reporter on deadline seeks comment about reported security bug in FreeBSD
Michael Powell
nightrecon at hotmail.com
Tue Sep 15 03:01:34 UTC 2009
Matthew Seaman wrote:
> Mikel King wrote:
>
>> Hasn't 6.x been End Of Lifed? I mean considering that 8.0 is expected to
>> be released either later this month or early next, and 6.x will be
>> officially retired at that time, is it possible that this was
>> overlooked? Personally I don't think it's ever good to overlook
>> security, especially in the case of a root exploit.
>
> Nope. 6.3 (RELENG_6_3) will be supported until at least 31 January 2010
> while 6.4 (RELENG_6_4) and 6-STABLE (RELENG_6) will be supported until at
> least 30 November 2010 by the Security team.
>
> There are no more releases planned from the RELENG_6 branch, but that's
> not the same as 'unsupported' -- patches and advisories will be issued
> until the dates listed, and quite usually beyond that.
>
Quoted from ~freebsd.security.general:
"The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
was not recognized as security vulnerability."
So if the bug no longer exists in the non-EOL 6.3/6.4 there is nothing to
fix. Seems to me this is more about not getting due credit and a writer who
doesn't grok.
The posting to security was a forward done by another individual, since the
original discoverer notified the FreeBSD Foundation instead of the security
team. Since the FreeBSD Foundation is largely administrative and not the
correct entity to notify, it is not surprising they did not reply.
The writer sounds like he is attempting to spin the SNAFU into a "they knew
about a security vulnerability and did nothing..." story. Self-serving for
him, headline-grabbing and sensationalist for sure, but not true, as it was
quickly addressed at the time.
This is water under the bridge and a writer flogging a dead horse.
-Mike