The timing of security advisories
It's an old debate on when to release a security advisory:
It should be released as early as possible to give people a
chance to fix, but at the same time the fixing should be in
a coordinated way. "Coordinated" means a fair chance for
professional sysadmins to deploy a fix during working hours,
and not in the middle of the night on a weekend. Or on the
day before Christmas Eve. But what if there's a pressing reason,
maybe an exploit in the wild?
currently has such a problem, and I think it's fair that
Colin Percival as the FreeBSD Security Officer did release
the advisory, even if it's in a sub-optimal timeframe.
For those NetBSD users wondering if there's a similar problem
in NetBSD's telnetd: apparently an unchecked argument can cause
memory corruption via a memcpy length parameter overflow in sub-option processing (for terminal type, size etc.).
This was fixed in NetBSD thanks to a hint from Colin.
There's no NetBSD Security Advisory yet,
but people still using telnetd in production networks may
consider rebuilding libtelnet and telnetd.
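To make the class of bug described above concrete, here is an added example (not NetBSD's or FreeBSD's telnetd code, and not the actual fix): a constructed terminal-type sub-option handler in the style of RFC 1091, once with the wire-supplied length passed straight to memcpy, and once with the bound check that such code needs. The peer_state layout, the 16-byte TTYPE_MAX slot and the canary next to it are assumptions made for the demonstration; the arena is padded so the unchecked copy stays inside one object while still showing the neighbouring memory being overwritten.

```c
#include <stddef.h>
#include <string.h>

/* Telnet protocol bytes (RFC 854, RFC 1091).  A terminal-type reply is
 * framed as:  IAC SB TERMINAL-TYPE IS <name bytes> IAC SE                */
#define IAC           255
#define SB            250
#define SE            240
#define TELOPT_TTYPE   24
#define TELQUAL_IS      0

/* Constructed layout (assumption, not telnetd's): a fixed slot for the
 * terminal name, a canary standing in for whatever the real daemon keeps
 * next to it, then padding so the demo never writes outside this object. */
#define TTYPE_MAX   16
#define CANARY_LEN   4
struct peer_state {
    unsigned char mem[TTYPE_MAX + CANARY_LEN + 64];
};
static const unsigned char CANARY[CANARY_LEN] = { 0xde, 0xad, 0xbe, 0xef };

static void peer_init(struct peer_state *st)
{
    memset(st->mem, 0, sizeof st->mem);
    memcpy(st->mem + TTYPE_MAX, CANARY, CANARY_LEN);
}

/* 1 if the bytes after the name slot are untouched, 0 if clobbered. */
static int peer_canary_intact(const struct peer_state *st)
{
    return memcmp(st->mem + TTYPE_MAX, CANARY, CANARY_LEN) == 0;
}

/* Locate the name inside IAC SB TTYPE IS ... IAC SE.  Returns the name
 * length (taken from the wire, so peer-controlled) or -1 if malformed. */
static int ttype_payload(const unsigned char *pkt, size_t pktlen,
                         const unsigned char **name)
{
    if (pktlen < 6 || pkt[0] != IAC || pkt[1] != SB ||
        pkt[2] != TELOPT_TTYPE || pkt[3] != TELQUAL_IS)
        return -1;
    for (size_t i = 4; i + 1 < pktlen; i++) {
        if (pkt[i] == IAC && pkt[i + 1] == SE) {
            *name = pkt + 4;
            return (int)(i - 4);
        }
    }
    return -1;                          /* no IAC SE terminator */
}

/* Vulnerable form: the wire length goes straight into memcpy.  The only
 * bound is a harness bound keeping the demo inside st->mem; the bug is
 * that TTYPE_MAX is never consulted.  Returns bytes copied or -1. */
static int ttype_store_unchecked(struct peer_state *st,
                                 const unsigned char *pkt, size_t pktlen)
{
    const unsigned char *name;
    int len = ttype_payload(pkt, pktlen, &name);
    if (len < 0 || (size_t)len > sizeof st->mem)    /* harness bound only */
        return -1;
    memcpy(st->mem, name, (size_t)len);             /* BUG: len may exceed TTYPE_MAX */
    return len;
}

/* Hardened form: refuse anything that does not fit, leaving room for NUL.
 * Returns bytes stored, -1 if malformed, -2 if too long. */
static int ttype_store_checked(struct peer_state *st,
                               const unsigned char *pkt, size_t pktlen)
{
    const unsigned char *name;
    int len = ttype_payload(pkt, pktlen, &name);
    if (len < 0)
        return -1;
    if ((size_t)len >= TTYPE_MAX)                   /* the missing check */
        return -2;
    memcpy(st->mem, name, (size_t)len);
    st->mem[len] = '\0';
    return len;
}

/* Build a TTYPE IS frame around n copies of byte c (constructed input). */
static size_t build_ttype_frame(unsigned char *out, size_t outlen,
                                unsigned char c, size_t n)
{
    if (outlen < n + 6) return 0;
    out[0] = IAC; out[1] = SB; out[2] = TELOPT_TTYPE; out[3] = TELQUAL_IS;
    memset(out + 4, c, n);
    out[4 + n] = IAC; out[5 + n] = SE;
    return n + 6;
}

/* 24-byte name: unchecked copy smashes the canary, checked copy refuses. */
static int demo_overlong_name(void)
{
    unsigned char frame[96];
    size_t flen = build_ttype_frame(frame, sizeof frame, 'A', 24);
    struct peer_state st;
    peer_init(&st);
    int r1 = ttype_store_unchecked(&st, frame, flen);
    int smashed = !peer_canary_intact(&st);
    peer_init(&st);
    int r2 = ttype_store_checked(&st, frame, flen);
    return r1 == 24 && smashed && r2 == -2 && peer_canary_intact(&st);
}

/* 10-byte name: checked copy stores it NUL-terminated, canary untouched. */
static int demo_short_name(void)
{
    unsigned char frame[32];
    size_t flen = build_ttype_frame(frame, sizeof frame, 'x', 10);
    struct peer_state st;
    peer_init(&st);
    int r = ttype_store_checked(&st, frame, flen);
    return r == 10 && memcmp(st.mem, "xxxxxxxxxx", 11) == 0 &&
           peer_canary_intact(&st);
}
```

The point to take from the two handlers is that the length is not something the parser computes, it is something the peer sends; any fixed-size destination therefore needs its own comparison before the copy, and the comparison has to use the destination's size (here `TTYPE_MAX`), not the size of the buffer the frame happened to arrive in.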
So, to those of you who have moved to SSH: Happy Holidays!
To the rest: Happy Updating! :-)