From: Slawa Olhovchenkov
To: Jung-uk Kim
Cc: Mathieu Arnold, Andrey Chernov, FreeBSD-current, freebsd-security
Date: Tue, 1 Nov 2016 15:40:51 +0300
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <20161101124051.GK57876@zxy.spb.ru>
In-Reply-To: <9d8ac537-45bb-066a-956b-3f7c7e11bcb7@FreeBSD.org>

On Mon, Jul 18, 2016 at 12:39:46PM -0400, Jung-uk Kim wrote:
> On 07/18/16 08:12 AM, Mathieu Arnold wrote:
> > Hi,
> >
> > +--On 11 July 2016 22:56:00 +0300 Slawa Olhovchenkov wrote:
> > | On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
> > |> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
> > |> >     ${SSL_DEFAULT} == base
> > |> > BROKEN= OpenSSL from the base system does not support GOST, add \
> > |> >         DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> > |> >         that needs SSL.
> > |> > .endif
> > |>
> > |> FreeBSD 9.3 is still supported but GOST is not available there. It
> > |
> > | Thanks for clarifications.
> > |
> > |> seems the ports maintainer didn't want to break it on 9.3 (CC added).
> > |> Version check may be needed there.
> > |
> > | Thanks!
> >
> >
> > The idea is that you can't have mixed openssl usage. If you link half your
> > ports with openssl from base, and half with openssl from ports, you are
> > going to have dragons attacks, and core dumps. Also, if you are using
> > openssl from ports, you cannot use GSSAPI from base, for the same reasons.
>
> Exactly. That's why we should *allow* using base OpenSSL for 10.x and
> later because many packages are already linked against base OpenSSL by
> default.

Ports still refuse to GOST from base openssl.
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Wed, 2 Nov 2016 07:55:33 +0000 (UTC)
Subject: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh
Reply-To: freebsd-security@freebsd.org
Message-Id: <20161102075533.8BBA114B5@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-16:33.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH Remote Denial of Service vulnerability

Category:       contrib
Module:         OpenSSH
Announced:      2016-11-02
Affects:        All supported versions of FreeBSD.
Corrected:      2016-11-02 06:56:35 UTC (stable/11, 11.0-STABLE)
                2016-11-02 07:23:19 UTC (releng/11.0, 11.0-RELEASE-p3)
                2016-11-02 06:58:47 UTC (stable/10, 10.3-STABLE)
                2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12)
CVE Name:       CVE-2016-8858

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.

During the SSH handshake procedure, the client and server exchange the
supported encryption, MAC and compression algorithms, along with other
information to negotiate algorithms for the initial key exchange, in a
message named SSH_MSG_KEXINIT.

II.  Problem Description

When processing the SSH_MSG_KEXINIT message, the server could allocate
up to a few hundred megabytes of memory per connection, before any
authentication takes place.

III. Impact

A remote attacker may be able to cause an SSH server to allocate an
excessive amount of memory. Note that the default MaxStartups setting
on FreeBSD will limit the effectiveness of this attack.

IV.  Workaround

No workaround is available, but systems where sshd(8) is not used are
not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The sshd(8) service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The sshd(8) service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:33/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-16:33/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

The sshd(8) service has to be restarted after the update. A reboot is
recommended but not required.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r308199
releng/10.3/                                                      r308203
stable/11/                                                        r308198
releng/11.0/                                                      r308202
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Wed, 2 Nov 2016 07:55:36 +0000 (UTC)
Subject: FreeBSD Security Advisory FreeBSD-SA-16:34.bind
Reply-To: freebsd-security@freebsd.org
Message-Id: <20161102075536.B7CD01508@freefall.freebsd.org>
=============================================================================
FreeBSD-SA-16:34.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND Remote Denial of Service vulnerability

Category:       contrib
Module:         bind
Announced:      2016-11-02
Credits:        ISC
Affects:        FreeBSD 9.x
Corrected:      2016-11-02 05:13:27 UTC (stable/9, 9.3-STABLE)
                2016-11-02 07:24:34 UTC (releng/9.3, 9.3-RELEASE-p50)
CVE Name:       CVE-2016-8864

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

A defect in BIND's handling of responses containing a DNAME answer could
cause a resolver to exit after encountering an assertion failure in db.c
or resolver.c.

During processing of a recursive response that contains a DNAME record in
the answer section, BIND could stop executing after encountering an
assertion error in resolver.c.

III. Impact

A remote attacker who could cause a server to make a query deliberately
chosen to trigger the failed assertions could cause named(8) to stop,
resulting in a Denial of Service condition to its clients.

IV.  Workaround

No workaround is available, but hosts not running named(8) recursive
servers are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:34/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-16:34/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the named service, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r308193
releng/9.3/                                                       r308205
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Wed, 2 Nov 2016 07:55:41 +0000 (UTC)
Subject: FreeBSD Security Advisory FreeBSD-SA-16:35.openssl
Reply-To: freebsd-security@freebsd.org
Message-Id: <20161102075541.3A3FF154E@freefall.freebsd.org>
=============================================================================
FreeBSD-SA-16:35.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL Remote DoS vulnerability

Category:       contrib
Module:         openssl
Announced:      2016-11-02
Affects:        FreeBSD 9.x and FreeBSD 10.x.
Corrected:      2016-11-02 07:09:31 UTC (stable/10, 10.3-STABLE)
                2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12)
                2016-11-02 07:24:14 UTC (releng/10.2, 10.2-RELEASE-p25)
                2016-11-02 07:24:14 UTC (releng/10.1, 10.1-RELEASE-p42)
                2016-11-02 07:09:31 UTC (stable/9, 9.3-STABLE)
                2016-11-02 07:24:34 UTC (releng/9.3, 9.3-RELEASE-p50)
CVE Name:       CVE-2016-8610

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

The SSL alert protocol is a way to communicate problems within an SSL/TLS
session.

II.  Problem Description

Due to improper handling of alert packets, OpenSSL would consume an
excessive amount of CPU time processing undefined alert messages.

III. Impact

A remote attacker who can initiate handshakes with an OpenSSL-based server
can cause the server to consume a lot of computation power with very little
bandwidth usage, and may be able to use this technique in a leveraged Denial
of Service attack.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart all daemons that use the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons that use the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-9.patch
# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-9.patch.asc
# gpg --verify openssl-9.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r308200
releng/9.3/                                                       r308205
stable/10/                                                        r308200
releng/10.1/                                                      r308204
releng/10.2/                                                      r308204
releng/10.3/                                                      r308203
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
From: Borys Bezukladov
To: freebsd-security@freebsd.org
Cc: FreeBSD Security Advisories
Date: Wed, 2 Nov 2016 10:21:46 +0200
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:35.openssl
In-Reply-To: <20161102075541.3A3FF154E@freefall.freebsd.org>

On Wed, Nov 2, 2016 at 9:55 AM, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-16:35.openssl                                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          OpenSSL Remote DoS vulnerability
>
> Category:       contrib
> Module:         openssl
> Announced:      2016-11-02
> Affects:        FreeBSD 9.x and FreeBSD 10.x.
> CVE Name:       CVE-2016-8610
> [...]

--
Borys Bezukladov
Embedded Systems Developer
cell: +38 063 837 40 51

From: Martin Simmons
To: freebsd-security@freebsd.org
Date: Wed, 2 Nov 2016 13:57:17 GMT
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh
Message-Id: <201611021357.uA2DvHMW003088@higson.cam.lispworks.com>
In-reply-to: <20161102075533.8BBA114B5@freefall.freebsd.org>

>>>>> On Wed, 2 Nov 2016 07:55:33 +0000 (UTC), FreeBSD Security Advisories said:
>
>
============================================================================= > FreeBSD-SA-16:33.openssh Security Advisory > The FreeBSD Project > > Topic: OpenSSH Remote Denial of Service vulnerability > > Category: contrib > Module: OpenSSH > Announced: 2016-11-02 > Affects: All supported versions of FreeBSD. > Corrected: 2016-11-02 06:56:35 UTC (stable/11, 11.0-STABLE) > 2016-11-02 07:23:19 UTC (releng/11.0, 11.0-RELEASE-p3) > 2016-11-02 06:58:47 UTC (stable/10, 10.3-STABLE) > 2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12) > CVE Name: CVE-2016-8858 Should this be corrected in 10.1-RELEASE as well? I ask because Debian (https://security-tracker.debian.org/tracker/CVE-2016-8858) has marked it as vulnerable in OpenSSH 6.0 and OpenSSH 6.7 and it looks like 10.1-RELEASE contains OpenSSH 6.6, which I assume is also vulnerable. __Martin From owner-freebsd-security@freebsd.org Thu Nov 3 09:41:04 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2CF2EC2BAED for ; Thu, 3 Nov 2016 09:41:04 +0000 (UTC) (envelope-from kpaasial@gmail.com) Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A0F791395 for ; Thu, 3 Nov 2016 09:41:03 +0000 (UTC) (envelope-from kpaasial@gmail.com) Received: by mail-wm0-x230.google.com with SMTP id n67so88413439wme.1 for ; Thu, 03 Nov 2016 02:41:03 -0700 (PDT)
X-Received: by 10.28.216.17 with SMTP id p17mr7889782wmg.11.1478166062143; Thu, 03 Nov 2016 02:41:02 -0700 (PDT) MIME-Version: 1.0 Received: by 10.80.173.195 with HTTP; Thu, 3 Nov 2016 02:41:01 -0700 (PDT) In-Reply-To: <201611021357.uA2DvHMW003088@higson.cam.lispworks.com> References: <20161102075533.8BBA114B5@freefall.freebsd.org> <201611021357.uA2DvHMW003088@higson.cam.lispworks.com> From: Kimmo Paasiala Date: Thu, 3 Nov 2016 11:41:01 +0200 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh To: Martin Simmons Cc: freebsd-security Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Nov 2016 09:41:04 -0000 Both 10.1 and 10.2 are going to be unsupported by the end of this year, that's probably the reason the fix was not included in them.
https://www.freebsd.org/security/#sup -Kimmo On Wed, Nov 2, 2016 at 3:57 PM, Martin Simmons wrote: >>>>>> On Wed, 2 Nov 2016 07:55:33 +0000 (UTC), FreeBSD Security Advisories said: >> >> ============================================================================= >> FreeBSD-SA-16:33.openssh Security Advisory >> The FreeBSD Project >> >> Topic: OpenSSH Remote Denial of Service vulnerability >> >> Category: contrib >> Module: OpenSSH >> Announced: 2016-11-02 >> Affects: All supported versions of FreeBSD. >> Corrected: 2016-11-02 06:56:35 UTC (stable/11, 11.0-STABLE) >> 2016-11-02 07:23:19 UTC (releng/11.0, 11.0-RELEASE-p3) >> 2016-11-02 06:58:47 UTC (stable/10, 10.3-STABLE) >> 2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12) >> CVE Name: CVE-2016-8858 > > Should this be corrected in 10.1-RELEASE as well? > > I ask because Debian > (https://security-tracker.debian.org/tracker/CVE-2016-8858) has marked it as > vulnerable in OpenSSH 6.0 and OpenSSH 6.7 and it looks like 10.1-RELEASE > contains OpenSSH 6.6, which I assume is also vulnerable. 
> > __Martin > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Thu Nov 3 10:37:01 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EECE2C2D532 for ; Thu, 3 Nov 2016 10:37:01 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [81.2.117.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "infracaninophile.co.uk" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 665D417A2 for ; Thu, 3 Nov 2016 10:37:01 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from zero-gravitas.local (unknown [85.199.232.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: m.seaman@infracaninophile.co.uk) by smtp.infracaninophile.co.uk (Postfix) with ESMTPSA id DA61E121C for ; Thu, 3 Nov 2016 10:36:56 +0000 (UTC) Authentication-Results: smtp.infracaninophile.co.uk; dmarc=none header.from=FreeBSD.org Authentication-Results: smtp.infracaninophile.co.uk/DA61E121C; dkim=none; dkim-atps=neutral Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh To: freebsd-security@freebsd.org References: <20161102075533.8BBA114B5@freefall.freebsd.org> <201611021357.uA2DvHMW003088@higson.cam.lispworks.com> From: Matthew Seaman Message-ID: Date: Thu, 3 Nov 2016 10:36:50 +0000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha512; 
protocol="application/pgp-signature"; boundary="xIK6CJC8T56S2vxIUJlHNcNgK4p0hLT8x" X-Spam-Status: No, score=-0.4 required=5.0 tests=BAYES_00,RDNS_NONE, SPF_SOFTFAIL autolearn=no autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on smtp.infracaninophile.co.uk X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Nov 2016 10:37:02 -0000 On 2016/11/03 09:41, Kimmo Paasiala wrote: > Both 10.1 and 10.2 are going to be unsupported by the end of this > year, that's probably the reason the fix was not included in them. > > https://www.freebsd.org/security/#sup > Yes, but 10.1 and 10.2 are still supported for the next two months. That means they should get security patches where warranted until Dec 31st. There's no point in stating an EoL date if the end of the support lifetime is effectively a few months before that... If an advisory hasn't been issued for 10.1 and 10.2 that's because the Security Team currently don't think the problem applies to those versions.
It's possible SecTeam are mistaken and will need to update the advisory, but SecTeam are usually pretty accurate about these things. Cheers, Matthew From owner-freebsd-security@freebsd.org Fri Nov 4 08:41:19 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 272DCC2D666 for ; Fri, 4 Nov 2016 08:41:19 +0000 (UTC) (envelope-from koobs.freebsd@gmail.com) Received: from mail-pf0-x22e.google.com (mail-pf0-x22e.google.com [IPv6:2607:f8b0:400e:c00::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2"
(verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E7B1810FA; Fri, 4 Nov 2016 08:41:18 +0000 (UTC) (envelope-from koobs.freebsd@gmail.com) Received: by mail-pf0-x22e.google.com with SMTP id n85so48180595pfi.1; Fri, 04 Nov 2016 01:41:18 -0700 (PDT) X-Received: by 10.98.68.90 with SMTP id r87mr24833317pfa.19.1478248878084; Fri, 04 Nov 2016 01:41:18 -0700 (PDT) Received: from ?IPv6:2001:44b8:31ae:7b01:1c1a:5103:265d:bfaf? (2001-44b8-31ae-7b01-1c1a-5103-265d-bfaf.static.ipv6.internode.on.net.
[2001:44b8:31ae:7b01:1c1a:5103:265d:bfaf]) by smtp.gmail.com with ESMTPSA id l7sm18335082pfg.35.2016.11.04.01.41.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 04 Nov 2016 01:41:17 -0700 (PDT) Sender: Kubilay Kocak Reply-To: koobs@FreeBSD.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh To: freebsd-security@freebsd.org References: <20161102075533.8BBA114B5@freefall.freebsd.org> <201611021357.uA2DvHMW003088@higson.cam.lispworks.com> From: Kubilay Kocak Cc: FreeBSD Security Team Message-ID: <24ff198d-9bd2-9842-50d8-8a1d5e2ecf8a@FreeBSD.org> Date: Fri, 4 Nov 2016 19:39:53 +1100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Thunderbird/51.0a2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-AU Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Nov 2016 08:41:19 -0000 On 3/11/2016 9:36 PM, Matthew Seaman wrote: > On 2016/11/03 09:41, Kimmo Paasiala wrote: >> Both 10.1 and 10.2 are going to be unsupported by the end of this >> year, that's probably the reason the fix was not included in them. >> >> https://www.freebsd.org/security/#sup >> > > Yes, but 10.1 and 10.2 are still supported for the next two months. > That means they should get security patches where warranted until > Dec 31st. There's no point in stating an EoL date if the end of the > support lifetime is effectively a few months before that... > > If and advisory hasn't been issued for 10.1 and 10.2 that's because > the Security Team currently don't think the problem applies to those > versions. It's possible SecTeam are mistaken and will need to > update the advisory, but SecTeam are usually pretty accurate about > these things. 
> > Cheers, > > Matthew > > But everyone should always feel comfortable asking questions, particularly in matters of security and especially if things are left unsaid, unstated, implicit, or remain ambiguous. Security advisories should state explicitly when otherwise supported versions are not vulnerable. It's surprising this isn't already the case. How might this be improved for the future? ./koobs From owner-freebsd-security@freebsd.org Fri Nov 4 09:02:13 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 073DAC2E8F8 for ; Fri, 4 Nov 2016 09:02:13 +0000 (UTC) (envelope-from gregory.orange@calorieking.com) Received: from pandora.au.calorieking.net (mail.au.calorieking.net [115.70.179.114]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A87521046 for ; Fri, 4 Nov 2016 09:02:12 +0000 (UTC) (envelope-from gregory.orange@calorieking.com) Received: from pandora.au.calorieking.net (localhost [127.0.0.1]) by pandora.au.calorieking.net (Postfix) with ESMTP id 4397716D for ; Fri, 4 Nov 2016 17:02:02 +0800 (WST) X-Virus-Scanned: amavisd-new at calorieking.com Received: from pandora.au.calorieking.net ([127.0.0.1]) by pandora.au.calorieking.net (mail.au.calorieking.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yrFbG7BUDSDL for ; Fri, 4 Nov 2016 17:02:01 +0800 (WST) Received: from louis.dv.oranges.id.au (125-209-157-40.dyn.iinet.net.au [125.209.157.40]) by pandora.au.calorieking.net (Postfix) with ESMTPSA id BBE04E6 for ; Fri, 4 Nov 2016 17:02:01 +0800 (WST) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh To: freebsd-security@freebsd.org References: <20161102075533.8BBA114B5@freefall.freebsd.org> <201611021357.uA2DvHMW003088@higson.cam.lispworks.com> 
<24ff198d-9bd2-9842-50d8-8a1d5e2ecf8a@FreeBSD.org> From: Gregory Orange Message-ID: <79b7122f-3b1a-377f-42bf-bd2851c5e6ae@calorieking.com> Date: Fri, 4 Nov 2016 17:01:59 +0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 In-Reply-To: <24ff198d-9bd2-9842-50d8-8a1d5e2ecf8a@FreeBSD.org> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Nov 2016 09:02:13 -0000 On 04/11/16 16:39, Kubilay Kocak wrote: > Security advisories should state explicitly when otherwise supported > versions are not vulnerable. It's surprising this isn't already the case. I disagree. If none of the versions I have installed are listed, I don't read the rest of the advisory. Time saved. Listing them in a 'not affected' part of the message would add complexity and parsing for me - less time saved. Greg.
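The disagreement above turns on what absence from an advisory's "Corrected:" block means. The following POSIX sh script is an example added to this archive, not code from the thread or from the FreeBSD Security Team: it reads the Corrected block quoted at the top of the thread (embedded below as a constructed string, copied from the advisory text as quoted by Martin) and classifies a host's userland patch level, as printed by freebsd-version -u, as patched, vulnerable, or not-listed. The third state is the one the thread is arguing about: a release missing from the block is neither confirmed fixed nor confirmed unaffected, so the script says so rather than staying silent. Only releng/ entries, which carry a -pN patch level, are matched; stable/ branches are identified by commit date instead and are reported as not-listed here. The script name sa-check.sh in the comment is an assumed name.

```shell
#!/bin/sh
# Added example: classify a FreeBSD host against an advisory's "Corrected:" block.
# Not the project's own tooling. The block below is the text of
# FreeBSD-SA-16:33.openssh as quoted in the thread.

SA_CORRECTED='Corrected:      2016-11-02 06:56:35 UTC (stable/11, 11.0-STABLE)
                2016-11-02 07:23:19 UTC (releng/11.0, 11.0-RELEASE-p3)
                2016-11-02 06:58:47 UTC (stable/10, 10.3-STABLE)
                2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12)'

# Emit "<release> <patchlevel>" for every releng/ line, e.g. "10.3-RELEASE 12".
# stable/ lines carry no -pN suffix and are deliberately skipped.
corrected_releases() {
    printf '%s\n' "$SA_CORRECTED" |
        sed -n 's/.*(releng\/[0-9.]*, \([0-9.]*-RELEASE\)-p\([0-9]*\)).*/\1 \2/p'
}

# Usage: check_patchlevel "<output of freebsd-version -u>"
# Prints exactly one of: patched, vulnerable, not-listed
check_patchlevel() {
    ver=$1
    rel=${ver%-p*}                 # 10.3-RELEASE-p11 -> 10.3-RELEASE
    case $ver in
        *-p*) have=${ver##*-p} ;;  # 10.3-RELEASE-p11 -> 11
        *)    have=0 ;;            # a bare X.Y-RELEASE is patch level 0
    esac
    result=not-listed
    for entry in $(corrected_releases | tr ' ' ':'); do
        crel=${entry%:*}
        need=${entry#*:}
        [ "$crel" = "$rel" ] || continue
        if [ "$have" -ge "$need" ]; then
            result=patched
        else
            result=vulnerable
        fi
    done
    printf '%s\n' "$result"
}

# On a FreeBSD 10.0 or later host:  sh sa-check.sh "$(freebsd-version -u)"
if [ $# -gt 0 ]; then
    check_patchlevel "$1"
fi
```

A 10.1-RELEASE-p40 host, for instance, comes back as not-listed, which is the prompt to ask the list (as Martin did) rather than to assume either answer; a 10.3-RELEASE-p11 host comes back as vulnerable because the block requires p12.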
From owner-freebsd-security@freebsd.org Fri Nov 4 09:23:22 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D2DFEC2B80E for ; Fri, 4 Nov 2016 09:23:22 +0000 (UTC) (envelope-from Vladimir.Terziev@bwinparty.com) Received: from mgate03.itsfogo.com (mgate03.itsfogo.com [195.72.134.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (Client CN "*.itsfogo.com", Issuer "thawte SSL CA - G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 72AE11F02 for ; Fri, 4 Nov 2016 09:23:21 +0000 (UTC) (envelope-from Vladimir.Terziev@bwinparty.com) From: Vladimir Terziev To: Gregory Orange CC: "" Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh Thread-Topic: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh Thread-Index: AQHSNN7BbY0D6VxgfU+pGovJvHKQ76DFu4c+gAE2voCAAA+YAIABcaiAgAAGLYCAAAG6AA== Date: Fri, 4 Nov 2016 09:08:10 +0000 Message-ID: <97DEB29F-E625-4A74-9E1A-BC2A220DCF5A@bwinparty.com> References: <20161102075533.8BBA114B5@freefall.freebsd.org> <201611021357.uA2DvHMW003088@higson.cam.lispworks.com> <24ff198d-9bd2-9842-50d8-8a1d5e2ecf8a@FreeBSD.org> <79b7122f-3b1a-377f-42bf-bd2851c5e6ae@calorieking.com> In-Reply-To: <79b7122f-3b1a-377f-42bf-bd2851c5e6ae@calorieking.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: Apple Mail (2.1510) x-ms-exchange-messagesentrepresentingtype: 1 x-originating-ip: [10.138.239.254] Content-Type: text/plain; charset="us-ascii" Content-ID: <1F2AFFF1A4049E40A913E84742AB26F4@bwinparty.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailman-Approved-At: Fri, 04 Nov 2016 10:51:38 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Fri, 04 Nov 2016 09:23:22 -0000 Hi, if you look at the advisory, it states "Affects: All supported versions of FreeBSD.", while in the "Corrected" section 10.1 & 10.2 are missing. They are still supported, so the fix for them must be developed or they must be listed as not affected, if that's the case. Regards, Vladimir On Nov 4, 2016, at 11:01 AM, Gregory Orange wrote: > On 04/11/16 16:39, Kubilay Kocak wrote: >> Security advisories should state explicitly when otherwise supported >> versions are not vulnerable. It's surprising this isn't already the case. > I disagree. If none of the versions I have installed are listed, I don't read the rest of the advisory. Time saved. Listing them in a 'not affected' part of the message would add complexity and parsing for me - less time saved. > > Greg. > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Fri Nov 4 16:03:25 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E3AF4C2FA59 for ; Fri, 4 Nov 2016 16:03:25 +0000 (UTC) (envelope-from org.freebsd.security@io7m.com) Received: from mail.io7m.com (io7m.com [159.203.63.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.io7m.com", Issuer "arc7 CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id C76AB321 for ; Fri, 4 Nov 2016 16:03:24 +0000 (UTC) (envelope-from org.freebsd.security@io7m.com) Received: from copperhead.int.arc7.info (cust187-dsl61.idnet.net [212.69.61.187]) by mail.io7m.com (Postfix) with ESMTPSA id 9226918A61B for ; Fri, 4 Nov 2016 16:03:17 +0000 (UTC) Date: Fri, 4 Nov 2016
16:03:04 +0000 From: org.freebsd.security@io7m.com To: freebsd-security@freebsd.org Subject: Signatures for base.txz, kernel.txz, etc? Message-ID: <20161104160304.7e3e9815@copperhead.int.arc7.info> Organization: io7m.com MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; boundary="Sig_/eTpBogXs=zRmAZDX3I0j2Rp"; protocol="application/pgp-signature" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Nov 2016 16:03:26 -0000 Hello. Are there any plans to provide PGP signatures on base.txz, kernel.txz, and friends? Right now, the only (apparent) way to obtain them is via http://ftp.freebsd.org over unsecured HTTP (the HTTPS certificate is misconfigured; it's for download.freebsd.org) and no signature files are provided.
Regards, Mark From owner-freebsd-security@freebsd.org Fri Nov 4 16:09:32 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 28193C2FE38 for ; Fri, 4 Nov 2016 16:09:32 +0000 (UTC) (envelope-from gjb@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 1951A894; Fri, 4 Nov 2016 16:09:32 +0000 (UTC) (envelope-from gjb@FreeBSD.org) Received: from FreeBSD.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by freefall.freebsd.org (Postfix) with ESMTP id CCB451C58; Fri, 4 Nov 2016 16:09:31 +0000 (UTC) (envelope-from gjb@FreeBSD.org) Date: Fri, 4 Nov 2016 16:09:29 +0000 From: Glen Barber To: org.freebsd.security@io7m.com Cc: freebsd-security@freebsd.org Subject: Re: Signatures for base.txz, kernel.txz, etc?
Message-ID: <20161104160929.GF79915@FreeBSD.org> References: <20161104160304.7e3e9815@copperhead.int.arc7.info> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="f61P+fpdnY2FZS1u" Content-Disposition: inline In-Reply-To: <20161104160304.7e3e9815@copperhead.int.arc7.info> X-Operating-System: FreeBSD 11.0-CURRENT amd64 X-SCUD-Definition: Sudden Completely Unexpected Dataloss X-SULE-Definition: Sudden Unexpected Learning Event X-PEKBAC-Definition: Problem Exists, Keyboard Between Admin/Computer X-Spidey-Sense: Uh oh, Peter logged in User-Agent: Mutt/1.5.24 (2015-08-30) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Nov 2016 16:09:32 -0000 On Fri, Nov 04, 2016 at 04:03:04PM +0000, org.freebsd.security@io7m.com wrote: > Hello. > > Are there any plans to provide PGP signatures on base.txz, kernel.txz, > and friends? Right now, the only (apparent) way to obtain them is via > http://ftp.freebsd.org over unsecured HTTP (the HTTPS certificate is > misconfigured; it's for download.freebsd.org) and no signature files are > provided. > They are provided in the misc/freebsd-release-manifests port.
Glen From owner-freebsd-security@freebsd.org Fri Nov 4 17:08:09 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 20C45C303FC for ; Fri, 4 Nov 2016 17:08:09 +0000 (UTC) (envelope-from delphij@gmail.com) Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A8ECDDCA for ; Fri, 4 Nov 2016 17:08:08 +0000 (UTC) (envelope-from delphij@gmail.com) Received: by mail-wm0-x22b.google.com with SMTP id f82so3442504wmf.1 for ; Fri, 04 Nov 2016 10:08:08 -0700 (PDT)
X-Received: by 10.28.73.136 with SMTP id w130mr4694891wma.82.1478279286140; Fri, 04 Nov 2016 10:08:06 -0700 (PDT) MIME-Version: 1.0 Received: by 10.80.145.227 with HTTP; Fri, 4 Nov 2016 10:08:05 -0700 (PDT) In-Reply-To: <97DEB29F-E625-4A74-9E1A-BC2A220DCF5A@bwinparty.com> References: <20161102075533.8BBA114B5@freefall.freebsd.org> <201611021357.uA2DvHMW003088@higson.cam.lispworks.com> <24ff198d-9bd2-9842-50d8-8a1d5e2ecf8a@FreeBSD.org> <79b7122f-3b1a-377f-42bf-bd2851c5e6ae@calorieking.com> <97DEB29F-E625-4A74-9E1A-BC2A220DCF5A@bwinparty.com> From: Xin LI Date: Fri, 4 Nov 2016 10:08:05 -0700 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh To: Vladimir Terziev Cc: Gregory Orange , "" Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help:
List-Subscribe: , X-List-Received-Date: Fri, 04 Nov 2016 17:08:09 -0000 The issue was originally reported to us as affecting OpenSSH 6.8+ (reference: RedHat bugtracker https://bugzilla.redhat.com/show_bug.cgi?id=1384860), and therefore 9.3, 10.1 and 10.2 were not believed to be affected, so the "Affects: All supported versions of FreeBSD" was a mistake in the original advisory text. We will investigate if the statement is true and will issue patches for earlier FreeBSD releases, if they are confirmed to be affected. The patch for 10.x can be amended (change "ssh_dispatch_set" to "dispatch_set") to adapt to the earlier releases, by the way. On Fri, Nov 4, 2016 at 2:08 AM, Vladimir Terziev wrote: > Hi, > > if you look at the advisory, it states "Affects: All supported versions of FreeBSD.", while in the "Corrected" section 10.1 & 10.2 are missing. > > They are still supported, so the fix for them must be developed or they must be listed as not affected, if that's the case. > > > Regards, > > Vladimir > > > On Nov 4, 2016, at 11:01 AM, Gregory Orange wrote: > >> On 04/11/16 16:39, Kubilay Kocak wrote: >>> Security advisories should state explicitly when otherwise supported >>> versions are not vulnerable. It's surprising this isn't already the case. >> I disagree. If none of the versions I have installed are listed, I don't read the rest of the advisory. Time saved. Listing them in a 'not affected' part of the message would add complexity and parsing for me - less time saved. >> >> Greg. >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
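Returning to the "Signatures for base.txz, kernel.txz, etc?" exchange above: Glen Barber's answer points at the misc/freebsd-release-manifests port, and the check it implies is to compare a downloaded distribution set against the sha256 recorded in the release MANIFEST that the port installs. The POSIX sh below is an example added here, not the FreeBSD project's own code. It assumes, beyond what the thread states, that the port installs its files under /usr/local/share/freebsd/MANIFESTS/ (default PREFIX, names of the form arch-arch-version) and that each MANIFEST line is tab-separated as file, sha256, file count, short name, quoted description and on/off, the layout bsdinstall reads. The fixture written by make_fixture is constructed for this example: base.txz there is a six-byte text file, not a tarball, and the digests are not those of any release. The assurance this gives is only as strong as the way the ports tree itself was fetched; a MANIFEST pulled over the same plain-HTTP path as the tarball proves nothing.

```shell
#!/bin/sh
# Added example, not FreeBSD's own code: verify base.txz / kernel.txz against the
# sha256 column of a release MANIFEST (as installed by misc/freebsd-release-manifests).
# ASSUMED MANIFEST layout (tab-separated, what bsdinstall parses):
#   <file>  <sha256>  <file count>  <name>  "<description>"  <on|off>

# Print the sha256 of a file; FreeBSD has sha256(1), coreutils has sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Usage: manifest_digest MANIFEST base.txz  -> recorded sha256, or empty if unlisted
manifest_digest() {
    awk -F'\t' -v f="$2" '$1 == f { print $2; exit }' "$1"
}

# Usage: verify_dist MANIFEST DISTDIR FILE
# Prints ok | MISMATCH | UNLISTED and returns 0 | 1 | 2 respectively.
# An unlisted set is reported separately: "no digest to compare" is not "verified".
verify_dist() {
    want=$(manifest_digest "$1" "$3")
    if [ -z "$want" ]; then
        printf 'UNLISTED\n'
        return 2
    fi
    have=$(sha256_of "$2/$3")
    if [ "$have" = "$want" ]; then
        printf 'ok\n'
        return 0
    fi
    printf 'MISMATCH\n'
    return 1
}

# Constructed fixture for a stand-alone run: two fake distribution sets and a
# MANIFEST that records the right digest for one and a wrong digest for the other.
make_fixture() {
    printf 'hello\n' > "$1/base.txz"      # sha256 of "hello\n" is 5891b5b5...
    printf 'kernel\n' > "$1/kernel.txz"
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        base.txz 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
        1 base '"Base system (MANDATORY)"' on > "$1/MANIFEST"
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        kernel.txz 0000000000000000000000000000000000000000000000000000000000000000 \
        1 kernel '"Kernel (MANDATORY)"' on >> "$1/MANIFEST"
}

# Real use on FreeBSD (manifest path assumed, see lead-in):
#   verify_dist /usr/local/share/freebsd/MANIFESTS/amd64-amd64-11.0-RELEASE /path/to/dists base.txz
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_fixture "$d"
    for f in base.txz kernel.txz lib32.txz; do
        printf '%s: ' "$f"
        verify_dist "$d/MANIFEST" "$d" "$f" || :
    done
    rm -r "$d"
fi
```

Run with `sh verify-dist.sh demo` (the script name is assumed) to see the three outcomes on the fixture: base.txz verifies, kernel.txz mismatches, lib32.txz is not in the MANIFEST at all. The exit codes let the same function gate an unattended fetch-and-install step.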