[17552] in bugtraq

Re: FreeBSD Security Advisory: FreeBSD-SA-00:62.top [REISSUED]

daemon@ATHENA.MIT.EDU (Warner Losh)
Wed Nov 8 12:54:16 2000

Message-Id:  <200011072045.NAA22694@harmony.village.org>
Date:         Tue, 7 Nov 2000 13:45:08 -0700
Reply-To: Warner Losh <imp@VILLAGE.ORG>
From: Warner Losh <imp@VILLAGE.ORG>
X-To:         vort-fu <vort@WIRETAPPED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Tue, 07 Nov 2000 13:12:56 +1100." 
              <Pine.BSO.4.21.0011071255400.30141-100000@new.wiretapped.net>

In message <Pine.BSO.4.21.0011071255400.30141-100000@new.wiretapped.net> vort-fu writes:
: ps. This was sent to the openbsd team, and patched, a month or so ago. How
: can the freebsd team justify the lateness in applying their patch
: (especially considering that they felt it was exploitable)?

Is this a rhetorical question, or have you stopped beating your wife?

I fixed top in the first place on October 4, the same day that OpenBSD
fixed their top.  I thought I had fixed all of the places where it was
wrong.  I missed one.  On November 3 I got a bug report that I had
missed it and within an hour I'd committed a change.  We didn't hold
anything back on purpose.

I don't know if it is exploitable or not.  It was felt that it would
be better to release an advisory just to make sure people updated in
case someone who is very clever in the future can create an exploit.

As near as I can tell from my security-officer@freebsd.org archive,
you didn't try to inform us about the hole directly.  We would welcome
you letting us know in the future at the same time as you let OpenBSD
know.

Warner
