freebsd-security Digest, Vol 482, Issue 4

Ke-li Dong dong.keli at gmail.com
Thu Apr 10 01:24:23 UTC 2014


help


2014-04-10 4:20 GMT+08:00 <freebsd-security-request at freebsd.org>:

> Send freebsd-security mailing list submissions to
>         freebsd-security at freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
>         freebsd-security-request at freebsd.org
>
> You can reach the person managing the list at
>         freebsd-security-owner at freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
>
>
> Today's Topics:
>
>    1. Proposal (Was: Re: FreeBSD Security Advisory
>       FreeBSD-SA-14:06.openssl) (Pawel Biernacki)
>    2. Re: Proposal (Dag-Erling Smørgrav)
>    3. Re: Proposal (Karl Denninger)
>    4. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>       (Zoran Kolic)
>    5. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>       (Karl Denninger)
>    6. Re: Proposal (Kimmo Paasiala)
>    7. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>       (Gary Palmer)
>    8. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>       (Steven Hartland)
>    9. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>       (Karl Denninger)
>   10. Re: Proposal (Was: Re: FreeBSD Security Advisory
>       FreeBSD-SA-14:06.openssl) (Big Lebowski)
>   11. Re: Proposal (Walter Hop)
>   12. Re: Proposal (Pawel Biernacki)
>   13. Re: Proposal (Joe Holden)
>   14. Re: Proposal (Joe User)
>   15. Re: Proposal (jungleboogie0)
>   16. Re: Proposal (ari edelkind)
>   17. Re: Proposal (Dag-Erling Smørgrav)
>   18. Re: Proposal (Pawel Biernacki)
>   19. Re: Proposal (Dag-Erling Smørgrav)
>   20. Re: Proposal (Joe User)
>   21. Re: Proposal (Pawel Biernacki)
>   22. Re: Proposal (jungleboogie0)
>   23. Re: Proposal (Pawel Biernacki)
>   24. Re: Proposal (leon at tuco)
>   25. Re: Proposal (Nathan Dorfman)
>   26. Re: Proposal (Matthew Seaman)
>   27. Re: Proposal (Dag-Erling Smørgrav)
>   28. Re: Proposal (Dag-Erling Smørgrav)
>   29. Re: Proposal (Xin Li)
>   30. Re: Proposal (Dag-Erling Smørgrav)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 9 Apr 2014 13:36:48 +0100
> From: Pawel Biernacki <pawel.biernacki at gmail.com>
> To: freebsd-security at freebsd.org
> Subject: Proposal (Was: Re: FreeBSD Security Advisory
>         FreeBSD-SA-14:06.openssl)
> Message-ID: <CAA3htvtb+yZRApEqJ41ue+6jB5Y_Une96SYyJRwQXBmQfRZbtQ at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On 9 April 2014 00:34, FreeBSD Security Advisories
> <security-advisories at freebsd.org> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > =============================================================================
> > FreeBSD-SA-14:06.openssl                                    Security Advisory
> >                                                           The FreeBSD Project
> >
> > Topic:          OpenSSL multiple vulnerabilities
> >
> > Category:       contrib
> > Module:         openssl
> > Announced:      2014-04-08
> > Affects:        All supported versions of FreeBSD.
> > Corrected:      2014-04-08 18:27:39 UTC (stable/10, 10.0-STABLE)
> >                 2014-04-08 18:27:46 UTC (releng/10.0, 10.0-RELEASE-p1)
> >                 2014-04-08 23:16:19 UTC (stable/9, 9.2-STABLE)
> >                 2014-04-08 23:16:05 UTC (releng/9.2, 9.2-RELEASE-p4)
> >                 2014-04-08 23:16:05 UTC (releng/9.1, 9.1-RELEASE-p11)
> >                 2014-04-08 23:16:19 UTC (stable/8, 8.4-STABLE)
> >                 2014-04-08 23:16:05 UTC (releng/8.4, 8.4-RELEASE-p8)
> >                 2014-04-08 23:16:05 UTC (releng/8.3, 8.3-RELEASE-p15)
> > CVE Name:       CVE-2014-0076, CVE-2014-0160
> >
>
> Thank you for finally patching that vulnerability. Many of us, FreeBSD
> users, are deeply concerned about security. Yesterday we had a very
> busy day on #FreeBSD on freenode with many people asking why there is
> no SA and how to mitigate the threat or patch it on their own.
>
> I understand that this is a voluntary role and you have other (real
> life) responsibilities; that's why I'd like to propose an idea of (at
> least partially) paid position of Security Officer, because we all
> need quick and efficient response in cases like that.
>
> FreeBSD Community has a good history of paying for work, many of us
> supported phk@ in 2004, and recently FreeBSD Foundation hired several
> people to work for all of us. Because I've no idea how Foundation had
> planned a budget for this year, I don't know if there is any money
> that can be allocated for that position. If not, maybe Foundation can
> conduct additional public fundraising for that purpose?
>
>
>
>
> --
> One of God's own prototypes. A high-powered mutant of some kind never
> even considered for mass production. Too weird to live, and too rare to
> die.
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 09 Apr 2014 15:25:04 +0200
> From: Dag-Erling Smørgrav <des at des.no>
> To: Pawel Biernacki <pawel.biernacki at gmail.com>
> Cc: freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <86fvlm7hzj.fsf at nine.des.no>
> Content-Type: text/plain; charset=utf-8
>
> Pawel Biernacki <pawel.biernacki at gmail.com> writes:
> > I understand that this is a voluntary role and you have other (real
> > life) responsibilities; that's why I'd like to propose an idea of (at
> > least partially) paid position of Security Officer, because we all
> > need quick and efficient response in cases like that.
>
> Having a paid Security Officer would not have made any difference.
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 09 Apr 2014 08:57:28 -0500
> From: Karl Denninger <karl at denninger.net>
> To: freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <534551C8.6030004 at denninger.net>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
>
> On 4/9/2014 8:25 AM, Dag-Erling Smørgrav wrote:
> > Pawel Biernacki <pawel.biernacki at gmail.com> writes:
> >> I understand that this is a voluntary role and you have other (real
> >> life) responsibilities; that's why I'd like to propose an idea of (at
> >> least partially) paid position of Security Officer, because we all
> >> need quick and efficient response in cases like that.
> > Having a paid Security Officer would not have made any difference.
> >
> > DES
> Agreed.
>
> In this particular case FreeBSD's team responded very quickly once the
> threat was known and a resolution path was made available in a very
> expeditious fashion.
>
> The real problem here is the depth of damage and the amount of work to
> rectify it, particularly for those who have certificates issued by
> someone else where **they** may have been compromised.  But this has
> nothing to do with FreeBSD.
>
> --
> -- Karl
> karl at denninger.net
>
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 2711 bytes
> Desc: S/MIME Cryptographic Signature
> URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140409/859bf373/attachment-0001.bin>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 9 Apr 2014 16:21:36 +0200
> From: Zoran Kolic <zkolic at sbb.rs>
> To: freebsd-security at freebsd.org
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <20140409142136.GA871 at faust.sbb.rs>
> Content-Type: text/plain; charset=us-ascii
>
> Advisory claims 10.0 only to be affected. Patches to
> branch 9 are not of importance on the same level?
>
>                             Zoran
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 09 Apr 2014 09:25:59 -0500
> From: Karl Denninger <karl at denninger.net>
> To: freebsd-security at freebsd.org
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <53455877.5020006 at denninger.net>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
>
> On 4/9/2014 9:21 AM, Zoran Kolic wrote:
> > Advisory claims 10.0 only to be affected. Patches to
> > branch 9 are not of importance on the same level?
> >
> >                              Zoran
> >
> 9 (and before) were only impacted if you loaded the newer OpenSSL from
> ports.  A fair number of people did, however, as a means of preventing
> BEAST attack vectors.
>
> If you did, then you need to update that and have all your private keys
> re-issued.  If you did not then you never had the buggy code in the
> first place.
>
> --
> -- Karl
> karl at denninger.net
>
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 2711 bytes
> Desc: S/MIME Cryptographic Signature
> URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140409/29a9014a/attachment-0001.bin>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 09 Apr 2014 13:36:28 +0000 (GMT)
> From: Kimmo Paasiala <kpaasial at icloud.com>
> To: Pawel Biernacki <pawel.biernacki at gmail.com>
> Cc: "Dag-Erling Smørgrav" <des at des.no>, freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <9eeba1ab-2ab0-4188-82aa-686c5573a5db at me.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On Apr 09, 2014, at 03:25 PM, Dag-Erling Smørgrav <des at des.no> wrote:
>
> Pawel Biernacki <pawel.biernacki at gmail.com> writes:
> > I understand that this is a voluntary role and you have other (real
> > life) responsibilities; that's why I'd like to propose an idea of (at
> > least partially) paid position of Security Officer, because we all
> > need quick and efficient response in cases like that.
>
> Having a paid Security Officer would not have made any difference.
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
>
> Could everyone just please stop panicking and take an objective look on
> this issue. It took only one full DAY to come up with a fix and issue the
> security advisory. That's damn fast if you look at some of the commercial
> entities that face the exact same kind of issues and often struggle to even
> acknowledge that there is a problem they need to address and take sometimes
> weeks to release hotfixes.
>
> In my opinion this issue couldn't have been handled any better considering
> what it takes to do the job properly, congrats to the security team from me.
>
> -Kimmo
>
> ------------------------------
>
> Message: 7
> Date: Wed, 9 Apr 2014 10:39:40 -0400
> From: Gary Palmer <gpalmer at freebsd.org>
> To: Zoran Kolic <zkolic at sbb.rs>
> Cc: freebsd-security at freebsd.org
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <20140409143940.GA15884 at in-addr.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Apr 09, 2014 at 04:21:36PM +0200, Zoran Kolic wrote:
> > Advisory claims 10.0 only to be affected. Patches to
> > branch 9 are not of importance on the same level?
>
> The version of OpenSSL shipped in the base FreeBSD code prior to 10.0
> is not vulnerable to the Heartbeat attack, however there is a different
> vulnerability which *is* in 8.x and 9.x and was documented in the advisory
> as [CVE-2014-0076]
>
> You should update 8.x and 9.x systems also, even though the vulnerability
> there is probably not as easy to exploit as the Heartbeat attack.
>
> Regards,
>
> Gary
>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 9 Apr 2014 15:47:25 +0100
> From: "Steven Hartland" <killing at multiplay.co.uk>
> To: "Karl Denninger" <karl at denninger.net>,
>         <freebsd-security at freebsd.org>
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <8A7E8A9A8B034A3498601347FFFF088C at multiplay.co.uk>
> Content-Type: text/plain; format=flowed; charset="Windows-1252";
>         reply-type=response
>
> ----- Original Message -----
> From: "Karl Denninger" <karl at denninger.net>
>
>
>
> On 4/9/2014 9:21 AM, Zoran Kolic wrote:
> >> Advisory claims 10.0 only to be affected. Patches to
> >> branch 9 are not of importance on the same level?
> >>
> >>
> > 9 (and before) were only impacted if you loaded the newer OpenSSL from
> > ports.  A fair number of people did, however, as a means of preventing
> > BEAST attack vectors.
> >
> > If you did, then you need to update that and have all your private keys
> > re-issued.  If you did not then you never had the buggy code in the
> > first place.
>
> Actually they are vulnerable without any ports install, just not to
> CVE-2014-0160, only CVE-2014-0076, both of which were fixed by
> SA-14:06.openssl
>
>     Regards
>     Steve
>
>
> ------------------------------
>
> Message: 9
> Date: Wed, 09 Apr 2014 09:50:25 -0500
> From: Karl Denninger <karl at denninger.net>
> To: Steven Hartland <killing at multiplay.co.uk>,
>         freebsd-security at freebsd.org
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <53455E31.90100 at denninger.net>
> Content-Type: text/plain; charset="windows-1252"; Format="flowed"
>
>
> On 4/9/2014 9:47 AM, Steven Hartland wrote:
> > ----- Original Message ----- From: "Karl Denninger" <karl at denninger.net>
> >
> >
> >
> > On 4/9/2014 9:21 AM, Zoran Kolic wrote:
> >>> Advisory claims 10.0 only to be affected. Patches to
> >>> branch 9 are not of importance on the same level?
> >>>
> >>>
> >> 9 (and before) were only impacted if you loaded the newer OpenSSL
> >> from ports.  A fair number of people did, however, as a means of
> >> preventing BEAST attack vectors.
> >>
> >> If you did, then you need to update that and have all your private
> >> keys re-issued.  If you did not then you never had the buggy code in
> >> the first place.
> >
> > Actually they are vulnerable without any ports install, just not to
> > CVE-2014-0160, only CVE-2014-0076, both of which were fixed by
> > SA-14:06.openssl
> >
> >    Regards
> >    Steve
> Good point -- there is that other advisory in there so "base" 8.x and
> 9.x users should update as well.
>
> However, the other problem does not involve the same sort of
> vulnerability to remote "grabs" of data, including authentication
> credentials (and worse, private key data.)
>
> --
> -- Karl
> karl at denninger.net
>
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 2711 bytes
> Desc: S/MIME Cryptographic Signature
> URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140409/71c79a00/attachment-0001.bin>
>
> ------------------------------
>
> Message: 10
> Date: Wed, 9 Apr 2014 15:57:09 +0200
> From: Big Lebowski <spankthespam at gmail.com>
> To: freebsd-security at freebsd.org
> Subject: Re: Proposal (Was: Re: FreeBSD Security Advisory
>         FreeBSD-SA-14:06.openssl)
> Message-ID: <CAHcXP+dnKwJJrarzjTA4_y9BOFCf5trPe9MAuM7KtCxhEQSU_w at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> > > I understand that this is a voluntary role and you have other (real
> > > life) responsibilities; that's why I'd like to propose an idea of (at
> > > least partially) paid position of Security Officer, because we all
> > > need quick and efficient response in cases like that.
> >
> > Having a paid Security Officer would not have made any difference.
>
> Do you care to elaborate on why it would not have made any difference? And,
> if possible, also on what could make one, if you have any ideas about
> that?
>
> I have to say that I agree with Paweł fully, I would love to see such
> things being handled way faster and to be better communicated, if
> they're 'on their way' and I also believe having a paid Security Officer
> could help - but I am happy to get to know why I might be under a wrong
> impression.
>
> I also don't know if there's any chance of directing any money from
> this year's budget towards improving that situation, but I also like
> the idea of 'targeted' funding, where people get a chance to say
> where they want the money to be used, some sort of money democracy, I
> would say.
>
>
> Regards,
>
> Bl
>
>
> ------------------------------
>
> Message: 11
> Date: Wed, 9 Apr 2014 17:17:37 +0200
> From: Walter Hop <freebsd at spam.lifeforms.nl>
> To: Kimmo Paasiala <kpaasial at icloud.com>
> Cc: freebsd-security at freebsd.org, Dag-Erling Smørgrav <des at des.no>,
>         Pawel Biernacki <pawel.biernacki at gmail.com>
> Subject: Re: Proposal
> Message-ID: <8D81F198-36A7-47F4-B486-DA059910A6B4 at spam.lifeforms.nl>
> Content-Type: text/plain;       charset=windows-1252
>
> > In my opinion this issue couldn't have been handled any better
> > considering what it takes to do the job properly, congrats to the
> > security team from me.
> >
> > -Kimmo
>
> Please don't frame this as criticism of the security people, that's not
> fair. Of course we all congratulate them :)
>
> I think we're just interested in discussing what could be improved to
> improve response time and also make their lives better.
>
> Do we need moar Jenkins? Extra build boxes? More cash to keep people on
> retainer? Resources for training new people? Liaisons with other projects
> to improve prior notification channels? Etc.
>
> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their base
> about an hour later, FreeBSD base took around 24 hours. Not super bad, but
> I think it's safe to expect much more scrutiny of security-critical code in
> the coming years, so it looks like a good time to try to streamline if
> possible at all.
>
> The public attention for this and similar events may also provide a unique
> window of opportunity for soliciting extra resources from professional
> users (e.g. via a Foundation campaign).
>
> --
> Walter Hop | PGP key: https://lifeforms.nl/pgp
>
>
>
> ------------------------------
>
> Message: 12
> Date: Wed, 9 Apr 2014 16:29:13 +0100
> From: Pawel Biernacki <pawel.biernacki at gmail.com>
> To: freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <CAA3htvve4NNvmN0QOf6v4RwbT8PmGrSCFzNCbivfaEMN7J26Ow at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On 9 April 2014 15:32, Kimmo Paasiala <kpaasial at icloud.com> wrote:
> > Can you name some of those projects that claim to have such quick
> > response time? I'll be steering way clear of them knowing that they
> > don't test their security patches before releasing them. It's really
> > quite shocking to see that such unprofessional working attitude has
> > taken so firm hold in the open source world. What a pity.
>
>
> RedHat managed to provide the fix within 21 hours but apparently they
> knew very early about the issue. FreeBSD Security Team didn't? Why?
> You can _see_ the whole process on their bugzilla
> https://bugzilla.redhat.com/show_bug.cgi?id=1084875.
>
> On the other hand Xin Li acknowledged the issue answering a mail
> to freebsd-security@ on Monday at 21:02 UTC and then after 21 hours of
> _silence_ the fix was committed. They managed to release the fix 15
> hours before FreeBSD and I assume they test things before release
> because beside Fedora and CentOS they also have paying customers.
>
> Debian acknowledged the problem in the same time as FreeBSD according
> to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883 but they
> released fix very very quickly.
>
> Ports got the fix very quickly as well.
>
> Maybe it'll surprise you but there are still people using FreeBSD.
> What are we supposed to do when so@ is silent while scripts exploiting
> the issue are in the wild?
> We need more transparency here.
>
> --
> One of God's own prototypes. A high-powered mutant of some kind never
> even considered for mass production. Too weird to live, and too rare to
> die.
>
>
> ------------------------------
>
> Message: 13
> Date: Wed, 09 Apr 2014 16:37:42 +0100
> From: Joe Holden <lists at rewt.org.uk>
> To: freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <53456946.9030200 at rewt.org.uk>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> On 09/04/2014 16:17, Walter Hop wrote:
> >> In my opinion this issue couldn't have been handled any better
> >> considering what it takes to do the job properly, congrats to the
> >> security team from me.
> >>
> >> -Kimmo
> >
> > Please don't frame this as criticism of the security people, that's not
> > fair. Of course we all congratulate them :)
> >
> > I think we're just interested in discussing what could be improved to
> > improve response time and also make their lives better.
> >
> > Do we need moar Jenkins? Extra build boxes? More cash to keep people on
> > retainer? Resources for training new people? Liaisons with other projects
> > to improve prior notification channels? Etc.
> >
> > FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their
> > base about an hour later, FreeBSD base took around 24 hours. Not super bad,
> > but I think it's safe to expect much more scrutiny of security-critical
> > code in the coming years, so it looks like a good time to try to streamline
> > if possible at all.
> >
> > The public attention for this and similar events may also provide a
> > unique window of opportunity for soliciting extra resources from
> > professional users (e.g. via a Foundation campaign).
> >
> 24 hours for a fix that doesn't break ABI and is relatively simple (and
> proven to be fine by other distros) is horrendous for such a critical
> problem.  I mentioned this on twitter also, but there wasn't even a
> headsup from the SO until the patch went live.
>
>
> ------------------------------
>
> Message: 14
> Date: Wed, 09 Apr 2014 18:08:31 +0200
> From: Joe User <mailinglists at rootservice.org>
> To: freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <3g3r546WVbz62Xv at devnoip.rootservice.org>
> Content-Type: text/plain; charset=UTF-8
>
> On 09.04.2014 17:29, Pawel Biernacki wrote:
> > [snip]
> > We need more transparency here.
> >
>
> Please read this and other related threads and you'll understand that
> the FreeBSD-SecTeam had no real chance to react earlier than they did.
> http://seclists.org/oss-sec/2014/q2/22
>
> In fact, they were really fast, thanks therefor.
>
> Regards,
> Joe User
>
>
> ------------------------------
>
> Message: 15
> Date: Wed, 9 Apr 2014 09:28:46 -0700
> From: jungleboogie0 <jungleboogie0 at gmail.com>
> To: Walter Hop <freebsd at spam.lifeforms.nl>
> Cc: freebsd-security at freebsd.org, Pawel Biernacki
>         <pawel.biernacki at gmail.com>, Kimmo Paasiala <kpaasial at icloud.com>,
>         Dag-Erling Smørgrav <des at des.no>
> Subject: Re: Proposal
> Message-ID: <CAKE2PDuR9Av2HeYzQPbE+P2=eB1obY=aOSRrWtrjGLWynQSXCg at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Walter,
>
>
> On 9 April 2014 08:17, Walter Hop <freebsd at spam.lifeforms.nl> wrote:
> >> In my opinion this issue couldn't have been handled any better
> >> considering what it takes to do the job properly, congrats to the
> >> security team from me.
> >>
> >> -Kimmo
> >
> > Please don't frame this as criticism of the security people, that's not
> > fair. Of course we all congratulate them :)
> >
> > I think we're just interested in discussing what could be improved to
> > improve response time and also make their lives better.
> >
> > Do we need moar Jenkins? Extra build boxes? More cash to keep people on
> > retainer? Resources for training new people? Liaisons with other projects
> > to improve prior notification channels? Etc.
> >
> > FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their
> > base about an hour later, FreeBSD base took around 24 hours. Not super bad,
> > but I think it's safe to expect much more scrutiny of security-critical
> > code in the coming years, so it looks like a good time to try to streamline
> > if possible at all.
> >
>
> Please let us not forget that kernel.org was hacked and not detected
> for 17 days:
> http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
>
>
> I would rather wait 24 hours for a fix that's been verified and
> reviewed over having to re-update the system. It looks like many Linux
> distros had this updated before
> FreeBSD but it's a matter of hours we're talking about.
>
>
>
> > The public attention for this and similar events may also provide a
> > unique window of opportunity for soliciting extra resources from
> > professional users (e.g. via a Foundation campaign).
> >
> > --
> > Walter Hop | PGP key: https://lifeforms.nl/pgp
> >
>
>
> --
> -------
> inum: 883510009902611
> sip: jungleboogie at sip2sip.info
> xmpp: jungle-boogie at jit.si
>
>
> ------------------------------
>
> Message: 16
> Date: Wed, 9 Apr 2014 11:54:28 -0400
> From: ari edelkind <edelkind-list-freebsd-security at episec.com>
> To: freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <CAPxErSUkfJjS_kZcYb3gUbKZbcYwoGwC2O0gjRZmxNPpMPZ3TA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Wed, Apr 9, 2014 at 11:37 AM, Joe Holden wrote:
>
> > 24 hours for a fix that doesn't break ABI and is relatively simple (and
> > proven to be fine by other distros) is horrendous for such a critical
> > problem.  I mentioned this on twitter also, but there wasn't even a
> > headsup from the SO until the patch went live.
> >
>
> To give this some additional perspective, it took me approximately 30
> minutes to write a working exploit.
>
> Everyone makes a big deal out of private keys (which, admittedly, are a big
> deal), but i was able to collect usernames, passwords, session credentials,
> back-end single-sign-on credentials (e.g. client tokens), database
> passwords, and more from affected hosts -- all quite easily.
>
> ari
>
>
> ------------------------------
>
> Message: 17
> Date: Wed, 09 Apr 2014 19:28:53 +0200
> From: Dag-Erling Smørgrav <des at des.no>
> To: Walter Hop <freebsd at spam.lifeforms.nl>
> Cc: freebsd-security at freebsd.org, Kimmo Paasiala
>         <kpaasial at icloud.com>, Pawel Biernacki <pawel.biernacki at gmail.com>
> Subject: Re: Proposal
> Message-ID: <867g6y1kfe.fsf at nine.des.no>
> Content-Type: text/plain; charset=utf-8
>
> Walter Hop <freebsd at spam.lifeforms.nl> writes:
> > FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their
> > base about an hour later, FreeBSD base took around 24 hours.
>
> All Bryan had to do to update the port was change the version number in
> the Makefile, run "make makesum" and commit.  I assume that he did some
> testing as well, but apart from that, he probably spent more time
> writing the commit message than actually updating the port.
>
> Ubuntu is much the same, since they distribute OpenSSL as a package
> rather than part of the base system - they don't even _have_ a base
> system.
>
> RedHat had prior notice since one of the OpenSSL devs is on their
> security team.  They had an update ready to roll out before the issue
> was leaked (the builds are dated 2014-04-07 11:34:45 UTC), and were
> basically just waiting for the announcement, which was originally
> planned for today.
>
> To update OpenSSL in the FreeBSD base system, Xin first had to verify
> which FreeBSD releases were vulnerable and which weren't.  He then had
> to obtain, verify, apply and test a patch for head, stable/10 and
> releng/10.0.  Next, he had to upload the patch to the freebsd-update
> build servers and start the builds, which take several hours.  Once the
> builds were done, he had to sign them and move them to the master
> server, from which they propagated to the mirrors, and then sign the
> release.
>
> Once the builds were ready to go, he moved into a phase where everything
> had to happen more or less simultaneously: commit the patches, finalize
> the advisory (which contains revision numbers and timestamps), sign it,
> then commit the advisory and the patch to the doc tree, update the
> relevant portions of the web site, wait for them to propagate (or grab a
> passing member of clusteradm@ and have them push it through manually),
> and finally mail out the advisory.
>
> Bonus points for updating vuln.xml and liaising with MITRE / CMU CERT /
> NVD / what have you.
>
> And yes, he has a whole team, but apart from writing the advisory (which
> is a lot more work than you'd think), this process is pretty much
> single-threaded.  The best you can hope for is to have someone relieve
> you while you eat and sleep.
>
> And while everybody is running around yelling OMG THE INTERNET IS ON
> FIRE and calling this an unprecedented event, I'm sitting here with a
> strong sense of déjà vu, because this sort of thing actually happens
> quite often.  Off the top of my head, I can think of two advisories last
> year - out of 14 - that were more or less rushed out in a panic.
>
> DES (so@ on sabbatical)
> --
> Dag-Erling Smørgrav - des at des.no
>
>
> ------------------------------
>
> Message: 18
> Date: Wed, 9 Apr 2014 18:50:33 +0100
> From: Pawel Biernacki <pawel.biernacki at gmail.com>
> To: jungleboogie0 <jungleboogie0 at gmail.com>
> Cc: freebsd-security at freebsd.org, Kimmo Paasiala
>         <kpaasial at icloud.com>, Walter Hop <freebsd at spam.lifeforms.nl>,
>         Dag-Erling Smørgrav <des at des.no>
> Subject: Re: Proposal
> Message-ID: <CAA3htvss=2UkiEYF+V2+nUY2iacBJwbJVEp66cvLbh4nX_vgZQ at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On 9 April 2014 17:28, jungleboogie0 <jungleboogie0 at gmail.com> wrote:
> >
> > Please let us not forget that kernel.org was hacked and not detected
> > for 17 days:
> > http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
>
> I don't know why you're bringing it up here, because FreeBSD had a
> similar problem some time ago
> (http://www.freebsd.org/news/2012-compromise.html) and I think that we
> had learnt a lot from it.
>
> > I would rather wait 24 hours for a fix that's been verified and
> > reviewed over having to re-update the system. It looks like many Linux
> > distros had this updated before
> > FreeBSD but it's a matter of hours we're talking about.
> >
>
> --
> One of God's own prototypes. A high-powered mutant of some kind never
> even considered for mass production. Too weird to live, and too rare to
> die.
>
>
> ------------------------------
>
> Message: 19
> Date: Wed, 09 Apr 2014 19:53:10 +0200
> From: Dag-Erling Smørgrav <des at des.no>
> To: Pawel Biernacki <pawel.biernacki at gmail.com>
> Cc: freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <86txa2z8xl.fsf at nine.des.no>
> Content-Type: text/plain; charset=utf-8
>
> Pawel Biernacki <pawel.biernacki at gmail.com> writes:
> > RedHat managed to provide the fix within 21 hours but apparently they
> > knew very early about the issue.  FreeBSD Security Team didn't?  Why?
> > You can _see_ the whole process on their bugzilla
> > https://bugzilla.redhat.com/show_bug.cgi?id=1084875.
>
> No you can't.  That ticket is just window dressing.  By the time it was
> created, RedHat had known about the issue for at least a week, and
> probably more.
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
>
>
> ------------------------------
>
> Message: 20
> Date: Wed, 09 Apr 2014 20:00:01 +0200
> From: Joe User <mailinglists at rootservice.org>
> To: freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <3g3tYW2jPgz62Y0 at devnoip.rootservice.org>
> Content-Type: text/plain; charset=UTF-8
>
> On 09.04.2014 19:53, Dag-Erling Smørgrav wrote:
> > Pawel Biernacki <pawel.biernacki at gmail.com> writes:
> >> RedHat managed to provide the fix within 21 hours but apparently they
> >> knew very early about the issue.  FreeBSD Security Team didn't?  Why?
> >> You can _see_ the whole process on their bugzilla
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1084875.
> >
> > No you can't.  That ticket is just window dressing.  By the time it was
> > created, RedHat had known about the issue for at least a week, and
> > probably more.
> >
> > DES
> >
>
> According to Kurt's post on oss-sec, RedHat didn't know it before others.
>
> Regards,
> Joe User
>
>
> ------------------------------
>
> Message: 21
> Date: Wed, 9 Apr 2014 19:00:52 +0100
> From: Pawel Biernacki <pawel.biernacki at gmail.com>
> To: joeuser at rootservice.org
> Cc: freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <CAA3htvtSOGdfUQY9SiAQu5SUzgRxs6izyLjjMPWtKao8HjJo+w at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On 9 April 2014 17:08, Joe User <mailinglists at rootservice.org> wrote:
> > On 09.04.2014 17:29, Pawel Biernacki wrote:
> >> [snip]
> >> We need more transparency here.
> >>
> >
> > Please read this and other related threads and you'll understand that
> > the FreeBSD-SecTeam had no real chance to react earlier than they did.
> > http://seclists.org/oss-sec/2014/q2/22
> >
> > In fact, they were really fast; thanks for that.
>
> Interesting reading, thank you. But if the FreeBSD SO wasn't on the
> mentioned list, it's an argument for a paid position, because that can
> help develop a more efficient social network in the future ;-).
>
> --
> One of God's own prototypes. A high-powered mutant of some kind never
> even considered for mass production. Too weird to live, and too rare to
> die.
>
>
> ------------------------------
>
> Message: 22
> Date: Wed, 9 Apr 2014 11:04:23 -0700
> From: jungleboogie0 <jungleboogie0 at gmail.com>
> To: Pawel Biernacki <pawel.biernacki at gmail.com>
> Cc: freebsd-security at freebsd.org, Kimmo Paasiala
>         <kpaasial at icloud.com>, Walter Hop <freebsd at spam.lifeforms.nl>,
>         Dag-Erling Smørgrav <des at des.no>
> Subject: Re: Proposal
> Message-ID: <CAKE2PDsRa15+=qZNLJPkdTaDJNJn6hkmgVLg+5T9dFdHAh53ew at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Pawel,
>
>
>
> On 9 April 2014 10:50, Pawel Biernacki <pawel.biernacki at gmail.com> wrote:
> > On 9 April 2014 17:28, jungleboogie0 <jungleboogie0 at gmail.com> wrote:
> >>
> >> Please let us not forget that kernel.org was hacked and not detected
> >> for 17 days:
> http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
> >
> > I don't know why you're bringing it up here, because FreeBSD had a
> > similar problem some time ago
> > (http://www.freebsd.org/news/2012-compromise.html) and I think that we
> > learnt a lot from it.
> >
>
> Interesting, I didn't know these were identical in nature. Thanks!
>
>
> >> I would rather wait 24 hours for a fix that's been verified and
> >> reviewed over having to re-update the system. It looks like many Linux
> >> distros had this updated before
> >> FreeBSD, but it's a matter of hours we're talking about.
> >>
> >
> > --
> > One of God's own prototypes. A high-powered mutant of some kind never
> > even considered for mass production. Too weird to live, and too rare to
> > die.
>
>
>
> --
> -------
> inum: 883510009902611
> sip: jungleboogie at sip2sip.info
> xmpp: jungle-boogie at jit.si
>
>
> ------------------------------
>
> Message: 23
> Date: Wed, 9 Apr 2014 19:15:46 +0100
> From: Pawel Biernacki <pawel.biernacki at gmail.com>
> To: Dag-Erling Smørgrav <des at des.no>
> Cc: freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <CAA3htvtKGXhvoJ_k6VvqeeuhN40QF+guZfGNhakXrqqiT=iPFQ at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On 9 April 2014 18:53, Dag-Erling Smørgrav <des at des.no> wrote:
> > Pawel Biernacki <pawel.biernacki at gmail.com> writes:
> >> RedHat managed to provide the fix within 21 hours but apparently they
> >> knew very early about the issue.  FreeBSD Security Team didn't?  Why?
> >> You can _see_ the whole process on their bugzilla
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1084875.
> >
> > No you can't.  That ticket is just window dressing.  By the time it was
> > created, RedHat had known about the issue for at least a week, and
> > probably more.
> >
>
> According to http://seclists.org/oss-sec/2014/q2/36 RedHat learnt
> about it on 7th March and after that the bugzilla entry was created. I
> assume that it was marked as private and inaccessible to other users
> for a few hours until the release of the SA, but at least we have some
> trace of what was done.
>
>
> --
> One of God's own prototypes. A high-powered mutant of some kind never
> even considered for mass production. Too weird to live, and too rare to
> die.
>
>
> ------------------------------
>
> Message: 24
> Date: Wed, 09 Apr 2014 20:02:55 +0200
> From: "leon at tuco" <leon at tucoinfo.fr>
> To: Dag-Erling Sm?rgrav <des at des.no>, Pawel Biernacki
>         <pawel.biernacki at gmail.com>
> Cc: freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <53458B4F.5070908 at tucoinfo.fr>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 09/04/2014 19:53, Dag-Erling Smørgrav wrote:
> > Pawel Biernacki <pawel.biernacki at gmail.com> writes:
> >> RedHat managed to provide the fix within 21 hours but apparently they
> >> knew very early about the issue.  FreeBSD Security Team didn't?  Why?
> >> You can _see_ the whole process on their bugzilla
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1084875.
> > No you can't.  That ticket is just window dressing.  By the time it was
> > created, RedHat had known about the issue for at least a week, and
> > probably more.
> Who cares, nobody found it in 2 years and we are squabbling about a few
> hours or days!
>
> I am much more worried about the late-coming journalists who are
> starting to freak out any Internet credit card user. That is really bad
> for e-commerce - in addition to these depressing last years of financial
> crisis.
>
> Thank you for your efforts and I will definitely continue using FreeBSD.
>
>
> ------------------------------
>
> Message: 25
> Date: Wed, 9 Apr 2014 15:44:53 -0400
> From: Nathan Dorfman <na at rtfm.net>
> To: Dag-Erling Smørgrav <des at des.no>
> Cc: freebsd-security at freebsd.org, Kimmo Paasiala
>         <kpaasial at icloud.com>, Walter Hop <freebsd at spam.lifeforms.nl>,
>         Pawel Biernacki <pawel.biernacki at gmail.com>
> Subject: Re: Proposal
> Message-ID: <CADgEyUstkxO1i_B9Qsw=K9qT=nrh9evhv8VekMdNKauOQFN6dg at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> First, the (unfortunately) necessary disclaimer: this is an honest
> question to satisfy my curiosity, nothing more. Absolutely no
> criticism of anyone is intended.
>
> Is it implausible to suggest that before embarking on the task of
> backporting, reviewing, testing and releasing the actual fix, an
> announcement could have been made immediately with the much simpler
> workaround of adding -DOPENSSL_NO_HEARTBEATS to the OpenSSL compiler
> flags?
>
> Given the severity of the issue, it doesn't seem that an immediate
> advisory stating "here's an immediate workaround, a full fix will be
> coming in the next day or two" would be terribly inappropriate.
> Perhaps this workaround would have required more testing than I
> imagine, but surely it'd be a tiny fraction of the time required to
> release the full fix?
>
> While I'm out here drawing fire, I might as well also ask if I'm crazy
> to think that it might be a good idea for the base system OpenSSL (and
> other third party imports) to just disable any and all non-essential
> functionality that can be disabled at compile time? Non-essential
> meaning everything not required for the base system to function --
> there's always the ports version if anyone needs more.
>
> Thanks for your thoughts, and of course, your ongoing efforts. They
> are much appreciated.
>
> -nd.
>
>
> ------------------------------
>
> Message: 26
> Date: Wed, 09 Apr 2014 20:38:39 +0100
> From: Matthew Seaman <matthew at FreeBSD.org>
> To: freebsd-security at freebsd.org
> Subject: Re: Proposal
> Message-ID: <5345A1BF.2030809 at FreeBSD.org>
> Content-Type: text/plain; charset="utf-8"
>
> On 09/04/2014 18:28, Dag-Erling Smørgrav wrote:
> > RedHat had prior notice since one of the OpenSSL devs is on their
> > security team.  They had an update ready to roll out before the issue
> > was leaked (the builds are dated 2014-04-07 11:34:45 UTC), and were
> > basically just waiting for the announcement, which was originally
> > planned for today.
>
> Didn't we (FreeBSD) have any advance knowledge?  There is at least one
> FreeBSD committer who is also an OpenSSL developer...
>
>         Cheers,
>
>         Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey
>
>
>
> ------------------------------
>
> Message: 27
> Date: Wed, 09 Apr 2014 22:12:29 +0200
> From: Dag-Erling Smørgrav <des at des.no>
> To: Nathan Dorfman <na at rtfm.net>
> Cc: freebsd-security at freebsd.org, Kimmo Paasiala
>         <kpaasial at icloud.com>, Walter Hop <freebsd at spam.lifeforms.nl>,
>         Pawel Biernacki <pawel.biernacki at gmail.com>
> Subject: Re: Proposal
> Message-ID: <86d2gqz2he.fsf at nine.des.no>
> Content-Type: text/plain; charset=utf-8
>
> Nathan Dorfman <na at rtfm.net> writes:
> > Is it implausible to suggest that before embarking on the task of
> > backporting, reviewing, testing and releasing the actual fix, an
> > announcement could have been made immediately with the much simpler
> > workaround of adding -DOPENSSL_NO_HEARTBEATS to the OpenSSL compiler
> > flags?
>
> No, that's not implausible, although I don't know whether that
> workaround was known at the time.  It seems obvious in retrospect, but
> may not have been that obvious under pressure.  Was it mentioned in the
> OpenSSL advisory?
>
> If all you wanted to hear was "we're working on it", well, Xin did write
> that almost on -security exactly 48 hours ago.
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
>
>
> ------------------------------
>
> Message: 28
> Date: Wed, 09 Apr 2014 22:13:23 +0200
> From: Dag-Erling Smørgrav <des at des.no>
> To: Nathan Dorfman <na at rtfm.net>
> Cc: freebsd-security at freebsd.org, Walter Hop
>         <freebsd at spam.lifeforms.nl>, Kimmo Paasiala <kpaasial at icloud.com>,
>         Pawel Biernacki <pawel.biernacki at gmail.com>
> Subject: Re: Proposal
> Message-ID: <868urez2fw.fsf at nine.des.no>
> Content-Type: text/plain; charset=utf-8
>
> Dag-Erling Smørgrav <des at des.no> writes:
> > If all you wanted to hear was "we're working on it", well, Xin did write
> > that almost on -security exactly 48 hours ago.
>
> s/that almost on -security/that on -security almost/
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
>
>
> ------------------------------
>
> Message: 29
> Date: Wed, 09 Apr 2014 13:20:42 -0700
> From: Xin Li <delphij at delphij.net>
> To: Dag-Erling Smørgrav <des at des.no>, Nathan Dorfman <na at rtfm.net>
> Cc: freebsd-security at freebsd.org, Walter Hop
>         <freebsd at spam.lifeforms.nl>, Kimmo Paasiala <kpaasial at icloud.com>,
>         Pawel Biernacki <pawel.biernacki at gmail.com>
> Subject: Re: Proposal
> Message-ID: <5345AB9A.8040001 at delphij.net>
> Content-Type: text/plain; charset=UTF-8
>
> On 04/09/14 13:12, Dag-Erling Smørgrav wrote:
> > Nathan Dorfman <na at rtfm.net> writes:
> >> Is it implausible to suggest that before embarking on the task
> >> of backporting, reviewing, testing and releasing the actual fix,
> >> an announcement could have been made immediately with the much
> >> simpler workaround of adding -DOPENSSL_NO_HEARTBEATS to the
> >> OpenSSL compiler flags?
> >
> > No, that's not implausible, although I don't know whether that
> > workaround was known at the time.  It seems obvious in retrospect,
> > but may not have been that obvious under pressure.  Was it
> > mentioned in the OpenSSL advisory?
>
> The OpenSSL advisory did mention it.
>
> I didn't mention the workaround because I had posted our patch (ported
> and committed to the secteam repo pending review at about 13:00 PDT I
> think, which was later revised because of another unrelated CVE), and the
> workaround also requires a recompile.  Moreover, the patch would provide
> better protection because it changes the code so NO_CLEAN= won't skip
> it in an incremental build, while with -DOPENSSL_NO_HEARTBEATS it's
> possible that the user can mistakenly miss the fix.
>
> Cheers,
> --
> Xin LI <delphij at delphij.net>    https://www.delphij.net/
> FreeBSD - The Power to Serve!           Live free or die
>
>
> ------------------------------
>
> Message: 30
> Date: Wed, 09 Apr 2014 22:20:55 +0200
> From: Dag-Erling Smørgrav <des at des.no>
> To: Pawel Biernacki <pawel.biernacki at gmail.com>
> Cc: freebsd-security at freebsd.org, joeuser at rootservice.org
> Subject: Re: Proposal
> Message-ID: <8638hmz23c.fsf at nine.des.no>
> Content-Type: text/plain; charset=utf-8
>
> Pawel Biernacki <pawel.biernacki at gmail.com> writes:
> > Joe User <mailinglists at rootservice.org> writes:
> > > http://seclists.org/oss-sec/2014/q2/22
> > Interesting lecture, thank you. But if FreeBSD SO wasn't on the
> > mentioned list [...]
>
> We are.  By my reckoning, Xin posted on -security that he was aware of
> the issue and working on it less than two hours after that announcement.
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org
> "
>
> ------------------------------
>
> End of freebsd-security Digest, Vol 482, Issue 4
> ************************************************
>

