From: Piotr Kubaj
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp
Date: Sun, 1 May 2016 22:11:24 +0200

AFAIK FreeBSD project tries to ship basic tools in pretty much every area
(e.g. DNS resolver etc.) that work for 99% of users and if anyone needs
something more advanced, they are welcome to use ports. That is exactly why
BIND was replaced with Unbound and LDNS tools.

Why not go the same way with ntpd? Openntpd is just the same to ntpd as
Unbound is to BIND - a simple tool that works for most users.

From: Xin Li
To: gabor@zahemszky.hu, freebsd-security@freebsd.org
Cc: d@delphij.net
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp
Date: Sun, 1 May 2016 23:35:47 -0700

On 4/29/16 04:13, gabor@zahemszky.hu wrote:
>> 2) To update your vulnerable system via a binary patch:
>>
>> Systems running a RELEASE version of FreeBSD on the i386 or amd64
>> platforms can be updated via the freebsd-update(8) utility:
>>
>> # freebsd-update fetch
>> # freebsd-update install
>
> Both on an i386 and on an amd64 machine, I got:
>
> ====
> ....
> Fetching metadasa signature for 10.3-RELEASE from update5.freebsd.org...
> done
> Fetching metadata index.... done
>
> The update metadata is correctly signed, but
> failed an integrity check.
> Cowardly refusing to proceed any further.
> ====
>
> Both machines are VM-s, upgraded from 10.2.
>
> (Got the same with -s update[23456].freebsd.org, and without -s option.

There was a nit in the metadata, and this should have been addressed now.

Cheers,

From: Piotr Kubaj
To: freebsd-security@freebsd.org
Subject: New OpenSSL vulnerabilities
Date: Tue, 3 May 2016 16:10:47 +0200

https://mta.openssl.org/pipermail/openssl-announce/2016-May/000072.html

From: Ian Smith
To: Poul-Henning Kamp
Cc: Christian Weisgerber, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp
Date: Wed, 4 May 2016 19:25:27 +1000 (EST)

On Sat, 30 Apr 2016 14:27:17 +0000, Poul-Henning Kamp wrote:
[..]
> The best explanation of all this is John R. Vig's Quartz Tutorial
> which is freely available on the web - highly recommended:
>
> http://www.am1.us/Local_Papers/U11625%20VIG-TUTORIAL.pdf

This is one of the best scientific/engineering documents I've ever read;
clearly written, almost painfully thorough and, dare I say, beautiful in
presentation. Like a good novel, I couldn't put it aside, despite large
swathes of it being well over my head.

Thanks!

cheers, Ian

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:17.openssl
Reply-To: freebsd-security@freebsd.org
Date: Wed, 4 May 2016 22:55:46 +0000 (UTC)

=============================================================================
FreeBSD-SA-16:17.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple OpenSSL vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2016-05-04
Credits:        OpenSSL Project
Affects:        All supported versions of FreeBSD.
Corrected:      2016-05-03 18:54:20 UTC (stable/10, 10.3-STABLE)
                2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2)
                2016-05-04 15:26:23 UTC (releng/10.2, 10.2-RELEASE-p16)
                2016-05-04 15:27:09 UTC (releng/10.1, 10.1-RELEASE-p33)
                2016-05-04 06:53:02 UTC (stable/9, 9.3-STABLE)
                2016-05-04 15:27:09 UTC (releng/9.3, 9.3-RELEASE-p41)
CVE Name:       CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109,
                CVE-2016-2176

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

The padding check in AES-NI CBC MAC was rewritten to be in constant time
by making sure that always the same bytes are read and compared against
either the MAC or padding bytes. But it no longer checked that there was
enough data to have both the MAC and padding bytes. [CVE-2016-2107]

An overflow can occur in the EVP_EncodeUpdate() function which is used for
Base64 encoding of binary data. [CVE-2016-2105]

An overflow can occur in the EVP_EncryptUpdate() function, however it is
believed that there can be no overflows in internal code due to this problem.
[CVE-2016-2106]

When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can cause allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.
[CVE-2016-2109]

ASN1 Strings that are over 1024 bytes can cause an overread in applications
using the X509_NAME_oneline() function on EBCDIC systems. [CVE-2016-2176]
FreeBSD does not run on any EBCDIC systems and therefore is not affected.

III. Impact

A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server supports AES-NI.
[CVE-2016-2107]

If an attacker is able to supply very large amounts of input data then a
length check can overflow resulting in a heap corruption. [CVE-2016-2105]

Any application parsing untrusted data through d2i BIO functions is
vulnerable to a memory exhaustion attack. [CVE-2016-2109] TLS applications
are not affected.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart all daemons that use the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons that use the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patch
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patch.asc
# gpg --verify openssl-9.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r299053
releng/9.3/                                                       r299068
stable/10/                                                        r298999
releng/10.1/                                                      r299068
releng/10.2/                                                      r299067
releng/10.3/                                                      r299066
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
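
The CVE-2016-2107 description in the advisory above says the constant-time rewrite of the padding check no longer verified that the record held enough data for both the MAC and the padding. The following is an added example, not code from OpenSSL, FreeBSD or the advisory: a simplified C model in which `parse_record`, `run_sample`, the 20-byte MAC length and the 32-byte sample records are all assumptions constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN  20u        /* HMAC-SHA1 tag size; assumed for this model */
#define REJECTED LONG_MIN   /* sentinel: record refused */

/* Branch-free comparisons: all-ones when true, zero when false.
 * Correct for operands below 2^31, which the length cap guarantees. */
static uint32_t ct_lt(uint32_t a, uint32_t b) { return 0u - ((a - b) >> 31); }
static uint32_t ct_ge(uint32_t a, uint32_t b) { return ~ct_lt(a, b); }
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ct_lt(a ^ b, 1u); }

/* Scan the record tail without branching on secret data: every byte the
 * final pad-length byte claims as padding must equal that byte. The loop
 * bound depends only on the public record length. */
static uint32_t tail_is_padding(const uint8_t *rec, size_t len)
{
    uint32_t pad = rec[len - 1];
    size_t span = len < 256 ? len : 256;
    uint32_t good = ~0u;

    for (size_t i = 0; i < span; i++) {
        uint32_t claimed = ct_ge(pad, (uint32_t)i);      /* i <= pad */
        good &= ~claimed | ct_eq(rec[len - 1 - i], pad);
    }
    return good;
}

/* Decrypted layout: payload | MAC (MAC_LEN) | pad bytes | pad length.
 * Returns the payload length, or REJECTED. Verifying the MAC itself is
 * outside this model.
 *   enforce_bound == 0: padding bytes are checked, but not whether MAC and
 *                       padding both fit in the record (the flaw).
 *   enforce_bound == 1: pad may not exceed the room left after the MAC. */
static long parse_record(const uint8_t *rec, size_t len, int enforce_bound)
{
    if (len < MAC_LEN + 1u || len > 65535u)
        return REJECTED;

    uint32_t pad = rec[len - 1];
    uint32_t maxpad = (uint32_t)len - (MAC_LEN + 1u);
    uint32_t ok = tail_is_padding(rec, len);

    if (enforce_bound)                  /* public switch, not secret data */
        ok &= ct_ge(maxpad, pad);

    long payload = (long)len - (long)MAC_LEN - 1 - (long)pad;
    return ok ? payload : REJECTED;     /* the verdict is public anyway */
}

enum sample { SAMPLE_VALID, SAMPLE_ALL_PADDING, SAMPLE_BAD_PADDING };

/* Build one constructed 32-byte record (not captured traffic) and parse it. */
long run_sample(enum sample s, int enforce_bound)
{
    uint8_t rec[32];

    memset(rec, 0xAA, sizeof rec);          /* placeholder payload and MAC */
    switch (s) {
    case SAMPLE_VALID:                      /* 8 payload + 20 MAC + 4 padding */
        memset(rec + 28, 0x03, 4);
        break;
    case SAMPLE_ALL_PADDING:                /* pad = 31: 32 padding bytes, no MAC */
        memset(rec, 0x1f, sizeof rec);
        break;
    case SAMPLE_BAD_PADDING:                /* one padding byte altered */
        memset(rec + 28, 0x03, 4);
        rec[29] = 0x07;
        break;
    }
    return parse_record(rec, sizeof rec, enforce_bound);
}

int main(void)
{
    static const char *names[] = { "valid", "all-padding", "bad-padding" };

    for (int s = SAMPLE_VALID; s <= SAMPLE_BAD_PADDING; s++) {
        long before = run_sample((enum sample)s, 0);
        long after = run_sample((enum sample)s, 1);

        printf("%-12s before=", names[s]);
        if (before == REJECTED) printf("rejected"); else printf("%ld", before);
        printf(" after=");
        if (after == REJECTED) printf("rejected"); else printf("%ld", after);
        printf("\n");
    }
    return 0;
}
```

Without the bound, the all-padding record passes the padding check and yields a payload length of -20, so later steps would work on bytes the record does not contain; with the bound it is refused like any other malformed record.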

From: Mel Pilgrim
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:17.openssl
Date: Wed, 4 May 2016 19:32:18 -0700

On 5/4/2016 3:55 PM, FreeBSD Security Advisories wrote:
> FreeBSD-SA-16:17.openssl Security Advisory
> The FreeBSD Project

Something seems amiss with the update servers:

# freebsd-version
10.3-RELEASE-p1
# freebsd-update fetch
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 10.3-RELEASE from update6.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 10.3-RELEASE-p0.
#

Tried after emptying /var/db/freebsd-update

From: gabor@zahemszky.hu
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:17.openssl
Date: Thu, 05 May 2016 06:56:49 +0200

At 2016-05-05 04:32, Mel Pilgrim wrote:
> On 5/4/2016 3:55 PM, FreeBSD Security Advisories wrote:
>> FreeBSD-SA-16:17.openssl Security Advisory
>> The FreeBSD Project
>
> Something seems amiss with the update servers:

The same thing happened here.

Zahy < Gabor at Zahemszky dot HU >

>
> # freebsd-version
> 10.3-RELEASE-p1
> # freebsd-update fetch
> src component not installed, skipped
> Looking up update.FreeBSD.org mirrors... 4 mirrors found.
> Fetching metadata signature for 10.3-RELEASE from
> update6.freebsd.org... done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
>
> No updates needed to update system to 10.3-RELEASE-p0.
> #
>
> Tried after emptying /var/db/freebsd-update

From: Matthew Seaman
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:17.openssl
Date: Thu, 5 May 2016 10:50:37 +0100

On 05/05/16 05:56, gabor@zahemszky.hu wrote:
> At 2016-05-05 04:32, Mel Pilgrim wrote:
>> On 5/4/2016 3:55 PM, FreeBSD Security Advisories wrote:
>>> FreeBSD-SA-16:17.openssl Security Advisory
>>> The FreeBSD Project
>>
>> Something seems amiss with the update servers:
>
>
> The same thing happened here.
>
> Zahy < Gabor at Zahemszky dot HU >
>
>>
>> # freebsd-version
>> 10.3-RELEASE-p1
>> # freebsd-update fetch
>> src component not installed, skipped
>> Looking up update.FreeBSD.org mirrors... 4 mirrors found.
>> Fetching metadata signature for 10.3-RELEASE from
>> update6.freebsd.org... done.
>> Fetching metadata index... done.
>> Inspecting system... done.
>> Preparing to download files... done.
>>
>> No updates needed to update system to 10.3-RELEASE-p0.
>> #
>>
>> Tried after emptying /var/db/freebsd-update

Ditto. I also found that using freebsd-update to upgrade from
10.2-RELEASE to 10.3-RELEASE results in a 10.3-RELEASE-p1 system.
Cheers,

Matthew

--HIKdjiTGA0F0WHlvFOihgtv6RtUV0D27C--
--DNXXupWt65OFLsQObhucQprLsxPSC6ilk--

From owner-freebsd-security@freebsd.org Thu May 5 09:42:50 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3CC58B2EA4A for ; Thu, 5 May 2016 09:42:50 +0000 (UTC) (envelope-from nreilly@nreilly.com) Received: from mail-pf0-x22e.google.com (mail-pf0-x22e.google.com [IPv6:2607:f8b0:400e:c00::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1406A1BD2 for ; Thu, 5 May 2016 09:42:50 +0000 (UTC) (envelope-from nreilly@nreilly.com) Received: by mail-pf0-x22e.google.com with SMTP id c189so37189553pfb.3 for ; Thu, 05 May 2016 02:42:50 -0700 (PDT) X-Received: by 10.98.98.6 with SMTP id w6mr7658713pfb.0.1462441369599; Thu, 05 May 2016 02:42:49 -0700 (PDT) Received: from [172.16.1.144] ([202.83.101.188]) by smtp.gmail.com with ESMTPSA id e7sm12184943pfa.28.2016.05.05.02.42.47 for (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 05 May 2016 02:42:48 -0700 (PDT) From: Nathan Reilly X-Google-Original-From: Nathan Reilly Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\)) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:17.openssl In-Reply-To: Date: Thu, 5 May 2016 17:42:46 +0800 Content-Transfer-Encoding: quoted-printable Message-Id: References: <20160504225546.748191CFC@freefall.freebsd.org> To:
freebsd-security@freebsd.org X-Mailer: Apple Mail (2.3124) X-Mailman-Approved-At: Thu, 05 May 2016 11:27:15 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 May 2016 09:42:50 -0000

> On 5 May 2016, at 12:56 PM, gabor@zahemszky.hu wrote:
>
> At 2016-05-05 04:32, Mel Pilgrim wrote:
>> On 5/4/2016 3:55 PM, FreeBSD Security Advisories wrote:
>>> FreeBSD-SA-16:17.openssl Security Advisory
>>> The FreeBSD Project
>> Something seems amiss with the update servers:
>
>
> The same thing happened here.
>

Still present

> Zahy < Gabor at Zahemszky dot HU >
>
>> # freebsd-version
>> 10.3-RELEASE-p1
>> # freebsd-update fetch
>> src component not installed, skipped
>> Looking up update.FreeBSD.org mirrors... 4 mirrors found.
>> Fetching metadata signature for 10.3-RELEASE from update6.freebsd.org... done.
>> Fetching metadata index... done.
>> Inspecting system... done.
>> Preparing to download files... done.
>> No updates needed to update system to 10.3-RELEASE-p0.
>> #
>> Tried after emptying /var/db/freebsd-update

From owner-freebsd-security@freebsd.org Thu May 5 14:38:28 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2814BB2E8E3 for ; Thu, 5 May 2016 14:38:28 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 03E171D72 for ; Thu, 5 May 2016 14:38:27 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 93D822031C for ; Thu, 5 May 2016 10:38:26 -0400 (EDT) Received: from web4 ([10.202.2.214]) by compute6.internal (MEProxy); Thu, 05 May 2016 10:38:26 -0400 Received: by web4.nyi.internal (Postfix, from userid 99) id 71434108A55; Thu, 5
May 2016 10:38:26 -0400 (EDT) Message-Id: <1462459106.1988234.599085033.60BC901A@webmail.messagingengine.com> X-Sasl-Enc: /3qXPe0E6AYgnzQOkbnXVT+V44wVhAnqK6lXbsbD66L3 1462459106 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-140377c4 Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:17.openssl Date: Thu, 05 May 2016 09:38:26 -0500 In-Reply-To: References: <20160504225546.748191CFC@freefall.freebsd.org> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 May 2016 14:38:28 -0000

On Wed, May 4, 2016, at 21:32, Mel Pilgrim wrote:
> On 5/4/2016 3:55 PM, FreeBSD Security Advisories wrote:
> > FreeBSD-SA-16:17.openssl Security Advisory
> > The FreeBSD Project
>
> Something seems amiss with the update servers:
>
> # freebsd-version
> 10.3-RELEASE-p1
> # freebsd-update fetch
> src component not installed, skipped
> Looking up update.FreeBSD.org mirrors... 4 mirrors found.
> Fetching metadata signature for 10.3-RELEASE from update6.freebsd.org...
> done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
>
> No updates needed to update system to 10.3-RELEASE-p0.
> #
>
> Tried after emptying /var/db/freebsd-update
>

The freebsd-update mirrors do not have the latest updates for amd64 on any supported RELEASE. The i386 bits are there, but not amd64. I do not know if generating them failed or if something else happened that prevented their deployment. It appears the updates are pulled not pushed, so as soon as they are available on the master mirror they should be distributed within a few minutes.

I have emailed secteam@ about it but have not yet heard back.
--
Mark Felder
ports-secteam member
feld@FreeBSD.org

From owner-freebsd-security@freebsd.org Thu May 5 14:56:19 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A6075B2EF9D for ; Thu, 5 May 2016 14:56:19 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7E2C61945 for ; Thu, 5 May 2016 14:56:19 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 7384120852 for ; Thu, 5 May 2016 10:56:18 -0400 (EDT) Received: from web4 ([10.202.2.214]) by compute1.internal (MEProxy); Thu, 05 May 2016 10:56:18 -0400 Received: by web4.nyi.internal (Postfix, from userid 99) id 47AEF108FA8; Thu, 5 May 2016 10:56:18 -0400 (EDT) Message-Id: <1462460178.1993428.599107905.6B2C785D@webmail.messagingengine.com> X-Sasl-Enc: tveXyOoU79pG7Gs6YomgmG4ERThluBhfGYI9cpcj8nob 1462460178 From: Mark Felder To: Ian Smith , "Poul-Henning Kamp" Cc: freebsd-security@freebsd.org, Christian Weisgerber MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-140377c4 Subject: Re: FreeBSD Security Advisory
FreeBSD-SA-16:16.ntp Date: Thu, 05 May 2016 09:56:18 -0500 In-Reply-To: <20160504191704.L16195@sola.nimnet.asn.au> References: <20160429082953.DB31D1769@freefall.freebsd.org> <9e6342a420259fec7bd21d6222cc6e05@zahemszky.hu> <1461929003.67736.2.camel@yandex.com> <201604300015.u3U0FB3k058050@lorvorc.mips.inka.de> <46858.1462026437@critter.freebsd.dk> <20160504191704.L16195@sola.nimnet.asn.au> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 May 2016 14:56:19 -0000

On Wed, May 4, 2016, at 04:25, Ian Smith wrote:
> On Sat, 30 Apr 2016 14:27:17 +0000, Poul-Henning Kamp wrote:
>
> [..]
>
> > The best explanation of all this is John R. Vig's Quartz Tutorial
> > which is freely available on the web - highly recommended:
> >
> > http://www.am1.us/Local_Papers/U11625%20VIG-TUTORIAL.pdf
>
> This is one of the best scientific/engineering documents I've ever read;
> clearly written, almost painfully thorough and, dare I say, beautiful in
> presentation. Like a good novel, I couldn't put it aside, despite large
> swathes of it being well over my head.
>

I agree, this is fantastic!
-- Mark Felder ports-secteam member feld@FreeBSD.org From owner-freebsd-security@freebsd.org Thu May 5 15:00:10 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 930AAB2D17C for ; Thu, 5 May 2016 15:00:10 +0000 (UTC) (envelope-from jhs@berklix.com) Received: from slim.berklix.org (slim.berklix.org [94.185.90.68]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 122B01D4F for ; Thu, 5 May 2016 15:00:09 +0000 (UTC) (envelope-from jhs@berklix.com) Received: from mart.js.berklix.net (p5B22694B.dip0.t-ipconnect.de [91.34.105.75]) (authenticated bits=128) by slim.berklix.org (8.14.5/8.14.5) with ESMTP id u45EwRuD016775 for ; Thu, 5 May 2016 16:58:27 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id u45F04Cx037646 for ; Thu, 5 May 2016 17:00:04 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (localhost [127.0.0.1]) by fire.js.berklix.net (8.14.7/8.14.7) with ESMTP id u45Exqdt084086 for ; Thu, 5 May 2016 17:00:04 +0200 (CEST) (envelope-from jhs@berklix.com) Message-Id: <201605051500.u45Exqdt084086@fire.js.berklix.net> To: freebsd-security@freebsd.org Subject: Batching errata & advisories in heaps degrades security. From: "Julian H. 
Stacey" Organization: http://berklix.eu BSD Linux Unix Consultants, Munich Germany User-agent: EXMH on FreeBSD http://www.berklix.eu/free/ X-URL: http://www.berklix.eu/~jhs/cv/ Date: Thu, 05 May 2016 16:59:52 +0200 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 May 2016 15:00:10 -0000

Another bunch of Security alerts, degrades FreeBSD by being clumped together:

Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:17.openssl
Date: Wed, 4 May 2016 22:55:46 +0000 (UTC)

Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:06.libc
Date: Wed, 4 May 2016 22:56:31 +0000 (UTC)

Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:08.zfs
Date: Wed, 4 May 2016 22:56:40 +0000 (UTC)

Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:07.ipi
Date: Wed, 4 May 2016 22:56:35 +0000 (UTC)

I guess many recipients get tired of recent indigestible batches of
multiple FreeBSD Errata & think approx:

_Why_ have they been artificially batching in last years ?
I could spare time to interrupt work for one priority alert,
Not for a heap batched seconds apart ! _Why_ ?!
I have no time now to action all this heap ! Maybe later ...
( & meanwhile security @ FreeBSD could complacently think:
"We published all 4, if you don't immediately find time to
secure all 4 & someone abuses you, don't blame us !" )
Are they batched in delusion it will help FreeBSD public relations,
to not scare people with too many days with FreeBSD alerts ?
Batching _Degrades_ security. It is bad over-management,
FreeBSD was better previously without batching, publishing each
problem when analysed, Not held back for batching.

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich http://berklix.eu/jhs/
Mail plain text, No quoted-printable, HTML, base64, MS.doc.
Prefix old lines '> ' Reply below old, like play script. Break lines by 80. Brexit: Meeting +UK blocks votes of Brits in EU http://www.berklix.eu/brexit/ From owner-freebsd-security@freebsd.org Thu May 5 15:13:26 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BCC71B2D6A8 for ; Thu, 5 May 2016 15:13:26 +0000 (UTC) (envelope-from kaduk@mit.edu) Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 64AB41897 for ; Thu, 5 May 2016 15:13:26 +0000 (UTC) (envelope-from kaduk@mit.edu) X-AuditID: 12074425-c6bff70000005f72-41-572b61d12601 Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id E0.19.24434.1D16B275; Thu, 5 May 2016 11:08:02 -0400 (EDT) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id u45F81mu029099; Thu, 5 May 2016 11:08:01 -0400 Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u45F7uFW031555 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 5 May 2016 11:07:59 -0400 Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u45F7uX4026936; Thu, 5 May 2016 11:07:56 -0400 (EDT) Date: Thu, 5 May 2016 11:07:56 -0400 (EDT) From: Benjamin Kaduk To: "Julian H. Stacey" cc: freebsd-security@freebsd.org Subject: Re: Batching errata & advisories in heaps degrades security. 
In-Reply-To: <201605051500.u45Exqdt084086@fire.js.berklix.net> Message-ID: References: <201605051500.u45Exqdt084086@fire.js.berklix.net> User-Agent: Alpine 1.10 (GSO 962 2008-03-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 May 2016 15:13:26 -0000

On Thu, 5 May 2016, Julian H. Stacey wrote:

> Another bunch of Security alerts, degrades FreeBSD by being clumped together:
>
> I guess many recipients get tired of recent indigestible batches of
> multiple FreeBSD Errata & think approx:

I cannot recall whether you were participating in the discussion the last time this topic came up. Regardless, it feels like it was somewhat recent (a year or so).

> _Why_ have they been artificially batching in last years ?
> I could spare time to interrupt work for one priority alert,
> Not for a heap batched seconds apart ! _Why_ ?!
> I have no time now to action all this heap ! Maybe later ...
> ( & meanwhile security @ FreeBSD could complacently think:
> "We published all 4, if you don't immediately find time to
> secure all 4 & someone abuses you, don't blame us !" )
> Are they batched in delusion it will help FreeBSD public relations,
> to not scare people with too many days with FreeBSD alerts ?
> Batching _Degrades_ security. It is bad over-management,
> FreeBSD was better previously without batching, publishing each
> problem when analysed, Not held back for batching.

As a member of the security team for two projects (not FreeBSD's, though), I can say that it is a lot of behind-the-scenes work to put out advisories, and batching them reduces the unit cost of any given one.

I further note that this recent batch that you are complaining about, contained only one security advisory and three errata notices; the contents of the errata notices have been public for quite some time, and affected parties welcome to upgrade at their leisure [manually, without freebsd-update, of course].

We can perhaps agree to disagree about whether the batching is good, but I do not see much value in rehashing the same arguments periodically.
-Ben From owner-freebsd-security@freebsd.org Thu May 5 16:25:35 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E0823B2EF8F for ; Thu, 5 May 2016 16:25:35 +0000 (UTC) (envelope-from jhs@berklix.com) Received: from slim.berklix.org (slim.berklix.org [94.185.90.68]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 784891B0D for ; Thu, 5 May 2016 16:25:34 +0000 (UTC) (envelope-from jhs@berklix.com) Received: from mart.js.berklix.net (p5B22694B.dip0.t-ipconnect.de [91.34.105.75]) (authenticated bits=128) by slim.berklix.org (8.14.5/8.14.5) with ESMTP id u45GNwiV017796 for ; Thu, 5 May 2016 18:23:58 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id u45GPahN037899 for ; Thu, 5 May 2016 18:25:36 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (localhost [127.0.0.1]) by fire.js.berklix.net (8.14.7/8.14.7) with ESMTP id u45GPODc084944 for ; Thu, 5 May 2016 18:25:36 +0200 (CEST) (envelope-from jhs@berklix.com) Message-Id: <201605051625.u45GPODc084944@fire.js.berklix.net> To: freebsd-security@freebsd.org Subject: Re: Batching errata & advisories in heaps degrades security. From: "Julian H. Stacey" Organization: http://berklix.eu BSD Unix Linux Consultants, Munich Germany User-agent: EXMH on FreeBSD http://berklix.eu/free/ X-URL: http://www.berklix.eu In-reply-to: Your message "Thu, 05 May 2016 11:07:56 -0400." 
Date: Thu, 05 May 2016 18:25:24 +0200 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 May 2016 16:25:36 -0000

Benjamin Kaduk wrote:

> As a member of the security team for two projects (not FreeBSD's, though),
> I can say that it is a lot of behind-the-scenes work to put out
> advisories,

Of course.

> and batching them reduces the unit cost of any given one.

If so, their issue, not ours. Our concern is FreeBSD.

> the
> contents of the errata notices have been public for quite some time

URLs ? If info was complete early, delaying those announcement
degraded security of recipients. Batching also swamps recipients.

Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich http://berklix.eu/jhs/
Mail plain text, No quoted-printable, HTML, base64, MS.doc.
Prefix old lines '> ' Reply below old, like play script. Break lines by 80.
Brexit: Meeting +UK blocks votes of Brits in EU http://www.berklix.eu/brexit/

From owner-freebsd-security@freebsd.org Thu May 5 16:38:01 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2241EB2E3D7 for ; Thu, 5 May 2016 16:38:01 +0000 (UTC) (envelope-from killing@multiplay.co.uk) Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B61A91367 for ; Thu, 5 May 2016 16:38:00 +0000 (UTC) (envelope-from killing@multiplay.co.uk) Received: by mail-wm0-x233.google.com with SMTP id e201so27455645wme.0 for ; Thu, 05 May 2016 09:38:00 -0700 (PDT) X-Received: by 10.28.232.1 with SMTP id f1mr4481646wmh.6.1462466278653; Thu, 05 May 2016 09:37:58 -0700 (PDT) Received: from [10.10.1.58] (liv3d.labs.multiplay.co.uk. [82.69.141.171]) by smtp.gmail.com with ESMTPSA id i4sm10537180wjj.49.2016.05.05.09.37.57 for (version=TLSv1/SSLv3 cipher=OTHER); Thu, 05 May 2016 09:37:57 -0700 (PDT) Subject: Re: Batching errata & advisories in heaps degrades security. To: freebsd-security@freebsd.org References: <201605051625.u45GPODc084944@fire.js.berklix.net> From: Steven Hartland Message-ID: <3930e03c-f81b-1366-6c76-20549768cfe4@multiplay.co.uk> Date: Thu, 5 May 2016 17:37:56 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0 MIME-Version: 1.0 In-Reply-To: <201605051625.u45GPODc084944@fire.js.berklix.net> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.22 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 May 2016 16:38:01 -0000

On 05/05/2016 17:25, Julian H. Stacey wrote:
> Benjamin Kaduk wrote:
>
>> As a member of the security team for two projects (not FreeBSD's, though),
>> I can say that it is a lot of behind-the-scenes work to put out
>> advisories,
> Of course.
>
>> and batching them reduces the unit cost of any given one.
> If so, their issue, not ours. Our concern is FreeBSD.
>
>
>> the
>> contents of the errata notices have been public for quite some time
> URLs ? If info was complete early, delaying those announcement
> degraded security of recipients. Batching also swamps recipients.
>

Totally the opposite, it means one rollout instead of X rollouts making it simpler not harder.

From owner-freebsd-security@freebsd.org Thu May 5 17:01:27 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 67752B2EC79 for ; Thu, 5 May 2016 17:01:27 +0000 (UTC) (envelope-from eric@vangyzen.net) Received: from smtp.vangyzen.net (hotblack.vangyzen.net [199.48.133.146]) by mx1.freebsd.org (Postfix) with ESMTP id 4F5C213CC for ; Thu, 5 May 2016 17:01:23 +0000 (UTC) (envelope-from eric@vangyzen.net) Received: from sweettea.beer.town (unknown [76.164.8.130]) by smtp.vangyzen.net (Postfix) with ESMTPSA id 1635456ACE; Thu, 5 May 2016 12:01:23 -0500 (CDT) Subject: Re: Batching errata & advisories in heaps degrades security. References: <572B7ADB.6090500@FreeBSD.org> To: freebsd-security@FreeBSD.ORG, "Julian H. Stacey" From: Eric van Gyzen X-Forwarded-Message-Id: <572B7ADB.6090500@FreeBSD.org> Message-ID: <572B7C62.7050507@vangyzen.net> Date: Thu, 5 May 2016 12:01:22 -0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:38.0) Gecko/20100101 Thunderbird/38.7.1 MIME-Version: 1.0 In-Reply-To: <572B7ADB.6090500@FreeBSD.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 May 2016 17:01:27 -0000

Julian suggested that I share our private conversation:

Eric wrote:
> Regardless of my opinion on the topic, three of these are errata with no
> security implications, so the argument doesn't really apply in this context.

Julian wrote:
> Thanks Eric, fair point. So some of my argument doesn't apply,
> better for FreeBSD than I thought. :-) Still batching is bad,
> just not as bad as I thought, but still 3 errata swamp the security post.

On 05/05/2016 09:59, Julian H. Stacey wrote:
> Another bunch of Security alerts, degrades FreeBSD by being clumped together:
>
> Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:17.openssl
> Date: Wed, 4 May 2016 22:55:46 +0000 (UTC)
>
> Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:06.libc
> Date: Wed, 4 May 2016 22:56:31 +0000 (UTC)
>
> Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:08.zfs
> Date: Wed, 4 May 2016 22:56:40 +0000 (UTC)
>
> Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:07.ipi
> Date: Wed, 4 May 2016 22:56:35 +0000 (UTC)
>
> I guess many recipients get tired of recent indigestible batches of
> multiple FreeBSD Errata & think approx:
>
> _Why_ have they been artificially batching in last years ?
> I could spare time to interrupt work for one priority alert,
> Not for a heap batched seconds apart ! _Why_ ?!
> I have no time now to action all this heap ! Maybe later ...
> ( & meanwhile security @ FreeBSD could complacently think:
> "We published all 4, if you don't immediately find time to
> secure all 4 & someone abuses you, don't blame us !" )
> Are they batched in delusion it will help FreeBSD public relations,
> to not scare people with too many days with FreeBSD alerts ?
> Batching _Degrades_ security. It is bad over-management,
> FreeBSD was better previously without batching, publishing each
> problem when analysed, Not held back for batching.
>
> Cheers,
> Julian

From owner-freebsd-security@freebsd.org Thu May 5 19:14:37 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4F0CAB2EEAA for ; Thu, 5 May 2016 19:14:37 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 454C319A3 for ; Thu, 5 May 2016 19:14:36 +0000 (UTC) (envelope-from marquis@roble.com) Date: Thu, 5 May 2016 12:14:30 -0700 (PDT) From: Roger Marquis To: Steven Hartland cc: freebsd-security@freebsd.org Subject: Re: Batching errata & advisories in heaps degrades security. In-Reply-To: <3930e03c-f81b-1366-6c76-20549768cfe4@multiplay.co.uk> References: <201605051625.u45GPODc084944@fire.js.berklix.net> <3930e03c-f81b-1366-6c76-20549768cfe4@multiplay.co.uk> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 May 2016 19:14:37 -0000

> Totally the opposite, it means one rollout instead of X rollouts making it
> simpler not harder.

I don't know, isn't that the logic behind Microsoft's failed patch-Tuesdays? It's important not to confound security with usability. Any delay to a security advisory is an invitation to hackers. I don't think that's what end-users expect from FreeBSD much as the long arm of the NSA might want to make it so (primarily vis-a-vis CERT and NIST).
Those sites that don't care about security are well served by batching
but given the packaging of base it seems like there's no longer any
significant benefit.

Roger

From owner-freebsd-security@freebsd.org Thu May 5 23:01:08 2016
Date: Thu, 5 May 2016 16:01:02 -0700
From: Gleb Smirnoff
To: Mark Felder
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:17.openssl
Message-ID: <20160505230102.GM1369@FreeBSD.org>
References: <20160504225546.748191CFC@freefall.freebsd.org> <1462459106.1988234.599085033.60BC901A@webmail.messagingengine.com>
In-Reply-To: <1462459106.1988234.599085033.60BC901A@webmail.messagingengine.com>

On Thu, May 05, 2016 at 09:38:26AM -0500, Mark Felder wrote:
M> The freebsd-update mirrors do not have the latest updates for amd64 on
M> any supported RELEASE. The i386 bits are there, but not amd64. I do not
M> know if generating them failed or if something else happened that
M> prevented their deployment. It appears the updates are pulled not
M> pushed, so as soon as they are available on the master mirror they
M> should be distributed within a few minutes.
M>
M> I have emailed secteam@ about it but have not yet heard back.

Thanks to Colin Percival, now this is fixed.

--
Totus tuus, Glebius.

From owner-freebsd-security@freebsd.org Fri May 6 02:21:24 2016
Date: Thu, 5 May 2016 22:21:14 -0400 (EDT)
From: Benjamin Kaduk
To: "Julian H. Stacey"
cc: freebsd-security@freebsd.org
Subject: Re: Batching errata & advisories in heaps degrades security.
In-Reply-To: <201605051625.u45GPODc084944@fire.js.berklix.net>
References: <201605051625.u45GPODc084944@fire.js.berklix.net>

On Thu, 5 May 2016, Julian H. Stacey wrote:

> Benjamin Kaduk wrote:
>
> > As a member of the security team for two projects (not FreeBSD's, though),
> > I can say that it is a lot of behind-the-scenes work to put out
> > advisories,
>
> Of course.
>
> > and batching them reduces the unit cost of any given one.
>
> If so, their issue, not ours. Our concern is FreeBSD.

The potential for burnout of secteam is of significant concern for
FreeBSD.

> > the
> > contents of the errata notices have been public for quite some time
>
> URLs ? If info was complete early, delaying those announcements
> degraded security of recipients. Batching also swamps recipients.

My apologies; looking back at what I wrote it was not very clear.

What I mean is that the patches for ENs are already public well before
the EN announcement. The procedure for getting an EN approved is to
first merge the patch to the relevant stable branch, and then ask for
approval for an EN, with a pointer to the commit(s) in question.
However, it is not necessarily public that a given change on the stable
branch is going to qualify as an EN.

So, when I said (in the trimmed part) that "affected parties [are]
welcome to upgrade at their leisure", what I was trying to say was that
if (e.g.) you have systems that were tripping over the ZFS memory leak
from FreeBSD-EN-16:08.zfs, the patch you would need to fix it was
already in public Subversion on stable/10 or stable/9 (the dates in
question are listed in the EN). But it was not exactly publicized that
this was a major issue meriting an EN; someone would probably have to
watch the commit mail to see it.

Sorry for the confusion,

Ben

From owner-freebsd-security@freebsd.org Fri May 6 13:59:15 2016
From: Robert Ames
To: "freebsd-security@freebsd.org"
Subject: FreeBSD-EN-16:06
Date: Fri, 6 May 2016 09:58:06 -0400

This directory seems to be empty.

https://security.FreeBSD.org/patches/EN-16:06

From owner-freebsd-security@freebsd.org Fri May 6 14:56:46 2016
Date: Sat, 7 May 2016 00:56:34 +1000 (EST)
From: Ian Smith
To: Robert Ames
cc: "freebsd-security@freebsd.org"
Subject: Re: FreeBSD-EN-16:06
Message-ID: <20160507005308.G16195@sola.nimnet.asn.au>

On Fri, 6 May 2016 09:58:06 -0400, Robert Ames wrote:
> This directory seems to be empty.
>
> https://security.FreeBSD.org/patches/EN-16:06

Like that, yes.

From the (redirected?) parent directory it works here:

http://www.freebsd.org/security/patches/SA-16%3A06/

cheers, Ian

From owner-freebsd-security@freebsd.org Fri May 6 15:15:33 2016
Date: Fri, 6 May 2016 16:15:29 +0100
Message-Id: <201605061515.u46FFTRU009802@higson.cam.lispworks.com>
From: Martin Simmons
To: Ian Smith
CC: robertames@hotmail.com, freebsd-security@freebsd.org
In-reply-to: <20160507005308.G16195@sola.nimnet.asn.au> (message from Ian Smith on Sat, 7 May 2016 00:56:34 +1000 (EST))
Subject: Re: FreeBSD-EN-16:06
References: <20160507005308.G16195@sola.nimnet.asn.au>

>>>>> On Sat, 7 May 2016 00:56:34 +1000 (EST), Ian Smith said:
>
> On Fri, 6 May 2016 09:58:06 -0400, Robert Ames wrote:
>
> > This directory seems to be empty.
> >
> > https://security.FreeBSD.org/patches/EN-16:06
>
> Like that, yes.
>
> From the (redirected?) parent directory it works here:
>
> http://www.freebsd.org/security/patches/SA-16%3A06/

Yes, but SA and EN are different things.

__Martin

From owner-freebsd-security@freebsd.org Fri May 6 15:19:42 2016
Date: Sat, 7 May 2016 01:19:38 +1000 (EST)
From: Ian Smith
To: Robert Ames
cc: "freebsd-security@freebsd.org"
Subject: Re: FreeBSD-EN-16:06
In-Reply-To: <20160507005308.G16195@sola.nimnet.asn.au>
Message-ID: <20160507011554.W16195@sola.nimnet.asn.au>
References: <20160507005308.G16195@sola.nimnet.asn.au>

On Sat, 7 May 2016 00:56:34 +1000, Ian Smith wrote:
> On Fri, 6 May 2016 09:58:06 -0400, Robert Ames wrote:
>
> > This directory seems to be empty.
> >
> > https://security.FreeBSD.org/patches/EN-16:06
>
> Like that, yes.
>
> From the (redirected?) parent directory it works here:
>
> http://www.freebsd.org/security/patches/SA-16%3A06/

Sorry, EN != SA .. you're right; http or https.

From owner-freebsd-security@freebsd.org Fri May 6 21:34:34 2016
Date: Fri, 6 May 2016 14:34:33 -0700
From: Gleb Smirnoff
To: Robert Ames
Cc: "freebsd-security@freebsd.org"
Subject: Re: FreeBSD-EN-16:06
Message-ID: <20160506213433.GS1369@FreeBSD.org>

Robert,

On Fri, May 06, 2016 at 09:58:06AM -0400, Robert Ames wrote:
R> This directory seems to be empty.
R> https://security.FreeBSD.org/patches/EN-16:06

Should be fixed now. Thanks for the report and sorry for the inconvenience.

--
Totus tuus, Glebius.