From owner-freebsd-security@FreeBSD.ORG Sun May 17 09:28:47 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 55F92D78 for ; Sun, 17 May 2015 09:28:47 +0000 (UTC) Received: from ruxcon.org.au (li1009-6.members.linode.com [45.33.59.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3B56518E3 for ; Sun, 17 May 2015 09:28:45 +0000 (UTC) Received: by ruxcon.org.au (Postfix, from userid 110) id 8C5441137A; Sun, 17 May 2015 09:20:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ruxcon.org.au; s=mail; t=1431854408; bh=jk/Tl2MSAud/vM4DO+S+r0BFCp4hMIjb4dToswKzs8I=; h=Subject:From:To:Date:From; b=nRqkh3iDRezO3+u+WX3EPLdE8guGUnmdhFm10jtMHj57NVZvU/xYSdVtxGGnrTN1X NWp8phnrHBL22qzLlebuOpcB+vgTpJQNkNdLQazidoq1GGWRTelrXafld4YqMm58oE 3C3RjjaOBIDBMlt224zxMZ9Se0ZW9D38CZD2yHqA= X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on ruxcon.org.au X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,BAYES_40, T_DKIM_INVALID autolearn=disabled version=3.4.0 Received: from ruxcon.org.au (localhost [127.0.0.1]) by ruxcon.org.au (Postfix) with ESMTP id 78B1F11382 for ; Sun, 17 May 2015 09:20:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ruxcon.org.au; s=mail; t=1431854404; bh=jk/Tl2MSAud/vM4DO+S+r0BFCp4hMIjb4dToswKzs8I=; h=Subject:From:To:Date:From; b=TKmVdNajpqySsyMUblKFoHyiJ2DwQ/lyzTn1WdaYGQEOjWpfc0rg2S7HL1e+rYNzf 9EJZ+S8+Hkc2GTA65daE92FV6m07a+gSr7kW2o89LqceMpcGZUZ9/JJMhRjhODwLHg HAKJ3Qcj4OSCuWZZUgXf6Rl8Jjv6VkiZK2cpaq88= MIME-Version: 1.0 Subject: Breakpoint 2015 Call For Presentations From: cfp@ruxcon.org.au To: freebsd-security@freebsd.org Date: Sun, 17 May 2015 09:20:04 +0000 Message-Id: <20150517092004.78B1F11382@ruxcon.org.au> X-Mailman-Approved-At: Sun, 17 May 2015 11:27:17 +0000 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 09:28:47 -0000 Breakpoint 2015 Call For Papers Melbourne, Australia, October 22th-23th Intercontinental Rialto http://www.ruxconbreakpoint.com .[x]. Introduction .[x]. We are pleased to announce Call For Presentations for Breakpoint 2015. Breakpoint showcases the work of expert security researchers from around the world on a wide range of topics. This conference is organised by the Ruxcon team and offers a specialised security conference to complement and lead into the larger and more casual Ruxcon weekend conference. Breakpoint caters towards security researchers and industry professionals alike, with a focus on cutting edge security research. Breakpoint presents a great opportunity for our selected speakers to receive a complimentary trip to Australia and experience both the Breakpoint and Ruxcon conferences, not to mention the great weather, parties, and friendly people. .[x]. Important Dates .[x]. May 15 - Call For Presentations Open August 30 - Call For Presentations Close October 19-21 - Breakpoint Training October 22-23 - Breakpoint Conference October 24-25 - Ruxcon Conference .[x]. Topic Scope .[x]. Topics of interest include, but are not limited to: o Mobile Device Security o Exploitation Techniques o Reverse Engineering o Vulnerability Discovery o Rootkit Development o Malware Analysis o Code Analysis o Virtualisation, Hypervisor Security o Cloud Security o Embedded Device Security o Hardware Security o Telecommunications Security o Wireless Network Security o Web Application Security o Law Enforcement Activities o Forensics o Threat Intelligence o Incident Response .[x]. Submission Guidelines .[x]. In order for us to process your submission we will require the following information: 1. Presentation title 2. Detailed summary of your presentation material 3. Name/Nickname 4. Mobile phone number 5. Brief personal biography 6. Description of any demonstrations involved in presentation 7. Information on where the presentation material has or will be presented before Breakpoint * Preference will be given to presentations that contain original research that will be first presented at Breakpoint. * As a general guideline, Breakpoint presentations are between 45 and 60 minutes, including question time. If you have any questions about submissions, or would like to make a submission, please send an email to bpx@ruxconbreakpoint.com .[x]. Speaker Benefits .[x]. Speakers at Breakpoint will be entitled to the following benefits: - A return economy airfare to Melbourne (total cost limit applies) - Three nights accommodation at the Intercontinental Rialto - Complimentary registration for Breakpoint and Ruxcon conferences - Invitation to all Breakpoint and Ruxcon parties - Unlock 'Presented on world's smallest continent' achievement * All speaker benefits apply to a single speaker per submission. .[x]. Contact .[x]. If you have any questions or inqueries, contact us at: * Email: bpx@ruxconbreakpoint.com * Twitter: ruxconbpx From owner-freebsd-security@FreeBSD.ORG Sun May 17 20:20:20 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 3E34EB95 for ; Sun, 17 May 2015 20:20:20 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0EE491919 for ; Sun, 17 May 2015 20:20:19 +0000 (UTC) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 7406C20968 for ; Sun, 17 May 2015 16:20:12 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute4.internal (MEProxy); Sun, 17 May 2015 16:20:12 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=enbBi/8UaCjkBni yXvrRRNX6RFU=; b=N9x23vKMQPje2Cc5saTsJ/oumkyOiFf9l7f/ZR0zEooD2x1 KyrXv6Lh255KOPyEaIyuh7HMl9RvQkPEmZm3TvNrvMzBxPK6n/m0VXO1Kiqc3dbr tIVy4nFHTUY4C2fZDEkOEBA24Oc9ii+zaxzxy6xODlv2s+DsCv0jrHZDOHJk= Received: by web3.nyi.internal (Postfix, from userid 99) id 4E1D61013E0; Sun, 17 May 2015 16:20:12 -0400 (EDT) Message-Id: <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> X-Sasl-Enc: ggdfqEYIZ/dI5+R/BO+5J4s7G3fM5mNwOXUgeyzEo2T6 1431894012 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Sun, 17 May 2015 15:20:12 -0500 In-Reply-To: <5556E5DC.7090809@obluda.cz> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 20:20:20 -0000 On Sat, May 16, 2015, at 01:38, Dan Lukes wrote: > Mark Felder wrote: > >> Base OpenSSL in still supported releases is too old version and doesn't > >> support TLS 1.2 as well. > >> > >> Either TLS 1.0 is so insecure and should not be used, or is secure > >> enough for FreeBSD. > > > When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't > > have these vulnerabilities or problems. > > All security patches are released because of something discovered after > release. So it is nothing new nor special. > > But it's not the matter of my comment. > > As far as I know, there has been no discussion on FreeBSD Security > related to fact that FreeBSD 9 will not receive security patches for > particular known security issue. Nor even announcement, if it has been > considered no topic for discussion here. > > So I'm confused (as claimed in previous comment). Other the issue is not > so severe, then I don't understand why TLS 1.0 needs to be disabled on > forums. Or it is so severe so I don't understand why there is still no > Security Advisory dedicated to it. Well, there may be no solution known > - but even in such case the issue should be announced. > > You're not understanding the situation: the vulnerability isn't in OpenSSL; it's a design flaw / weakness in the protocol. This is why everyone is running like mad from SSL 3.0 and TLS 1.0. If you want a fix for your entire OS, upgrade to FreeBSD 10 which has a newer version of OpenSSL in base that includes TLS 1.1 and 1.2. It's not ABI compatible with older versions. You can't just wedge it into FreeBSD 8 or 9. Sorry. From owner-freebsd-security@FreeBSD.ORG Sun May 17 20:42:06 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7FB5BFAB for ; Sun, 17 May 2015 20:42:06 +0000 (UTC) Received: from luigi.brtsvcs.net (luigi.brtsvcs.net [IPv6:2607:fc50:1000:1f00::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 58EED1BDA for ; Sun, 17 May 2015 20:42:06 +0000 (UTC) Received: from chombo.houseloki.net (unknown [IPv6:2601:7:2580:181:21c:c0ff:fe7f:96ee]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by luigi.brtsvcs.net (Postfix) with ESMTPSA id 4A48C2D4FB4; Sun, 17 May 2015 20:42:04 +0000 (UTC) Received: from [IPv6:2601:7:2580:181:baca:3aff:fe83:bd29] (unknown [IPv6:2601:7:2580:181:baca:3aff:fe83:bd29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by chombo.houseloki.net (Postfix) with ESMTPSA id 9E1F6F03; Sun, 17 May 2015 13:42:01 -0700 (PDT) Message-ID: <5558FD16.104@bluerosetech.com> Date: Sun, 17 May 2015 13:41:58 -0700 From: Mel Pilgrim User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: Kimmo Paasiala CC: freebsd-security Subject: Re: Forums.FreeBSD.org - SSL Issue? References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <20150515152220.C0CC7689@hub.freebsd.org> <1431705766.3563083.269738569.0FA82C3E@webmail.messagingengine.com> <20150515183437.E09DAA33@hub.freebsd.org> In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 20:42:06 -0000 On 2015-05-16 07:20, Kimmo Paasiala wrote: > On Fri, May 15, 2015 at 9:34 PM, Roger Marquis wrote: >> Mark Felder wrote: >>>> >>>> Another option is a second openssl port, one that overwrites base and >>>> guarantees compatibility with RELEASE. Then we could at least have all >>>> versions of openssl in vuln.xml (not that that's been a reliable >>>> indicator of security of late). >>> >>> This will never work. You can't guarantee compatibility with RELEASE and >>> upgrade it too. >> >> How do you figure? RedHat does exactly that with every backport, and >> they do it for the life of a release. > > Redhat makes no promise of binary compatibility for locally compiled > software. They can update OpenSSL as they wish from version 1.0.1 to > 1.0.2, recompile all affected packages (all of Redhat "userland" is > covered by .rpm packages) and push them to the users and advise users > of locally compiled software to recompile what they have. This is > unacceptable in FreeBSD that makes a hard promise that the ABI will > remain compatible troughout the whole lifetime of the same major > version line. I'm really glad that FreeBSD makes that promise. It means I have a long-lived and well-defined scope of compatibility for a given system. It makes freebsd-update and pkg possible in production. I no longer have to deal with localized system images. That's paired with support for linking to openssl from ports and FreeBSD's recent direction of decoupling network services from the base. I have systems where all of the user-facing services link to openssl 1.0.2 even though the base OS doesn't. That means the time it will take to reimplement and test on what will eventually become 11.0 won't interact chronologically with the security needs of my existing deployments on 10.x. It means "following -current in preprod" is no longer part of my dayjob. That's a huge deal. From owner-freebsd-security@FreeBSD.ORG Sun May 17 20:50:33 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 43BE814C; Sun, 17 May 2015 20:50:33 +0000 (UTC) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 30B461C07; Sun, 17 May 2015 20:50:32 +0000 (UTC) Date: Sun, 17 May 2015 13:50:25 -0700 (PDT) From: Roger Marquis To: Mark Felder cc: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? In-Reply-To: <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> User-Agent: Alpine 2.11 (BSF 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 20:50:33 -0000 > You're not understanding the situation: the vulnerability isn't in > OpenSSL; it's a design flaw / weakness in the protocol. This is why > everyone is running like mad from SSL 3.0 and TLS 1.0. Right, there are two issues being discussed that should be separated. The thread was originally about SSL version weaknesses and the rational for that (keeping v1.0 around for the near term) was described quite well. The second issue was regarding base and ports versions of openssl and how to coordinate between them. I recommended an openssl_base port so that security vulnerabilities (not necessarily protocol weaknesses) could be more easily remediated (than installworld) and so 'pkg audit' could report on those. It was asserted and reasserted that this would be infeasible, however, no example or reason was given. Considering the time to write and test patches is the same in either case it is still an open question. The problem of multiple versions of the same libraries and binaries, however, remains a weakness in the FreeBSD security model. This may be one of the reasons why the EU recently recommended more widespread adoption of OpenBSD (vs FreeBSD). Either way, it is a design flaw that can and should be solved in the most robust way possible. Roger From owner-freebsd-security@FreeBSD.ORG Sun May 17 20:56:53 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 29B1129C for ; Sun, 17 May 2015 20:56:53 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id ED0C11CED for ; Sun, 17 May 2015 20:56:52 +0000 (UTC) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 07ACB206F1 for ; Sun, 17 May 2015 16:56:52 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute2.internal (MEProxy); Sun, 17 May 2015 16:56:52 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=xakhKar/MBSW6ta cPjAlU3D8yho=; b=qVP5Jj2aWqSoxk4PZihgQjOeW1XKt2f2VAAYEFgAKMHYfLN sEJlEyt/TbmiUuv3afn008wIVmWtJF6zIbTwIOSRppEYp/TvHULXJAMM0/1QIkqx jR6zlNr2wM3gYJO08eEQgL3XrYrNobk9lg25f+alwHbijxadeZdB2rCjvTgc= Received: by web3.nyi.internal (Postfix, from userid 99) id C1A321015B9; Sun, 17 May 2015 16:56:51 -0400 (EDT) Message-Id: <1431896211.1954759.271044297.00C7D719@webmail.messagingengine.com> X-Sasl-Enc: 5IwK+BHNx6cgXZ+UAIB7p9+JVRRiwoDCo3gIkfffTpEs 1431896211 From: Mark Felder To: Roger Marquis Cc: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Sun, 17 May 2015 15:56:51 -0500 In-Reply-To: References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 20:56:53 -0000 On Sun, May 17, 2015, at 15:50, Roger Marquis wrote: > > You're not understanding the situation: the vulnerability isn't in > > OpenSSL; it's a design flaw / weakness in the protocol. This is why > > everyone is running like mad from SSL 3.0 and TLS 1.0. > > Right, there are two issues being discussed that should be separated. > The thread was originally about SSL version weaknesses and the rational > for that (keeping v1.0 around for the near term) was described quite > well. > > The second issue was regarding base and ports versions of openssl and how > to coordinate between them. I recommended an openssl_base port so that > security vulnerabilities (not necessarily protocol weaknesses) could be > more easily remediated (than installworld) and so 'pkg audit' could > report on those. It was asserted and reasserted that this would be > infeasible, however, no example or reason was given. Considering the > time to write and test patches is the same in either case it is still an > open question. > Again, this is not possible. You can't just "replace" the base OpenSSL. That port or package would also have to replace every binary and library in the base system linked to an OpenSSL library such as libcrypt with a version that was built against the updated OpenSSL. You might as well fork FreeBSD at this point. > The problem of multiple versions of the same libraries and binaries, > however, remains a weakness in the FreeBSD security model. This may be > one of the reasons why the EU recently recommended more widespread > adoption of OpenBSD (vs FreeBSD). Either way, it is a design flaw that > can and should be solved in the most robust way possible. > > Roger OpenBSD can do this because they roll a new release every 6 months. They don't support an OS release train for 5 years. From owner-freebsd-security@FreeBSD.ORG Sun May 17 21:02:58 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7C0D4763; Sun, 17 May 2015 21:02:58 +0000 (UTC) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 6EB611E9B; Sun, 17 May 2015 21:02:58 +0000 (UTC) Date: Sun, 17 May 2015 14:02:57 -0700 (PDT) From: Roger Marquis To: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org, freebsd-ports@freebsd.org Subject: pkg audit / vuln.xml failures User-Agent: Alpine 2.11 (BSF 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 21:02:58 -0000 Does anyone know what's going on with vuln.xml updates? Over the last few weeks and months CVEs and application mailing lists have announced vulnerabilities for several ports that in some cases only showed up in vuln.xml after several days and in other cases are still not listed (despite email to the security team). Is there a URL outlining the policies and procedures of vuln.xml maintenance? Roger Marquis From owner-freebsd-security@FreeBSD.ORG Sun May 17 21:08:44 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 010A2A66; Sun, 17 May 2015 21:08:43 +0000 (UTC) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id E12931EDD; Sun, 17 May 2015 21:08:43 +0000 (UTC) Date: Sun, 17 May 2015 14:08:43 -0700 (PDT) From: Roger Marquis To: Mark Felder cc: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? In-Reply-To: <1431896211.1954759.271044297.00C7D719@webmail.messagingengine.com> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <1431896211.1954759.271044297.00C7D719@webmail.messagingengine.com> User-Agent: Alpine 2.11 (BSF 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 21:08:44 -0000 Mark Felder wrote: >> Considering the time to write and test patches is the same in either case >> it is still an open question. > Again, this is not possible. You can't just "replace" the base OpenSSL. > That port or package would also have to replace every binary and library > in the base system linked to an OpenSSL library such as libcrypt with a > version that was built against the updated OpenSSL. Sure, when you must change the ABI you also have to rebuild linked libs and bins, but how many openssl 0.9 updates have required ABI changes? Roger From owner-freebsd-security@FreeBSD.ORG Sun May 17 21:13:05 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1DF4AB6F for ; Sun, 17 May 2015 21:13:05 +0000 (UTC) Received: from mail-wi0-f177.google.com (mail-wi0-f177.google.com [209.85.212.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C57D51FBF for ; Sun, 17 May 2015 21:13:04 +0000 (UTC) Received: by wizk4 with SMTP id k4so55826991wiz.1 for ; Sun, 17 May 2015 14:12:56 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=bDDMRfixb6gH5bu/H7TTIRrA7XypCLfX5yeHCDsCC+o=; b=g9pBIIHVA5RxbtU7jVD/hW5tWhpYrMA3H8SNWqx/ULmBMcc0dGfrIMeexPhG2hVyNU cqbXOFZ+3ddBcb2nVo/OHQ5Nf19VtuJMckPQHIbTxuu8ZN6Y/OHykdMgBUhq5Y7TmE0T JdMsmpNowk1CHgE2om0PXhYe0WZjlRIqmW2wiuNaLT44JbmyIzLDqvyChM81HF+mXgt2 A6bmyYE1wLsCheqeWj50LLCd9bcQg+uUggWjNakqnkVrdhyCbdYWm1pZYSUfRVUA4+ga TM1M2D/XqvvZ121OQGLA7M3TkINnPq0udskS7IFyJGHFaAEkYzK/ekamtn0WHtGgEuNj mjqQ== X-Gm-Message-State: ALoCoQmKQGJSK/MhVBrFuKFW9Il4WpR8wGX6EvN7G426j8L7Lc9QUHSYuzxK7oeGqDleANgUPHLT X-Received: by 10.194.185.107 with SMTP id fb11mr38802288wjc.9.1431897176800; Sun, 17 May 2015 14:12:56 -0700 (PDT) MIME-Version: 1.0 Received: by 10.28.159.207 with HTTP; Sun, 17 May 2015 14:12:15 -0700 (PDT) X-Originating-IP: [68.178.93.3] In-Reply-To: <20150517205035.5F0DD154@hub.freebsd.org> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <20150517205035.5F0DD154@hub.freebsd.org> From: Leif Pedersen Date: Sun, 17 May 2015 16:12:15 -0500 Message-ID: Subject: Re: Forums.FreeBSD.org - SSL Issue? To: Roger Marquis Cc: "freebsd-security@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 21:13:05 -0000 On Sun, May 17, 2015 at 3:50 PM, Roger Marquis wrote: > I recommended an openssl_base port so that > security vulnerabilities (not necessarily protocol weaknesses) could be > more easily remediated (than installworld) and so 'pkg audit' could > report on those. > Exactly how would that differ from using freebsd-update? -- As implied by email protocols, the information in this message is not confidential. Any middle-man or recipient may inspect, modify, copy, forward, reply to, delete, or filter email for any purpose unless said parties are otherwise obligated. As the sender, I acknowledge that I have a lower expectation of the control and privacy of this message than I would a post-card. Further, nothing in this message is legally binding without cryptographic evidence of its integrity. http://bilbo.hobbiton.org/wiki/Eat_My_Sig From owner-freebsd-security@FreeBSD.ORG Sun May 17 21:15:44 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7C9D5CB1 for ; Sun, 17 May 2015 21:15:44 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4C1301FE0 for ; Sun, 17 May 2015 21:15:44 +0000 (UTC) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 64D7420A50 for ; Sun, 17 May 2015 17:15:43 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute4.internal (MEProxy); Sun, 17 May 2015 17:15:43 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=+I2FSlQIapFkt9Q sbpeI1kc12Vc=; b=X+cj5DVN34OdN3HA8WXPVUQrsSQEH0QulzrS5GiWgC5eEZw oqUzhGCru0zN6scY7AxmgDCHscFCrGsclNBBLNRfdGGFO4S3Gsa7Z0SWC02C7ngy iXgVkfo3rscdzMQZ8JJiawujAW/lh5XtBsYCQ46hDP6PjqkV1cIBf+dxXH0s= Received: by web3.nyi.internal (Postfix, from userid 99) id 39C6D1016A5; Sun, 17 May 2015 17:15:43 -0400 (EDT) Message-Id: <1431897343.1957655.271052497.1254498A@webmail.messagingengine.com> X-Sasl-Enc: 8IT/s+bVs0bpJxbSqkQTYZEYvnXZyHJianVn+Lm01D7U 1431897343 From: Mark Felder To: Roger Marquis Cc: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Sun, 17 May 2015 16:15:43 -0500 In-Reply-To: References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <1431896211.1954759.271044297.00C7D719@webmail.messagingengine.com> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 21:15:44 -0000 On Sun, May 17, 2015, at 16:08, Roger Marquis wrote: > Mark Felder wrote: > >> Considering the time to write and test patches is the same in either case > >> it is still an open question. > > > Again, this is not possible. You can't just "replace" the base OpenSSL. > > That port or package would also have to replace every binary and library > > in the base system linked to an OpenSSL library such as libcrypt with a > > version that was built against the updated OpenSSL. > > Sure, when you must change the ABI you also have to rebuild linked libs > and bins, but how many openssl 0.9 updates have required ABI changes? > > Roger This entire discussion has been about doing MAJOR updates to OpenSSL in base. Updates that obviously require ABI changes. Please tell me about a feature change between FreeBSD 9.3's OpenSSL 0.9.8za and the latest compatible 0.9.8ze that validates a port for OpenSSL that replaces base. I cannot find any that justify the effort. From owner-freebsd-security@FreeBSD.ORG Sun May 17 21:29:36 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 20244EA5 for ; Sun, 17 May 2015 21:29:36 +0000 (UTC) Received: from smtp1.ms.mff.cuni.cz (smtp1.ms.mff.cuni.cz [IPv6:2001:718:1e03:801::4]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A33951113 for ; Sun, 17 May 2015 21:29:35 +0000 (UTC) X-SubmittedBy: id 100000045929 subject /C=CZ/O=Univerzita+20Karlova+20v+20Praze/CN=Dan+20Lukes/unstructuredName=100000045929 issued by /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA+20Personal+20CA+202 auth type TLS.MFF Received: from kgw.obluda.cz ([194.108.204.138]) (authenticated) by smtp1.ms.mff.cuni.cz (8.14.9/8.14.9) with ESMTP id t4HLStng095557 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=OK) for ; Sun, 17 May 2015 23:29:30 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <55590817.1030507@obluda.cz> Date: Sun, 17 May 2015 23:28:55 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26.1 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> In-Reply-To: <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 21:29:36 -0000 On 05/17/15 22:20, Mark Felder: > You're not understanding the situation: the vulnerability isn't in > OpenSSL; it's a design flaw / weakness in the protocol. Sorry, my English seems to be so poor so you don't understand my very simple question. You are still answering other questions I didn't asked. Last attempt. I will try ti make question as simple as possible. If it will not help I will become silent. TLS 1.0 *protocol* is buggy, new protocol has been implemented in new version of OpenSSL, but such version will not be imported into FreeBSD 9 because of ABI incompatibility. Instead old version of OpenSSL and vulnerable protocol is still used by base system libraries and utilities. So base system IS affected by known vulnerability. Thus I'm asking. If TLS 1.0 is considered severe security issue AND system utilities are using it, why there is no Security Advisory describing this system vulnerability ? Dan From owner-freebsd-security@FreeBSD.ORG Sun May 17 21:49:39 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id AA99FD0; Sun, 17 May 2015 21:49:39 +0000 (UTC) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 9527312D5; Sun, 17 May 2015 21:49:39 +0000 (UTC) Date: Sun, 17 May 2015 14:49:38 -0700 (PDT) From: Roger Marquis To: Mark Felder cc: freebsd-security@freebsd.org, Leif Pedersen Subject: Re: Forums.FreeBSD.org - SSL Issue? In-Reply-To: <1431897343.1957655.271052497.1254498A@webmail.messagingengine.com> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <1431896211.1954759.271044297.00C7D719@webmail.messagingengine.com> <1431897343.1957655.271052497.1254498A@webmail.messagingengine.com> User-Agent: Alpine 2.11 (BSF 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 21:49:39 -0000 Mark Felder wrote: >> Sure, when you must change the ABI you also have to rebuild linked libs >> and bins, but how many openssl 0.9 updates have required ABI changes? >> > This entire discussion has been about doing MAJOR updates to OpenSSL in > base. I agree that this discussion has been about updates to OpenSSL but we're obviously not on the same page with regards to your definition of major. Leif Pedersen wrote: >> ... more easily remediated (than installworld) and so 'pkg audit' could > report on those. > >Exactly how would that differ from using freebsd-update? You mean aside from being locally compiled? Does freebsd-update only update the specific libs, apps, files that need to be updated? Roger From owner-freebsd-security@FreeBSD.ORG Sun May 17 22:00:12 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 06F6C202 for ; Sun, 17 May 2015 22:00:12 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CA88613A6 for ; Sun, 17 May 2015 22:00:11 +0000 (UTC) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 5F95F207C1 for ; Sun, 17 May 2015 18:00:10 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute2.internal (MEProxy); Sun, 17 May 2015 18:00:10 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=flUgMVcpSFiKy8O jZdIDBPtk+Vo=; b=TlE57qnquez78FaJDHOPnImxQdF1mg5Hhu9Q1BVRJL3huWn ShG5txtovWj9/AK0W2sNQ2at3ZIIbzvu0BkX3e7cPM55xUR1WXSizUezrvL+Tkck GoFjT2CkFXLyjaDMJu3nTpcZNJ+nzIFFP/mpYT/+5mTAhv97WuFSSP0uxBhQ= Received: by web3.nyi.internal (Postfix, from userid 99) id 2C145101927; Sun, 17 May 2015 18:00:10 -0400 (EDT) Message-Id: <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> X-Sasl-Enc: Pop7Mjgt+PPqW86zyitIQW/GoH5xAzoB5IhrvVRe/9rh 1431900010 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 In-Reply-To: <55590817.1030507@obluda.cz> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Sun, 17 May 2015 17:00:10 -0500 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 22:00:12 -0000 On Sun, May 17, 2015, at 16:28, Dan Lukes wrote: > On 05/17/15 22:20, Mark Felder: > > You're not understanding the situation: the vulnerability isn't in > > OpenSSL; it's a design flaw / weakness in the protocol. > > Sorry, my English seems to be so poor so you don't understand my very > simple question. You are still answering other questions I didn't asked. > > Last attempt. I will try ti make question as simple as possible. If it > will not help I will become silent. > > TLS 1.0 *protocol* is buggy, new protocol has been implemented in new > version of OpenSSL, but such version will not be imported into FreeBSD 9 > because of ABI incompatibility. Instead old version of OpenSSL and > vulnerable protocol is still used by base system libraries and > utilities. So base system IS affected by known vulnerability. > > Thus I'm asking. > > If TLS 1.0 is considered severe security issue AND system utilities are > using it, why there is no Security Advisory describing this system > vulnerability ? > It's not a vulnerability in software, it's weakness in the protocol design. By your logic we should have SAs for all of the following in the base system: hashes: MD5 SHA1 default passwd hash in FreeBSD 8: md5crypt (though phk did request a CVE to help usher its death) any openssl cipher using the following: MD5 SHA1 DES 3DES IDEA I'm sure there are even more examples. None of these problems fit the definition required to issue an SA. They're just a violation of widely-accepted Best Current Practices. From owner-freebsd-security@FreeBSD.ORG Sun May 17 23:06:22 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 001BD8B9 for ; Sun, 17 May 2015 23:06:21 +0000 (UTC) Received: from smtp1.ms.mff.cuni.cz (smtp1.ms.mff.cuni.cz [IPv6:2001:718:1e03:801::4]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7FC7F1A67 for ; Sun, 17 May 2015 23:06:21 +0000 (UTC) X-SubmittedBy: id 100000045929 subject /C=CZ/O=Univerzita+20Karlova+20v+20Praze/CN=Dan+20Lukes/unstructuredName=100000045929 issued by /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA+20Personal+20CA+202 auth type TLS.MFF Received: from kgw.obluda.cz ([194.108.204.138]) (authenticated) by smtp1.ms.mff.cuni.cz (8.14.9/8.14.9) with ESMTP id t4HN6GUq099364 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=OK) for ; Mon, 18 May 2015 01:06:19 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <55591EE8.9070101@obluda.cz> Date: Mon, 18 May 2015 01:06:16 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26.1 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> In-Reply-To: <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 23:06:22 -0000 On 05/18/15 00:00, Mark Felder: >> If TLS 1.0 is considered severe security issue AND system utilities are >> using it, why there is no Security Advisory describing this system >> vulnerability ? >> > > It's not a vulnerability in software, it's weakness in the protocol > design. Like protocol protocol downgrade triggered by MITM attack flaw or protocol design flaw in session renegotiation support. The first one addressed in FreeBSD-SA-14:23.openssl, the second one in FreeBSD-SA-09:15.ssl So the "is it protocol flaw or implementation bug" seems not to be true major criteria. OK, I wish I got best answer to my question possible. I'm not going to discuss SA issuing policy in this thread. Thank you. Dan From owner-freebsd-security@FreeBSD.ORG Mon May 18 03:13:39 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8691089E for ; Mon, 18 May 2015 03:13:39 +0000 (UTC) Received: from mail-wg0-f54.google.com (mail-wg0-f54.google.com [74.125.82.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1EDF312D2 for ; Mon, 18 May 2015 03:13:38 +0000 (UTC) Received: by wguv19 with SMTP id v19so110896028wgu.1 for ; Sun, 17 May 2015 20:13:31 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=jzZkiloc305CLO4HfQHeq6nyISIIaGdh6q36jut3Zx4=; b=Nyu5iJQwQy5bTQFrh5BW1AWckd74zXvYDZQ0bI5krriu6jDYClG/i4TT5+FjHsPMJu 7EfWF+hN+gEiAryYE/Uxrn/kyJUuTsYOhYdbudLPIt6ybiPXYWI8WmOtiMP4r25OdiH1 ZsUi6NA+KqU9ewP23Ub6zUz7ll73wCfr0HkWIoPackyxk4rkQ430RYIjhUCNssP8aBF0 XgTp8/E5b1u67Dx45AXNJxLtszNEjpo6DJD7P2qwQTMJl2m5tFDTzfzLySXR0lM4fHd9 jqS2Y7zjaEx8RpGZ8KcLwkie+hFW/JfqtBZMPiFbIsBV4MglofOd1lC21ke7WiA4+0+q Yhew== X-Gm-Message-State: ALoCoQnKsP0gW+yWgFbJqUwxrMZqWGXcqDflLE49F7MUQJO9XCAGsMoXswqelcYsoROMAtn7soOG MIME-Version: 1.0 X-Received: by 10.194.185.107 with SMTP id fb11mr40582218wjc.9.1431918810995; Sun, 17 May 2015 20:13:30 -0700 (PDT) Received: by 10.28.159.207 with HTTP; Sun, 17 May 2015 20:13:30 -0700 (PDT) X-Originating-IP: [65.119.177.162] Received: by 10.28.159.207 with HTTP; Sun, 17 May 2015 20:13:30 -0700 (PDT) In-Reply-To: <55590cf4.2a53440a.6656.ffffe6c2SMTPIN_ADDED_MISSING@mx.google.com> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <1431896211.1954759.271044297.00C7D719@webmail.messagingengine.com> <1431897343.1957655.271052497.1254498A@webmail.messagingengine.com> <55590cf4.2a53440a.6656.ffffe6c2SMTPIN_ADDED_MISSING@mx.google.com> Date: Sun, 17 May 2015 22:13:30 -0500 Message-ID: Subject: Re: Forums.FreeBSD.org - SSL Issue? From: Leif Pedersen To: Roger Marquis Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 03:13:39 -0000 On May 17, 2015 4:49 PM, "Roger Marquis" wrote: > Leif Pedersen wrote: >>> >>> ... more easily remediated (than installworld) and so 'pkg audit' could >> >> report on those. >> >> Exactly how would that differ from using freebsd-update? > > > You mean aside from being locally compiled? Does freebsd-update only > update the specific libs, apps, files that need to be updated? > > Roger Maybe it would be a good idea to learn what freebsd-update does before continuing to give the developers who bring such a great OS to you a hard time. You have some good thoughts, but you may find that the need isn't as great as you think. From owner-freebsd-security@FreeBSD.ORG Mon May 18 07:05:24 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CF80FF79; Mon, 18 May 2015 07:05:24 +0000 (UTC) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 38F8D1919; Mon, 18 May 2015 07:05:23 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t4I75EvH051222; Mon, 18 May 2015 17:05:14 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Mon, 18 May 2015 17:05:13 +1000 (EST) From: Ian Smith To: Mark Felder cc: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? In-Reply-To: <1431694294.3518862.269597633.213CD919@webmail.messagingengine.com> Message-ID: <20150516190047.R69409@sola.nimnet.asn.au> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <5554C025.9090903@ivpro.net> <20150515173820.M69409@sola.nimnet.asn.au> <1431694294.3518862.269597633.213CD919@webmail.messagingengine.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 07:05:24 -0000 On Fri, 15 May 2015 07:51:34 -0500, Mark Felder wrote: > On Fri, May 15, 2015, at 03:07, Ian Smith wrote: > > On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote: > > > Hello > > > > > > >> But I don't think disable TLS 1.0 is ok. > > > >> > > > > > > > > TLS 1.0 is dead and is even now banned in new installations according to > > > > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported > > > > by *any* HTTPS site now. > > > > > > Maybe is dead but is used in many old browser / software still used. > > > > > > In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 to 30 June 2016. > > > (new installations "in theory" should not be built on TLS 1.0). > > > > > > So we have 1 year and FreeBSD forum is not e-commerce site ;) > > > > People seem determined to make sure freebsd forums are one of the first > > sites to ban TLS 1.0, as some sort of best-practice example. > > > > I admit my knowledge of TLS issues is scant. I'd like to know whether > > allowing TLS 1.0 - with fallback from later levels denied, as it already > > is - endangers the server, or only the client? If there's a clearly > > stated and immediate danger to the forum server, I can accept that, but > > I'd have thought https://www and svnweb would be more at such peril? > > Will there be any notice before they're denied TLS 1.0 access also? > The danger is decryption. Your username/password could be stolen if > someone captures your traffic after successfully initiating a downgrade > attack. So the danger is only to myself, from some MITM, and not to the server? And despite the forum cert setup shown at https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org : Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported (more info) which refers to RFC 7507, https://datatracker.ietf.org/doc/rfc7507/ which I've read, are we not trusting that mechanisn to prevent some successful initiation of a downgrade attack - which I rather imprecisely called "with fallback from later levels denied" above? > You can't login to www.freebsd.org or svnweb. The most they can do is > see what you're browsing, which isn't private anyway. Alright. > > If it's just for making the sort of point that Mark is advocating, to > > force people to join this 'rolling automatic update' model so beloved of > > Microsoft and their captive hardware vendors, then I think doing that, > > without any sort of prior notice, is rather less than I've come to > > expect from the FreeBSD project over 17 years. > > > > But I'm a grandpa too; guess I have old-fashioned expectations :) > Microsoft has nothing to do with this. They're setting a good example. Alright, the leopard has changed its spots; wonders will never cease. > OSX is sort-of on that train too. FreeBSD has always been ahead of the > curve with the ports tree being a rolling-release model. We need the > Linux distros to get their heads on straight now, too. The latter should be simple enough :) > Just a reminder: I don't speak for the project in these matters. I'm > just telling you what best current practices are. I have no idea who > made that decision for the forums, or if it's even worth having the > forums on https anyway. Other forums I use allow http connections, read only, only requiring switching to https for login and thus posting, which is fair enough, and I have almost always only read a few forum posts, but see below .. Noone has yet seen fit to even comment on the matter of no prior notice; there is usually at least some heads-up warning, 'better upgrade now', before access is denied to some FreeBSD service from older browsers. > If it was up to me I probably wouldn't even put > https on the forums even though Google will penalize it in search > results. (Sure, you have a user account there... but it doesn't really > do anything... you're not using the same credentials everywhere are > you?) Of course not. And I just checked, being unsure I'd ever posted there, to find my password server-allocated anyway, so I must have posted once. > Actually, that might be the reason -- Google search results. Perhaps > Google is also logging what protocols/ciphers your HTTPS has and is > using that in search rankings. You're seriously suggesting that the FreeBSD project should set security policies to favour higher rankings from an advertising company? cheers, Ian From owner-freebsd-security@FreeBSD.ORG Mon May 18 07:43:38 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 17A0D675; Mon, 18 May 2015 07:43:38 +0000 (UTC) Received: from rack.patpro.net (rack.patpro.net [193.30.227.216]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "patpro.net", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C7B101D81; Mon, 18 May 2015 07:43:37 +0000 (UTC) Received: from patpro.univ-lyon2.fr (patpro.univ-lyon2.fr [159.84.113.250]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client did not present a certificate) by rack.patpro.net (Postfix) with ESMTPSA id 7B252D40; Mon, 18 May 2015 09:43:27 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=patpro.net; s=201504-3edeac90; t=1431935007; bh=0XjlvWE+qYxIo5+rcZmf2ya2HP57q2vpgYon17/ximo=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=LUHfyXjY56VAEqzi/vTo23ENKV/2EA8DNajmwA8BCu1RuBUBa/lu8sK++3cYrJ4M3 X+CS+ZGjb0JZoo3ffLY1FxkvGzEAD798Jicahp4iszgpiVtX6wApx/GrM9adYY0AUT kkghLiKD9bR+4wXZVPn0upS0xn1cKVmY70Ob0ZI13588TAYwPf63Smnux3ocA8IbW9 5Q4cgSpXvI96CiGAMNgd3IxVGDciv37wF6G3/r1X8uW+1XN5TULCXmBQKikT0NL8IB RBHUbxX3DIf3WpGPZ7ugOWAwCRhQacym0fJX6qaRw+Jxila5PzEyBUNr1CYrD/iPm0 vDFYJf32wzQCFQpk7fxK5c6rbH21Q3qLco5Jgi5HgQHSKP/fJ0xnxeftMk2fA7tS8L XqVY7bvbP3IMohQlG9nbaSYMX3xgV/2JSGWZXW975yAxIlOg9rKyRwAh1dNRDrnaJx bbDZJIz0g7qCbHk0jMdNDi2qaA+OfnibvsLwajFet12etbDwpKlMSWK8Xcj+7FR3JJ tVqpbWlO1HvhcgE9j2OnWJsqANLffxw7ZEeZj+WuXfUdhe5mOm806SOir4zJn0ysMm SJfPrcaFmbYj3RRTyCQZl0rYxaNGCtEo/3OAeYrgMLcZjEZdZZeJzSHtLESsiqY0+Y iW6Srpi3yZQOGuWvD8Uu2uwQ= Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\)) Subject: Re: Forums.FreeBSD.org - SSL Issue? From: patpro@patpro.net In-Reply-To: <20150516190047.R69409@sola.nimnet.asn.au> Date: Mon, 18 May 2015 09:43:24 +0200 Cc: Mark Felder , freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <7EA714EE-27E3-4433-96B8-A334C5A7BD30@patpro.net> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <5554C025.9090903@ivpro.net> <20150515173820.M69409@sola.nimnet.asn.au> <1431694294.3518862.269597633.213CD919@webmail.messagingengine.com> <20150516190047.R69409@sola.nimnet.asn.au> To: Ian Smith X-Mailer: Apple Mail (2.1510) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 07:43:38 -0000 On 18 mai 2015, at 09:05, Ian Smith wrote: >>=20 >> Actually, that might be the reason -- Google search results. Perhaps >> Google is also logging what protocols/ciphers your HTTPS has and is >> using that in search rankings. >=20 > You're seriously suggesting that the FreeBSD project should set = security=20 > policies to favour higher rankings from an advertising company? There's a bigger picture. Google is promoting strong security. Using web = sites HTTPS details (proto, ciphers, certificate trustworthiness...) as = ranking parameter is an incentive for admin to switch to better protocol = and stronger cipher suits (& more expensive certificates). Their next step, currently ongoing in fact, is to limit or even remove = browser confidence in older protocol/ciphers, so that users would be = deterred from visiting those web sites. Domain Validated certificates = are probably a target to be shot dead in few years too. As an admin I find it to be a pain in the *** to constantly have to deal = with latest Google "vision", but as a user I think they are right = because that's the way to go for promoting strong crypto. regards, patpro= From owner-freebsd-security@FreeBSD.ORG Mon May 18 08:21:31 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5C8AFE4B for ; Mon, 18 May 2015 08:21:31 +0000 (UTC) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 124241137 for ; Mon, 18 May 2015 08:21:31 +0000 (UTC) Received: from slw by zxy.spb.ru with local (Exim 4.84 (FreeBSD)) (envelope-from ) id 1YuGIT-000Gab-Dk; Mon, 18 May 2015 11:21:13 +0300 Date: Mon, 18 May 2015 11:21:13 +0300 From: Slawa Olhovchenkov To: patpro@patpro.net Cc: Ian Smith , freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? Message-ID: <20150518082113.GG1394@zxy.spb.ru> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <5554C025.9090903@ivpro.net> <20150515173820.M69409@sola.nimnet.asn.au> <1431694294.3518862.269597633.213CD919@webmail.messagingengine.com> <20150516190047.R69409@sola.nimnet.asn.au> <7EA714EE-27E3-4433-96B8-A334C5A7BD30@patpro.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <7EA714EE-27E3-4433-96B8-A334C5A7BD30@patpro.net> User-Agent: Mutt/1.5.23 (2014-03-12) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 08:21:31 -0000 On Mon, May 18, 2015 at 09:43:24AM +0200, patpro@patpro.net wrote: > On 18 mai 2015, at 09:05, Ian Smith wrote: > > >> > >> Actually, that might be the reason -- Google search results. Perhaps > >> Google is also logging what protocols/ciphers your HTTPS has and is > >> using that in search rankings. > > > > You're seriously suggesting that the FreeBSD project should set security > > policies to favour higher rankings from an advertising company? > > > There's a bigger picture. Google is promoting strong security. Using web sites HTTPS details (proto, ciphers, certificate trustworthiness...) as ranking parameter is an incentive for admin to switch to better protocol and stronger cipher suits (& more expensive certificates). > Their next step, currently ongoing in fact, is to limit or even remove browser confidence in older protocol/ciphers, so that users would be deterred from visiting those web sites. Domain Validated certificates are probably a target to be shot dead in few years too. > > As an admin I find it to be a pain in the *** to constantly have to deal with latest Google "vision", but as a user I think they are right because that's the way to go for promoting strong crypto. As user I am don't need crypto, strong or weak. From owner-freebsd-security@FreeBSD.ORG Mon May 18 13:42:57 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 31DA6576 for ; Mon, 18 May 2015 13:42:57 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 012361A7E for ; Mon, 18 May 2015 13:42:56 +0000 (UTC) Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 3252620C21 for ; Mon, 18 May 2015 09:42:55 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute6.internal (MEProxy); Mon, 18 May 2015 09:42:55 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=NhXDUrx2uNEurJj YAMr84eWyzKA=; b=GYUUIwf5lAedixyo+jT7Gi4vLmfS7jfRrcS+0V9gGDGybAo NxTsAUeS60FSRRwk3S3FPmjI3RnoqM266EJ+CPG0YYPOetoi5yRcQTswQ9NvHLJO l9O9H5gGAbeeWR3T7ocx9IIZ0/gxxr565Ufq+j7Vt5zCP6f0gTipuKyruo4g= Received: by web3.nyi.internal (Postfix, from userid 99) id 0EE8B106C13; Mon, 18 May 2015 09:42:55 -0400 (EDT) Message-Id: <1431956574.2820539.271626745.23D563FC@webmail.messagingengine.com> X-Sasl-Enc: PyXnJOI8tHwcBB8j+SNgf8Ko79lrROQu1EHaHJ1XaOor 1431956574 From: Mark Felder To: Ian Smith Cc: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-fd425702 In-Reply-To: <20150516190047.R69409@sola.nimnet.asn.au> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <5554C025.9090903@ivpro.net> <20150515173820.M69409@sola.nimnet.asn.au> <1431694294.3518862.269597633.213CD919@webmail.messagingengine.com> <20150516190047.R69409@sola.nimnet.asn.au> Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Mon, 18 May 2015 08:42:54 -0500 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 13:42:57 -0000 On Mon, May 18, 2015, at 02:05, Ian Smith wrote: > > > The danger is decryption. Your username/password could be stolen if > > someone captures your traffic after successfully initiating a downgrade > > attack. > > So the danger is only to myself, from some MITM, and not to the server? > And despite the forum cert setup shown at > https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org : > > Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported (more > info) > > which refers to RFC 7507, https://datatracker.ietf.org/doc/rfc7507/ > which I've read, are we not trusting that mechanisn to prevent some > successful initiation of a downgrade attack - which I rather imprecisely > called "with fallback from later levels denied" above? > This is irrelevant to this conversation. with TLS_FALLBACK_SCSV, those with strong crypto keep strong crypto. Those with weak crypto are _still_ vulnerable to their traffic being decrypted. This new mechanism does not magically make their weak crypto more secure. > > > Microsoft has nothing to do with this. They're setting a good example. > > Alright, the leopard has changed its spots; wonders will never cease. > Troll detected. If by now in your adult life you haven't recognized that you need to use the right tool for the right job -- whether that be Windows, OSX, Linux, FreeBSD, OpenBSD, NetBSD, DragonflyBSD, SmartOS, Illumos, Solaris, etc etc etc -- I can't help you. It might surprise you that some FreeBSD developers use Windows as their daily OS. Many use OSX. > > Other forums I use allow http connections, read only, only requiring > switching to https for login and thus posting, which is fair enough, > and I have almost always only read a few forum posts, but see below .. > I agree that would be reasonable, but I am not involved in the forum administration -- or cluster, for that matter. > > > Actually, that might be the reason -- Google search results. Perhaps > > Google is also logging what protocols/ciphers your HTTPS has and is > > using that in search rankings. > > You're seriously suggesting that the FreeBSD project should set security > policies to favour higher rankings from an advertising company? > If people can't search Google and find results on the first page they're going to be very, very discouraged from even trying it out. I don't think I can provide any further information about what's going on here, but I hope that I've answered some questions about why this isn't such a terrible idea. Feel free to file a bug report if you would like this followed up by those who have control over these decisions. https://bugs.freebsd.org/bugzilla/enter_bug.cgi?product=Services From owner-freebsd-security@FreeBSD.ORG Mon May 18 13:52:29 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 673BD93C for ; Mon, 18 May 2015 13:52:29 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 383CF1BCF for ; Mon, 18 May 2015 13:52:29 +0000 (UTC) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 4A0B920BBB for ; Mon, 18 May 2015 09:52:28 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute5.internal (MEProxy); Mon, 18 May 2015 09:52:28 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=UXABVGyeRyMqW4b W2S9T1Wk9MRA=; b=Cc3Pt8iSe0prLRcqIjTduYPsNqZ8ITsFBGaxNIPRYXBzp0o hkRPU6KhK16vEZfL9VcLws3fkmJXQ7aKNcnQe/bD7bgk39S08ovo8j9UcGuUnsp0 LIaIFoS9p+o/4AvmTm9HpEbbCEzQiL+sxftccXhfK9QAZvgiJjqMPh3Jvh+Y= Received: by web3.nyi.internal (Postfix, from userid 99) id 27A001071A6; Mon, 18 May 2015 09:52:28 -0400 (EDT) Message-Id: <1431957148.2823348.271640449.22FB98B2@webmail.messagingengine.com> X-Sasl-Enc: Ytybg76VOq+tSXPShNu4jaNr/tg4OJl7xFjy4hNcgtOf 1431957148 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-fd425702 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Mon, 18 May 2015 08:52:28 -0500 In-Reply-To: <55591EE8.9070101@obluda.cz> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> <55591EE8.9070101@obluda.cz> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 13:52:29 -0000 On Sun, May 17, 2015, at 18:06, Dan Lukes wrote: > On 05/18/15 00:00, Mark Felder: > >> If TLS 1.0 is considered severe security issue AND system utilities are > >> using it, why there is no Security Advisory describing this system > >> vulnerability ? > >> > > > > It's not a vulnerability in software, it's weakness in the protocol > > design. > > Like protocol protocol downgrade triggered by MITM attack flaw or > protocol design flaw in session renegotiation support. The first one > addressed in FreeBSD-SA-14:23.openssl, the second one in > FreeBSD-SA-09:15.ssl > > So the "is it protocol flaw or implementation bug" seems not to be true > major criteria. > > OK, I wish I got best answer to my question possible. I'm not going to > discuss SA issuing policy in this thread. > FreeBSD-SA-14:23: primarily backported a new feature (TLS_FALLBACK_SCSV) to help prevent those with stronger crypto from being forced to downgrade to weak crypto via a MITM attack FreeBSD-SA-09:15: fixes some bugs dealing with potential MITM attacks Neither of these directly address a broken protocol, such as warning all users that "using SSL 3.0 or TLS 1.0 is dangerous" I mean, should we have an SA because our libc supports strcpy and people can use that and create severe vulnerabilities? Or the fact that there is no firewall enabled by default, so you should probably enable one? That seems a bit extreme. You could write a whole book and still not cover all of these topics :-) Hope that helps From owner-freebsd-security@FreeBSD.ORG Mon May 18 14:54:35 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 698AFEBB; Mon, 18 May 2015 14:54:35 +0000 (UTC) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1FA0B12FB; Mon, 18 May 2015 14:54:35 +0000 (UTC) Received: from slw by zxy.spb.ru with local (Exim 4.84 (FreeBSD)) (envelope-from ) id 1YuMR5-000NnU-2e; Mon, 18 May 2015 17:54:31 +0300 Date: Mon, 18 May 2015 17:54:31 +0300 From: Slawa Olhovchenkov To: Mark Felder Cc: Ian Smith , freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? Message-ID: <20150518145430.GH1394@zxy.spb.ru> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <5554C025.9090903@ivpro.net> <20150515173820.M69409@sola.nimnet.asn.au> <1431694294.3518862.269597633.213CD919@webmail.messagingengine.com> <20150516190047.R69409@sola.nimnet.asn.au> <1431956574.2820539.271626745.23D563FC@webmail.messagingengine.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1431956574.2820539.271626745.23D563FC@webmail.messagingengine.com> User-Agent: Mutt/1.5.23 (2014-03-12) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 14:54:35 -0000 On Mon, May 18, 2015 at 08:42:54AM -0500, Mark Felder wrote: > > > > > Actually, that might be the reason -- Google search results. Perhaps > > > Google is also logging what protocols/ciphers your HTTPS has and is > > > using that in search rankings. > > > > You're seriously suggesting that the FreeBSD project should set security > > policies to favour higher rankings from an advertising company? > > > > If people can't search Google and find results on the first page they're > going to be very, very discouraged from even trying it out. > > I don't think I can provide any further information about what's going > on here, but I hope that I've answered some questions about why this > isn't such a terrible idea. Feel free to file a bug report if you would > like this followed up by those who have control over these decisions. Need higher rankings with https? Do https mirrors for google/bing. Client can't use strong encription? Allow cleartext and weak encription. FreeBSD forum posts don't contains any sensitive information. "Be strict in what you send, but generous in what you receive" From owner-freebsd-security@FreeBSD.ORG Mon May 18 14:41:19 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8904F8E3 for ; Mon, 18 May 2015 14:41:19 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 54AEE1199 for ; Mon, 18 May 2015 14:41:19 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id t4IEfJT6044397 for ; Mon, 18 May 2015 14:41:19 GMT (envelope-from bdrewery@freefall.freebsd.org) Received: (from bdrewery@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id t4IEfJRo044394 for freebsd-security@freebsd.org; Mon, 18 May 2015 14:41:19 GMT (envelope-from bdrewery) Received: (qmail 67180 invoked from network); 18 May 2015 09:41:14 -0500 Received: from unknown (HELO ?10.10.1.139?) (freebsd@shatow.net@10.10.1.139) by sweb.xzibition.com with ESMTPA; 18 May 2015 09:41:14 -0500 Message-ID: <5559FA0B.8080005@FreeBSD.org> Date: Mon, 18 May 2015 09:41:15 -0500 From: Bryan Drewery Organization: FreeBSD User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: Roger Marquis , freebsd-security@freebsd.org, freebsd-pkg@freebsd.org, freebsd-ports@freebsd.org Subject: Re: pkg audit / vuln.xml failures References: <20150517210259.C25DF76F@hub.freebsd.org> In-Reply-To: <20150517210259.C25DF76F@hub.freebsd.org> OpenPGP: id=F9173CB2C3AAEA7A5C8A1F0935D771BB6E4697CF; url=http://www.shatow.net/bryan/bryan2.asc Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="rB4sRDOgLiJcN0HGIXPAnXoh3l6s8Wa3V" X-Mailman-Approved-At: Mon, 18 May 2015 14:59:12 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 14:41:19 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --rB4sRDOgLiJcN0HGIXPAnXoh3l6s8Wa3V Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 5/17/2015 4:02 PM, Roger Marquis wrote: > Does anyone know what's going on with vuln.xml updates? Over the last > few weeks and months CVEs and application mailing lists have announced > vulnerabilities for several ports that in some cases only showed up in > vuln.xml after several days and in other cases are still not listed > (despite email to the security team). >=20 > Is there a URL outlining the policies and procedures of vuln.xml > maintenance? >=20 ports-secteam@ owns this file, not secteam@. The team needs more help. Would you like to volunteer to submit vuxml updates? Many contributors, and committers, feel the file is not easy to contribute to. Regards, Bryan Drewery --rB4sRDOgLiJcN0HGIXPAnXoh3l6s8Wa3V Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAgAGBQJVWfoSAAoJEDXXcbtuRpfPA0EIAM6fvSkm3GsxafSbgwpSvVnZ S3wC+MlSwMS+UW0jYG9/y2Qpz3P3gZEHOSxcxI9lF/jvAtA46Za8pAxJRChN2TQZ ToOhfpZkH6EVgyg/8mw9kcRx1DAwSk4N7UsE9gBY8ubJDeIF/gvqlbOkbTN6xxRb tIbF8OXfzJnqKVIaNBfsoDfmNBOaUzEBzWoIEjXXuSTMD/QrlSZyiTJNIHj+s6W4 sJpGATzpRVmyadqcMwc8D4z2sONbf3f9jklLqeO4h7IItIO8Csa/UpYMWLW3IbYB aeRdIx8kBl0WbugV1cwnZu2Lq0QrGarwEsjyY2F6XYD7BDenVJejQ0GtlOIHuEw= =GJke -----END PGP SIGNATURE----- --rB4sRDOgLiJcN0HGIXPAnXoh3l6s8Wa3V-- From owner-freebsd-security@FreeBSD.ORG Mon May 18 15:04:41 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 71068475; Mon, 18 May 2015 15:04:41 +0000 (UTC) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 6193C14A8; Mon, 18 May 2015 15:04:41 +0000 (UTC) Date: Mon, 18 May 2015 08:04:40 -0700 (PDT) From: Roger Marquis To: Bryan Drewery cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org, freebsd-ports@freebsd.org Subject: Re: pkg audit / vuln.xml failures In-Reply-To: <5559FA0B.8080005@FreeBSD.org> References: <20150517210259.C25DF76F@hub.freebsd.org> <5559FA0B.8080005@FreeBSD.org> User-Agent: Alpine 2.11 (BSF 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 15:04:41 -0000 > ports-secteam@ owns this file, not secteam@. Thanks for the pointer Bryan. I would hope that port vulnerability emails are forwarded from secteam@ to ports-secteam@, by policy, as the freebsd.org website is not clear on this. Either way at least I/we now know the right address/es. > The team needs more help. > Would you like to volunteer to submit vuxml updates? Many contributors, > and committers, feel the file is not easy to contribute to. I have been submitting ports vulnerability updates and will continue to do so (now to ports-secteam@). If there are any open seats on ports-secteam I would like to contribute on that level as well. Still interested in the team's policies and procedures, if those are online somewhere. Roger Marquis From owner-freebsd-security@FreeBSD.ORG Mon May 18 17:34:09 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E0DDBCB2 for ; Mon, 18 May 2015 17:34:09 +0000 (UTC) Received: from smtp1.ms.mff.cuni.cz (smtp1.ms.mff.cuni.cz [IPv6:2001:718:1e03:801::4]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 53DDC18C9 for ; Mon, 18 May 2015 17:34:08 +0000 (UTC) X-SubmittedBy: id 100000045929 subject /C=CZ/O=Univerzita+20Karlova+20v+20Praze/CN=Dan+20Lukes/unstructuredName=100000045929 issued by /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA+20Personal+20CA+202 auth type TLS.MFF Received: from kgw.obluda.cz ([194.108.204.138]) (authenticated) by smtp1.ms.mff.cuni.cz (8.14.9/8.14.9) with ESMTP id t4IHY3n0047124 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=OK) for ; Mon, 18 May 2015 19:34:04 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <555A228B.8080807@obluda.cz> Date: Mon, 18 May 2015 19:34:03 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26.1 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> <55591EE8.9070101@obluda.cz> <1431957148.2823348.271640449.22FB98B2@webmail.messagingengine.com> In-Reply-To: <1431957148.2823348.271640449.22FB98B2@webmail.messagingengine.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 17:34:10 -0000 On 05/18/15 15:52, Mark Felder: > I mean, should we have an SA because our libc supports strcpy and people > can use that and create severe vulnerabilities? No, but we should have SA whenever other system component is using strcpy() the way that may affect system security. System utility 'fetch' is willing negotiate known-to-be-insecure protocol with no warning and by default. Sensitive user's data may be transferred by base system utility via insecure protocol. I consider it bug in fetch code. A system utility must not allow silent transfer of data via known insecure protocol if secure transfer has been requested. I see no reason to keep the issue in the dark, even in the case the issue will not be patched on 8-R & 9-R. OK, I'm former bank IT security officer, so I my expectations related to handling of security issues may be set so high. It seems there is nothing more to say about this (slightly off-)topic. I wish the vulnerability should be disclosed to public, you wish it is not necessary because it's known bug in a protocol design and users doesn't expect secure channel from 'fetch'. Two men, two opinions. It's not necessary to reach consent. Thank you for all comments and responses. Dan From owner-freebsd-security@FreeBSD.ORG Mon May 18 18:04:39 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B1EB38B1 for ; Mon, 18 May 2015 18:04:39 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 801861CC5 for ; Mon, 18 May 2015 18:04:39 +0000 (UTC) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 3E9AC20E13 for ; Mon, 18 May 2015 14:04:38 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute1.internal (MEProxy); Mon, 18 May 2015 14:04:38 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=ji2TzdebigY+wg+ DL/G2A1uyxSU=; b=U1cslmQX/PwdlX6sN9NLCT2bD3q46wq7mJRuwlfQo19DtDX vsSAIRLe9s5bQ2GDkFGyQI82VOB1iW8imjIHk738X+iP+RnvPx9yWDNgptPMYUro qu5nZHVmEF3PGn9IZTWmNLabm32yz6RNk+Gc0gdYtp3sHAnnNK2I9QIvbKiI= Received: by web3.nyi.internal (Postfix, from userid 99) id 1F38D10B763; Mon, 18 May 2015 14:04:38 -0400 (EDT) Message-Id: <1431972278.2880231.271899561.7D0CC1CF@webmail.messagingengine.com> X-Sasl-Enc: XKCAhtSInuRIJlG+oujX7EgYzQn33EvwPUrYW26aQj5I 1431972278 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-fd425702 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Mon, 18 May 2015 13:04:38 -0500 In-Reply-To: <555A228B.8080807@obluda.cz> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> <55591EE8.9070101@obluda.cz> <1431957148.2823348.271640449.22FB98B2@webmail.messagingengine.com> <555A228B.8080807@obluda.cz> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 18:04:39 -0000 On Mon, May 18, 2015, at 12:34, Dan Lukes wrote: > On 05/18/15 15:52, Mark Felder: > > I mean, should we have an SA because our libc supports strcpy and people > > can use that and create severe vulnerabilities? > > No, but we should have SA whenever other system component is using > strcpy() the way that may affect system security. > > System utility 'fetch' is willing negotiate known-to-be-insecure > protocol with no warning and by default. Sensitive user's data may be > transferred by base system utility via insecure protocol. I consider it > bug in fetch code. A system utility must not allow silent transfer of > data via known insecure protocol if secure transfer has been requested. > > I see no reason to keep the issue in the dark, even in the case the > issue will not be patched on 8-R & 9-R. OK, I'm former bank IT security > officer, so I my expectations related to handling of security issues may > be set so high. > > It seems there is nothing more to say about this (slightly off-)topic. I > wish the vulnerability should be disclosed to public, you wish it is not > necessary because it's known bug in a protocol design and users doesn't > expect secure channel from 'fetch'. > > Two men, two opinions. It's not necessary to reach consent. > > Thank you for all comments and responses. > > Dan > Fetch also doesn't have a certificate trust store out of the box. It's very dependent on the sysadmin to make good decisions. Much like Apache with mod_ssl will *accept* connections on SSLv3 unless you manually configure the protocols. FYI, you can set SSL_NO_SSL3 and SSL_NO_TLS1 in your env to stop this behavior in fetch. If you add this to your base system image you can lock this down pretty reliably. Keep in mind that changing this default behavior in fetch would be a POLA violation and possibly break scripts for countless users. Comparatively, is the forums HTTPS also a POLA violation? Maybe! I can't decide. :-( From owner-freebsd-security@FreeBSD.ORG Mon May 18 18:06:55 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5CCF19CE for ; Mon, 18 May 2015 18:06:55 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 30F261CF8 for ; Mon, 18 May 2015 18:06:54 +0000 (UTC) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 09DD5207F0 for ; Mon, 18 May 2015 14:06:54 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute2.internal (MEProxy); Mon, 18 May 2015 14:06:54 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=WK/J41YI2vnv90r s9WtJFjIYahY=; b=g5M7Y6kK1TENAM2cUB2gJX3fZhOi6h1REMM/MIFoJeQXdHz 22R0xFgyZ7LCtiYiCKUovGfsP+eKekqJeEP9S5Uezqp4gwOr4AdOCqFYirrf8KBS ShejdaWECIWri5kMO/Msc18pBEFM2wwCkkD7OuGVugJdUarNVXgrqzmPD7M0= Received: by web3.nyi.internal (Postfix, from userid 99) id CAC1510B791; Mon, 18 May 2015 14:06:53 -0400 (EDT) Message-Id: <1431972413.2880876.271908321.6959F2D3@webmail.messagingengine.com> X-Sasl-Enc: wNKI5wm5gLfG8L2xUujZn3czzh7a4XiXZJJkE1oF/QVt 1431972413 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-fd425702 In-Reply-To: <20150517210300.45FF67B8@hub.freebsd.org> References: <20150517210300.45FF67B8@hub.freebsd.org> Subject: Re: pkg audit / vuln.xml failures Date: Mon, 18 May 2015 13:06:53 -0500 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 18:06:55 -0000 On Sun, May 17, 2015, at 16:02, Roger Marquis wrote: > Does anyone know what's going on with vuln.xml updates? Over the last > few weeks and months CVEs and application mailing lists have announced > vulnerabilities for several ports that in some cases only showed up in > vuln.xml after several days and in other cases are still not listed > (despite email to the security team). > > Is there a URL outlining the policies and procedures of vuln.xml > maintenance? > I am also interested. I know there is a desire to leverage CPE in the future, but I've seen CPE entries take weeks to show up. Our vuln.xml maintenance has always been pretty solid. Is there a lack of manpower right now? Are there notices/reports not being processed? How can we help? From owner-freebsd-security@FreeBSD.ORG Mon May 18 19:01:32 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6DC433A0; Mon, 18 May 2015 19:01:32 +0000 (UTC) Received: from mail-wg0-x230.google.com (mail-wg0-x230.google.com [IPv6:2a00:1450:400c:c00::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 19E7D1482; Mon, 18 May 2015 19:01:32 +0000 (UTC) Received: by wguv19 with SMTP id v19so138217732wgu.1; Mon, 18 May 2015 12:01:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2IGuXE/DNzYCBII8WeX1tIA2OjD82OXF6oyVvk8W4YY=; b=DIDi55FbbhutOF1nVQhHUin02LKdX9lF7vQm8xbFoIdc34YPcUlg0vkgd85+ZtakPJ mvW3Gza4jafdUTHvsnugCeXFUib43Qj0lHEscu7BfTJY7pHwnaEzyz4WTE95Pnhs7mDz bA7RASjqr1l1uEvL+GUUfWHVQZhLkmRzzgwRE7jGdOY0kUa4foRU/OzOsdTqqkp69Sya g+nMusWOfYLruJ2X3LPaTWs1Jczl3NVuRFcM2JK/fCzhMMCO4sQWkBOgiMsmlfMHo9q1 TcNXwvTyR5gIPQQT+kj4kQitruNa+YJLIXyNWIaLFt+Zxs28fyYbkGddo7sNQPBzgqd1 B80A== MIME-Version: 1.0 X-Received: by 10.180.206.211 with SMTP id lq19mr24744255wic.26.1431975690552; Mon, 18 May 2015 12:01:30 -0700 (PDT) Received: by 10.194.88.165 with HTTP; Mon, 18 May 2015 12:01:30 -0700 (PDT) In-Reply-To: <1431972413.2880876.271908321.6959F2D3@webmail.messagingengine.com> References: <20150517210300.45FF67B8@hub.freebsd.org> <1431972413.2880876.271908321.6959F2D3@webmail.messagingengine.com> Date: Mon, 18 May 2015 20:01:30 +0100 Message-ID: Subject: Re: pkg audit / vuln.xml failures From: "Sevan / Venture37" To: Mark Felder Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 19:01:32 -0000 On 18 May 2015 at 19:06, Mark Felder wrote: > > > On Sun, May 17, 2015, at 16:02, Roger Marquis wrote: >> Does anyone know what's going on with vuln.xml updates? Over the last >> few weeks and months CVEs and application mailing lists have announced >> vulnerabilities for several ports that in some cases only showed up in >> vuln.xml after several days and in other cases are still not listed >> (despite email to the security team). >> >> Is there a URL outlining the policies and procedures of vuln.xml >> maintenance? >> > > I am also interested. I know there is a desire to leverage CPE in the > future, but I've seen CPE entries take weeks to show up. Our vuln.xml > maintenance has always been pretty solid. Is there a lack of manpower > right now? Are there notices/reports not being processed? > > How can we help? Bug reports with notice of new additions just to give a heads up at the least. Sevan / Venture37 From owner-freebsd-security@FreeBSD.ORG Mon May 18 19:26:20 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 357C4F5B for ; Mon, 18 May 2015 19:26:20 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 08CDF1867 for ; Mon, 18 May 2015 19:26:19 +0000 (UTC) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id EEEB6210B0 for ; Mon, 18 May 2015 15:26:18 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute4.internal (MEProxy); Mon, 18 May 2015 15:26:18 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=9VtwSW7SzbnrVHn B56VIuKCRg/U=; b=mqtAz9itsyLLMpHl8gnTvhNwYOrwlo6mPzLkcEuwiRWsSu8 9H+MpkUteqaM1d1Z23+S3UOO0/ZP+fhA0Z3DdH2kFlod4gh7W/K7EMKrLNWqbImX iLtXicANNMj2SZga1dUEE/WGlQYpZpKkQ207/izH83NbVk7AJ3y6uls5BuHQ= Received: by web3.nyi.internal (Postfix, from userid 99) id C8E8210BF32; Mon, 18 May 2015 15:26:18 -0400 (EDT) Message-Id: <1431977178.2897923.271980105.0D554040@webmail.messagingengine.com> X-Sasl-Enc: tIpaL9Z1OVKJu1SQLBGV/ebK1eEXdzVI2yGlT0bzC5f9 1431977178 From: Mark Felder To: "Sevan / Venture37" Cc: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-fd425702 In-Reply-To: References: <20150517210300.45FF67B8@hub.freebsd.org> <1431972413.2880876.271908321.6959F2D3@webmail.messagingengine.com> Subject: Re: pkg audit / vuln.xml failures Date: Mon, 18 May 2015 14:26:18 -0500 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 19:26:20 -0000 On Mon, May 18, 2015, at 14:01, Sevan / Venture37 wrote: > On 18 May 2015 at 19:06, Mark Felder wrote: > > > > > > On Sun, May 17, 2015, at 16:02, Roger Marquis wrote: > >> Does anyone know what's going on with vuln.xml updates? Over the last > >> few weeks and months CVEs and application mailing lists have announced > >> vulnerabilities for several ports that in some cases only showed up in > >> vuln.xml after several days and in other cases are still not listed > >> (despite email to the security team). > >> > >> Is there a URL outlining the policies and procedures of vuln.xml > >> maintenance? > >> > > > > I am also interested. I know there is a desire to leverage CPE in the > > future, but I've seen CPE entries take weeks to show up. Our vuln.xml > > maintenance has always been pretty solid. Is there a lack of manpower > > right now? Are there notices/reports not being processed? > > > > How can we help? > > Bug reports with notice of new additions just to give a heads up at the > least. > I was just thinking it might be nice when you're committing a change to a port to fix a CVE if there was a tag you can drop in the commit log to tell ports-security if there is a need for an entry to vuln.xml. At least those without experience editing vuln.xml can more easily have someone else assist them with getting it added. From owner-freebsd-security@FreeBSD.ORG Mon May 18 19:27:52 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 25C7312D for ; Mon, 18 May 2015 19:27:52 +0000 (UTC) Received: from smtp1.ms.mff.cuni.cz (ns.ms.mff.cuni.cz [195.113.20.71]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A35AE1895 for ; Mon, 18 May 2015 19:27:50 +0000 (UTC) Received: from kgw.obluda.cz ([194.108.204.138]) (authenticated) by smtp1.ms.mff.cuni.cz (8.14.9/8.14.9) with ESMTP id t4IItFaU050630 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=OK) for ; Mon, 18 May 2015 20:55:21 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <555A3593.3010306@obluda.cz> Date: Mon, 18 May 2015 20:55:15 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26.1 MIME-Version: 1.0 To: freebsd-security Subject: Re: Forums.FreeBSD.org - SSL Issue? References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> <55591EE8.9070101@obluda.cz> <1431957148.2823348.271640449.22FB98B2@webmail.messagingengine.com> <555A228B.8080807@obluda.cz> <1431972278.2880231.271899561.7D0CC1CF@webmail.messagingengine.com> In-Reply-To: <1431972278.2880231.271899561.7D0CC1CF@webmail.messagingengine.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 19:27:52 -0000 On 05/18/15 20:04, Mark Felder: > Fetch also doesn't have a certificate trust store out of the box. fetch (nor SSL protocol itself) claim there is one here > FYI, you can set SSL_NO_SSL3 and SSL_NO_TLS1 in your env to stop this > behavior in fetch. If you add this to your base system image you can > lock this down pretty reliably. I'm not using fetch for transfer of secure data at all. But yes, the countermeasures you described can be part of SA I'm calling for. > Keep in mind that changing this default behavior in fetch would be a > POLA violation and possibly break scripts for countless users. > Comparatively, is the forums HTTPS also a POLA violation? Maybe! I can't > decide. :-( If I will be called to decide between POLA to be violated and security to be violated, I will vote for POLA violation all the times. Security have higher priority to be maintained. I'm sure it's not necessary to compare possible damages for those two scenarios. And no broken user script may happen in advance. No system will change behavior unless upgraded to patched version by responsible admin. He should be allowed to configure patched system to start fetch in former "security violation" mode (but not by default) if it will fit better their wishes. I consider it better than silence about the issue. But to say true, it's not my war - and no one seems to be with me here ;-) I have own source repository with custom system patches so I'm not tied to "official" decisions. No offense to FreeBSD team in any way! I'm just not average user. ;-) Dan From owner-freebsd-security@FreeBSD.ORG Mon May 18 20:20:15 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7F9A233F; Mon, 18 May 2015 20:20:15 +0000 (UTC) Received: from mail-wg0-x22f.google.com (mail-wg0-x22f.google.com [IPv6:2a00:1450:400c:c00::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 196201F08; Mon, 18 May 2015 20:20:15 +0000 (UTC) Received: by wgbgq6 with SMTP id gq6so27219505wgb.3; Mon, 18 May 2015 13:20:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vvqmhFfLT9Uvec8QFMJ/8/YkB8DH7HQeY5GOoGwoZGY=; b=Ef6kWCCmw3F778C+6Y6PF7hDOycuhgm7v0oLCjfylqJT5hEgy4Hn/UuStyE1zMhTK0 D9vJd1g+Ul1UpWVyCMvTs2/VGAoZ3kou9D1DAUOQ/n377f3RiOJAHDqK335gCMC+541r 3uwXKCs3NVaPvv3Jb1v+vGpZwuPOC56Nnzj+q6e0ZssHlSwMvA2AXziNQ3wH3xRnsaSq eBQpjb4t/DKsfRqrttjbfCj4fZD1c3SOLrp1dYXI3fTKckD+D5ruzUUGoTgcdeBg1EBX mvmmmmDDKGvKvppCza7DOW9NBBZ5Pbh4adjCh9NTuDvCMcGRb8/liXP5OBCXcU+npiur WA/Q== MIME-Version: 1.0 X-Received: by 10.180.206.211 with SMTP id lq19mr25259969wic.26.1431980411996; Mon, 18 May 2015 13:20:11 -0700 (PDT) Received: by 10.194.88.165 with HTTP; Mon, 18 May 2015 13:20:11 -0700 (PDT) In-Reply-To: <1431977178.2897923.271980105.0D554040@webmail.messagingengine.com> References: <20150517210300.45FF67B8@hub.freebsd.org> <1431972413.2880876.271908321.6959F2D3@webmail.messagingengine.com> <1431977178.2897923.271980105.0D554040@webmail.messagingengine.com> Date: Mon, 18 May 2015 21:20:11 +0100 Message-ID: Subject: Re: pkg audit / vuln.xml failures From: "Sevan / Venture37" To: Mark Felder Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 20:20:15 -0000 On 18 May 2015 at 20:26, Mark Felder wrote: > I was just thinking it might be nice when you're committing a change to > a port to fix a CVE if there was a tag you can drop in the commit log to > tell ports-security if there is a need for an entry to vuln.xml. At > least those without experience editing vuln.xml can more easily have > someone else assist them with getting it added. Ah, yes, that applies to those with those shiny commit bits. I'm on the other side. It certainly needs to be added to the workflow of updating/maintaining ports somehow. There's the problem of Maintaining the vuxml entries Flagging security issues resolved in updates Flagging unaddressed security updates Sevan / Venture37 From owner-freebsd-security@FreeBSD.ORG Mon May 18 20:45:15 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E3BA8862 for ; Mon, 18 May 2015 20:45:15 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B2465126A for ; Mon, 18 May 2015 20:45:15 +0000 (UTC) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id ED94120B6B for ; Mon, 18 May 2015 16:45:06 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute2.internal (MEProxy); Mon, 18 May 2015 16:45:06 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=zcbpjafL6n0BW4u uPDvbaajD06A=; b=cpBm0FP+AwHiFLDCzE3PBceGOZnvOdiDDdZNLfh7DETTi2I JnoIc1HqBZDzSj/hHVun0cwBO+jYvGuHTVGAJROoiOkVPSSSFDFKXvH6pdRUJc/m GOdZJvoPB0DFiEPVcNVds4U+iAyzX0HoaswAq/JtNSXPr00qs22VXJ3nfDCA= Received: by web3.nyi.internal (Postfix, from userid 99) id CB64010781D; Mon, 18 May 2015 16:45:06 -0400 (EDT) Message-Id: <1431981906.3567446.272056337.4819B8B6@webmail.messagingengine.com> X-Sasl-Enc: 4jUia5pvzdMGUta3inAHrjPP09ulrUZeflzvdndOV4xl 1431981906 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-fd425702 In-Reply-To: <555A3593.3010306@obluda.cz> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> <55591EE8.9070101@obluda.cz> <1431957148.2823348.271640449.22FB98B2@webmail.messagingengine.com> <555A228B.8080807@obluda.cz> <1431972278.2880231.271899561.7D0CC1CF@webmail.messagingengine.com> <555A3593.3010306@obluda.cz> Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Mon, 18 May 2015 15:45:06 -0500 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 20:45:16 -0000 On Mon, May 18, 2015, at 13:55, Dan Lukes wrote: > > I have own source repository with custom system patches so I'm not tied > to "official" decisions. No offense to FreeBSD team in any way! I'm just > not average user. ;-) > > Do not be discouraged about submitting them. It's quite easy to get eyes on them now with the Phabricator https://reviews.freebsd.org/ From owner-freebsd-security@FreeBSD.ORG Wed May 20 22:48:24 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id BF192BE7; Wed, 20 May 2015 22:48:24 +0000 (UTC) Received: from anubis.delphij.net (anubis.delphij.net [64.62.153.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "anubis.delphij.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 9F14511F4; Wed, 20 May 2015 22:48:24 +0000 (UTC) Received: from zeta.ixsystems.com (unknown [12.229.62.2]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by anubis.delphij.net (Postfix) with ESMTPSA id C77E515BF6; Wed, 20 May 2015 15:48:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1432162103; x=1432176503; bh=sizwBqxrRS4bvALEogW86zpwALspItBxthuBek5ZBR8=; h=Date:From:Reply-To:To:CC:Subject:References:In-Reply-To; b=3lSbtFXKceyJ4RQWk1GaBEQ2oUQXvg7aqgGdVImzCnoSQrJH3GQkI3fVeOs2vaeuH wldf7COu96DQodI3R4lDk1RX1/lPX8nMlcul1eILJtIR3n9SyesQwm/jFh2mQmZH+E m6PJc3bpbRPAi7cDGBdB7ZWPW3ZhQN2E72JuRIC0= Message-ID: <555D0F37.8040605@delphij.net> Date: Wed, 20 May 2015 15:48:23 -0700 From: Xin Li Reply-To: d@delphij.net Organization: The FreeBSD Project MIME-Version: 1.0 To: "Julian H. Stacey" , "freebsd-security@freebsd.org" CC: ports@freebsd.org Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect us? ? References: <201505202140.t4KLekE6081029@fire.js.berklix.net> In-Reply-To: <201505202140.t4KLekE6081029@fire.js.berklix.net> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 May 2015 22:48:24 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 05/20/15 14:40, Julian H. Stacey wrote: > Hi security@freebsd.org Please note that security@freebsd.org = secteam@freebsd.org. Since this is posted to ports@ which is public, I'm assuming it's not intended to be in private. > (& bcc'd a couple of friends) > > Refa: http://www.bbc.com/news/technology-32814309 (posted 5 hours > before Wed May 20 23:01:22 CEST 2015) > http://www.theregister.co.uk/2015/05/20/logjam_impact/ 20 May 2015 > at 16:29 > > Does it affect FreeBSD ? If so, I guess security-officer@ will > already be drafting a notification; If not, might it be good PR > anyway to put out a brief summary / statement on a mail list or web > page ? Well, currently OpenSSL do accept weak DH so _arguably_ it does affect FreeBSD, and it's likely to break existing applications if we enforce such restrictions (namely, Java 6). However, system administrator should always follow best practices, like disabling export grade ciphers, use ECDHE and generate their own DH parameters when they implemented PFS. Recommended for system administrators: 1. Check if any of export grade cipher is enabled (here we used port 443, https as example, and it can be used for other TLS enabled services). This can be checked by doing: openssl s_client -connect www.example.com:443 -cipher 'EXPORT' If the connection was successful, then the server supports export grade cipher should be disabled immediately. 2. Make sure that ECDHE is supported. openssl s_client -connect www.example.com:443 -cipher 'ECDH' And the connection should succeed. 3. Make sure you are using unique DH parameters, and configure it in the server. To generate a 2048-bit DH parameter and save as dhparams.pem: openssl dhparam -out dhparams.pem 2048 The document at https://weakdh.org/sysadmin.html gives additional information for individual daemons, including Apache (mod_ssl), nginx, lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy. I personally find Qualys SSL Labs' SSL/TLS Deployment Best Practices a good reading, by the way. It can be found at: https://www.ssllabs.com/projects/best-practices/ Cheers, - -- Xin LI https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.4 (FreeBSD) iQIcBAEBCgAGBQJVXQ83AAoJEJW2GBstM+nsrWMP/3ewU18rj/imD8s2ATtgWFMD WmmaHgGyjqrVd8RyZBRIvsgPYlS2G0gPL2KP3GoeOeyU2dEkGEhvI4cvvpWoqUFW rpY7AxtXQWOKRxY5PVtpU1siuczJ1Na/ypy28y1Dw0CGTf1Ul8rEzrent0kNsQ7b NXD0hZojAhBiMO0XLb3bJqElviz11yDXPou1X12ZkueStP7DGquN081oLWZ4y8+j 19qSqdwkx8OsNLpnD9IUo5RoY5TvxNG53ZgDoGXwKWda8BnswRpDgSs3H2M/OKya cKO7B9VWtIyJnbH5oVsv3VLi7o1n8weitGg1rWpKewZ1caiG+G1c9SmgAeSG1Egm cuy4HV2btCxqSvLJRwAQ7Jbpc/SVnUTWZNrrI8YP7ug3/tzRTat0RpbdhxF3bqbM hK8Pe2zpK6nIBNFhcoJ+CkhE3fW1IOEthSLBkJPgcb0U7mET0Z8kpWNLeJOuh5yJ 5o3ooLap+UtVlv25nQOODQecuNuvBFr0Mx67S4+jgmtUYqe9nFp1AjmPPvntN1GQ sUzqMB7eAtSsxoQbHHGqF74zKk8BbfgqROUbEvcZ4kOsInN/GZ/iaPMUPu8KtieE /ASdpwpxUfbZtu+Vs5fveWSiWmtiz3k1n7JzCWenXkLYW9KUn40fxv/mh7j76lYs Am30LtLxtiZNw59cn2H6 =KtLx -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Thu May 21 00:05:25 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 91D7F2D6; Thu, 21 May 2015 00:05:25 +0000 (UTC) Received: from slim.berklix.org (slim.berklix.org [94.185.90.68]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 23B4D1ADF; Thu, 21 May 2015 00:05:24 +0000 (UTC) Received: from mart.js.berklix.net (p5DCBF7DA.dip0.t-ipconnect.de [93.203.247.218]) (authenticated bits=128) by slim.berklix.org (8.14.5/8.14.5) with ESMTP id t4L06Hlg022812; Thu, 21 May 2015 02:06:18 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id t4L0563H099025; Thu, 21 May 2015 02:05:06 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (localhost [127.0.0.1]) by fire.js.berklix.net (8.14.7/8.14.7) with ESMTP id t4L04eIq082662; Thu, 21 May 2015 02:04:59 +0200 (CEST) (envelope-from jhs@berklix.com) Message-Id: <201505210004.t4L04eIq082662@fire.js.berklix.net> To: d@delphij.net cc: "freebsd-security@freebsd.org" , ports@freebsd.org Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect us? ? From: "Julian H. Stacey" Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany User-agent: EXMH on FreeBSD http://berklix.com/free/ X-URL: http://www.berklix.com In-reply-to: Your message "Wed, 20 May 2015 15:48:23 -0700." <555D0F37.8040605@delphij.net> Date: Thu, 21 May 2015 02:04:40 +0200 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 May 2015 00:05:25 -0000 Xin Li wrote: > On 05/20/15 14:40, Julian H. Stacey wrote: > > Hi security@freebsd.org > > Please note that security@freebsd.org = secteam@freebsd.org. Since > this is posted to ports@ which is public, I'm assuming it's not > intended to be in private. Yes, correct, thanks Xin Li, (Sorry I forgot that lack of naming alias, different to other [freebsd-](hackers|current|ports)@freebsd.org lists). Thanks for the quick response :-) PS I checked some finance sites (random, OS unknown) from a FreeBSD client, all failed with 'EXPORT', just 2 responded OK with 'ECDH' Cheers, Julian -- Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com Indent previous with "> ". Reply Below as a play script. Send plain text, Not quoted-printable, HTML, or base64. From owner-freebsd-security@FreeBSD.ORG Thu May 21 07:07:26 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 48938D4B; Thu, 21 May 2015 07:07:26 +0000 (UTC) Received: from mail.cleverbridge.com (mail.cleverbridge.com [89.1.11.32]) by mx1.freebsd.org (Postfix) with ESMTP id 0093B1AFA; Thu, 21 May 2015 07:07:25 +0000 (UTC) Received: from homer.cgn.cleverbridge.com (homer.cgn.cleverbridge.com [10.0.5.150]) by mail.cleverbridge.com (Postfix) with ESMTP id 412709C54B4; Thu, 21 May 2015 08:59:42 +0200 (CEST) Received: from localhost (unknown [127.0.0.1]) by homer.cgn.cleverbridge.com (Postfix) with ESMTP id 3B6C88B4005A; Thu, 21 May 2015 08:59:42 +0200 (CEST) Received: from homer.cgn.cleverbridge.com ([127.0.0.1]) by localhost (homer.cgn.cleverbridge.com [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id foTUuew2jxQQ; Thu, 21 May 2015 08:59:41 +0200 (CEST) Received: from localhost (unknown [127.0.0.1]) by homer.cgn.cleverbridge.com (Postfix) with ESMTP id 1AB0B8B4007C; Thu, 21 May 2015 08:59:41 +0200 (CEST) X-Virus-Scanned: amavisd-new at homer.cgn.cleverbridge.com Received: from homer.cgn.cleverbridge.com ([127.0.0.1]) by localhost (homer.cgn.cleverbridge.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id J2LwiUi0N0Xc; Thu, 21 May 2015 08:59:40 +0200 (CEST) Received: from homer.cgn.cleverbridge.com (homer.cgn.cleverbridge.com [10.0.5.150]) by homer.cgn.cleverbridge.com (Postfix) with ESMTP id EC0DC8B4005A; Thu, 21 May 2015 08:59:40 +0200 (CEST) Date: Thu, 21 May 2015 08:59:40 +0200 (CEST) From: Winfried Neessen To: freebsd-security@freebsd.org Cc: ports@freebsd.org Message-ID: <347004930.963898.1432191580437.JavaMail.zimbra@cleverbridge.com> In-Reply-To: <1500859835.963897.1432191554381.JavaMail.zimbra@cleverbridge.com> References: <201505202140.t4KLekE6081029@fire.js.berklix.net> <555D0F37.8040605@delphij.net> Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect us? ? MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Originating-IP: [10.0.5.154] X-Mailer: Zimbra 8.5.0_GA_3050 (ZimbraWebClient - GC42 (Win)/8.5.0_GA_3042) Thread-Topic: LogJam exploit can force TLS down to 512 bytes, does it affect us? ? Thread-Index: CTgCHW/Aupdj4D2lnL6PApqYKVe3DQ== X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 May 2015 07:07:26 -0000 Hi, > The document at https://weakdh.org/sysadmin.html gives additional > information for individual daemons, including Apache (mod_ssl), nginx, > lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy. > Unfortunately the documentation does only offer guidance for Apache 2.4. As Apache 2.2 does not support the "SSLOpenSSLConfCmd" config parameter, I've created a "rather ugly but seems to work" workaround for Apache 2.2, which switches the pre-shipped default 512/1024 bits DH parameters to a set of self-generated 2048/3072 bit DH params. There is also a quick and dirty (even more ugly) patch for the /usr/ports/www/apache22 Makefile, that automagically applies the workaround. It can be found here: http://nop.li/dy Winni From owner-freebsd-security@FreeBSD.ORG Thu May 21 08:34:16 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id ADD7ECA2; Thu, 21 May 2015 08:34:16 +0000 (UTC) Received: from smtp.infracaninophile.co.uk (smtp6.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3cd3:cd67:fafa:3d78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "ca.infracaninophile.co.uk" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 44C2F17F0; Thu, 21 May 2015 08:34:16 +0000 (UTC) Received: from ox-dell39.ox.adestra.com (no-reverse-dns.metronet-uk.com [85.199.232.226] (may be forged)) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.15.1/8.15.1) with ESMTPSA id t4L8Y0Qm042151 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 21 May 2015 09:34:09 +0100 (BST) (envelope-from matthew@freebsd.org) Authentication-Results: smtp.infracaninophile.co.uk; dmarc=none header.from=freebsd.org DKIM-Filter: OpenDKIM Filter v2.9.2 smtp.infracaninophile.co.uk t4L8Y0Qm042151 Authentication-Results: smtp.infracaninophile.co.uk/t4L8Y0Qm042151; dkim=none reason="no signature"; dkim-adsp=none; dkim-atps=neutral X-Authentication-Warning: lucid-nonsense.infracaninophile.co.uk: Host no-reverse-dns.metronet-uk.com [85.199.232.226] (may be forged) claimed to be ox-dell39.ox.adestra.com Message-ID: <555D9866.7030507@freebsd.org> Date: Thu, 21 May 2015 09:33:42 +0100 From: Matthew Seaman User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org CC: freebsd-ports@freebsd.org Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect us? ? References: <201505202140.t4KLekE6081029@fire.js.berklix.net> <555D0F37.8040605@delphij.net> In-Reply-To: <555D0F37.8040605@delphij.net> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="tHDSLuTq8xdtLdDfvLg1dMmmOQ0rKiSIV" X-Virus-Scanned: clamav-milter 0.98.7 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.3 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00, RAZOR2_CHECK,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on lucid-nonsense.infracaninophile.co.uk X-Mailman-Approved-At: Thu, 21 May 2015 11:34:47 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 May 2015 08:34:16 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --tHDSLuTq8xdtLdDfvLg1dMmmOQ0rKiSIV Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 05/20/15 23:48, Xin Li wrote: > The document at https://weakdh.org/sysadmin.html gives additional > information for individual daemons, including Apache (mod_ssl), nginx, > lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy. The part of that https://weakdh.org/ site that concerns me most is the statement about 25.7% of SSH servers being vulnerable if the 1024bit D-H group is broken. We've got pretty good instructions for hardening anything that uses TLS against this attack, but not a lot on SSH. About the only relevant thing I've found is: http://blog.mro.name/2015/05/hardening-ssh-debian-wheezy/ which inter-alia suggests upgrading to OpenSSH-6.6 -- which has been in FreeBSD-10 since March ---, modifying some config parameters: KexAlgorithms, Ciphers, MACs and then regenerating ed25519 and rsa host keys. Err... what? How are ed25519 and rsa host keys affected by a downgrade attack on Diffie-Helman? Cheers, Matthew --tHDSLuTq8xdtLdDfvLg1dMmmOQ0rKiSIV Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQJ8BAEBCgBmBQJVXZh4XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxOUYxNTRFQ0JGMTEyRTUwNTQ0RTNGMzAw MDUxM0YxMEUwQTlFNEU3AAoJEABRPxDgqeTnX58QALHD2YU0j6XRLtWYOFer79hr 1piRUhU2qYfs00t3a8D3zei5T2gN64ZWkC/zaYRsQK7ZjladKji4T5Wsp08T46xI Zct93n11f20Nw1kE9qDh43XV/Oun7sTVcQrKmvvaLecx9XwUKTyyWYVrMV5LCqCN +UoTUQPHRy0FXuPNcf3vIV+2XkUuKHOfCGJNSspcsFsHV01dPFzGgOKbTJNU94Xs 3BtbeGgcJtd+bSzfwHwQdY34O9YUYHb7AR9o2Ru0t25k5MeKf7O0eOPZ9yEkJb+r w9rzOz3sUAuadvIuWRK3OOyCB55C92q4dGYfWV6u50+BTTj1D77NiTF/SYTWoLri OdOABz6n3y9EOa+tgKkxTaL5v2f3Pn13JDA+O9x70Jpygb7sfPGGqyX8yemr2EHE 7vdRbvNi5ViLCPEWkH8vGmm8IgAthMQ/jc6KGboOLE6bvYIJTAhJIxgxlSxeMcwD eFT7iMXmCgmRvi/PEeyB1zCcujQ4EpGZQvefz5h/sKBhxWH3F1vUzKruT72FjjV2 dy7YxSRnQ6cvKzte+3ZYhcM40Cj6NJhaikzbZvlAePDy1k6kNCSO/PPKwnTcdewy mn+ETUEa573K7y90Q4FGTMhzcSHywPdWsaYZnjxwvBYhT+wDbv+HuNYOOQpfpsiQ MgHKjP33N0g7LLLrwYZy =F9Z5 -----END PGP SIGNATURE----- --tHDSLuTq8xdtLdDfvLg1dMmmOQ0rKiSIV-- From owner-freebsd-security@FreeBSD.ORG Sat May 23 15:30:26 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 3DA32164; Sat, 23 May 2015 15:30:26 +0000 (UTC) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 2F5431B47; Sat, 23 May 2015 15:30:25 +0000 (UTC) Date: Sat, 23 May 2015 08:30:24 -0700 (PDT) From: Roger Marquis To: freebsd-security@freebsd.org, freebsd-ports@freebsd.org Subject: New pkg audit / vuln.xml failures (php55, unzoo) In-Reply-To: References: User-Agent: Alpine 2.11 (BSF 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 May 2015 15:30:26 -0000 FYI regarding these new and significant failures of FreeBSD security policy and procedures. PHP55 vulnerabilities announced over a week ago ) have still not been ported to lang/php55. You can, however, edit the Makefile, increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum deinstall reinstall clean' to secure a server without waiting for the port to be updated. Older versions of PHP may also have unpatched vulnerabilities that are not noted in the vuln.xml database. New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your earliest convenience if you have these installed. HEADS-UP: anyone maintaining public-facing FreeBSD servers who is depending on 'pkg audit' to report whether a server is secure it should be noted that this method is no longer reliable. If you find a vulnerability such as a new CVE or mailing list announcement please send it to the port maintainer and as quickly as possible. They are whoefully understaffed and need our help. Though freebsd.org indicates that security alerts should be sent to this is incorrect. If the vulnerability is in a port or package send an alert to ports-secteam@ and NOT secteam@ as the secteam will generally not reply to your email or forward the alerts to ports-secteam. Roger > Does anyone know what's going on with vuln.xml updates? Over the last > few weeks and months CVEs and application mailing lists have announced > vulnerabilities for several ports that in some cases only showed up in > vuln.xml after several days and in other cases are still not listed > (despite email to the security team). From owner-freebsd-security@FreeBSD.ORG Sat May 23 16:14:55 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1696728B; Sat, 23 May 2015 16:14:55 +0000 (UTC) Received: from mail-ie0-x234.google.com (mail-ie0-x234.google.com [IPv6:2607:f8b0:4001:c03::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D791410CA; Sat, 23 May 2015 16:14:54 +0000 (UTC) Received: by iepj10 with SMTP id j10so49847142iep.3; Sat, 23 May 2015 09:14:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Y5gP4KD2hXp2RZZS2DmMa/JhXuCVO0SHQe1lw5TzBVM=; b=CEQAngsuP2iMG9GFKNKy7qNHzFRLy7B9KpJul8chRdmUkNlFLKPjRvLaLFodbEoFKb 9afX3sAMhTOEXwX03AGCbXytiYdHhATAU6VOrhGmTvKVajzWSADqIi05NIrpZsazLtdT JDattUZOyvSw3cpHUrH30KP51kezsLC+BANYDqJQLvhLjch2wTQBkRlzJOBTVk1mA2vV 229yULpnSrlrgWdYHWpq7qLdtBNdHIOShkVPnoORmJ2+lXa0sUHCbjo1IMU8azLR1iCC oFGNSLvcOMDJGTf9cT7i6MS18CcnbyzE2rbM94GJSGM2PFwT4bBhtFO5mW14WLDHKqqY kFUA== MIME-Version: 1.0 X-Received: by 10.50.132.71 with SMTP id os7mr12681007igb.24.1432397694210; Sat, 23 May 2015 09:14:54 -0700 (PDT) Received: by 10.36.27.139 with HTTP; Sat, 23 May 2015 09:14:54 -0700 (PDT) In-Reply-To: <20150523153031.A1A07357@hub.freebsd.org> References: <20150523153031.A1A07357@hub.freebsd.org> Date: Sat, 23 May 2015 12:14:54 -0400 Message-ID: Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo) From: Jason Unovitch To: ports-secteam@FreeBSD.org, freebsd-security@freebsd.org, freebsd-ports@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 May 2015 16:14:55 -0000 On Sat, May 23, 2015 at 11:30 AM, Roger Marquis wrote: > If you find a vulnerability such as a new CVE or mailing list > announcement please send it to the port maintainer and > as quickly as possible. They are whoefully > understaffed and need our help. Though freebsd.org indicates that > security alerts should be sent to this is > incorrect. If the vulnerability is in a port or package send an alert to > ports-secteam@ and NOT secteam@ as the secteam will generally not reply > to your email or forward the alerts to ports-secteam. > > Roger > I've attempted to knock out a couple of these over the past 2 days. There's certainly a non-trivial amount of PRs stuck in Bugzilla that mention security or CVE that need some care and attention. Here's a few that are now ready for the taking. vuxml patch ready: emulators/virtualbox-ose -- https://bugs.freebsd.org/200311 databases/cassandra -- https://bugs.freebsd.org/199091 databases/cassandra2 -- https://bugs.freebsd.org/200414 (refers to vuxml patch in PR 199091) sysutils/py-salt -- https://bugs.freebsd.org/200172 vuxml previously done and update patch ready: net/chrony -- https://bugs.freebsd.org/199508 both vuxml and update patch ready: mail/davmail -- https://bugs.freebsd.org/198297 Jason From owner-freebsd-security@FreeBSD.ORG Sat May 23 15:55:03 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CD9D0ECF; Sat, 23 May 2015 15:55:03 +0000 (UTC) Received: from mail-la0-x22e.google.com (mail-la0-x22e.google.com [IPv6:2a00:1450:4010:c03::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5539A1E95; Sat, 23 May 2015 15:55:03 +0000 (UTC) Received: by lagv1 with SMTP id v1so29101701lag.3; Sat, 23 May 2015 08:55:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=NHDUzGpxEYeL3mWNsUyGKvbuwzArfC2Yfwy8K8WW+qM=; b=v9nCtPov8k0QndYvAbn2thDOmYaoIXwc8oim1JX5m1Yk7ky2cKmUpwenEfVtS25i2X fpl3AQN4mR/F4L6wQaX9cxKNBEsKEkFIdGthDEmihT6BsCxnGhus/bpahhgXciIyRpHJ FgtGRdsK0gjoS5uXIvm2QoWqYOrlW1bsk9Eaj+ooyYBoJYmmxJ1sgzl9IQ1R+032oOdO EsnE1ePtGIxJT5B3cAwOQmuzuMS2GfCBScZG8UkPDY4LKwEM7Ty1F+0eyOl7qYvZFyAQ fmUbUsyp0fc40e6+r1hAnK4bWj8DC5H1NQVqWJldkcVRArmbVU0oqEKRMUDxp7nkMN4Y jQPg== MIME-Version: 1.0 X-Received: by 10.112.199.133 with SMTP id jk5mr11208326lbc.32.1432396500079; Sat, 23 May 2015 08:55:00 -0700 (PDT) Received: by 10.112.201.10 with HTTP; Sat, 23 May 2015 08:55:00 -0700 (PDT) In-Reply-To: <20150523153029.F1BBE2AA@hub.freebsd.org> References: <20150523153029.F1BBE2AA@hub.freebsd.org> Date: Sat, 23 May 2015 17:55:00 +0200 Message-ID: Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo) From: Andreas Andersson To: Roger Marquis Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org X-Mailman-Approved-At: Sat, 23 May 2015 16:41:08 +0000 Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 May 2015 15:55:04 -0000 Is it enough to only update php55? I could create a patch with relative easyness in that case. 2015-05-23 17:30 GMT+02:00 Roger Marquis : > FYI regarding these new and significant failures of FreeBSD security > policy and procedures. > > PHP55 vulnerabilities announced over a week ago > ) have still > not been ported to lang/php55. You can, however, edit the Makefile, > increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum > deinstall reinstall clean' to secure a server without waiting for the > port to be updated. Older versions of PHP may also have unpatched > vulnerabilities that are not noted in the vuln.xml database. > > New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg > audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your earliest > convenience if you have these installed. > > HEADS-UP: anyone maintaining public-facing FreeBSD servers who is > depending on 'pkg audit' to report whether a server is secure it should > be noted that this method is no longer reliable. > > If you find a vulnerability such as a new CVE or mailing list > announcement please send it to the port maintainer and > as quickly as possible. They are whoefully > understaffed and need our help. Though freebsd.org indicates that > security alerts should be sent to this is > incorrect. If the vulnerability is in a port or package send an alert to > ports-secteam@ and NOT secteam@ as the secteam will generally not reply > to your email or forward the alerts to ports-secteam. > > Roger > > Does anyone know what's going on with vuln.xml updates? Over the last >> few weeks and months CVEs and application mailing lists have announced >> vulnerabilities for several ports that in some cases only showed up in >> vuln.xml after several days and in other cases are still not listed >> (despite email to the security team). >> > _______________________________________________ > freebsd-ports@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ports > To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Sat May 23 18:28:52 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9D42D7E6; Sat, 23 May 2015 18:28:52 +0000 (UTC) Received: from mail.jr-hosting.nl (mail.jr-hosting.nl [IPv6:2a01:4f8:210:34e4::25]) by mx1.freebsd.org (Postfix) with ESMTP id 2BBD51E32; Sat, 23 May 2015 18:28:52 +0000 (UTC) Received: from [10.0.2.17] (a44084.upc-a.chello.nl [62.163.44.84]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.jr-hosting.nl (Postfix) with ESMTPSA id 8682C48F8; Sat, 23 May 2015 20:28:34 +0200 (CEST) DMARC-Filter: OpenDMARC Filter v1.3.0 mail.jr-hosting.nl 8682C48F8 Authentication-Results: mail.jr-hosting.nl/8682C48F8; dmarc=none header.from=FreeBSD.org Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo) Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\)) Content-Type: multipart/signed; boundary="Apple-Mail=_771C25E0-8625-451F-974D-1AEADE7C42E8"; protocol="application/pgp-signature"; micalg=pgp-sha256 X-Pgp-Agent: GPGMail 2.5b6 From: Remko Lodder In-Reply-To: <20150523153030.CEA8C2DB@hub.freebsd.org> Date: Sat, 23 May 2015 20:28:32 +0200 Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org Message-Id: References: <20150523153030.CEA8C2DB@hub.freebsd.org> To: Roger Marquis X-Mailer: Apple Mail (2.2098) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 May 2015 18:28:52 -0000 --Apple-Mail=_771C25E0-8625-451F-974D-1AEADE7C42E8 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Please send these things to ports-secteam@FreeBSD.org so that they can have a look at these please. Thanks, Remko > On 23 May 2015, at 17:30, Roger Marquis wrote: > > FYI regarding these new and significant failures of FreeBSD security > policy and procedures. > > PHP55 vulnerabilities announced over a week ago > ) have still > not been ported to lang/php55. You can, however, edit the Makefile, > increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum > deinstall reinstall clean' to secure a server without waiting for the > port to be updated. Older versions of PHP may also have unpatched > vulnerabilities that are not noted in the vuln.xml database. > > New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg > audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your earliest > convenience if you have these installed. > > HEADS-UP: anyone maintaining public-facing FreeBSD servers who is > depending on 'pkg audit' to report whether a server is secure it should > be noted that this method is no longer reliable. > > If you find a vulnerability such as a new CVE or mailing list > announcement please send it to the port maintainer and > as quickly as possible. They are whoefully > understaffed and need our help. Though freebsd.org indicates that > security alerts should be sent to this is > incorrect. If the vulnerability is in a port or package send an alert to > ports-secteam@ and NOT secteam@ as the secteam will generally not reply > to your email or forward the alerts to ports-secteam. > > Roger > >> Does anyone know what's going on with vuln.xml updates? Over the last >> few weeks and months CVEs and application mailing lists have announced >> vulnerabilities for several ports that in some cases only showed up in >> vuln.xml after several days and in other cases are still not listed >> (despite email to the security team). > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- /"\ Best regards, | remko@FreeBSD.org \ / Remko Lodder | remko@EFnet X http://www.evilcoder.org/ | / \ ASCII Ribbon Campaign | Against HTML Mail and News --Apple-Mail=_771C25E0-8625-451F-974D-1AEADE7C42E8 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVYMbRAAoJEKjD27JZ84ywBDAP/RycGa076N4u6pYxmAoPlgdz SelWR8q2kkQdAVmTOdSQwi4DRrsnBFg049yJkswt2dGxzKg5H9WfmF0g0HGGAfZG EbJxKdARglWyq/BEOYB239WRTDLrZrHb6AbluayajLpqKxHD8NK+rSoYyPfTZBQ+ FNbw8k3i/KrCg+zCZWPKJl3/367/ZQwZC0c2ZKt3k+9IFZxODQ3UxnBOlmXESsXR y50/47ahF/SaaExbB9pBKUDCD+zsogpoGclYzDkejKKj5e5NazOea9TWkEVA7uOd pnnw7oWz4LFnSYg6myb69TYfgdCpzd4U4XwllHn6YASRX9ojo+GMhTK936Oz5PYp 6my1tF7gQ/YYWH4G7lOjDDY/gxR4HBAq1cCVRgsHLnwnD0E3wEgZmVA2BAyAng9e 5d80KU9AZp4/GDLYrC8bT0FTMXn9Xj0y9xAzvQQ2p32C5b55PD/E8qZEMy2XtMiD oDuEcTGlhIhxjMsvG2WGC95V4wKOfPQi+3Y3UJSdWiUKJiTsHj5/vfdqWfw9sp6X KHfLJ38UkooZMjoqibOTQktRrn1nxuhyO0fGJ+0wwjWPq6KdPMLgN5JPos51tUDp QYzkgqLsF4vokKgguUTzlFfFdvI+D88Bws1Uit27/FStDIS7MF8i9mUFXBVFgIB4 /4n9TnRHasPBo1HQXok7 =Xxvi -----END PGP SIGNATURE----- --Apple-Mail=_771C25E0-8625-451F-974D-1AEADE7C42E8--