Re: FreeBSD: URGENT: RNG broken for last 4 months

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> If you are running a current kernel r273872 or later, please upgrade

Our perspective at this point is that FreeBSD-CURRENT is not a
"software product" and typically should not have CVE assignments. If
anyone on the FreeBSD Security Officer Team believes that this, for
whatever reason, is a case where FreeBSD-CURRENT should have a CVE, we
are willing to go with their preference.

> quite a few people run -current (and it's a 4 month affected window),
> so if we're assigning CVE's to stuff hosted in github, then it seems
> fair

A project on github can be a software product if the developers choose
to use github that way. FreeBSD-CURRENT is, for example, advertised as
"any given commit is just as likely to introduce new bugs as to fix
existing ones"
(https://www.freebsd.org/doc/en/books/handbook/current-stable.html).
The defined use cases for FreeBSD-CURRENT don't suggest that it has
any expected behavior, security-wise or otherwise: it is just a point
in the development process. Also, we don't happen to know of
situations where third parties repackage and support FreeBSD-CURRENT
code (e.g., as the embedded OS of an appliance).

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU5V/UAAoJEKllVAevmvmswX0IAJvlnDzjyPxNgRbkZbMkqBlP
jWu4RE4wKDIdNbMWKkPofiS0CjxT1JUvdjWJccUuEFvGMusGQcPahbIlkWUMvnRw
fzJz+y8ge2Va7VrFoy+MzP083d3X1/oUeSf/MF4UjruoUhu1LFrTKRvHZhjuVJDn
/VXmbtScI3V8zNPkmOcepdhau6AWzXi1kZ0jvTcAPtobkXc/MUCOkr2hca5iACDL
zLr/H3rzRxBMqGLXW4YqvWWRTBZc5+l3w6RGuiY5oJWkigs8UTNyKurovsw/zGZ9
lpflDjdBbSKaFvycWNOJLj9A0bTD7jo1M/6EUdzvIzBGlVnbSrlCiFfES5jpmXI=
=6XgW
-----END PGP SIGNATURE-----