New security policy for FreeBSD 3.x

FreeBSD Security Advisories security-advisories at
Sun Nov 19 19:51:57 PST 2000


The FreeBSD Security Officer would like to announce a change in policy
regarding security support for the FreeBSD 3.x branch.

Due to the frequent difficulties encountered in fixing the old code
contained in FreeBSD 3.x, we will no longer be requiring security
problems to be fixed in that branch prior to the release of an
advisory that also pertains to FreeBSD 4.x.  In recent months this
requirement has led to delays in the release of advisories, which
negatively impacts users of the current FreeBSD release branch
(FreeBSD 4.x).

Security fixes which are committed to FreeBSD 3.5.1-STABLE prior to
the advisory release will be included in the advisory, but the
advisory release will not be delayed awaiting a fix in the 3.x branch
when a fix is already in place in FreeBSD 4.x.  Serious
vulnerabilities will result in a reissue of the advisory once the
problem is corrected in 3.5.1-STABLE.  For less serious
vulnerabilities a notification will be sent to the
freebsd-security at mailing list only, to reduce overall
subscriber traffic on the freebsd-security-notifications and
freebsd-announce mailing lists.

We will continue endeavouring to ensure that applicable security fixes
are merged back to the 3.x branch by FreeBSD developers, and to work
with them to develop or merge the appropriate fix prior to the
advisory release, however as the 3.x branch is approaching end of life
we anticipate that there may be an increasing time lag between the
time of fix of a vulnerability in 4.x and when it is backported to
3.x.  Given this reality, users are encouraged to consider plans to
migrate security-critical systems to the 4.x branch over the coming

FreeBSD committers who are interested in providing security support
for older branches of FreeBSD should contact the Security Officer and
they will be kept informed of fixes which require merging to the older

Comments on this policy are welcomed - please reply to
security-officer at


Kris Kennaway
FreeBSD Security Officer

