From: Dag-Erling Smørgrav
To: Garrett Wollman
Subject: Re: Strange package checksum report
Date: Sun, 25 Jan 2015 02:47:12 +0100
Cc: freebsd-security@freebsd.org

Garrett Wollman writes:
> Checking for packages with mismatched checksums:
> p5-XML-SAX-0.99_2: /usr/local/lib/perl5/site_perl/XML/SAX/ParserDetails.ini

This file is updated whenever you install or remove a SAX parser, so
this is expected.  There are at least half a dozen different Perl SAX
implementations in the ports tree.

> python27-2.7.9: /usr/local/lib/python2.7/UserDict.pyc
> python27-2.7.9: /usr/local/lib/python2.7/_weakrefset.pyc
> python27-2.7.9: /usr/local/lib/python2.7/abc.pyc
> python27-2.7.9: /usr/local/lib/python2.7/codecs.pyc
> python27-2.7.9: /usr/local/lib/python2.7/copy_reg.pyc
> python27-2.7.9: /usr/local/lib/python2.7/encodings/__init__.pyc
> [ a bunch of other .pyc files elided ]

These are Python bytecode files.  They are automatically regenerated if
you have write access to them and Python thinks they are stale when it
tries to load them.  Apparently, Python's definition of "stale" is
slightly more complex than just comparing timestamps; they are one of
the reasons why Baptiste gave up reproducible package builds.

Is your clock synchronized with NTP?  Is this a VM?  What is the
underlying filesystem?

DES
-- 
Dag-Erling Smørgrav - des@des.no
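
Added example, not part of any message in this thread: a sketch of how CPython's timestamp check treats a shipped .pyc as stale and why the rewrite that follows changes the file's checksum. It runs on Python 3.7 or later and reads that interpreter's 16-byte .pyc header (magic, flags, source mtime, source size); Python 2.7, the version in the report, records only the magic number and the source mtime. The module name `constructed_mod` and the one-hour mtime shift are constructed for the demonstration.

```python
import hashlib
import importlib.util
import os
import py_compile
import struct
import sys
import tempfile

MAGIC = importlib.util.MAGIC_NUMBER  # bytecode magic of the running interpreter


def pyc_status(source_path, pyc_path):
    """Classify a .pyc against its source using the header fields."""
    with open(pyc_path, "rb") as fh:
        header = fh.read(16)
    if len(header) < 16 or header[:4] != MAGIC:
        return "bad-magic"       # written by a different interpreter version
    (flags,) = struct.unpack("<I", header[4:8])
    if flags & 0x1:
        return "hash-based"      # validated by source hash, not by mtime
    mtime, size = struct.unpack("<II", header[8:16])
    st = os.stat(source_path)
    if mtime != int(st.st_mtime) & 0xFFFFFFFF:
        return "stale-mtime"     # exact match required: older source is stale too
    if size != st.st_size & 0xFFFFFFFF:
        return "stale-size"
    return "fresh"


def sha256_of(path):
    """Hex SHA-256 of a file, the kind of value a package manifest records."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def demo():
    """Compile a constructed module, shift its mtime, import it, compare hashes."""
    saved = sys.dont_write_bytecode
    sys.dont_write_bytecode = False  # mimic a process allowed to write .pyc files
    try:
        with tempfile.TemporaryDirectory() as tmp:
            src = os.path.join(tmp, "constructed_mod.py")
            with open(src, "w") as fh:
                fh.write("VALUE = 1\n")

            # "Package build": bytecode is generated and its checksum recorded.
            pyc = importlib.util.cache_from_source(src)
            py_compile.compile(
                src, cfile=pyc, doraise=True,
                invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP)
            recorded = sha256_of(pyc)
            status_packaged = pyc_status(src, pyc)

            # "Install": the source lands with a different mtime (here one
            # hour earlier) although its content is byte-for-byte the same.
            st = os.stat(src)
            os.utime(src, (st.st_atime, st.st_mtime - 3600))
            status_shifted = pyc_status(src, pyc)

            # First import by a user with write access regenerates the .pyc.
            spec = importlib.util.spec_from_file_location("constructed_mod", src)
            module = importlib.util.module_from_spec(spec)
            spec.loader.exec_module(module)

            return {
                "status_packaged": status_packaged,
                "status_shifted": status_shifted,
                "status_after_import": pyc_status(src, pyc),
                "checksum_changed": sha256_of(pyc) != recorded,
                "value": module.VALUE,
            }
    finally:
        sys.dont_write_bytecode = saved


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "=", val)
```

Running `pyc_status` over the files named in a checksum report, before anything imports them as root, shows whether a timestamp mismatch accounts for a rewrite.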

Date: Sat, 24 Jan 2015 22:03:23 -0500
From: Garrett Wollman
To: Dag-Erling Smørgrav
Subject: Re: Strange package checksum report
Cc: freebsd-security@freebsd.org

< said:

> Garrett Wollman writes:
>> Checking for packages with mismatched checksums:
>> p5-XML-SAX-0.99_2: /usr/local/lib/perl5/site_perl/XML/SAX/ParserDetails.ini

> This file is updated whenever you install or remove a SAX parser, so
> this is expected.  There are at least half a dozen different Perl SAX
> implementations in the ports tree.

So perhaps this file should be treated as, um, whatever our equivalent
of a "conffile" is from dpkg-land.

> These are Python bytecode files.  They are automatically regenerated if
> you have write access to them and Python thinks they are stale when it
> tries to load them.  Apparently, Python's definition of "stale" is
> slightly more complex than just comparing timestamps; they are one of
> the reasons why Baptiste gave up reproducible package builds.

That's unfortunate.  Perhaps either Python can be trained to write
updated copies somewhere else?  Or maybe we can generate them at
package installation rather than shipping pregenerated versions?
(Would slow down builds of dependent packages, but those are the
breaks.)

> Is your clock synchronized with NTP?  Is this a VM?  What is the
> underlying filesystem?

Yes, on all machines; no; and ZFS.

-GAWollman

Date: Sun, 25 Jan 2015 16:49:56 +1100
From: Peter Jeremy
To: Garrett Wollman
Subject: Re: Strange package checksum report
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org

On 2015-Jan-24 22:03:23 -0500, Garrett Wollman wrote:
>< said:
>> These are Python bytecode files.  They are automatically regenerated if
>> you have write access to them and Python thinks they are stale when it
>> tries to load them.  Apparently, Python's definition of "stale" is
>> slightly more complex than just comparing timestamps; they are one of
>> the reasons why Baptiste gave up reproducible package builds.
>
>That's unfortunate.  Perhaps either Python can be trained to write
>updated copies somewhere else?

If Python isn't going to use the .pyc files we ship (because it thinks
they are out of date), we might as well not ship them.

>                                Or maybe we can generate them
>at package installation rather than shipping pregenerated versions?

My feeling is that we should only distribute .py files and build the
.pyc files at package install time.  As far as I can see, this is what
Ubuntu and Debian (the two Linux distros I have ready access to) do.

>(Would slow down builds of dependent packages, but those are the
>breaks.)

It would be interesting to know how big an impact this is.

-- 
Peter Jeremy

From: Dag-Erling Smørgrav
To: Garrett Wollman
Subject: Re: Strange package checksum report
Date: Sun, 25 Jan 2015 11:29:46 +0100
Cc: freebsd-security@freebsd.org

Garrett Wollman writes:
> Dag-Erling Smørgrav writes:
> > These are Python bytecode files.  They are automatically regenerated if
> > you have write access to them and Python thinks they are stale when it
> > tries to load them.  Apparently, Python's definition of "stale" is
> > slightly more complex than just comparing timestamps; they are one of
> > the reasons why Baptiste gave up reproducible package builds.
> That's unfortunate.

Well, it's a bug.  I assume that you're using official packages and
don't have a locally compiled Python interpreter or anything like that?
Could you perhaps turn on auditing in order to find out what's touching
these files?

DES
-- 
Dag-Erling Smørgrav - des@des.no

From: Dag-Erling Smørgrav
To: Peter Jeremy
Subject: Re: Strange package checksum report
Date: Mon, 26 Jan 2015 01:32:38 +0100
Cc: freebsd-security@freebsd.org, Garrett Wollman

Peter Jeremy writes:
> If Python isn't going to use the .pyc files we ship (because it thinks
> they are out of date), we might as well not ship them.

It usually does.
There is something strange going on there, and we don't have
enough information (yet) to figure out what.

DES
-- 
Dag-Erling Smørgrav - des@des.no

Date: Tue, 27 Jan 2015 10:21:32 +0000
From: Alexey Dokuchaev
To: Benjamin Kaduk
Subject: Re: Securing SSH
Cc: Greg Rivers, Jonathan Anderson, freebsd-security@freebsd.org

On Sun, Jan 11, 2015 at 09:23:25PM -0500, Benjamin Kaduk wrote:
> The author also appears to not understand the difference between
> single-DES and triple-DES, so I would expect the value of that posting to
> be only as a brainstormed list of ideas to consider for further analysis.

Right, original article does contain a few embarrassing mistakes, so it's
better to discuss a follow up (albeit written in Russian, should be easily
translated by Google or your favorite translation service):

  http://www.cypherpunks.ru/articles/securing_ssh.html

./danfe

Date: Tue, 27 Jan 2015 19:55:08 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
Reply-To: freebsd-security@freebsd.org

=============================================================================
FreeBSD-SA-15:02.kmem                                       Security Advisory
                                                          The FreeBSD Project

Topic:          SCTP SCTP_SS_VALUE kernel memory corruption and disclosure

Category:       core
Module:         sctp
Announced:      2015-01-27
Credits:        Clement LECIGNE from Google Security Team and
                Francisco Falcon from Core Security Technologies
Affects:        All supported versions of FreeBSD.
Corrected:      2015-01-27 19:36:08 UTC (stable/10, 10.1-STABLE)
                2015-01-27 19:37:02 UTC (releng/10.1, 10.1-RELEASE-p5)
                2015-01-27 19:37:02 UTC (releng/10.0, 10.0-RELEASE-p17)
                2015-01-27 19:36:08 UTC (stable/9, 9.3-STABLE)
                2015-01-27 19:37:02 UTC (releng/9.3, 9.3-RELEASE-p9)
                2015-01-27 19:36:08 UTC (stable/8, 8.4-STABLE)
                2015-01-27 19:37:02 UTC (releng/8.4, 8.4-RELEASE-p23)
CVE Name:       CVE-2014-8612

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

SCTP protocol provides reliable, flow-controlled, two-way transmission
of data.  It is a message oriented protocol and can support the SOCK_STREAM
and SOCK_SEQPACKET abstractions.

SCTP allows the user to choose between multiple scheduling algorithms to
optimize the sending behavior of SCTP in scenarios with different
requirements.

II.  Problem Description

Due to insufficient validation of the SCTP stream ID, which serves as an array
index, a local unprivileged attacker can read or write 16 bits of kernel
memory.

III. Impact

An unprivileged process can read or modify 16 bits of memory which
belongs to the kernel.  This may lead to exposure of sensitive
information or allow privilege escalation.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch.asc
# gpg --verify sctp.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r277807
releng/8.4/                                                       r277808
stable/9/                                                         r277807
releng/9.3/                                                       r277808
stable/10/                                                        r277807
releng/10.0/                                                      r277808
releng/10.1/                                                      r277808
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

We would like to acknowledge Clement LECIGNE from Google Security Team and
Francisco Falcon from Core Security Technologies who discovered the issue
independently and reported to the FreeBSD Security Team.

The latest revision of this advisory is available at

Date: Tue, 27 Jan 2015 19:55:11 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:03.sctp
Reply-To: freebsd-security@freebsd.org

=============================================================================
FreeBSD-SA-15:03.sctp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          SCTP stream reset vulnerability

Category:       core
Module:         sctp
Announced:      2015-01-27
Credits:        Gerasimos Dimitriadis
Affects:        All supported versions of FreeBSD.
Corrected:      2015-01-27 19:36:08 UTC (stable/10, 10.1-STABLE)
                2015-01-27 19:37:02 UTC (releng/10.1, 10.1-RELEASE-p5)
                2015-01-27 19:37:02 UTC (releng/10.0, 10.0-RELEASE-p17)
                2015-01-27 19:36:08 UTC (stable/9, 9.3-STABLE)
                2015-01-27 19:37:02 UTC (releng/9.3, 9.3-RELEASE-p9)
                2015-01-27 19:36:08 UTC (stable/8, 8.4-STABLE)
                2015-01-27 19:37:02 UTC (releng/8.4, 8.4-RELEASE-p23)
CVE Name:       CVE-2014-8613

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

SCTP protocol provides reliable, flow-controlled, two-way transmission
of data.  It is a message oriented protocol and can support the SOCK_STREAM
and SOCK_SEQPACKET abstractions.

II.  Problem Description

The input validation of received SCTP RE_CONFIG chunks is insufficient,
and can result in a NULL pointer dereference later.

III. Impact

A remote attacker who can send a malformed SCTP packet to a FreeBSD system
that serves SCTP can cause a kernel panic, resulting in a Denial of
Service.

IV.  Workaround

On FreeBSD 10.1 or later systems, the system administrator can set
net.inet.sctp.reconfig_enable to 0 to disable processing of RE_CONFIG
chunks.  This workaround is not available on earlier FreeBSD releases,
but systems that do not serve SCTP connections are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch.asc
# gpg --verify sctp.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r277807
releng/8.4/                                                       r277808
stable/9/                                                         r277807
releng/9.3/                                                       r277808
stable/10/                                                        r277807
releng/10.0/                                                      r277808
releng/10.1/                                                      r277808
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
From: Michael Grimm
Date: Tue, 27 Jan 2015 22:03:06 +0100
To: freebsd-security@freebsd.org

Hi --

This mail:
> FreeBSD-SA-15:02.kmem                                       Security Advisory

Other Mail:
| FreeBSD-SA-15:03.sctp                                       Security Advisory

> 3) To update your vulnerable system via a source code patch:
> 
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
> 
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
> 

This mail:
> # fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch
> # fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch.asc

The other mail:
| # fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch
| # fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch.asc

Well, experienced admins will notice that both patches are distinct,
won't overwrite the first patch file downloaded with the second one,
and won't start compiling the kernel missing the first patch.

But, I do have the feeling that this naming scheme is error prone.

Just my 2 cents and with kind regards,
Michael

Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
From: Michael Grimm
Date: Tue, 27 Jan 2015 22:06:49 +0100
To: freebsd-security@freebsd.org

> On 27.01.2015, at 22:03, Michael Grimm wrote:
>
> This mail:
>> FreeBSD-SA-15:02.kmem Security Advisory
>
> Other Mail:
> | FreeBSD-SA-15:03.sctp Security Advisory
>
>> 3) To update your vulnerable system via a source code patch:
>>
>> The following patches have been verified to apply to the applicable
>> FreeBSD release branches.
>>
>> a) Download the relevant patch from the location below, and verify the
>> detached PGP signature using your PGP utility.
>>
>
> This mail:
>> # fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch
>> # fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch.asc
>
> The other mail:
> | # fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch
> | # fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch.asc

Grrr:
| # fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch
| # fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch.asc

>
> Well, experienced admins will notice that both patches are distinct,
> won't overwrite the first patch file downloaded with the second one,
> and won't start compiling the kernel missing the first patch.
>
> But, I do have the feeling that this naming scheme is error prone.
>
> Just my 2 cents and with kind regards,
> Michael

From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 22:42:54 2015
Date: Tue, 27 Jan 2015 17:42:31 -0500
From: Mike Tancsa
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem

On 1/27/2015 2:55 PM, FreeBSD Security Advisories wrote:

> IV. Workaround
>
> No workaround is available.

If SCTP is NOT compiled in the kernel, are you still vulnerable ?

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Wed Jan 28 00:57:02 2015
Date: Tue, 27 Jan 2015 16:57:01 -0800
From: Xin Li
To: Mike Tancsa, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem

On 01/27/15 14:42, Mike Tancsa wrote:
> On 1/27/2015 2:55 PM, FreeBSD Security Advisories wrote:
>
>
>> IV. Workaround
>>
>> No workaround is available.
>
> If SCTP is NOT compiled in the kernel, are you still vulnerable ?

No -- we should have mentioned that too. For GENERIC kernel however
SCTP is compiled in.

Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die

From owner-freebsd-security@FreeBSD.ORG Wed Jan 28 09:42:27 2015
Date: Wed, 28 Jan 2015 09:42:24 +0000
Subject: Fwd: svn commit: r277806 - head/sys/dev/vt
From: Pawel Biernacki
To: freebsd-security@freebsd.org

Hi,

I found a very worrying statement in that document:

"2015-01-27: FreeBSD informs us that after going through their mail archive
they found out that the same issue was reported by Google and that they
missed it."

How many other such mails were missed?

Pawel

---------- Forwarded message ----------
From: Ed Maste
Date: 28 January 2015 at 01:03
Subject: svn commit: r277806 - head/sys/dev/vt

On 27 January 2015 at 14:35, Xin LI wrote:
> Author: delphij
> Date: Tue Jan 27 19:35:41 2015
> New Revision: 277806
> URL: https://svnweb.freebsd.org/changeset/base/277806
> ...
>
> More information can be found at CORE Security's advisory at:
> http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities

That link gives me a 404; it looks like the page is now here:
http://www.coresecurity.com/advisories/freebsd-kernel-multiple-vulnerabilities

--
One of God's own prototypes. A high-powered mutant of some kind never
even considered for mass production. Too weird to live, and too rare to die.

From owner-freebsd-security@FreeBSD.ORG Wed Jan 28 10:49:54 2015
Date: Wed, 28 Jan 2015 11:49:48 +0100
From: Fabian Keil
To: freebsd-security@freebsd.org
Subject: Re: svn commit: r277806 - head/sys/dev/vt

Pawel Biernacki wrote:

> I found a very worrying statement in that document:
>
> "2015-01-27: FreeBSD informs us that after going through their mail archive
> they found out that the same issue was reported by Google and that they
> missed it."
>
> How many other such mails were missed?

I can't answer this question, but I reported a couple of ggated issues
(DoS, non-critical memory disclosure) in December:

2014-12-09: Initial notification sent with potential patches.
2014-12-18: The mail was acknowledged and additional information requested.
2014-12-19: A more verbose description of the issue was sent as requested.
2015-01-15: I asked for a status update, preferably before FOSDEM.

I haven't heard back yet and don't know when the issues will be addressed.

Fabian

From owner-freebsd-security@FreeBSD.ORG Wed Jan 28 12:13:37 2015
Date: Wed, 28 Jan 2015 13:13:30 +0100 (CET)
From: Trond Endrestøl
To: freebsd-security@freebsd.org
Subject: Re: svn commit: r277806 - head/sys/dev/vt

On Wed, 28 Jan 2015 11:49+0100, Fabian Keil wrote:

> Pawel Biernacki wrote:
>
> > I found a very worrying statement in that document:
> >
> > "2015-01-27: FreeBSD informs us that after going through their mail archive
> > they found out that the same issue was reported by Google and that they
> > missed it."
> >
> > How many other such mails were missed?
>
> I can't answer this question, but I reported a couple of ggated issues
> (DoS, non-critical memory disclosure) in December:
>
> 2014-12-09: Initial notification sent with potential patches.
> 2014-12-18: The mail was acknowledged and additional information requested.
> 2014-12-19: A more verbose description of the issue was sent as requested.
> 2015-01-15: I asked for a status update, preferably before FOSDEM.
>
> I haven't heard back yet and don't know when the issues will be addressed.

Just out of curiosity, shouldn't size_t be used for indexing?

--
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob. 952 62 567,         | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+

From owner-freebsd-security@FreeBSD.ORG Wed Jan 28 19:40:05 2015
Date: Wed, 28 Jan 2015 11:39:20 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
From: "Roger Marquis"
To: freebsd-security@freebsd.org

>> If SCTP is NOT compiled in the kernel, are you still vulnerable ?
>
> No -- we should have mentioned that too. For GENERIC kernel however
> SCTP is compiled in.

Should probably fix that too, in GENERIC, considering how little used this
protocol is.

Roger Marquis

From owner-freebsd-security@FreeBSD.ORG Wed Jan 28 21:07:08 2015
Date: Wed, 28 Jan 2015 20:47:39 +0100
From: "leon@tuco"
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem

+1 and +10 to enable ALTQ in GENERIC in lieu of.

On 28/01/2015 20:39, Roger Marquis wrote:
>>> If SCTP is NOT compiled in the kernel, are you still vulnerable ?
>> >
>> >No -- we should have mentioned that too. For GENERIC kernel however
>> >SCTP is compiled in.
> Should probably fix that too, in GENERIC, considering how little used this
> protocol is.

From owner-freebsd-security@FreeBSD.ORG Wed Jan 28 21:19:17 2015
To: marquis@roble.com
From: Mark Andrews
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
Date: Thu, 29 Jan 2015 08:19:10 +1100
Cc: freebsd-security@freebsd.org

In message <20150128194011.2175B19F@hub.freebsd.org>, "Roger Marquis" writes:
> >> If SCTP is NOT compiled in the kernel, are you still vulnerable ?
> >
> > No -- we should have mentioned that too. For GENERIC kernel however
> > SCTP is compiled in.
>
> Should probably fix that too, in GENERIC, considering how little used this
> protocol is.

It is not used much because there is not critical mass and you want
to reduce what little there is out there? It is a good thing that
it is in GENERIC.

Mark

> Roger Marquis
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org

From owner-freebsd-security@FreeBSD.ORG Wed Jan 28 22:46:29 2015
Date: Wed, 28 Jan 2015 22:46:23 +0000
From: Joe Holden
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem

Really, how many SCTP users are there in the wild... maybe one?

It shouldn't be in GENERIC at the very least!

On 28/01/2015 21:19, Mark Andrews wrote:
>
> In message <20150128194011.2175B19F@hub.freebsd.org>, "Roger Marquis" writes:
>>>> If SCTP is NOT compiled in the kernel, are you still vulnerable ?
>>>
>>> No -- we should have mentioned that too. For GENERIC kernel however
>>> SCTP is compiled in.
>>
>> Should probably fix that too, in GENERIC, considering how little used this
>> protocol is.
>
> It is not used much because there is not critical mass and you want
> to reduce what little there is out there? It is a good thing that
> it is in GENERIC.
>
> Mark
>
>> Roger Marquis

From owner-freebsd-security@FreeBSD.ORG Wed Jan 28 23:09:14 2015
Date: Wed, 28 Jan 2015 15:09:13 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
From: "Roger Marquis"
To: "Mark Andrews"
Cc: freebsd-security@freebsd.org

>> >> If SCTP is NOT compiled in the kernel, are you still vulnerable ?
>> >
>> > No -- we should have mentioned that too. For GENERIC kernel however
>> > SCTP is compiled in.
>>
>> Should probably fix that too, in GENERIC, considering how little used this
>> protocol is.
>
> It is not used much because there is not critical mass and you want
> to reduce what little there is out there? It is a good thing that
> it is in GENERIC.

While this isn't the place to enumerate the issues with SCTP (beyond the
recent advisories) I hope we're not putting anything in the GENERIC kernel
for advocacy purposes. Cannot the few who want to use it simply compile
their own kernel?
Roger From owner-freebsd-security@FreeBSD.ORG Wed Jan 28 23:24:44 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 43199323 for ; Wed, 28 Jan 2015 23:24:44 +0000 (UTC) Received: from mail-yk0-f178.google.com (mail-yk0-f178.google.com [209.85.160.178]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 05AF428A for ; Wed, 28 Jan 2015 23:24:43 +0000 (UTC) Received: by mail-yk0-f178.google.com with SMTP id q200so10629527ykb.9 for ; Wed, 28 Jan 2015 15:24:37 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ajbJPne2/uoSy+OHg2iEEhBGOXfB9aLaACOXyIFrReY=; b=cjUXmNSJeGzwcGqaK8gJBwBSbaSggsSDG04dH9rTgu/W+v6gkA5hV5+JPT5mwj/L07 UfIZI8GYsbTEBZvluM8yW7P7PAaE01Eokq0YpZjKJcEfl+8v+lB5NDaqB0bEWwk5D1Uv Wmsrl3iwoCRY897RRkCE8d0Or6iEMQC2yQbxZYF4xIpg+XFPIri0kbs7MetDaUhsCL3V tnqO4Zfrco+GzrdYAn1YRFX3Lc6N2Vevs2kBhPFW7NHAh1uMTvLTQWigxfaagcrCO65a 0yE8haXCol5KEVFSXs3uUOKKQghC1OeabBe0KMrD64A1jA5o+Zb7p9pG0os11V4Rvh2E W/Ug== X-Gm-Message-State: ALoCoQkY/jLknZZy9kuDTLlS6k+53tY5WWw0JpODsbad7gdcF+V8Pj3E1HoNZdVSK8NU1Jq8YSYh MIME-Version: 1.0 X-Received: by 10.236.34.228 with SMTP id s64mr2011038yha.31.1422487477063; Wed, 28 Jan 2015 15:24:37 -0800 (PST) Received: by 10.170.46.81 with HTTP; Wed, 28 Jan 2015 15:24:36 -0800 (PST) In-Reply-To: <54C966BF.9000803@rewt.org.uk> References: <20150128194011.2175B19F@hub.freebsd.org> <20150128211910.80082283DA18@rock.dv.isc.org> <54C966BF.9000803@rewt.org.uk> Date: Thu, 29 Jan 2015 00:24:36 +0100 Message-ID: Subject: Re: FreeBSD Security Advisory 
FreeBSD-SA-15:02.kmem From: Oliver Pinter To: Joe Holden Content-Type: text/plain; charset=UTF-8 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Jan 2015 23:24:44 -0000 Much more, than you explain. Hint: 3G and 4G mobile core networks. ;) On Wed, Jan 28, 2015 at 11:46 PM, Joe Holden wrote: > Really, how many SCTP users are there om the wild... maybe one? > > It shouldn't be in GENERIC at the very least! > > > On 28/01/2015 21:19, Mark Andrews wrote: >> >> >> In message <20150128194011.2175B19F@hub.freebsd.org>, "Roger Marquis" >> writes: >>>>> >>>>> If SCTP is NOT compiled in the kernel, are you still vulnerable ? >>>> >>>> >>>> No -- we should have mentioned that too. For GENERIC kernel however >>>> SCTP is compiled in. >>> >>> >>> Should probably fix that too, in GENERIC, considering how little used >>> this >>> protocol is. >> >> >> It is not used much because there is not critical mass and you want >> to reduce what little there is out there? It is a good thing that >> it is in GENERIC. 
>>
>> Mark
>>
>>> Roger Marquis

From owner-freebsd-security@FreeBSD.ORG Thu Jan 29 00:56:44 2015
Message-ID: <54C9837C.8090704@akips.com>
Date: Thu, 29 Jan 2015 10:49:00 +1000
From: Nick Frampton
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
References: <20150128194011.2175B19F@hub.freebsd.org> <20150128211910.80082283DA18@rock.dv.isc.org> <54C966BF.9000803@rewt.org.uk>
In-Reply-To: <54C966BF.9000803@rewt.org.uk>

On 29/01/15 08:46, Joe Holden wrote:
> Really, how many SCTP users are there in the wild... maybe one?
>
> It shouldn't be in GENERIC at the very least!

We use Netflow over SCTP in our network monitoring product, so it would
be a pain to have to build a custom kernel.

Nick
--
Founder, CTO
www.akips.com

From owner-freebsd-security@FreeBSD.ORG Thu Jan 29 01:01:51 2015
From: jungle Boogie
To: Nick Frampton
Cc: freebsd-security@freebsd.org
Date: Wed, 28 Jan 2015 17:01:50 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
In-Reply-To: <54C9837C.8090704@akips.com>
References: <20150128194011.2175B19F@hub.freebsd.org> <20150128211910.80082283DA18@rock.dv.isc.org> <54C966BF.9000803@rewt.org.uk> <54C9837C.8090704@akips.com>

Hi Nick,

On Jan 28, 2015 4:56 PM, "Nick Frampton" wrote:
>
> On 29/01/15 08:46, Joe Holden wrote:
>>
>> Really, how many SCTP users are there in the wild... maybe one?
>>
>> It shouldn't be in GENERIC at the very least!
>
>
> We use Netflow over SCTP in our network monitoring product, so it would
> be a pain to have to build a custom kernel.

But also a pain to have an exploit when it could be prevented.

It's all about trade offs, right?
>
> Nick
> --
> Founder, CTO
> www.akips.com
>
>

From owner-freebsd-security@FreeBSD.ORG Thu Jan 29 07:28:12 2015
Message-ID: <21705.57600.546683.831932@hergotha.csail.mit.edu>
Date: Thu, 29 Jan 2015 02:28:00 -0500
From: Garrett Wollman
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: Strange package checksum report
In-Reply-To: <86y4orp2zp.fsf@nine.des.no>
References: <21698.32224.747971.146491@khavrinen.csail.mit.edu> <868ugrr5r3.fsf@nine.des.no> <21700.23803.911745.834275@hergotha.csail.mit.edu> <86y4orp2zp.fsf@nine.des.no>

< said:

> I assume that you're using official packages and don't have a locally
> compiled Python interpreter or anything like that?

We build our own package repositories.

> Could you perhaps turn on auditing in order to find out what's touching
> these files?

Maybe. It will probably take a while. My a priori guess, knowing
that we don't directly use any python programs is that it's either
some Nagios plugin or some Munin plugin (there are a few that are
written in python) that's actually causing the files to get updated.
There's nothing else that should be running as root on these systems.
If I get a moment, I can check which plugins meet those criteria and
try disabling them.
-GAWollman

From owner-freebsd-security@FreeBSD.ORG Thu Jan 29 14:21:12 2015
Date: Fri, 30 Jan 2015 01:20:56 +1100 (EST)
From: Ian Smith
To: jungle Boogie
Cc: freebsd-security@freebsd.org, Nick Frampton
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
Message-ID: <20150130011402.P36378@sola.nimnet.asn.au>
References: <20150128194011.2175B19F@hub.freebsd.org> <20150128211910.80082283DA18@rock.dv.isc.org> <54C966BF.9000803@rewt.org.uk> <54C9837C.8090704@akips.com>

On Wed, 28 Jan 2015 17:01:50 -0800, jungle Boogie wrote:
> Hi Nick,
> On Jan 28, 2015 4:56 PM, "Nick Frampton" wrote:
> >
> > On 29/01/15 08:46, Joe Holden wrote:
> >>
> >> Really, how many SCTP users are there in the wild... maybe one?
> >>
> >> It shouldn't be in GENERIC at the very least!
> >
> >
> > We use Netflow over SCTP in our network monitoring product, so it would
> > be a pain to have to build a custom kernel.
>
> But also a pain to have an exploit when it could be prevented.

Are you vulnerable to an SCTP exploit if you're not using SCTP?

> It's all about trade offs, right?

I seem to recall similar resistance to including IPv6 into GENERIC ..

It _would_ be good to know more about who's using SCTP, and for what
usage cases it has tangible benefits over TCP, but I guess not here.

cheers, Ian

From owner-freebsd-security@FreeBSD.ORG Thu Jan 29 14:31:14 2015
Date: Thu, 29 Jan 2015 14:31:11 +0000
From: Gary Palmer
To: Ian Smith
Cc: freebsd-security@freebsd.org, Nick Frampton, jungle Boogie
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
Message-ID: <20150129143111.GA29167@in-addr.com>
In-Reply-To: <20150130011402.P36378@sola.nimnet.asn.au>
References: <20150128194011.2175B19F@hub.freebsd.org> <20150128211910.80082283DA18@rock.dv.isc.org> <54C966BF.9000803@rewt.org.uk> <54C9837C.8090704@akips.com> <20150130011402.P36378@sola.nimnet.asn.au>

On Fri, Jan 30, 2015 at 01:20:56AM +1100, Ian Smith wrote:
> On Wed, 28 Jan 2015 17:01:50 -0800, jungle Boogie wrote:
> > Hi Nick,
> > On Jan 28, 2015 4:56 PM, "Nick Frampton" wrote:
> > >
> > > On 29/01/15 08:46, Joe Holden wrote:
> > >>
> > >> Really, how many SCTP users are there in the wild... maybe one?
> > >>
> > >> It shouldn't be in GENERIC at the very least!
> > >
> > >
> > > We use Netflow over SCTP in our network monitoring product, so it would
> > > be a pain to have to build a custom kernel.
> >
> > But also a pain to have an exploit when it could be prevented.
>
> Are you vulnerable to an SCTP exploit if you're not using SCTP?

From one of the advisories (FreeBSD-SA-15:02.kmem):

-- QUOTE --
An unprivileged process can read or modify 16-bits of memory which
belongs to the kernel. This may lead to exposure of sensitive
information or allow privilege escalation.
-- ENDQUOTE --

So even if you don't use SCTP, if someone got a shell on your box
they could potentially use SCTP to get root or modify kernel memory
to break out of a jail, etc.

In other words, you don't necessarily need to use SCTP to be affected
by vulnerabilities in it.

Regards,

Gary

From owner-freebsd-security@FreeBSD.ORG Thu Jan 29 15:51:46 2015
From: Robert Simmons
To: freebsd-security@freebsd.org
Date: Thu, 29 Jan 2015 10:51:45 -0500
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
In-Reply-To: <20150129143111.GA29167@in-addr.com>
References: <20150128194011.2175B19F@hub.freebsd.org> <20150128211910.80082283DA18@rock.dv.isc.org> <54C966BF.9000803@rewt.org.uk> <54C9837C.8090704@akips.com> <20150130011402.P36378@sola.nimnet.asn.au> <20150129143111.GA29167@in-addr.com>

Nonsense. Throw out a protocol that is more resistant to
Man-In-The-Middle and DDoS attacks due to an implementation bug? This
is a protocol that is built on lessons learned from TCP. What should
be done is more work improving the implementation and widening the
usage and uptake of SCTP.

On Thu, Jan 29, 2015 at 9:31 AM, Gary Palmer wrote:
> So even if you don't use SCTP, if someone got a shell on your box
> they could potentially use SCTP to get root or modify kernel memory
> to break out of a jail, etc.
>
> In other words, you don't necessarily need to use SCTP to be affected
> by vulnerabilities in it.

From owner-freebsd-security@FreeBSD.ORG Thu Jan 29 17:24:16 2015
Message-ID: <54CA6CBB.4060301@bluerosetech.com>
Date: Thu, 29 Jan 2015 09:24:11 -0800
From: Darren Pilgrim
Reply-To: freebsd-security@freebsd.org
To: Joe Holden, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
References: <20150128194011.2175B19F@hub.freebsd.org> <20150128211910.80082283DA18@rock.dv.isc.org> <54C966BF.9000803@rewt.org.uk>
In-Reply-To: <54C966BF.9000803@rewt.org.uk>

On 1/28/2015 2:46 PM, Joe Holden wrote:
> Really, how many SCTP users are there in the wild... maybe one?
>
> It shouldn't be in GENERIC at the very least!

It's used for IP-based telecom backhaul with modern POTS networks and
cell networks. It's far better than TCP at handling the vagaries of
voice routing. Cell carriers like to use IP backhaul instead of private
lines because IP transport is ubiquitous, dirt cheap, and all you need
is a VPN to secure it.

I use SCTP on video systems because it handles 1:N and M:N distribution
systems very well, all I need to do is string UTP or deploy wifi, and,
best of all, I don't have to use multicast.
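
Added example, not part of the thread or of FreeBSD's own tooling: the exchange above turns on whether SCTP is compiled into the kernel, so this sh function reads kernel configuration text and reports whether an `options SCTP` directive is in effect. The function names and the two sample configurations are constructed for illustration; `running_kernel_sctp` assumes a kernel built with `INCLUDE_CONFIG_FILE`, so that `sysctl -n kern.conftxt` returns the config, and `include` directives are not followed.

```shell
#!/bin/sh
# Added example: does a FreeBSD kernel configuration compile SCTP in?
# Names below are hypothetical helpers, not part of any FreeBSD tool.

# Read kernel config text on stdin; print "compiled-in" or "absent".
# Directives are applied in order, so a later "nooptions SCTP" overrides
# an earlier "options SCTP".
sctp_state() {
    awk '
        { sub(/#.*/, "") }                     # strip trailing comments
        $1 == "options" || $1 == "nooptions" {
            for (i = 2; i <= NF; i++) {
                n = split($i, names, ",")      # handle comma-separated lists
                for (j = 1; j <= n; j++) {
                    name = names[j]
                    sub(/=.*/, "", name)       # drop any =value suffix
                    if (name == "SCTP")
                        state = ($1 == "options") ? "compiled-in" : "absent"
                }
            }
        }
        END { print (state == "" ? "absent" : state) }
    '
}

# Check the running kernel. Prints "unknown" when the embedded config is
# not available (kernel built without INCLUDE_CONFIG_FILE, or not FreeBSD).
running_kernel_sctp() {
    conf=$(sysctl -n kern.conftxt 2>/dev/null) || { echo unknown; return 1; }
    printf '%s\n' "$conf" | sctp_state
}

# Constructed sample: a few lines in the style of a GENERIC config.
GENERIC_LIKE='ident		GENERIC
options 	INET			# InterNETworking
options 	INET6			# IPv6 communications protocols
options 	SCTP			# Stream Control Transmission Protocol'

# Constructed sample: the same config with SCTP removed by site policy.
CUSTOM="$GENERIC_LIKE
ident		NOSCTP
nooptions 	SCTP			# not used on this host"

printf 'GENERIC-like config: %s\n' "$(printf '%s\n' "$GENERIC_LIKE" | sctp_state)"
printf 'custom config:       %s\n' "$(printf '%s\n' "$CUSTOM" | sctp_state)"
```

On a FreeBSD host, `running_kernel_sctp` gives the answer for the booted kernel; a result of "compiled-in" means the advisory's local attack surface is present whether or not any service uses SCTP.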