hubertf's NetBSD Blog
Send interesting links to hubert at feyrer dot de!
[20111224] The timing of security advisories
It's an old debate on when to release a security advisory: It should be released as early as possible to give people a chance to fix, but at the same time the fixing should be in a coordinated way. "Coordinated" means a fair chance for professional sysadmins to deploy a fix during working hours, and not in the middle of the night on a weekend. Or on the day before chistmas eve. But what if there's a pressing reason, maybe an exploit in the wild?

Apparently FreeBSD's telnetd currently has such a problem, and I think it's fair that Colin Percival as the FreeBSD Security Officer did release the advisory, even if it's in a sub-optimal timeframe.

For those NetBSD uses wondering if there's a similar problem in NetBSD's telnetd: Apparenly an unchecked argument can cause memory corruption by a memcpy length parameter overflow in sub-option processing (for terminal type, size etc.). This was fixed in NetBSD thanks to a hints from Colin. There's no NetBSD Security Advisory yet, but people still using telnetd in production networks may consider rebuilding libtelnet and telnetd.

So, to those of you who have moved to SSH: Happy Holidays!
To the rest: Happy Updating! :-)

[Tags: ]

Disclaimer: All opinion expressed here is purely my own. No responsibility is taken for anything.

Access count: 32397480
Copyright (c) Hubert Feyrer