[nycbug-talk] Fwd: Merry Christmas from the FreeBSD Security Team

George Rosamond george at ceetonetechnology.com
Fri Dec 23 20:57:10 EST 2011

For those who didn't see this. . . wow.


-------- Original Message --------
Subject: Merry Christmas from the FreeBSD Security Team
Date: Fri, 23 Dec 2011 07:39:20 -0800
From: FreeBSD Security Officer <cpeSNIPbsd.org>
Reply-To: security-ofSNIPbsd.org
Organization: FreeBSD Project
To: freebsd-announce at freebsd.org, freebsd-security-notifications at freebsd.org

Hash: SHA1

Hi all,

No, the Grinch didn't steal the FreeBSD security officer GPG key, and 
your eyes
aren't deceiving you: We really did just send out 5 security advisories.

The timing, to put it bluntly, sucks.  We normally aim to release 
advisories on
Wednesdays in order to maximize the number of system administrators who 
will be
at work already; and we try very hard to avoid issuing advisories any 
time close
to holidays for the same reason.  The start of the Christmas weekend -- 
in some
parts of the world it's already Saturday -- is absolutely not when we 
want to be
releasing security advisories.

Unfortunately my hand was forced: One of the issues 
is a remote root vulnerability which is being actively exploited in the 
bugs really don't come any worse than this.  On the positive side, most 
have moved past telnet and on to SSH by now; but this is still not an 
issue we
could postpone until a more convenient time.

While I'm writing, a note to freebsd-update users: 
FreeBSD-SA-11:07.chroot has a
rather messy fix involving adding a new interface to libc; this has the 
side effect of causing the sizes of some "symbols" (aka. functions) in 
libc to
change, resulting in cascading changes into many binaries.  The long list of
updated files is irritating, but isn't a sign that anything in 
went wrong.

- -- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly 
Version: GnuPG v2.0.18 (FreeBSD)

freebsd-security-notifications at freebsd.org mailing list
To unsubscribe, send any mail to 
"freebsd-security-notifications-unsubscribe at freebsd.org"

More information about the talk mailing list