reporter on deadline seeks comment about reported security bug in FreeBSD

Bill Moran wmoran at potentialtech.com
Tue Sep 15 15:13:33 UTC 2009


In response to Jerry <gesbbb at yahoo.com>:

> On Tue, 15 Sep 2009 07:18:26 -0400
> Bill Moran <wmoran at potentialtech.com> wrote:
> 
> > Mel Flynn <mel.flynn+fbsd.questions at mailing.thruhere.net> wrote:
> > >
> > > On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, illoai at gmail.com wrote:
> > > > > Am 2009/9/14 Dan Goodin <dgoodin at sitpub.com> writhed:
> > > > > > Hello,
> > > > > >
> > > > > > Dan Goodin, a reporter at technology news website The
> > > > > > Register. Security researcher Przemyslaw Frasunek says
> > > > > > versions 6.x through 6.4 of FreeBSD have a security bug. He
> > > > > > says he notified the FreeBSD Foundation on August 29 and
> > > > > > never got a response. We'll be writing a brief article about
> > > > > > this. Please let me know ASAP if someone cares to comment.
> > > > >
> > > > > Has anyone submitted a PR about this?
> > > > 
> > > > Przemyslaw Frasunek has PRs posted but none recent. IMO if a PR
> > > > is not submitted then one has *not* informed the Powers That Be.
> > > 
> > > Wrong. Security bugs should be reported to the security team, not
> > > PR'd.
> > 
> > It's typical for security issues to be kept hushed until a fix is
> > ready. As a result, there are usually no PRs, and in the case where
> > the person who discovered the problem is amenable, there is no public
> > discussion at all until a fix is available.
> > 
> > Apparently, Mr. Frasunek started out down that path, which is
> > admirable. It seems as if he doesn't have much patience, however,
> > since he thinks that only 2 weeks is enough time to fix a security
> > problem and QA the fix.
> 
> I usually discover security problems with updates I receive from
> <http://www.us-cert.gov/>. Aren't FreeBSD security problems reported to
> their site? If not, why? IMHO, keeping users in the dark to known
> security problems is not a serviceable protocol.

Because releasing security advisories before there is a fix available is
not responsible use of the information, and (as is being discussed) the
fix is still in the works.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/