Maybe it is a minor issue, but where is the limit for when a security
announcement and a patch are made available?
Quote from http://openbsd.org/security.html:
"Like many readers of the BUGTRAQ mailing list, we believe in full
disclosure of security problems. In the operating system arena, we were
probably the first to embrace the concept. Many vendors, even of free
software, still try to hide issues from their users."
Is this an attempt to hide this from OpenBSD's users?
I got the following response off-list:
<quote>
I got a "vendor confirmed" alert for this issue from Symantec's
DeepSight. It points to the CVS tree but also the errata page. I went
to look at the errata and couldn't find anything.
So it's important enough to tell Symantec about it but not to put on
the errata page. I guess that I just don't understand what goes on the
errata.html.
Not trolling either,
Pierre
</quote>
From: Ted Unangst <[EMAIL PROTECTED]>
To: Rob W <[EMAIL PROTECTED]>
CC: [email protected]
Subject: Re: Missing patch and security announce
Date: Wed, 25 Jan 2006 10:25:08 -0800
it's a minor issue.
On 1/25/06, Rob W <[EMAIL PROTECTED]> wrote:
> See http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018
>
> Fixed in cvs, but NO patch for 3.8 or 3.7 and NO security announcement.
>
> (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147&r2=1.148)
>
> How does this match http://openbsd.org/security.html#disclosure ?
>