[nycbug-talk] Fwd: Merry Christmas from the FreeBSD Security Team
George Rosamond
george at ceetonetechnology.com
Fri Dec 23 20:57:10 EST 2011
For those who didn't see this. . . wow.
g
-------- Original Message --------
Subject: Merry Christmas from the FreeBSD Security Team
Date: Fri, 23 Dec 2011 07:39:20 -0800
From: FreeBSD Security Officer <cpeSNIPbsd.org>
Reply-To: security-ofSNIPbsd.org
Organization: FreeBSD Project
To: freebsd-announce at freebsd.org, freebsd-security-notifications at freebsd.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all,
No, the Grinch didn't steal the FreeBSD security officer GPG key, and
your eyes
aren't deceiving you: We really did just send out 5 security advisories.
The timing, to put it bluntly, sucks. We normally aim to release
advisories on
Wednesdays in order to maximize the number of system administrators who
will be
at work already; and we try very hard to avoid issuing advisories any
time close
to holidays for the same reason. The start of the Christmas weekend --
in some
parts of the world it's already Saturday -- is absolutely not when we
want to be
releasing security advisories.
Unfortunately my hand was forced: One of the issues
(FreeBSD-SA-11:08.telnetd)
is a remote root vulnerability which is being actively exploited in the
wild;
bugs really don't come any worse than this. On the positive side, most
people
have moved past telnet and on to SSH by now; but this is still not an
issue we
could postpone until a more convenient time.
While I'm writing, a note to freebsd-update users:
FreeBSD-SA-11:07.chroot has a
rather messy fix involving adding a new interface to libc; this has the
awkward
side effect of causing the sizes of some "symbols" (aka. functions) in
libc to
change, resulting in cascading changes into many binaries. The long list of
updated files is irritating, but isn't a sign that anything in
freebsd-update
went wrong.
- --
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly
paranoid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)
iEYEARECAAYFAk70oKgACgkQFdaIBMps37IsdACgh01CeO+zVGe3o9dn2cLvhh70
ISoAoJCeLUAbJ+0ibyfbVM4fYxpiEfo0
=vt5I
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to
"freebsd-security-notifications-unsubscribe at freebsd.org"
More information about the talk
mailing list