From owner-freebsd-security@FreeBSD.ORG Sun May 24 07:53:51 2015
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 7AB9CE7B;
 Sun, 24 May 2015 07:53:51 +0000 (UTC)
Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "anubis.delphij.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 590B51ED6;
 Sun, 24 May 2015 07:53:51 +0000 (UTC)
Received: from Xins-MBP.home.us.delphij.net (c-71-202-112-39.hsd1.ca.comcast.net [71.202.112.39])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by anubis.delphij.net (Postfix) with ESMTPSA id 6D4CD15BC7;
 Sun, 24 May 2015 00:53:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net;
 s=anubis; t=1432454025; x=1432468425;
 bh=M/xtWT73tH5z05/4IvK3eIS/r/JnWCXPJWbDcTfrv28=;
 h=Date:From:To:CC:Subject:References:In-Reply-To;
 b=04/xcajxFKNPoA5FeuvJnVUs5Nrpc0Zy9mN6XDQaGK/RQMvQdWE0R3oqLmKYW4gNn
 5lccecEK2+AUYJHLOM+6+x5ClBH0iJsj/qXSa+E1QZEux8LBGOvY96SB8FIfRkfZqB
 ABS6V3FYryqJ8Ej6Bcg45y0ePUj73Lqc5pAtrpTg=
Message-ID: <55618388.7000504@delphij.net>
Date: Sun, 24 May 2015 00:53:44 -0700
From: Xin Li
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Jason Unovitch, ports-secteam@FreeBSD.org, freebsd-security@freebsd.org, freebsd-ports@freebsd.org
CC: Roger Marquis, xmj@FreeBSD.org, pi@FreeBSD.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
References: <20150523153031.A1A07357@hub.freebsd.org>
In-Reply-To:
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 24 May 2015 07:53:51 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

On 5/23/15 09:14, Jason Unovitch wrote:
> On Sat, May 23, 2015 at 11:30 AM, Roger Marquis wrote:
>> If you find a vulnerability such as a new CVE or mailing list
>> announcement please send it to the port maintainer and
>> as quickly as possible. They are
>> woefully understaffed and need our help. Though freebsd.org
>> indicates that security alerts should be sent to
>> this is incorrect. If the vulnerability is
>> in a port or package send an alert to ports-secteam@ and NOT
>> secteam@ as the secteam will generally not reply to your email or
>> forward the alerts to ports-secteam.
>>
>> Roger
>>
>
> I've attempted to knock out a couple of these over the past 2
> days. There's certainly a non-trivial amount of PRs stuck in
> Bugzilla that mention security or CVE that need some care and
> attention. Here's a few that are now ready for the taking.
>
> vuxml patch ready: emulators/virtualbox-ose --
> https://bugs.freebsd.org/200311

I've added the information to the main entry and discarded virtualbox
specific text from Oracle.

Since Xen is also affected I have applied the fix to xen-tools; the
2015Q2 branch version is not affected as Dom0 support is not there so I
haven't merged the change there.

> databases/cassandra -- https://bugs.freebsd.org/199091

Committed, thanks! I've assigned the PR to the maintainer for the port
update.

> databases/cassandra2 -- https://bugs.freebsd.org/200414 (refers to
> vuxml patch in PR 199091)

I've assigned the PR to the maintainer. We should probably mark the
above two ports as FORBIDDEN and/or DEPRECATED.

> sysutils/py-salt -- https://bugs.freebsd.org/200172

This was already done by xmj@. This one seems serious, can the fix be
backported or should the port be merged to 2015Q2 branch?

> vuxml previously done and update patch ready: net/chrony --
> https://bugs.freebsd.org/199508

The vuxml entry was committed by jbeich@ and port updated by pi@. I
think the update should be merged to quarterly branch.

> both vuxml and update patch ready: mail/davmail --
> https://bugs.freebsd.org/198297

This was done by pi@. I think this fix should also go to 2015Q2 branch?

Thanks to everyone working on these issues and thanks for taking time
preparing the patches.
Cheers,
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJVYYOGAAoJEJW2GBstM+nsmeoP+wVfw1Uw7YYGqhLXMEsFgQ/E
CtWD9LfDgia9ffQIANXi61nUKJ8ex0QZHEFborUMoUMGxPMic5fILFIsKY/FeaLq
Rq6jkVfHlelvHgi4XXf4v9u9JWFISu0jnYqafQiiOc4CK5a3d/JiouC9DJX74fau
jaDZ2snv4VjVnbZHwO35hWTQiN5iCJFt9bkdMV5iQkd/jU1waSDTVuzv9zstaVcQ
jJadqLCNX8ENhNwTZt0SbBBsRNL9mwRMEKbdYcCtxLJoKyQ+GYjbd5UEERajGSLv
H8TaO/wYIrMdeOMFjBe1ppNp+2mX8pn1AnxZx//N9am8dKhTiI+itV2FGonRluzs
aJJmzOHFYUSxwmSkyrcEm/XC0+BEAsTq24fxggJWNKFpD8brCd5ENt8oiA/uOkPR
fkCr1wG8dCW3OV2TYeiFW1XWGmA41J57wP/9WRRLmYTbBqUGTmLsNtnFT0KcdJwQ
G7tbd86xiHQjeF+Al1XAwL/9WgzIsrwjjQ7NO4737yNqvlAMyME30qtmCTwv1beX
3VQWqxJQ82FzI2x7OZgX5NAwyp0InaEI3j+cgTuJY5a6uMd49IMj+Wj+u3E52G/U
wTtp4D3FzaxH4ZCs9pxLM8glvmoCmH6E11+G/WPESFxOXbxw/mkjD+wus5HyCsa7
M7b0T5Y6hN425BmaPaeA
=tvL9
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Sun May 24 16:22:29 2015
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 5679EB17
 for ; Sun, 24 May 2015 16:22:29 +0000 (UTC)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 23304138A
 for ; Sun, 24 May 2015 16:22:28 +0000 (UTC)
Received: by igbyr2 with SMTP id yr2so22114760igb.0
 for ; Sun, 24 May 2015 09:22:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=dragondata.com; s=google;
 h=from:content-type:content-transfer-encoding:subject:message-id:date
 :to:mime-version;
 bh=i/yGs0jRoEH/8oYjP8SmQ1srP4MFOl8ylxEuA5TqSwI=;
 b=o4Ivnh/Mjkaq5cM15nyjn9Ny8H5QtUwle2/A7hfDaXx33i2efpVlMFxJ24FLRjLg1j
 JVy7Y97JxIg46LOUMYhle5xef/e+jo/RI0essoYjFSQ1my5Q0BsSWuNebJ27V9FM+zLY
 Ag4x984GuJfbWiA+XKxoPSxBP6mz3Znmr89pQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:content-type:content-transfer-encoding
 :subject:message-id:date:to:mime-version;
 bh=i/yGs0jRoEH/8oYjP8SmQ1srP4MFOl8ylxEuA5TqSwI=;
 b=Da+XI17Mg++ai28hC4SzZhKQLvn68+I2EBDsG/xVKUMekrB813sPZAz3K8emE1kliZ
 fH+dGtFyYdqoRvuDjm5KUqmCSkQLEFQDnPOMQPnPM9AQ4VfbsMe62Gi9Lj1DVvGRaUJl
 SqVlzwD1LLrmK5WOA2oxjtMHSAELmdj3qLTUKX1JoxoFSm3BxDK/GcIOoUn5QS2nykuD
 Hhp/UlKp183I8w4zaLdG7EV5CsACW9fRhxJ4nG8UmZPuEaLQKmuEG2aiC85NSbs1bHEu
 yqUb5ROw8v/A2ss0Np47atcu471wxqjQGBPal5EjOsvtTODSPPyCq1BGlvyMgpbRtsHf
 8H+A==
X-Gm-Message-State: ALoCoQkI6KeWU/Yprbv7P5t7uv7XmjMXIg6JcP62tdEA+l4dyrxu46yvF5JQoH5KrjodoGlDA8Tm
X-Received: by 10.50.132.71 with SMTP id os7mr18203367igb.24.1432484548156;
 Sun, 24 May 2015 09:22:28 -0700 (PDT)
Received: from unassigned.v6.your.org ([2001:4978:1:45:1dd:435:e677:4a9f])
 by mx.google.com with ESMTPSA id fm3sm4068791igb.1.2015.05.24.09.22.26
 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Sun, 24 May 2015 09:22:26 -0700 (PDT)
From: Kevin Day
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Atom C2758 - loading aesni(4) reduces performance
Message-Id: <6BA42026-C785-40B5-B9CF-DD4280693C41@dragondata.com>
Date: Sun, 24 May 2015 11:22:25 -0500
To: freebsd-security@freebsd.org
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.4\))
X-Mailer: Apple Mail (2.2070.4)
X-List-Received-Date: Sun, 24 May 2015 16:22:29 -0000

I’ve got an Atom C2758 system:

CPU: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz (2400.06-MHz K8-class CPU)
  Origin = "GenuineIntel"  Id = 0x406d8  Family = 0x6  Model = 0x4d  Stepping = 8
  Features=0xbfebfbff
  Features2=0x43d8e3bf
  AMD Features=0x28100800
  AMD Features2=0x101
  Standard Extended Features=0x2282

Enabling aesni seems to make performance much worse:

root@router:~ # openssl speed -evp aes-256-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-256-cbc for 3s on 16 size blocks: 33200486 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 64 size blocks: 11444626 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 256 size blocks: 3328753 aes-256-cbc's in 3.02s
Doing aes-256-cbc for 3s on 1024 size blocks: 866523 aes-256-cbc's in 3.02s
Doing aes-256-cbc for 3s on 8192 size blocks: 108891 aes-256-cbc's in 3.00s
OpenSSL 1.0.1e-freebsd 11 Feb 2013
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: cc
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     176609.34k   243517.86k   281851.62k   293480.37k   297345.02k


root@router:~ # kldload aesni
root@router:~ # openssl speed -evp aes-256-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-256-cbc for 3s on 16 size blocks: 881020 aes-256-cbc's in 3.02s
Doing aes-256-cbc for 3s on 64 size blocks: 842078 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 256 size blocks: 700368 aes-256-cbc's in 3.03s
Doing aes-256-cbc for 3s on 1024 size blocks: 425602 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 76495 aes-256-cbc's in 3.00s
OpenSSL 1.0.1e-freebsd 11 Feb 2013
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: cc
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc       4662.35k    17964.33k    59148.60k   145272.15k   208882.35k


Is this expected here, or is something broken?
— Kevin

From owner-freebsd-security@FreeBSD.ORG Sun May 24 16:01:21 2015
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id E2F63D50;
 Sun, 24 May 2015 16:01:21 +0000 (UTC)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id A98EC1165;
 Sun, 24 May 2015 16:01:21 +0000 (UTC)
Received: by igbpi8 with SMTP id pi8so21870056igb.1;
 Sun, 24 May 2015 09:01:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20120113;
 h=mime-version:sender:in-reply-to:references:date:message-id:subject
 :from:to:cc:content-type;
 bh=hlbLsC6g4cli5n56lj/n18NMwfJAhqayn1Sa02SiCAA=;
 b=bNy8c1WOY0gcMNHL9zgLAOC4BQ7ezi2IiOY57XI+/Pye8pMm/fkegyF0jThGdaJyqi
 ZwJdzp0/i54Rg++0yeVepLwq/OYdsm3eB/JHzdr907hHFGlpKrthV33D++laaul6R3Mn
 zwQiqU72Fh0jnFPH7PnVMsCHiD76LuhLrKnJdc1y3UptZ3uvGYTZdBme55IWMCW0R1zE
 B8FgRyFDNVykCwZZTbSVOCDGFTKTRxOVHydvwRmttowo2g8EbfT48Em3lyAjCdvbvqKn
 Ja/AlcJj5fzb45mIiYdRcXS2LqJEWjtWqPtSLH98IKJ6xtOOzdDZSR3i3q1+jiBgv7qy
 VEdw==
MIME-Version: 1.0
X-Received: by 10.50.79.167 with SMTP id k7mr18200187igx.32.1432483280902;
 Sun, 24 May 2015 09:01:20 -0700 (PDT)
Sender: kob6558@gmail.com
Received: by 10.107.174.22 with HTTP; Sun, 24 May 2015 09:01:20 -0700 (PDT)
In-Reply-To: <55618388.7000504@delphij.net>
References: <20150523153031.A1A07357@hub.freebsd.org> <55618388.7000504@delphij.net>
Date: Sun, 24 May 2015 09:01:20 -0700
X-Google-Sender-Auth: 7jjLSPZgyXxUxWN3H7OK4NzQt9o
Message-ID:
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
From: Kevin Oberman
To: Xin Li
Cc: Jason Unovitch, ports-secteam@freebsd.org, freebsd-security@freebsd.org, FreeBSD Ports ML, xmj@freebsd.org, pi@freebsd.org
X-Mailman-Approved-At: Sun, 24 May 2015 16:48:40 +0000
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.20
X-List-Received-Date: Sun, 24 May 2015 16:01:22 -0000

On Sun, May 24, 2015 at 12:53 AM, Xin Li wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> On 5/23/15 09:14, Jason Unovitch wrote:
> > On Sat, May 23, 2015 at 11:30 AM, Roger Marquis wrote:
> >> If you find a vulnerability such as a new CVE or mailing list
> >> announcement please send it to the port maintainer and
> >> as quickly as possible. They are
> >> woefully understaffed and need our help. Though freebsd.org
> >> indicates that security alerts should be sent to
> >> this is incorrect. If the vulnerability is
> >> in a port or package send an alert to ports-secteam@ and NOT
> >> secteam@ as the secteam will generally not reply to your email or
> >> forward the alerts to ports-secteam.
> >>
> >> Roger
>

Can our bugzilla have a button or something similar to tag bugs with CVE
entries and adding ports-secteam to the cc list? Better would be a scan
of bug submissions for the string "CVE-". (I have never looked at
bugzilla other than to use it to search or submit bugs, so have no idea
if this is feasible.) I know that this would generate false positives,
but it appears to me that most all such could be dismissed very quickly
and would be better than having serious security issues lost in the heap
of bug reports.
I know that when I opened a PR (pre-bugzilla) for a significant security
issue in a popular port (ImageMagick) a few years ago, even though I
marked it as "critical", it was almost 2 weeks before the port was
updated, probably because the maintainer was just routinely updating the
port as the commit did not reference the vulnerability, at all. It was a
rather gaping hole, too. The PR was eventually closed as very stale, as
it should have been by then.
--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com

From owner-freebsd-security@FreeBSD.ORG Sun May 24 17:30:22 2015
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 0FA60642
 for ; Sun, 24 May 2015 17:30:22 +0000 (UTC)
Received: from mail-ig0-x22f.google.com (mail-ig0-x22f.google.com [IPv6:2607:f8b0:4001:c05::22f])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id CE1AE1BB2
 for ; Sun, 24 May 2015 17:30:21 +0000 (UTC)
Received: by igbsb11 with SMTP id sb11so20694843igb.0
 for ; Sun, 24 May 2015 10:30:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :content-type:content-transfer-encoding;
 bh=a6e/Ca0XszEeDKME7JeU04QeeZo9XQ1c++j5re46uQU=;
 b=eJpkZ/OjYKU5rE4G7UmYMQpOo6vbRYsG5haL4i1DPzN9penDDQBsTPwdAwAjriS4v7
 /xN5xR8ZbaNOaVNshaZJmX35U2YIiUt6GLOHZGUYPPkyV7PQAmtmD5V1vJZCNi3qDEwR
 hysu9GhFxNFh0iz2/M9pyH6nwFJa5EId9yVhZ5jngvERtGsCLY0Jv6cdABbFNrQ7qLu4
 KWfc92RXB/3RR6lk4+HrYEvlEPL9F4xpdQ9lWIemYLrf0hCuFdYY+FdGTPjbXI6tPqGt
 kGuOC9aEkGBrsgm/oOqkDIoQ43MC8hcxOegQB1ilEgghcC+kuwI/3s6J8soEG4XqbTcv
 NokA==
MIME-Version: 1.0
X-Received: by 10.107.137.80 with SMTP id l77mr16944252iod.92.1432488621108;
 Sun, 24 May 2015 10:30:21 -0700 (PDT)
Received: by 10.36.121.86 with HTTP; Sun, 24 May 2015 10:30:21 -0700 (PDT)
In-Reply-To: <6BA42026-C785-40B5-B9CF-DD4280693C41@dragondata.com>
References: <6BA42026-C785-40B5-B9CF-DD4280693C41@dragondata.com>
Date: Sun, 24 May 2015 13:30:21 -0400
Message-ID:
Subject: Re: Atom C2758 - loading aesni(4) reduces performance
From: Robert Simmons
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-List-Received-Date: Sun, 24 May 2015 17:30:22 -0000

Can you provide the output of freebsd-version, and openssl version? It
looks like you're using a very old version of OpenSSL. Here's my
output as an example:

% freebsd-version
10.1-RELEASE-p10

% openssl version
OpenSSL 1.0.1l-freebsd 15 Jan 2015

% /usr/local/bin/openssl version
OpenSSL 1.0.2a 19 Mar 2015

On Sun, May 24, 2015 at 12:22 PM, Kevin Day wrote:
>
> I’ve got an Atom C2758 system:
>
> CPU: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz (2400.06-MHz K8-class CPU)
>   Origin = "GenuineIntel"  Id = 0x406d8  Family = 0x6  Model = 0x4d  Stepping = 8
>   Features=0xbfebfbff
>   Features2=0x43d8e3bf
>   AMD Features=0x28100800
>   AMD Features2=0x101
>   Standard Extended Features=0x2282
>
> Enabling aesni seems to make performance much worse:
>
> root@router:~ # openssl speed -evp aes-256-cbc -elapsed
> You have chosen to measure elapsed time instead of user CPU time.
> Doing aes-256-cbc for 3s on 16 size blocks: 33200486 aes-256-cbc's in 3.01s
> Doing aes-256-cbc for 3s on 64 size blocks: 11444626 aes-256-cbc's in 3.01s
> Doing aes-256-cbc for 3s on 256 size blocks: 3328753 aes-256-cbc's in 3.02s
> Doing aes-256-cbc for 3s on 1024 size blocks: 866523 aes-256-cbc's in 3.02s
> Doing aes-256-cbc for 3s on 8192 size blocks: 108891 aes-256-cbc's in 3.00s
> OpenSSL 1.0.1e-freebsd 11 Feb 2013
> built on: date not available
> options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> compiler: cc
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256-cbc     176609.34k   243517.86k   281851.62k   293480.37k   297345.02k
>
>
> root@router:~ # kldload aesni
> root@router:~ # openssl speed -evp aes-256-cbc -elapsed
> You have chosen to measure elapsed time instead of user CPU time.
> Doing aes-256-cbc for 3s on 16 size blocks: 881020 aes-256-cbc's in 3.02s
> Doing aes-256-cbc for 3s on 64 size blocks: 842078 aes-256-cbc's in 3.00s
> Doing aes-256-cbc for 3s on 256 size blocks: 700368 aes-256-cbc's in 3.03s
> Doing aes-256-cbc for 3s on 1024 size blocks: 425602 aes-256-cbc's in 3.00s
> Doing aes-256-cbc for 3s on 8192 size blocks: 76495 aes-256-cbc's in 3.00s
> OpenSSL 1.0.1e-freebsd 11 Feb 2013
> built on: date not available
> options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> compiler: cc
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256-cbc       4662.35k    17964.33k    59148.60k   145272.15k   208882.35k
>
>
> Is this expected here, or is something broken?
>
> — Kevin
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Sun May 24 17:44:39 2015
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id A243B398
 for ; Sun, 24 May 2015 17:44:39 +0000 (UTC)
Received: from mail-ig0-x231.google.com (mail-ig0-x231.google.com [IPv6:2607:f8b0:4001:c05::231])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 621FF1D8E
 for ; Sun, 24 May 2015 17:44:39 +0000 (UTC)
Received: by igbyr2 with SMTP id yr2so22815566igb.0
 for ; Sun, 24 May 2015 10:44:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=dragondata.com; s=google;
 h=content-type:mime-version:subject:from:in-reply-to:date:cc
 :content-transfer-encoding:message-id:references:to;
 bh=6aHg+8GymkXD4D4F3JZYnnVw1X5kTXhqBX42LXYebZk=;
 b=FJ5pxpFEIDdTjAU3cyhjOXUIq3E/jesDcA3aApK+0nIAksq5mXiuBxHtpZE/bINCYg
 pb2O4oLrQlThFrHzP1bdZC0yZp6QMrnphq7WnWvfY++hihpGZvm4dhNt36Rn6DN1McaV
 pivEAP92aqBdAgb3KxC1sG/1rA2brJHuXz4A8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:content-type:mime-version:subject:from
 :in-reply-to:date:cc:content-transfer-encoding:message-id:references
 :to;
 bh=6aHg+8GymkXD4D4F3JZYnnVw1X5kTXhqBX42LXYebZk=;
 b=TBbm6Ofme3dUVHNXnme8Gs4cn3xft+lsJgksQAHiq68splKn131l5tINOFh4AiR6zX
 gFo4VU5I3xld7nhEg2sTLfpcFFcJu6upRS0SIIysg3vvQwWMNt5kcSab7jg8nK6CJVrd
 d7YN1cS7/qPF9dUEcTOpjo3L5NtKoqW1XwHB2gvs/R3Cd/l/dH6/ZsgBQT6mxremq54k
 +HzCKor92m7BVxoGJBvfa8v07OSBj76AwLszWvZm/XALnDMGvHYxaIMiD5wZ5rtAincp
 +ELwoBQ3lpiC72FFEPBCi4YZAdBZnyMHUd2QUdDcwVj0XBM1yJVxGzR84p0xkHTasChK
 MSzQ==
X-Gm-Message-State: ALoCoQnYlc0HavXtpaO5jKoD22ILWVAwxPMlIuwS3UFM9WsztCK7h8mexrVGyBNmh8WJ43yUsWYi
X-Received: by 10.107.136.197 with SMTP id s66mr24468375ioi.65.1432489478855;
 Sun, 24 May 2015 10:44:38 -0700 (PDT)
Received: from unassigned.v6.your.org ([2001:4978:1:45:1dd:435:e677:4a9f])
 by mx.google.com with ESMTPSA id vk8sm4179016igb.4.2015.05.24.10.44.37
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Sun, 24 May 2015 10:44:37 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.4\))
Subject: Re: Atom C2758 - loading aesni(4) reduces performance
From: Kevin Day
In-Reply-To:
Date: Sun, 24 May 2015 12:44:36 -0500
Cc: freebsd-security@freebsd.org
Content-Transfer-Encoding: quoted-printable
Message-Id:
References: <6BA42026-C785-40B5-B9CF-DD4280693C41@dragondata.com>
To: Robert Simmons
X-Mailer: Apple Mail (2.2070.4)
X-List-Received-Date: Sun, 24 May 2015 17:44:39 -0000

root@router:/sys # freebsd-version
10.0-RELEASE-p7
root@router:/sys # openssl version
OpenSSL 1.0.1e-freebsd 11 Feb 2013

That’s what ships with 10.0. Trying your version (1.0.2a) seems worse for
both, but still slower with aesni than without.

1.0.1e without aesni:
aes-256-cbc     176609.34k   243517.86k   281851.62k   293480.37k   297345.02k
1.0.1e with aesni:
aes-256-cbc       4662.35k    17964.33k    59148.60k   145272.15k   208882.35k
1.0.2a without aesni:
aes-256-cbc      34727.24k    38003.39k    38926.26k    39369.94k    39291.87k
1.0.2a with aesni:
aes-256-cbc       4585.40k    17842.11k    59530.18k   145439.74k   204827.31k

> On May 24, 2015, at 12:30 PM, Robert Simmons wrote:
>
> Can you provide the output of freebsd-version, and openssl version? It
> looks like you're using a very old version of OpenSSL. Here's my
> output as an example:
>
> % freebsd-version
> 10.1-RELEASE-p10
>
> % openssl version
> OpenSSL 1.0.1l-freebsd 15 Jan 2015
>
> % /usr/local/bin/openssl version
> OpenSSL 1.0.2a 19 Mar 2015
>
> On Sun, May 24, 2015 at 12:22 PM, Kevin Day wrote:
>>
>> I’ve got an Atom C2758 system:
>>
>> CPU: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz (2400.06-MHz K8-class CPU)
>>   Origin = "GenuineIntel"  Id = 0x406d8  Family = 0x6  Model = 0x4d  Stepping = 8
>>   Features=0xbfebfbff
>>   Features2=0x43d8e3bf
>>   AMD Features=0x28100800
>>   AMD Features2=0x101
>>   Standard Extended Features=0x2282
>>
>> Enabling aesni seems to make performance much worse:
>>
>> root@router:~ # openssl speed -evp aes-256-cbc -elapsed
>> You have chosen to measure elapsed time instead of user CPU time.
>> Doing aes-256-cbc for 3s on 16 size blocks: 33200486 aes-256-cbc's in 3.01s
>> Doing aes-256-cbc for 3s on 64 size blocks: 11444626 aes-256-cbc's in 3.01s
>> Doing aes-256-cbc for 3s on 256 size blocks: 3328753 aes-256-cbc's in 3.02s
>> Doing aes-256-cbc for 3s on 1024 size blocks: 866523 aes-256-cbc's in 3.02s
>> Doing aes-256-cbc for 3s on 8192 size blocks: 108891 aes-256-cbc's in 3.00s
>> OpenSSL 1.0.1e-freebsd 11 Feb 2013
>> built on: date not available
>> options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
>> compiler: cc
>> The 'numbers' are in 1000s of bytes per second processed.
>> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
>> aes-256-cbc     176609.34k   243517.86k   281851.62k   293480.37k   297345.02k
>>
>>
>> root@router:~ # kldload aesni
>> root@router:~ # openssl speed -evp aes-256-cbc -elapsed
>> You have chosen to measure elapsed time instead of user CPU time.
>> Doing aes-256-cbc for 3s on 16 size blocks: 881020 aes-256-cbc's in 3.02s
>> Doing aes-256-cbc for 3s on 64 size blocks: 842078 aes-256-cbc's in 3.00s
>> Doing aes-256-cbc for 3s on 256 size blocks: 700368 aes-256-cbc's in 3.03s
>> Doing aes-256-cbc for 3s on 1024 size blocks: 425602 aes-256-cbc's in 3.00s
>> Doing aes-256-cbc for 3s on 8192 size blocks: 76495 aes-256-cbc's in 3.00s
>> OpenSSL 1.0.1e-freebsd 11 Feb 2013
>> built on: date not available
>> options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
>> compiler: cc
>> The 'numbers' are in 1000s of bytes per second processed.
>> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
>> aes-256-cbc       4662.35k    17964.33k    59148.60k   145272.15k   208882.35k
>>
>>
>> Is this expected here, or is something broken?
>>
>> — Kevin
>>

From owner-freebsd-security@FreeBSD.ORG Sun May 24 20:47:30 2015
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 831233CE
 for ; Sun, 24 May 2015 20:47:30 +0000 (UTC)
 (envelope-from cmt@burggraben.net)
Received: from smtp.burggraben.net (smtp.burggraben.net [IPv6:2a01:4f8:140:50a2::3:1])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "ns.exwg.net", Issuer "Christoph Moench-Tegeder" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 43FF3375
 for ; Sun, 24 May 2015 20:47:30 +0000 (UTC)
 (envelope-from cmt@burggraben.net)
Received: from localhost (localhost [127.0.0.1])
 by smtp.burggraben.net (Postfix) with ESMTP id BA52B600098
 for ; Sun, 24 May 2015 22:47:27 +0200 (CEST)
X-Spam-Scanned: by amavisd-new at exwg.net
Received: from smtp.burggraben.net ([127.0.0.1])
 by localhost (ns.burggraben.net [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id IENXdpsGoZUg for ; Sun, 24 May 2015 22:47:23 +0200 (CEST)
Received: from elch.exwg.net (dslb-088-066-008-054.088.066.pools.vodafone-ip.de [88.66.8.54])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "elch.exwg.net", Issuer "Christoph Moench-Tegeder" (not verified))
 by smtp.burggraben.net (Postfix) with ESMTPS
 for ; Sun, 24 May 2015 22:47:23 +0200 (CEST)
Received: by elch.exwg.net (Postfix, from userid 1000)
 id 4886242; Sun, 24 May 2015 22:47:23 +0200 (CEST)
Date: Sun, 24 May 2015 22:47:23 +0200
From: Christoph Moench-Tegeder
To: freebsd-security@freebsd.org
Subject: Re: Atom C2758 - loading aesni(4) reduces performance
Message-ID: <20150524204723.GA2853@elch.exwg.net>
References: <6BA42026-C785-40B5-B9CF-DD4280693C41@dragondata.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <6BA42026-C785-40B5-B9CF-DD4280693C41@dragondata.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-List-Received-Date: Sun, 24 May 2015 20:47:30 -0000

## Kevin Day (toasty@dragondata.com):

> Is this expected here, or is something broken?

I'd expect there's something wrong (I don't have access to an AES-NI
capable Atom, but on my i7 there's no such impact). The performance
numbers for the "openssl speed" suite show heavy fluctuation even
under light load - was this a one-shot test or is this reproducible
on an "unloaded" (yes, I know, system stuff...) system? Can you run
multiple tests in each configuration and check average, median and
standard deviation? (just to make sure this is significant).

Anyways, openssl does not use crypto(4) by default (and therefore
cannot use aesni(4)). openssl detects the cpu features by itself and
uses the AES-NI instruction set if available - unless told otherwise
(see OPENSSL_ia32cap(3)). To make the long manual short - you can
force openssl not to use AES-NI by setting the environment
OPENSSL_ia32cap="~0x0200000000000000". From my tests I estimate (I did
only a few tests) that this option alone cuts aes-256-cbc by 50 to 60%.
Loading (or not) aesni(4) has no obvious effect on the numbers in
both cases (variations are in the order of the usual noise).
Regards,
Christoph

--
Spare Space

From: John-Mark Gurney
To: Kevin Day
Cc: freebsd-security@freebsd.org
Subject: Re: Atom C2758 - loading aesni(4) reduces performance
Date: Sun, 24 May 2015 15:44:54 -0700
Message-ID: <20150524224454.GX37063@funkthat.com>
In-Reply-To: <6BA42026-C785-40B5-B9CF-DD4280693C41@dragondata.com>

Kevin Day wrote this message on Sun, May 24, 2015 at 11:22 -0500:
> I've got an Atom C2758 system:
>
> CPU: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz (2400.06-MHz K8-class CPU)
>   Origin = "GenuineIntel"  Id = 0x406d8  Family = 0x6  Model = 0x4d  Stepping = 8
>   Features=0xbfebfbff
>   Features2=0x43d8e3bf
>   AMD Features=0x28100800
>   AMD Features2=0x101
>   Standard Extended Features=0x2282
>
> Enabling aesni seems to make performance much worse:
>
> root@router:~ # openssl speed -evp aes-256-cbc -elapsed
> You have chosen to measure elapsed time instead of user CPU time.
> Doing aes-256-cbc for 3s on 16 size blocks: 33200486 aes-256-cbc's in 3.01s
> Doing aes-256-cbc for 3s on 64 size blocks: 11444626 aes-256-cbc's in 3.01s
> Doing aes-256-cbc for 3s on 256 size blocks: 3328753 aes-256-cbc's in 3.02s
> Doing aes-256-cbc for 3s on 1024 size blocks: 866523 aes-256-cbc's in 3.02s
> Doing aes-256-cbc for 3s on 8192 size blocks: 108891 aes-256-cbc's in 3.00s
> OpenSSL 1.0.1e-freebsd 11 Feb 2013
> built on: date not available
> options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> compiler: cc
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256-cbc     176609.34k   243517.86k   281851.62k   293480.37k   297345.02k
>
>
> root@router:~ # kldload aesni
> root@router:~ # openssl speed -evp aes-256-cbc -elapsed
> You have chosen to measure elapsed time instead of user CPU time.
> Doing aes-256-cbc for 3s on 16 size blocks: 881020 aes-256-cbc's in 3.02s
> Doing aes-256-cbc for 3s on 64 size blocks: 842078 aes-256-cbc's in 3.00s
> Doing aes-256-cbc for 3s on 256 size blocks: 700368 aes-256-cbc's in 3.03s
> Doing aes-256-cbc for 3s on 1024 size blocks: 425602 aes-256-cbc's in 3.00s
> Doing aes-256-cbc for 3s on 8192 size blocks: 76495 aes-256-cbc's in 3.00s
> OpenSSL 1.0.1e-freebsd 11 Feb 2013
> built on: date not available
> options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> compiler: cc
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256-cbc       4662.35k    17964.33k    59148.60k   145272.15k   208882.35k
>
>
> Is this expected here, or is something broken?

If you have cryptodev loaded, this is to be expected as OpenSSL will
use /dev/crypto instead of the AES-NI instructions..  Just don't load
cryptodev and you'll be fine..

--
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
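The diagnosis above (userland OpenSSL 1.0.1 silently switching to /dev/crypto once cryptodev(4) is loaded) can be checked on a host instead of inferred from the numbers. This is an added example, not code from anyone in the thread: a small sh script that reports which of cryptodev(4), aesni(4) and crypto(4) are loaded and quantifies the penalty from two `openssl speed -evp aes-256-cbc` summary lines. It assumes FreeBSD's kldstat(8) for the module check; the sample lines are the figures Kevin posted.

```shell
#!/bin/sh
# Added example (not from the thread). Quantify the cryptodev(4) penalty from
# two "openssl speed -evp aes-256-cbc" summary lines and report which kernel
# crypto modules are loaded. Module names are FreeBSD's; kldstat(8) is assumed.

# Throughput column from an "aes-256-cbc  NNNk NNNk ..." summary line.
# $1 = summary line, $2 = block-size column (1 = 16 bytes ... 5 = 8192 bytes).
speed_col() {
	printf '%s\n' "$1" | awk -v col="$2" '{ v = $(col + 1); sub(/k$/, "", v); print v }'
}

# Percent of baseline throughput kept after the change, truncated to an integer.
# $1 = baseline line, $2 = line measured with the module loaded, $3 = column.
retained_pct() {
	_b=$(speed_col "$1" "$3")
	_a=$(speed_col "$2" "$3")
	awk -v b="$_b" -v a="$_a" 'BEGIN { printf "%d\n", (a / b) * 100 }'
}

# Module state: prints "loaded", "absent", or "unknown" (no kldstat on this host).
module_state() {
	command -v kldstat >/dev/null 2>&1 || { echo unknown; return 0; }
	if kldstat -q -m "$1"; then echo loaded; else echo absent; fi
}

# What the thread concludes: aesni(4) and crypto(4) serve geli(8) and the kernel;
# cryptodev(4) additionally exposes /dev/crypto, which OpenSSL 1.0.1 prefers over
# its own AES-NI code path, so it is the one module to leave unloaded.
# Prints one status line; returns 1 when cryptodev is loaded, 0 otherwise.
advise() {
	_cd=$(module_state cryptodev)
	echo "cryptodev: $_cd  aesni: $(module_state aesni)  crypto: $(module_state crypto)"
	case $_cd in
	loaded)
		echo "WARNING: cryptodev(4) is loaded; userland OpenSSL will route AES through /dev/crypto"
		return 1 ;;
	*)
		return 0 ;;
	esac
}

# Constructed sample input: the two summary lines Kevin Day posted.
WITHOUT_CRYPTODEV='aes-256-cbc 176609.34k 243517.86k 281851.62k 293480.37k 297345.02k'
WITH_CRYPTODEV='aes-256-cbc 4662.35k 17964.33k 59148.60k 145272.15k 208882.35k'

# Retained throughput per block size: the per-call cost of crossing into the
# kernel dominates small blocks and is only partly amortised at 8192 bytes.
show_penalty() {
	i=1
	for size in 16 64 256 1024 8192; do
		echo "$size-byte blocks: $(retained_pct "$1" "$2" "$i")% of baseline"
		i=$((i + 1))
	done
}

show_penalty "$WITHOUT_CRYPTODEV" "$WITH_CRYPTODEV"
advise || :
```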
From: Bryan Fullerton
To: freebsd-security@freebsd.org
Subject: 10.1-p10?
Date: Mon, 25 May 2015 00:11:25 -0400

Just ran freebsd-update and got updates for 10.1-p10, but see no advisories
on the security lists or web site.

The following files will be updated as part of updating to 10.1-RELEASE-p10:
/bin/freebsd-version
/boot/kernel/kernel
/boot/kernel/kernel.symbols
/boot/kernel/ufs.ko
/boot/kernel/ufs.ko.symbols
/usr/include/ufs/ffs/softdep.h
/usr/sbin/freebsd-update
/usr/share/man/man8/freebsd-update.8.gz

Wut?

Bryan

From: Glen Barber
To: Bryan Fullerton
Cc: freebsd-security@freebsd.org
Subject: Re: 10.1-p10?
Date: Mon, 25 May 2015 04:15:10 +0000
Message-ID: <20150525041510.GE1589@hub.FreeBSD.org>

On Mon, May 25, 2015 at 12:11:25AM -0400, Bryan Fullerton wrote:
> Just ran freebsd-update and got updates for 10.1-p10, but see no advisories
> on the security lists or web site.
>
> The following files will be updated as part of updating to 10.1-RELEASE-p10:
> /bin/freebsd-version
> /boot/kernel/kernel
> /boot/kernel/kernel.symbols
> /boot/kernel/ufs.ko
> /boot/kernel/ufs.ko.symbols
> /usr/include/ufs/ffs/softdep.h
> /usr/sbin/freebsd-update
> /usr/share/man/man8/freebsd-update.8.gz
>

This was an EN.

gjb@nucleus:~/freebsd/src/base/releng/10.1 % svn log --diff -r282873 \
    sys/conf/newvers.sh
------------------------------------------------------------------------
r282873 | delphij | 2015-05-13 18:52:35 -0400 (Wed, 13 May 2015) | 7 lines

Fix bug with freebsd-update(8) that does not ensure the previous
upgrade was completed. [EN-15:04]

Fix deadlock on reboot with UFS tuned with SU+J. [EN-15:05]

Approved by:	so

Index: sys/conf/newvers.sh
===================================================================
--- sys/conf/newvers.sh	(revision 282872)
+++ sys/conf/newvers.sh	(revision 282873)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.1"
-BRANCH="RELEASE-p9"
+BRANCH="RELEASE-p10"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
------------------------------------------------------------------------

Glen
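Review bot: the only change in this hunk is the BRANCH bump from "RELEASE-p9" to "RELEASE-p10", which is the right label for a patch level that ships two errata notices together (the log cites EN-15:04 and EN-15:05), but it is only the label: sys/conf/newvers.sh is the sole file shown because `svn log --diff` was restricted to that path, so anyone auditing what p10 actually changed (the freebsd-update(8) completion check and the UFS SU+J reboot deadlock) needs the full r282873 diff, not this hunk. A minor style point on the unchanged context lines: `[ "X${BRANCH_OVERRIDE}" != "X" ]` is the old pre-POSIX guard against empty expansion; `[ -n "${BRANCH_OVERRIDE}" ]` says the same thing directly.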
From: Kevin Day
To: John-Mark Gurney
Cc: freebsd-security@freebsd.org
Subject: Re: Atom C2758 - loading aesni(4) reduces performance
Date: Sun, 24 May 2015 23:15:17 -0500
Message-Id: <687C0C52-08FA-4234-9A64-527163EED3C8@dragondata.com>
In-Reply-To: <20150524224454.GX37063@funkthat.com>

> On May 24, 2015, at 5:44 PM, John-Mark Gurney wrote:
>
> If you have cryptodev loaded, this is to be expected as OpenSSL will
> use /dev/crypto instead of the AES-NI instructions.. Just don't load
> cryptodev and you'll be fine..
>

So to make sure I’m understanding… openssl has native AES-NI support, and
it also can use /dev/crypto. It’s preferring /dev/crypto, but /dev/crypto
has much higher overhead?

— Kevin

From: Bryan Fullerton
To: Glen Barber
Cc: freebsd-security@freebsd.org
Subject: Re: 10.1-p10?
Date: Mon, 25 May 2015 00:21:29 -0400
In-Reply-To: <20150525041510.GE1589@hub.FreeBSD.org>

Ah, thanks, I see it now, and re-subbed to freebsd-announce.

Bryan

On Mon, May 25, 2015 at 12:15 AM, Glen Barber wrote:

> On Mon, May 25, 2015 at 12:11:25AM -0400, Bryan Fullerton wrote:
> > Just ran freebsd-update and got updates for 10.1-p10, but see no
> advisories
> > on the security lists or web site.
> >
> > The following files will be updated as part of updating to
> 10.1-RELEASE-p10:
> > /bin/freebsd-version
> > /boot/kernel/kernel
> > /boot/kernel/kernel.symbols
> > /boot/kernel/ufs.ko
> > /boot/kernel/ufs.ko.symbols
> > /usr/include/ufs/ffs/softdep.h
> > /usr/sbin/freebsd-update
> > /usr/share/man/man8/freebsd-update.8.gz
> >
>
> This was an EN.
>
> gjb@nucleus:~/freebsd/src/base/releng/10.1 % svn log --diff -r282873 \
> sys/conf/newvers.sh
> ------------------------------------------------------------------------
> r282873 | delphij | 2015-05-13 18:52:35 -0400 (Wed, 13 May 2015) | 7 lines
>
> Fix bug with freebsd-update(8) that does not ensure the previous
> upgrade was completed. [EN-15:04]
>
> Fix deadlock on reboot with UFS tuned with SU+J. [EN-15:05]
>
> Approved by:    so
>
>
> Index: sys/conf/newvers.sh
> ===================================================================
> --- sys/conf/newvers.sh (revision 282872)
> +++ sys/conf/newvers.sh (revision 282873)
> @@ -32,7 +32,7 @@
>
>  TYPE="FreeBSD"
>  REVISION="10.1"
> -BRANCH="RELEASE-p9"
> +BRANCH="RELEASE-p10"
>  if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
>         BRANCH=${BRANCH_OVERRIDE}
>  fi
>
> ------------------------------------------------------------------------
>
> Glen
>
>
From: John-Mark Gurney
To: Kevin Day
Cc: freebsd-security@freebsd.org
Subject: Re: Atom C2758 - loading aesni(4) reduces performance
Date: Sun, 24 May 2015 22:21:57 -0700
Message-ID: <20150525052157.GC37063@funkthat.com>
In-Reply-To: <687C0C52-08FA-4234-9A64-527163EED3C8@dragondata.com>

Kevin Day wrote this message on Sun, May 24, 2015 at 23:15 -0500:
> > On May 24, 2015, at 5:44 PM, John-Mark Gurney wrote:
> >
> > If you have cryptodev loaded, this is to be expected as OpenSSL will
> > use /dev/crypto instead of the AES-NI instructions.. Just don't load
> > cryptodev and you'll be fine..
>
> So to make sure I’m understanding… openssl has native AES-NI support, and it also can use /dev/crypto. It’s preferring /dev/crypto, but /dev/crypto has much higher overhead?

Correct...  At least OpenSSL 1.0.1 that started shipping w/ 10.0 has
native AES-NI support...  Pre-10.0 doesn't have it...

--
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

From: Christoph Moench-Tegeder
To: freebsd-security@freebsd.org
Subject: Re: Atom C2758 - loading aesni(4) reduces performance
Date: Mon, 25 May 2015 13:41:31 +0200
Message-ID: <20150525114131.GA1457@elch.exwg.net>
In-Reply-To: <687C0C52-08FA-4234-9A64-527163EED3C8@dragondata.com>

## Kevin Day (toasty@dragondata.com):

> > If you have cryptodev loaded, this is to be expected as OpenSSL will
> > use /dev/crypto instead of the AES-NI instructions.. Just don't load
> > cryptodev and you'll be fine..
>
> So to make sure I’m understanding… openssl has native AES-NI support, and
> it also can use /dev/crypto. It’s preferring /dev/crypto, but /dev/crypto
> has much higher overhead?

Yes (I hadn't thought of cryptodev, because "why would one load that
without really special crypto hardware?").
The overhead is obvious - when offloading the crypto operations to
the kernel, the benefit of the kernel/hardware crypto support has
to be better than the penalty of communicating with the kernel; and
as you already have AES-NI support in openssl, there's not that much
chance that the kernel is that much faster than openssl itself.

Regards,
Christoph

--
Spare Space
From: RW
To: freebsd-security@freebsd.org
Subject: Re: Atom C2758 - loading aesni(4) reduces performance
Date: Mon, 25 May 2015 13:10:10 +0100
Message-ID: <20150525131010.1abda315@gumby.homeunix.com>
In-Reply-To: <20150525114131.GA1457@elch.exwg.net>

On Mon, 25 May 2015 13:41:31 +0200
Christoph Moench-Tegeder wrote:

> ## Kevin Day (toasty@dragondata.com):
>
> > > If you have cryptodev loaded, this is to be expected as OpenSSL
> > > will use /dev/crypto instead of the AES-NI instructions.. Just
> > > don't load cryptodev and you'll be fine..
> >
> > So to make sure I’m understanding… openssl has native AES-NI
> > support, and it also can use /dev/crypto. It’s
> > preferring /dev/crypto, but /dev/crypto has much higher overhead?
>
> Yes (I hadn't thought of cryptodev, because "why would one load that
> without really special crypto hardware?").
> The overhead is obvious - when offloading the crypto operations to
> the kernel, the benefit of the kernel/hardware crypto support has
> to be better than the penalty of communicating with the kernel; and
> as you already have AES-NI support in openssl, there's not that much
> chance that the kernel is that much faster than openssl itself.

But AFAIK you need the crypto module for AES-NI support in geli.

Is there any way to have both work optimally?

From: Christoph Moench-Tegeder
To: freebsd-security@freebsd.org
Subject: Re: Atom C2758 - loading aesni(4) reduces performance
Date: Mon, 25 May 2015 15:46:44 +0200
Message-ID: <20150525134644.GB1457@elch.exwg.net>
In-Reply-To: <20150525131010.1abda315@gumby.homeunix.com>

## RW (rwmaillists@googlemail.com):

> But AFAIK you need the crypto module for AES-NI support in geli.
>
> Is there any way to have both work optimally?

geli needs crypto(4), but does not use cryptodev(4) - at least, that's what
I gather from the man page.

Regards,
Christoph

--
Spare Space
From: John-Mark Gurney To: Christoph Moench-Tegeder Cc: freebsd-security@freebsd.org Subject: Re: Atom C2758 - loading aesni(4) reduces performance Message-ID: <20150525174441.GD37063@funkthat.com> References: <6BA42026-C785-40B5-B9CF-DD4280693C41@dragondata.com> <20150524224454.GX37063@funkthat.com> <687C0C52-08FA-4234-9A64-527163EED3C8@dragondata.com> <20150525114131.GA1457@elch.exwg.net> <20150525131010.1abda315@gumby.homeunix.com> <20150525134644.GB1457@elch.exwg.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20150525134644.GB1457@elch.exwg.net> X-Operating-System: FreeBSD 9.1-PRERELEASE amd64 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (gold.funkthat.com [127.0.0.1]); Mon, 25 May 2015 10:44:41 -0700 (PDT) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 May 2015 18:05:53 -0000 Christoph Moench-Tegeder wrote this message on Mon, May 25, 2015 at 15:46 +0200: > ## RW (rwmaillists@googlemail.com): > > > But AFAIK you need the crypto module for AES-NI support in geli. > > > > Is there any way to have both work optimally? > > geli needs crypto(4), but does not use cryptodev(4) - at least, that's what > I gather from the man page. Correct... It is safe to load crypto(4) and aesni(4)... and cryptodev(4) isn't needed for geli to use the aesni module... 
--
John-Mark Gurney                              Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@FreeBSD.ORG Wed May 27 21:35:42 2015
Date: Wed, 27 May 2015 14:35:41 -0700
From: "Roger Marquis"
To: "Mark Felder"
Cc: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
In-Reply-To: <1432756690.2290224.279775121.3E052535@webmail.messagingengine.com>

>> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
>> OpenBSD server operators) have no assurance that their systems are
>> secure.
>
> Slow down here for a second. Where's the command-line tool on RedHat or
> Debian that lists only the known vulnerable packages?

In RedHat you can create a security repo list (grep "-security"
/etc/apt/sources.list), install the security plugin (yum install
yum-plugin-security) and 'yum check-update --security' for the same
functionality as 'pkg audit -F'. Debian is even more obscure (apt-get
upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list
--just-print). FreeBSD 'pkg audit' is much cleaner but what difference
does that make, really, when you have a vulnerable package that isn't in
the database?

> But that's not the end of the story. That command won't list
> vulnerabilities until they have a patch released. Let's look at
> CVE-2015-0209 https://access.redhat.com/security/cve/CVE-2015-0209
> Release date was March 23rd.

No question there's variability in bugfix timeliness, especially for
DOS-type bugs like CVE-2015-0209. FreeBSD ports maintainers are also able
to commit patches and version updates much more quickly than their
binary-only competitors, as noted with the php55/Makefile tweak. In the
past that's what made FreeBSD a more secure OS to host applications on.
But that's not the main issue this thread has been about. The issue that
really matters from a security perspective is the completeness of the
vulnerability database, vuln.xml in our case.

> The grass is always greener... or is it?
>
> Let's just concentrate on how to improve things here and not worry about
> how they're handling security issues because they have their own unique
> problems to solve.

I must say I am disappointed in the response to this serious and
significant issue. My Redhat-using co-workers, OTOH, are no doubt eating
it up. Problem is I'm not the only one who has to defend their business
unit's use of FreeBSD in a corporation that has otherwise nearly
standardized on Redhat (and RH security, bash notwithstanding).

Roger

From owner-freebsd-security@FreeBSD.ORG Wed May 27 22:03:39 2015
Date: Wed, 27 May 2015 15:03:38 -0700
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
From: "Roger Marquis"
To: "Roger Marquis"
Cc: "Mark Felder", freebsd-ports@freebsd.org, freebsd-security@freebsd.org

> Mark Felder wrote:
>> Who is "ports-secteam"?
>
> It was Xin Li who alerted me to the ports-secteam@freebsd.org address
> i.e., as being distinct from the "FreeBSD Security Team"
> (secteam@freebsd.org) address noted on
> .

Also have to thank Remko Lodder for pointing out the ports-secteam@
address. Should also note that while the ports-secteam@ is not mentioned
in or various other places where it probably should be (like the Types
of Problem Reports page ) it is noted in the Port Specific FAQ and on the
port maintainers' page .

Roger

>
>> There has been no Call For Help that I've ever seen. If people are needed
>> to process these CVEs so they are entered into VUXML, sign me up to
>> ports-secteam please.
>
> I believe that is part of the problem, or the multiple problems, that
> lead me to believe that FreeBSD is operating without the active
> involvement of a security officer. Specifically:
>
> * port vulnerability alerts sent to secteam@, as indicated on the
> /security/ page, are neither forwarded to ports-secteam@ for review nor
> returned to the sender with a note regarding the correct destination
> address,
>
> * the freebsd.org/security web page is not correct and not being
> updated,
>
> * aside from Xin nobody from either ports-secteam@ or secteam@ much
> less security-officer@ seems to be reading or participating in the
> security@ mailing list,
>
> * nobody @freebsd.org appears to be following CVE announcements and the
> maintainers of several high profile ports are also not following it or
> even their application's -announce list,
>
> * there appears to be no automated process to alert vuln.xml maintainers
> (ports-secteam@) of potential new port vulnerabilities,
>
> * offers of help to secteam@ and ports-secteam@ are neither replied to
> nor acted upon (except for Xin Li's request, thanks Xin!),
>
> * perhaps as a result the vuln.xml database is no longer reliable, and
> by extension,
>
> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
> OpenBSD server operators) have no assurance that their systems are secure.
>
> This is a MAJOR CHANGE from just a couple of years ago which calls for an
> equally major heads-up to be sent to those running FreeBSD servers and
> looking to the freebsd.org website for help securing their systems.
>
> The significance of these 7 bullets should not be overlooked or
> understated. They call into question the viability of FreeBSD itself.
>
> IMO,
> Roger Marquis
>

From owner-freebsd-security@FreeBSD.ORG Thu May 28 17:19:14 2015
Date: Thu, 28 May 2015 10:19:12 -0700
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
From: Walter Parker
To: freebsd-security@freebsd.org

> Date: Wed, 27 May 2015 14:35:41 -0700
> From: "Roger Marquis"
> To: "Mark Felder"
> Cc: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
> Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
>
>>> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
>>> OpenBSD server operators) have no assurance that their systems are
>>> secure.
>>

That's an interesting definition of security assurance. The existence or
quicker updating of a list of insecure packages does not make a system
secure. It aids in the auditing of the security of the system, which is
not the same thing as actually having a secure system. Standard logic
says that lack of evidence does not prove non-existence.

What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that
their systems are secure? An audit trail of CVE issues fixed, while a
good start, is hardly a strong assurance that the system is secure.

How much faster must FreeBSD respond for it to join the "security
assurance" club of the major Linux vendors? Is this a paperwork issue or
a process issue?

Walter

From owner-freebsd-security@FreeBSD.ORG Thu May 28 19:59:49 2015
Date: Thu, 28 May 2015 12:59:42 -0700
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
From: "Roger Marquis"
To: "Walter Parker"
Cc: freebsd-security@freebsd.org

Walter Parker wrote:
> What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that
> their systems are secure? An audit trail of CVE issues fixed, while a
> good start, is hardly a strong assurance that the system is secure.

An important point and thank you for making it Walter. There is no
assurance against zero-day vulnerabilities or vulns that are otherwise
not published (outside of the NSA). That would be absolute security. In
the context of relative security, however, assurance can perhaps be
defined as being able to assume that CVEs released by the NIST, announced
by code or other operating system maintainers or published by researchers
or third parties such as Rapid7 and Tripwire are reflected in vuln.xml
(after a reasonable timeframe).

> How much faster must FreeBSD respond for it to join the "security
> assurance" club of the major Linux vendors? Is this a paperwork issue
> or a process issue?

We don't have much insight into the workings of FreeBSD's security teams
so it appears to be a matter of policy. Would be great if Dag could
comment here. The policies I would most like to know about are
transparency-related i.e., published security-related procedures,
projects and RFCs. Otherwise, what appears to be lacking is (additional)
automation of the process of scanning CVEs and advisories by other
organizations and subsequent prioritization, review and formatting for
publication.

There are several of us interested in contributing towards these goals,
financially, codewise and otherwise, but it is distressingly unclear how.
There are PRs of course, but if, say, someone wanted to contribute
specifically to the process of automating vuln.xml updates or to donate
specifically to the security teams .... Pointers gladly accepted.

Roger
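The two things this thread keeps circling back to are what 'pkg audit -F' actually does (match installed package versions against vuln.xml) and the gap Roger describes: a CVE that is public but never landed in vuln.xml is invisible to that check. The script below is an added example, not code from the FreeBSD project, pkg(8) or anyone in the thread. It parses a VuXML document, reports which CVE identifiers from an announcement list have no vuln.xml entry, and runs a simplified audit of installed packages. The vuln.xml fragment, the package versions, the vid and the placeholder id CVE-0000-0000 (deliberately impossible, so it can never collide with a real one) are constructed sample data; CVE-2015-0209 is the OpenSSL issue the thread itself cites, but the affected range given for it here is illustrative. The version comparison handles the "version_revision,epoch" shape of FreeBSD package versions but is a simplification of pkg's full rules.

```python
"""Cross-check a VuXML database against announced CVE ids and installed packages.

Added example (not FreeBSD project code). All sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample shaped like a vuln.xml record. The vid is a placeholder
# and the version range is illustrative, not the real one for CVE-2015-0209.
SAMPLE_VULN_XML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>openssl -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>openssl</name>
        <range><lt>1.0.2_1</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2015-0209</cvename>
    </references>
  </vuln>
</vuxml>
"""


def parse_version(v):
    """Turn 'main[_revision][,epoch]' into a tuple that compares like pkg does
    for the common cases: epoch first, then dotted components (numeric prefix
    and alphabetic suffix, so 1.0.2 < 1.0.2a), then the port revision."""
    main, _, epoch = v.partition(",")
    main, _, rev = main.partition("_")
    parts = []
    for comp in main.split("."):
        m = re.match(r"(\d*)(.*)", comp)
        parts.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return (int(epoch or 0), tuple(parts), int(rev or 0))


def version_in_range(version, range_el):
    """True if version satisfies every bound (lt/le/gt/ge/eq) in a <range>."""
    pv = parse_version(version)
    ok = True
    for bound in range_el:
        tag = bound.tag.split("}")[-1]
        bv = parse_version(bound.text.strip())
        cmp = (pv > bv) - (pv < bv)
        ok = ok and {"lt": cmp < 0, "le": cmp <= 0, "gt": cmp > 0,
                     "ge": cmp >= 0, "eq": cmp == 0}[tag]
    return ok


def load_vuxml(text):
    return ET.fromstring(text)


def cve_index(root):
    """Map each CVE id referenced in the database to the vids that cite it."""
    idx = {}
    for vuln in root.findall("v:vuln", NS):
        for cve in vuln.findall("v:references/v:cvename", NS):
            idx.setdefault(cve.text.strip(), []).append(vuln.get("vid"))
    return idx


def missing_cves(root, announced):
    """CVE ids from an upstream/NVD announcement list with no vuln.xml entry:
    these are the ones 'pkg audit' can never warn about."""
    idx = cve_index(root)
    return sorted(c for c in announced if c not in idx)


def audit(root, installed):
    """Simplified 'pkg audit': installed is {name: version}; returns
    (name, version, vid, topic) for every matching entry."""
    hits = []
    for vuln in root.findall("v:vuln", NS):
        topic = vuln.findtext("v:topic", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            for name_el in pkg.findall("v:name", NS):
                name = name_el.text.strip()
                if name not in installed:
                    continue
                ver = installed[name]
                if any(version_in_range(ver, r) for r in pkg.findall("v:range", NS)):
                    hits.append((name, ver, vuln.get("vid"), topic))
    return hits


if __name__ == "__main__":
    root = load_vuxml(SAMPLE_VULN_XML)
    # Constructed announcement feed: one id the database knows, one it does not.
    print("not in vuln.xml:", missing_cves(root, ["CVE-2015-0209", "CVE-0000-0000"]))
    # Constructed installed set: php55 has no entry at all, so it never shows up.
    for hit in audit(root, {"openssl": "1.0.2", "php55": "5.5.25"}):
        print("vulnerable:", hit)
```

The point of running missing_cves() alongside audit() is that the two answer different questions: audit() only finds what the database already describes, while missing_cves() is the check that turns a CVE feed into a to-do list for vuln.xml maintainers, which is the automation step Roger asks for. A real deployment would read /usr/ports/security/vuxml/vuln.xml (or the file pkg audit -F fetches) and a CVE list pulled from NVD or a vendor announce list instead of the constructed strings.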