From owner-freebsd-security@FreeBSD.ORG  Tue Oct 11 12:03:01 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 13EB516A41F;
	Tue, 11 Oct 2005 12:03:01 +0000 (GMT)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 16F5743D73;
	Tue, 11 Oct 2005 12:02:50 +0000 (GMT)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j9BC2oQ8081878;
	Tue, 11 Oct 2005 12:02:50 GMT
	(envelope-from security-advisories@freebsd.org)
Received: (from cperciva@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j9BC2obf081876;
	Tue, 11 Oct 2005 12:02:50 GMT
	(envelope-from security-advisories@freebsd.org)
Date: Tue, 11 Oct 2005 12:02:50 GMT
Message-Id: <200510111202.j9BC2obf081876@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to
	security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Precedence: bulk
Cc: 
Subject: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Reply-To: security-advisories@freebsd.org
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2005 12:03:01 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:21.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Potential SSL 2.0 rollback

Category:       contrib
Module:         openssl
Announced:      2005-10-11
Credits:        Yutaka Oiwa
Affects:        All FreeBSD releases.
Corrected:      2005-10-11 11:52:46 UTC (RELENG_6, 6.0-STABLE)
                2005-10-11 11:53:03 UTC (RELENG_6_0, 6.0-RELEASE)
                2005-10-11 11:52:01 UTC (RELENG_5, 5.4-STABLE)
                2005-10-11 11:52:28 UTC (RELENG_5_4, 5.4-RELEASE-p8)
                2005-10-11 11:52:13 UTC (RELENG_5_3, 5.3-RELEASE-p23)
                2005-10-11 11:50:50 UTC (RELENG_4, 4.11-STABLE)
                2005-10-11 11:51:45 UTC (RELENG_4_11, 4.11-RELEASE-p13)
                2005-10-11 11:51:20 UTC (RELENG_4_10, 4.10-RELEASE-p19)
CVE Name:       CAN-2005-2969

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The OpenSSL library implements the Secure Sockets Layer and Transport
Layer Security protocols, as well as providing a large number of basic
cryptographic functions.

The Secure Sockets Layer protocol exists in two versions and includes a
mechanism for negotiating the protocol version to be used.  If the
protocol is executed correctly, it is impossible for a client and
server both capable of the newer version of the protocol (SSLv3) to end
up using the older version of the protocol (SSLv2).

II.  Problem Description

In order to provide bug-for-bug compatibility with Microsoft Internet
Explorer 3.02, a verification step required by the Secure Sockets Layer
protocol can be disabled by using the SSL_OP_MSIE_SSLV2_RSA_PADDING
option in OpenSSL.  This option is implied by the frequently-used
SSL_OP_ALL option.

III. Impact

If the SSL_OP_MSIE_SSLV2_RSA_PADDING option is enabled in a server
application using OpenSSL, an attacker who is able to intercept and
tamper with packets transmitted between a client and the server can
cause the protocol version negotiation to result in SSLv2 being used
even when both the client and the server support SSLv3.  Due to a
number of weaknesses in the SSLv2 protocol, this may allow the attacker
to read or tamper with the encrypted data being sent.

Applications which do not support SSLv2, have been configured to not
permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
or SSL_OP_ALL options are not affected.

IV.  Workaround

No workaround is available.

V.   Solution

NOTE WELL: The solution described below causes OpenSSL to ignore the
SSL_OP_MSIE_SSLV2_RSA_PADDING option and hence to require conformance
with the Secure Sockets Layer protocol.  As a result, this solution
will reintroduce incompatibility with Microsoft Internet Explorer 3.02
and any other applications which exhibit the same protocol violation.

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:21/openssl.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:21/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html >.

Note that any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled.

All affected applications must be restarted for them to use the
corrected library.  Though not required, rebooting may be the easiest
way to accomplish this.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/crypto/openssl/crypto/opensslv.h                       1.1.1.1.2.11
  src/crypto/openssl/ssl/s23_srvr.c                               1.2.2.6
RELENG_4_11
  src/UPDATING                                             1.73.2.91.2.14
  src/sys/conf/newvers.sh                                  1.44.2.39.2.17
  src/crypto/openssl/crypto/opensslv.h                   1.1.1.1.2.10.4.1
  src/crypto/openssl/ssl/s23_srvr.c                           1.2.2.5.8.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.19
  src/sys/conf/newvers.sh                                  1.44.2.34.2.20
  src/crypto/openssl/crypto/opensslv.h                   1.1.1.1.2.10.2.1
  src/crypto/openssl/ssl/s23_srvr.c                           1.2.2.5.6.1
RELENG_5
  src/crypto/openssl/crypto/opensslv.h                     1.1.1.1.15.2.2
  src/crypto/openssl/ssl/s23_srvr.c                               1.7.6.1
RELENG_5_4
  src/UPDATING                                            1.342.2.24.2.17
  src/sys/conf/newvers.sh                                  1.62.2.18.2.13
  src/crypto/openssl/crypto/opensslv.h                   1.1.1.15.2.1.2.1
  src/crypto/openssl/ssl/s23_srvr.c                              1.7.10.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.26
  src/sys/conf/newvers.sh                                  1.62.2.15.2.28
  src/crypto/openssl/crypto/opensslv.h                       1.1.1.15.4.1
  src/crypto/openssl/ssl/s23_srvr.c                               1.7.8.1
RELENG_6
  src/crypto/openssl/ssl/s23_srvr.c                              1.7.12.1
  src/crypto/openssl/crypto/opensslv.h                       1.1.1.16.2.1
RELENG_6_0
  src/UPDATING                                             1.73.2.91.2.14
  src/crypto/openssl/crypto/opensslv.h                       1.1.1.16.4.1
  src/crypto/openssl/ssl/s23_srvr.c                              1.7.14.1
- -------------------------------------------------------------------------

VII. References

http://www.openssl.org/news/secadv_20051011.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:21.openssl.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDS6g2FdaIBMps37IRAr7CAJ9l7bq6Fy1l1bN2LRUS0bXqi+aKKACfW1Sj
JCNxiTF4GT/oV2EMDnIs0gc=
=j+YS
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG  Tue Oct 11 13:09:23 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C191816A420
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 13:09:23 +0000 (GMT)
	(envelope-from jimmy@inet-solutions.be)
Received: from mail.ihosting.be (vero.ihosting.be [83.217.81.43])
	by mx1.FreeBSD.org (Postfix) with SMTP id 25C7043D72
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 13:09:10 +0000 (GMT)
	(envelope-from jimmy@inet-solutions.be)
Received: (qmail 9938 invoked by uid 1033); 11 Oct 2005 13:14:41 -0000
Received: from jimmy@inet-solutions.be by excalibur.hyprotech.be by uid 1016
	with qmail-scanner-1.20st 
	(clamscan: 0.75. spamassassin: 2.63.  Clear:RC:1(127.0.0.1):. 
	Processed in 0.0097 secs); 11 Oct 2005 13:14:41 -0000
Received: from localhost (HELO vero.ihosting.be) (127.0.0.1)
	by mail.ihosting.be with SMTP; 11 Oct 2005 13:14:41 -0000
Received: (from jimmy@inet-solutions.be)
	by vero.ihosting.be (mini_sendmail/1.3.5 16nov2003);
	Tue, 11 Oct 2005 15:14:41 CEST
	(sender jimmy@inet-solutions.be by using webserver vero.ihosting.be
	path /www/ihosting/horde.ihosting.be/imp - report abuse to
	abuse@boxke.be)
Received: from 194.78.143.3 ([194.78.143.3]) 
	by webmail.boxke.be (IMP) with HTTP 
	for <jimmy@inet-solutions.be@83.217.81.43>;
	Tue, 11 Oct 2005 15:14:41 +0200
Message-ID: <1129036481.434bbac1720a6@webmail.boxke.be>
Date: Tue, 11 Oct 2005 15:14:41 +0200
From: jimmy@inet-solutions.be
To: freebsd-security@freebsd.org
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
In-Reply-To: <200510111202.j9BC2obf081876@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.3
X-Originating-IP: 194.78.143.3
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
X-List-Received-Date: Tue, 11 Oct 2005 13:09:23 -0000

Quoting FreeBSD Security Advisories <security-advisories@freebsd.org>:

> =============================================================================
> FreeBSD-SA-05:21.openssl                                    Security Advisory
>                                                           The FreeBSD Project
[..]
>
> c) Recompile the operating system as described in
> <URL:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html >.

Is there any reason why one would need to compile the whole operating system?
I can understand that statically linked apps need to be recompiled, but are
there actually any at all (and linked against openssl)?

Kind regards,
Jimmy Scott

----------------------------------------------------------------
This message has been sent through ihosting.be
To report spamming or other unaccepted behavior
by a iHosting customer, please send a message 
to abuse@ihosting.be
----------------------------------------------------------------
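
The question above (which statically linked binaries exist and link against OpenSSL) is answerable by scanning the system. The POSIX sh script below is an added example; it is not code from the advisory or from anyone in this thread. It walks the directories given on the command line (the usual Ports Collection prefixes are the intended arguments), keeps the executables that file(1) reports as statically linked, and prints those that embed an OpenSSL version string, since a static binary carries its own copy of the libcrypto/libssl code and does not pick up the patched libraries in /usr/lib until it is rebuilt. Assumptions: file(1) uses the words "statically linked", grep(1) supports -a and -o, and libcrypto embeds a string of the form "OpenSSL <version> <date>"; the function names are my own.

```shell
#!/bin/sh
# Added example (not code from the advisory or from anyone in this thread):
# find statically linked executables outside the base system that embed an
# OpenSSL version string. Such binaries carry their own copy of the
# libcrypto/libssl code, so patching and rebuilding the libraries in /usr/lib
# does not fix them; they have to be rebuilt themselves.
#
# Assumptions: POSIX sh; file(1) describes static executables with the words
# "statically linked"; grep(1) accepts -a (treat binary as text) and -o
# (print only the matched part); libcrypto embeds "OpenSSL <version> <date>".

# Return 0 when one line of file(1) output describes a statically linked
# executable, 1 otherwise.
is_static_file_line() {
    case "$1" in
        *"statically linked"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the distinct OpenSSL version strings embedded in a file, one per line,
# e.g. "OpenSSL 0.9.7d". Prints nothing when the file contains none.
embedded_openssl_version() {
    grep -a -o 'OpenSSL [0-9][0-9A-Za-z.]*' "$1" 2>/dev/null | sort -u
}

# Print "path<TAB>version[,version...]" when the file is a statically linked
# executable embedding OpenSSL; return 0 on a hit, 1 otherwise.
report_static_openssl_binary() {
    desc=$(file "$1" 2>/dev/null) || return 1
    is_static_file_line "$desc" || return 1
    ver=$(embedded_openssl_version "$1" | paste -s -d ',' -)
    [ -n "$ver" ] || return 1
    printf '%s\t%s\n' "$1" "$ver"
}

# Walk each directory given as an argument and report every hit. The owner
# execute bit (-perm -100) keeps the scan to files that are meant to run.
scan_static_openssl() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -perm -100 2>/dev/null | while IFS= read -r f; do
            report_static_openssl_binary "$f" || :
        done
    done
}

# Usage: sh find-static-openssl.sh /usr/local/bin /usr/local/sbin /usr/local/libexec
# Each line printed names a binary to rebuild, together with the OpenSSL
# version it embeds; compare that against the version of the patched library.
[ "$#" -eq 0 ] || scan_static_openssl "$@"
```

The scan only covers the case the advisory names, binaries that statically link the base system's OpenSSL. A port that is dynamically linked against a separate OpenSSL installed under /usr/local/lib is not fixed by patching the base library either; that port's OpenSSL has to be updated on its own.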

From owner-freebsd-security@FreeBSD.ORG  Tue Oct 11 13:30:54 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A5F5A16A421
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 13:30:54 +0000 (GMT) (envelope-from jere@htnet.hr)
Received: from ls405.htnet.hr (ls405.htnet.hr [195.29.150.97])
	by mx1.FreeBSD.org (Postfix) with ESMTP id ED8D143D46
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 13:30:53 +0000 (GMT) (envelope-from jere@htnet.hr)
Received: from ls422.t-com.hr (ls422.t-com.hr [195.29.150.237])
	by ls405.htnet.hr (0.0.0/8.12.10) with ESMTP id j9BDUcX3032165;
	Tue, 11 Oct 2005 15:30:46 +0200
Received: from ls422.t-com.hr (localhost.localdomain [127.0.0.1])
	by ls422.t-com.hr (Qmlai) with ESMTP id BF58A988043;
	Tue, 11 Oct 2005 15:30:46 +0200 (CEST)
X-Envelope-Sender: jere@htnet.hr
X-Envelope-Sender: jere@htnet.hr
Received: from ls422.t-com.hr (localhost.localdomain [127.0.0.1])
	by ls422.t-com.hr (Qmlai) with ESMTP id A99B7988042;
	Tue, 11 Oct 2005 15:30:46 +0200 (CEST)
Received: from [195.29.148.251] (bla.htnet.hr [195.29.148.251])
	by ls422.t-com.hr (Qmlai) with ESMTP id 6AFE28B8071;
	Tue, 11 Oct 2005 15:30:46 +0200 (CEST)
Message-ID: <434BBF09.6040101@htnet.hr>
Date: Tue, 11 Oct 2005 15:32:57 +0200
From: jere <jere@htnet.hr>
Organization: bla
User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050428)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: jimmy@inet-solutions.be
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<1129036481.434bbac1720a6@webmail.boxke.be>
In-Reply-To: <1129036481.434bbac1720a6@webmail.boxke.be>
X-Enigmail-Version: 0.89.6.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Tue, 11 Oct 2005 13:38:52 +0000
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
X-List-Received-Date: Tue, 11 Oct 2005 13:30:54 -0000

Unfortunately, this is the dark side of FreeBSD security patch 
management :)  and I think also the main reason FreeBSD isn't so widely 
deployed in enterprise environments. It's ok for hacking or managing a 
few boxes, but try to imagine how to manage security on hundreds of them 
this way. :(

On the other side (the bright side :) you can try to use unofficial and 
often somewhat slowly updated solutions such as bsdupdate 
(www.bsdupdates.com) or freebsd-update (from the ports tree).

Currently, FreeBSD just doesn't have a mechanism to handle security 
advisories in a quick way.

Any suggestions/corrections?

j.

jimmy@inet-solutions.be wrote:
> Quoting FreeBSD Security Advisories <security-advisories@freebsd.org>:
> 
> 
>>=============================================================================
>>FreeBSD-SA-05:21.openssl                                    Security Advisory
>>                                                          The FreeBSD Project
> 
> [..]
> 
>>c) Recompile the operating system as described in
>><URL:
>>http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html >.
> 
> 
> Is there any reason why one would need to compile the whole operating system?
> I can understand that static linked apps need to be recompiled, but which
> are there actually any at all (and linked against openssl)?
> 
> Kind regards,
> Jimmy Scott
> 
> ----------------------------------------------------------------
> This message has been sent through ihosting.be
> To report spamming or other unaccepted behavior
> by a iHosting customer, please send a message 
> to abuse@ihosting.be
> ----------------------------------------------------------------
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
> 

From owner-freebsd-security@FreeBSD.ORG  Tue Oct 11 14:33:38 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 72D6216A42F
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 14:33:38 +0000 (GMT)
	(envelope-from vaida.bogdan@gmail.com)
Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.196])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DBA7943D48
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 14:33:37 +0000 (GMT)
	(envelope-from vaida.bogdan@gmail.com)
Received: by zproxy.gmail.com with SMTP id z31so346909nzd
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 07:33:37 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
	h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
	b=a2ifJcCtSDnwA1DpN0GoBPOeMhQEdbsBZ8MTJMdz9Imh3YbFymAeNnazfLm94IVqjRGkC56zzYVhuVuQyM0IH8MUxWK7TgNAqfxYLnVfgZjyl5Nc+2fqJfjnaw2PnGv8rfHECzZgUgOnVG3/tBzYrzg1Zwj22Arc9sDmXrm+zZY=
Received: by 10.36.227.26 with SMTP id z26mr1119864nzg;
	Tue, 11 Oct 2005 07:33:37 -0700 (PDT)
Received: by 10.36.251.23 with HTTP; Tue, 11 Oct 2005 07:33:37 -0700 (PDT)
Message-ID: <12848a3b0510110733y552771b4l5c332a59fd835ec3@mail.gmail.com>
Date: Tue, 11 Oct 2005 14:33:37 +0000
From: Vaida Bogdan <vaida.bogdan@gmail.com>
To: Bret Walker <bret-walker@northwestern.edu>
In-Reply-To: <4339E416.8050300@northwestern.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
References: <Pine.BSF.4.44.0509242146130.60044-100000@home.fake.net>
	<4337A962.6020600@gmail.com> <4339E416.8050300@northwestern.edu>
Cc: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: 5.X Tripwire Policy File
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
X-List-Received-Date: Tue, 11 Oct 2005 14:33:38 -0000

I would be interested in the answer too. An unofficial FreeBSD
tripwire file posted somewhere + a forum to discuss changes would
also be interesting.

On 9/28/05, Bret Walker <bret-walker@northwestern.edu> wrote:
> Hello all.
>
> I am just setting up my first 5.X box, and I'm in the process of fine
> tuning my tripwire policy file.
>
> I am much more familiar with 4.X than I am with 5, so I'm worried that I
> may be missing a critical element of 5.X in my policy file.  Cy (the
> tripwire port maintainer) updated the policy file to a certain extent,
> but I would appreciate it if those on the security list would provide
> some more feedback as to what should definitely be in a tripwire policy
> file for a 5.X box.
>
> I know most good sysadmins use tripwire, so I think it would be good to
> have a well thought out policy file for 5.X that others may use as well.
>
> I've attached mine to this message.
>
> Thanks,
> Bret
>
>
> #
> #                       Policy file for FreeBSD
> #
> # $FreeBSD: ports/security/tripwire/files/twpol.txt,v 1.3 2005/08/09 18:2=
4:15 cy Exp $
>
>
> #
> # This is the example Tripwire Policy file.  It is intended as a place to
> # start creating your own custom Tripwire Policy file.  Referring to it a=
s
> # well as the Tripwire Policy Guide should give you enough information to
> # make a good custom Tripwire Policy file that better covers your
> # configuration and security needs.  A text version of this policy file i=
s
> # called twpol.txt.
> #
> # Note that this file is tuned to an install of FreeBSD using
> # buildworld.  If run unmodified, this file should create no errors on
> # database creation, or violations on a subsiquent integrity check.
> # However it is impossible for there to be one policy file for all machin=
es,
> # so this existing one errs on the side of security.  Your FreeBSD
> # configuration will most likey differ from the one our policy file was
> # tuned to, and will therefore require some editing of the default
> # Tripwire Policy file.
> #
> # The example policy file is best run with 'Loose Directory Checking'
> # enabled. Set LOOSEDIRECTORYCHECKING=3DTRUE in the Tripwire Configuratio=
n
> # file.
> #
> # Email support is not included and must be added to this file.
> # Add the 'emailto=3D' to the rule directive section of each rule (add a =
comma
> # after the 'severity=3D' line and add an 'emailto=3D' and include the em=
ail
> # addresses you want the violation reports to go to).  Addresses are
> # semi-colon delimited.
> #
>
>
>
> #
> # Global Variable Definitions
> #
> # These are defined at install time by the installation script.  You may
> # Manually edit these if you are using this file directly and not from th=
e
> # installation script itself.
> #
>
> @@section GLOBAL
> TWDOCS=3D"/usr/local/share/doc/tripwire";
> TWBIN=3D"/usr/local/sbin";
> TWPOL=3D"/usr/local/etc/tripwire";
> TWDB=3D"/var/db/tripwire";
> TWSKEY=3D"/usr/local/etc/tripwire";
> TWLKEY=3D"/usr/local/etc/tripwire";
> TWREPORT=3D"/var/db/tripwire/report";
> HOSTNAME=3Dspeedy.medill.northwestern.edu;
>
> @@section FS
> SEC_CRIT      =3D $(IgnoreNone)-SHa ;  # Critical files that cannot chang=
e
> SEC_SUID      =3D $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID f=
lags set
> SEC_BIN       =3D $(ReadOnly) ;        # Binaries that should not change
> SEC_CONFIG    =3D $(Dynamic) ;         # Config files that are changed in=
frequently but accessed often
> SEC_TTY    =3D $(Dynamic)-ugp ;        # Tty files that change ownership =
at login
> SEC_LOG       =3D $(Growing) ;         # Files that grow, but that should=
 never change ownership
> SEC_INVARIANT =3D +tpug ;              # Directories that should never ch=
ange permission or ownership
> SIG_LOW       =3D 33 ;                 # Non-critical files that are of m=
inimal security impact
> SIG_MED       =3D 66 ;                 # Non-critical files that are of s=
ignificant security impact
> SIG_HI        =3D 100 ;                # Critical files that are signific=
ant points of vulnerability
>
>
> # Tripwire Binaries
> (
>   rulename =3D "Tripwire Binaries",
>   severity =3D $(SIG_HI)
> )
> {
>   $(TWBIN)/siggen                      -> $(SEC_BIN) ;
>   $(TWBIN)/tripwire                    -> $(SEC_BIN) ;
>   $(TWBIN)/twadmin                     -> $(SEC_BIN) ;
>   $(TWBIN)/twprint                     -> $(SEC_BIN) ;
> }
>
> # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports,=
 Databases
> (
>   rulename =3D "Tripwire Data Files",
>   severity =3D $(SIG_HI)
> )
> {
>   # NOTE: We remove the inode attribute because when Tripwire creates a b=
ackup,
>   # it does so by renaming the old file and creating a new one (which wil=
l
>   # have a new inode number).  Inode is left turned on for keys, which sh=
ouldn't
>   # ever change.
>
>   # NOTE: The first integrity check triggers this rule and each integrity=
 check
>   # afterward triggers this rule until a database update is run, since th=
e
>   # database file does not exist before that point.
>
>   $(TWDB)                              -> $(SEC_CONFIG) -i ;
>   $(TWPOL)/tw.pol                      -> $(SEC_BIN) -i ;
>   $(TWPOL)/tw.cfg                      -> $(SEC_BIN) -i ;
>   $(TWPOL)/twcfg.txt                   -> $(SEC_BIN) ;
>   $(TWPOL)/twpol.txt                   -> $(SEC_BIN) ;
>   $(TWLKEY)/$(HOSTNAME)-local.key      -> $(SEC_BIN) ;
>   $(TWSKEY)/site.key                   -> $(SEC_BIN) ;
>
>   #don't scan the individual reports
>   $(TWREPORT)                          -> $(SEC_CONFIG) (recurse=3D0) ;
> }
>
>
> # Tripwire HQ Connector Binaries
> #(
> #  rulename =3D "Tripwire HQ Connector Binaries",
> #  severity =3D $(SIG_HI)
> #)
> #{
> #  $(TWBIN)/hqagent                     -> $(SEC_BIN) ;
> #}
> #
> # Tripwire HQ Connector - Configuration Files, Keys, and Logs
>
> #
> # Note: File locations here are different than in a stock HQ Connector
> # installation.  This is because Tripwire 2.3 uses a different path
> # structure than Tripwire 2.2.1.
> #
> # You may need to update your HQ Agent configuation file (or this policy
> # file) to correct the paths.  We have attempted to support the FHS stand=
ard
> # here by placing the HQ Agent files similarly to the way Tripwire 2.3
> # places them.
> #
>
> #(
> #  rulename =3D "Tripwire HQ Connector Data Files",
> #  severity =3D $(SIG_HI)
> #)
> #{
> #
> # # NOTE: Removing the inode attribute because when Tripwire creates a ba=
ckup
> # # it does so by renaming the old file and creating a new one (which wil=
l
> # # have a new inode number).  Leaving inode turned on for keys, which
> # # shouldn't ever change.
> #
> #
> #  $(TWBIN)/agent.cfg                   -> $(SEC_BIN) -i ;
> #  $(TWLKEY)/authentication.key         -> $(SEC_BIN) ;
> #  $(TWDB)/tasks.dat                    -> $(SEC_CONFIG) ;
> #  $(TWDB)/schedule.dat                 -> $(SEC_CONFIG) ;
> #
> #  # Uncomment if you have agent logging enabled.
> #  #/var/log/tripwire/agent.log      -> $(SEC_LOG) ;
> #}
>
>
>
> # Commonly accessed directories that should remain static with regards to=
 owner and group
> (
>   rulename =3D "Invariant Directories",
>   severity =3D $(SIG_MED)
> )
> {
>   /                                    -> $(SEC_INVARIANT) (recurse =3D f=
alse) ;
>   /home                                -> $(SEC_INVARIANT) (recurse =3D f=
alse) ;
> }
>
> #
> # First, root's "home"
> #
>
> (
>   rulename =3D "Root's home",
>   severity =3D $(SIG_HI)
> )
> {
>   # /.rhosts                            -> $(SEC_CRIT) ;
>   /.profile                             -> $(SEC_CRIT) ;
>   /.cshrc                               -> $(SEC_CRIT) ;
> #  /.login                              -> $(SEC_CRIT) ;
>   # /.exrc                              -> $(SEC_CRIT) ;
>   # /.logout                            -> $(SEC_CRIT) ;
>   # /.forward                           -> $(SEC_CRIT) ;
>   /root                                 -> $(SEC_CRIT) (recurse =3D true)=
 ;
>   !/root/.history ;
>   !/root/.bash_history ;
>   # !/root/.lsof_SYSTEM_NAME ;  # Uncomment if lsof is installed
> }
>
>
> #
> # FreeBSD Kernel
> #
>
> (
>   rulename =3D "FreeBSD Kernel",
>   severity =3D $(SIG_HI)
> )
> {
>   # /boot is used by FreeBSD 5.X+
>   /boot                                 -> $(SEC_CRIT) ;
>   # /kernel is used by FreeBSD 4.X
> #  /kernel                              -> $(SEC_CRIT) ;
> #  /kernel.old                          -> $(SEC_CRIT) ;
> #  /kernel.GENERIC                      -> $(SEC_CRIT) ;
> }
>
>
> #
> # FreeBSD Modules
> #
>
> (
>   rulename =3D "FreeBSD Modules",
>   severity =3D $(SIG_HI)
> )
> {
>   # /modules is used by FreeBSD 4.X
> #  /modules                             -> $(SEC_CRIT) (recurse =3D true)=
 ;
> #  /modules.old                         -> $(SEC_CRIT) (recurse =3D true)=
 ;
>   # /lkm is used by FreeBSD 2.X and 3.X
>   # /lkm                                -> $(SEC_CRIT) (recurse =3D true)=
 ; # uncomment if using lkm kld
> }
>
>
> #
> # System Administration Programs
> #
>
> (
>   rulename =3D "System Administration Programs",
>   severity =3D $(SIG_HI)
> )
> {
>   /sbin                                 -> $(SEC_CRIT) (recurse =3D true)=
 ;
>   /usr/sbin                             -> $(SEC_CRIT) (recurse =3D true)=
 ;
> }
>
>
> #
> # User Utilities
> #
>
> (
>   rulename =3D "User Utilities",
>   severity =3D $(SIG_HI)
> )
> {
>   /bin                                  -> $(SEC_CRIT) (recurse =3D true)=
 ;
>   /usr/bin                              -> $(SEC_CRIT) (recurse =3D true)=
 ;
> }
>
>
> #
> # /dev
> #
>
> (
>   rulename =3D "/dev",
>   severity =3D $(SIG_HI)
> )
> {
>   # XXX Do we really need to verify the integrity of /dev on 5.X?
> #  /dev                                 -> $(Device) (recurse =3D true) ;
> #  !/dev/vga ;
> #  !/dev/dri ;
> #  /dev/console                         -> $(SEC_TTY) ;
> #  /dev/ttyv0                           -> $(SEC_TTY) ;
> #  /dev/ttyv1                           -> $(SEC_TTY) ;
> #  /dev/ttyv2                           -> $(SEC_TTY) ;
> #  /dev/ttyv3                           -> $(SEC_TTY) ;
> #  /dev/ttyv4                           -> $(SEC_TTY) ;
> #  /dev/ttyv5                           -> $(SEC_TTY) ;
> #  /dev/ttyv6                           -> $(SEC_TTY) ;
> #  /dev/ttyv7                           -> $(SEC_TTY) ;
> #  /dev/ttyp0                           -> $(SEC_TTY) ;
> #  /dev/ttyp1                           -> $(SEC_TTY) ;
> #  /dev/ttyp2                           -> $(SEC_TTY) ;
> #  /dev/ttyp3                           -> $(SEC_TTY) ;
> #  /dev/ttyp4                           -> $(SEC_TTY) ;
> #  /dev/ttyp5                           -> $(SEC_TTY) ;
> #  /dev/ttyp6                           -> $(SEC_TTY) ;
> #  /dev/ttyp7                           -> $(SEC_TTY) ;
> #  /dev/ttyp8                           -> $(SEC_TTY) ;
> #  /dev/ttyp9                           -> $(SEC_TTY) ;
> #  /dev/ttypa                           -> $(SEC_TTY) ;
> #  /dev/ttypb                           -> $(SEC_TTY) ;
> #  /dev/ttypc                           -> $(SEC_TTY) ;
> #  /dev/ttypd                           -> $(SEC_TTY) ;
> #  /dev/ttype                           -> $(SEC_TTY) ;
> #  /dev/ttypf                           -> $(SEC_TTY) ;
> #  /dev/ttypg                           -> $(SEC_TTY) ;
> #  /dev/ttyph                           -> $(SEC_TTY) ;
> #  /dev/ttypi                           -> $(SEC_TTY) ;
> #  /dev/ttypj                           -> $(SEC_TTY) ;
> #  /dev/ttypl                           -> $(SEC_TTY) ;
> #  /dev/ttypm                           -> $(SEC_TTY) ;
> #  /dev/ttypn                           -> $(SEC_TTY) ;
> #  /dev/ttypo                           -> $(SEC_TTY) ;
> #  /dev/ttypp                           -> $(SEC_TTY) ;
> #  /dev/ttypq                           -> $(SEC_TTY) ;
> #  /dev/ttypr                           -> $(SEC_TTY) ;
> #  /dev/ttyps                           -> $(SEC_TTY) ;
> #  /dev/ttypt                           -> $(SEC_TTY) ;
> #  /dev/ttypu                           -> $(SEC_TTY) ;
> #  /dev/ttypv                           -> $(SEC_TTY) ;
> #  /dev/cuaa0                           -> $(SEC_TTY) ; # modem
> }
>
>
> #
> # /etc
> #
>
> (
>   rulename = "/etc",
>   severity = $(SIG_HI)
> )
> {
>   /etc                                  -> $(SEC_CRIT) (recurse = true) ;
>   # /etc/mail/aliases                   -> $(SEC_CONFIG) ;
>   /etc/dumpdates                        -> $(SEC_CONFIG) ;
>   /etc/motd                             -> $(SEC_CONFIG) ;
>   !/etc/ppp/connect-errors ;
> #  /etc/skeykeys                                -> $(SEC_CONFIG) ;
>   # Uncomment the following 4 lines if your password file does not change
>   # /etc/passwd                         -> $(SEC_CONFIG) ;
>   # /etc/master.passwd                  -> $(SEC_CONFIG) ;
>   # /etc/pwd.db                         -> $(SEC_CONFIG) ;
>   # /etc/spwd.db                        -> $(SEC_CONFIG) ;
> }
>
>
> #
> # Compatibility (Linux)
> #
>
> (
>   rulename = "Linux Compatibility",
>   severity = $(SIG_HI)
> )
> {
>   /compat                               -> $(SEC_CRIT) (recurse = true) ;
> #
> # Uncomment the following if Linux compatibility is used.  Replace
> # HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port
> # installed.
> #
> #@@ifhost HOSTNAME1 || HOSTNAME2
> #  /compat/linux/etc                    -> $(SEC_INVARIANT) (recurse = false) ;
> #  /compat/linux/etc/X11                -> $(SEC_CONFIG) (recurse = true) ;
> #  /compat/linux/etc/pam.d              -> $(SEC_CONFIG) (recurse = true) ;
> #  /compat/linux/etc/profile.d          -> $(SEC_CONFIG) (recurse = true) ;
> #  /compat/linux/etc/real               -> $(SEC_CONFIG) (recurse = true) ;
> #  /compat/linux/etc/bashrc             -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/csh.login          -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/host.conf          -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/hosts.allow                -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/hosts.deny         -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/info-dir           -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/inputrc            -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/ld.so.conf         -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/nsswitch.conf      -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/profile            -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/redhat-release     -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/rpc                        -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/securetty          -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/shells             -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/termcap            -> $(SEC_CONFIG) ;
> #  /compat/linux/etc/yp.conf            -> $(SEC_CONFIG) ;
> #  !/compat/linux/etc/ld.so.cache ;
> #  !/compat/linux/var/spool/mail ;
> #@@endif
> }
>
>
> #
> # Libraries, include files, and other system files
> #
>
> (
>   rulename = "Libraries, include files, and other system files",
>   severity = $(SIG_HI)
> )
> {
>   /usr/include                          -> $(SEC_CRIT) (recurse = true) ;
>   /usr/lib                              -> $(SEC_CRIT) (recurse = true) ;
>   /usr/libdata                          -> $(SEC_CRIT) (recurse = true) ;
>   /usr/libexec                          -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share                            -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man                        -> $(SEC_CONFIG) ;
>   !/usr/share/man/whatis ;
>   !/usr/share/man/.glimpse_filenames ;
>   !/usr/share/man/.glimpse_filenames_index ;
>   !/usr/share/man/.glimpse_filetimes ;
>   !/usr/share/man/.glimpse_filters ;
>   !/usr/share/man/.glimpse_index ;
>   !/usr/share/man/.glimpse_messages ;
>   !/usr/share/man/.glimpse_partitions ;
>   !/usr/share/man/.glimpse_statistics ;
>   !/usr/share/man/.glimpse_turbo ;
>   /usr/share/man/man1                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man2                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man3                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man4                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man5                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man6                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man7                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man8                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man9                   -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/share/man/mann                  -> $(SEC_CRIT) (recurse = true) ;
>   ! /usr/share/man/cat1 ;
>   ! /usr/share/man/cat2 ;
>   ! /usr/share/man/cat3 ;
>   ! /usr/share/man/cat4 ;
>   ! /usr/share/man/cat5 ;
>   ! /usr/share/man/cat6 ;
>   ! /usr/share/man/cat7 ;
>   ! /usr/share/man/cat8 ;
>   ! /usr/share/man/cat9 ;
>   ! /usr/share/man/catl ;
>   ! /usr/share/man/catn ;
> #  /usr/share/perl/man                  -> $(SEC_CONFIG) ;
>   !/usr/share/perl/man/whatis ;
>   !/usr/share/perl/man/.glimpse_filenames ;
>   !/usr/share/perl/man/.glimpse_filenames_index ;
>   !/usr/share/perl/man/.glimpse_filetimes ;
>   !/usr/share/perl/man/.glimpse_filters ;
>   !/usr/share/perl/man/.glimpse_index ;
>   !/usr/share/perl/man/.glimpse_messages ;
>   !/usr/share/perl/man/.glimpse_partitions ;
>   !/usr/share/perl/man/.glimpse_statistics ;
>   !/usr/share/perl/man/.glimpse_turbo ;
> #  /usr/share/perl/man/man3             -> $(SEC_CRIT) (recurse = true) ;
>   ! /usr/share/perl/man/cat3 ;
> #  /usr/local/lib/perl5/5.00503/man     -> $(SEC_CONFIG) ;
>   ! /usr/local/lib/perl5/5.00503/man/whatis ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
> #  /usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
>   ! /usr/local/lib/perl5/5.00503/man/cat3 ;
> }
>
>
> #
> # X11R6
> #
>
> (
>   rulename = "X11R6",
>   severity = $(SIG_HI)
> )
> {
>   /usr/X11R6                            -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/X11R6/lib/X11/xdm               -> $(SEC_CONFIG) (recurse = true) ;
>   !/usr/X11R6/lib/X11/xdm/xdm-errors ;
>   !/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
>   !/usr/X11R6/lib/X11/xdm/xdm-pid ;
> #  /usr/X11R6/lib/X11/xkb/compiled      -> $(SEC_CONFIG) (recurse = true) ;
>   /usr/X11R6/man                        -> $(SEC_CONFIG) ;
>   !/usr/X11R6/man/whatis ;
>   !/usr/X11R6/man/.glimpse_filenames ;
>   !/usr/X11R6/man/.glimpse_filenames_index ;
>   !/usr/X11R6/man/.glimpse_filetimes ;
>   !/usr/X11R6/man/.glimpse_filters ;
>   !/usr/X11R6/man/.glimpse_index ;
>   !/usr/X11R6/man/.glimpse_messages ;
>   !/usr/X11R6/man/.glimpse_partitions ;
>   !/usr/X11R6/man/.glimpse_statistics ;
>   !/usr/X11R6/man/.glimpse_turbo ;
>   /usr/X11R6/man/man1                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man2                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man3                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man4                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man5                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man6                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man7                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man8                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man9                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/manl                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/mann                   -> $(SEC_CRIT) (recurse = true) ;
>   ! /usr/X11R6/man/cat1 ;
>   ! /usr/X11R6/man/cat2 ;
>   ! /usr/X11R6/man/cat3 ;
>   ! /usr/X11R6/man/cat4 ;
>   ! /usr/X11R6/man/cat5 ;
>   ! /usr/X11R6/man/cat6 ;
>   ! /usr/X11R6/man/cat7 ;
>   ! /usr/X11R6/man/cat8 ;
>   ! /usr/X11R6/man/cat9 ;
>   ! /usr/X11R6/man/catl ;
>   ! /usr/X11R6/man/catn ;
> }
>
>
> #
> # sources
> #
>
> (
>   rulename = "Sources",
>   severity = $(SIG_HI)
> )
> {
>   /usr/src                              -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/src/sys/compile                 -> $(SEC_CONFIG) (recurse = false) ;
> }
>
>
> #
> # NIS
> #
>
> (
>   rulename = "NIS",
>   severity = $(SIG_HI)
> )
> {
>   /var/yp                               -> $(SEC_CRIT) (recurse = true) ;
>   !/var/yp/binding ;
> }
>
>
> #
> # Temporary directories
> #
> (
>   rulename = "Temporary directories",
>   recurse = false,
>   severity = $(SIG_LOW)
> )
> {
> #  /usr/tmp                             -> $(SEC_INVARIANT) ;
>   /var/tmp                             -> $(SEC_INVARIANT) ;
>   /var/preserve                        -> $(SEC_INVARIANT) ;
>   /tmp                                 -> $(SEC_INVARIANT) ;
> }
>
> #
> # Local files
> #
>
> (
>   rulename = "Local files",
>   severity = $(SIG_MED)
> )
> {
>   /usr/local/bin                        -> $(SEC_BIN) (recurse = true) ;
>   /usr/local/sbin                       -> $(SEC_BIN) (recurse = true) ;
>   /usr/local/etc                        -> $(SEC_BIN) (recurse = true) ;
>   /usr/local/lib                        -> $(SEC_BIN) (recurse = true) ;
>   /usr/local/libexec                    -> $(SEC_BIN) (recurse = true) ;
>   /usr/local/share                      -> $(SEC_BIN) (recurse = true) ;
>   /usr/local/man                        -> $(SEC_CONFIG) ;
>   !/usr/local/man/whatis ;
>   !/usr/local/man/.glimpse_filenames ;
>   !/usr/local/man/.glimpse_filenames_index ;
>   !/usr/local/man/.glimpse_filetimes ;
>   !/usr/local/man/.glimpse_filters ;
>   !/usr/local/man/.glimpse_index ;
>   !/usr/local/man/.glimpse_messages ;
>   !/usr/local/man/.glimpse_partitions ;
>   !/usr/local/man/.glimpse_statistics ;
>   !/usr/local/man/.glimpse_turbo ;
>   /usr/local/man/man1                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man2                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man3                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man4                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man5                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man6                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man7                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man8                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man9                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/manl                   -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/mann                   -> $(SEC_CRIT) (recurse = true) ;
>   ! /usr/local/man/cat1 ;
>   ! /usr/local/man/cat2 ;
>   ! /usr/local/man/cat3 ;
>   ! /usr/local/man/cat4 ;
>   ! /usr/local/man/cat5 ;
>   ! /usr/local/man/cat6 ;
>   ! /usr/local/man/cat7 ;
>   ! /usr/local/man/cat8 ;
>   ! /usr/local/man/cat9 ;
>   ! /usr/local/man/catl ;
>   ! /usr/local/man/catn ;
> #  /usr/local/krb5                      -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/local/krb5/man                  -> $(SEC_CONFIG) ;
>   !/usr/local/krb5/man/whatis ;
>   !/usr/local/krb5/man/.glimpse_filenames ;
>   !/usr/local/krb5/man/.glimpse_filenames_index ;
>   !/usr/local/krb5/man/.glimpse_filetimes ;
>   !/usr/local/krb5/man/.glimpse_filters ;
>   !/usr/local/krb5/man/.glimpse_index ;
>   !/usr/local/krb5/man/.glimpse_messages ;
>   !/usr/local/krb5/man/.glimpse_partitions ;
>   !/usr/local/krb5/man/.glimpse_statistics ;
>   !/usr/local/krb5/man/.glimpse_turbo ;
> #  /usr/local/krb5/man/man1             -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/local/krb5/man/man2             -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/local/krb5/man/man3             -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/local/krb5/man/man4             -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/local/krb5/man/man5             -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/local/krb5/man/man6             -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/local/krb5/man/man7             -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/local/krb5/man/man8             -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/local/krb5/man/man9             -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/local/krb5/man/manl             -> $(SEC_CRIT) (recurse = true) ;
> #  /usr/local/krb5/man/mann             -> $(SEC_CRIT) (recurse = true) ;
>   ! /usr/local/krb5/man/cat1 ;
>   ! /usr/local/krb5/man/cat2 ;
>   ! /usr/local/krb5/man/cat3 ;
>   ! /usr/local/krb5/man/cat4 ;
>   ! /usr/local/krb5/man/cat5 ;
>   ! /usr/local/krb5/man/cat6 ;
>   ! /usr/local/krb5/man/cat7 ;
>   ! /usr/local/krb5/man/cat8 ;
>   ! /usr/local/krb5/man/cat9 ;
>   ! /usr/local/krb5/man/catl ;
>   ! /usr/local/krb5/man/catn ;
>   /usr/local/www                        -> $(SEC_CONFIG) (recurse = true) ;
> }
>
>
> (
>   rulename = "Security Control",
>   severity = $(SIG_HI)
> )
> {
>   /etc/group                           -> $(SEC_CRIT) ;
>   /etc/crontab                         -> $(SEC_CRIT) ;
> }
>
> #=============================================================================
> #
> # Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
> # Inc. in the United States and other countries. All rights reserved.
> #
> # FreeBSD is a registered trademark of the FreeBSD Project Inc.
> #
> # UNIX is a registered trademark of The Open Group.
> #
> #=============================================================================
> #
> # Permission is granted to make and distribute verbatim copies of this document
> # provided the copyright notice and this permission notice are preserved on all
> # copies.
> #
> # Permission is granted to copy and distribute modified versions of this
> # document under the conditions for verbatim copying, provided that the entire
> # resulting derived work is distributed under the terms of a permission notice
> # identical to this one.
> #
> # Permission is granted to copy and distribute translations of this document
> # into another language, under the above conditions for modified versions,
> # except that this permission notice may be stated in a translation approved by
> # Tripwire, Inc.
> #
> # DCM
>
>
>
>

From owner-freebsd-security@FreeBSD.ORG  Tue Oct 11 16:26:48 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 50FEF16A41F
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 16:26:48 +0000 (GMT)
	(envelope-from cperciva@freebsd.org)
Received: from pd3mo2so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net
	[24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id D3FF443D48
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 16:26:47 +0000 (GMT)
	(envelope-from cperciva@freebsd.org)
Received: from pd2mr2so.prod.shaw.ca
	(pd2mr2so-qfe3.prod.shaw.ca [10.0.141.109]) by l-daemon
	(Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004))
	with ESMTP id <0IO7000E6F0N2JE0@l-daemon> for
	freebsd-security@freebsd.org; Tue, 11 Oct 2005 10:26:47 -0600 (MDT)
Received: from pn2ml8so.prod.shaw.ca ([10.0.121.152])
	by pd2mr2so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01
	(built Mar
	15 2004)) with ESMTP id <0IO7006UKF0NK650@pd2mr2so.prod.shaw.ca> for
	freebsd-security@freebsd.org; Tue, 11 Oct 2005 10:26:47 -0600 (MDT)
Received: from [192.168.0.60]
	(S0106006067227a4a.vc.shawcable.net [24.87.209.6]) by l-daemon
	(iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003))
	with ESMTP id <0IO7001U1F0M4A@l-daemon> for
	freebsd-security@freebsd.org; Tue, 11 Oct 2005 10:26:47 -0600 (MDT)
Date: Tue, 11 Oct 2005 09:26:46 -0700
From: Colin Percival <cperciva@freebsd.org>
In-reply-to: <434BCB75.2000402@iang.org>
To: Ian G <iang@iang.org>
Message-id: <434BE7C6.4080605@freebsd.org>
MIME-version: 1.0
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7bit
X-Accept-Language: en-us, en
X-Enigmail-Version: 0.92.1.0
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434BCB75.2000402@iang.org>
User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051001)
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2005 16:26:48 -0000

Ian G wrote:
> FreeBSD Security Advisories wrote:
>> Applications which do not support SSLv2, have been configured to not
>> permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
>> or SSL_OP_ALL options are not affected.
>>
>> IV.  Workaround
>>
>> No workaround is available.
> 
> Isn't the workaround obviously to switch off V2?

Disabling applications to not permit use of SSLv2 is a
workaround.  However, this is something which needs to
be done on an application-by-application basis, and it
is likely that there will be some applications which do
not have any option for doing this.

> In the phishing world - where users are being
> exposed to losses in the billion dollar range
> or so - we are crying out for the removal of v2.
> Can this be done?

SSL is supposed to negotiate the use of SSLv3 if it is
supported by both the client and the server, so I don't
see why disabling SSLv2 entirely would be useful aside
from protecting against this vulnerability.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG  Tue Oct 11 16:31:26 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7F6D816A41F
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 16:31:26 +0000 (GMT)
	(envelope-from jimmy@inet-solutions.be)
Received: from mail.ihosting.be (vero.ihosting.be [83.217.81.43])
	by mx1.FreeBSD.org (Postfix) with SMTP id C83F243D45
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 16:31:25 +0000 (GMT)
	(envelope-from jimmy@inet-solutions.be)
Received: (qmail 28526 invoked by uid 1033); 11 Oct 2005 16:37:00 -0000
Received: from jimmy@inet-solutions.be by excalibur.hyprotech.be by uid 1016
	with qmail-scanner-1.20st 
	(clamscan: 0.75. spamassassin: 2.63.  Clear:RC:1(127.0.0.1):. 
	Processed in 0.010176 secs); 11 Oct 2005 16:37:00 -0000
Received: from localhost (HELO vero.ihosting.be) (127.0.0.1)
	by mail.ihosting.be with SMTP; 11 Oct 2005 16:37:00 -0000
Received: (from jimmy@inet-solutions.be)
	by vero.ihosting.be (mini_sendmail/1.3.5 16nov2003);
	Tue, 11 Oct 2005 18:37:00 CEST
	(sender jimmy@inet-solutions.be by using webserver vero.ihosting.be
	path /www/ihosting/horde.ihosting.be/imp - report abuse to
	abuse@boxke.be)
Received: from d515281EE.access.telenet.be (d515281EE.access.telenet.be
	[81.82.129.238]) by webmail.boxke.be (IMP) with HTTP 
	for <jimmy@inet-solutions.be@83.217.81.43>;
	Tue, 11 Oct 2005 18:37:00 +0200
Message-ID: <1129048620.434bea2c6b7ab@webmail.boxke.be>
Date: Tue, 11 Oct 2005 18:37:00 +0200
From: jimmy@inet-solutions.be
To: jere <jere@htnet.hr>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<1129036481.434bbac1720a6@webmail.boxke.be>
	<434BBF09.6040101@htnet.hr>
In-Reply-To: <434BBF09.6040101@htnet.hr>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.3
X-Originating-IP: 81.82.129.238
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2005 16:31:26 -0000


> jimmy@inet-solutions.be wrote:
> > Quoting FreeBSD Security Advisories <security-advisories@freebsd.org>:
> >
> >>=============================================================================
> >>FreeBSD-SA-05:21.openssl                                    Security Advisory
> >>                                                          The FreeBSD Project
> >
> > [..]
> >
> >>c) Recompile the operating system as described in
> >><URL: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html >.
> >
> >
> > Is there any reason why one would need to compile the whole operating system?
> > I can understand that static linked apps need to be recompiled, but which
> > are there actually any at all (and linked against openssl)?
> >
> > Kind regards,
> > Jimmy Scott
> >
> > ----------------------------------------------------------------
> > This message has been sent through ihosting.be
> > To report spamming or other unaccepted behavior
> > by a iHosting customer, please send a message
> > to abuse@ihosting.be
> > ----------------------------------------------------------------
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
> >
>
Quoting jere <jere@htnet.hr>:

> unfortunately, this is the dark side of FreeBSD security patch
> management :)  and I think also the main reason FreeBSD isn't so widely
> deployed into enterprise environments. It's ok for hacking or managing a
> few boxes but try to imagine how to manage security on hundreds of them
> this way. :(
>
> on the other side (bright side :) you can try to use unofficial and
> often somewhat slowly updating solutions such as bsdupdate
> (www.bsdupdates.com) or freebsd-update (from ports tree).
>
> currently, FreeBSD just doesn't have a mechanism to handle security
> advisories in a quick way.
>
> any suggestions/corrections ?
>
> j.
>

What I meant was: "why compile everything instead of just openssl?"
I've been thinking about this question since the last openssl issue in FreeBSD.

----------------------------------------------------------------
This message has been sent through ihosting.be
To report spamming or other unaccepted behavior
by a iHosting customer, please send a message 
to abuse@ihosting.be
----------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG  Tue Oct 11 22:53:05 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2437C16A41F
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 22:53:05 +0000 (GMT) (envelope-from ml@netfence.it)
Received: from parrot.aev.net (parrot.aev.net [212.31.247.179])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6D09943D45
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 22:53:04 +0000 (GMT) (envelope-from ml@netfence.it)
Received: from soth.ventu (aspd01-213.dialup.serenacom.it [213.214.70.213])
	(authenticated bits=128)
	by parrot.aev.net (8.13.4/8.13.4) with ESMTP id j9BN175o026004
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 01:01:18 +0200 (CEST) (envelope-from ml@netfence.it)
Received: from [10.1.2.18] (alamar.ventu [10.1.2.18]) (authenticated bits=0)
	by soth.ventu (8.13.5/8.13.3) with ESMTP id j9BMi0aG032742
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 00:44:01 +0200 (CEST) (envelope-from ml@netfence.it)
Message-ID: <434C427D.40501@netfence.it>
Date: Wed, 12 Oct 2005 00:53:49 +0200
From: Andrea Venturoli <ml@netfence.it>
User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051003)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
In-Reply-To: <200510111202.j9BC2obf081876@freefall.freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.52 on 212.31.247.179
X-Scanned-By: MIMEDefang 2.53 on 10.1.2.13
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2005 22:53:05 -0000

FreeBSD Security Advisories wrote:

> Note that any statically linked applications that are not part of the
> base system (i.e. from the Ports Collection or other 3rd-party sources)
> must be recompiled.

Ok, is there any way to list installed ports which are statically linked 
against OpenSSL?

  bye & Thanks
	av.

From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 00:38:59 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E693B16A41F
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 00:38:59 +0000 (GMT)
	(envelope-from cperciva@freebsd.org)
Received: from pd4mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net
	[24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7F8C343D45
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 00:38:59 +0000 (GMT)
	(envelope-from cperciva@freebsd.org)
Received: from pd3mr2so.prod.shaw.ca
	(pd3mr2so-qfe3.prod.shaw.ca [10.0.141.178]) by l-daemon
	(Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004))
	with ESMTP id <0IO8002KJ1S39KB0@l-daemon> for
	freebsd-security@freebsd.org; Tue, 11 Oct 2005 18:38:27 -0600 (MDT)
Received: from pn2ml2so.prod.shaw.ca ([10.0.121.146])
	by pd3mr2so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01
	(built Mar
	15 2004)) with ESMTP id <0IO800KV21S320F0@pd3mr2so.prod.shaw.ca> for
	freebsd-security@freebsd.org; Tue, 11 Oct 2005 18:38:27 -0600 (MDT)
Received: from [192.168.0.60]
	(S0106006067227a4a.vc.shawcable.net [24.87.209.6]) by l-daemon
	(iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003))
	with ESMTP id <0IO800B1L1S2QX@l-daemon> for
	freebsd-security@freebsd.org; Tue, 11 Oct 2005 18:38:27 -0600 (MDT)
Date: Tue, 11 Oct 2005 17:38:26 -0700
From: Colin Percival <cperciva@freebsd.org>
In-reply-to: <434C427D.40501@netfence.it>
To: Andrea Venturoli <ml@netfence.it>
Message-id: <434C5B02.8030904@freebsd.org>
MIME-version: 1.0
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7bit
X-Accept-Language: en-us, en
X-Enigmail-Version: 0.92.1.0
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434C427D.40501@netfence.it>
User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051001)
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2005 00:39:00 -0000

Andrea Venturoli wrote:
> FreeBSD Security Advisories wrote:
>> Note that any statically linked applications that are not part of the
>> base system (i.e. from the Ports Collection or other 3rd-party sources)
>> must be recompiled.
> 
> Ok, is there any way to list installed ports which are statically linked
> against OpenSSL?

There isn't any particularly good approach, unfortunately.  I think I'd
probably use a combination of find(1), file(1), and fgrep(1) to find any
executable files (via find) which are statically linked (using file) and
which contain the string "OpenSSL" (using fgrep).

Colin Percival
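
The find(1)/file(1)/fgrep(1) combination Colin describes, written out as a
script. This is an added example, not code from the original thread or from
the FreeBSD project. It assumes the ports prefix is /usr/local (the
directories named in the usage comment are only a suggestion), uses grep -q
in place of fgrep, and keeps the file(1) parsing in its own function so it
can be checked without a real static binary. Matching the literal string
"OpenSSL" is a heuristic in both directions: a binary that only prints the
word in its usage text will match, and a static link pulls in only the
object files the program references, so a binary that never touches the
code carrying the OpenSSL version banner may not match at all. Treat the
list as a starting point for review, not proof of absence.

```shell
#!/bin/sh
# Added example (not from the original thread): list executables that are
# statically linked and embed the string "OpenSSL", i.e. candidates for a
# rebuild after an OpenSSL advisory. Uses only find(1), file(1) and grep(1).

# is_static_desc: given one line of file(1) output, succeed if it describes
# a statically linked executable. Kept separate from the directory walk so
# the parsing can be exercised on sample file(1) output.
is_static_desc() {
    case "$1" in
        *"statically linked"*) return 0 ;;
        *) return 1 ;;
    esac
}

# mentions_openssl: succeed if the file named by $1 contains "OpenSSL"
# anywhere in its bytes. grep exits 0 on a match in a binary file too,
# and -q keeps it from printing the "Binary file matches" notice.
mentions_openssl() {
    grep -q -- 'OpenSSL' "$1" 2>/dev/null
}

# find_static_openssl: walk the given directories, keep regular files with
# the owner-execute bit (-perm -100 is the portable octal form), and print
# those that are both statically linked according to file(1) and mention
# OpenSSL. Output is one path per line; errors on unreadable files are
# dropped so the scan keeps going.
find_static_openssl() {
    find "$@" -type f -perm -100 -print 2>/dev/null |
    while IFS= read -r f; do
        desc=$(file "$f" 2>/dev/null)
        if is_static_desc "$desc" && mentions_openssl "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: scan the default ports prefix (an assumption; adjust to taste).
# find_static_openssl /usr/local/bin /usr/local/sbin /usr/local/libexec
```

Run it as root so every installed binary is readable; anything it prints is
a port to rebuild (and reinstall) after the base system OpenSSL has been
updated, since the copy of libcrypto inside a static binary is not touched by
the base system update.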

From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 07:12:37 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2FABA16A420
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 07:12:37 +0000 (GMT)
	(envelope-from arne_woerner@yahoo.com)
Received: from web30302.mail.mud.yahoo.com (web30302.mail.mud.yahoo.com
	[68.142.200.95]) by mx1.FreeBSD.org (Postfix) with SMTP id 85A9443D53
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 07:12:36 +0000 (GMT)
	(envelope-from arne_woerner@yahoo.com)
Received: (qmail 32918 invoked by uid 60001); 12 Oct 2005 07:12:36 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
	h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
	b=xLKHRr4p1cWsgLdXfkDyhVCvlO24N2nrLOWm4tAggCHFw+zCS8zAAqDVnP8q/4iAiOvODUoCfZcqmdzxNzPXL3PKh+wFIbnjIchTGQBO5+EOWuYfhrNp41DhAp8V5L8ISFrLvqF3qevuIsUz5QRpGvv64wZkUYmVEpQy1FbDfqI=
	; 
Message-ID: <20051012071235.32916.qmail@web30302.mail.mud.yahoo.com>
Received: from [213.54.70.38] by web30302.mail.mud.yahoo.com via HTTP;
	Wed, 12 Oct 2005 00:12:35 PDT
Date: Wed, 12 Oct 2005 00:12:35 -0700 (PDT)
From: Arne "Wörner" <arne_woerner@yahoo.com>
To: Colin Percival <cperciva@freebsd.org>
In-Reply-To: <434C5B02.8030904@freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2005 07:12:37 -0000

--- Colin Percival <cperciva@freebsd.org> wrote:
> Andrea Venturoli wrote:
> > FreeBSD Security Advisories wrote:
> >> Note that any statically linked applications that are not part of the
> >> base system (i.e. from the Ports Collection or other 3rd-party sources)
> >> must be recompiled.
> > 
> > Ok, is there any way to list installed ports which are statically linked
> > against OpenSSL?
> 
> There isn't any particularly good approach, unfortunately.  I think I'd
> probably use a combination of find(1), file(1), and fgrep(1) to find any
> executable files (via find) which are statically linked (using file) and
> which contain the string "OpenSSL" (using fgrep).
>
I would use a combination of nm(1) and grep(1) instead of
fgrep(1). But I do not know right now which symbol will always be
contained in a statically linked executable that might use
OpenSSL...

Btw: Why should the string "OpenSSL" be contained in each and
every executable that might use OpenSSL?

-Arne


From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 07:39:50 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3FE6816A41F
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 07:39:50 +0000 (GMT)
	(envelope-from timothy@open-networks.net)
Received: from titan.open-networks.net (ns.open-networks.net [202.173.176.254])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6ABB343D53
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 07:39:48 +0000 (GMT)
	(envelope-from timothy@open-networks.net)
Received: from [192.168.1.200] (tim.open-networks.net [192.168.1.1])
	by titan.open-networks.net (Postfix) with ESMTP id 0B6F76E5
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 17:39:47 +1000 (EST)
Message-ID: <434CBDC2.4070405@open-networks.net>
Date: Wed, 12 Oct 2005 17:39:46 +1000
From: Timothy Smith <timothy@open-networks.net>
User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051002)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Cc: freebsd-security@freebsd.org
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>	<1129036481.434bbac1720a6@webmail.boxke.be>
	<434BBF09.6040101@htnet.hr>
In-Reply-To: <434BBF09.6040101@htnet.hr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2005 07:39:50 -0000

jere wrote:

> unfortunately, this is the dark side of FreeBSD security patch 
> management :)  and I think also the main reason FreeBSD isn't so 
> widely deployed into enterprise environments. It's ok for hacking or 
> managing few boxes but try to imagine how to manage security on 
> hundreds of them this way. :(
>
> on the other side (bright side :) you can try to use unofficial and 
> often somewhat slowly updating solutions such as bsdupdate 
> (www.bsdupdates.com) or freebsd-update (from ports tree).
>
> currently, FreeBSD just doesn't have a mechanism to handle security 
> advisories in a quick way.
>
> any suggestions/corrections ?
>
> j.
>
You're totally right, even though I hate to admit it. Stuff like having to 
make world is a nightmare when admining lots of machines. I can't afford 
to make world only to find something screwed up; stuff like that would 
cost me a lot of time I can't afford.
The make world documents mention backing up your system. They fail to 
give any preferred methods or utilities for doing this. Anyone got some 
input on that?

From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 08:22:02 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5830E16A41F
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 08:22:02 +0000 (GMT)
	(envelope-from yann@raven.kierun.org)
Received: from raven.kierun.org (raven.yorksj.ac.uk [193.61.234.17])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E686943D46
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 08:22:01 +0000 (GMT)
	(envelope-from yann@raven.kierun.org)
Received: from yann by raven.kierun.org with local (Exim 4.54 (FreeBSD))
	id 1EPbs7-000EBB-M3; Wed, 12 Oct 2005 09:21:59 +0100
Date: Wed, 12 Oct 2005 09:21:59 +0100
From: Yann Golanski <yann@kierun.org>
To: Timothy Smith <timothy@open-networks.net>
Message-ID: <20051012082159.GA54387@kierun.org>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<1129036481.434bbac1720a6@webmail.boxke.be>
	<434BBF09.6040101@htnet.hr> <434CBDC2.4070405@open-networks.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="a8Wt8u1KmwUX3Y2C"
Content-Disposition: inline
In-Reply-To: <434CBDC2.4070405@open-networks.net>
User-Agent: Mutt/1.5.11
Sender: "Yann Golanski, University of York,
	+44(0)1904-433088" <yann@raven.kierun.org>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2005 08:22:02 -0000


--a8Wt8u1KmwUX3Y2C
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Quoth Timothy Smith on Wed, Oct 12, 2005 at 17:39:46 +1000
> The make world documents mention backing up your system. They fail to
> give any preferred methods or utilities for doing this. Anyone got some
> input on that?

I find rdiff-backup to be very good indeed.  It's in the port tree.

-- 
yann@kierun.org                  -=*=-                      www.kierun.org
    PGP:   009D 7287 C4A7 FD4F 1680  06E4 F751 7006 9DE2 6318

--a8Wt8u1KmwUX3Y2C
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDTMen91FwBp3iYxgRAtIpAKCGhhbgOcAteABIACOsZEpr8g7YmwCgrTqS
NwTHY0dms5QJCcJ4GXzyBTs=
=SpBw
-----END PGP SIGNATURE-----

--a8Wt8u1KmwUX3Y2C--

From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 08:25:54 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D08A716A420
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 08:25:54 +0000 (GMT)
	(envelope-from PeterJeremy@optushome.com.au)
Received: from mail18.syd.optusnet.com.au (mail18.syd.optusnet.com.au
	[211.29.132.199])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DD03C43D45
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 08:25:52 +0000 (GMT)
	(envelope-from PeterJeremy@optushome.com.au)
Received: from cirb503493.alcatel.com.au
	(c220-239-19-236.belrs4.nsw.optusnet.com.au [220.239.19.236])
	by mail18.syd.optusnet.com.au (8.12.11/8.12.11) with ESMTP id
	j9C8PoJo031500
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
	Wed, 12 Oct 2005 18:25:51 +1000
Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au [127.0.0.1])
	by cirb503493.alcatel.com.au (8.12.10/8.12.10) with ESMTP id
	j9C8PoHh006198; Wed, 12 Oct 2005 18:25:50 +1000 (EST)
	(envelope-from pjeremy@cirb503493.alcatel.com.au)
Received: (from pjeremy@localhost)
	by cirb503493.alcatel.com.au (8.12.10/8.12.9/Submit) id j9C8Po5w006197; 
	Wed, 12 Oct 2005 18:25:50 +1000 (EST) (envelope-from pjeremy)
Date: Wed, 12 Oct 2005 18:25:50 +1000
From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: Arne =?iso-8859-1?Q?W=F6rner?= <arne_woerner@yahoo.com>
Message-ID: <20051012082550.GH2482@cirb503493.alcatel.com.au>
References: <434C5B02.8030904@freebsd.org>
	<20051012071235.32916.qmail@web30302.mail.mud.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20051012071235.32916.qmail@web30302.mail.mud.yahoo.com>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2005 08:25:55 -0000

On Wed, 2005-Oct-12 00:12:35 -0700, Arne Wörner wrote:
>Btw: Why should the string "OpenSSL" be contained in each and
>every executable, that might use OpenSSL?

OpenSSL has a version string of the form "OpenSSL 0.9.7e 25 Oct 2004"
embedded in it.

-- 
Peter Jeremy
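The check Colin Percival sketches above (find(1) for executables, file(1) for static linking, a string search for "OpenSSL"), combined with the banner shape Peter Jeremy gives ("OpenSSL 0.9.7e 25 Oct 2004"), written out as a script. This is an added example, not code from the thread or from FreeBSD; the function names, the banner regex, and the assumption that file(1) describes static binaries with the words "statically linked" are mine.

```sh
#!/bin/sh
# Added example (not from the thread): list statically linked executables
# under a directory that embed an OpenSSL version banner, so they can be
# queued for a rebuild after an OpenSSL advisory.
#
# Assumptions: file(1) describes static ELF binaries with the words
# "statically linked" (GNU and BSD file both do), and a statically linked
# copy of OpenSSL carries a banner shaped like "OpenSSL 0.9.7e 25 Oct 2004".

# Classify one line of `file -b` output.  Returns 0 for a statically
# linked binary, 1 otherwise (dynamic executables, scripts, data files).
is_static_file_output() {
    case "$1" in
        *"statically linked"*) return 0 ;;
        *)                     return 1 ;;
    esac
}

# Print the first OpenSSL version banner found in a file, or nothing.
# -a makes grep treat a binary as text.  The pattern requires the full
# "OpenSSL <version> <day> <Mon> <year>" shape rather than the bare word,
# so a program that merely mentions OpenSSL in its help text is not
# reported.  Version and day may be separated by more than one space.
openssl_banner() {
    grep -a -o 'OpenSSL [0-9][0-9.a-z]*  *[0-9][0-9]* [A-Z][a-z][a-z] [0-9][0-9]*' \
        "$1" 2>/dev/null | head -n 1
}

# Exit-status form of the above, for conditions and tests.
has_openssl_banner() {
    [ -n "$(openssl_banner "$1")" ]
}

# Walk a tree (ports install under /usr/local) and print
# "<path><TAB><banner>" for every statically linked executable that
# embeds an OpenSSL banner.  Paths containing newlines are not handled.
scan_static_openssl() {
    dir=${1:-/usr/local}
    # -perm -u+x keeps only files the owner can execute; the loop keeps
    # going when file(1) cannot read a path.
    find "$dir" -type f -perm -u+x 2>/dev/null | while IFS= read -r path; do
        desc=$(file -b "$path" 2>/dev/null) || continue
        is_static_file_output "$desc" || continue
        banner=$(openssl_banner "$path")
        [ -n "$banner" ] || continue
        printf '%s\t%s\n' "$path" "$banner"
    done
}

# Usage: sh static-openssl-scan.sh /usr/local
if [ $# -gt 0 ]; then
    scan_static_openssl "$1"
fi
```

The banner search is a heuristic: it finds binaries that carry libcrypto's version string, which is what makes the string approach workable where an nm(1)-based symbol search is not, since ports binaries are normally installed stripped and nm(1) has no symbol table to read. Dynamically linked binaries are deliberately skipped, because they pick up the patched shared library without a rebuild, which is the distinction the advisory draws.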

From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 08:55:10 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3D92116A41F
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 08:55:10 +0000 (GMT)
	(envelope-from arne_woerner@yahoo.com)
Received: from web30310.mail.mud.yahoo.com (web30310.mail.mud.yahoo.com
	[68.142.200.103])
	by mx1.FreeBSD.org (Postfix) with SMTP id B25C343D49
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 08:55:09 +0000 (GMT)
	(envelope-from arne_woerner@yahoo.com)
Received: (qmail 42396 invoked by uid 60001); 12 Oct 2005 08:55:09 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
	h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
	b=fmvubIkO1ARTCwj5Vwtk4eDcXriRGfl08lwuXoHNlCyOdo0E4ha6te3uKGf+1RmW7NCjQcst3hqXC9b8dUdujZmneonAZM215f4WNYNxf6ku+cDHbsDh5pz9RfQYsOJfB3wN3lDve+YhkZQDRaR5+Mk01qO1T/xHx+/EquLKcfU=
	; 
Message-ID: <20051012085509.42394.qmail@web30310.mail.mud.yahoo.com>
Received: from [213.54.70.38] by web30310.mail.mud.yahoo.com via HTTP;
	Wed, 12 Oct 2005 01:55:08 PDT
Date: Wed, 12 Oct 2005 01:55:08 -0700 (PDT)
From: Arne "Wörner" <arne_woerner@yahoo.com>
To: Peter Jeremy <PeterJeremy@optushome.com.au>
In-Reply-To: <20051012082550.GH2482@cirb503493.alcatel.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2005 08:55:10 -0000

--- Peter Jeremy <PeterJeremy@optushome.com.au> wrote:
> On Wed, 2005-Oct-12 00:12:35 -0700, Arne Wörner wrote:
> >Btw: Why should the string "OpenSSL" be contained in each and
> >every executable, that might use OpenSSL?
> 
> OpenSSL has a version string of the form "OpenSSL 0.9.7e 25 Oct
> 2004" embedded in it.
> 
As far as I understand static linking, only the symbols that are
used are linked into the executable... So: Why should that version
string be linked into the executable? Is it a necessary part of
the SSL protocol to say the version?

-Arne


From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 12:32:29 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7E84C16A41F
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 12:32:29 +0000 (GMT)
	(envelope-from fernando@mecon.gov.ar)
Received: from relay2.mecon.ar (relay2.mecon.gov.ar [168.101.16.11])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E611443D58
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 12:32:24 +0000 (GMT)
	(envelope-from fernando@mecon.gov.ar)
Received: from racing.mecon.ar (racing.mecon.gov.ar [168.101.133.15])
	by relay2.mecon.ar (8.12.11/8.12.11) with ESMTP id j9CCWJ9M061992;
	Wed, 12 Oct 2005 09:32:21 -0300 (ART)
	(envelope-from fernando@mecon.gov.ar)
Received: from racing.mecon.ar (meyosp.mecon.gov.ar [10.11.0.149])
	by racing.mecon.ar (8.12.8p2/8.12.8) with ESMTP id j9CCWIRf054555;
	Wed, 12 Oct 2005 09:32:18 -0300 (ART)
	(envelope-from fernando@mecon.gov.ar)
Received: from bal740r0.mecon.gov.ar (bal740r0.mecon.ar [10.11.1.11])
	by racing.mecon.ar (8.12.8p2/8.12.8) with ESMTP id j9CCWIi2054552;
	Wed, 12 Oct 2005 09:32:18 -0300 (ART)
	(envelope-from fernando@mecon.gov.ar)
Received: from bal740r0.mecon.gov.ar (localhost [127.0.0.1])
	by bal740r0.mecon.gov.ar (8.13.3/8.13.3) with ESMTP id j9CCWJrO045159; 
	Wed, 12 Oct 2005 09:32:19 -0300 (ART)
	(envelope-from fernando@mecon.gov.ar)
Received: (from fpscha@localhost)
	by bal740r0.mecon.gov.ar (8.13.3/8.13.3/Submit) id j9CCWH8h045158;
	Wed, 12 Oct 2005 09:32:17 -0300 (ART)
	(envelope-from fernando@mecon.gov.ar)
X-Authentication-Warning: bal740r0.mecon.gov.ar: fpscha set sender to
	fernando@mecon.gov.ar using -f
Date: Wed, 12 Oct 2005 09:32:17 -0300
From: Fernando Schapachnik <fernando@mecon.gov.ar>
To: Timothy Smith <timothy@open-networks.net>
Message-ID: <20051012123217.GY766@bal740r0.mecon.gov.ar>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<1129036481.434bbac1720a6@webmail.boxke.be>
	<434BBF09.6040101@htnet.hr> <434CBDC2.4070405@open-networks.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <434CBDC2.4070405@open-networks.net>
User-Agent: Mutt/1.4.2.1i
X-OS: FreeBSD 5.4 - http://www.freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2005 12:32:29 -0000

In an earlier message, Timothy Smith wrote:
> You're totally right, even though I hate to admit it. Stuff like having to 
> make world is a nightmare when admining lots of machines. I can't afford 
> to make world only to find something screwed up; stuff like that would 
> cost me a lot of time I can't afford.
> The make world documents mention backing up your system. They fail to 
> give any preferred methods or utilities for doing this. Anyone got some 
> input on that?

Have one machine make world for all of them, then installworld via NFS 
on all the others. Works pretty well and is very fast (and trustable).

Regards.

From owner-freebsd-security@FreeBSD.ORG  Tue Oct 11 16:47:23 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D2B5016A47F
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 16:47:22 +0000 (GMT)
	(envelope-from jacques@vidrine.us)
Received: from mail.phi23.org (phi23.org [161.58.133.165])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 836E543D45
	for <freebsd-security@freebsd.org>;
	Tue, 11 Oct 2005 16:47:22 +0000 (GMT)
	(envelope-from jacques@vidrine.us)
Received: from [17.202.40.57] (A17-202-40-57.apple.com [17.202.40.57])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(Client did not present a certificate)
	by mail.phi23.org (Postfix) with ESMTP id 85B11250AD;
	Tue, 11 Oct 2005 16:47:21 +0000 (UTC)
In-Reply-To: <434BCB75.2000402@iang.org>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434BCB75.2000402@iang.org>
Mime-Version: 1.0 (Apple Message framework v734)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <B9EA75B5-B5AE-4164-A91E-061E5AECCC5B@vidrine.us>
Content-Transfer-Encoding: 7bit
From: Jacques Vidrine <jacques@vidrine.us>
Date: Tue, 11 Oct 2005 09:45:53 -0700
To: Ian G <iang@iang.org>
X-Mailer: Apple Mail (2.734)
X-Mailman-Approved-At: Wed, 12 Oct 2005 12:43:15 +0000
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2005 16:47:23 -0000

[Trimmed cc: to just the appropriate public mailing list.]

On Oct 11, 2005, at 7:25 AM, Ian G wrote:
> FreeBSD Security Advisories wrote:
>
>
>> Applications which do not support SSLv2, have been configured to not
>> permit the use of SSLv2, or do not use the  
>> SSL_OP_MSIE_SSLV2_RSA_PADDING
>> or SSL_OP_ALL options are not affected.
>> IV.  Workaround
>> No workaround is available.
>>
>
> Isn't the workaround obviously to switch off V2?

Yes.  Sorry that wasn't mentioned.

> SSL v2 should be disabled anyway.  In the browser
> world we have been actively moving to a position
> of not delivering SSL v2 as enabled by default,
> and we've been telling people to switch off SSL
> v2 for some time in order to flush out any issues.
> (none reported that I know of.)
>
> We *desperately* need this done so that servers
> can be switched off SSL v2 so they can deliver
> the SSL v3 hello so that we can start to use
> virtual hosts.  The ability to use more SSL
> more frequently feeds into tools that defend
> against phishing because they rely on the use
> of certificates to cache identity;  so this is
> actually a highly desirable thing in security
> terms.
>
> In the phishing world - where users are being
> exposed to losses in the billion dollar range
> or so - we are crying out for the removal of v2.
> Can this be done?

I agree.  The SSLv3 specification was published in 1995 and quickly  
adopted.  Support for SSLv3 seemed pretty much ubiquitous by 1999.   
SSLv2 has several well-known cryptographic weaknesses with real impact  
and should not be used.  Summarizing [Rescorla 2000]:

* An attacker may interfere with the SSLv2 protocol negotiation in  
order to force the selection of a weak suite of cryptographic  
algorithms.  (This is the most severe problem for most installations,  
IMHO)

* An attacker may inject a TCP FIN packet into an active SSLv2  
session, causing data transfer to terminate.  This termination will  
not be detected by the client or server.

* The only message authentication code (MAC) algorithm available for  
SSLv2 is MD5.  There have been several developments that have caused  
some cryptographers to become concerned about the security of MD5.

* SSLv2 uses the same key for encryption and message authentication,  
so that any successful cryptographic attack is a total break.

* A design flaw in SSLv2 client authentication may allow an attacker  
to hijack a client's credentials.

I've been concerned enough to disable SSLv2 in most of my own  
installations.  But now that it is clear that there are downgrade-to- 
SSLv2 attacks in some versions of OpenSSL (and probably some other  
SSL/TLS implementations), I'm even more concerned.

Cheers,
-- 
Jacques Vidrine <jacques@vidrine.us>

[Rescorla 2000] Rescorla, Eric. _SSL and TLS: Designing and Building  
Secure Systems_. Addison-Wesley, 2000.




From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 12:36:35 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1CD7B16A41F
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 12:36:35 +0000 (GMT)
	(envelope-from keramida@freebsd.org)
Received: from kane.otenet.gr (kane.otenet.gr [195.170.0.95])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DFF6C43D46
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 12:36:33 +0000 (GMT)
	(envelope-from keramida@freebsd.org)
Received: from flame.pc (aris.bedc.ondsl.gr [62.103.39.226])
	by kane.otenet.gr (8.13.4/8.13.4/Debian-1) with SMTP id j9CCaVXh015325; 
	Wed, 12 Oct 2005 15:36:31 +0300
Received: from flame.pc (flame [127.0.0.1])
	by flame.pc (8.13.4/8.13.4) with ESMTP id j9CCZLNp002235;
	Wed, 12 Oct 2005 15:35:21 +0300 (EEST)
	(envelope-from keramida@freebsd.org)
Received: (from keramida@localhost)
	by flame.pc (8.13.4/8.13.4/Submit) id j9CCZLZw002234;
	Wed, 12 Oct 2005 15:35:21 +0300 (EEST)
	(envelope-from keramida@freebsd.org)
Date: Wed, 12 Oct 2005 15:35:21 +0300
From: Giorgos Keramidas <keramida@freebsd.org>
To: jimmy@inet-solutions.be
Message-ID: <20051012123521.GB2071@flame.pc>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<1129036481.434bbac1720a6@webmail.boxke.be>
	<434BBF09.6040101@htnet.hr>
	<1129048620.434bea2c6b7ab@webmail.boxke.be>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1129048620.434bea2c6b7ab@webmail.boxke.be>
X-Mailman-Approved-At: Wed, 12 Oct 2005 12:43:40 +0000
Cc: freebsd-security@freebsd.org, jere <jere@htnet.hr>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2005 12:36:35 -0000

On 2005-10-11 18:37, jimmy@inet-solutions.be wrote:
>Quoting jere <jere@htnet.hr>:
>> unfortunately, this is the dark side of FreeBSD security patch
>> management :)  and I think also the main reason FreeBSD isn't so widely
>> deployed into enterprise environments. It's ok for hacking or managing
>> few boxes but try to imagine how to manage security on hundreds of them
>> this way. :(
>>
>> on the other side (bright side :) you can try to use unofficial and
>> often somewhat slowly updating solutions such as bsdupdate
>> (www.bsdupdates.com) or freebsd-update (from ports tree).
>>
>> currently, FreeBSD just doesn't have a mechanism to handle security
>> advisories in a quick way.
>>
>> any suggestions/corrections ?
>
> What I meant was: "why compile everything instead of just openssl"
> I'm thinking about this question since the last openssl issue in FreeBSD.

Because it's the easiest way (read "the most easy way to automate for
thousands of machines, through a few well selected build machines")
to make sure that you get *ALL* the dependencies right.

The alternative of manually fiddling with makefiles under /usr/src may
be ok for hacker-style, experimental installations, where a few hours of
breakage may be ok.  This is _UNACCEPTABLE_ in a large setup.
Especially if one considers that large setups can make use of network
booting from preinstalled images, which have been asynchronously
updated, for any number of machines, to include the fixes.

I don't see anything wrong with that.


From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 10:07:44 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B596516A41F
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 10:07:44 +0000 (GMT) (envelope-from jere@htnet.hr)
Received: from ls405.htnet.hr (ls405.htnet.hr [195.29.150.97])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F3DB643D48
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 10:07:43 +0000 (GMT) (envelope-from jere@htnet.hr)
Received: from ls422.t-com.hr (ls422.t-com.hr [195.29.150.237])
	by ls405.htnet.hr (0.0.0/8.12.10) with ESMTP id j9CA7WXL013410;
	Wed, 12 Oct 2005 12:07:41 +0200
Received: from ls422.t-com.hr (localhost.localdomain [127.0.0.1])
	by ls422.t-com.hr (Qmlai) with ESMTP id EDF26988043;
	Wed, 12 Oct 2005 12:07:40 +0200 (CEST)
X-Envelope-Sender: jere@htnet.hr
X-Envelope-Sender: jere@htnet.hr
Received: from ls422.t-com.hr (localhost.localdomain [127.0.0.1])
	by ls422.t-com.hr (Qmlai) with ESMTP id CCF8D988042;
	Wed, 12 Oct 2005 12:07:40 +0200 (CEST)
Received: from [195.29.148.251] (bla.htnet.hr [195.29.148.251])
	by ls422.t-com.hr (Qmlai) with ESMTP id 65BA48B8073;
	Wed, 12 Oct 2005 12:07:39 +0200 (CEST)
Message-ID: <434CE0F1.6090400@htnet.hr>
Date: Wed, 12 Oct 2005 12:09:53 +0200
From: jere <jere@htnet.hr>
Organization: bla
User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050428)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Timothy Smith <timothy@open-networks.net>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>	<1129036481.434bbac1720a6@webmail.boxke.be><434BBF09.6040101@htnet.hr>
	<434CBDC2.4070405@open-networks.net>
In-Reply-To: <434CBDC2.4070405@open-networks.net>
X-Enigmail-Version: 0.89.6.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 12 Oct 2005 12:44:05 +0000
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2005 10:07:44 -0000

Please read these articles/manuals:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/small-lan.html
http://2004.eurobsdcon.org/uploads/media/EBSD04_27.pdf
http://www.taosecurity.com/keeping_freebsd_applications_up-to-date.html
http://www.taosecurity.com/keeping_freebsd_up-to-date.html

These are very helpful articles on this matter, and it seems every large 
environment should have a big byte-crunching beast server (or servers) to do the 
dirty job of building the OS and making the packages you'll use. Another thing 
is that if you have the same or similar hardware (today's blade servers come to 
mind here) the whole process is focused on building just a few (or just 
one) OS/kernel versions you can instantly install on any production 
server, say via NFS (as explained in the above articles), over an isolated LAN 
segment dedicated to this, if you want additional security and 
reliability. Let's say it *is* possible to automate OS security patching 
to some reasonable degree this way even in large environments, but you 
don't have this feature "out-of-box" - you have to build it yourself. 
Believe me, large environments like "out-of-box" solutions. :)

And there lies another problem. In large environments it is also 
difficult to manage package security issues. The problem is that an updated 
ports tree doesn't necessarily just fix the security issue - it often also 
bumps the version of the affected package - something not always needed in 
production and most often avoided. The first concern of production 
(enterprise or not) should be stability. For example, one can use a build 
server to quickly build new packages, but a package may be 
automatically bumped to a newer version - with the security issue patched and 
new features added. Currently FreeBSD admins don't have a clear choice 
to manage only ports security issues, but I think it's primarily due to 
lack of port maintainers.

Does anyone have other thoughts about this?

j.

Timothy Smith wrote:
> jere wrote:
> 
>> unfortunately, this is the dark side of FreeBSD security patch
>> management :)  and I think also the main reason FreeBSD isn't so
>> widely deployed into enterprise environments. It's ok for hacking or
>> managing a few boxes but try to imagine how to manage security on
>> hundreds of them this way. :(
>>
>> on the other side (bright side :) you can try to use unofficial and
>> often somewhat slowly updating solutions such as bsdupdate
>> (www.bsdupdates.com) or freebsd-update (from ports tree).
>>
>> currently, FreeBSD just doesn't have a mechanism to handle security
>> advisories in a quick way.
>>
>> any suggestions/corrections ?
>>
>> j.
>>
> you're totally right, even though i hate to admit it. stuff like having to
> make world is a nightmare when admining lots of machines. i can't afford
> to make world only to find something screwed up, stuff like that would
> cost me a lot of time i can't afford.
> the make world documents mention backing up your system. it fails to
> give any preferred methods or utilities for doing this. anyone got some
> input on that?

From owner-freebsd-security@FreeBSD.ORG  Tue Oct 11 13:58:32 2005
Message-ID: <28edec3c0510110658s5d663d4et1a824174e20bf851@mail.gmail.com>
Date: Tue, 11 Oct 2005 21:58:29 +0800
From: "Mars G. Miro" <marsgmiro@gmail.com>
To: jere@htnet.hr, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

> unfortunately, this is the dark side of FreeBSD security patch
> management :)  and I think also the main reason FreeBSD isn't so widely
> deployed into enterprise environments. It's ok for hacking or managing
> a few boxes but try to imagine how to manage security on hundreds of them
> this way. :(

> on the other side (bright side :) you can try to use unofficial and
> often somewhat slowly updating solutions such as bsdupdate
> (www.bsdupdates.com) or freebsd-update (from ports tree).

> currently, FreeBSD just doesn't have a mechanism to handle security
> advisories in a quick way.

> any suggestions/corrections ?

> j.


You can always designate a build box and NFS share /usr/obj and
/usr/src, have the other FreeBSD boxes mount them, and then do an
install{world,kernel} on each.

jimmy at inet-solutions.be wrote:
> Quoting FreeBSD Security Advisories <security-advisories at freebsd.org>:
>
>
>>=============================================================================
>>FreeBSD-SA-05:21.openssl                                    Security Advisory
>>                                                          The FreeBSD Project
>
> [..]
>
>>c) Recompile the operating system as described in
>><URL:
>>http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html
>.
>
>
> Is there any reason why one would need to compile the whole operating system?
> I can understand that statically linked apps need to be recompiled, but
> are there actually any at all (and linked against openssl)?
>
> Kind regards,
> Jimmy Scott
>


cheers
mars

From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 08:15:04 2005
Date: Wed, 12 Oct 2005 11:14:57 +0300
From: Vladimir Terziev <vladimir.terziev@sun-fish.com>
To: freebsd-security@freebsd.org
Message-Id: <20051012111457.17eacc99.vlady@sun-fish.com>
In-Reply-To: <434C427D.40501@netfence.it>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434C427D.40501@netfence.it>
Organization: SunFish Ltd., Sofia
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl


	Ok, I think the FreeBSD team should isolate all statically linked applications which are part of the operating system and which depend on OpenSSL. They must be rebuilt (not the whole operating system) in order for the OpenSSL changes to be applied to them.

	Statically linked ports are the responsibility of the person who installed them.

		Vladimir


On Wed, 12 Oct 2005 00:53:49 +0200
Andrea Venturoli <ml@netfence.it> wrote:

> FreeBSD Security Advisories wrote:
> 
> > Note that any statically linked applications that are not part of the
> > base system (i.e. from the Ports Collection or other 3rd-party sources)
> > must be recompiled.
> 
> Ok, is there any way to list installed ports which are statically linked 
> against OpenSSL?
> 
>   bye & Thanks
> 	av.
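Andrea's question in the quoted text above (how to list installed ports that are statically linked against OpenSSL) gets no direct answer in the thread. The checker below is an added example for this archive, not code from any poster or from the FreeBSD project: it reads the ELF program headers to decide whether an executable is statically linked (the same evidence file(1) uses) and looks for the version banner libcrypto compiles in, which only ends up inside the executable when the library was linked statically. It assumes ELF executables; the two images it inspects when run without arguments are constructed in-memory stubs, and on a real box you would point it at the files listed by `pkg_info -L <port>` (assumed usage).

```python
"""Find executables that are statically linked and carry an OpenSSL banner.

Added example for this thread (not code from any poster or from FreeBSD).
Assumes ELF executables. The two images inspected in main() when no paths
are given are constructed in-memory stubs, not real programs.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def program_header_types(data):
    """Return the p_type of every program header in an ELF32/ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:    # ELF32: e_phoff at 0x1c, e_phentsize/e_phnum at 0x2a
        phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    elif ei_class == 2:  # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 0x36)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    # p_type is the first 32-bit field of a program header in both classes.
    return [struct.unpack_from(endian + "I", data, phoff + i * phentsize)[0]
            for i in range(phnum)]


def is_statically_linked(data):
    """No PT_INTERP (run-time linker path) and no PT_DYNAMIC segment means
    the binary resolves nothing at run time; this is what file(1) reports
    as 'statically linked'."""
    types = program_header_types(data)
    return PT_INTERP not in types and PT_DYNAMIC not in types


def embedded_openssl_banner(data):
    """libcrypto compiles in a banner such as 'OpenSSL 0.9.7x ...'. When the
    library is linked statically that string sits inside the executable;
    a dynamically linked program only has it in libcrypto.so."""
    start = data.find(b"OpenSSL ")
    if start < 0:
        return None
    end = data.find(b"\x00", start)
    return data[start:end if end >= 0 else None].decode("ascii", "replace")


def needs_rebuild(data):
    """True for a statically linked executable that embeds OpenSSL: fixing
    the shared library does not reach it, so it must be recompiled."""
    return is_statically_linked(data) and embedded_openssl_banner(data) is not None


def stub_elf64(dynamic, blob):
    """Build a minimal little-endian ELF64 image (header, program headers,
    then an arbitrary byte blob). Constructed for demonstration only."""
    types = [PT_LOAD] + ([PT_INTERP, PT_DYNAMIC] if dynamic else [])
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)          # 64-bit, LE, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000,
                                 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000)
                     for t in types)
    return header + phdrs + blob + b"\x00"


def main(paths):
    """Scan the files named on the command line (e.g. the output of
    `pkg_info -L <port>`, assumed usage); without arguments, scan the stubs."""
    if not paths:
        samples = {
            "stub-static-openssl": stub_elf64(False, b"OpenSSL 0.9.7 sample-banner"),
            "stub-dynamic": stub_elf64(True, b"no banner here"),
        }
        for name, data in samples.items():
            print(name, "REBUILD" if needs_rebuild(data) else "ok")
        return
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            flag = "REBUILD" if needs_rebuild(data) else "ok"
        except ValueError:
            flag = "skip (not ELF)"
        print(path, flag)


if __name__ == "__main__":
    main(sys.argv[1:])
```

A port that bundles its own copy of OpenSSL is caught the same way, since its banner is compiled into the executable regardless of which libcrypto it came from.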

From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 13:44:45 2005
Date: Wed, 12 Oct 2005 15:44:40 +0200
From: Tobias Roth <roth@iam.unibe.ch>
To: jere <jere@htnet.hr>
Message-ID: <20051012134440.GA17517@droopy.unibe.ch>
Mail-Followup-To: jere <jere@htnet.hr>, freebsd-security@freebsd.org
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434CBDC2.4070405@open-networks.net> <434CE0F1.6090400@htnet.hr>
In-Reply-To: <434CE0F1.6090400@htnet.hr>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

On Wed, Oct 12, 2005 at 12:09:53PM +0200, jere wrote:

[snip]

> And there lies another problem. In large environments it is also
> difficult to manage package security issues. The problem is that an updated
> ports tree doesn't just fix the security issue - it often also
> bumps the version of the affected package - something not always needed in
> production and most often avoided. The first concern of production
> (enterprise or not) should be stability.

If your primary concern is stability, don't upgrade the port. If your
primary concern is security, then upgrade it. If you want both, be
prepared to do extra work (i.e. testing the upgrade on a staging
system before deployment).

> For example, one can use a build
> server to quickly build new packages, but that package may be
> automatically bumped to a newer version - with the security issue patched and
> new features added. Currently FreeBSD admins don't have a clear choice
> to manage only ports security issues, but I think it's primarily due to
> lack of port maintainers.

You cannot expect a system where all security fixes can be automatically
applied without disrupting the stability of the environment. If you
want to be sure nothing breaks, you will have to test it in your
specific environment, period. And you cannot expect the port maintainers
to backport security fixes if the upstream provider chose to release the
fix only together with a new version.

cheers, t.

From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 14:14:48 2005
Message-ID: <434D1A21.9040104@fer.hr>
Date: Wed, 12 Oct 2005 16:13:53 +0200
From: Ivan Voras <ivoras@fer.hr>
To: Tobias Roth <roth@iam.unibe.ch>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>	<434CBDC2.4070405@open-networks.net>
	<434CE0F1.6090400@htnet.hr>
	<20051012134440.GA17517@droopy.unibe.ch>
In-Reply-To: <20051012134440.GA17517@droopy.unibe.ch>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

Tobias Roth wrote:
> On Wed, Oct 12, 2005 at 12:09:53PM +0200, jere wrote:

> And you cannot expect the port maintainers
> to backport security fixes if the upstream provider chose to release the
> fix only together with a new version.

Yes you can, ask these guys: http://www.debian.org/. It's just a matter 
of policy.

I dislike the long cycles between version updates in Debian but must 
admit that the "stable" distributions indeed justify their name, 
INCLUDING packages.

My idea is that there could maybe be some "core" ports, about 1500 or
so, that would get the special treatment of being updated in such a
"stable" fashion on a branch in the ports tree tagged (for example)
RELENG_6_0. These ports would be publicly announced as being
"anchored" to a release and updated (including backporting security
fixes) for as long as the release is maintained by the FreeBSD
security team.

From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 14:23:10 2005
Message-Id: <6.2.3.4.0.20051012101734.0675f208@64.7.153.2>
Date: Wed, 12 Oct 2005 10:23:16 -0400
To: Ivan Voras <ivoras@fer.hr>
From: Mike Tancsa <mike@sentex.net>
In-Reply-To: <434D1A21.9040104@fer.hr>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434CBDC2.4070405@open-networks.net> <434CE0F1.6090400@htnet.hr>
	<20051012134440.GA17517@droopy.unibe.ch> <434D1A21.9040104@fer.hr>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

At 10:13 AM 12/10/2005, Ivan Voras wrote:
>Tobias Roth wrote:
>>On Wed, Oct 12, 2005 at 12:09:53PM +0200, jere wrote:
>
>>And you cannot expect the port maintainers
>>to backport security fixes if the upstream provider chose to release the
>>fix only together with a new version.
>
>Yes you can, ask these guys: http://www.debian.org/. It's just a 
>matter of policy.
>
>I dislike the long cycles between version updates in Debian but must 
>admit that the "stable" distributions indeed justify their name, 
>INCLUDING packages.
>
>My idea is that there could maybe be some "core" ports, about 1500 or so,

This sounds like a recipe for confusion.  Some users have problems
distinguishing between what's in the base, and what's out of the
ports.  Another type of "pseudo base app" would just add to the
confusion.  Users / admins need to take *some* responsibility for
what is installed on their system.  Many ports are not very well
maintained in the first place, and to say that the security team
should be responsible for another 1500 applications is not realistic.

         ---Mike 


From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 16:26:45 2005
Message-ID: <41508.192.35.35.35.1129134388.squirrel@webmail.gigatrex.com>
In-Reply-To: <20051012082159.GA54387@kierun.org>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<1129036481.434bbac1720a6@webmail.boxke.be> <434BBF09.6040101@htnet.hr>
	<434CBDC2.4070405@open-networks.net>
	<20051012082159.GA54387@kierun.org>
Date: Wed, 12 Oct 2005 12:26:28 -0400 (EDT)
From: "Matt Piechota" <piechota@argolis.org>
To: "Yann Golanski" <yann@kierun.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl


On Wed, October 12, 2005 4:21 am, Yann Golanski wrote:
> Quoth Timothy Smith on Wed, Oct 12, 2005 at 17:39:46 +1000
>> the make world documents mention backing up your system. it fails to
>> give any preferred methods or utilities for doing this. anyone got some
>> input on that?
>
> I find rdiff-backup to be very good indeed.  It's in the port tree.

Section 16.11 in the handbook.  It's geared towards full-system backups, but
that's probably a good idea anyway.

Also, couldn't you use ffs snapshots as a backout plan?  I don't see anything
obvious to disregard everything after a snapshot in the man pages or handbook,
however.  I suppose you could do a recursive diff and copy the files from the
snapshot to the current filesystem.

-- 
Matt Piechota


From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 16:33:28 2005
Message-ID: <434D3AA4.1020000@fer.hr>
Date: Wed, 12 Oct 2005 18:32:36 +0200
From: Ivan Voras <ivoras@fer.hr>
To: Mike Tancsa <mike@sentex.net>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>	<434CBDC2.4070405@open-networks.net>
	<434CE0F1.6090400@htnet.hr>	<20051012134440.GA17517@droopy.unibe.ch>
	<434D1A21.9040104@fer.hr>
	<6.2.3.4.0.20051012101734.0675f208@64.7.153.2>
In-Reply-To: <6.2.3.4.0.20051012101734.0675f208@64.7.153.2>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

Mike Tancsa wrote:
> At 10:13 AM 12/10/2005, Ivan Voras wrote:

>> My idea is that there could maybe be some "core" ports, about 1500 or so,
> 
> This sounds like a recipe for confusion.  Some users have problems
> distinguishing between what's in the base, and what's out of the ports.
> Another type of "pseudo base app" would just add to the confusion.  User

I agree that "core ports" is a very confusing name... maybe something 
like "ports with extended security support" :)

> / admins need to take *some* responsibility for what is installed on 
> their system.  Many ports are not very well maintained in the first 
> place and to say that the security team should be responsible for 
> another 1500 applications is not realistic.

No, not the FreeBSD security team - I mentioned them only as a reference 
for "how long does it make sense to support a release". All ports that 
would get the extended support will HAVE to be supported by their 
respective maintainers/authors. Any port whose maintainer doesn't want 
to do it this way will automatically get kicked off the list.

The reason why I think this would work is that I think that many 
widely-used applications (e.g.: apache, php, mysql, postgresql, perl, 
postfix) are well maintained by their authors and there would certainly 
be an audience among the maintainers themselves for such a thing.

To summarize:
  - each release would tag the ports tree with RELENG_x_y
  - on that tag, certain ports would be supported security-wise by their
maintainers for as long as RELENG_x_y itself is supported by the
security team, being careful to leave the same version of the port (or
one that's 100% backward compatible).
  - other ports would not be supported/maintained, and will just be 
"frozen in time" by the CVS tag.


From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 17:02:39 2005
Date: Wed, 12 Oct 2005 19:01:56 +0200
From: Jonathan Glaschke <no-html@jonathan-glaschke.de>
To: freebsd-security@freebsd.org
Message-ID: <20051012170156.GA11723@kuckucksei.jogla>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434CBDC2.4070405@open-networks.net> <434CE0F1.6090400@htnet.hr>
	<20051012134440.GA17517@droopy.unibe.ch> <434D1A21.9040104@fer.hr>
	<6.2.3.4.0.20051012101734.0675f208@64.7.153.2>
	<434D3AA4.1020000@fer.hr>
In-Reply-To: <434D3AA4.1020000@fer.hr>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl


On Wed, Oct 12, 2005 at 06:32:36PM +0200, Ivan Voras wrote:
> Mike Tancsa wrote:
> >At 10:13 AM 12/10/2005, Ivan Voras wrote:
>
> >>My idea is that there could maybe be some "core" ports, about 1500 or so,
> >
> >This sounds like a recipe for confusion.  Some users have problems
> >distinguishing between what's in the base, and what's out of the ports.
> >Another type of "pseudo base app" would just add to the confusion.  User
>
> I agree that "core ports" is a very confusing name... maybe something
> like "ports with extended security support" :)
>
> >/ admins need to take *some* responsibility for what is installed on
> >their system.  Many ports are not very well maintained in the first
> >place and to say that the security team should be responsible for
> >another 1500 applications is not realistic.
>
> No, not the FreeBSD security team - I mentioned them only as a reference
> for "how long does it make sense to support a release". All ports that
> would get the extended support will HAVE to be supported by their
> respective maintainers/authors. Any port whose maintainer doesn't want
> to do it this way will automatically get kicked off the list.

If you do it this way you'll get the highest possible number of points
of failure. This work should be done by a few persons, _not_ by
1500 persons/maintainers for 1500 "security enhanced ports".

>
> The reason why I think this would work is that I think that many
> widely-used applications (e.g.: apache, php, mysql, postgresql, perl,
> postfix) are well maintained by their authors and there would certainly
> be an audience among the maintainers themselves for such a thing.
>
> To summarize:
>  - each release would tag the ports tree with RELENG_x_y
>  - on that tag, certain ports would be supported security-wise by their
> maintainers for as long as RELENG_x_y itself is supported by the
> security team, being careful to leave the same version of the port (or
> one that's 100% backward compatible).
>  - other ports would not be supported/maintained, and will just be
> "frozen in time" by the CVS tag.

Then all other ports are excluded from getting security fixes and will
become useless in a production/critical environment.

The other ports should be available as in a normal system, just as it is
today - in a newer version. That's still better than an old _and_
insecure version.

Greetings,
Jonathan
-- 
 | /"\   ASCII Ribbon   | Jonathan Glaschke - Lorenz-Görtz-Straße 71,
 | \ / Campaign Against | 41238 Mönchengladbach, Tel: 02166-265876
 |  X    HTML In Mail   | Mobil: 0162-3390789, ICQ: 231021883
 | / \     And News     | http://jonathan-glaschke.de/


From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 19:10:23 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 82F8D16A41F
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 19:10:23 +0000 (GMT)
	(envelope-from PeterJeremy@optushome.com.au)
Received: from mail09.syd.optusnet.com.au (mail09.syd.optusnet.com.au
	[211.29.132.190])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A994743D48
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 19:10:22 +0000 (GMT)
	(envelope-from PeterJeremy@optushome.com.au)
Received: from cirb503493.alcatel.com.au
	(c220-239-19-236.belrs4.nsw.optusnet.com.au [220.239.19.236])
	by mail09.syd.optusnet.com.au (8.12.11/8.12.11) with ESMTP id
	j9CJAKjq014309
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
	Thu, 13 Oct 2005 05:10:20 +1000
Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au [127.0.0.1])
	by cirb503493.alcatel.com.au (8.12.10/8.12.10) with ESMTP id
	j9CJAJHh007291; Thu, 13 Oct 2005 05:10:19 +1000 (EST)
	(envelope-from pjeremy@cirb503493.alcatel.com.au)
Received: (from pjeremy@localhost)
	by cirb503493.alcatel.com.au (8.12.10/8.12.9/Submit) id j9CJAJUE007290; 
	Thu, 13 Oct 2005 05:10:19 +1000 (EST) (envelope-from pjeremy)
Date: Thu, 13 Oct 2005 05:10:19 +1000
From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: Jacques Vidrine <jacques@vidrine.us>
Message-ID: <20051012191019.GJ2482@cirb503493.alcatel.com.au>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434BCB75.2000402@iang.org>
	<B9EA75B5-B5AE-4164-A91E-061E5AECCC5B@vidrine.us>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <B9EA75B5-B5AE-4164-A91E-061E5AECCC5B@vidrine.us>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

On Tue, 2005-Oct-11 09:45:53 -0700, Jacques Vidrine wrote:
>On Oct 11, 2005, at 7:25 AM, Ian G wrote:
>>Isn't the workaround obviously to switch off V2?
>
>Yes.  Sorry that wasn't mentioned.

That sounds like a good workaround.  How do I implement it?  I've
looked through the documentation and can't find any reference to a
runtime OpenSSL configuration file that would let me do this.

-- 
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 20:50:40 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B0B3316A41F
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 20:50:40 +0000 (GMT)
	(envelope-from timothy@open-networks.net)
Received: from titan.open-networks.net (ns.open-networks.net [202.173.176.254])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2E9EA43D46
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 20:50:39 +0000 (GMT)
	(envelope-from timothy@open-networks.net)
Received: from [192.168.1.200] (tim.open-networks.net [192.168.1.1])
	by titan.open-networks.net (Postfix) with ESMTP
	id 26FC46E5; Thu, 13 Oct 2005 06:50:37 +1000 (EST)
Message-ID: <434D771C.9000708@open-networks.net>
Date: Thu, 13 Oct 2005 06:50:36 +1000
From: Timothy Smith <timothy@open-networks.net>
User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051002)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Matt Piechota <piechota@argolis.org>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>	<1129036481.434bbac1720a6@webmail.boxke.be>
	<434BBF09.6040101@htnet.hr>	<434CBDC2.4070405@open-networks.net>	<20051012082159.GA54387@kierun.org>
	<41508.192.35.35.35.1129134388.squirrel@webmail.gigatrex.com>
In-Reply-To: <41508.192.35.35.35.1129134388.squirrel@webmail.gigatrex.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Yann Golanski <yann@kierun.org>, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

Matt Piechota wrote:

>On Wed, October 12, 2005 4:21 am, Yann Golanski wrote:
>
>>Quoth Timothy Smith on Wed, Oct 12, 2005 at 17:39:46 +1000
>>
>>>The make world documents mention backing up your system. They fail to
>>>give any preferred methods or utilities for doing this. Anyone got some
>>>input on that?
>>
>>I find rdiff-backup to be very good indeed.  It's in the port tree.
>
>Section 16.11 in the handbook.  It's geared towards full-system backups, but
>that's probably a good idea anyways.
>
>Also, couldn't you use ffs snapshots as a backout plan?  I don't see anything
>obvious to disregard everything after a snapshot in the man pages or handbook,
>however.  I suppose you could do a recursive diff and copy the files from the
>snapshot to the current filesystem.

ffs snapshots are all very well when I have physical access to the machine.
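Matt's "recursive diff and copy the files from the snapshot" backout is easy to make concrete. The functions below are an added example, not code from the thread or from FreeBSD: given a read-only mounted snapshot tree and the live tree, they list what an upgrade changed, removed or added, and copy the changed and removed files back. They assume the snapshot is already mounted somewhere (on FreeBSD a UFS snapshot file is typically attached with `mdconfig -a -t vnode -f <snapshot>` and mounted read-only with `mount -r`); the trees used by `demo()` are constructed in a temporary directory.

```python
"""Back out a failed upgrade from a mounted filesystem snapshot by
comparing it with the live tree and copying back what changed.
Added example; assumes the snapshot is mounted read-only at `snap`."""
import filecmp
import os
import shutil
import tempfile


def _relative_files(root):
    """Set of regular-file paths under root, relative to root."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def changed_since_snapshot(snap, live):
    """Return (changed, added): files that differ from or vanished since the
    snapshot, and files that exist only in the live tree (e.g. new binaries
    dropped in by installworld)."""
    snap_files, live_files = _relative_files(snap), _relative_files(live)
    changed = sorted(
        rel for rel in snap_files
        if rel not in live_files
        or not filecmp.cmp(os.path.join(snap, rel), os.path.join(live, rel), shallow=False))
    return changed, sorted(live_files - snap_files)


def restore_from_snapshot(snap, live, remove_added=False):
    """Copy every changed or missing file back from the snapshot and, if asked,
    delete files the upgrade added.  Returns both lists for the admin's log."""
    changed, added = changed_since_snapshot(snap, live)
    for rel in changed:
        dst = os.path.join(live, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(snap, rel), dst)     # copy2 keeps mode and mtime
    if remove_added:
        for rel in added:
            os.remove(os.path.join(live, rel))
    return changed, added


def demo():
    """Exercise the restore on two constructed trees in a temp dir (not real system files)."""
    base = tempfile.mkdtemp()
    snap, live = os.path.join(base, "snap"), os.path.join(base, "live")
    trees = (
        (snap, {"bin/sh": b"old sh", "etc/hosts": b"127.0.0.1 localhost", "etc/rc": b"rc"}),
        (live, {"bin/sh": b"new sh", "etc/rc": b"rc", "bin/newtool": b"added"}),
    )
    for tree, files in trees:
        for rel, content in files.items():
            path = os.path.join(tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
    changed, added = restore_from_snapshot(snap, live, remove_added=True)
    with open(os.path.join(live, "bin/sh"), "rb") as fh:
        restored_sh = fh.read()
    hosts_back = os.path.exists(os.path.join(live, "etc/hosts"))
    newtool_gone = not os.path.exists(os.path.join(live, "bin/newtool"))
    shutil.rmtree(base)
    return changed, added, restored_sh, hosts_back, newtool_gone


if __name__ == "__main__":
    print(demo())
```

Run `changed_since_snapshot()` first and read the lists before calling `restore_from_snapshot()`; on a real system the "added" list includes everything a new world installed, so `remove_added=True` is the full rollback and the default leaves new files in place.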

From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 20:56:52 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BA94016A420
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 20:56:52 +0000 (GMT)
	(envelope-from kris@obsecurity.org)
Received: from elvis.mu.org (elvis.mu.org [192.203.228.196])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6D53E43D45
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 20:56:52 +0000 (GMT)
	(envelope-from kris@obsecurity.org)
Received: from obsecurity.dyndns.org (elvis.mu.org [192.203.228.196])
	by elvis.mu.org (Postfix) with ESMTP id 55A071A3C24;
	Wed, 12 Oct 2005 13:56:52 -0700 (PDT)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 8A0AA511BC; Wed, 12 Oct 2005 16:56:51 -0400 (EDT)
Date: Wed, 12 Oct 2005 16:56:51 -0400
From: Kris Kennaway <kris@obsecurity.org>
To: Vladimir Terziev <vladimir.terziev@sun-fish.com>
Message-ID: <20051012205651.GA91215@xor.obsecurity.org>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434C427D.40501@netfence.it>
	<20051012111457.17eacc99.vlady@sun-fish.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="jRHKVT23PllUwdXP"
Content-Disposition: inline
In-Reply-To: <20051012111457.17eacc99.vlady@sun-fish.com>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl



On Wed, Oct 12, 2005 at 11:14:57AM +0300, Vladimir Terziev wrote:
>
> Ok, I think the FreeBSD team should isolate all statically linked
> applications which are part of the operating system and which depend
> on OpenSSL. They must be re-built (not the whole operating system)
> in order for the OpenSSL changes to be applied to them.

AFAIK there are no statically linked openssl applications in the
FreeBSD base system, unless someone has specifically compiled them
that way on their own.

Kris

P.S. Please wrap your lines at 70 characters so that your emails may
be easily read.


From owner-freebsd-security@FreeBSD.ORG  Wed Oct 12 22:08:43 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2668916A41F
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 22:08:43 +0000 (GMT)
	(envelope-from cperciva@freebsd.org)
Received: from pd5mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net
	[24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id BBE2543D46
	for <freebsd-security@freebsd.org>;
	Wed, 12 Oct 2005 22:08:42 +0000 (GMT)
	(envelope-from cperciva@freebsd.org)
Received: from pd3mr3so.prod.shaw.ca
	(pd3mr3so-qfe3.prod.shaw.ca [10.0.141.179]) by l-daemon
	(Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004))
	with ESMTP id <0IO9000A0PHEG9C0@l-daemon> for
	freebsd-security@freebsd.org; Wed, 12 Oct 2005 16:08:02 -0600 (MDT)
Received: from pn2ml2so.prod.shaw.ca ([10.0.121.146])
	by pd3mr3so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01
	(built Mar
	15 2004)) with ESMTP id <0IO9005O9PHELI40@pd3mr3so.prod.shaw.ca> for
	freebsd-security@freebsd.org; Wed, 12 Oct 2005 16:08:02 -0600 (MDT)
Received: from [192.168.0.60]
	(S0106006067227a4a.vc.shawcable.net [24.87.209.6]) by l-daemon
	(iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003))
	with ESMTP id <0IO90088ZPHDTL@l-daemon> for
	freebsd-security@freebsd.org; Wed, 12 Oct 2005 16:08:02 -0600 (MDT)
Date: Wed, 12 Oct 2005 15:08:01 -0700
From: Colin Percival <cperciva@freebsd.org>
In-reply-to: <20051012205651.GA91215@xor.obsecurity.org>
To: Kris Kennaway <kris@obsecurity.org>
Message-id: <434D8941.1090306@freebsd.org>
MIME-version: 1.0
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7bit
X-Accept-Language: en-us, en
X-Enigmail-Version: 0.92.1.0
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434C427D.40501@netfence.it>
	<20051012111457.17eacc99.vlady@sun-fish.com>
	<20051012205651.GA91215@xor.obsecurity.org>
User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051001)
Cc: Vladimir Terziev <vladimir.terziev@sun-fish.com>,
	freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

Kris Kennaway wrote:
> AFAIK there are no statically linked openssl applications in the
> FreeBSD base system, unless someone has specifically compiled them
> that way on their own.

I can confirm that this is true for 4.10, 4.11, 5.3, and 5.4, at least
under the default build flags.

Colin Percival
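Vladimir's suggestion (rebuild whatever statically links OpenSSL) and the replies from Kris and Colin come down to one audit question: which installed executables carry their own copy of libssl, and which load it dynamically and therefore pick up the fixed shared library on restart. The script below is an added example written for this page, not code from the thread or from FreeBSD. It reads the ELF program headers and dynamic section directly, so it needs neither `ldd` nor `file`; a binary with no dynamic section (or no DT_NEEDED entries and no interpreter) is treated as statically linked, and static binaries that embed an "OpenSSL " version string are flagged for rebuilding. The `build_elf()` images, and the `libssl.so.3` / `OpenSSL 0.9.7e` strings used with them, are constructed test inputs, not real binaries.

```python
"""Audit ELF executables for OpenSSL linkage: a statically linked copy only
picks up a libssl fix when the binary is rebuilt, a dynamic link against
libssl/libcrypto picks it up on restart.  Added example; handles ELF32
and ELF64 in either byte order.  build_elf() makes constructed test images."""
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
OPENSSL_LIBS = ("libssl.", "libcrypto.")


def parse_phdrs(data):
    """Return (elf class, endian prefix, [(p_type, p_offset, p_vaddr, p_filesz)])."""
    cls, e = data[4], {1: "<", 2: ">"}[data[5]]
    if cls == 2:                                       # ELF64 header layout
        (e_phoff,) = struct.unpack_from(e + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
        fmt, pick = e + "IIQQQQQQ", (0, 2, 3, 5)
    elif cls == 1:                                     # ELF32 layout (i386 etc.)
        (e_phoff,) = struct.unpack_from(e + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
        fmt, pick = e + "IIIIIIII", (0, 1, 2, 4)
    else:
        raise ValueError("unknown ELF class %d" % cls)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        phdrs.append(tuple(fields[k] for k in pick))
    return cls, e, phdrs


def vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, p_offset, p_vaddr, p_filesz in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address 0x%x is not file-backed" % vaddr)


def link_info(data):
    """{'interp': has PT_INTERP, 'needed': DT_NEEDED sonames, or None without a dynamic section}."""
    cls, e, phdrs = parse_phdrs(data)
    interp = any(p[0] == PT_INTERP for p in phdrs)
    dyn = [p for p in phdrs if p[0] == PT_DYNAMIC]
    if not dyn:
        return {"interp": interp, "needed": None}
    _, d_off, _, d_size = dyn[0]
    fmt = e + ("qQ" if cls == 2 else "iI")            # Elf64_Dyn / Elf32_Dyn
    needed, strtab_va, strsz = [], None, 0
    for off in range(d_off, d_off + d_size, struct.calcsize(fmt)):
        tag, val = struct.unpack_from(fmt, data, off)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)
        elif tag == DT_STRTAB:
            strtab_va = val
        elif tag == DT_STRSZ:
            strsz = val
    if strtab_va is None:
        return {"interp": interp, "needed": []}
    so = vaddr_to_offset(phdrs, strtab_va)
    strtab = data[so:so + strsz]
    names = [strtab[i:strtab.index(b"\0", i)].decode("ascii", "replace") for i in needed]
    return {"interp": interp, "needed": names}


def classify(data):
    """Sort one file image into the rebuild / restart buckets from the thread."""
    if data[:4] != b"\x7fELF":
        return "not-elf"
    info = link_info(data)
    if info["needed"] is None or not (info["interp"] or info["needed"]):
        # Nothing comes from a shared library: a libssl fix reaches it only by rebuilding.
        return "static, embeds OpenSSL" if b"OpenSSL " in data else "static"
    if any(n.startswith(OPENSSL_LIBS) for n in info["needed"]):
        return "dynamic, links OpenSSL"
    return "dynamic"


def build_elf(needed=(), payload=b""):
    """Constructed minimal ELF64 little-endian image (not a runnable program) for the scanner."""
    phnum = 2 if needed else 1
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    strtab_off = 64 + 56 * phnum
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    dyn, name_off = b"", 1
    for n in needed:
        dyn += struct.pack("<qQ", DT_NEEDED, name_off)
        name_off += len(n) + 1
    if needed:
        dyn += struct.pack("<qQqQqQ", DT_STRTAB, strtab_off, DT_STRSZ, len(strtab), DT_NULL, 0)
    total = dyn_off + len(dyn) + len(payload)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8        # 64-bit, LE, version 1
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    ph = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)   # whole file at 0
    if needed:
        ph += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    body = hdr + ph + strtab
    return body + b"\0" * (dyn_off - len(body)) + dyn + payload


if __name__ == "__main__":                     # usage: audit_openssl.py /usr/sbin/* /usr/libexec/*
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print("%-24s %s" % (classify(fh.read()), path))
```

Run it over the base directories the advisory covers and restart everything in the "dynamic, links OpenSSL" bucket once the shared library is patched; anything reported as "static, embeds OpenSSL" has to be rebuilt, which on a default build of the releases Colin lists should, by his confirmation above, turn up nothing.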

From owner-freebsd-security@FreeBSD.ORG  Thu Oct 13 07:25:46 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4F79816A41F
	for <freebsd-security@freebsd.org>;
	Thu, 13 Oct 2005 07:25:46 +0000 (GMT) (envelope-from jere@htnet.hr)
Received: from ls405.htnet.hr (ls405.htnet.hr [195.29.150.97])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 97A2643D46
	for <freebsd-security@freebsd.org>;
	Thu, 13 Oct 2005 07:25:44 +0000 (GMT) (envelope-from jere@htnet.hr)
Received: from ls401.t-com.hr (ls401.t-com.hr [195.29.150.236])
	by ls405.htnet.hr (0.0.0/8.12.10) with ESMTP id j9D7PfWl028394;
	Thu, 13 Oct 2005 09:25:41 +0200
Received: from ls401.t-com.hr (localhost.localdomain [127.0.0.1])
	by ls401.t-com.hr (Qmlai) with ESMTP id AAA8070003;
	Thu, 13 Oct 2005 09:25:41 +0200 (CEST)
X-Envelope-Sender: jere@htnet.hr
Received: from [195.29.148.251] (bla.htnet.hr [195.29.148.251])
	by ls401.t-com.hr (Qmlai) with ESMTP id 60980A802D;
	Thu, 13 Oct 2005 09:25:41 +0200 (CEST)
Message-ID: <434E0C7C.5060408@htnet.hr>
Date: Thu, 13 Oct 2005 09:27:56 +0200
From: jere <jere@htnet.hr>
Organization: bla
User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050428)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Ivan Voras <ivoras@fer.hr>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434CBDC2.4070405@open-networks.net> <434CE0F1.6090400@htnet.hr>
	<20051012134440.GA17517@droopy.unibe.ch>
	<434D1A21.9040104@fer.hr>
In-Reply-To: <434D1A21.9040104@fer.hr>
X-Enigmail-Version: 0.89.6.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Thu, 13 Oct 2005 13:24:20 +0000
Cc: freebsd-security@freebsd.org, Tobias Roth <roth@iam.unibe.ch>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

I agree with that. What an enterprise environment wants is quick patching
and a quick rollback (in case of failure). Nobody asks you how good your
OS is or how much you like it - the system just has to work - that's all.
FreeBSD itself *is* a very robust OS, but without these properties it is
still limited in how widely it can be accepted in large production
environments.

j.

Ivan Voras wrote:
> Tobias Roth wrote:
>> On Wed, Oct 12, 2005 at 12:09:53PM +0200, jere wrote:
> 
>> And you cannot expect the port maintainers
>> to backport security fixes if the upstream provider chose to release the
>> fix only together with a new version.
> 
> Yes you can, ask these guys: http://www.debian.org/. It's just a matter 
> of policy.
> 
> I dislike the long cycles between version updates in Debian but must 
> admit that the "stable" distributions indeed justify their name, 
> INCLUDING packages.
> 

From owner-freebsd-security@FreeBSD.ORG  Thu Oct 13 13:29:29 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6413416A41F
	for <freebsd-security@freebsd.org>;
	Thu, 13 Oct 2005 13:29:29 +0000 (GMT)
	(envelope-from tataz@tataz.chchile.org)
Received: from smtp4-g19.free.fr (smtp4-g19.free.fr [212.27.42.30])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 309D443D5F
	for <freebsd-security@freebsd.org>;
	Thu, 13 Oct 2005 13:29:26 +0000 (GMT)
	(envelope-from tataz@tataz.chchile.org)
Received: from tatooine.tataz.chchile.org
	(vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98])
	by smtp4-g19.free.fr (Postfix) with ESMTP id 1EB643FCFB;
	Thu, 13 Oct 2005 15:29:13 +0200 (CEST)
Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000)
	id A920E4080; Thu, 13 Oct 2005 15:29:01 +0200 (CEST)
Date: Thu, 13 Oct 2005 15:29:01 +0200
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Ivan Voras <ivoras@fer.hr>
Message-ID: <20051013132901.GH45070@obiwan.tataz.chchile.org>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434CBDC2.4070405@open-networks.net> <434CE0F1.6090400@htnet.hr>
	<20051012134440.GA17517@droopy.unibe.ch> <434D1A21.9040104@fer.hr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <434D1A21.9040104@fer.hr>
User-Agent: Mutt/1.5.10i
Cc: freebsd-security@freebsd.org, jere <jere@htnet.hr>,
	Tobias Roth <roth@iam.unibe.ch>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

> >On Wed, Oct 12, 2005 at 12:09:53PM +0200, jere wrote:
> 
> >And you cannot expect the port maintainers
> >to backport security fixes if the upstream provider chose to release the
> >fix only together with a new version.
> 
> Yes you can, ask these guys: http://www.debian.org/. It's just a matter 
> of policy.

OTOH, Debian package maintainers chose to do this work, whereas asking
FreeBSD ports maintainers to do this extra work just now is awkward.
Yes, the FreeBSD project could still ask for volunteers for this job,
but anyway I noticed that this kind of policy leads to delayed package
updates, whereas merely changing the Makefile in order to upgrade the
port is very quick.

The best example I can give of this is Firefox.  Recently we have seen
a great increase in security advisories about it.  As both a FreeBSD and
Debian user I have to admit that the FreeBSD port is often updated before
the Debian package (however I must also admit this compares somewhat
the two maintainers).

Eventually I would say that when someone administers a network, I
think it is his own responsibility to choose software whose release
process is serious enough - which used to be a major reason for using
FreeBSD - and it is not the responsibility of FreeBSD to overcome their
deficiencies.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG  Thu Oct 13 14:57:38 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1C02A16A41F
	for <freebsd-security@freebsd.org>;
	Thu, 13 Oct 2005 14:57:38 +0000 (GMT)
	(envelope-from marquis@roble.com)
Received: from mx5.roble.com (mx5.roble.com [206.40.34.5])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DCA8143D46
	for <freebsd-security@freebsd.org>;
	Thu, 13 Oct 2005 14:57:37 +0000 (GMT)
	(envelope-from marquis@roble.com)
Date: Thu, 13 Oct 2005 07:57:37 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
In-Reply-To: <20051013120111.E8AAD16A421@hub.freebsd.org>
Message-ID: <20051013073851.D37953@roble.com>
References: <20051013120111.E8AAD16A421@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

Giorgos Keramidas wrote:
> The alternative of manually fiddling with makefiles under /usr/src may
> be ok for hacker-style, experimental installations, where a few hours of
> breakage may be ok.  This is _UNACCEPTABLE_ in a large setup.

This is one of the reasons we have continued using
OPENSSL_OVERWRITE_BASE="YES" plus WITH_OPENSSL_BASE="YES" and
keeping up-to-date via the openssl and openssh ports.  These options
have saved us a _lot_ of headaches over the years despite the fact
that it has been officially "deprecated" since 4.11 and requires
a Makefile hack.

*_OVERWRITE_BASE _should_be_a_required_option_ in _all_ ports that
are also available as base applications (sendmail/postfix, bind,
...)  Either that or move these apps out of the base altogether (as
was done with Perl).

> Especially if one considers that large setups can make use of network
> booting from preinstalled images, which have been asynchronously
> updated, for any number of machines, to include the fixes.

Large setups can take advantage of many economies of scale that the
rest of us cannot.  We cannot reboot client servers whenever a kernel
or OS patch comes out, much less keep a test machine around for
every arch and OS version under support.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG  Thu Oct 13 20:44:32 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5888516A423
	for <freebsd-security@freebsd.org>;
	Thu, 13 Oct 2005 20:44:32 +0000 (GMT)
	(envelope-from jacques@vidrine.us)
Received: from mail.phi23.org (phi23.org [161.58.133.165])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7BB8243D45
	for <freebsd-security@freebsd.org>;
	Thu, 13 Oct 2005 20:44:31 +0000 (GMT)
	(envelope-from jacques@vidrine.us)
Received: from [17.202.43.236] (A17-202-43-236.apple.com [17.202.43.236])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(Client did not present a certificate)
	by mail.phi23.org (Postfix) with ESMTP id 5F99C2509C;
	Thu, 13 Oct 2005 20:44:30 +0000 (UTC)
In-Reply-To: <20051012191019.GJ2482@cirb503493.alcatel.com.au>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434BCB75.2000402@iang.org>
	<B9EA75B5-B5AE-4164-A91E-061E5AECCC5B@vidrine.us>
	<20051012191019.GJ2482@cirb503493.alcatel.com.au>
Mime-Version: 1.0 (Apple Message framework v746.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <47D785F8-E28E-4753-ABE9-8627107D9038@vidrine.us>
Content-Transfer-Encoding: 7bit
From: Jacques Vidrine <jacques@vidrine.us>
Date: Thu, 13 Oct 2005 13:44:28 -0700
To: Peter Jeremy <PeterJeremy@optushome.com.au>
X-Mailer: Apple Mail (2.746.2)
X-Mailman-Approved-At: Fri, 14 Oct 2005 12:44:02 +0000
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl


On 2005-10-12, at 12:10 :19, Peter Jeremy wrote:

> On Tue, 2005-Oct-11 09:45:53 -0700, Jacques Vidrine wrote:
>> On Oct 11, 2005, at 7:25 AM, Ian G wrote:
>>> Isn't the workaround obviously to switch off V2?
>>
>> Yes.  Sorry that wasn't mentioned.
>
> That sounds like a good workaround.  How do I implement it?  I've
> looked through the documentation and can't find any reference to a
> runtime OpenSSL configuration file that would let me do this.

I'm not aware of a global option for OpenSSL, either.  Disabling SSLv2
would need to be handled by the application, i.e. turn off SSLv2 for
each of your SSL/TLS applications.  Cheers,
-- 
Jacques Vidrine <jacques@vidrine.us>
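The per-application knob Jacques refers to is, for daemons built on OpenSSL, the SSL_OP_NO_SSLv2 context option or whatever setting the application exposes for it; what an administrator then wants is a way to confirm from the wire that each service really stopped negotiating SSLv2. The parser below is an added example, not code from the thread or from OpenSSL: it classifies captured handshake bytes, telling an SSLv2 CLIENT-HELLO (2-byte header with the high bit set, message type 1) from an SSLv3/TLS record, and reports an SSLv2 SERVER-HELLO (message type 4) on the server side, which is the signal that the service still accepts SSLv2. The four sample captures are constructed by hand to the SSLv2 message layout; they are not recorded traffic.

```python
"""Tell from captured handshake bytes whether a service still negotiates
SSLv2.  Added example (not from the thread); the sample captures below are
constructed to the SSLv2 CLIENT-HELLO / SERVER-HELLO layout, not recorded."""
import struct

MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 1, 4
SSLV2_CIPHER_KINDS = {            # 3-byte SSLv2 CIPHER-KIND codes
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def _v2_header(data):
    """SSLv2 2-byte record header: high bit set, 15-bit length; then the message type."""
    if len(data) < 3 or not data[0] & 0x80:
        return None
    return ((data[0] & 0x7F) << 8) | data[1], data[2]


def parse_client_hello(data):
    """Classify the first bytes a client sends: SSLv3/TLS record or SSLv2 CLIENT-HELLO."""
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03:
        return {"format": "tls-record", "record_version": (data[1], data[2])}
    hdr = _v2_header(data)
    if hdr is None:
        return {"format": "unknown"}
    length, msg_type = hdr
    if msg_type != MSG_CLIENT_HELLO or len(data) < 11:
        return {"format": "sslv2-other", "msg_type": msg_type}
    major, minor, cs_len, sid_len, ch_len = struct.unpack_from(">BBHHH", data, 3)
    specs = data[11:11 + cs_len]
    kinds = [specs[i:i + 3] for i in range(0, len(specs) - 2, 3)]
    return {
        "format": "sslv2-client-hello",
        "version": (major, minor),     # (0, 2): SSLv2-only client; (3, x): v2-compatible hello
        "truncated": len(data) < 2 + length or length != 9 + cs_len + sid_len + ch_len,
        "sslv2_ciphers": [SSLV2_CIPHER_KINDS.get(k, k.hex()) for k in kinds if k[0] != 0],
        "tls_suites": [k[1:].hex() for k in kinds if k[0] == 0],   # TLS suites packed as 00 xx yy
    }


def classify_server_response(data):
    """'sslv2' is True when the server answered with an SSLv2 SERVER-HELLO, i.e. SSLv2 is still on."""
    if len(data) >= 5 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return {"sslv2": False, "record_type": "alert" if data[0] == 0x15 else "handshake",
                "record_version": (data[1], data[2])}
    hdr = _v2_header(data)
    if hdr is None or hdr[1] != MSG_SERVER_HELLO or len(data) < 13:
        return {"sslv2": False, "record_type": "unknown"}
    # SERVER-HELLO: session-id-hit, certificate-type, version, cert len, cipher-specs len, conn-id len
    _hit, _cert_type, major, minor, cert_len, cs_len, _conn_len = struct.unpack_from(">BBBBHHH", data, 3)
    specs_off = 13 + cert_len
    kinds = [data[i:i + 3] for i in range(specs_off, specs_off + cs_len, 3)]
    return {"sslv2": True, "version": (major, minor),
            "ciphers": [SSLV2_CIPHER_KINDS.get(k, k.hex()) for k in kinds]}


# Constructed captures (not real traffic):
# SSLv2-only CLIENT-HELLO offering RC4-128 and 3DES, empty session id, 16-byte challenge.
V2_CLIENT_HELLO = (b"\x80\x1f\x01\x00\x02\x00\x06\x00\x00\x00\x10"
                   b"\x01\x00\x80\x07\x00\xc0" + b"\x11" * 16)
# v2-compatible CLIENT-HELLO advertising TLS 1.0 with two TLS suites and one SSLv2 kind.
V2_COMPAT_HELLO = (b"\x80\x22\x01\x03\x01\x00\x09\x00\x00\x00\x10"
                   b"\x00\x00\x35\x00\x00\x0a\x01\x00\x80" + b"\x22" * 16)
# SSLv3/TLS handshake record with a TLS 1.0 record version; body cut short.
TLS_RECORD = b"\x16\x03\x01\x00\x31\x01\x00\x00\x2d\x03\x01"
# SSLv2 SERVER-HELLO: no session hit, X.509 cert type, version 0.2, empty cert,
# one cipher (RC4-128), 16-byte connection id.
V2_SERVER_HELLO = (b"\x80\x1e\x04\x00\x01\x00\x02\x00\x00\x00\x03\x00\x10"
                   b"\x01\x00\x80" + b"\x33" * 16)

if __name__ == "__main__":
    print(parse_client_hello(V2_COMPAT_HELLO))
    print(classify_server_response(V2_SERVER_HELLO))
```

A v2-compatible CLIENT-HELLO from a client is normal for the period and says nothing about the server; the item to look for in a capture taken after the change is any SSLv2 SERVER-HELLO, since a service with SSLv2 off answers such a hello with an SSLv3/TLS record or an alert instead.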



From owner-freebsd-security@FreeBSD.ORG  Fri Oct 14 18:11:59 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B827D16A41F
	for <freebsd-security@freebsd.org>;
	Fri, 14 Oct 2005 18:11:59 +0000 (GMT) (envelope-from iang@iang.org)
Received: from postix.sonance.net (mx2.sonance.net [62.116.45.130])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F0CF243D60
	for <freebsd-security@freebsd.org>;
	Fri, 14 Oct 2005 18:11:58 +0000 (GMT) (envelope-from iang@iang.org)
Received: from localhost (localhost [127.0.0.1])
	by postix.sonance.net (Postfix) with ESMTP id 07CF717B486;
	Fri, 14 Oct 2005 20:11:48 +0200 (CEST)
Received: from postix.sonance.net ([127.0.0.1])
	by localhost (zentrix [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 30195-03; Fri, 14 Oct 2005 20:11:46 +0200 (CEST)
Received: from [IPv6???1] (localhost [127.0.0.1])
	by postix.sonance.net (Postfix) with ESMTP id C763417B480;
	Fri, 14 Oct 2005 20:11:45 +0200 (CEST)
Message-ID: <434FF511.1000505@iang.org>
Date: Fri, 14 Oct 2005 19:12:33 +0100
From: Ian G <iang@iang.org>
Organization: http://iang.org/
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050921)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Jacques Vidrine <jacques@vidrine.us>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>	<434BCB75.2000402@iang.org>	<B9EA75B5-B5AE-4164-A91E-061E5AECCC5B@vidrine.us>	<20051012191019.GJ2482@cirb503493.alcatel.com.au>
	<47D785F8-E28E-4753-ABE9-8627107D9038@vidrine.us>
In-Reply-To: <47D785F8-E28E-4753-ABE9-8627107D9038@vidrine.us>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at sonance.net
Cc: Peter Jeremy <PeterJeremy@optushome.com.au>, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2005 18:11:59 -0000

Jacques Vidrine wrote:
> 
> On 2005-10-12, at 12:10 :19, Peter Jeremy wrote:
> 
>> On Tue, 2005-Oct-11 09:45:53 -0700, Jacques Vidrine wrote:
>>
>>> On Oct 11, 2005, at 7:25 AM, Ian G wrote:
>>>
>>>> Isn't the workaround obviously to switch off V2?
>>>
>>>
>>> Yes.  Sorry that wasn't mentioned.
>>
>>
>> That sounds like a good workaround.  How do I implement it?  I've
>> looked through the documentation and can't find any reference to a
>> runtime OpenSSL configuration file that would let me do this.
> 
> 
> I'm not aware of a global option for OpenSSL, either.  Disabling  SSLv2 
> would need to be handled by the application, i.e. turn off  SSLv2 for 
> each of your SSL/TLS applications.  Cheers,


Seems correct, no global option.  Sorry to have
got your hopes up there.

iang



-------- Original Message --------
Subject: Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl]
Date: Fri, 14 Oct 2005 14:38:15 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Ian G <iang@iang.org>

Ian G wrote:
> Does this sound right?  No global option in OpenSSL
> to turn off SSL v2?

Yes.

From owner-freebsd-security@FreeBSD.ORG  Fri Oct 14 14:38:58 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5BCD116A420
	for <freebsd-security@freebsd.org>;
	Fri, 14 Oct 2005 14:38:58 +0000 (GMT)
	(envelope-from dacoder@dcoder.net)
Received: from ns0.dcoder.net (ns0.dcoder.net [66.92.160.14])
	by mx1.FreeBSD.org (Postfix) with ESMTP id CE4D543D53
	for <freebsd-security@freebsd.org>;
	Fri, 14 Oct 2005 14:38:56 +0000 (GMT)
	(envelope-from dacoder@dcoder.net)
Received: from ns0.dcoder.net (ns0.dcoder.net [66.92.160.14])
	by ns0.dcoder.net (Postfix) with ESMTP id 29CF92841A;
	Fri, 14 Oct 2005 10:38:56 -0400 (EDT)
Date: Fri, 14 Oct 2005 10:38:56 -0400 (EDT)
From: David Coder <dacoder@dcoder.net>
To: Jacques Vidrine <jacques@vidrine.us>
In-Reply-To: <47D785F8-E28E-4753-ABE9-8627107D9038@vidrine.us>
Message-ID: <20051014103322.J825@ns0.dcoder.net>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
	<434BCB75.2000402@iang.org>
	<B9EA75B5-B5AE-4164-A91E-061E5AECCC5B@vidrine.us>
	<20051012191019.GJ2482@cirb503493.alcatel.com.au>
	<47D785F8-E28E-4753-ABE9-8627107D9038@vidrine.us>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Mailman-Approved-At: Sat, 15 Oct 2005 13:50:42 +0000
Cc: Peter Jeremy <PeterJeremy@optushome.com.au>, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Coder <dacoder@dcoder.net>
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2005 14:38:58 -0000


Hi, Jacques,

The mod_ssl how-to explains how to run an SSLv2-only Apache server, but not
SSLv2, but assuming that the httpd.conf syntax is the same I thought I'd
substitute the two lines 

	SSLProtocol -all +SSLv3
	SSLCipherSuite SSLv3:+HIGH:+MEDIUM:+LOW:+EXP

for the line

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

in that file.  Any idea whether this is correct?

Thx.  Hope you're well!

David

On Thu, 13 Oct 2005, Jacques Vidrine wrote:

:Date: Thu, 13 Oct 2005 13:44:28 -0700
:From: Jacques Vidrine <jacques@vidrine.us>
:To: Peter Jeremy <PeterJeremy@optushome.com.au>
:Cc: freebsd-security@freebsd.org
:Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
:
:
:On 2005-10-12, at 12:10 :19, Peter Jeremy wrote:
:
:> On Tue, 2005-Oct-11 09:45:53 -0700, Jacques Vidrine wrote:
:> > On Oct 11, 2005, at 7:25 AM, Ian G wrote:
:> > > Isn't the workaround obviously to switch off V2?
:> > 
:> > Yes.  Sorry that wasn't mentioned.
:> 
:> That sounds like a good workaround.  How do I implement it?  I've
:> looked through the documentation and can't find any reference to a
:> runtime OpenSSL configuration file that would let me do this.
:
:I'm not aware of a global option for OpenSSL, either.  Disabling SSLv2 would
:need to be handled by the application, i.e. turn off SSLv2 for each of your
:SSL/TLS applications.  Cheers,
:-- 
:Jacques Vidrine <jacques@vidrine.us>
:
:
:_______________________________________________
:freebsd-security@freebsd.org mailing list
:http://lists.freebsd.org/mailman/listinfo/freebsd-security
:To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
:
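A worked example, added here and not part of the thread, of mod_ssl or of OpenSSL: it applies the per-application approach Jacques describes to the Apache directives David asks about, by auditing httpd.conf-style text for contexts in which SSLv2 can still be negotiated. It evaluates SSLProtocol the way mod_ssl 2.x does (default "all", tokens case-insensitive and applied left to right, a VirtualHost's own directive overriding the server-level one) and flags cipher strings that still reference SSLv2 ciphers. The sample configuration, the 192.0.2.x vhost addresses and the cipher-string check (a heuristic, not the full OpenSSL cipher-list algebra) are constructed for this example.

```python
"""Audit Apache mod_ssl configuration text for SSLv2 exposure.

Added example; not code from the thread, from mod_ssl or from OpenSSL.
Assumed semantics: SSLProtocol defaults to "all", tokens are evaluated left
to right, and a VirtualHost's own SSLProtocol/SSLCipherSuite override the
server-level directives.
"""
import re
from typing import Dict, Optional, Set

# Protocols mod_ssl knew when this thread was written; "all" expands to these.
KNOWN = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}
DEFAULT_SSLPROTOCOL = "all"

_VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)
_VHOST_CLOSE = re.compile(r"</VirtualHost>", re.IGNORECASE)


def enabled_protocols(arg: str) -> Set[str]:
    """Evaluate an SSLProtocol argument into the set of protocols it enables.

    "all" means every known protocol, "+name" / bare "name" adds one,
    "-name" removes one.  Unknown names raise KeyError, as a typo would
    otherwise silently leave the default in force.
    """
    enabled: Set[str] = set()
    for tok in arg.split():
        op, name = "+", tok
        if tok[0] in "+-":
            op, name = tok[0], tok[1:]
        names = set(KNOWN.values()) if name.lower() == "all" else {KNOWN[name.lower()]}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def cipher_string_keeps_sslv2(spec: str) -> bool:
    """Heuristic: does an OpenSSL cipher string still reference SSLv2 ciphers?

    "!SSLv2" removes those ciphers permanently.  "+SSLv2" only moves them to
    the end of the preference list, so the httpd.conf line quoted in the
    thread keeps them selectable.  "-SSLv2" and the rest of the cipher-list
    algebra are not modelled; SSLProtocol is the authoritative switch.
    """
    toks = [t.strip().lower() for t in spec.split(":") if t.strip()]
    if "!sslv2" in toks:
        return False
    return any(t in ("sslv2", "+sslv2") for t in toks)


def audit(conf: str) -> Dict[str, dict]:
    """Report, per configuration context, whether SSLv2 can be negotiated."""
    blank = {"SSLProtocol": None, "SSLCipherSuite": None}
    contexts: Dict[str, Dict[str, Optional[str]]] = {"server": dict(blank)}
    current = "server"
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _VHOST_OPEN.match(line)
        if m:
            current = m.group(1).strip()
            contexts[current] = dict(blank)
            continue
        if _VHOST_CLOSE.match(line):
            current = "server"
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in ("sslprotocol", "sslciphersuite") and len(parts) == 2:
            field = "SSLProtocol" if key == "sslprotocol" else "SSLCipherSuite"
            contexts[current][field] = parts[1].strip('"')

    server = contexts["server"]
    report: Dict[str, dict] = {}
    for name, d in contexts.items():
        proto_arg = d["SSLProtocol"] or server["SSLProtocol"] or DEFAULT_SSLPROTOCOL
        cipher_arg = d["SSLCipherSuite"] or server["SSLCipherSuite"] or ""
        protos = enabled_protocols(proto_arg)
        report[name] = {
            "protocols": sorted(protos),
            "sslv2_enabled": "SSLv2" in protos,
            "cipher_warning": cipher_string_keeps_sslv2(cipher_arg),
        }
    return report


# Constructed sample, not a real server's configuration.  The server-level
# cipher line is the one quoted in the thread; the first vhost is David's
# proposed replacement; the second shows the equivalent "all -SSLv2" form.
SAMPLE_CONF = """\
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

<VirtualHost 192.0.2.10:443>
    SSLProtocol -all +SSLv3
    SSLCipherSuite SSLv3:+HIGH:+MEDIUM:+LOW:+EXP
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!SSLv2:!EXPORT:!eNULL
</VirtualHost>
"""

if __name__ == "__main__":
    for ctx, r in audit(SAMPLE_CONF).items():
        flag = "SSLv2 ENABLED" if r["sslv2_enabled"] else "ok"
        note = "  (cipher string still lists SSLv2)" if r["cipher_warning"] else ""
        print(f"{ctx:16s} {flag:14s} protocols={','.join(r['protocols'])}{note}")
```

Run against the sample, the server-level context (no SSLProtocol at all, so the default "all") is reported with SSLv2 enabled, and its cipher line is flagged because "+SSLv2" merely reorders the SSLv2 ciphers rather than removing them. Both vhosts come out clean: David's "SSLProtocol -all +SSLv3" is the directive that actually disables SSLv2, which answers his question, although the "+EXP" in his cipher suite still leaves export-grade ciphers selectable for the same reason.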