It seems (at least for me) the patches on ftp.freebsd.org are out of date for the 03:12 security advisory (openssh). ftp2.freebsd.org has them fine.

I'm wondering if this is a mirror issue or perhaps round-robin DNS problem?

What compounds the issue is that right now the old openssh 3.7 patches are there (on ftp.freebsd.org), but not the 3.7.1 patches (which can be found on ftp2.freebsd.org). This could conceivably cause someone to miss a patch.

Am I doing something wrong? If not, then this is just a little heads up. Perhaps it would be better to include ftp2.freebsd.org links in the security advisories.

Hate to complain. The FreeBSD security team has done a great job, especially in the midst of this whole openssh mess.

Nate Nielsen
If memory serves me right, Nielsen wrote:
> It seems (at least for me) the patches on ftp.freebsd.org are out of
> date for the 03:12 security advisory (openssh). ftp2.freebsd.org has
> them fine.
>
> I'm wondering if this is a mirror issue or perhaps round-robin DNS problem?
>
> What compounds the issue is that right now the old openssh 3.7 patches
> are there (on ftp.freebsd.org), but not the 3.7.1 patches (which can be
> found on ftp2.freebsd.org). This could conceivably cause someone to miss
> a patch.

As I understand the problem, it has to do with the updating cycles of the mirrors (both ftp.freebsd.org machines get their content in much the same way as any of the other top-level mirrors). By sheer luck, it might be possible that ftp.freebsd.org might synchronize later than the other mirrors. There are other factors, such as the periodicity of updating, that also come into play.

I'm not sure what's a good solution to this. I know that security-team is aware of the problem, in fact it came up in the security-officer BoF at BSDCon.

(One possibility might be to put the advisories on the Web site and force an update immediately after an advisory is issued. I do this during the late stages of a release cycle to push out the release announcements and release notes. The problem with this, however, is that everyone is conditioned to look to the FTP sites for advisories.)

Bruce.
Colin Percival
2003-Sep-17 20:49 UTC
ftp.freebsd.org out of date? (WRT security advisories)
At 20:40 17/09/2003 -0700, Bruce A. Mah wrote:
>I'm not sure what's a good solution to this. I know that security-team
>is aware of the problem, in fact it came up in the security-officer BoF
>at BSDCon.

It was mentioned, but I don't recall anything being decided.

>(One possibility might be to put the advisories on the Web site and
>force an update immediately after an advisory is issued. I do this
>during the late stages of a release cycle to push out the release
>announcements and release notes. The problem with this, however, is
>that everyone is conditioned to look to the FTP sites for advisories.)

One option would be to put the patch signatures on the website (where they could be force-updated). Nobody would ever consider applying a patch without verifying the attached signature, right?

Colin Percival
Olafur Osvaldsson
2003-Sep-18 03:09 UTC
ftp.freebsd.org out of date? (WRT security advisories)
Nielsen,

On Thu, 18 Sep 2003, Nielsen wrote:
> It seems (at least for me) the patches on ftp.freebsd.org are out of
> date for the 03:12 security advisory (openssh). ftp2.freebsd.org has
> them fine.
>
> I'm wondering if this is a mirror issue or perhaps round-robin DNS problem?

This has to do with the fact that ftp.freebsd.org is a mirror like all the other ftp*.freebsd.org servers and they sync at different intervals.

> What compounds the issue is that right now the old openssh 3.7 patches
> are there (on ftp.freebsd.org), but not the 3.7.1 patches (which can be
> found on ftp2.freebsd.org). This could conceivably cause someone to miss
> a patch.
>
> Am I doing something wrong? If not, then this is just a little heads up.
> Perhaps it would be better to include ftp2.freebsd.org links in the
> security advisories.

If you are going to do that you might as well add all the mirrors to the advisories, as next time you might have the patch on ftp9 first and not the others until later.

/Oli

--
Olafur Osvaldsson
Systems Administrator
Internet a Islandi hf.
Tel: +354 525-5291
Email: oli@isnic.is
Jacques A. Vidrine
2003-Sep-18 07:59 UTC
ftp.freebsd.org out of date? (WRT security advisories)
On Thu, Sep 18, 2003 at 12:39:47AM +0000, Nielsen wrote:
> It seems (at least for me) the patches on ftp.freebsd.org are out of
> date for the 03:12 security advisory (openssh). ftp2.freebsd.org has
> them fine.
>
> I'm wondering if this is a mirror issue or perhaps round-robin DNS problem?
>
> What compounds the issue is that right now the old openssh 3.7 patches
> are there (on ftp.freebsd.org), but not the 3.7.1 patches (which can be
> found on ftp2.freebsd.org). This could conceivably cause someone to miss
> a patch.
>
> Am I doing something wrong? If not, then this is just a little heads up.
> Perhaps it would be better to include ftp2.freebsd.org links in the
> security advisories.
>
> Hate to complain. The FreeBSD security team has done a great job,
> especially in the midst of this whole openssh mess.

I always manually update ftp.freebsd.org (62.243.72.50) and ftp2.freebsd.org. The problem is, it seems, that recently a 2nd ftp.freebsd.org was added to DNS. (Seems like a really bad idea to me, but *shrug*.) I do not have access to this new machine, and indeed I'm not sure exactly who runs it. It is on my TODO list to find out and ask for a means to run manual updates there as well.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se