List: openbsd-misc
Subject: Re: FreeBSD hiding security stuff
From: Dries Schellekens <gwyllion () ulyssis ! org>
Date: 2005-03-04 15:32:18
Message-ID: 42287F82.6050407 () ulyssis ! org
Theo de Raadt wrote:
> A few FreeBSD developers apparently have found some security issue
> of some sort affecting i386 operating systems in some cases.
>
> They have refused to give us real details.
There is some discussion about Theo's promise on the freebsd security
mailing list.
(for archive see http://marc.theaimsgroup.com/?l=freebsd-security)
Colin Percival (cperciva@freebsd.org) found a bug and is not sure
whether OpenBSD is affected. According to a guy from DragonFly, the
email to other BSD projects consisted of the following:
`On May 13th at BSDCan <http://www.bsdcan.org/> I will be publishing
a local information-disclosure vulnerability which affects multiple
operating systems running on x86 hardware. I'm not sure if your OS
is affected; can you tell me the state of your SMP support on the x86
platform?'.
Cheers,
Dries
-------- Original Message --------
Subject: Re: FW:FreeBSD hiding security stuff
Date: Fri, 04 Mar 2005 04:42:48 -0800
From: Colin Percival <cperciva@freebsd.org>
To: Jonathan Weiss <tomonage2@gmx.de>
CC: freebsd-security@freebsd.org, FreeBSD-Hackers <hackers@freebsd.org>
References: <BE4E0FDD.1A486%tomonage2@gmx.de>
[I'm adding a CC: to freebsd-security, since I'm sure this thread will
get reposted there if I don't. For those not subscribed to -hackers:
Jonathan forwarded an email Theo wrote to openbsd-misc:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=110993373705509&w=2 ]
Jonathan Weiss wrote:
> Whats the intention behind the FreeBSD developers policy?
Quoting from secteam's TODO list for advisories:
1. Check if security officers need to be contacted at OpenBSD, NetBSD,
OS X, or DragonFlyBSD.
Yes, that's item #1 on our list. :-)
In this case, I wasn't sure if OpenBSD was affected, so I emailed Theo
asking for certain details which would allow me to make this determination.
Theo wrote:
> A few FreeBSD developers apparently have found some security issue
> of some sort affecting i386 operating systems in some cases.
s/A few FreeBSD developers/One FreeBSD developer/
I discovered this issue in December; until a few days ago I was working
on it to determine whether it could be exploited.
> They have refused to give us real details.
Theo, in one of several replies, indicated that I should provide the
details to Ted Unangst (tedu@). I contacted Ted and provided him with
the details; he agreed with me about how and when it should be handled
by OpenBSD.
> A promise is now being made.
>
> If a bug is found in OpenSSH, which we believe to have security
> consequences, we will inform FreeBSD last.
>
> Fair is fair.
>
> I really wish it was not this way, but after a week of trying to get
> the policy to be fixed, we are changing our policy as well.
>
> Without immediate action from them to repair their policy, and a public
> apology for this, that policy will stand.
The policy of the FreeBSD security team is to notify other vendors and
work with them to co-ordinate a disclosure schedule. It is also the
policy of the FreeBSD security team to avoid disclosing security issues
to anyone who does not need to know about them (i.e., anyone other than
other affected vendors, admins@, and in some cases re@).
I will make no apology for either of these, and I doubt anyone else
(either from the security team, or the security officer himself) will do
so either.
Colin Percival