versions and up-to-date...

Peter Pentchev roam at ringlet.net
Thu Aug 7 08:23:22 PDT 2003


On Thu, Aug 07, 2003 at 09:49:42AM -0500, freebsd at critesclan.com wrote:
> On Thu, Aug 07, 2003 at some time lost in the quoting, I wrote:
> > On Thu, Aug 07, 2003 at 08:50:56AM -0400, Francisco Reyes wrote:
> > > On Wed, 6 Aug 2003, Jacques A. Vidrine wrote:
> > >
> > > > Sounds like you cvsup'd RELENG_4, not RELENG_4_8.
> > >
> > >
> > > I went back to the handbook to read the difference between these two.
> > > If I understand correct RELENG_4 is basically the latest of the 4.X
> > > branch. The RELENG_# are basically only security patches for a particular
> > > 4.# release. Do I understand it correctly?
> > 
> > If you meant RELENG_4_# where you said RELENG_#, then yes, this is
> > correct.  The RELENG_4 branch was not affected, since shortly after
> > FreeBSD 4.8-RELEASE was out, a new version of realpath(3) was imported
> > into the tree, and it did not have this problem.
> > 
> > Thus, if you have a reasonably recent -STABLE (you seem to, since you
> > mention realpath.c rev. 1.9.2.2), there's nothing to fear - not for
> > this problem, at least.
> 
> This is not really a security related issue, but since we're talking about
> releases and such, it kind of ties in. I do a CVSup every week, using the
> "tag=." method. It is my assumption that I am getting the
> latest-and-greatest version, so I'm on the bleeding edge of the 5.X system.
> Is that correct?

Yes, that is correct; of course, this also means that you are liable to
get hit at any time by any temporary instability in the couple of hours
or days before it is fixed (this is -CURRENT, after all), but I'd say
that the new features, development and bugfixes kind of offset that
danger... most of the time :)

> Further, I assume that as soon as any security patch is
> available, I will get it as well, since I'm keeping up-to-date with the
> latest-and-greatest.

Yes.  Actually, if you update your system regularly, you'll probably get
the fix well *before* the time it is announced.  This is in some degree
also true for those who track -STABLE (RELENG_4 for the present,
RELENG_4 and RELENG_5 in the near future): security fixes are backported
relatively quickly, and are given some (not much, but still some time)
to be "shaken out" - tested by the early adopters around the world -
before they are merged into the real security branches and announced.
This time is usually on the order of a day or three, sometimes only a
couple of hours, and sometimes it may be more, depending on the
particular problem and the way its disclosure is coordinated with the
other OS and software vendors.

This is just my opinion as a FreeBSD user.  Maybe I should not really be
the one to comment on this - if I've messed things up horribly, the
Security Officer team should feel free to put me straight :)

G'luck,
Peter

-- 
Peter Pentchev	roam at ringlet.net    roam at sbnd.net    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Thit sentence is not self-referential because "thit" is not a word.
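As an added illustration, not part of the original thread: the three cvsup tags discussed above written out as supfile lines, plus two small sh helpers, one that reads the `*default tag=` value from a supfile and one that reads the CVS revision out of a source file's `$FreeBSD$` id line (which is how one tells, for instance, which realpath.c a tree carries). The host name in the supfile fragment and the sample file contents used in the comments are assumed/constructed.

```shell
# Supfile fragments for the three choices in the thread (host is assumed):
#   *default host=cvsup.FreeBSD.org base=/usr prefix=/usr release=cvs
#   *default tag=.             # -CURRENT: newest code, occasional breakage
#   *default tag=RELENG_4      # 4-STABLE: new work plus backported fixes
#   *default tag=RELENG_4_8    # 4.8 security branch: security fixes only

# Describe a cvsup tag the way the thread characterises the branches.
# Returns 1 for a tag that is none of the three shapes.
describe_tag() {
    case "$1" in
        .)                   echo "-CURRENT (tag=.): newest code, may be temporarily unstable" ;;
        RELENG_[0-9])        echo "-STABLE ($1): development branch, fixes backported early" ;;
        RELENG_[0-9]_[0-9]*) echo "security branch ($1): security/errata fixes only" ;;
        *)                   echo "unknown tag: $1"; return 1 ;;
    esac
}

# Print the tag from the first "*default ... tag=..." line of a supfile.
# Prints nothing and returns 1 if the supfile sets no tag.
supfile_tag() {
    sed -n 's/^\*default[[:space:]].*tag=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1 | grep .
}

# Print the CVS revision recorded in a file's $FreeBSD$ id, e.g. from a
# (constructed) line such as
#   __FBSDID("$FreeBSD: src/lib/libc/stdlib/realpath.c,v 1.9.2.2 2003/01/01 00:00:00 user Exp $");
# this prints 1.9.2.2. Prints nothing and returns 1 if no id is present.
fbsd_revision() {
    sed -n 's/.*\$FreeBSD: [^ ]*,v \([0-9][0-9.]*\) .*/\1/p' "$1" | head -n 1 | grep .
}

# Quick demonstration of the three tags when the file is run directly.
for t in . RELENG_4 RELENG_4_8; do
    describe_tag "$t"
done
```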