did nothing..." story. Self serving for 
him, headline grabbing and sensationalist for sure, but not true as it was 
quickly addressed at the time.

This is water under the bridge and a writer flogging a dead horse.

-Mike





Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-14 Thread Mel Flynn
On Monday 14 September 2009 23:46:42 David Kelly wrote:
> On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote:
> > Am 2009/9/14 Dan Goodin  writhed:
> > > Hello,
> > >
> > > Dan Goodin, a reporter at technology news website The Register.
> > > Security researcher Przemyslaw Frasunek says versions 6.x through 6.4
> > > of FreeBSD have a security bug. He says he notified the FreeBSD
> > > Foundation on August 29 and never got a response. We'll be writing a
> > > brief article about this. Please let me know ASAP if someone cares to
> > > comment.
> >
> > Has anyone submitted a PR about this?
> 
> Przemyslaw Frasunek has PRs posted but none recent. IMO if a PR is not
> submitted then one has *not* informed the Powers That Be.

Wrong. Security bugs should be reported to the security team, not PR'd.
-- 
Mel


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-14 Thread David Kelly
On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote:
> Am 2009/9/14 Dan Goodin  writhed:
> > Hello,
> >
> > Dan Goodin, a reporter at technology news website The Register. Security
> > researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD
> > have a security bug. He says he notified the FreeBSD Foundation on August
> > 29 and never got a response. We'll be writing a brief article about
> > this. Please let me know ASAP if someone cares to comment.
> 
> Has anyone submitted a PR about this?

Przemyslaw Frasunek has PRs posted but none recent. IMO if a PR is not
submitted then one has *not* informed the Powers That Be. Having said
that, for all I know there is a PR in the system that has been given
restricted access until it's dealt with. IIRC there is an option where
one may request privacy when submitting a PR, perhaps that is the case
here?

Why is this in -questions? Seems -chat is more appropriate.

-- 
David Kelly N4HHE, dke...@hiwaay.net

Whom computers would destroy, they must first drive mad.


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-14 Thread Erik Trulsson
On Mon, Sep 14, 2009 at 05:21:48PM -0400, Mikel King wrote:
> 
> On Sep 14, 2009, at 3:12 PM, Dan Goodin wrote:
> 
> > Hello,
> >
> > Dan Goodin, a reporter at technology news website The Register. Security
> > researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD
> > have a security bug. He says he notified the FreeBSD Foundation on August
> > 29 and never got a response. We'll be writing a brief article about
> > this. Please let me know ASAP if someone cares to comment.
> >
> > Kind regards,
> >
> > Dan Goodin
> > 415-495-5411
> 
> Hasn't 6.x been End Of Lifed?

Not at all.  The 6.2 and earlier releases have been EOL'd, but 6.3 and 6.4
are still supported by the security team.  6.4 (and 6.x in general) will
be supported until November 2010, which is more than a year away.
(See http://security.freebsd.org/ for official EOL information.)

> I mean considering that 8.0 is expected  
> to be released either later this month or early next, and 6.x will be  
> officially retired at that time, is it possible that this was  
> overlooked? Personally I don't think it's ever good to overlook  
> security, especially in the case of a root exploit.
> 
> http://www.freebsd.org/releases/6.4R/announce.html

-- 

Erik Trulsson
ertr1...@student.uu.se


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-14 Thread Matthew Seaman

Mikel King wrote:

> Hasn't 6.x been End Of Lifed? I mean considering that 8.0 is expected to
> be released either later this month or early next, and 6.x will be
> officially retired at that time, is it possible that this was
> overlooked? Personally I don't think it's ever good to overlook
> security, especially in the case of a root exploit.


Nope.  6.3 (RELENG_6_3) will be supported until at least 31 January 2010
while 6.4 (RELENG_6_4) and 6-STABLE (RELENG_6) will be supported until at
least 30 November 2010 by the Security team.

There are no more releases planned from the RELENG_6 branch, but that's not
the same as 'unsupported' -- patches and advisories will be issued until the
dates listed, and quite usually beyond that.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW





Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-14 Thread Jason

On Mon, Sep 14, 2009 at 05:21:48PM -0400, Mikel King thus spake:

> On Sep 14, 2009, at 3:12 PM, Dan Goodin wrote:
>
> > Hello,
> >
> > Dan Goodin, a reporter at technology news website The Register. Security
> > researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD
> > have a security bug. He says he notified the FreeBSD Foundation on August
> > 29 and never got a response. We'll be writing a brief article about
> > this. Please let me know ASAP if someone cares to comment.
> >
> > Kind regards,
> >
> > Dan Goodin
> > 415-495-5411
>
> Hasn't 6.x been End Of Lifed? I mean considering that 8.0 is expected
> to be released either later this month or early next, and 6.x will be
> officially retired at that time, is it possible that this was
> overlooked? Personally I don't think it's ever good to overlook
> security, especially in the case of a root exploit.
>
> http://www.freebsd.org/releases/6.4R/announce.html

Looks like the EOL will be: November 30, 2010

http://security.freebsd.org/

> Regards,
> Mikel King
> CEO, Olivent Technologies
> Senior Editor, Daemon News
> Columnist, BSD Magazine
> 6 Alpine Court,
> Medford, NY 11763
>
> skype:mikel.king
> http://olivent.com
> http://mikelking.com
> http://twitter.com/mikelking




Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-14 Thread Matthew Seaman

Dan Goodin wrote:

> Hello,
>
> Dan Goodin, a reporter at technology news website The Register. Security
> researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD
> have a security bug. He says he notified the FreeBSD Foundation on August
> 29 and never got a response. We'll be writing a brief article about
> this. Please let me know ASAP if someone cares to comment.
>
> Kind regards,
>
> Dan Goodin
> 415-495-5411
>
>  Original Message 
> Subject: Re: [Full-disclosure] FreeBSD <= 6.1 kqueue() NULL pointer
> dereference
> Date: Sun, 13 Sep 2009 10:49:33 +0200
> From: Przemyslaw Frasunek 
> Organization: frasunek.com
> To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com
> References: <4a9028ac.9080...@freebsd.lublin.pl>
>
> Przemyslaw Frasunek writes:
>
> > FreeBSD <= 6.1 suffers from classical check/use race condition on SMP
>
> There is yet another kqueue related vulnerability. It affects 6.x, up to
> 6.4-STABLE. FreeBSD security team was notified on 29th Aug, but there is no
> response until now, so I won't publish any details.
>
> Successful exploitation yields local root and allows exiting from jail.
> For now, you can see the demo on:
>
> http://www.vimeo.com/6554787

You need to contact the Security Officer to get the official position.  That's
security-offi...@freebsd.org

I don't know why you seem to think this should have been reported to the FreeBSD
Foundation.  They aren't the responsible parties.  What to do is clearly
explained on this web page: http://www.freebsd.org/security/security.html
(which Przemyslaw for one seems to have read).


Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW





Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-14 Thread Mikel King


On Sep 14, 2009, at 3:12 PM, Dan Goodin wrote:

> Hello,
>
> Dan Goodin, a reporter at technology news website The Register. Security
> researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD
> have a security bug. He says he notified the FreeBSD Foundation on August
> 29 and never got a response. We'll be writing a brief article about
> this. Please let me know ASAP if someone cares to comment.
>
> Kind regards,
>
> Dan Goodin
> 415-495-5411

Hasn't 6.x been End Of Lifed? I mean considering that 8.0 is expected
to be released either later this month or early next, and 6.x will be
officially retired at that time, is it possible that this was
overlooked? Personally I don't think it's ever good to overlook
security, especially in the case of a root exploit.

http://www.freebsd.org/releases/6.4R/announce.html

Regards,
Mikel King
CEO, Olivent Technologies
Senior Editor, Daemon News
Columnist, BSD Magazine
6 Alpine Court,
Medford, NY 11763

skype:mikel.king
http://olivent.com
http://mikelking.com
http://twitter.com/mikelking



Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-14 Thread ill...@gmail.com
Am 2009/9/14 Dan Goodin  writhed:
> Hello,
>
> Dan Goodin, a reporter at technology news website The Register. Security
> researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD
> have a security bug. He says he notified the FreeBSD Foundation on August
> 29 and never got a response. We'll be writing a brief article about
> this. Please let me know ASAP if someone cares to comment.
>

Has anyone submitted a PR about this?



reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-14 Thread Dan Goodin
Hello,

Dan Goodin, a reporter at technology news website The Register. Security
researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD
have a security bug. He says he notified the FreeBSD Foundation on August
29 and never got a response. We'll be writing a brief article about
this. Please let me know ASAP if someone cares to comment.

Kind regards,

Dan Goodin
415-495-5411

 Original Message 
Subject: Re: [Full-disclosure] FreeBSD <= 6.1 kqueue() NULL pointer
dereference
Date: Sun, 13 Sep 2009 10:49:33 +0200
From: Przemyslaw Frasunek 
Organization: frasunek.com
To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com
References: <4a9028ac.9080...@freebsd.lublin.pl>

Przemyslaw Frasunek writes:
> FreeBSD <= 6.1 suffers from classical check/use race condition on SMP

There is yet another kqueue related vulnerability. It affects 6.x, up to
6.4-STABLE. FreeBSD security team was notified on 29th Aug, but there is no
response until now, so I won't publish any details.

Successful exploitation yields local root and allows exiting from jail.
For now, you can see the demo on:

http://www.vimeo.com/6554787

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: veng...@czuby.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
