On 23 Dec 2011, at 17:07, Damien Fleuriot wrote:
> Seriously, this is just irritating.
Seriously, malevolent persons don't do engineering freeze times.
I thank the FreeBSD security team for keeping vigilant on this, despite they
have no official obligation as there is no SLA on the product and
On 23 Dec 2011 18:56, "George Kontostanos" wrote:
>
> On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman
> wrote:
> > On 23/12/2011 18:05, George Kontostanos wrote:
> >> Are all cvs mirror servers updated regarding these changes ?
> >>
> >> ANYBODY
> >
> > Should have by now. Commits usually t
On Sat, Dec 24, 2011 at 09:25, Jeremy Chadwick wrote:
>
> While this is generally true, the BIND issue was absolutely not
> addressed "as fast as possible". I guess you weren't aware that it was
> announced publicly literally over a month ago:
>
> https://www.isc.org/software/bind/advisories/cve
On Sat, Dec 24, 2011 at 08:36:15AM -0800, Kurt Buff wrote:
> On Fri, Dec 23, 2011 at 08:07, Damien Fleuriot wrote:
> > Hey up list,
> >
> > Look, just a rant here.
> >
> >
> > Who in *HELL* thought it would be a cool idea to release no less than
> > FOUR security advisories today ?
>
> I'm guessi
On Fri, Dec 23, 2011 at 08:07, Damien Fleuriot wrote:
> Hey up list,
>
> Look, just a rant here.
>
>
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?
I'm guessing the Security Officer and those with whom he consults.
Just a thought, since
On Sat, Dec 24, 2011 at 12:02 AM, Peter Jeremy wrote:
> On 2011-Dec-23 23:40:10 +0200, George Kontostanos
> wrote:
>>In any case, and IMHO this was not the proper time for this kind of
>>advisories considering the fact that many companies are in a freeze
>>period.
>
> My honeypot logs suggest th
On 2011-Dec-23 23:40:10 +0200, George Kontostanos
wrote:
>In any case, and IMHO this was not the proper time for this kind of
>advisories considering the fact that many companies are in a freeze
>period.
My honeypot logs suggest that the black hats aren't taking a holiday.
As Colin posted, the S
On Fri, Dec 23, 2011 at 11:45 PM, Shawn Webb wrote:
> As others have mentioned, you don't _have_ to patch this weekend. All
> of the vulnerabilities have been [semi-]public knowledge for at least
> a week. What's the harm in waiting till next week? Just pretend like
> the patches came in on Tuesda
As others have mentioned, you don't _have_ to patch this weekend. All
of the vulnerabilities have been [semi-]public knowledge for at least
a week. What's the harm in waiting till next week? Just pretend like
the patches came in on Tuesday.
I, for one, am grateful that FreeBSD has provided patches
On Fri, Dec 23, 2011 at 10:48 PM, Gary Palmer wrote:
> On Fri, Dec 23, 2011 at 08:55:35PM +0200, George Kontostanos wrote:
>> On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman
>> wrote:
>> > On 23/12/2011 18:05, George Kontostanos wrote:
>> >> Are all cvs mirror servers updated regarding these chan
On Fri, Dec 23, 2011 at 08:55:35PM +0200, George Kontostanos wrote:
> On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman
> wrote:
> > On 23/12/2011 18:05, George Kontostanos wrote:
> >> Are all cvs mirror servers updated regarding these changes ?
> >>
> >> ANYBODY
> >
> > Should have by now. Co
On 2011-Dec-23 20:06:10 +0100, Lars Engels wrote:
>On Fri, Dec 23, 2011 at 06:30:59PM +0100, Bas Smeelen wrote:
>> _but_ FreeBSD is not a distribution
>> It is *a complete operating system*
>> Happy holidays
>
>And the D in BSD is for? ;-)
FreeBSD is a complete operating system _derived_from_ the
On Fri, Dec 23, 2011 at 2:06 PM, Lars Engels wrote:
> On Fri, Dec 23, 2011 at 06:30:59PM +0100, Bas Smeelen wrote:
>> > These vulnerabilities are known many days before in other distributions .
>>
>> >Thank you very much .
>>
>> >Mehmet Erol Sanliturk
>>
>> you're right, these were discussed on th
On Fri, Dec 23, 2011 at 9:06 PM, Lars Engels wrote:
> On Fri, Dec 23, 2011 at 06:30:59PM +0100, Bas Smeelen wrote:
>> > These vulnerabilities are known many days before in other distributions .
>>
>> >Thank you very much .
>>
>> >Mehmet Erol Sanliturk
>>
>> you're right, these were discussed on th
On Fri, Dec 23, 2011 at 06:30:59PM +0100, Bas Smeelen wrote:
> > These vulnerabilities are known many days before in other distributions .
>
> >Thank you very much .
>
> >Mehmet Erol Sanliturk
>
> you're right, these were discussed on the mailing lists also
> _but_ FreeBSD is not a distribution
>
Quoting Mike Tancsa :
> On 12/23/2011 11:07 AM, Damien Fleuriot wrote:
> > Hey up list,
> > Look, just a rant here.
> > Who in *HELL* thought it would be a cool idea to release no less than
> > FOUR security advisories today ?
>
>
> The Security Officer explained it was because one of them was b
On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman
wrote:
> On 23/12/2011 18:05, George Kontostanos wrote:
>> Are all cvs mirror servers updated regarding these changes ?
>>
>> ANYBODY
>
> Should have by now. Commits usually take about an hour to propagate to
> the official cvsup servers.
>
> E
On 23/12/2011 18:05, George Kontostanos wrote:
> Are all cvs mirror servers updated regarding these changes ?
>
> ANYBODY
Should have by now. Commits usually take about an hour to propagate to
the official cvsup servers.
Easy enough to tell though -- the advisories have all the version
num
On Fri, Dec 23, 2011 at 7:55 PM, Mike Tancsa wrote:
> On 12/23/2011 12:25 PM, Stephen Montgomery-Smith wrote:
>>
>> It is this chroot issue that bothers me. From my reading of the ftpd
>> man page, if I have anonymous ftp to my server, it seems that I am using
>> chroot with ftpd, and there is no
On Dec 23, 2011, at 11:25 AM, Stephen Montgomery-Smith wrote:
> On 12/23/2011 10:56 AM, Mike Tancsa wrote:
>
>> Also, the chroot issue has been public for some time along with sample
>> exploits. Same with BIND which was fixed some time ago. Judgment call,
>> and I think they made the right cal
On 23/12/2011 17:25, Damien Fleuriot wrote:
> I'm subscribed to the BIND ML but I don't recall seeing an advisory
> there ahead of today.
The BIND vulnerability was discussed on bind-users last month, and
updates were pushed to the ports and RELENG_7 and RELENG_8 pretty much
straight away. RELENG
On 12/23/2011 12:25 PM, Stephen Montgomery-Smith wrote:
>
> It is this chroot issue that bothers me. From my reading of the ftpd
> man page, if I have anonymous ftp to my server, it seems that I am using
> chroot with ftpd, and there is no way to stop this happening.
>
> Am I correct, or have I
On topic, where do you guys subscribe to know of these vulns ahead of
their release on the ML ?
security, stable and questions
it has been discussed here and there
Disclaimer: http://www.ose.nl/email
___
freebsd-stable@freebsd.org mailing list
ht
On 12/23/11 11:53, Karl Denninger wrote:
> I happen to APPLAUD the FreeBSD Security team for doing this.
>
> I WANT security fixes out as soon as reasonably possible. You're NOT
> telling the bad guys anything they don't already know, but you ARE
> m
On Fri, Dec 23, 2011 at 7:25 PM, Stephen Montgomery-Smith
wrote:
> On 12/23/2011 10:56 AM, Mike Tancsa wrote:
>
>> Also, the chroot issue has been public for some time along with sample
>> exploits. Same with BIND which was fixed some time ago. Judgment call,
>> and I think they made the right ca
> These vulnerabilities are known many days before in other distributions.
>Thank you very much.
>Mehmet Erol Sanliturk
you're right, these were discussed on the mailing lists also
_but_ FreeBSD is not a distribution
It is *a complete operating system*
Happy holidays
I usually hear about them from other people. I also subscribe to the
full-disclosure mailing list.
On Fri, Dec 23, 2011 at 10:25 AM, Damien Fleuriot wrote:
> On topic, where do you guys subscribe to know of these vulns ahead of
> their release on the ML ?
>
> I'm subscribed to the BIND ML but I do
On topic, where do you guys subscribe to know of these vulns ahead of
their release on the ML ?
I'm subscribed to the BIND ML but I don't recall seeing an advisory
there ahead of today.
On 12/23/11 6:03 PM, Shawn Webb wrote:
> Some people (like me) already knew about the vulnerabilities. And
> o
On 12/23/2011 10:56 AM, Mike Tancsa wrote:
Also, the chroot issue has been public for some time along with sample
exploits. Same with BIND which was fixed some time ago. Judgment call,
and I think they made the right call at least from my perspective.
It is this chroot issue that bothers me.
On Fri, Dec 23, 2011 at 11:39 AM, John Baldwin wrote:
> On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
> > Hey up list,
> >
> >
> >
> > Look, just a rant here.
> >
> >
> > Who in *HELL* thought it would be a cool idea to release no less than
> > FOUR security advisories today ?
>
On 12/23/2011 10:07 AM, Damien Fleuriot wrote:
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
After receiving the fifth security advisory in a few moments, you will
get a Christmas message from th
I happen to APPLAUD the FreeBSD Security team for doing this.
I WANT security fixes out as soon as reasonably possible. You're NOT
telling the bad guys anything they don't already know, but you ARE
making it possible for the good guys to raise shields.
A "remote root" problem is about as bad as
>Look, just a rant here.
>Who in *HELL* thought it would be a cool idea to release no less than
>FOUR security advisories today ?
What's the impact for your boxes?
>I mean, couldn't this have waited and remained undisclosed until Monday ?
Best time to exploit is Christmas/holidays
>I for one do
Some people (like me) already knew about the vulnerabilities. And
others are already exploiting some of these vulnerabilities.
Thanks,
Shawn Webb
On Fri, Dec 23, 2011 at 9:50 AM, Damien Fleuriot wrote:
> My point (which may or may not be valid) was that if the vulnerabilities
> remained *undisc
On 12/23/11 5:54 PM, Bas Smeelen wrote:
>> Look, just a rant here.
>
>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today ?
> What's the impact for your boxes?
>
Only the BIND exploit concerns me, means that *potentially* servers for
my pr
On 12/23/2011 11:07 AM, Damien Fleuriot wrote:
> Hey up list,
> Look, just a rant here.
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?
The Security Officer explained it was because one of them was being
actively exploited.
http://lists.
On 12/23/11 5:50 PM, Stephen Montgomery-Smith wrote:
> On 12/23/2011 10:07 AM, Damien Fleuriot wrote:
>> Hey up list,
>>
>>
>>
>> Look, just a rant here.
>>
>>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today ?
>
> After receiving the fifth
The serious one (telnetd) is already being exploited in the wild, and if
you're running telnetd anyway then you can always switch to ssh or acl
the port, either way it is a relative non-issue to ignore the update for
now...
Damien Fleuriot wrote:
My point (which may or may not be valid) was t
My point (which may or may not be valid) was that if the vulnerabilities
remained *undisclosed*, they would have a much lower chance of being
exploited.
On 12/23/11 5:47 PM, Joe Holden wrote:
> So don't update until Monday? The outcome will be the same :)
>
> Damien Fleuriot wrote:
>> Hey up li
So don't update until Monday? The outcome will be the same :)
Damien Fleuriot wrote:
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
I mean, couldn't this have waited and remained undisclosed until
On 12/23/11 5:39 PM, John Baldwin wrote:
> On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
>> Hey up list,
>>
>>
>>
>> Look, just a rant here.
>>
>>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today ?
>>
>> I mean, couldn't
On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
> Hey up list,
>
>
>
> Look, just a rant here.
>
>
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?
>
> I mean, couldn't this have waited and remained undisclosed until mo
Hey up list,
Look, just a rant here.
Who in *HELL* thought it would be a cool idea to release no less than
FOUR security advisories today ?
I mean, couldn't this have waited and remained undisclosed until Monday ?
I for one do *NOT* relish the idea of updating 50+ boxes this evening
and tomo
43 matches