reporter on deadline seeks comment about reported security bug in FreeBSD

Michael Powell nightrecon at
Tue Sep 15 03:01:34 UTC 2009

Matthew Seaman wrote:

> Mikel King wrote:
>> Hasn't 6.x been End Of Lifed? I mean considering that 8.0 is expected to
>> be released either later this month or early next, and 6.x will be
>> officially retired at that time, is it possible that this was
>> overlooked? Personally I don't think it's ever good to overlook
>> security, especially in the case of a root exploit.
> Nope.  6.3 (RELENG_6_3) will be supported until at least 31 January 2010
> while 6.4 (RELENG_6_4) and 6-STABLE (RELENG_6) will be supported until at
> least 30 November 2010 by the Security team.
> There are no more releases planned from the RELENG_6 branch, but that's
> not the same as 'unsupported' -- patches and advisories will be issued
> until the dates listed, and quite usually beyond that.

Quoted from

 "The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
 was not recognized as security vulnerability."

So if the bug no longer exists in the non-EOL 6.3/6.4 there is nothing to 
fix. Seems to me this is more about not getting due credit and a writer who 
doesn't grok. 

The posting to security was a forward done by another individual, since the 
original discoverer notified the FreeBSD Foundation instead of the security 
team. Since the FreeBSD foundation is largely administrative and not the 
correct entity to notify, it is not surprising they did not reply.

The writer sounds like he is attempting to spin the SNAFU into a "they knew 
about a security vulnerability and did nothing..." story. Self serving for 
him, headline grabbing and sensationalist for sure, but not true as it was 
quickly addressed at the time.

This is water under the bridge and a writer flogging a dead horse.


More information about the freebsd-questions mailing list