security or lack thereof
Jacques Vidrine
nectar at FreeBSD.org
Wed Mar 23 07:06:31 PST 2005
On 3/22/05 9:04 PM, John Nemeth wrote:
> So, is it FreeBSD policy to ignore security bug reports? I sent
> the following bug report to security at freebsd.org on Feb. 19th, 2005 and
> it still hasn't been acted on. This total lack of action on an
> extremely simple (and silly) three year old bug doesn't give one the
> warm fuzzies. Heck, it took 48 hours to get a response from a security
> officer, and another 24 hours to get something from the guilty
> developer.
Hi John,
I'm sorry for the delay. I could give you a list of excuses, but
suffice it to say that the "simple (and silly)" bug had lower priority
than several other issues in our queue. We should have sent you a
status update, though: that's my fault. Better late than never, I hope?
Initially we believed the bug was more serious than you had reported,
since it has an evil side-effect (sets pw_uid to 0). However, we
discovered that due to a second bug the impact was limited. Saved by
dumb luck (^_^). Anyway, as you might know, we are in a code freeze for
5.4. Coincidentally, just yesterday we asked the Release Engineering
team for (and received) permission to apply a fix for 5.4-RELEASE. So
you will see the issue addressed shortly. The correct fix is a bit more
subtle than that suggested in your original message.
I guess I should also mention that we've discussed removing rexec/rexecd
entirely (for 6.x releases), since it has been deprecated for over 6
years, and the documentation has discouraged its use for over 11 years.
Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar at celabo.org / jvidrine at verio.net / nectar at FreeBSD.org