oss-sec mailing list archives
Re: FreeBSD: URGENT: RNG broken for last 4 months
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 18 Feb 2015 21:43:15 -0700
On 18/02/15 09:03 PM, cve-assign () mitre org wrote:
If you are running a current kernel r273872 or later, please upgradeOur perspective at this point is that FreeBSD-CURRENT is not a "software product" and typically should not have CVE assignments. If anyone on the FreeBSD Security Officer Team believes that this, for whatever reason, is a case where FreeBSD-CURRENT should have a CVE, we are willing to go with their preference.quite a few people run -current (and it's a 4 month affected window), so if we're assigning CVE's to stuff hosted in github, then it seems fairA project on github can be a software product if the developers choose to use github that way. FreeBSD-CURRENT is, for example, advertised as "any given commit is just as likely to introduce new bugs as to fix existing ones" (https://www.freebsd.org/doc/en/books/handbook/current-stable.html). The defined use cases for FreeBSD-CURRENT don't suggest that it has any expected behavior, security-wise or otherwise: it is just a point in the development process. Also, we don't happen to know of situations where third parties repackage and support FreeBSD-CURRENT code (e.g., as the embedded OS of an appliance).
I respectfully disagree due to the fact that FreeBSD gives explicit instructions on running current: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/current-stable.html and even places it above using -stable in the order in the book. Looking at the instructions: To track FreeBSD-CURRENT: Join the freebsd-current and the svn-src-head lists. This is essential in order to see the comments that people are making about the current state of the system and to receive important bulletins about the current state of FreeBSD-CURRENT. if you look at those mailing lists you will see there are a ton of posters, so obviously more than a few people are using this. Any ways just my 5 cents, I don't think it's a good precedent to set that "oh the vendor says this is beta/not supported/etc so no CVE" when: 1) a lot of people use it (e.g. Google Chrome was a "beta", but it had several million users so it got CVEs) 2) the affected timeframe was quite significant (4 months, so for yearly key roll over that's 1/3 of the population affected) 3) the problem can linger on despite the system being updated (e.g. any certs/keys need to be re-generated). -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- FreeBSD: URGENT: RNG broken for last 4 months Kurt Seifried (Feb 17)
- Re: FreeBSD: URGENT: RNG broken for last 4 months Loganaden Velvindron (Feb 17)
- Re: FreeBSD: URGENT: RNG broken for last 4 months cve-assign (Feb 18)
- Re: FreeBSD: URGENT: RNG broken for last 4 months Kurt Seifried (Feb 18)