From: Gary Palmer <gpalmer@freebsd.org>
To: "M. Schulte"
Cc: freebsd-security@freebsd.org
Date: Sun, 18 Nov 2012 13:04:21 -0500
Subject: Re: Recent security announcement and csup/cvsup?
Message-ID: <20121118180421.GF24320@in-addr.com>
References: <20121117150556.GE24320@in-addr.com>

On Sat, Nov 17, 2012 at 05:07:16PM +0100, M. Schulte wrote:
> Hi,
>
> > Can someone explain why the cvsup/csup infrastructure is considered
> > insecure [...]
>
> Speaking of cvsup security -- correct me if I'm wrong, but as far as I
> know cvsup is generally vulnerable to man-in-the-middle attacks[0]. Hence I'd
> be very happy about more and more people moving over to the portsnap
> camp.
>
> Best,
> mel
>
> [0] http://en.wikipedia.org/wiki/Portsnap
> http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-11/0287.html

While I haven't investigated its protocol in detail, I would tend to
suspect that svn is just as vulnerable, as AFAIK the FreeBSD SVN servers
are running in clear text mode. And yet we are being pushed towards SVN
for source access instead of cvsup.

portsnap is great if you can use the official ports tree without local
modifications. If you need to patch some ports locally (for whatever
reason) then I believe it is less helpful. cvs/svn let you update your
local ports tree while keeping your local changes.

In other words: while signed updates via freebsd-update and portsnap are
great for a good chunk of users, they don't address everyone's needs.

Regards,

Gary