On 23 Dec 2011, at 17:07, Damien Fleuriot wrote:
Seriously, this is just irritating.
Seriously, malevolent persons don't do engineering freeze times.
I thank the FreeBSD security team for keeping vigilant on this, despite they
have no official obligation as there is no SLA on the product and
On Fri, Dec 23, 2011 at 08:07, Damien Fleuriot m...@my.gd wrote:
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
I'm guessing the Security Officer and those with whom he consults.
Just a thought,
On Sat, Dec 24, 2011 at 08:36:15AM -0800, Kurt Buff wrote:
On Fri, Dec 23, 2011 at 08:07, Damien Fleuriot m...@my.gd wrote:
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
I'm guessing the
On Sat, Dec 24, 2011 at 09:25, Jeremy Chadwick free...@jdc.parodius.com wrote:
snip
While this is generally true, the BIND issue was absolutely not
addressed as fast as possible. I guess you weren't aware that it was
announced publicly literally over a month ago:
On 23 Dec 2011 18:56, George Kontostanos gkontos.m...@gmail.com wrote:
On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman
m.sea...@infracaninophile.co.uk wrote:
On 23/12/2011 18:05, George Kontostanos wrote:
Are all cvs mirror servers updated regarding these changes ?
ANYBODY
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
I mean, couldn't this have waited and remained undisclosed until monday ?
I for one do *NOT* relish the idea of updating 50+ boxes this evening
and
On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
I mean, couldn't this have waited and remained undisclosed until monday ?
On 12/23/11 5:39 PM, John Baldwin wrote:
On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
I mean, couldn't this have waited and
So don't update until Monday? The outcome will be the same :)
Damien Fleuriot wrote:
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
I mean, couldn't this have waited and remained undisclosed until
My point (which may or may not be valid) was that if the vulnerabilities
remained *undisclosed*, they would have a much lower chance of being
exploited.
On 12/23/11 5:47 PM, Joe Holden wrote:
So don't update until Monday? The outcome will be the same :)
Damien Fleuriot wrote:
Hey up list,
The serious one (telnetd) is already being exploited in the wild, and if
you're running telnetd anyway then you can always switch to ssh or acl
the port, either way it is a relative non-issue to ignore the update for
now...
Damien Fleuriot wrote:
My point (which may or may not be valid) was
On 12/23/11 5:50 PM, Stephen Montgomery-Smith wrote:
On 12/23/2011 10:07 AM, Damien Fleuriot wrote:
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
After receiving the fifth security advisory
On 12/23/2011 11:07 AM, Damien Fleuriot wrote:
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
The Security Officer explained it was because one of them was being
actively exploited.
On 12/23/11 5:54 PM, Bas Smeelen wrote:
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
What's the impact for your boxes?
Only the BIND exploit concerns me, means that *potentially* servers for
my projects
Some people (like me) already knew about the vulnerabilities. And
others are already exploiting some of these vulnerabilities.
Thanks,
Shawn Webb
On Fri, Dec 23, 2011 at 9:50 AM, Damien Fleuriot m...@my.gd wrote:
My point (which may or may not be valid) was that if the vulnerabilities
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
What's the impact for your boxes?
I mean, couldn't this have waited and remained undisclosed until monday ?
Best time to exploit is Christmas/holidays
I for one do
I happen to APPLAUD the FreeBSD Security team for doing this.
I WANT security fixes out as soon as reasonably possible. You're NOT
telling the bad guys anything they don't already know, but you ARE
making it possible for the good guys to raise shields.
A remote root problem is about as bad as
On 12/23/2011 10:07 AM, Damien Fleuriot wrote:
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
After receiving the fifth security advisory in a few moments, you will
get a Christmas message from
On Fri, Dec 23, 2011 at 11:39 AM, John Baldwin j...@freebsd.org wrote:
On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
On 12/23/2011 10:56 AM, Mike Tancsa wrote:
Also, the chroot issue has been public for some time along with sample
exploits. Same with BIND which was fixed some time ago. Judgment call,
and I think they made the right call at least from my perspective.
It is this chroot issue that bothers me.
On topic, where do you guys subscribe to know of these vulns ahead of
their release on the ML ?
I'm subscribed to the BIND ML but I don't recall seeing an advisory
there ahead of today.
On 12/23/11 6:03 PM, Shawn Webb wrote:
Some people (like me) already knew about the vulnerabilities. And
I usually hear about them from other people. I also subscribe to the
full-disclosure mailinglist.
On Fri, Dec 23, 2011 at 10:25 AM, Damien Fleuriot m...@my.gd wrote:
On topic, where do you guys subscribe to know of these vulns ahead of
their release on the ML ?
I'm subscribed to the BIND ML
These vulnerabilities are known many days before in other distributions .
Thank you very much .
Mehmet Erol Sanliturk
you're right, these were discussed on the mailinglists also
_but_ FreeBSD is not a distribution
It is *a complete operating system*
Happy holidays
Disclaimer:
On Fri, Dec 23, 2011 at 7:25 PM, Stephen Montgomery-Smith
step...@missouri.edu wrote:
On 12/23/2011 10:56 AM, Mike Tancsa wrote:
Also, the chroot issue has been public for some time along with sample
exploits. Same with BIND which was fixed some time ago. Judgment call,
and I think they made
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 12/23/11 11:53, Karl Denninger wrote:
I happen to APPLAUD the FreeBSD Security team for doing this.
I WANT security fixes out as soon as reasonably possible. You're NOT
telling the bad guys anything they don't already know, but you ARE
On topic, where do you guys subscribe to know of these vulns ahead of
their release on the ML ?
security, stable and questions
it has been discussed here and there
Disclaimer: http://www.ose.nl/email
___
freebsd-stable@freebsd.org mailing list
On 12/23/2011 12:25 PM, Stephen Montgomery-Smith wrote:
It is this chroot issue that bothers me. From my reading of the ftpd
man page, if I have anonymous ftp to my server, it seems that I am using
chroot with ftpd, and there is no way to stop this happening.
Am I correct, or have I
On 23/12/2011 17:25, Damien Fleuriot wrote:
I'm subscribed to the BIND ML but I don't recall seeing an advisory
there ahead of today.
The BIND vulnerability was discussed on bind-users last month, and
updates were pushed to the ports and RELENG_7 and RELENG_8 pretty much
straight away.
On Dec 23, 2011, at 11:25 AM, Stephen Montgomery-Smith wrote:
On 12/23/2011 10:56 AM, Mike Tancsa wrote:
Also, the chroot issue has been public for some time along with sample
exploits. Same with BIND which was fixed some time ago. Judgment call,
and I think they made the right call at
On Fri, Dec 23, 2011 at 7:55 PM, Mike Tancsa m...@sentex.net wrote:
On 12/23/2011 12:25 PM, Stephen Montgomery-Smith wrote:
It is this chroot issue that bothers me. From my reading of the ftpd
man page, if I have anonymous ftp to my server, it seems that I am using
chroot with ftpd, and
On 23/12/2011 18:05, George Kontostanos wrote:
Are all cvs mirror servers updated regarding these changes ?
ANYBODY
Should have by now. Commits usually take about an hour to propagate to
the official cvsup servers.
Easy enough to tell though -- the advisories have all the version
On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman
m.sea...@infracaninophile.co.uk wrote:
On 23/12/2011 18:05, George Kontostanos wrote:
Are all cvs mirror servers updated regarding these changes ?
ANYBODY
Should have by now. Commits usually take about an hour to propagate to
the
Quoting Mike Tancsa m...@sentex.net:
On 12/23/2011 11:07 AM, Damien Fleuriot wrote:
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
The Security Officer explained it was because one of them
On Fri, Dec 23, 2011 at 06:30:59PM +0100, Bas Smeelen wrote:
These vulnerabilities are known many days before in other distributions .
Thank you very much .
Mehmet Erol Sanliturk
you're right, these were discussed on the mailinglists also
_but_ FreeBSD is not a distribution
It is *a
On Fri, Dec 23, 2011 at 9:06 PM, Lars Engels lars.eng...@0x20.net wrote:
On Fri, Dec 23, 2011 at 06:30:59PM +0100, Bas Smeelen wrote:
These vulnerabilities are known many days before in other distributions .
Thank you very much .
Mehmet Erol Sanliturk
you're right, these were discussed on
On Fri, Dec 23, 2011 at 2:06 PM, Lars Engels lars.eng...@0x20.net wrote:
On Fri, Dec 23, 2011 at 06:30:59PM +0100, Bas Smeelen wrote:
These vulnerabilities are known many days before in other distributions .
Thank you very much .
Mehmet Erol Sanliturk
you're right, these were discussed on
On 2011-Dec-23 20:06:10 +0100, Lars Engels lars.eng...@0x20.net wrote:
On Fri, Dec 23, 2011 at 06:30:59PM +0100, Bas Smeelen wrote:
_but_ FreeBSD is not a distribution
It is *a complete operating system*
Happy holidays
And the D in BSD is for? ;-)
FreeBSD is a complete operating system
On Fri, Dec 23, 2011 at 08:55:35PM +0200, George Kontostanos wrote:
On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman
m.sea...@infracaninophile.co.uk wrote:
On 23/12/2011 18:05, George Kontostanos wrote:
Are all cvs mirror servers updated regarding these changes ?
ANYBODY
Should
On Fri, Dec 23, 2011 at 10:48 PM, Gary Palmer gpal...@freebsd.org wrote:
On Fri, Dec 23, 2011 at 08:55:35PM +0200, George Kontostanos wrote:
On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman
m.sea...@infracaninophile.co.uk wrote:
On 23/12/2011 18:05, George Kontostanos wrote:
Are all cvs
As others have mentioned, you don't _have_ to patch this weekend. All
of the vulnerabilities have been [semi-]public knowledge for at least
a week. What's the harm in waiting till next week? Just pretend like
the patches came in on Tuesday.
I, for one, am grateful that FreeBSD has provided
On Fri, Dec 23, 2011 at 11:45 PM, Shawn Webb latt...@gmail.com wrote:
As others have mentioned, you don't _have_ to patch this weekend. All
of the vulnerabilities have been [semi-]public knowledge for at least
a week. What's the harm in waiting till next week? Just pretend like
the patches
On 2011-Dec-23 23:40:10 +0200, George Kontostanos gkontos.m...@gmail.com
wrote:
In any case, and IMHO this was not the proper time for this kind of
advisories considering the fact that many companies are in a freeze
period.
My honeypot logs suggest that the black hats aren't taking a holiday.
As
On Sat, Dec 24, 2011 at 12:02 AM, Peter Jeremy peterjer...@acm.org wrote:
On 2011-Dec-23 23:40:10 +0200, George Kontostanos gkontos.m...@gmail.com
wrote:
In any case, and IMHO this was not the proper time for this kind of
advisories considering the fact that many companies are in a freeze
43 matches
Mail list logo