similar to: Fw: Certification (was RE: realpath(3) et al)

Just saw this from eWeek. "IBM, which paid roughly $500,000 for the testing, and SuSE (pronounced "SOOS-ah") were announcing the certification jointly. " The article is here: http://www.eweek.com/article2/0,3959,1212529,00.asp --- Darren Reed <avalon@caligula.anu.edu.au> wrote: > In some mail from twig les, sie said: > > > > I actually just asked

The mailing list detained my email because I posted from the wrong address... hoepfully it will get through this time. -------- Original Message -------- Subject: Re: Fwd: FreeBSD hiding security stuff Date: Fri, 04 Mar 2005 05:35:32 -0800 From: Colin Percival <cperciva@freebsd.org> To: Devon H. O'Dell <dodell@sitetronics.com> CC: mike@sentex.net, freebsd-security@freebsd.org,

First, I hope that this message is not considered flame bait. As someone who has used FreeBSD for for 5+ years now, I have a genuine interest in the integrity of our source code. Second, I hope that this message is not taken as any form of insult or finger pointing. Software without bugs does not exist, and I think we all know that. Acknowledging that point and working to mitigate the risks

I seem to remember seeing somewhere (on this list/on the web -- don't remember) that there was some ``Snort-like'' software that was available under the BSD license. Unfortunately, I'm unable to find any information about such software. Was I dreaming, or can anybody else jog my memory? :) Kind regards, Devon H. O'Dell

Hello Everyone, ISC has released new versions of BIND 8 which address a remotely exploitable denial-of-service vulnerability that may allow an attacker to perform `negative cache poisoning'--- convincing a name server that certain RRs do not exist (even though they may). I do not know of any workaround at this time. I have committed fixes to the RELENG_5_1 and RELENG_4_9 security branches.

Hello Everyone, The branches supported by the FreeBSD Security Officer have been updated to reflect recent releases and EoL (end-of-life) events. The new list is below (and should appear at <URL: http://www.freebsd.org/security/ > soon). In particular, FreeBSD 4.6 and FreeBSD 5.0 have `expired'. If you wish to be certain to get critical bug fixes, it is recommended that you upgrade

Hello Everyone, The branches supported by the FreeBSD Security Officer have been updated to reflect recent EoL (end-of-life) events. The new list is below (and should appear at <URL: http://www.freebsd.org/security/ > soon). FreeBSD 4.7 has `expired', but I have extended the EoL date for FreeBSD 5.1. If you are running FreeBSD 4.7 or older and you wish to be certain to get critical

Hello Everyone, You may have seen the recent announcement regarding new OpenSSL vulnerabilities. <URL: http://www.openssl.org/news/secadv_20030930.txt > Just thought I'd drop a line to head off the usual questions. :-) Don't panic. The vulnerability is denial-of-service. OpenSSL 0.9.7c will be imported into -CURRENT and -STABLE over the next couple of days, and included

Hello Folks, Just a status on upcoming advisories. FreeBSD-SA-03:15.openssh This is in final review and should be released today. Fixes for this issue entered the tree on September 24. I apologize for the delay in getting this one out. FreeBSD-SA-03:16.filedesc A reference counting bug was discovered that could lead to kernel memory disclosure or a system panic.

Hello, I have scheduled a birds-of-a-feather (BoF) meeting at BSDcon to discuss the FreeBSD Security Officer role. Details such as time, location, and topics are posted on the BSDcon unofficial Wiki <URL: http://bsdcon.kwiki.org/index.cgi?FreeBSDSecurityOfficerBoF >. Please attend if you are interested in what the SO team does currently and in participating in and improving its

You may or may not have already seen: <URL: http://www.sendmail.org/dnsmap1.html> I thought I'd drop an explanatory note here until I publish an advisory. This problem has been known for some time (it was first reported in FreeBSD PR#54367). The default configuration of sendmail is unaffected, and it is unknown whether the issue is truly exploitable by any means. Nonetheless, I

Hello, Expect to see commits to all branches today, and a FreeBSD advisory following sometime today or tomorrow. <URL: http://www.cert.org/advisories/CA-2003-12.html > <URL: http://www.sendmail.org/8.12.9.html > Cheers, -- Jacques A. Vidrine <nectar@celabo.org> http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos

You've probably already seen the latest sendmail vulnerability. http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html I believe you can apply the following patch to any of the security branches: http://cvsweb.freebsd.org/src/contrib/sendmail/src/parseaddr.c.diff?r1=1.1.1.17&r2=1.1.1.18 Download the patch and: # cd /usr/src # patch -p1 < /path/to/patch #

You've probably already seen the latest sendmail vulnerability. http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html I believe you can apply the following patch to any of the security branches: http://cvsweb.freebsd.org/src/contrib/sendmail/src/parseaddr.c.diff?r1=1.1.1.17&r2=1.1.1.18 Download the patch and: # cd /usr/src # patch -p1 < /path/to/patch #

Hi Folks, I have extended the lifetime of the RELENG_4_8 security branch, and of security branches in general: ----- Forwarded message from Jacques Vidrine <nectar@FreeBSD.org> ----- Date: Sat, 3 Apr 2004 07:23:54 -0800 (PST) From: Jacques Vidrine <nectar@FreeBSD.org> To: doc-committers@FreeBSD.org, cvs-doc@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit:

Hello Everyone, I have made a few small changes to the VuXML.org web sites, http://www.vuxml.org/freebsd/ (aka vuxml.freebsd.org) and http://www.vuxml.org/openbsd/ - Date-oriented indices (e.g. entry date index) visually group entries from the same date. - The package name index is more useful, listing individual package names. - Each package referenced in VuXML now has its own index

On May 19, 2005, at 5:53 AM, Christian Brueffer wrote: > Hi, > > fixes for the vulnerability described in http://www.kb.cert.org/ > vuls/id/637934 > were checked in to CURRENT and RELENG_5 by ps in April. > > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c > > Revisions 1.270 and 1.252.2.16 > > He didn't commit it to RELENG_5_4 for some

Hello Everyone, The branches supported by the FreeBSD Security Officer have been updated to reflect recent EoL (end-of-life) events. The new list is below and at <URL: http://www.freebsd.org/security/ >. FreeBSD 5.2.1 has `expired' and is no longer supported effective January 1, 2005. Also note that FreeBSD 4.9 ceased to be supported on November 1, 2004, while FreeBSD 4.8 will

Hi Everyone, http://vuxml.freebsd.org/c4b025bb-f05d-11d8-9837-000c41e2cdad.html A critical vulnerability was found in lukemftpd, which shipped with some FreeBSD versions (4.7 and later). However, with the exception of FreeBSD 4.7, lukemftpd was not built and installed by default. So, unless you are running FreeBSD 4.7-RELEASE or specified WANT_LUKEMFTP when building FreeBSD from source, you

OK, an official OpenSSH advisory was released, see here: <URL: http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html > The fix is currently in FreeBSD -CURRENT and -STABLE. It will be applied to the security branches as well today. Attached are patches: buffer46.patch -- For FreeBSD 4.6-RELEASE and later buffer45.patch -- For FreeBSD 4.5-RELEASE and