Mail Lists
2016-Aug-10 17:11 UTC
Re[2]: freebsd-update and portsnap users still at risk of compromise
Sorry, but this is blabla and does not come even near to answering the real problem:
It appears that FreeBSD and the US government are more connected than some of us might like:
Not publishing security issues concerning update mechanisms - we all can think WHY FreeBSD is not eager on this one.
Just my thoughts...

> Tuesday, August 9, 2016 8:21 PM UTC from Matthew Donovan <kitche at kitchetech.com>:
>
> You mean operating system as distribution is a Linux term. There's not much
> different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
> vulnerabilities and has an excellent ASLR system compared to the proposed
> one for FreeBSD.
>
> On Aug 9, 2016 3:10 PM, "Roger Marquis" <marquis at roble.com> wrote:
>
>> Timely update via Hackernews:
>>
>> <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>
>>
>> Note in particular:
>>
>> "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>> and libarchive vulnerabilities."
>>
>> Not sure why the portsec team has not commented or published an advisory
>> (possibly because the freebsd list spam filters are so bad that
>> subscriptions are being blocked) but from where I sit it seems that
>> those exposed should consider:
>>
>> cd /usr/ports
>> svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
>> make index
>> rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>
>> I'd also be interested in hearing from hardenedbsd users regarding the
>> pros and cons of cutting over to that distribution.
>>
>> Roger
>>
>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>
>>>> not sure if you've been contacted privately, but I believe the answer is
>>>> "we're working on it"
>>>>
>>>
>>> My concerns are as follows:
>>>
>>> 1. This is already out there, and FreeBSD users haven't been alerted that
>>> they should avoid running freebsd-update/portsnap until the problems are
>>> fixed.
>>>
>>> 2. There was no mention in the bspatch advisory that running
>>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
>>> are apparently already in operation.
>>>
>>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>>> heap corruption, even though a more complete fix is available. That's
>>> what prompted my post. If FreeBSD learned of the problem from the same
>>> source document we all did, which seems likely given the coincidental
>>> timing of an advisory for a little-known utility a week or two after that
>>> source document appeared, then surely FreeBSD had the complete fix
>>> available.
>>>
>>> _______________________________________________
>> freebsd-ports at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
>> To unsubscribe, send any mail to "freebsd-ports-unsubscribe at freebsd.org"
>>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

Best regards,
Mail Lists
mlists at mail.ru
Julian Elischer
2016-Aug-11 04:22 UTC
freebsd-update and portsnap users still at risk of compromise
On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote:
>
> Sorry, but this is blabla and does not come even near to answering the real problem:
>
> It appears that FreeBSD and the US government are more connected than some of us might like:
>
> Not publishing security issues concerning update mechanisms - we all can think WHY FreeBSD is not eager on this one.
>
> Just my thoughts...

This has been in discussion a lot in private circles within FreeBSD.
It's not being ignored and a "correct" patch is being developed.
From one email I will quote just a small part..

======
As of yet, [the] patches for the libarchive vulnerabilities have not been
released upstream to be pulled into FreeBSD. In the meantime, HardenedBSD
has created patches for some of the libarchive vulnerabilities, the first[3]
is being considered for inclusion in FreeBSD, at least until a complete fix
is committed upstream, however the second[4] is considered too brute-force
and will not be committed as-is. Once the patches are in FreeBSD and
updated binaries are available, a Security Advisory will be issued.
======

So expect something soon.
I will go on to say that the threat does need to come from an advanced MITM
actor, though that does not make it a non-threat..

> [...]
>
> Best regards,
> Mail Lists
> mlists at mail.ru