reporter on deadline seeks comment about reported security bug
in FreeBSD
Michael Powell
nightrecon at hotmail.com
Fri Sep 18 21:39:14 UTC 2009
Przemyslaw Frasunek wrote:
> Giorgos Keramidas wrote:
>> Przemyslaw should email security-officer with any details he thinks are
>> relevant. Then the security team will make sure to fix the bug for all
>> affected releases of FreeBSD, release a patch with the fix, issue an
>> advisory through the usual channels, and post the details online at our
>> security information web pages at <http://www.FreeBSD.org/security/>.
>
> I see that I received a lot of criticism after disclosing 6.4
> vulnerability. Please read some facts:
>
> I send few mails: on 29th Aug to security team, on 2nd Sep and 11th Sep
> directly to security officer. None of them were responded. I haven't
> filled any PRs, because it would disclose details of vulnerability to the
> public and allow blackhats to exploit it.
>
> I won't publish anything more than video, before official security
> advisory. The exploit is private to me and it won't be given to the
> "community".
>
> Michael Powell wrote:
>> Quoted from ~freebsd.security.general:
>> "The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
>> was not recognized as security vulnerability."
>
> This is another bug. The former one affected only 6.1, this one affects
> everything up to 6.4-STABLE.
>
Please allow me to express my appreciation for your efforts in this matter.
Your work will only improve FreeBSD and I would like to thank you kindly for
that. I apologize if any, or all, of my comments appeared critical of your
work.
I was trying to express criticism of the writer whose only imperative was to
generate a sensationalist headline.
-Mike
More information about the freebsd-questions
mailing list