Fwd: FreeBSD hiding security stuff

Devon H. O'Dell dodell at sitetronics.com
Fri Mar 4 13:28:21 GMT 2005

On Fri, 2005-03-04 at 07:58 -0500, Mike Tancsa wrote:
> >To: misc at openbsd.org
> >Subject: FreeBSD hiding security stuff
> >Date: Fri, 04 Mar 2005 03:51:42 -0700
> >From: Theo de Raadt <deraadt at cvs.openbsd.org>
> >
> >A few FreeBSD developers apparently have found some security issue
> >of some sort affecting i386 operating systems in some cases.
> >
> >They have refused to give us real details.
> >
> >A promise is now being made.
> >
> >If a bug is found in OpenSSH, which we believe to have security
> >consequences, we will inform FreeBSD last.
> >
> >Fair is fair.
> >
> >I really wish it was not this way, but after a week of trying to get
> >policy to be fixed, we are changing our policy as well.
> >
> >Without immediate action from them to repair their policy, and an
> >apology for this, that policy will stand.

DragonFly received this email as well, we were also not given details,
which is somewhat disturbing, to be honest. I haven't said anything
about this until now because I didn't want to cause a disturbance, but
obviously one has been caused.

Everyone who knows me from DragonFly knows that I am quite the DragonFly
diplomat: I really don't tolerate FUD about FreeBSD. As a person who
also contributes to FreeBSD (yes, I contribute to both projects), I
really have to say that I find this strange.

It would be okay if we were given a timeframe, but there was no

The `advisory' consisted of the following:

`On May 13th at BSDCan <http://www.bsdcan.org/> I will be publishing
a local information-disclosure vulnerability which affects multiple
operating systems running on x86 hardware.  I'm not sure if your OS
is affected; can you tell me the state of your SMP support on the x86

Matt (Dillon) replied stating that the aforementioned `advisory' wasn't
enough information to ``go on.'' We (security-officer at dragonflybsd.org)
were told that we'd receive the paper after it was confirmed that
DragonFly is affected. Matt asked if it was related to a certain issue.
The response was ``No.''

This seems vague.

This `advisory' was received by us last Saturday.

So, before we get a huge ruckus about Theo being totally unreasonable,
let's have a little bit of information about why this vulnerability isn't
being disclosed to the security teams of other projects. I think that
it's pretty unreasonable that we're not getting more information. We
can't even confirm that we're affected because we have nothing to go on.

For these reasons, I don't think Theo is being terribly unreasonable. I
don't want to start a holy war here, just present the facts before a
million misinformed subscribers to security@ start flaming OpenBSD and

Kind regards,

Devon H. O'Dell
