Arthur T Knackerbracket has found the following story:
The developers of FreeBSD have announced they'll change the way they go about their business, after users queried why known vulnerabilities weren't being communicated to users.
This story starts with an anonymous GitHub post detailing some vulnerabilities in the OS, specifically in freebsd-update, libarchive, bspatch and portsnap. Some of the problems in that post were verified and the FreeBSD devs started working on repairs.
But over on the FreeBSD security list, threads like this started asking why users weren't being told much about the bugs or remediation efforts. That's a fair question because updating FreeBSD could in some circumstances actually expose users to the problem.
Now the FreeBSD team has answered those questions by saying “As a general rule, the FreeBSD Security Officer does not announce vulnerabilities for which there is no released patch.”
The operating system's developers and security team are now “reviewing this policy for cases where a proof-of-concept or working exploit is already public.”
That post also explains that the team is considering more detailed security advisories. There's also an admission that the proposed patch may have broken other things in the OS.
The post concludes by saying that the FreeBSD core and security teams are working with all due haste to fix things and will let those subscribed to its mailing lists know when patches are ready and the danger is past.
[The majority of SoylentNews.org's servers run Ubuntu 14.04 LTS (Long Term Stable version). Upgrading to version 16.04 LTS would expose our systems to systemd and there has been some discussion among staff about our options. One option under consideration would be FreeBSD. Are there any Soylentils who run FreeBSD? What has your experience been? Any surprises to share with the community? --martyb]
(Score: 2, Interesting) by Anonymous Coward on Friday August 12 2016, @04:16PM
Theo de Raadt has speculated that FreeBSD is compromised given their complete lack of security culture and the proximity of a USGOV building in California to FreeBSD. This is exactly the kind of exploit that we've seen in the past with the USGOV. Suddenly, the freebsd-security team has been quiet on this front. Note that FreeBSD is the core operating system behind many Juniper routers/firewalls and Netapp file servers.
Similarly, Julian Assange has claimed that Debian and RedHat are compromised. Remember that exploit where pressing backspace exactly 28 times would let you bypass a grub2 password, allowing you write access to the unlocked /boot partition on a full disk encrypted drive? Yeah. Exactly what you would need to happen if say, you had physical access to a laptop and wanted to install a keylogger to get the LUKS password, but suddenly laptops were being designed to be difficult to physically tamper with due to their ultrabook thinness and SecureBoot.
I just don't know man. Use whatever you feel comfortable with to host your website. Linux doesn't have a culture of security-consciousness outside of GrSecurity, which has been slandered by GNU apologists who probably can't even write a Hello World in C. If you were really security conscious, I guess you would just use OpenBSD and whatever comes in the base install, marking /usr/local nosuid and not allowing any partition to have wxallowed.
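The comment above names two mount-level hardening points on OpenBSD: /usr/local mounted nosuid, and no filesystem carrying the wxallowed option. The POSIX shell script below is an added example (not from the original thread or from any OpenBSD tooling) that audits an fstab for exactly those two points. It runs against a constructed sample fstab so it works offline; the DUID-style device names and the check_fstab function name are assumptions.

```shell
# Added example: audit an fstab for /usr/local nosuid and for any wxallowed mount.
# The sample below is constructed, not taken from a real system.
SAMPLE_FSTAB='0123456789abcdef.a / ffs rw 1 1
0123456789abcdef.d /usr ffs rw,nodev 1 2
0123456789abcdef.e /usr/local ffs rw,nodev,wxallowed 1 2
0123456789abcdef.f /home ffs rw,nodev,nosuid 1 2'

# check_fstab FILE
#   Prints one finding per line; returns 0 when clean, 1 when anything was found.
#   Blank lines and comments are skipped. Mount options are matched as whole
#   comma-separated tokens so e.g. "nosuidx" would not count as "nosuid".
check_fstab() {
    findings=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac
        optlist=",$opts,"
        case "$optlist" in
            *,wxallowed,*) echo "$mnt: wxallowed set"; findings=$((findings + 1)) ;;
        esac
        if [ "$mnt" = "/usr/local" ]; then
            case "$optlist" in
                *,nosuid,*) ;;
                *) echo "$mnt: missing nosuid"; findings=$((findings + 1)) ;;
            esac
        fi
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Stand-alone run against the constructed sample; on a real host pass /etc/fstab.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_FSTAB" > "$tmp"
if check_fstab "$tmp"; then
    echo "fstab: no findings"
else
    echo "fstab: hardening points above need attention"
fi
rm -f "$tmp"
```

The sample deliberately leaves /usr/local both without nosuid and with wxallowed, so the run reports two findings; a clean fstab produces no output and exit status 0, which makes the function usable from a cron job or a configuration-management check.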
(Score: 0) by Anonymous Coward on Friday August 12 2016, @10:53PM
Are you shitting me? They built a whole building "near" FreeBSD and staffed it just to spy on FreeBSD??? Geez, what a dope.
(Score: 0) by Anonymous Coward on Saturday August 13 2016, @02:53AM
No, it implies there would be a lot of cross-contamination with people working in both facilities you fucking idiot.
For example:
https://www.google.com/maps/place/Red+Hat+Inc/@38.9326313,-77.2299323,13z/data=!4m5!3m4!1s0x89b64af20cfba0c7:0x38413f0d0b0534eb!8m2!3d38.9236674!4d-77.2295031 [google.com]