Re: security or lack thereof
In message: [EMAIL PROTECTED] [EMAIL PROTECTED] (John Nemeth) writes:
: So, is it FreeBSD policy to ignore security bug reports? I sent
: the following bug report to [EMAIL PROTECTED] on Feb. 19th, 2005 and
: it still hasn't been acted on. This total lack of action on an
: extremely simple (and silly) three year old bug doesn't give one the
: warm fuzzies. Heck, it took 48 hours to get a response from a security
: officer, and another 24 hours to get something from the guilty
: developer.

You should learn to send it to the right place: [EMAIL PROTECTED]

Warner
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: security or lack thereof
On Thu, 24 Mar 2005 12:48:48 -0700 (MST), M. Warner Losh [EMAIL PROTECTED] wrote:
> In message: [EMAIL PROTECTED] [EMAIL PROTECTED] (John Nemeth) writes:
> : So, is it FreeBSD policy to ignore security bug reports? I sent
> : the following bug report to [EMAIL PROTECTED] on Feb. 19th, 2005 and
> : it still hasn't been acted on. This total lack of action on an
> : extremely simple (and silly) three year old bug doesn't give one the
> : warm fuzzies. Heck, it took 48 hours to get a response from a security
> : officer, and another 24 hours to get something from the guilty
> : developer.
>
> You should learn to send it to the right place: [EMAIL PROTECTED]
>
> Warner

He did send it to the correct place. Otherwise the documentation is wrong:

---from http://www.freebsd.org/security/index.html---
All FreeBSD Security issues should be reported directly to the Security Officer Team ([EMAIL PROTECTED]) personally or otherwise to the Security Officer ([EMAIL PROTECTED]).
---

Chris
Re: security or lack thereof
John Nemeth wrote:
> So, is it FreeBSD policy to ignore security bug reports? I sent
> the following bug report to [EMAIL PROTECTED] on Feb. 19th, 2005 and
> it still hasn't been acted on. This total lack of action on an
> extremely simple (and silly) three year old bug doesn't give one the
> warm fuzzies. Heck, it took 48 hours to get a response from a security
> officer, and another 24 hours to get something from the guilty
> developer.

I'm a nobody as far as FreeBSD src trees, bugs, etc go, but I didn't see a PR in the bug reports database (link on the left of the main freebsd.org website). This is probably why it got shuffled into a crack somewhere, but take my bits with a grain of salt.

If you haven't, please submit your patch via the bug system here:
http://www.freebsd.org/send-pr.html

Thanks for the bug find..

Eric

--
Eric Anderson    Sr. Systems Administrator    Centaur Technology
I have seen the future and it is just like the present, only longer.
Re: security or lack thereof
On 3/22/05 9:04 PM, John Nemeth wrote:
> So, is it FreeBSD policy to ignore security bug reports? I sent
> the following bug report to [EMAIL PROTECTED] on Feb. 19th, 2005 and
> it still hasn't been acted on. This total lack of action on an
> extremely simple (and silly) three year old bug doesn't give one the
> warm fuzzies. Heck, it took 48 hours to get a response from a security
> officer, and another 24 hours to get something from the guilty
> developer.

Hi John,

I'm sorry for the delay. I could give you a list of excuses, but suffice it to say that the simple (and silly) bug had lower priority than several other issues in our queue. We should have sent you a status update, though: that's my fault. Better late than never, I hope?

Initially we believed the bug was more serious than you had reported, since it has an evil side-effect (sets pw_uid to 0). However, we discovered that due to a second bug the impact was limited. Saved by dumb luck (^_^).

Anyway, as you might know, we are in a code freeze for 5.4. Coincidentally, just yesterday we asked the Release Engineering team for (and received) permission to apply a fix for 5.4-RELEASE. So you will see the issue addressed shortly. The correct fix is a bit more subtle than that suggested in your original message.

I guess I should also mention that we've discussed removing rexec/rexecd entirely (for 6.x releases), since it has been deprecated for over 6 years, and the documentation has discouraged its use for over 11 years.

Cheers,
--
Jacques A Vidrine / NTT/Verio
[EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]