22. "Assessment of how quickly new vulnerabilities are fixed in BSD sys..."
Message from Anonymous (-), 26-Jan-18, 23:45
FreeBSD is no better:

"The policy of the FreeBSD Security Team is that local denial of service
bugs not be treated as security issues; it is possible that this problem
will be corrected in a future Erratum."

If there was any potential for
(a) privilege escalation,
(b) disclosure of potentially sensitive information, or
(c) denial of service by a non-authenticated attacker,
we would have issued a security advisory.

An unprivileged user who is able to execute code on an affected system
can cause a kernel panic.  There are a variety of reasons for not treating
bugs like this as security issues; the strongest reason imho is that if one
of your users is making a system crash, you can disable his account and call
the police.

2015-01-26: FreeBSD confirms the bugs, but informs us that they'll only publish a security advisory for the SCTP Socket SCTP_SS_VALUE Memory Corruption and Kernel Memory Disclosure vulnerabilities. For the "vt Driver VT_WAITACTIVE Sign Conversion Vulnerability" they will commit a normal change and then release an "Errata Notice" announcing the fix. They set the publication date for 27th January, 2015.

2015-01-26: Core Security informs that it understands their position regarding the vt Driver VT_WAITACTIVE Sign Conversion issue, but we will nevertheless publish the bug in the advisory because we consider it a vulnerability. We accepted their offer of sharing CVE IDs.

26. "Assessment of how quickly new vulnerabilities are fixed in BSD sys..."
Message from Anonymous (-), 26-Jan-18, 23:55
> FreeBSD is no better:

Well, Poettering was also handed some kind of "Prize" for this just recently :)

