Proposal (Was: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl)

Pawel Biernacki pawel.biernacki at gmail.com
Wed Apr 9 12:36:50 UTC 2014


On 9 April 2014 00:34, FreeBSD Security Advisories
<security-advisories at freebsd.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-14:06.openssl                                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          OpenSSL multiple vulnerabilities
>
> Category:       contrib
> Module:         openssl
> Announced:      2014-04-08
> Affects:        All supported versions of FreeBSD.
> Corrected:      2014-04-08 18:27:39 UTC (stable/10, 10.0-STABLE)
>                 2014-04-08 18:27:46 UTC (releng/10.0, 10.0-RELEASE-p1)
>                 2014-04-08 23:16:19 UTC (stable/9, 9.2-STABLE)
>                 2014-04-08 23:16:05 UTC (releng/9.2, 9.2-RELEASE-p4)
>                 2014-04-08 23:16:05 UTC (releng/9.1, 9.1-RELEASE-p11)
>                 2014-04-08 23:16:19 UTC (stable/8, 8.4-STABLE)
>                 2014-04-08 23:16:05 UTC (releng/8.4, 8.4-RELEASE-p8)
>                 2014-04-08 23:16:05 UTC (releng/8.3, 8.3-RELEASE-p15)
> CVE Name:       CVE-2014-0076, CVE-2014-0160
>

Thank you for finally patching that vulnerability. Many of us FreeBSD
users are deeply concerned about security. Yesterday we had a very
busy day on #FreeBSD on freenode with many people asking why there was
no SA and how to mitigate the threat or patch it on their own.

I understand that this is a voluntary role and you have other (real
life) responsibilities; that's why I'd like to propose the idea of an (at
least partially) paid Security Officer position, because we all
need a quick and efficient response in cases like that.

The FreeBSD community has a good history of paying for work: many of us
supported phk@ in 2004, and recently the FreeBSD Foundation hired several
people to work for all of us. Because I've no idea how the Foundation has
planned its budget for this year, I don't know if there is any money
that can be allocated for that position. If not, maybe the Foundation could
conduct additional public fundraising for that purpose?




-- 
One of God's own prototypes. A high-powered mutant of some kind never
even considered for mass production. Too weird to live, and too rare to die.