Re: advisory coordination (Re: SA-02:35)

From: Colin Percival (Colin_Percival@sfu.ca)
Date: 08/06/02

Date: Tue, 06 Aug 2002 14:32:12 -0700
From: Colin Percival <Colin_Percival@sfu.ca>
To: peter.lai@uconn.edu, Anatole Shaw <shaw@autoloop.com>

At 16:20 06/08/2002 -0400, Peter C. Lai wrote:
>On Tue, Aug 06, 2002 at 02:03:00PM -0400, Anatole Shaw wrote:
> > I think that a policy of issuing "early warning" advisories, as Colin
> > Percival extrapolated from my original post, is one right solution. That
> > is, an incomplete advisory is better than no advisory at all, when bug
> > details (i.e. patch) are already circulating.
>
>[...] Still, the openssl revision along with the
>stdio repatch seems to suggest that we may want to balance haste
>with quality of the patches.

   I didn't mean at all that the quality of the patches should be
endangered in order to issue an advisory quickly; rather, I meant that once
everyone involved agreed that a patch was good, issuing an advisory saying
"there's a problem, here's the patch, we don't know what the possible
workarounds might be" would be preferable to waiting until you had analyzed
exactly when there is a security risk and what the workarounds might be.

Colin Percival

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message