Damien Fleuriot
2011-Dec-23 16:15 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
Hey up list,

Look, just a rant here.

Who in *HELL* thought it would be a cool idea to release no less than FOUR security advisories today ?

I mean, couldn't this have waited and remained undisclosed until Monday ?

I for one do *NOT* relish the idea of updating 50+ boxes this evening and tomorrow !

Not to mention a whole lot of merchants and banks toggled IT Freeze a few weeks ago, to ensure xmas shopping doesn't get disturbed by production changes.

Seriously, this is just irritating.

/flame
John Baldwin
2011-Dec-23 16:39 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
On Friday, December 23, 2011 11:07:56 am Damien Fleuriot wrote:
> Hey up list,
>
> Look, just a rant here.
>
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?
>
> I mean, couldn't this have waited and remained undisclosed until monday ?
>
> I for one do *NOT* relish the idea of updating 50+ boxes this evening
> and tomorrow !
>
> Not to mention a whole lot of merchants and banks have toggled IT Freeze
> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
> production changes.
>
> Seriously, this is just irritating.

From an e-mail sent to security@ from the security officer:

<quote>
Hi all,

No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes aren't deceiving you: We really did just send out 5 security advisories.

The timing, to put it bluntly, sucks. We normally aim to release advisories on Wednesdays in order to maximize the number of system administrators who will be at work already; and we try very hard to avoid issuing advisories any time close to holidays for the same reason. The start of the Christmas weekend -- in some parts of the world it's already Saturday -- is absolutely not when we want to be releasing security advisories.

Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd) is a remote root vulnerability which is being actively exploited in the wild; bugs really don't come any worse than this. On the positive side, most people have moved past telnet and on to SSH by now; but this is still not an issue we could postpone until a more convenient time.

While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a rather messy fix involving adding a new interface to libc; this has the awkward side effect of causing the sizes of some "symbols" (aka. functions) in libc to change, resulting in cascading changes into many binaries. The long list of updated files is irritating, but isn't a sign that anything in freebsd-update went wrong.
</quote>

-- 
John Baldwin
Joe Holden
2011-Dec-23 16:51 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
So don't update until Monday? The outcome will be the same :)

Damien Fleuriot wrote:
> Hey up list,
>
> Look, just a rant here.
>
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?
>
> I mean, couldn't this have waited and remained undisclosed until monday ?
>
> I for one do *NOT* relish the idea of updating 50+ boxes this evening
> and tomorrow !
>
> Not to mention a whole lot of merchants and banks have toggled IT Freeze
> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
> production changes.
>
> Seriously, this is just irritating.
>
> /flame
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
Damien Fleuriot
2011-Dec-23 17:01 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/11 5:54 PM, Bas Smeelen wrote:
>> Look, just a rant here.
>>
>> Who in *HELL* thought it would be a cool idea to release no less than
>> FOUR security advisories today ?
> What's the impact for your boxes?
>

Only the BIND exploit concerns me, means that *potentially* servers for my projects might be unable to run DNS resolution anymore -> prod problems.

I don't think we'll be getting trouble though so I'm postponing the update until next week.

>> I mean, couldn't this have waited and remained undisclosed until monday ?
> Best time to exploit is Christmas/holidays
>
>> I for one do *NOT* relish the idea of updating 50+ boxes this evening
>> and tomorrow !
> updating 30 boxes right now
>
>> Not to mention a whole lot of merchants and banks have toggled IT Freeze
>> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
>> production changes.
>
>> Seriously, this is just irritating.
> If you don't use telnet, ftpd, dns, pam, then it's not a big problem
>
> merry Christmas
>
> Disclaimer: http://www.ose.nl/email
Mike Tancsa
2011-Dec-23 17:01 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/2011 11:07 AM, Damien Fleuriot wrote:
> Hey up list,
> Look, just a rant here.
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?

The Security Officer explained it was because one of them was being actively exploited.

http://lists.freebsd.org/pipermail/freebsd-security-notifications/2011-December/000165.html

Also, the chroot issue has been public for some time along with sample exploits. Same with BIND which was fixed some time ago. Judgment call, and I think they made the right call at least from my perspective.

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
Bas Smeelen
2011-Dec-23 17:08 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
> Look, just a rant here.

> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?

What's the impact for your boxes?

> I mean, couldn't this have waited and remained undisclosed until monday ?

Best time to exploit is Christmas/holidays

> I for one do *NOT* relish the idea of updating 50+ boxes this evening
> and tomorrow !

updating 30 boxes right now

> Not to mention a whole lot of merchants and banks have toggled IT Freeze
> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
> production changes.

> Seriously, this is just irritating.

If you don't use telnet, ftpd, dns, pam, then it's not a big problem

merry Christmas

Disclaimer: http://www.ose.nl/email
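An added triage helper prompted by the "what's the impact for your boxes?" question above. It is not code from this thread or from the FreeBSD project; it reads a FreeBSD-style inetd.conf and rc.conf and reports which of the services the thread names (telnetd, ftpd, BIND/named, and sshd as a stand-in for "something here uses PAM") are enabled, so the boxes that actually expose telnetd (FreeBSD-SA-11:08, actively exploited) can be patched first and the rest can wait for Monday. The file paths, the rc.conf knobs it looks at (inetd_enable, ftpd_enable, named_enable, sshd_enable) and the sample config contents are assumptions constructed for the demo. It only inspects configuration; it does not prove a binary is patched or unpatched, and it does not see daemons started by some other means.

```shell
#!/bin/sh
# Exposure triage for the 23 Dec 2011 FreeBSD advisories.
# Added example, not from the thread or the FreeBSD project.
#   Real use:  sh exposure.sh /etc/inetd.conf /etc/rc.conf
#   No args:   runs against constructed sample files (demo only).
# Assumptions: FreeBSD-style inetd.conf (service name in field 1) and
# rc.conf *_enable="YES" knobs; both files are plain text.

# Names of services enabled (uncommented) in an inetd.conf, one per line.
inetd_enabled() {
    sed -e 's/#.*//' "$1" | awk 'NF { print $1 }' | sort -u
}

# True when rc.conf sets variable $2 to YES (last assignment wins,
# case-insensitive, quotes stripped).
rc_yes() {
    val=$(sed -e 's/#.*//' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1 \
          | tr -d "\"' " | tr '[:upper:]' '[:lower:]')
    [ "$val" = "yes" ]
}

# Print a space-separated list of exposed services; empty means nothing
# in this set of advisories needs a same-day update on this host.
exposure() {
    inetd="$1"; rc="$2"; out=""
    if rc_yes "$rc" inetd_enable; then
        for svc in $(inetd_enabled "$inetd"); do
            case "$svc" in
                telnet) out="$out telnetd" ;;   # FreeBSD-SA-11:08, exploited in the wild
                ftp)    out="$out ftpd" ;;      # chroot issue, FreeBSD-SA-11:07
            esac
        done
    fi
    rc_yes "$rc" ftpd_enable  && out="$out ftpd(standalone)"
    rc_yes "$rc" named_enable && out="$out named"               # BIND
    rc_yes "$rc" sshd_enable  && out="$out sshd(check-pam)"     # PAM consumer; inspect /etc/pam.d by hand
    echo "${out# }"
}

# Write constructed sample config files into directory $1 (demo data only).
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample: ftp on (v4 and v6), telnet commented out
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
EOF
    cat > "$1/rc.conf" <<'EOF'
# constructed sample rc.conf
inetd_enable="YES"
named_enable="no"
sshd_enable="YES"
EOF
}

if [ "$#" -eq 2 ]; then
    exposure "$1" "$2"
else
    d=$(mktemp -d); write_samples "$d"
    echo "exposed: $(exposure "$d/inetd.conf" "$d/rc.conf")"
    rm -rf "$d"
fi
```

Run it over each host's config (or over config copies pulled from a management repo) and sort the output: hosts that print `telnetd` get patched tonight regardless of freeze, `ftpd` hosts need a look at whether anonymous users can upload, `named` hosts are the DNS-resolution worry raised above, and an empty line is the "update next week" pile. The check deliberately stays on the config side so it can run during a change freeze without touching the box.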
Stephen Montgomery-Smith
2011-Dec-23 17:09 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/2011 10:07 AM, Damien Fleuriot wrote:
> Hey up list,
>
> Look, just a rant here.
>
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?

After receiving the fifth security advisory in a few moments, you will get a Christmas message from the Security Advisory team, which will both apologize and explain why these untimely advisories came today.

http://lists.freebsd.org/pipermail/freebsd-security-notifications/2011-December/thread.html
Stephen Montgomery-Smith
2011-Dec-23 17:28 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/2011 10:56 AM, Mike Tancsa wrote:
> Also, the chroot issue has been public for some time along with sample
> exploits. Same with BIND which was fixed some time ago. Judgment call,
> and I think they made the right call at least from my perspective.

It is this chroot issue that bothers me. From my reading of the ftpd man page, if I have anonymous ftp to my server, it seems that I am using chroot with ftpd, and there is no way to stop this happening.

Am I correct, or have I missed something? (I am hoping I missed something.)
George Kontostanos
2011-Dec-23 17:35 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 7:25 PM, Stephen Montgomery-Smith <stephen@missouri.edu> wrote:
> On 12/23/2011 10:56 AM, Mike Tancsa wrote:
>
>> Also, the chroot issue has been public for some time along with sample
>> exploits. Same with BIND which was fixed some time ago. Judgment call,
>> and I think they made the right call at least from my perspective.
>
> It is this chroot issue that bothers me. From my reading of the ftpd man
> page, if I have anonymous ftp to my server, it seems that I am using chroot
> with ftpd, and there is no way to stop this happening.
>
> Am I correct, or have I missed something? (I am hoping I missed something.)

To sum up this mess. Are all cvs mirror servers updated regarding these changes ?

Also, I see that FreeBSD 9.0-RELEASE is included. Has it been released ?

Regards
-- 
George Kontostanos
Aicom telecoms ltd
http://www.barebsd.com
Mike Tancsa
2011-Dec-23 17:59 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
On 12/23/2011 12:25 PM, Stephen Montgomery-Smith wrote:
>
> It is this chroot issue that bothers me. From my reading of the ftpd
> man page, if I have anonymous ftp to my server, it seems that I am using
> chroot with ftpd, and there is no way to stop this happening.
>
> Am I correct, or have I missed something? (I am hoping I missed
> something.)

Depends what they can write to and upload. The thread starts here

http://lists.freebsd.org/pipermail/freebsd-security/2011-November/006085.html

that discusses it in more detail

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
George Kontostanos
2011-Dec-23 18:08 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 7:55 PM, Mike Tancsa <mike@sentex.net> wrote:
> On 12/23/2011 12:25 PM, Stephen Montgomery-Smith wrote:
>>
>> It is this chroot issue that bothers me. From my reading of the ftpd
>> man page, if I have anonymous ftp to my server, it seems that I am using
>> chroot with ftpd, and there is no way to stop this happening.
>>
>> Am I correct, or have I missed something? (I am hoping I missed
>> something.)
>
> Depends what they can write to and upload. The thread starts here
>
> http://lists.freebsd.org/pipermail/freebsd-security/2011-November/006085.html
>
> that discusses it in more detail
>
> ---Mike

Are all cvs mirror servers updated regarding these changes ? ANYBODY ????

-- 
George Kontostanos
Aicom telecoms ltd
http://www.barebsd.com
Kurt Buff
2011-Dec-24 17:06 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
On Fri, Dec 23, 2011 at 08:07, Damien Fleuriot <ml@my.gd> wrote:
> Hey up list,
>
> Look, just a rant here.
>
> Who in *HELL* thought it would be a cool idea to release no less than
> FOUR security advisories today ?

I'm guessing the Security Officer and those with whom he consults. Just a thought, since that's who sent the email.

> I mean, couldn't this have waited and remained undisclosed until monday ?

Does "active exploitation in the wild" mean anything to you?

> I for one do *NOT* relish the idea of updating 50+ boxes this evening
> and tomorrow !

Sucks to be you. You knew the job was dangerous when you took it, and if you didn't, well, then, bummer, it's what comes with the territory. I just spent my day yesterday downing my entire server environment in the US to upgrade the electrical, and it was a paid holiday for the company. As a sysadmin, you should know that these things happen, and learn to deal with them.

> Not to mention a whole lot of merchants and banks have toggled IT Freeze
> a few weeks ago, to ensure xmas shopping doesn't get disturbed by
> production changes.

Yeah. It's hell being a professional.

> Seriously, this is just irritating.

Cry me a river. You should be thanking the team for getting the releases to you as fast as possible, so you can take effective measures ASAP.

Kurt
Ruben van Staveren
2011-Dec-25 15:12 UTC
FLAME - security advisories on the 23rd ? uncool idea is uncool
On 23 Dec 2011, at 17:07, Damien Fleuriot wrote:
> Seriously, this is just irritating.

Seriously, malevolent persons don't do engineering freeze times.

I thank the FreeBSD security team for keeping vigilant on this, despite having no official obligation, as there is no SLA on the product and it is not backed by a commercial company.

Best Regards,
Ruben