FreeBSD Security Officer
2011-Dec-23 16:02 UTC
Merry Christmas from the FreeBSD Security Team
Hi all,

No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes aren't deceiving you: We really did just send out 5 security advisories.

The timing, to put it bluntly, sucks. We normally aim to release advisories on Wednesdays in order to maximize the number of system administrators who will be at work already; and we try very hard to avoid issuing advisories any time close to holidays for the same reason. The start of the Christmas weekend -- in some parts of the world it's already Saturday -- is absolutely not when we want to be releasing security advisories.

Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd) is a remote root vulnerability which is being actively exploited in the wild; bugs really don't come any worse than this. On the positive side, most people have moved past telnet and on to SSH by now; but this is still not an issue we could postpone until a more convenient time.

While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a rather messy fix involving adding a new interface to libc; this has the awkward side effect of causing the sizes of some "symbols" (aka. functions) in libc to change, resulting in cascading changes into many binaries. The long list of updated files is irritating, but isn't a sign that anything in freebsd-update went wrong.

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
On Fri, 23 Dec 2011, FreeBSD Security Officer wrote:

> Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
> is a remote root vulnerability which is being actively exploited in the wild;
> bugs really don't come any worse than this. On the positive side, most people
> have moved past telnet and on to SSH by now; but this is still not an issue we
> could postpone until a more convenient time.

Is there any reason this would not apply to telnetd from most other vendors? In particular MIT Kerberos & heimdal?

Thanks,
- Tim
On 2011-Dec-23 07:41:20 -0800, FreeBSD Security Officer <cperciva@freebsd.org> wrote:

> The timing, to put it bluntly, sucks.

Since it's Saturday here, at the start of an extended holiday season, I would tend to agree. That said, thanks for the explanation and I think you made the right call.

> On the positive side, most people
> have moved past telnet and on to SSH by now;

I thought everyone had but an acquaintance explained that he has to run telnet because his employer doesn't permit any encrypted outside access so the employer can monitor all traffic.

Merry Christmas to the security team. Thanks for your efforts during 2011 and I hope you have a quiet and uneventful holiday period and 2012.

-- 
Peter Jeremy