Hi all,
No, the Grinch didn’t steal the FreeBSD security officer GPG key, and your eyes
aren’t deceiving you: We really did just send out 5 security advisories.
The timing, to put it bluntly, sucks. We normally aim to release advisories on
Wednesdays in order to maximize the number of system administrators who will be
at work already; and we try very hard to avoid issuing advisories any time close
to holidays for the same reason. The start of the Christmas weekend — in some
parts of the world it’s already Saturday — is absolutely not when we want to be
releasing security advisories.
Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
is a remote root vulnerability which is being actively exploited in the wild;
bugs really don’t come any worse than this. On the positive side, most people
have moved past telnet and on to SSH by now; but this is still not an issue we
could postpone until a more convenient time.
While I’m writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a
rather messy fix involving adding a new interface to libc; this has the awkward
side effect of causing the sizes of some “symbols” (aka. functions) in libc to
change, resulting in cascading changes into many binaries. The long list of
updated files is irritating, but isn’t a sign that anything in freebsd-update
went wrong.