Quarterly packages and security updates...

Mark Felder feld at FreeBSD.org
Fri Aug 14 19:58:45 UTC 2015



On Fri, Aug 14, 2015, at 12:31, Mason Loring Bliss wrote:
> 
> > The packages are there, so I don't understand how you observe these
> > packages to still be vulnerable.
> 
> How about, two of them were vulnerable until I wrote to the list with the
> dismaying thought that we were going to ship vulnerable packages, at which
> point someone with the ability to push packages around decided to fix
> them...?
> 

My mistake, I didn't notice they were published after your initial
email.

Looking at the timestamps for Firefox 40.0,1 getting committed:

HEAD r393690 Fri Aug 7 12:02:41 2015 UTC
2015Q3 r393958 Tue Aug 11 18:29:59 2015 UTC

Ok, that took much longer than usual. The MFH requests are usually
processed quickly. I checked my emails and the MFH request was processed
& approved a few hours after the commit.

Now to add further complications, Firefox 40.0,1 received a lot of
complaints about very frequent crashing (PR 202174). It wasn't until a
bit later that it was fixed at r393805 on Sunday.

Basically, 2015Q3 users didn't receive Firefox 40.0 until several
changes went into HEAD. They could have received the update same day for
the sake of security, but I'm not sure what good it would have been if
the browser was unusable.

I'm not going to make excuses -- I wish it could have been pushed out
faster. I just hope this helps clear up what was going on with this
incident, though. We will continue to push forward and learn from
mistakes.

> That said, I will happily use the mechanisms you noted if I see this sort of
> situation in the future, and I am sincerely, deeply grateful that the
> high-profile stuff I pointed out was fixed so rapidly in response to my
> pointing it out.
> 
