FYI

>To: misc@openbsd.org
>Subject: FreeBSD hiding security stuff
>Date: Fri, 04 Mar 2005 03:51:42 -0700
>From: Theo de Raadt <deraadt@cvs.openbsd.org>
>
>A few FreeBSD developers apparently have found some security issue
>of some sort affecting i386 operating systems in some cases.
>
>They have refused to give us real details.
>
>A promise is now being made.
>
>If a bug is found in OpenSSH, which we believe to have security
>consequences, we will inform FreeBSD last.
>
>Fair is fair.
>
>I really wish it was not this way, but after a week of trying to get the
>policy to be fixed, we are changing our policy as well.
>
>Without immediate action from them to repair their policy, and a public
>apology for this, that policy will stand.

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

> FYI
>
> >To: misc@openbsd.org
> >Subject: FreeBSD hiding security stuff
> >Date: Fri, 04 Mar 2005 03:51:42 -0700
> >From: Theo de Raadt <deraadt@cvs.openbsd.org>
> >
> >A few FreeBSD developers apparently have found some security issue
> >of some sort affecting i386 operating systems in some cases.
> >
> >They have refused to give us real details.
> >
> >A promise is now being made.
> >
> >If a bug is found in OpenSSH, which we believe to have security
> >consequences, we will inform FreeBSD last.
> >
> >Fair is fair.
> >
> >I really wish it was not this way, but after a week of trying to get the
> >policy to be fixed, we are changing our policy as well.
> >
> >Without immediate action from them to repair their policy, and a public
> >apology for this, that policy will stand.

Did you verify with Theo whether this mail originated from him?

regards
Claus

On Fri, 2005-03-04 at 07:58 -0500, Mike Tancsa wrote:
> FYI
>
> >To: misc@openbsd.org
> >Subject: FreeBSD hiding security stuff
> >Date: Fri, 04 Mar 2005 03:51:42 -0700
> >From: Theo de Raadt <deraadt@cvs.openbsd.org>
> >
> >A few FreeBSD developers apparently have found some security issue
> >of some sort affecting i386 operating systems in some cases.
> >
> >They have refused to give us real details.
> >
> >A promise is now being made.
> >
> >If a bug is found in OpenSSH, which we believe to have security
> >consequences, we will inform FreeBSD last.
> >
> >Fair is fair.
> >
> >I really wish it was not this way, but after a week of trying to get the
> >policy to be fixed, we are changing our policy as well.
> >
> >Without immediate action from them to repair their policy, and a public
> >apology for this, that policy will stand.

DragonFly received this email as well, we were also not given details, which is somewhat disturbing, to be honest. I haven't said anything about this until now because I didn't want to cause a disturbance, but obviously one has been caused.

Everyone who knows me from DragonFly knows that I am quite the DragonFly diplomat: I really don't tolerate FUD about FreeBSD. As a person who also contributes to FreeBSD (yes, I contribute to both projects), I really have to say that I find this strange. It would be okay if we were given a timeframe, but there was no information. The `advisory' consisted of the following:

`On May 13th at BSDCan <http://www.bsdcan.org/> I will be publishing a local information-disclosure vulnerability which affects multiple operating systems running on x86 hardware. I'm not sure if your OS is affected; can you tell me the state of your SMP support on the x86 platform?'

Matt (Dillon) replied stating that the aforementioned `advisory' wasn't enough information to ``go on.'' We (security-officer@dragonflybsd.org) were told that we'd receive the paper after it was confirmed that DragonFly is affected. Matt asked if it was related to a certain issue. The response was ``No.'' This seems vague. This `advisory' was received by us last Saturday.

So, before we get a huge ruckus about Theo being totally unreasonable, let's have a little bit of information about why this vulnerability isn't being disclosed to the security teams of other projects. I think that it's pretty unreasonable that we're not getting more information. We can't even confirm that we're affected because we have nothing to go on. For these reasons, I don't think Theo is being terribly unreasonable.

I don't want to start a holy war here, just present the facts before a million misinformed subscribers to security@ start flaming OpenBSD and Theo.

Kind regards,

Devon H. O'Dell

At 08:28 AM 04/03/2005, Claus Guttesen wrote:
> Did you verify with Theo whether this mail originated
> from him?

No, and good point, but I did look at the headers. It appeared to come from his machine. I am guessing this is related to the Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3])

---Mike

On Fri, Mar 04, 2005 at 07:58:35AM -0500, Mike Tancsa wrote:
>
> FYI
>
> >To: misc@openbsd.org
> >Subject: FreeBSD hiding security stuff
> >Date: Fri, 04 Mar 2005 03:51:42 -0700
> >From: Theo de Raadt <deraadt@cvs.openbsd.org>
> >
> >A few FreeBSD developers apparently have found some security issue
> >of some sort affecting i386 operating systems in some cases.
> >
> >They have refused to give us real details.

Daddy Timmy won't give me a turn!....

> >A promise is now being made.
> >
> >If a bug is found in OpenSSH, which we believe to have security
> >consequences, we will inform FreeBSD last.

Ohhhhh tough guy! what a testicle.

> >Fair is fair.

Like when you take Net BSD and change it around, make it so upon boot up nothing is open by default, slapping the "It's secure" sticker .....

> >I really wish it was not this way, but after a week of trying to get the
> >policy to be fixed, we are changing our policy as well.

"I'm telling my Daddy on you!" Damn I can't stand him.

> >Without immediate action from them to repair their policy, and a public
> >apology for this, that policy will stand.

If you guys apologize to that walking turnip I'm trading in my Free BSD merchandise I've paid for, for Windows NT tee-shirts.

-Allen / Gore. A Slackware and Free BSD guy.

> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike