The developers of FreeBSD have announced they'll change the way they go about their business, after users queried why known vulnerabilities weren't being communicated to users.
This story starts with an anonymous GitHub post detailing some vulnerabilities in the OS, specifically in
portsnap. Some of the problems in that post were verified and the FreeBSD devs started working on repairs.
But over on the FreeBSD security list, threads like this started asking why users weren't being told much about the bugs or remediation efforts. That's a fair question because updating FreeBSD could in some circumstances actually expose users to the problem.
Now the FreeBSD team has answered those questions by saying “As a general rule, the FreeBSD Security Officer does not announce vulnerabilities for which there is no released patch.”
The operating system's developers and security team are now “reviewing this policy for cases where a proof-of-concept or working exploit is already public.”
That post also explains that the team is considering more detailed security advisories. There's also an admission that the proposed patch may have broken other things in the OS.
The post concludes by saying that the FreeBSB core and security teams are working with all due haste to fix things and will let those subscribed to its mailing lists know when patches are ready and the danger is past.
They've got a fair bit of work to do: the post says the job requires the following efforts:
“The Security team is working on redesigning
portsnapto do signature verification on all downloaded files before they are processed by
libarchive/tar, bspatch, or any other utilities. However, this change requires modifying the metadata format used in the utilities, and care must be taken to preserve compatibility with the existing clients, so the existing clients can be used to install the future updates. Users will of course have the option to build/apply the patches themselves if they do not feel comfortable using freebsd-update to do so.”