Missing patch and security announce


Missing patch and security announce

Rob W
See http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018

Fixed in cvs, but NO patch for 3.8 or 3.7 and NO security announce.
(http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147&r2=1.148)

How does this match http://openbsd.org/security.html#disclosure ?

Re: Missing patch and security announce

Eric Pancer
On Wed, 2006-01-25 at 16:06:55 +0100, Rob W proclaimed...

> See http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018
>
> Fixed in cvs, but NO patch for 3.8 or 3.7 and NO security announce.
> (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147&r2=1.148)
>
> How does this match http://openbsd.org/security.html#disclosure ?

Troll,

It's usually best to just troll once and wait for a reply.

Re: Missing patch and security announce

Rob W
This wasn't meant as a troll - I just want to understand why there isn't a
patch available for this. Moreover, why hasn't a security announcement been
made?

(I thought that something went wrong with my first message)

Re: Missing patch and security announce

Ted Unangst-2
In reply to this post by Rob W
it's a minor issue.

On 1/25/06, Rob W <[hidden email]> wrote:

> See http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018
>
> Fixed in cvs, but NO patch for 3.8 or 3.7 and NO security announce.
> (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147&r2=1.148)
>
> How does this match http://openbsd.org/security.html#disclosure ?

Re: Missing patch and security announce

Rob W
Maybe it is a minor issue, but where is the limit for when a security
announcement and a patch are made available?

Quote from http://openbsd.org/security.html:
"Like many readers of the BUGTRAQ mailing list, we believe in full
disclosure of security problems. In the operating system arena, we were
probably the first to embrace the concept. Many vendors, even of free
software, still try to hide issues from their users."

Is this an attempt to hide this from OpenBSD's users?

I got the following response offlist:
<quote>
I got a "vendor confirmed" alert for this issue from Symantec's
DeepSight. It points to the CVS tree but also the errata page.  I went
to look at the errata and couldn't find anything.

So it's important enough to tell Symantec about it but not to put on
the errata page. I guess that I just don't understand what goes on the
errata.html.

Not trolling either,
Pierre
</quote>

Re: Missing patch and security announce

Rob W
In reply to this post by Ted Unangst-2
What about http://www.securityfocus.com/bid/16375

Re: Missing patch and security announce

Rob W
In reply to this post by Ted Unangst-2
What about http://www.securityfocus.com/columnists/380

Re: Missing patch and security announce

Claudio Jeker
On Thu, Jan 26, 2006 at 01:51:48PM +0100, Rob W wrote:
> What about http://www.securityfocus.com/columnists/380
>

Oh please! Could we please stop this immutable files (non-)issue?
This securityfocus article shows only one thing: the incompetence of the
columnist and of securityfocus itself. Probably some people should read one
or two books about UNIX.

--
:wq Claudio

Re: Missing patch and security announce

Ted Unangst-2
In reply to this post by Rob W
On 1/26/06, Rob W <[hidden email]> wrote:
> Maybe it is a minor issue but where is the limit for when a security
> announce and a patch is made available?

do you know what the preconditions necessary for exploit are?  do you
know the consequences of the bug?

> <quote>
> I got a "vendor confirmed" alert for this issue from Symantec's
> DeepSight. It points to the CVS tree but also the errata page.  I went
> to look at the errata and couldn't find anything.
>
> So it's important enough to tell Symantec about it but not to put on
> the errata page. I guess that I just don't understand what goes on the
> errata.html.

nobody told symantec.  anyway, of course they list it.  that way they
can say "our vuln db has 88,400 entries, and secunia only has 88,295,
and iss only has 87,957, so we're better."  besides the fact that it's
some dude's job to make those entries, and at the end of the week when
his boss asks how many he added, the more the merrier.

Re: Missing patch and security announce

Dries Schellekens
In reply to this post by Rob W
Rob W wrote:

> What about http://www.securityfocus.com/bid/16375

Fixed in -current, 3.8-stable and 3.7-stable
See http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_norm.c


Cheers,

Dries