Matthew Donovan
2016-Aug-09 20:21 UTC
freebsd-update and portsnap users still at risk of compromise
You mean operating system as distribution is a Linux term. There's not much different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes vulnerabilities and has an excellent ASLR system compared to the proposed one for FreeBSD.

On Aug 9, 2016 3:10 PM, "Roger Marquis" <marquis at roble.com> wrote:

> Timely update via Hackernews:
>
> <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>
>
> Note in particular:
>
> "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
> and libarchive vulnerabilities."
>
> Not sure why the portsec team has not commented or published an advisory
> (possibly because the freebsd list spam filters are so bad that
> subscriptions are being blocked) but from where I sit it seems that
> those exposed should consider:
>
> cd /usr/ports
> svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
> make index
> rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>
> I'd also be interested in hearing from hardenedbsd users regarding the
> pros and cons of cutting over to that distribution.
>
> Roger
>
> On 2016-07-29 09:00, Julian Elischer wrote:
>>
>>> not sure if you've been contacted privately, but I believe the answer is
>>> "we're working on it"
>>>
>>
>> My concerns are as follows:
>>
>> 1. This is already out there, and FreeBSD users haven't been alerted that
>> they should avoid running freebsd-update/portsnap until the problems are
>> fixed.
>>
>> 2. There was no mention in the bspatch advisory that running
>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
>> are apparently already in operation.
>>
>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>> heap corruption, even though a more complete fix is available. That's
>> what prompted my post. If FreeBSD learned of the problem from the same
>> source document we all did, which seems likely given the coincidental
>> timing of an advisory for a little-known utility a week or two after that
>> source document appeared, then surely FreeBSD had the complete fix
>> available.
>>
> _______________________________________________
> freebsd-ports at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe at freebsd.org"
Big Lebowski
2016-Aug-10 08:50 UTC
freebsd-update and portsnap users still at risk of compromise
On Tue, Aug 9, 2016 at 9:21 PM, Matthew Donovan <kitche at kitchetech.com> wrote:

> You mean operating system as distribution is a Linux term. There's not much
> different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
> vulnerabilities and has an excellent ASLR system compared to the proposed
> one for FreeBSD.

And what are your sources on which you're formulating this statement? What is the HBSD authors' security, or even general coding, track record? How well are they known for their code, whitepapers, implementations? I'd say, not at all. You can have the example of their 'ASLR' code quality in the FreeBSD reviews system, where known and respected coders point out very basic and critical code mistakes, where well known and respected system designers point out flaws in their lack of design, so on and so forth. The only thing that's excellent about them is how they spread this opinion about their code to other people, including you ;)

I'd much rather take my bet with kib's implementation knowing who he is and how long and how well he does what he does (that is, quality code for FreeBSD) than untested, un-designed, self-proclaimed code from a relatively young, inexperienced and unknown person, that's not willing to take advice on fixing their code, when given so. With all due respect :)

> On Aug 9, 2016 3:10 PM, "Roger Marquis" <marquis at roble.com> wrote:
>
>> Timely update via Hackernews:
>>
>> <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>
>>
>> Note in particular:
>>
>> "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>> and libarchive vulnerabilities."
>>
>> Not sure why the portsec team has not commented or published an advisory
>> (possibly because the freebsd list spam filters are so bad that
>> subscriptions are being blocked) but from where I sit it seems that
>> those exposed should consider:
>>
>> cd /usr/ports
>> svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
>> make index
>> rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>
>> I'd also be interested in hearing from hardenedbsd users regarding the
>> pros and cons of cutting over to that distribution.
>>
>> Roger
>>
>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>
>>>> not sure if you've been contacted privately, but I believe the answer is
>>>> "we're working on it"
>>>>
>>>
>>> My concerns are as follows:
>>>
>>> 1. This is already out there, and FreeBSD users haven't been alerted that
>>> they should avoid running freebsd-update/portsnap until the problems are
>>> fixed.
>>>
>>> 2. There was no mention in the bspatch advisory that running
>>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
>>> are apparently already in operation.
>>>
>>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>>> heap corruption, even though a more complete fix is available. That's
>>> what prompted my post. If FreeBSD learned of the problem from the same
>>> source document we all did, which seems likely given the coincidental
>>> timing of an advisory for a little-known utility a week or two after that
>>> source document appeared, then surely FreeBSD had the complete fix
>>> available.
Mail Lists
2016-Aug-10 17:11 UTC
Re[2]: freebsd-update and portsnap users still at risk of compromise
sorry but this is blabla and does not come even near to answering the real problem: It appears that freebsd and the US-government are more connected than some of us might like: Not publishing security issues concerning update mechanisms - we all can think WHY freebsd is not eager on this one. Just my thoughts...

> Tuesday, August 9, 2016 8:21 PM UTC from Matthew Donovan <kitche at kitchetech.com>:
>
> You mean operating system as distribution is a Linux term. There's not much
> different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
> vulnerabilities and has an excellent ASLR system compared to the proposed
> one for FreeBSD.
>
> On Aug 9, 2016 3:10 PM, "Roger Marquis" <marquis at roble.com> wrote:
>
>> Timely update via Hackernews:
>>
>> <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>
>>
>> Note in particular:
>>
>> "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>> and libarchive vulnerabilities."
>>
>> Not sure why the portsec team has not commented or published an advisory
>> (possibly because the freebsd list spam filters are so bad that
>> subscriptions are being blocked) but from where I sit it seems that
>> those exposed should consider:
>>
>> cd /usr/ports
>> svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
>> make index
>> rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>
>> I'd also be interested in hearing from hardenedbsd users regarding the
>> pros and cons of cutting over to that distribution.
>>
>> Roger
>>
>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>
>>>> not sure if you've been contacted privately, but I believe the answer is
>>>> "we're working on it"
>>>>
>>>
>>> My concerns are as follows:
>>>
>>> 1. This is already out there, and FreeBSD users haven't been alerted that
>>> they should avoid running freebsd-update/portsnap until the problems are
>>> fixed.
>>>
>>> 2. There was no mention in the bspatch advisory that running
>>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
>>> are apparently already in operation.
>>>
>>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>>> heap corruption, even though a more complete fix is available. That's
>>> what prompted my post. If FreeBSD learned of the problem from the same
>>> source document we all did, which seems likely given the coincidental
>>> timing of an advisory for a little-known utility a week or two after that
>>> source document appeared, then surely FreeBSD had the complete fix
>>> available.
>>>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

Best regards,
Mail Lists
mlists at mail.ru
Mail Lists
2016-Aug-10 17:13 UTC
Re[2]: freebsd-update and portsnap users still at risk of compromise
sorry but this is bullshit and does not come even near to answering the real problem: It appears that freebsd and the US-government are more connected than some of us might like: Not publishing security issues concerning update mechanisms - we all can think WHY freebsd is not eager on this one........ don't trust anyone.. Just my thoughts...

> Tuesday, August 9, 2016 8:21 PM UTC from Matthew Donovan <kitche at kitchetech.com>:
>
> You mean operating system as distribution is a Linux term. There's not much
> different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
> vulnerabilities and has an excellent ASLR system compared to the proposed
> one for FreeBSD.
>
> On Aug 9, 2016 3:10 PM, "Roger Marquis" <marquis at roble.com> wrote:
>
>> Timely update via Hackernews:
>>
>> <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>
>>
>> Note in particular:
>>
>> "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>> and libarchive vulnerabilities."
>>
>> Not sure why the portsec team has not commented or published an advisory
>> (possibly because the freebsd list spam filters are so bad that
>> subscriptions are being blocked) but from where I sit it seems that
>> those exposed should consider:
>>
>> cd /usr/ports
>> svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
>> make index
>> rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>
>> I'd also be interested in hearing from hardenedbsd users regarding the
>> pros and cons of cutting over to that distribution.
>>
>> Roger
>>
>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>
>>>> not sure if you've been contacted privately, but I believe the answer is
>>>> "we're working on it"
>>>>
>>>
>>> My concerns are as follows:
>>>
>>> 1. This is already out there, and FreeBSD users haven't been alerted that
>>> they should avoid running freebsd-update/portsnap until the problems are
>>> fixed.
>>>
>>> 2. There was no mention in the bspatch advisory that running
>>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
>>> are apparently already in operation.
>>>
>>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>>> heap corruption, even though a more complete fix is available. That's
>>> what prompted my post. If FreeBSD learned of the problem from the same
>>> source document we all did, which seems likely given the coincidental
>>> timing of an advisory for a little-known utility a week or two after that
>>> source document appeared, then surely FreeBSD had the complete fix
>>> available.

Best regards,
Mail Lists
mlists at mail.ru