Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
> Hey up list,
>
> Look, just a rant here.
>
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?
>
> I mean, couldn't this have waited and remained undisclosed until monday ?
>
> I for one do *NOT* relish the idea of updating 50+ boxes this evening
> and tomorrow !
>
> Not to mention a whole lot of merchants and banks have toggled IT Freeze
> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
> production changes.
>
> Seriously, this is just irritating.

From an e-mail sent to security@ from the security officer:

Hi all,

No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes
aren't deceiving you: We really did just send out 5 security advisories.

The timing, to put it bluntly, sucks. We normally aim to release advisories on
Wednesdays in order to maximize the number of system administrators who will be
at work already; and we try very hard to avoid issuing advisories any time close
to holidays for the same reason. The start of the Christmas weekend -- in some
parts of the world it's already Saturday -- is absolutely not when we want to be
releasing security advisories.

Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
is a remote root vulnerability which is being actively exploited in the wild;
bugs really don't come any worse than this. On the positive side, most people
have moved past telnet and on to SSH by now; but this is still not an issue we
could postpone until a more convenient time.

While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a
rather messy fix involving adding a new interface to libc; this has the awkward
side effect of causing the sizes of some "symbols" (aka. functions) in libc to
change, resulting in cascading changes into many binaries. The long list of
updated files is irritating, but isn't a sign that anything in freebsd-update
went wrong.

--
John Baldwin
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/11 5:39 PM, John Baldwin wrote:
> On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
>> Hey up list,
>>
>> Look, just a rant here.
>>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today ?
>>
>> I mean, couldn't this have waited and remained undisclosed until monday ?
>>
>> I for one do *NOT* relish the idea of updating 50+ boxes this evening
>> and tomorrow !
>>
>> Not to mention a whole lot of merchants and banks have toggled IT Freeze
>> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
>> production changes.
>>
>> Seriously, this is just irritating.
>
> From an e-mail sent to security@ from the security officer:
>
> Hi all,
>
> No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes
> aren't deceiving you: We really did just send out 5 security advisories.
>
> The timing, to put it bluntly, sucks. We normally aim to release advisories on
> Wednesdays in order to maximize the number of system administrators who will be
> at work already; and we try very hard to avoid issuing advisories any time close
> to holidays for the same reason. The start of the Christmas weekend -- in some
> parts of the world it's already Saturday -- is absolutely not when we want to be
> releasing security advisories.
>
> Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
> is a remote root vulnerability which is being actively exploited in the wild;
> bugs really don't come any worse than this. On the positive side, most people
> have moved past telnet and on to SSH by now; but this is still not an issue we
> could postpone until a more convenient time.
>
> While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a
> rather messy fix involving adding a new interface to libc; this has the awkward
> side effect of causing the sizes of some "symbols" (aka. functions) in libc to
> change, resulting in cascading changes into many binaries. The long list of
> updated files is irritating, but isn't a sign that anything in freebsd-update
> went wrong.

At least they're aware the timing sucks completely and feel as sorry as us.

Ty John.
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
So don't update until Monday? The outcome will be the same :)

Damien Fleuriot wrote:
> Hey up list,
>
> Look, just a rant here.
>
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?
>
> I mean, couldn't this have waited and remained undisclosed until monday ?
>
> I for one do *NOT* relish the idea of updating 50+ boxes this evening
> and tomorrow !
>
> Not to mention a whole lot of merchants and banks have toggled IT Freeze
> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
> production changes.
>
> Seriously, this is just irritating.
>
> /flame
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
My point (which may or may not be valid) was that if the vulnerabilities
remained *undisclosed*, they would have a much lower chance of being
exploited.

On 12/23/11 5:47 PM, Joe Holden wrote:
> So don't update until Monday? The outcome will be the same :)
>
> Damien Fleuriot wrote:
>> Hey up list,
>>
>> Look, just a rant here.
>>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today ?
>>
>> I mean, couldn't this have waited and remained undisclosed until monday ?
>>
>> I for one do *NOT* relish the idea of updating 50+ boxes this evening
>> and tomorrow !
>>
>> Not to mention a whole lot of merchants and banks have toggled IT Freeze
>> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
>> production changes.
>>
>> Seriously, this is just irritating.
>>
>> /flame
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
The serious one (telnetd) is already being exploited in the wild, and if
you're running telnetd anyway then you can always switch to ssh or acl the
port; either way it is a relative non-issue to ignore the update for now...

Damien Fleuriot wrote:
> My point (which may or may not be valid) was that if the vulnerabilities
> remained *undisclosed*, they would have a much lower chance of being
> exploited.
>
> On 12/23/11 5:47 PM, Joe Holden wrote:
>> So don't update until Monday? The outcome will be the same :)
>>
>> Damien Fleuriot wrote:
>>> Hey up list,
>>>
>>> Look, just a rant here.
>>>
>>> Who in *HELL* thought it would be a cool idea to release no less than
>>> FOUR security advisories today ?
>>>
>>> I mean, couldn't this have waited and remained undisclosed until monday ?
>>>
>>> I for one do *NOT* relish the idea of updating 50+ boxes this evening
>>> and tomorrow !
>>>
>>> Not to mention a whole lot of merchants and banks have toggled IT Freeze
>>> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
>>> production changes.
>>>
>>> Seriously, this is just irritating.
>>>
>>> /flame
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/11 5:50 PM, Stephen Montgomery-Smith wrote:
> On 12/23/2011 10:07 AM, Damien Fleuriot wrote:
>> Hey up list,
>>
>> Look, just a rant here.
>>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today ?
>
> After receiving the fifth security advisory in a few moments, you will
> get a Christmas message from the Security Advisory team, which will
> both apologize and explain why these untimely advisories came today.
>
> http://lists.freebsd.org/pipermail/freebsd-security-notifications/2011-December/thread.html

Indeed, just read the one John copied.

Still sucks, but at least they're aware and apologetic about how the timing
completely blows.

Happy xmas.
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/2011 11:07 AM, Damien Fleuriot wrote:
> Hey up list,
> Look, just a rant here.
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?

The Security Officer explained it was because one of them was being
actively exploited.

http://lists.freebsd.org/pipermail/freebsd-security-notifications/2011-December/000165.html

Also, the chroot issue has been public for some time along with sample
exploits. Same with BIND which was fixed some time ago. Judgment call,
and I think they made the right call at least from my perspective.

---Mike

--
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/11 5:54 PM, Bas Smeelen wrote:
>> Look, just a rant here.
>>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today ?
>
> What's the impact for your boxes?

Only the BIND exploit concerns me; it means that *potentially* servers for my
projects might be unable to run DNS resolution anymore -> prod problems.

I don't think we'll be getting trouble though, so I'm postponing the update
until next week.

>> I mean, couldn't this have waited and remained undisclosed until monday ?
>
> Best time to exploit is Christmas/holidays
>
>> I for one do *NOT* relish the idea of updating 50+ boxes this evening
>> and tomorrow !
>
> updating 30 boxes right now
>
>> Not to mention a whole lot of merchants and banks have toggled IT Freeze
>> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
>> production changes.
>>
>> Seriously, this is just irritating.
>
> If you don't use telnet, ftpd, dns, pam, then it's not a big problem
>
> merry Christmas
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
Some people (like me) already knew about the vulnerabilities. And others are
already exploiting some of these vulnerabilities.

Thanks,

Shawn Webb

On Fri, Dec 23, 2011 at 9:50 AM, Damien Fleuriot wrote:
> My point (which may or may not be valid) was that if the vulnerabilities
> remained *undisclosed*, they would have a much lower chance of being
> exploited.
>
> On 12/23/11 5:47 PM, Joe Holden wrote:
>> So don't update until Monday? The outcome will be the same :)
>>
>> Damien Fleuriot wrote:
>>> Hey up list,
>>>
>>> Look, just a rant here.
>>>
>>> Who in *HELL* thought it would be a cool idea to release no less than
>>> FOUR security advisories today ?
>>>
>>> I mean, couldn't this have waited and remained undisclosed until monday ?
>>>
>>> I for one do *NOT* relish the idea of updating 50+ boxes this evening
>>> and tomorrow !
>>>
>>> Not to mention a whole lot of merchants and banks have toggled IT Freeze
>>> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
>>> production changes.
>>>
>>> Seriously, this is just irritating.
>>>
>>> /flame
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
> Look, just a rant here.
>
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?

What's the impact for your boxes?

> I mean, couldn't this have waited and remained undisclosed until monday ?

Best time to exploit is Christmas/holidays

> I for one do *NOT* relish the idea of updating 50+ boxes this evening
> and tomorrow !

updating 30 boxes right now

> Not to mention a whole lot of merchants and banks have toggled IT Freeze
> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
> production changes.
>
> Seriously, this is just irritating.

If you don't use telnet, ftpd, dns, pam, then it's not a big problem

merry Christmas
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
I happen to APPLAUD the FreeBSD Security team for doing this.

I WANT security fixes out as soon as reasonably possible. You're NOT telling
the bad guys anything they don't already know, but you ARE making it possible
for the good guys to raise shields.

A "remote root" problem is about as bad as it gets.

--
Karl Denninger
/The Market Ticker/

On 12/23/2011 10:39 AM, John Baldwin wrote:
> On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
>> Hey up list,
>>
>> Look, just a rant here.
>>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today ?
>>
>> I mean, couldn't this have waited and remained undisclosed until monday ?
>>
>> I for one do *NOT* relish the idea of updating 50+ boxes this evening
>> and tomorrow !
>>
>> Not to mention a whole lot of merchants and banks have toggled IT Freeze
>> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
>> production changes.
>>
>> Seriously, this is just irritating.
>
> From an e-mail sent to security@ from the security officer:
>
> Hi all,
>
> No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes
> aren't deceiving you: We really did just send out 5 security advisories.
>
> The timing, to put it bluntly, sucks. We normally aim to release advisories on
> Wednesdays in order to maximize the number of system administrators who will be
> at work already; and we try very hard to avoid issuing advisories any time close
> to holidays for the same reason. The start of the Christmas weekend -- in some
> parts of the world it's already Saturday -- is absolutely not when we want to be
> releasing security advisories.
>
> Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
> is a remote root vulnerability which is being actively exploited in the wild;
> bugs really don't come any worse than this. On the positive side, most people
> have moved past telnet and on to SSH by now; but this is still not an issue we
> could postpone until a more convenient time.
>
> While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a
> rather messy fix involving adding a new interface to libc; this has the awkward
> side effect of causing the sizes of some "symbols" (aka. functions) in libc to
> change, resulting in cascading changes into many binaries. The long list of
> updated files is irritating, but isn't a sign that anything in freebsd-update
> went wrong.
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/2011 10:07 AM, Damien Fleuriot wrote:
> Hey up list,
>
> Look, just a rant here.
>
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?

After receiving the fifth security advisory in a few moments, you will get a
Christmas message from the Security Advisory team, which will both apologize
and explain why these untimely advisories came today.

http://lists.freebsd.org/pipermail/freebsd-security-notifications/2011-December/thread.html
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 11:39 AM, John Baldwin wrote:
> On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
>> Hey up list,
>>
>> Look, just a rant here.
>>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today ?
>>
>> I mean, couldn't this have waited and remained undisclosed until monday ?
>>
>> I for one do *NOT* relish the idea of updating 50+ boxes this evening
>> and tomorrow !
>>
>> Not to mention a whole lot of merchants and banks have toggled IT Freeze
>> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
>> production changes.
>>
>> Seriously, this is just irritating.
>
> From an e-mail sent to security@ from the security officer:
>
> Hi all,
>
> No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes
> aren't deceiving you: We really did just send out 5 security advisories.
>
> The timing, to put it bluntly, sucks. We normally aim to release advisories on
> Wednesdays in order to maximize the number of system administrators who will be
> at work already; and we try very hard to avoid issuing advisories any time close
> to holidays for the same reason. The start of the Christmas weekend -- in some
> parts of the world it's already Saturday -- is absolutely not when we want to be
> releasing security advisories.
>
> Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
> is a remote root vulnerability which is being actively exploited in the wild;
> bugs really don't come any worse than this. On the positive side, most people
> have moved past telnet and on to SSH by now; but this is still not an issue we
> could postpone until a more convenient time.
>
> While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a
> rather messy fix involving adding a new interface to libc; this has the awkward
> side effect of causing the sizes of some "symbols" (aka. functions) in libc to
> change, resulting in cascading changes into many binaries. The long list of
> updated files is irritating, but isn't a sign that anything in freebsd-update
> went wrong.
>
> --
> John Baldwin

These vulnerabilities are known many days before in other distributions.

Thank you very much.

Mehmet Erol Sanliturk
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/2011 10:56 AM, Mike Tancsa wrote:
> Also, the chroot issue has been public for some time along with sample
> exploits. Same with BIND which was fixed some time ago. Judgment call,
> and I think they made the right call at least from my perspective.

It is this chroot issue that bothers me. From my reading of the ftpd man
page, if I have anonymous ftp to my server, it seems that I am using chroot
with ftpd, and there is no way to stop this happening.

Am I correct, or have I missed something? (I am hoping I missed something.)
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
> These vulnerabilities are known many days before in other distributions.
>
> Thank you very much.
>
> Mehmet Erol Sanliturk

you're right, these were discussed on the mailinglists also
_but_ FreeBSD is not a distribution
It is *a complete operating system*

Happy holidays
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 7:25 PM, Stephen Montgomery-Smith wrote:
> On 12/23/2011 10:56 AM, Mike Tancsa wrote:
>
>> Also, the chroot issue has been public for some time along with sample
>> exploits. Same with BIND which was fixed some time ago. Judgment call,
>> and I think they made the right call at least from my perspective.
>
> It is this chroot issue that bothers me. From my reading of the ftpd man
> page, if I have anonymous ftp to my server, it seems that I am using chroot
> with ftpd, and there is no way to stop this happening.
>
> Am I correct, or have I missed something? (I am hoping I missed something.)

To sum up this mess. Are all cvs mirror servers updated regarding these
changes ?

Also, I see that FreeBSD 9.0-RELEASE is included. Has it been released ?

Regards

--
George Kontostanos
Aicom telecoms ltd
http://www.barebsd.com
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/11 11:53, Karl Denninger wrote:
> I happen to APPLAUD the FreeBSD Security team for doing this.
>
> I WANT security fixes out as soon as reasonably possible. You're NOT
> telling the bad guys anything they don't already know, but you ARE
> making it possible for the good guys to raise shields.
>
> A "remote root" problem is about as bad as it gets.

+1

Even if the timing is less than optimal, having the necessary information
"out there" offers the opportunity for each organization to make an
*informed choice* as to which vulnerabilities might be present in their
deployments, which are of highest priority and what resourcing decisions are
appropriate in their specific context.

The FreeBSD Security folk are not saying "you must do this today"; they
*can't* make that call on our behalf - it is entirely an organizational
decision based on our assessment(s) of our risk and exposure,

imb
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/2011 12:25 PM, Stephen Montgomery-Smith wrote:
>
> It is this chroot issue that bothers me. From my reading of the ftpd
> man page, if I have anonymous ftp to my server, it seems that I am using
> chroot with ftpd, and there is no way to stop this happening.
>
> Am I correct, or have I missed something? (I am hoping I missed
> something.)

Depends what they can write to and upload. The thread starts here

http://lists.freebsd.org/pipermail/freebsd-security/2011-November/006085.html

that discusses it in more detail

---Mike

--
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Dec 23, 2011, at 11:25 AM, Stephen Montgomery-Smith wrote:
> On 12/23/2011 10:56 AM, Mike Tancsa wrote:
>
>> Also, the chroot issue has been public for some time along with sample
>> exploits. Same with BIND which was fixed some time ago. Judgment call,
>> and I think they made the right call at least from my perspective.
>
> It is this chroot issue that bothers me. From my reading of the ftpd man
> page, if I have anonymous ftp to my server, it seems that I am using chroot
> with ftpd, and there is no way to stop this happening.
>
> Am I correct, or have I missed something? (I am hoping I missed something.)

I think that to exploit the ftpd chroot issue, the attacker must have the
ability to create an /etc/nsswitch.conf (if it doesn't already exist), and
must then install a malicious shared library file in the chroot /lib,
/usr/lib, or /usr/local/lib directory. Local users who have chroot configured
on their home directory for FTP access could probably exploit this. If your
anonymous FTP directories are set up correctly, in particular so that
anonymous users have no write access, and if local users can't corrupt that
configuration (such as by changing owners or permissions of directories in
the anonymous chroot area), then I wouldn't expect this to be exploitable.

Still, I would install the update as soon as possible…

Guy
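A check for the preconditions Guy lists, written as an added example (not code from this thread, from FreeBSD, or from the advisory): it walks an ftpd chroot tree and reports an nsswitch.conf inside the chroot, directories the FTP user could write to, and shared objects that are writable or not owned by the expected owner, so an operator can see whether the anonymous area meets the "no write access, nothing corruptible" condition before deciding how urgently to apply the update. The function name, the optional expected-owner argument and the example path /var/ftp are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: audit an ftpd
# chroot (such as the anonymous FTP area) for the preconditions described
# above, i.e. whether an FTP user could drop an etc/nsswitch.conf or a shared
# object into the tree.  Prints one finding per line; returns 0 when the tree
# looks clean, 1 when something needs attention, 2 on a bad argument.
#
# Usage: audit_ftp_chroot /path/to/ftp-chroot [expected_owner]
# expected_owner defaults to root; the argument exists so the function can be
# exercised on a scratch tree owned by an unprivileged user.
audit_ftp_chroot() {
    root=$1
    owner=${2:-root}
    findings=0

    [ -d "$root" ] || { echo "no such directory: $root"; return 2; }

    # 1. An nsswitch.conf inside the chroot is exactly the file the attacker
    #    needs; a correctly set up anonymous area does not carry one.
    if [ -e "$root/etc/nsswitch.conf" ]; then
        echo "FOUND: $root/etc/nsswitch.conf exists inside the chroot"
        findings=$((findings + 1))
    fi

    # 2. Any group- or world-writable directory lets an FTP user create files
    #    there (-perm -0002: world-writable, -perm -0020: group-writable).
    writable=$(find "$root" -type d \( -perm -0002 -o -perm -0020 \) 2>/dev/null)
    if [ -n "$writable" ]; then
        echo "$writable" | sed 's/^/WRITABLE DIR: /'
        findings=$((findings + $(echo "$writable" | wc -l | tr -d ' ')))
    fi

    # 3. Shared objects that are writable, or not owned by the expected owner,
    #    could be swapped for a malicious one.
    libs=$(find "$root" -type f -name '*.so*' \
           \( -perm -0002 -o -perm -0020 -o ! -user "$owner" \) 2>/dev/null)
    if [ -n "$libs" ]; then
        echo "$libs" | sed 's/^/SUSPECT LIB: /'
        findings=$((findings + $(echo "$libs" | wc -l | tr -d ' ')))
    fi

    # 4. The directories the loader would search must be owned by the expected
    #    owner, otherwise their permissions can be loosened later.  -prune on
    #    the start path tests that directory itself without descending.
    for d in etc lib usr/lib usr/local/lib; do
        if [ -d "$root/$d" ] && [ -n "$(find "$root/$d" -prune ! -user "$owner")" ]; then
            echo "BAD OWNER: $root/$d is not owned by $owner"
            findings=$((findings + 1))
        fi
    done

    if [ "$findings" -eq 0 ]; then
        echo "OK: $root has no writable directories, no nsswitch.conf and no suspect libraries"
        return 0
    fi
    echo "$findings finding(s) in $root"
    return 1
}

# Run against the path given on the command line, e.g. /var/ftp (assumed path).
[ $# -eq 0 ] || audit_ftp_chroot "$@"
```

A sticky-bit upload directory (mode 1777) is still world-writable and is reported, which is the case Mike's "depends what they can write to and upload" refers to.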
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 7:55 PM, Mike Tancsa wrote:
> On 12/23/2011 12:25 PM, Stephen Montgomery-Smith wrote:
>>
>> It is this chroot issue that bothers me. From my reading of the ftpd
>> man page, if I have anonymous ftp to my server, it seems that I am using
>> chroot with ftpd, and there is no way to stop this happening.
>>
>> Am I correct, or have I missed something? (I am hoping I missed
>> something.)
>
> Depends what they can write to and upload. The thread starts here
>
> http://lists.freebsd.org/pipermail/freebsd-security/2011-November/006085.html
>
> that discusses it in more detail
>
> ---Mike

Are all cvs mirror servers updated regarding these changes ?

ANYBODY

--
George Kontostanos
Aicom telecoms ltd
http://www.barebsd.com
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 23/12/2011 18:05, George Kontostanos wrote:
> Are all cvs mirror servers updated regarding these changes ?
>
> ANYBODY

Should have by now. Commits usually take about an hour to propagate to
the official cvsup servers.

Easy enough to tell though -- the advisories have all the version
numbers in, and you'd only need to check a file or two from each of
them to be reasonably sure you'd got all the updates.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman wrote:
> On 23/12/2011 18:05, George Kontostanos wrote:
>> Are all cvs mirror servers updated regarding these changes ?
>>
>> ANYBODY
>
> Should have by now. Commits usually take about an hour to propagate to
> the official cvsup servers.
>
> Easy enough to tell though -- the advisories have all the version
> numbers in, and you'd only need to check a file or two from each of
> them to be reasonably sure you'd got all the updates.
>
> Cheers,
>
> Matthew

Thanks for the info Matthew. I think though that it is best for all to first
make sure that the servers are all updated before sending out all those
security advisories.

Regards

--
George Kontostanos
Aicom telecoms ltd
http://www.barebsd.com
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
Quoting Mike Tancsa:
> On 12/23/2011 11:07 AM, Damien Fleuriot wrote:
>> Hey up list,
>> Look, just a rant here.
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today ?
>
> The Security Officer explained it was because one of them was being
> actively exploited.
>
> http://lists.freebsd.org/pipermail/freebsd-security-notifications/2011-December/000165.html
>
> Also, the chroot issue has been public for some time along with sample
> exploits. Same with BIND which was fixed some time ago. Judgment call,
> and I think they made the right call at least from my perspective.
>
> ---Mike

To think a security threat could be rendered less serious based on the date
of its announcement is rather provincial.

You're damn right they made the right call.
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 06:30:59PM +0100, Bas Smeelen wrote:
>> These vulnerabilities are known many days before in other distributions .
>>
>> Thank you very much .
>>
>> Mehmet Erol Sanliturk
>
> you're right, these were discussed on the mailing lists also
> _but_ FreeBSD is not a distribution
> It is *a complete operating system*
> Happy holidays

And the D in BSD is for? ;-)
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 9:06 PM, Lars Engels wrote:
> On Fri, Dec 23, 2011 at 06:30:59PM +0100, Bas Smeelen wrote:
>>> These vulnerabilities are known many days before in other distributions .
>>>
>>> Thank you very much .
>>>
>>> Mehmet Erol Sanliturk
>>
>> you're right, these were discussed on the mailing lists also
>> _but_ FreeBSD is not a distribution
>> It is *a complete operating system*
>> Happy holidays
>
> And the D in BSD is for? ;-)

So, are we done for today with the security advisories ? I hate to start rebuilding world & kernel again.

--
George Kontostanos
Aicom telecoms ltd
http://www.barebsd.com
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 2:06 PM, Lars Engels wrote:
> On Fri, Dec 23, 2011 at 06:30:59PM +0100, Bas Smeelen wrote:
>>> These vulnerabilities are known many days before in other distributions .
>>>
>>> Thank you very much .
>>>
>>> Mehmet Erol Sanliturk
>>
>> you're right, these were discussed on the mailing lists also
>> _but_ FreeBSD is not a distribution
>> It is *a complete operating system*
>> Happy holidays
>
> And the D in BSD is for? ;-)

diethylamide ?

--
Eitan Adler
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 2011-Dec-23 20:06:10 +0100, Lars Engels wrote:
> On Fri, Dec 23, 2011 at 06:30:59PM +0100, Bas Smeelen wrote:
>> _but_ FreeBSD is not a distribution
>> It is *a complete operating system*
>> Happy holidays
>
> And the D in BSD is for? ;-)

FreeBSD is a complete operating system _derived_from_ the Berkeley Software Distribution that used to be available from the now-defunct UCB CSRG. The "BSD" in FreeBSD acknowledges its roots.

And on-topic - yes, the timing sucks (especially since I'm one of the people reading this on the Saturday commencing a long holiday period) but I think the SO made the right call. Hopefully, this was all that was holding up 9.0-RELEASE and RE will be giving us a more welcome Xmas present.

--
Peter Jeremy
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 08:55:35PM +0200, George Kontostanos wrote:
> On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman wrote:
>> On 23/12/2011 18:05, George Kontostanos wrote:
>>> Are all cvs mirror servers updated regarding these changes ?
>>>
>>> ANYBODY
>>
>> Should have by now. Commits usually take about an hour to propagate to the official cvsup servers.
>>
>> Easy enough to tell though -- the advisories have all the version numbers in, and you'd only need to check a file or two from each of them to be reasonably sure you'd got all the updates.
>>
>> Cheers,
>>
>> Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
>> PGP: http://www.infracaninophile.co.uk/pgpkey
>> JID: matt...@infracaninophile.co.uk
>
> Thanks for the info Matthew. I think though that it is best for all to first make sure that the servers have all been updated before sending out all those security advisories.

I don't believe they're monitored like that. If you want the updates quickly, download the files referenced in the advisories. My build was done before my local cvsup server picked up the changes.

Gary
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 10:48 PM, Gary Palmer wrote:
> On Fri, Dec 23, 2011 at 08:55:35PM +0200, George Kontostanos wrote:
>> On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman wrote:
>>> On 23/12/2011 18:05, George Kontostanos wrote:
>>>> Are all cvs mirror servers updated regarding these changes ?
>>>>
>>>> ANYBODY
>>>
>>> Should have by now. Commits usually take about an hour to propagate to the official cvsup servers.
>>>
>>> Easy enough to tell though -- the advisories have all the version numbers in, and you'd only need to check a file or two from each of them to be reasonably sure you'd got all the updates.
>>>
>>> Cheers,
>>>
>>> Matthew
>>>
>>> --
>>> Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
>>> PGP: http://www.infracaninophile.co.uk/pgpkey
>>> JID: matt...@infracaninophile.co.uk
>>
>> Thanks for the info Matthew. I think though that it is best for all to first make sure that the servers have all been updated before sending out all those security advisories.
>
> I don't believe they're monitored like that. If you want the updates quickly, download the files referenced in the advisories. My build was done before my local cvsup server picked up the changes.
>
> Gary

Yes, that's easy if you're dealing with one server. But it is very different when you have to apply those patches to 20 different servers that are in different locations. Having a local cvsup server doing this job tends to make updating easier.

In any case, and IMHO, this was not the proper time for this kind of advisories considering the fact that many companies are in a freeze period.

Cheers

--
George Kontostanos
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
As others have mentioned, you don't _have_ to patch this weekend. All of the vulnerabilities have been [semi-]public knowledge for at least a week. What's the harm in waiting till next week? Just pretend like the patches came in on Tuesday.

I, for one, am grateful that FreeBSD has provided patches. It allows people who do have the time/ability to patch this weekend to do just that. If you don't want to, then don't. Simple as that.

Thanks,

Shawn

On Fri, Dec 23, 2011 at 2:40 PM, George Kontostanos wrote:
> On Fri, Dec 23, 2011 at 10:48 PM, Gary Palmer wrote:
>> On Fri, Dec 23, 2011 at 08:55:35PM +0200, George Kontostanos wrote:
>>> On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman wrote:
>>>> On 23/12/2011 18:05, George Kontostanos wrote:
>>>>> Are all cvs mirror servers updated regarding these changes ?
>>>>>
>>>>> ANYBODY
>>>>
>>>> Should have by now. Commits usually take about an hour to propagate to the official cvsup servers.
>>>>
>>>> Easy enough to tell though -- the advisories have all the version numbers in, and you'd only need to check a file or two from each of them to be reasonably sure you'd got all the updates.
>>>>
>>>> Cheers,
>>>>
>>>> Matthew
>>>>
>>>> --
>>>> Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
>>>> PGP: http://www.infracaninophile.co.uk/pgpkey
>>>> JID: matt...@infracaninophile.co.uk
>>>
>>> Thanks for the info Matthew. I think though that it is best for all to first make sure that the servers have all been updated before sending out all those security advisories.
>>
>> I don't believe they're monitored like that. If you want the updates quickly, download the files referenced in the advisories. My build was done before my local cvsup server picked up the changes.
>>
>> Gary
>
> Yes, that's easy if you're dealing with one server. But it is very different when you have to apply those patches to 20 different servers that are in different locations. Having a local cvsup server doing this job tends to make updating easier.
>
> In any case, and IMHO, this was not the proper time for this kind of advisories considering the fact that many companies are in a freeze period.
>
> Cheers
>
> --
> George Kontostanos
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 11:45 PM, Shawn Webb wrote:
> As others have mentioned, you don't _have_ to patch this weekend. All of the vulnerabilities have been [semi-]public knowledge for at least a week. What's the harm in waiting till next week? Just pretend like the patches came in on Tuesday.
>
> I, for one, am grateful that FreeBSD has provided patches. It allows people who do have the time/ability to patch this weekend to do just that. If you don't want to, then don't. Simple as that.
>
> Thanks,
>
> Shawn

I wish it was that simple. Being aware of a possible vulnerability is very different from getting an official security advisory. Unfortunately, sometimes the decision to patch or not to patch comes from people who decide based upon bureaucracy.

I am certainly thankful to the FreeBSD security team for identifying and providing patches. However, when you start receiving emails about security advisories every 5 minutes, you tend to wonder when they will stop :)

Regards and happy holidays

George
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 2011-Dec-23 23:40:10 +0200, George Kontostanos wrote:
> In any case, and IMHO, this was not the proper time for this kind of advisories considering the fact that many companies are in a freeze period.

My honeypot logs suggest that the black hats aren't taking a holiday. As Colin posted, the SO had to decide between two unpalatable options and, IMHO, he made the correct decision. The details and fixes are now available - it's up to you to weigh up the risks of patching vs the risks of not patching.

--
Peter Jeremy
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Sat, Dec 24, 2011 at 12:02 AM, Peter Jeremy wrote:
> On 2011-Dec-23 23:40:10 +0200, George Kontostanos wrote:
>> In any case, and IMHO, this was not the proper time for this kind of advisories considering the fact that many companies are in a freeze period.
>
> My honeypot logs suggest that the black hats aren't taking a holiday. As Colin posted, the SO had to decide between two unpalatable options and, IMHO, he made the correct decision. The details and fixes are now available - it's up to you to weigh up the risks of patching vs the risks of not patching.
>
> --
> Peter Jeremy

If a security advisory is announced, you have to patch, period!

Happy holidays to all. Black hats too :)

--
George
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 08:07, Damien Fleuriot wrote:
> Hey up list,
>
> Look, just a rant here.
>
> Who in *HELL* thought it would be a cool idea to release no less than FOUR security advisories today ?

I'm guessing the Security Officer and those with whom he consults. Just a thought, since that's who sent the email.

> I mean, couldn't this have waited and remained undisclosed until monday ?

Does "active exploitation in the wild" mean anything to you?

> I for one do *NOT* relish the idea of updating 50+ boxes this evening and tomorrow !

Sucks to be you. You knew the job was dangerous when you took it, and if you didn't, well, then, bummer, it's what comes with the territory.

I just spent my day yesterday downing my entire server environment in the US to upgrade the electrical, and it was a paid holiday for the company.

As a sysadmin, you should know that these things happen, and learn to deal with them.

> Not to mention a whole lot of merchants and banks have toggled IT Freeze a few weeks ago, to ensure xmas shopping doesn't get disturbed by production changes.

Yeah. It's hell being a professional.

> Seriously, this is just irritating.

Cry me a river. You should be thanking the team for getting the releases to you as fast as possible, so you can take effective measures ASAP.

Kurt
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Sat, Dec 24, 2011 at 08:36:15AM -0800, Kurt Buff wrote:
> On Fri, Dec 23, 2011 at 08:07, Damien Fleuriot wrote:
>> Hey up list,
>>
>> Look, just a rant here.
>>
>> Who in *HELL* thought it would be a cool idea to release no less than FOUR security advisories today ?
>
> I'm guessing the Security Officer and those with whom he consults. Just a thought, since that's who sent the email.
>
>> I mean, couldn't this have waited and remained undisclosed until monday ?
>
> Does "active exploitation in the wild" mean anything to you?
>
>> I for one do *NOT* relish the idea of updating 50+ boxes this evening and tomorrow !
>
> Sucks to be you. You knew the job was dangerous when you took it, and if you didn't, well, then, bummer, it's what comes with the territory.
>
> I just spent my day yesterday downing my entire server environment in the US to upgrade the electrical, and it was a paid holiday for the company.
>
> As a sysadmin, you should know that these things happen, and learn to deal with them.
>
>> Not to mention a whole lot of merchants and banks have toggled IT Freeze a few weeks ago, to ensure xmas shopping doesn't get disturbed by production changes.
>
> Yeah. It's hell being a professional.
>
>> Seriously, this is just irritating.
>
> Cry me a river. You should be thanking the team for getting the releases to you as fast as possible, so you can take effective measures ASAP.

While this is generally true, the BIND issue was absolutely not addressed "as fast as possible". I guess you weren't aware that it was announced publicly literally over a month ago:

https://www.isc.org/software/bind/advisories/cve-2011-4313

I'm pretty certain there was a software update (new version of BIND) announced by ISC shortly after the discovery of this issue. I say this because we updated BIND at my workplace within 48-72 hours after said issue was announced.

I say all of the above as politely and sincerely as possible -- I don't want the FreeBSD Security Team to feel like I'm slamming them for taking so long, as I'm quite aware there is sometimes red tape and unexpected complexities that take precedence. My point is that you're effectively telling Damien that he should be thankful for the quick resolution times, and that really isn't the case with regards to the BIND issue.

As for the rest of your comments: I both agree and disagree with their sentiments. I would have summed it up as: "responsibility's a bitch". Try to remember: Damien admitted point blank, up front, that his Email was a rant. You know what they say about opinions, right? ;-)

All in all, I do hope everyone here has a good holiday season, regardless of whether that's updating 50+ servers on Christmas Eve or at home with family. Try to take something positive out of either experience.

--
Jeremy Chadwick, jdc at parodius.com
Parodius Networking, http://www.parodius.com/
UNIX Systems Administrator, Mountain View, CA, US
Making life hard for others since 1977. PGP 4BD6C0CB
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On Sat, Dec 24, 2011 at 09:25, Jeremy Chadwick wrote:
>
> While this is generally true, the BIND issue was absolutely not addressed "as fast as possible". I guess you weren't aware that it was announced publicly literally over a month ago:
>
> https://www.isc.org/software/bind/advisories/cve-2011-4313
>
> I'm pretty certain there was a software update (new version of BIND) announced by ISC shortly after the discovery of this issue. I say this because we updated BIND at my workplace within 48-72 hours after said issue was announced.
>
> I say all of the above as politely and sincerely as possible -- I don't want the FreeBSD Security Team to feel like I'm slamming them for taking so long, as I'm quite aware there is sometimes red tape and unexpected complexities that take precedence. My point is that you're effectively telling Damien that he should be thankful for the quick resolution times, and that really isn't the case with regards to the BIND issue.
>
> As for the rest of your comments: I both agree and disagree with their sentiments. I would have summed it up as: "responsibility's a bitch". Try to remember: Damien admitted point blank, up front, that his Email was a rant. You know what they say about opinions, right? ;-)
>
> All in all, I do hope everyone here has a good holiday season, regardless of whether that's updating 50+ servers on Christmas Eve or at home with family. Try to take something positive out of either experience.

I was aware of, and followed along with, the discussion of the DNS problem on this and other lists.

To me, "as fast as possible" does include overcoming the obstacles that lie in wait beyond the brute coding. I also know that those who are more skilled or adventurous and otherwise more fortunate could have grabbed code and done it for themselves, but in many cases it's not possible.

I'm betting that Colin, et al, were sweating over these releases, and really didn't want to do these releases quite so hard up against the holidays, but I'm glad they released them as soon as they felt it was the reasonable thing to do.

I'm just afraid I don't have a lot of time for "woe is me" when the security of machines (and by extension of organizations) is at stake.

Kurt
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 23 Dec 2011 18:56, "George Kontostanos" wrote:
>
> On Fri, Dec 23, 2011 at 8:40 PM, Matthew Seaman wrote:
>> On 23/12/2011 18:05, George Kontostanos wrote:
>>> Are all cvs mirror servers updated regarding these changes ?
>>>
>>> ANYBODY
>>
>> Should have by now. Commits usually take about an hour to propagate to the official cvsup servers.
>>
>> Easy enough to tell though -- the advisories have all the version numbers in, and you'd only need to check a file or two from each of them to be reasonably sure you'd got all the updates.
>>
>> Cheers,
>>
>> Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
>> PGP: http://www.infracaninophile.co.uk/pgpkey
>> JID: matt...@infracaninophile.co.uk
>
> Thanks for the info Matthew. I think though that it is best for all to first make sure that the servers have all been updated before sending out all those security advisories.

The emails contain patches.

Chris
Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
On 23 Dec 2011, at 17:07, Damien Fleuriot wrote:
> Seriously, this is just irritating.

Seriously, malevolent persons don't do engineering freeze times.

I thank the FreeBSD security team for keeping vigilant on this, despite having no official obligation, as there is no SLA on the product, nor being backed by a commercial company.

Best Regards,
Ruben
Good lists to subscribe to hear quickly about vulns ? ( was: Re: FLAME - security advisories on the 23rd ? uncool idea is uncool)
On topic, where do you guys subscribe to know of these vulns ahead of their release on the ML ?

I'm subscribed to the BIND ML but I don't recall seeing an advisory there ahead of today.

On 12/23/11 6:03 PM, Shawn Webb wrote:
> Some people (like me) already knew about the vulnerabilities. And others are already exploiting some of these vulnerabilities.
>
> Thanks,
>
> Shawn Webb
>
> On Fri, Dec 23, 2011 at 9:50 AM, Damien Fleuriot wrote:
>> My point (which may or may not be valid) was that if the vulnerabilities remained *undisclosed*, they would have a much lower chance of being exploited.
>>
>> On 12/23/11 5:47 PM, Joe Holden wrote:
>>> So don't update until Monday? The outcome will be the same :)
>>>
>>> Damien Fleuriot wrote:
>>>> Hey up list,
>>>>
>>>> Look, just a rant here.
>>>>
>>>> Who in *HELL* thought it would be a cool idea to release no less than FOUR security advisories today ?
>>>>
>>>> I mean, couldn't this have waited and remained undisclosed until monday ?
>>>>
>>>> I for one do *NOT* relish the idea of updating 50+ boxes this evening and tomorrow !
>>>>
>>>> Not to mention a whole lot of merchants and banks have toggled IT Freeze a few weeks ago, to ensure xmas shopping doesn't get disturbed by production changes.
>>>>
>>>> Seriously, this is just irritating.
>>>>
>>>> /flame
Re: Good lists to subscribe to hear quickly about vulns ? ( was: Re: FLAME - security advisories on the 23rd ? uncool idea is uncool)
I usually hear about them from other people. I also subscribe to the full-disclosure mailing list.

On Fri, Dec 23, 2011 at 10:25 AM, Damien Fleuriot wrote:
> On topic, where do you guys subscribe to know of these vulns ahead of their release on the ML ?
>
> I'm subscribed to the BIND ML but I don't recall seeing an advisory there ahead of today.
>
> On 12/23/11 6:03 PM, Shawn Webb wrote:
>> Some people (like me) already knew about the vulnerabilities. And others are already exploiting some of these vulnerabilities.
>>
>> Thanks,
>>
>> Shawn Webb
>>
>> On Fri, Dec 23, 2011 at 9:50 AM, Damien Fleuriot wrote:
>>> My point (which may or may not be valid) was that if the vulnerabilities remained *undisclosed*, they would have a much lower chance of being exploited.
>>>
>>> On 12/23/11 5:47 PM, Joe Holden wrote:
>>>> So don't update until Monday? The outcome will be the same :)
>>>>
>>>> Damien Fleuriot wrote:
>>>>> Hey up list,
>>>>>
>>>>> Look, just a rant here.
>>>>>
>>>>> Who in *HELL* thought it would be a cool idea to release no less than FOUR security advisories today ?
>>>>>
>>>>> I mean, couldn't this have waited and remained undisclosed until monday ?
>>>>>
>>>>> I for one do *NOT* relish the idea of updating 50+ boxes this evening and tomorrow !
>>>>>
>>>>> Not to mention a whole lot of merchants and banks have toggled IT Freeze a few weeks ago, to ensure xmas shopping doesn't get disturbed by production changes.
>>>>>
>>>>> Seriously, this is just irritating.
>>>>>
>>>>> /flame
Re: Good lists to subscribe to hear quickly about vulns ? ( was: Re: FLAME - security advisories on the 23rd ? uncool idea is uncool)
> On topic, where do you guys subscribe to know of these vulns ahead of their release on the ML ?

security, stable and questions, it has been discussed here and there
Re: Good lists to subscribe to hear quickly about vulns ? ( was: Re: FLAME - security advisories on the 23rd ? uncool idea is uncool)
On 23/12/2011 17:25, Damien Fleuriot wrote:
> I'm subscribed to the BIND ML but I don't recall seeing an advisory there ahead of today.

The BIND vulnerability was discussed on bind-users last month, and updates were pushed to the ports and RELENG_7 and RELENG_8 pretty much straight away. RELENG_9 was patched slightly later. ISC's advisory is here:

https://www.isc.org/software/bind/advisories/cve-2011-4313

Was also discussed on freebsd-questions@... around the same timeframe.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk