Merry Christmas from the FreeBSD Security Team

Hi all,


No, the Grinch didn’t steal the FreeBSD security officer GPG key, and your eyes
aren’t deceiving you: We really did just send out 5 security advisories.

The timing, to put it bluntly, sucks. We normally aim to release advisories on
Wednesdays in order to maximize the number of system administrators who will be
at work already; and we try very hard to avoid issuing advisories any time close
to holidays for the same reason. The start of the Christmas weekend — in some
parts of the world it’s already Saturday — is absolutely not when we want to be
releasing security advisories.

Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
is a remote root vulnerability which is being actively exploited in the wild;
bugs really don’t come any worse than this. On the positive side, most people
have moved past telnet and on to SSH by now; but this is still not an issue we
could postpone until a more convenient time.

While I’m writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a
rather messy fix involving adding a new interface to libc; this has the awkward
side effect of causing the sizes of some “symbols” (a.k.a. functions) in libc to
change, resulting in cascading changes into many binaries. The long list of
updated files is irritating, but isn’t a sign that anything in freebsd-update
went wrong.