FLAME - security advisories on the 23rd ? uncool idea is uncool

Jeremy Chadwick freebsd at jdc.parodius.com
Sat Dec 24 17:25:07 UTC 2011


On Sat, Dec 24, 2011 at 08:36:15AM -0800, Kurt Buff wrote:
> On Fri, Dec 23, 2011 at 08:07, Damien Fleuriot <ml at my.gd> wrote:
> > Hey up list,
> >
> > Look, just a rant here.
> >
> >
> > Who in *HELL* thought it would be a cool idea to release no less than
> > FOUR security advisories today ?
> 
> I'm guessing the Security Officer and those with whom he consults.
> Just a thought, since that's who sent the email.
> 
> > I mean, couldn't this have waited and remained undisclosed until Monday ?
> 
> Does "active exploitation in the wild" mean anything to you?
> 
> > I for one do *NOT* relish the idea of updating 50+ boxes this evening
> > and tomorrow !
> 
> Sucks to be you. You knew the job was dangerous when you took it, and
> if you didn't, well, then, bummer, it's what comes with the territory.
> 
> I just spent my day yesterday downing my entire server environment in
> the US to upgrade the electrical, and it was a paid holiday for the
> company.
> 
> As a sysadmin, you should know that these things happen, and learn to
> deal with them.
> 
> > Not to mention a whole lot of merchants and banks have toggled IT Freeze
> > a few weeks ago, to ensure xmas shopping doesn't get disturbed by
> > production changes.
> 
> Yeah. It's hell being a professional.
> 
> > Seriously, this is just irritating.
> 
> Cry me a river. You should be thanking the team for getting the
> releases to you as fast as possible, so you can take effective
> measures ASAP.

While this is generally true, the BIND issue was absolutely not
addressed "as fast as possible".  I guess you weren't aware that it was
announced publicly literally over a month ago:

https://www.isc.org/software/bind/advisories/cve-2011-4313

I'm pretty certain there was a software update (new version of BIND)
announced by ISC shortly after the discovery of this issue.  I say this
because we updated BIND at my workplace within 48-72 hours after said
issue was announced.

I say all of the above as politely and sincerely as possible -- I don't
want the FreeBSD Security Team to feel like I'm slamming them for taking
so long, as I'm quite aware there is sometimes red tape and unexpected
complexities that take precedence.  My point is that you're effectively
telling Damien that he should be thankful for the quick resolution
times, and that really isn't the case with regards to the BIND issue.

As for the rest of your comments: I both agree and disagree with their
sentiments.  I would have summed it up as: "responsibility's a bitch".
Try to remember: Damien admitted point blank, up front, that his Email
was a rant.  You know what they say about opinions, right?  ;-)

All in all, I do hope everyone here has a good holiday season,
regardless of whether that's updating 50+ servers on Christmas Eve or at
home with family.  Try to take something positive out of either experience.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |