On 9 April 2014 15:32, Kimmo Paasiala <kpaasial at icloud.com> wrote:
> Can you name some of those projects that claim to have such quick response
> time? I'll be steering way clear of them knowing that they don't test their
> security patches before releasing them. It's really quite shocking to see
> that such unprofessional working attitude has taken so firm hold in the open
> source world. What a pity.

RedHat managed to provide the fix within 21 hours but apparently they knew very early about the issue. FreeBSD Security Team didn't? Why? You can _see_ the whole process on their bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1084875. On the other hand Xin Li acknowledged the issue answering a mail to freebsd-security@ on Monday at 21:02 UTC and then after 21 hours of _silence_ the fix was committed. They managed to release the fix 15 hours before FreeBSD and I assume they test things before release because besides Fedora and CentOS they also have paying customers. Debian acknowledged the problem at the same time as FreeBSD according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883 but they released the fix very, very quickly. Ports got the fix very quickly as well. Maybe it'll surprise you but there are still people using FreeBSD. What are we supposed to do when so@ is silent while scripts exploiting the issue are in the wild? We need more transparency here.

-- 
One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live, and too rare to die.
On 09.04.2014 17:29, Pawel Biernacki wrote:
> [snip]
> We need more transparency here.
>

Please read this and other related threads and you'll understand that the FreeBSD-SecTeam had no real chance to react earlier than they did.

http://seclists.org/oss-sec/2014/q2/22

In fact, they were really fast; thanks therefore.

Regards,
Joe User
Pawel Biernacki <pawel.biernacki at gmail.com> writes:
> RedHat managed to provide the fix within 21 hours but apparently they
> knew very early about the issue. FreeBSD Security Team didn't? Why?
> You can _see_ the whole process on their bugzilla
> https://bugzilla.redhat.com/show_bug.cgi?id=1084875.

No you can't. That ticket is just window dressing. By the time it was created, RedHat had known about the issue for at least a week, and probably more.

DES
-- 
Dag-Erling Smørgrav - des at des.no