FLAME - security advisories on the 23rd ? uncool idea is uncool

Damien Fleuriot ml at my.gd
Fri Dec 23 16:42:17 UTC 2011



On 12/23/11 5:39 PM, John Baldwin wrote:
> On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
>> Hey up list,
>>
>>
>>
>> Look, just a rant here.
>>
>>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today?
>>
>> I mean, couldn't this have waited and remained undisclosed until Monday?
>>
>> I for one do *NOT* relish the idea of updating 50+ boxes this evening
>> and tomorrow!
>>
>>
>> Not to mention a whole lot of merchants and banks have toggled IT Freeze
>> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
>> production changes.
>>
>>
>> Seriously, this is just irritating.
> 
> From an e-mail sent to security@ from the security officer:
> 
> <quote>
> Hi all,
> 
> No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes
> aren't deceiving you: We really did just send out 5 security advisories.
> 
> The timing, to put it bluntly, sucks.  We normally aim to release advisories on
> Wednesdays in order to maximize the number of system administrators who will be
> at work already; and we try very hard to avoid issuing advisories any time close
> to holidays for the same reason.  The start of the Christmas weekend -- in some
> parts of the world it's already Saturday -- is absolutely not when we want to be
> releasing security advisories.
> 
> Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
> is a remote root vulnerability which is being actively exploited in the wild;
> bugs really don't come any worse than this.  On the positive side, most people
> have moved past telnet and on to SSH by now; but this is still not an issue we
> could postpone until a more convenient time.
> 
> While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a
> rather messy fix involving adding a new interface to libc; this has the awkward
> side effect of causing the sizes of some "symbols" (aka. functions) in libc to
> change, resulting in cascading changes into many binaries.  The long list of
> updated files is irritating, but isn't a sign that anything in freebsd-update
> went wrong.
> </quote>
> 


At least they're aware the timing sucks completely and feel as sorry as us.

Ty John.
