CVE-2015-7547: critical bug in libc
Kubilay Kocak
koobs at FreeBSD.org
Wed Feb 17 17:02:36 UTC 2016
On 18/02/2016 3:51 AM, Warren Block wrote:
> On Wed, 17 Feb 2016, Eric van Gyzen wrote:
>
>> On 02/17/2016 08:19, Warren Block wrote:
>>> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>>>
>>>> A short note on the www.freebsd.org website would probably be helpful,
>>>> as this case will produce a lot of noise.
>>>
>>> Maybe a short article like we did for leap seconds?
>>> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>>>
>>>
>>
>> Articles are permanent, which makes sense for the recurring issue of
>> leap seconds. This vulnerability is transient, so I would suggest a
>> news item.
>
> Yes, but news items are usually just links. For the amount of
> information we have so far, an article seems like the easiest way to do
> this. Or maybe an addition to the security part of the web site?
>
> For now, I'll collect the information as just text.
Don't we also want our sec teams to investigate/confirm it anyway,
independent of how it's communicated?
If so, doesn't a security advisory (with secteam and/or ports-secteam as
appropriate) make the most sense here, given the scope of vulnerability
for base/linux emulation/ports is yet to be completely established and
is still to be investigated properly?
Finally, would users expect a news item, an article or a heads up from
our security teams for something like this, even in the case where it's
only a "confirmed we're not affected"?
./koobs