From owner-freebsd-security@FreeBSD.ORG Mon Aug 6 08:03:02 2012
Message-ID: <501F7A35.5080207@FreeBSD.org>
Date: Mon, 06 Aug 2012 01:03:01 -0700
From: Doug Barton
To: Oliver Pinter
Cc: freebsd security, danfe@FreeBSD.org, freebsd-ports@FreeBSD.org
Subject: Re: [Full-disclosure] nvidia linux binary driver priv escalation exploit

On 08/01/2012 05:09, Oliver Pinter wrote:
> Hi all!
>
> I found this today on FD:
>
> http://seclists.org/fulldisclosure/2012/Aug/4

Apparently this affects us as well. Any news?

--
I am only one, but I am one. I cannot do everything, but I can do
something. And I will not let what I cannot do interfere with what
I can do.
                        -- Edward Everett Hale, (1822 - 1909)

From owner-freebsd-security@FreeBSD.ORG Mon Aug 6 09:01:41 2012
Message-Id: <20120806110133.386b4fa14905148b266b6fad@gmx.net>
In-Reply-To: <501F7A35.5080207@FreeBSD.org>
Date: Mon, 6 Aug 2012 11:01:33 +0200
From: Andreas Rudisch
To: Doug Barton
Cc: freebsd security
Subject: Re: [Full-disclosure] nvidia linux binary driver priv escalation exploit

On Mon, 06 Aug 2012 01:03:01 -0700
Doug Barton wrote:

> > http://seclists.org/fulldisclosure/2012/Aug/4
>
> Apparently this affects us as well. Any news?

http://nvidia.custhelp.com/app/answers/detail/a_id/3140

Andreas
--
GnuPG key  : 0x2A573565 | http://www.gnupg.org/howtos/de/
Fingerprint: 925D 2089 0BF9 8DE5 9166 33BB F0FD CD37 2A57 3565

From owner-freebsd-security@FreeBSD.ORG Mon Aug 6 11:50:11 2012
Message-ID: <501FAF5E.6090101@gwdg.de>
In-Reply-To: <501F7A35.5080207@FreeBSD.org>
Date: Mon, 06 Aug 2012 13:49:50 +0200
From: Rainer Hurling
To: Doug Barton
Cc: freebsd security, danfe@FreeBSD.org, freebsd-ports@FreeBSD.org, Oliver Pinter
Subject: Re: [Full-disclosure] nvidia linux binary driver priv escalation exploit

On 06.08.2012 10:03 (UTC+1), Doug Barton wrote:
> On 08/01/2012 05:09, Oliver Pinter wrote:
>> Hi all!
>>
>> I found this today on FD:
>>
>> http://seclists.org/fulldisclosure/2012/Aug/4
>
> Apparently this affects us as well. Any news?
>
>

Thanks for the info. I had not been aware of it before.

NVidia has released a driver version 304.32 for FreeBSD i386 and amd64,
which should remedy these security issues.

From owner-freebsd-security@FreeBSD.ORG Mon Aug 6 22:12:05 2012
Message-Id: <201208062212.q76MC5fc015846@freefall.freebsd.org>
Date: Mon, 6 Aug 2012 22:12:05 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-12:05.bind

=============================================================================
FreeBSD-SA-12:05.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          named(8) DNSSEC validation Denial of Service

Category:       contrib
Module:         bind
Announced:      2012-08-06
Credits:        Einar Lonn of IIS.se
Affects:        All supported versions of FreeBSD
Corrected:      2012-08-06 21:33:11 UTC (RELENG_7, 7.4-STABLE)
                2012-08-06 21:33:11 UTC (RELENG_7_4, 7.4-RELEASE-p10)
                2012-07-24 19:04:35 UTC (RELENG_8, 8.3-STABLE)
                2012-08-06 21:33:11 UTC (RELENG_8_3, 8.3-RELEASE-p4)
                2012-08-06 21:33:11 UTC (RELENG_8_2, 8.2-RELEASE-p10)
                2012-08-06 21:33:11 UTC (RELENG_8_1, 8.1-RELEASE-p13)
                2012-07-24 22:32:03 UTC (RELENG_9, 9.1-PRERELEASE)
                2012-08-06 21:33:11 UTC (RELENG_9_0, 9.0-RELEASE-p4)
CVE Name:       CVE-2012-3817

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.

II.  Problem Description

BIND 9 stores a cache of query names that are known to be failing due
to misconfigured name servers or a broken chain of trust.  Under high query
loads, when DNSSEC validation is active, it is possible for a condition
to arise in which data from this cache of failing queries could be used
before it was fully initialized, triggering an assertion failure.

III. Impact

A remote attacker that is able to generate high volume of DNSSEC validation
enabled queries can trigger the assertion failure that causes it to crash,
resulting in a denial of service.

IV.  Workaround

No workaround is available, but systems not running the BIND resolving
name server with dnssec-validation enabled are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4,
8.3, 8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/dns
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE,
or 9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date.  The following versions and newer versions of BIND installed from
the Ports Collection are not affected by this vulnerability:

        bind96-9.6.3.1.ESV.R7.2
        bind97-9.7.6.2
        bind98-9.8.3.2
        bind99-9.9.1.2

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/contrib/bind9/lib/dns/resolver.c                       1.1.1.9.2.11
RELENG_7_4
  src/UPDATING                                            1.507.2.36.2.12
  src/sys/conf/newvers.sh                                  1.72.2.18.2.15
  src/contrib/bind9/lib/dns/resolver.c                    1.1.1.9.2.8.2.1
RELENG_8
  src/contrib/bind9/CHANGES                                      1.9.2.15
  src/contrib/bind9/lib/dns/resolver.c                            1.3.2.6
  src/contrib/bind9/lib/dns/zone.c                               1.6.2.10
  src/contrib/bind9/lib/isc/random.c                              1.2.2.4
  src/contrib/bind9/version                                      1.9.2.15
RELENG_8_3
  src/UPDATING                                             1.632.2.26.2.6
  src/sys/conf/newvers.sh                                   1.83.2.15.2.8
  src/contrib/bind9/lib/dns/resolver.c                        1.6.2.7.2.1
RELENG_8_2
  src/UPDATING                                            1.632.2.19.2.12
  src/sys/conf/newvers.sh                                  1.83.2.12.2.15
  src/contrib/bind9/lib/dns/resolver.c                        1.6.2.4.2.1
RELENG_8_1
  src/UPDATING                                            1.632.2.14.2.16
  src/sys/conf/newvers.sh                                  1.83.2.10.2.17
  src/contrib/bind9/lib/dns/resolver.c                        1.6.2.3.2.1
RELENG_9
  src/contrib/bind9/CHANGES                                      1.21.2.5
  src/contrib/bind9/lib/dns/resolver.c                           1.15.2.3
  src/contrib/bind9/lib/dns/zone.c                                1.7.2.3
  src/contrib/bind9/version                                      1.21.2.5
RELENG_9_0
  src/UPDATING                                              1.702.2.4.2.6
  src/sys/conf/newvers.sh                                    1.95.2.4.2.8
  src/contrib/bind9/lib/dns/resolver.c                           1.15.4.1
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r239108
releng/7.4/                                                       r239108
stable/8/                                                         r238749
releng/8.3/                                                       r239108
releng/8.2/                                                       r239108
releng/8.1/                                                       r239108
stable/9/                                                         r238756
releng/9.0/                                                       r239108
-------------------------------------------------------------------------

VII. References

https://kb.isc.org/article/AA-00729

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:05.bind.asc

From owner-freebsd-security@FreeBSD.ORG Tue Aug 7 06:18:15 2012
Message-ID: <5020B29A.4010304@netfence.it>
In-Reply-To: <201208062212.q76MC5fc015846@freefall.freebsd.org>
Date: Tue, 07 Aug 2012 08:15:54 +0200
From: Andrea Venturoli
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-12:05.bind

On 08/07/12 00:12, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-12:05.bind                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          named(8) DNSSEC validation Denial of Service
>
> Category:       contrib
> Module:         bind
> Announced:      2012-08-06
> Credits:        Einar Lonn of IIS.se
> Affects:        All supported versions of FreeBSD
> Corrected:      2012-08-06 21:33:11 UTC (RELENG_7, 7.4-STABLE)
>                 2012-08-06 21:33:11 UTC (RELENG_7_4, 7.4-RELEASE-p10)
>                 2012-07-24 19:04:35 UTC (RELENG_8, 8.3-STABLE)
>                 2012-08-06 21:33:11 UTC (RELENG_8_3, 8.3-RELEASE-p4)
>                 2012-08-06 21:33:11 UTC (RELENG_8_2, 8.2-RELEASE-p10)
>                 2012-08-06 21:33:11 UTC (RELENG_8_1, 8.1-RELEASE-p13)
>                 2012-07-24 22:32:03 UTC (RELENG_9, 9.1-PRERELEASE)
>                 2012-08-06 21:33:11 UTC (RELENG_9_0, 9.0-RELEASE-p4)
> CVE Name:       CVE-2012-3817
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> The named(8) daemon is an Internet Domain Name Server.
>
> DNS Security Extensions (DNSSEC) provides data integrity, origin
> authentication and authenticated denial of existence to resolvers.

So, a system where "cat /etc/namedb/named.conf |grep -i dnssec" returns
nothing should not be vulnerable.
Could you confirm this?

 bye & Thanks
	av.
From owner-freebsd-security@FreeBSD.ORG Wed Aug 8 10:34:06 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 1033) id 19FA61065670; Wed, 8 Aug 2012 10:34:06 +0000 (UTC) Date: Wed, 8 Aug 2012 10:34:06 +0000 From: Alexey Dokuchaev To: Rainer Hurling Message-ID: <20120808103406.GA56960@FreeBSD.org> References: <501F7A35.5080207@FreeBSD.org> <501FAF5E.6090101@gwdg.de> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <501FAF5E.6090101@gwdg.de> User-Agent: Mutt/1.4.2.1i X-Mailman-Approved-At: Wed, 08 Aug 2012 11:24:14 +0000 Cc: freebsd security , Doug Barton , freebsd-ports@FreeBSD.org, Oliver Pinter Subject: Re: [Full-disclosure] nvidia linux binary driver priv escalation exploit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Aug 2012 10:34:06 -0000 On Mon, Aug 06, 2012 at 01:49:50PM +0200, Rainer Hurling wrote: > Am 06.08.2012 10:03 (UTC+1) schrieb Doug Barton: > >On 08/01/2012 05:09, Oliver Pinter wrote: > >>I found this today on FD: > >> > >>http://seclists.org/fulldisclosure/2012/Aug/4 > > > >Apparently this affects us as well. Any news? > > Thanks for the info. I had been not aware of it before. > > NVidia has released a driver version 304.32 for FreeBSD i386 and amd64, > which should remedy these security issues. Luckily, they've released version 295.71 which is on Long Lived Branch. I will update the port shortly. VuXML entry will have to follow separately, as it is unclear whether new CVE number will be assigned or not. 
./danfe From owner-freebsd-security@FreeBSD.ORG Wed Aug 8 12:38:46 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C5A7E106564A; Wed, 8 Aug 2012 12:38:46 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: from syn.atarininja.org (syn.csh.rit.edu [129.21.49.45]) by mx1.freebsd.org (Postfix) with ESMTP id 961718FC0C; Wed, 8 Aug 2012 12:38:44 +0000 (UTC) Received: by syn.atarininja.org (Postfix, from userid 1001) id C8A035C34; Wed, 8 Aug 2012 08:38:43 -0400 (EDT) Date: Wed, 8 Aug 2012 08:38:43 -0400 From: Wesley Shields To: Alexey Dokuchaev Message-ID: <20120808123843.GA31238@atarininja.org> References: <501F7A35.5080207@FreeBSD.org> <501FAF5E.6090101@gwdg.de> <20120808103406.GA56960@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20120808103406.GA56960@FreeBSD.org> User-Agent: Mutt/1.5.21 (2010-09-15) Cc: Doug Barton , freebsd security , Rainer Hurling , freebsd-ports@FreeBSD.org, Oliver Pinter Subject: Re: [Full-disclosure] nvidia linux binary driver priv escalation exploit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Aug 2012 12:38:46 -0000 On Wed, Aug 08, 2012 at 10:34:06AM +0000, Alexey Dokuchaev wrote: > On Mon, Aug 06, 2012 at 01:49:50PM +0200, Rainer Hurling wrote: > > Am 06.08.2012 10:03 (UTC+1) schrieb Doug Barton: > > >On 08/01/2012 05:09, Oliver Pinter wrote: > > >>I found this today on FD: > > >> > > >>http://seclists.org/fulldisclosure/2012/Aug/4 > > > > > >Apparently this affects us as well. Any news? > > > > Thanks for the info. I had been not aware of it before. 
> > > > NVidia has released a driver version 304.32 for FreeBSD i386 and amd64, > > which should remedy these security issues. > > Luckily, they've released version 295.71 which is on Long Lived Branch. I > will update the port shortly. Thank you! > VuXML entry will have to follow separately, as it is unclear whether new CVE > number will be assigned or not. You can do the VuXML without a CVE for now and update it when/if one is assigned. -- WXS From owner-freebsd-security@FreeBSD.ORG Wed Aug 8 13:08:17 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 1033) id 644CC106566C; Wed, 8 Aug 2012 13:08:17 +0000 (UTC) Date: Wed, 8 Aug 2012 13:08:17 +0000 From: Alexey Dokuchaev To: Wesley Shields Message-ID: <20120808130817.GA86124@FreeBSD.org> References: <501F7A35.5080207@FreeBSD.org> <501FAF5E.6090101@gwdg.de> <20120808103406.GA56960@FreeBSD.org> <20120808123843.GA31238@atarininja.org> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <20120808123843.GA31238@atarininja.org> User-Agent: Mutt/1.4.2.1i X-Mailman-Approved-At: Wed, 08 Aug 2012 13:14:58 +0000 Cc: Doug Barton , freebsd security , Rainer Hurling , freebsd-ports@FreeBSD.org, Oliver Pinter Subject: Re: [Full-disclosure] nvidia linux binary driver priv escalation exploit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Aug 2012 13:08:17 -0000 On Wed, Aug 08, 2012 at 08:38:43AM -0400, Wesley Shields wrote: > On Wed, Aug 08, 2012 at 10:34:06AM +0000, Alexey Dokuchaev wrote: > > VuXML entry will have to follow separately, as it is unclear whether new > > CVE number will be assigned or not. > > You can do the VuXML without a CVE for now and update it when/if one is > assigned. True... 
I will commit VuXML together with legacy drivers update. ./danfe From owner-freebsd-security@FreeBSD.ORG Thu Aug 9 04:51:49 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 52AAD106564A for ; Thu, 9 Aug 2012 04:51:49 +0000 (UTC) (envelope-from ndenev@gmail.com) Received: from mail-wg0-f42.google.com (mail-wg0-f42.google.com [74.125.82.42]) by mx1.freebsd.org (Postfix) with ESMTP id D167B8FC0A for ; Thu, 9 Aug 2012 04:51:48 +0000 (UTC) Received: by wgbfm10 with SMTP id fm10so9472wgb.1 for ; Wed, 08 Aug 2012 21:51:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:date:subject:to :message-id:mime-version:x-mailer; bh=5gorkk06pIuVnfP5dA1GPzVLA7f4SWlN02ZDodhLwbU=; b=RGAEUZrjoBVNUTc0FQZe7sktPrMNr4Vj+zagdj9CThT0mOoE8GgLSF4ij+5XYvkXS5 0fDp9XTc0/YWH2WXxtr+BWHPP3GeNR3rrublFoXAjJTyJqXOHsB3tHVnmGb3y9nvAzmy UrEP0iAYWRTi3LelSriTs5vPE0rrfbmNYs1NOaOcX8GWxwV9rmtS7A+xT/Kt8A2DmIJL XeZTzrGliZ6lz/XOH37p4O8fBQr+YjrI7Z9WJsQuAzkUNOMDBk4m3XIZQark0//TY91O Af+y5VMyNKKi72WVi2Q0YbicY/YNbr9pobvK4ZIDMNo5Z1H8Qs6sWuNMquUeM83UJnbY 2WBg== Received: by 10.180.98.200 with SMTP id ek8mr3653926wib.0.1344487901611; Wed, 08 Aug 2012 21:51:41 -0700 (PDT) Received: from [10.0.0.86] ([93.152.184.10]) by mx.google.com with ESMTPS id fu8sm8928273wib.5.2012.08.08.21.51.39 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 08 Aug 2012 21:51:40 -0700 (PDT) From: Nikolay Denev Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Date: Thu, 9 Aug 2012 07:51:44 +0300 To: freebsd-security@freebsd.org Message-Id: <302630DD-E12A-4BA9-B82A-409326172423@gmail.com> Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1485\)) X-Mailer: Apple Mail (2.1485) X-Mailman-Approved-At: Thu, 09 Aug 2012 05:01:22 +0000 Subject: Where is auditdistd? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Aug 2012 04:51:49 -0000 Hello all, I've read a lot about the new secure audit log shipping daemon, there = are PDF-s, announcements, etc. The project was supposed to be ready in february but I can't find a = trace of the source code? Any pointers? Thanks,= From owner-freebsd-security@FreeBSD.ORG Thu Aug 9 09:50:45 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3D868106564A for ; Thu, 9 Aug 2012 09:50:45 +0000 (UTC) (envelope-from robertot@redix.it) Received: from redix.it (60.226.93.77.dsl.static.ip.kpnqwest.it [77.93.226.60]) by mx1.freebsd.org (Postfix) with SMTP id 75ECC8FC12 for ; Thu, 9 Aug 2012 09:50:44 +0000 (UTC) Received: (qmail 13755 invoked by uid 581); 9 Aug 2012 09:44:02 -0000 Received: from robertot@redix.it by mail by uid 504 with qmail-scanner-1.20 ( Clear:RC:1(127.0.0.1):. 
Processed in 0.007697 secs); 09 Aug 2012 09:44:02 -0000 Received: from unknown (HELO mail.redix.it) (127.0.0.1) by redix.it with SMTP; 9 Aug 2012 09:44:02 -0000 Received: from 192.168.0.107 (SquirrelMail authenticated user robertot) by mail.redix.it:443 with HTTP; Thu, 9 Aug 2012 11:44:02 +0200 (CEST) Message-ID: <31946.192.168.0.107.1344505442.squirrel@mail.redix.it:443> Date: Thu, 9 Aug 2012 11:44:02 +0200 (CEST) From: "Roberto" To: freebsd-security@freebsd.org User-Agent: SquirrelMail/1.4.8 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Mailman-Approved-At: Thu, 09 Aug 2012 11:37:54 +0000 Subject: getting the running patch level X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Aug 2012 09:50:45 -0000 Hi all, I would like to know if there is a command or a way to retrieve the "patch level" (the handbook defines it "builds names" like 7.0-RELEASE-p1) of the running system: just an example, if I run: # freebsd-update fetch ... No updates needed to update system to 9.0-RELEASE-p4 or: ... The following files will be updated as part of updating to 9.0-RELEASE-p4: ... but this give me no info about the current system; I tried a brief search in config file but no luck; again the question is: is there a way to determine for a running server which "patch level" is currently at ? 
thanks Roberto From owner-freebsd-security@FreeBSD.ORG Thu Aug 9 11:41:16 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A84951065677 for ; Thu, 9 Aug 2012 11:41:16 +0000 (UTC) (envelope-from przemek.zoltowski@gmail.com) Received: from mail-ey0-f182.google.com (mail-ey0-f182.google.com [209.85.215.182]) by mx1.freebsd.org (Postfix) with ESMTP id 36A4D8FC0A for ; Thu, 9 Aug 2012 11:41:15 +0000 (UTC) Received: by eaak11 with SMTP id k11so121599eaa.13 for ; Thu, 09 Aug 2012 04:41:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:x-priority:in-reply-to:date :cc:content-transfer-encoding:message-id:references:to:x-mailer; bh=v+wV9dGj/TcyQNK4aqD/dsh6yjHj2bq+QT7GXijNKeI=; b=Uyy2dl6BlXiDIIU2ARH5CWtdGS1fAoGgxjf01VBsL6FE/XUD+DdBFTbqf8ArOfZeH4 LWuFE2THtu0PkRhNV0EtTem8o25so1ZT2E1VH6gKL4RLq8V3wcAaNhO8BuMxNW/2e5so wfhBs/U2z4obfQk8VE7TOlsKbZRGcddM1Bfcx6o0Upw9INZaWssNHYJWje+mehH9rvxn csxeWUbLFJZhmAfAre5UQajHfWB6/8mgILLSh3plrE10FrP0aqNjyKGrMyiaoyDyeGKc V9Tqd2ckOoIMNxBhNlpL7VQn6nhbHVh5nVFIta7iaQ9N4xvwbuC84xfwqVVAGmmWnzT4 MgMg== Received: by 10.14.173.71 with SMTP id u47mr4642960eel.22.1344512468819; Thu, 09 Aug 2012 04:41:08 -0700 (PDT) Received: from [10.10.0.75] (snakedoc.metroplex.pl. 
[91.192.224.222]) by mx.google.com with ESMTPS id 8sm2778932eeg.16.2012.08.09.04.41.07 (version=SSLv3 cipher=OTHER); Thu, 09 Aug 2012 04:41:07 -0700 (PDT) Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1485\)) Content-Type: text/plain; charset=iso-8859-2 From: Przemyslaw Zoltowski X-Priority: 3 (Normal) In-Reply-To: <5023a174.c4df440a.09cc.ffffd3d2SMTPIN_ADDED@mx.google.com> Date: Thu, 9 Aug 2012 13:41:06 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: <3FB858A6-807A-45E7-880B-F27D9C884827@gmail.com> References: <5023a174.c4df440a.09cc.ffffd3d2SMTPIN_ADDED@mx.google.com> To: "Roberto" X-Mailer: Apple Mail (2.1485) Cc: freebsd-security@freebsd.org Subject: Re: getting the running patch level X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Aug 2012 11:41:16 -0000 Wiadomo=B6=E6 napisana przez "Roberto" w dniu 9 sie = 2012, o godz. 11:44: >=20 > Hi all, > I would like to know if there is a command or a way to retrieve the = "patch > level" (the handbook defines it "builds names" like 7.0-RELEASE-p1) of = the > running system: just an example, if I run: >=20 > # freebsd-update fetch > ... > No updates needed to update system to 9.0-RELEASE-p4 >=20 >=20 > or: > ... > The following files will be updated as part of updating to = 9.0-RELEASE-p4: > ... >=20 > but this give me no info about the current system; I tried a brief = search in > config file but no luck; >=20 > again the question is: > is there a way to determine for a running server which "patch level" = is > currently at ? 
uname -a >=20 > thanks > Roberto >=20 > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Thu Aug 9 11:44:45 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 146F9106564A for ; Thu, 9 Aug 2012 11:44:45 +0000 (UTC) (envelope-from karoly.arnhoffer@ericsson.com) Received: from mailgw7.ericsson.se (mailgw7.ericsson.se [193.180.251.48]) by mx1.freebsd.org (Postfix) with ESMTP id 65AEE8FC1C for ; Thu, 9 Aug 2012 11:44:44 +0000 (UTC) X-AuditID: c1b4fb30-b7fd46d000003161-40-5023a2a4e3c3 Received: from esessmw0191.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw7.ericsson.se (Symantec Mail Security) with SMTP id D0.32.12641.4A2A3205; Thu, 9 Aug 2012 13:44:37 +0200 (CEST) Received: from ESESSCMS0355.eemea.ericsson.se ([169.254.1.117]) by esessmw0191.eemea.ericsson.se ([153.88.115.84]) with mapi; Thu, 9 Aug 2012 13:44:36 +0200 From: =?iso-8859-1?Q?K=E1roly_Arnhoffer?= To: Roberto , "freebsd-security@freebsd.org" Date: Thu, 9 Aug 2012 13:44:35 +0200 Thread-Topic: getting the running patch level Thread-Index: Ac12I4jgW7tyY4XKRkyB7fVvoMnbZgAAJmCw Message-ID: <0B65D7562F9DA04FAC3F15C508BF67136B90E09E1F@ESESSCMS0355.eemea.ericsson.se> References: <31946.192.168.0.107.1344505442.squirrel@mail.redix.it:443> In-Reply-To: <31946.192.168.0.107.1344505442.squirrel@mail.redix.it:443> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrFLMWRmVeSWpSXmKPExsUyM+Jvre7SRcoBBm27eSx6Nj1hs1h4PsuB 
yWPGp/ksHtM62pgDmKK4bFJSczLLUov07RK4Ms5tfM9YcJCz4s37ZrYGxsfsXYycHBICJhL9 TZMZIWwxiQv31rN1MXJxCAmcYpT4MOstC4SzgFHi/Pf1TCBVbAKeEk2dx1lBbBGBBImGt6/B 4iwCKhK7P08FauDgEBbQkXj41BHEFBHQlbj2LAei2kii7+5HNhCbVyBcYvvyPrAbhATcJTad 7GABsTkFPCSuz18CNpER6J7vp9aA2cwC4hK3nsxngrhTQGLJnvPMELaoxMvH/1gh6kUl7rSv Z4So15O4MXUKG4StLbFs4WtmiL2CEidnPmGZwCg6C8nYWUhaZiFpmYWkZQEjyypG4dzEzJz0 cnO91KLM5OLi/Dy94tRNjMD4OLjlt8EOxk33xQ4xSnOwKInz6qnu9xcSSE8sSc1OTS1ILYov Ks1JLT7EyMTBKdXAWDlTX6rxd+yNnuo/OrfeX72q+Vh+esaWGIlyLpOKW1sZbx3qe8K4e+72 NCOHBykMYseCFDou/4nwSEpcLpfz7j1fe9W/C9flIlNld76KfPKuVFWFK3TR5PvHb/1jXq37 p1yLjVP4ukuSM3Py0c16f6d+1GV4uMJ+j7/XNuNJr5Rtr385PDvESYmlOCPRUIu5qDgRAL3S 1+hdAgAA Cc: Subject: RE: getting the running patch level X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Aug 2012 11:44:45 -0000 Hi, As I can remember=20 # uname -a provides this information. Regards, Karoly -----Original Message----- From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@fre= ebsd.org] On Behalf Of Roberto Sent: Thursday, August 09, 2012 11:44 AM To: freebsd-security@freebsd.org Subject: getting the running patch level Hi all, I would like to know if there is a command or a way to retrieve the "patch = level" (the handbook defines it "builds names" like 7.0-RELEASE-p1) of the = running system: just an example, if I run: # freebsd-update fetch ... No updates needed to update system to 9.0-RELEASE-p4 or: ... The following files will be updated as part of updating to 9.0-RELEASE-p4: ... but this give me no info about the current system; I tried a brief search i= n config file but no luck; again the question is: is there a way to determine for a running server which "patch level" is cur= rently at ? 

thanks
Roberto

From owner-freebsd-security@FreeBSD.ORG Thu Aug 9 15:02:57 2012
From: cronfy
To: freebsd-security@freebsd.org
Date: Thu, 9 Aug 2012 19:02:16 +0400
Subject: Re: getting the running patch level

>> Hi all,
>> I would like to know if there is a command or a way to retrieve the "patch
>> level" (the handbook defines it "builds names" like 7.0-RELEASE-p1) of the
>> running system: just an example, if I run:
>> # freebsd-update fetch
>> No updates needed to update system to 9.0-RELEASE-p4
>> or:
>> ...
>> The following files will be updated as part of updating to 9.0-RELEASE-p4:
>> ...
>> but this gives me no info about the current system; I tried a brief search in
>> config file but no luck;
>> again the question is:
>> is there a way to determine for a running server which "patch level" is
>> currently at ?
> uname -a

Unfortunately there is no trivial way. uname -a will show you correct
patch level only if kernel was changed at this patch level.

So the only way is to see what updates freebsd-update offers to you
and try to guess, on which patch level you are on now.

--
Олег Петрачев

From owner-freebsd-security@FreeBSD.ORG Thu Aug 9 15:43:47 2012
From: Henrik Andersen
To: cronfy
Cc: freebsd-security@freebsd.org
Date: Thu, 9 Aug 2012 08:43:25 -0700
Subject: Re: getting the running patch level

Hi all,

You can find the current patch level in /usr/src/sys/conf/newvers.sh ex:
 TYPE="FreeBSD"
 REVISION="8.3"
 BRANCH="RELEASE-p4"

uname -v on the same server:
FreeBSD 8.3-RELEASE #0: Mon Apr 9 21:23:18 UTC 2012
root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC

If I read the handbook correctly this should always be true on systems
using freebsd-update.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/updating-upgrading-freebsdupdate.html

Regards,
Henrik

On Thu, Aug 9, 2012 at 8:02 AM, cronfy wrote:

> >> Hi all,
> >> I would like to know if there is a command or a way to retrieve the "patch
> >> level" (the handbook defines it "builds names" like 7.0-RELEASE-p1) of the
> >> running system: just an example, if I run:
> >> # freebsd-update fetch
> >> No updates needed to update system to 9.0-RELEASE-p4
> >> or:
> >> ...
> >> The following files will be updated as part of updating to 9.0-RELEASE-p4:
> >> ...
> >> but this gives me no info about the current system; I tried a brief search in
> >> config file but no luck;
> >> again the question is:
> >> is there a way to determine for a running server which "patch level" is
> >> currently at ?
> > uname -a
>
> Unfortunately there is no trivial way. uname -a will show you correct
> patch level only if kernel was changed at this patch level.
>
> So the only way is to see what updates freebsd-update offers to you
> and try to guess, on which patch level you are on now.
>
> --
> Олег Петрачев

From owner-freebsd-security@FreeBSD.ORG Thu Aug 9 13:38:53 2012
From: "Roberto"
To: Károly Arnhoffer
Cc: "freebsd-security@freebsd.org"
Date: Thu, 9 Aug 2012 15:38:50 +0200 (CEST)
Subject: RE: getting the running patch level

just a try on the server:
--------------
% uname -a
FreeBSD xxxx.yyyyy 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC zzzz
%
--------------

and with the update command:
--------------
# freebsd-update fetch
...
No updates needed to update system to 9.0-RELEASE-p4
--------------

so I think uname will NOT give me enough info on the running os patchlevel
(p4), maybe uname could be useful when the kernel itself is updated in the
update process and the system rebooted; or I am probably missing something ...

regards
Roberto

On Thu, August 9, 2012 13:44, Károly Arnhoffer wrote:
> Hi,
>
> As I can remember
> # uname -a
> provides this information.
>
> Regards,
> Karoly
>
> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Roberto
> Sent: Thursday, August 09, 2012 11:44 AM
> To: freebsd-security@freebsd.org
> Subject: getting the running patch level
>
>
> Hi all,
> I would like to know if there is a command or a way to retrieve the "patch
> level" (the handbook defines it "builds names" like 7.0-RELEASE-p1) of the
> running system: just an example, if I run:
>
> # freebsd-update fetch
> ...
> No updates needed to update system to 9.0-RELEASE-p4
>
>
> or:
> ...
> The following files will be updated as part of updating to 9.0-RELEASE-p4:
> ...
>
> but this gives me no info about the current system; I tried a brief search in
> config file but no luck;
>
> again the question is:
> is there a way to determine for a running server which "patch level" is
> currently at ?
>
> thanks
> Roberto

From owner-freebsd-security@FreeBSD.ORG Thu Aug 9 16:05:22 2012
From: "Cedric GROSS"
To: "'Roberto'"
Cc: freebsd-security@freebsd.org
Date: Thu, 9 Aug 2012 18:05:12 +0200
Subject: RE: getting the running patch level

Hello Roberto,

In fact "uname -a" reports patch level BUT if you update your system by
freebsd-update, patch level could be an old one.
As discussed here http://forums.freebsd.org/archive/index.php/t-20154.html

Regards
Cedric

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Roberto
Sent: Thursday, 9 August 2012 15:39
To: Károly Arnhoffer
Cc: freebsd-security@freebsd.org
Subject: RE: getting the running patch level
Importance: High

just a try on the server:
--------------
% uname -a
FreeBSD xxxx.yyyyy 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC zzzz
%
--------------

and with the update command:
--------------
# freebsd-update fetch
...
No updates needed to update system to 9.0-RELEASE-p4
--------------

so I think uname will NOT give me enough info on the running os patchlevel
(p4), maybe uname could be useful when the kernel itself is updated in the
update process and the system rebooted; or I am probably missing something ...

regards
Roberto

On Thu, August 9, 2012 13:44, Károly Arnhoffer wrote:
> Hi,
>
> As I can remember
> # uname -a
> provides this information.
>
> Regards,
> Karoly
>
> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Roberto
> Sent: Thursday, August 09, 2012 11:44 AM
> To: freebsd-security@freebsd.org
> Subject: getting the running patch level
>
>
> Hi all,
> I would like to know if there is a command or a way to retrieve the
> "patch level" (the handbook defines it "builds names" like
> 7.0-RELEASE-p1) of the running system: just an example, if I run:
>
> # freebsd-update fetch
> ...
> No updates needed to update system to 9.0-RELEASE-p4
>
>
> or:
> ...
> The following files will be updated as part of updating to 9.0-RELEASE-p4:
> ...
>
> but this gives me no info about the current system; I tried a brief
> search in config file but no luck;
>
> again the question is:
> is there a way to determine for a running server which "patch level"
> is currently at ?
>
> thanks
> Roberto

From owner-freebsd-security@FreeBSD.ORG Thu Aug 9 22:00:43 2012
From: Brett Glass
To: Henrik Andersen, cronfy
Cc: freebsd-security@freebsd.org
Date: Thu, 09 Aug 2012 15:31:25 -0600
Subject: Re: getting the running patch level

Yes, uname -v will work. Unfortunately, it has an annoying side effect. If one tries to use the "sysinstall" program to install binary packages, it will fail when a system patched by freebsd-update tries to access the FTP server, because the FTP server doesn't know about patch levels. One must MANUALLY go to the Options screen and remove the patch level (-p3, -p4 or whatever) from the version string before one can install a binary package.

I realize that sysinstall is deprecated in favor of the new installer, but the new installer doesn't have the ability to install binary packages. Until and unless there's a convenient menu-based installer for binary packages, would it be possible to fix this glitch?

--Brett Glass

At 09:43 AM 8/9/2012, Henrik Andersen wrote:

>Hi all,
>
>You can find the current patch level in /usr/src/sys/conf/newvers.sh ex:
> TYPE="FreeBSD"
> REVISION="8.3"
> BRANCH="RELEASE-p4"
>
>uname -v on the same server:
>FreeBSD 8.3-RELEASE #0: Mon Apr 9 21:23:18 UTC 2012
>root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
>
>If I read the handbook correctly this should always be true on systems
>using freebsd-update.
>http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/updating-upgrading-freebsdupdate.html
>
>Regards,
>Henrik

From owner-freebsd-security@FreeBSD.ORG Thu Aug 9 22:13:06 2012
From: Glen Barber
To: Brett Glass
Cc: cronfy, freebsd-security@freebsd.org, Henrik Andersen
Date: Thu, 9 Aug 2012 18:13:01 -0400
Subject: Re: getting the running patch level

On Thu, Aug 09, 2012 at 03:31:25PM -0600, Brett Glass wrote:
> I realize that sysinstall is deprecated in favor of the new installer, but
> the new installer doesn't have the ability to install binary packages.
> Until and unless there's a convenient menu-based installer for binary
> packages, would it be possible to fix this glitch?
>

There is always pkgng, granted it is not menu-driven.

Glen

From owner-freebsd-security@FreeBSD.ORG Fri Aug 10 10:12:41 2012
From: Matthew Seaman
To: freebsd-security@freebsd.org
Date: Fri, 10 Aug 2012 11:12:23 +0100
Subject: Re: getting the running patch level

On 09/08/2012 23:13, Glen Barber wrote:
> On Thu, Aug 09, 2012 at 03:31:25PM -0600, Brett Glass wrote:
>> > I realize that sysinstall is deprecated in favor of the new installer, but
>> > the new installer doesn't have the ability to install binary packages.
>> > Until and unless there's a convenient menu-based installer for binary
>> > packages, would it be possible to fix this glitch?
> There is always pkgng, granted it is not menu-driven.

No reason pkgng couldn't be wrapped in some sort of menuing system. In
fact, it's probably quite a lot easier than doing the same sort of thing
with the old pkg_tools.

Also, pkgdb functionality is expressed through libpkg.so.1, meaning that
hooking it up to a different front-end should be a small matter of
programming. There is already a Ruby interface available, and other
languages are being worked on.

The libpkg API is still subject to incompatible changes at this stage of
development: that won't be settled for quite some time yet.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW

From owner-freebsd-security@FreeBSD.ORG Fri Aug 10 12:06:58 2012
From: "Roberto"
To: freebsd-security@freebsd.org
Date: Fri, 10 Aug 2012 14:06:56 +0200 (CEST)
Subject: RE: getting the running patch level

So as far as I understand, if the kernel is not updated by the update process, it
is not possible to get via "uname" the current patch level.

I also read about putting in some syscall to return from the kernel the current patch
level, but still this solution is "bound" to the kernel modification, which
could be not in all cases; in my opinion, why should the kernel keep track of
user space packages ? in other words, if freebsd-update changes a ssh package
(just an example) why this operation should have side effects with the kernel ?
But this is just my opinion.

I also think this task (keeping track of patch level) should be better related to
the command freebsd-update itself, should it not ?
could the update system (that includes freebsd-update) keep track of what is the
current system patching state ? and why not all previous package updates ?

still these are my ideas...

Roberto

On Thu, August 9, 2012 18:05, Cedric GROSS wrote:
> Hello Roberto,
>
> In fact "uname -a" reports patch level BUT if you update your system by
> freebsd-update, patch level could be an old one.
> As discussed here http://forums.freebsd.org/archive/index.php/t-20154.html
>
> Regards
> Cedric

From owner-freebsd-security@FreeBSD.ORG Fri Aug 10 14:35:35 2012
From: "Simon L. B. Nielsen"
To: Wesley Shields
Cc: Alexey Dokuchaev, Doug Barton, Oliver Pinter, freebsd security, Rainer Hurling, freebsd-ports@freebsd.org
Date: Fri, 10 Aug 2012 15:35:33 +0100
Subject: Re: [Full-disclosure] nvidia linux binary driver priv escalation exploit

On Wed, Aug 8, 2012 at 1:38 PM, Wesley Shields wrote:
> On Wed, Aug 08, 2012 at 10:34:06AM +0000, Alexey Dokuchaev wrote:
>> On Mon, Aug 06, 2012 at 01:49:50PM +0200, Rainer Hurling wrote:
>> > On 06.08.2012 10:03 (UTC+1), Doug Barton wrote:
>> > >On 08/01/2012 05:09, Oliver Pinter wrote:
>> > >>I found this today on FD:
>> > >>
>> > >>http://seclists.org/fulldisclosure/2012/Aug/4
>> > >
>> > >Apparently this affects us as well. Any news?
>> >
>> > Thanks for the info. I had been not aware of it before.
>> >
>> > NVidia has released a driver version 304.32 for FreeBSD i386 and amd64,
>> > which should remedy these security issues.
>> >> Luckily, they've released version 295.71 which is on Long Lived Branch. I >> will update the port shortly. > > Thank you! > >> VuXML entry will have to follow separately, as it is unclear whether new CVE >> number will be assigned or not. > > You can do the VuXML without a CVE for now and update it when/if one is > assigned. Eh, why wouldn't a CVE name not be assigned? If none is we should ask MITRE to assign one, but it would surprise me if NVIDIA or a Linux vendor hasn't done this already. -- Simon L. B. Nielsen From owner-freebsd-security@FreeBSD.ORG Fri Aug 10 14:40:11 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B40BD106566C for ; Fri, 10 Aug 2012 14:40:11 +0000 (UTC) (envelope-from simon@qxnitro.org) Received: from mail-gh0-f182.google.com (mail-gh0-f182.google.com [209.85.160.182]) by mx1.freebsd.org (Postfix) with ESMTP id 61AAA8FC1F for ; Fri, 10 Aug 2012 14:40:11 +0000 (UTC) Received: by ghrr13 with SMTP id r13so1951081ghr.13 for ; Fri, 10 Aug 2012 07:40:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qxnitro.org; s=google; h=mime-version:sender:x-originating-ip:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=ZudYGcKU0KwONhDvJCPsvvAR2T+qLdAFlD1zqV3NbZ8=; b=BP5m2E3zHZZiuzwvdm/UMhGTzkH5TqptcVra2ImmxByDNRLMWAaP/j7c/bfL/+5ecf YcXpbrgjLwAwSiCSeKVf+WWD4gNhKJIBa2QF0kBBSQ5wS+c429s1VzmYdpammmk7MwSo PjFi3T9CBZ36uOOffsqaBnU6fUR8M0ujJoLVQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:x-originating-ip:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :x-gm-message-state; bh=ZudYGcKU0KwONhDvJCPsvvAR2T+qLdAFlD1zqV3NbZ8=; b=gLuP6MJlwP5ku0eUY0N1KZ3ujciV23nORNI+ogm6uats1HfTIA65GI1thJmt52PVt7 zFu+DaMUQeMaupvMMAARN4XL5f6uibf231UKZT19hln46QaY7o6z/02EshHMTGkhslBc 
Date: Fri, 10 Aug 2012 15:40:10 +0100
From: "Simon L. B. Nielsen"
To: Roberto
Cc: freebsd-security@freebsd.org
In-Reply-To: <5024f984.45ca320a.1838.4155SMTPIN_ADDED@mx.google.com>
Subject: Re: getting the running patch level

On Fri, Aug 10, 2012 at 1:06 PM, Roberto wrote:
>
> So as far as I understand, if the kernel is not updated by the update process, it
> is not possible to get via "uname" the current patch level.

Correct.

This has been discussed a number of times, but there is no nice and
simple solution. There is a simple solution if we just update the
kernel always, but that's a hack IMO.

While the problem seems rather simple, there are many corner cases
making it hard to solve. It should be solved so people can get this
information, personally I just haven't had the time to work on it.

-- 
Simon L. B. Nielsen

From owner-freebsd-security@FreeBSD.ORG Fri Aug 10 16:04:39 2012
Message-ID: <502530E2.1070308@epipe.com>
Date: Fri, 10 Aug 2012 23:03:46 +0700
From: Janne Snabb
To: "Simon L. B. Nielsen"
Cc: Alexey Dokuchaev, Doug Barton, Wesley Shields, Oliver Pinter, freebsd security, Rainer Hurling, freebsd-ports@freebsd.org
Subject: Re: [Full-disclosure] nvidia linux binary driver priv escalation exploit

On 08/10/2012 09:35 PM, Simon L. B. Nielsen wrote:

[..]
>>>>> On 08/01/2012 05:09, Oliver Pinter wrote:
>>>>>> I found this today on FD:
>>>>>>
>>>>>> http://seclists.org/fulldisclosure/2012/Aug/4

[..]

> Eh, why wouldn't a CVE name not be assigned? If none is we should ask
> MITRE to assign one, but it would surprise me if NVIDIA or a Linux
> vendor hasn't done this already.

This is from oss-security:

-------- Original Message --------
Subject: Re: [oss-security] CVE Request: NVidia Linux driver
Date: Wed, 8 Aug 2012 18:46:34 -0400 (EDT)
From: cve-assign@mitre.org
Reply-To: oss-security@lists.openwall.com
To: marc.deslauriers@canonical.com
CC: cve-assign@mitre.org, oss-security@lists.openwall.com, security@ubuntu.com

> http://seclists.org/fulldisclosure/2012/Aug/4
> http://nvidia.custhelp.com/app/answers/detail/a_id/3140

Use CVE-2012-4225.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

From owner-freebsd-security@FreeBSD.ORG Fri Aug 10 17:02:09 2012
Date: Fri, 10 Aug 2012 11:55:49 -0500
From: Chris BeHanna
To: freebsd-security@freebsd.org
Subject: Re: getting the running patch level

On Aug 10, 2012, at 09:40 , Simon L. B. Nielsen wrote:

> On Fri, Aug 10, 2012 at 1:06 PM, Roberto wrote:
>>
>> So as far as I understand, if the kernel is not updated by the update process, it
>> is not possible to get via "uname" the current patch level.
>
> Correct.
>
> This has been discussed a number of times, but there is no nice and
> simple solution. There is a simple solution if we just update the
> kernel always, but that's a hack IMO.
>
> While the problem seems rather simple, there are many corner cases
> making it hard to solve. It should be solved so people can get this
> information, personally I just haven't had the time to work on it.

Split off a version.ko and update that with each patch?

-- 
Chris BeHanna
chris@behanna.org

From owner-freebsd-security@FreeBSD.ORG Fri Aug 10 17:49:17 2012
Message-ID: <5025496F.5020807@epipe.com>
Date: Sat, 11 Aug 2012 00:48:31 +0700
From: Janne Snabb
To: freebsd-security@freebsd.org
Subject: Re: getting the running patch level

On 08/10/2012 11:55 PM, Chris BeHanna wrote:

> Split off a version.ko and update that with each patch?

There is often no need to reboot the machine unless the kernel is
affected (just restart the affected daemons). Thus the information would
not necessarily match the userland status. The userland and kernel
versions need to be kept separate because they may not match.

I am often struggling to remember if I updated some machine already or
not. I now need to compare the time stamps of newvers.sh and installed
binaries to find out.

IMHO a sensible approach would be something like what most Linux distros
do: Have some file in a standard location and put the information there
by generating that file from newvers.sh during "make buildworld /
installworld". Having it only in the source tree is not sufficient as
not every machine has the source tree installed.

On LSB compliant Linux distributions the proper way to find this out is
the lsb_release command. On many Linux distributions there is also a
/etc/DISTRONAME-release file which can be checked (for example
/etc/debian-release on Debian and /etc/redhat-release on RHEL and clones).

How about /etc/freebsd-release? Or freebsd_release command (shell
script) which takes the same flags as lsb_release?

-- 
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/

From owner-freebsd-security@FreeBSD.ORG Fri Aug 10 17:53:58 2012
Message-ID: <50254AAD.40003@gmx.de>
Date: Fri, 10 Aug 2012 19:53:49 +0200
From: olli hauer
To: freebsd-security@freebsd.org
Subject: Re: getting the running patch level

On 2012-08-10 16:40, Simon L. B. Nielsen wrote:
> On Fri, Aug 10, 2012 at 1:06 PM, Roberto wrote:
>>
>> So as far as I understand, if the kernel is not updated by the update process, it
>> is not possible to get via "uname" the current patch level.
>
> Correct.
>
> This has been discussed a number of times, but there is no nice and
> simple solution. There is a simple solution if we just update the
> kernel always, but that's a hack IMO.
>
> While the problem seems rather simple, there are many corner cases
> making it hard to solve. It should be solved so people can get this
> information, personally I just haven't had the time to work on it.
>

Maybe this information can be held in an additional file, see
http://cpe.mitre.org/

There is no guarantee root modifies the cpe files but that's the same for
all systems which have cpe already implemented.

-- 
Regards,
olli

From owner-freebsd-security@FreeBSD.ORG Sat Aug 11 19:05:47 2012
Message-ID: <86pq6xs0zb.fsf@ds4.des.no>
Date: Sat, 11 Aug 2012 21:05:44 +0200
From: Dag-Erling Smørgrav
To: "Simon L. B. Nielsen"
Cc: freebsd-security@freebsd.org, Roberto
Subject: Re: getting the running patch level

"Simon L. B. Nielsen" writes:
> This has been discussed a number of times, but there is no nice and
> simple solution.

There is a simple solution that, while not bulletproof, would work well
enough in most cases: have 'make installworld' create /etc/issue, which
would look like this:

FreeBSD 9.0-RELEASE-p4 amd64/amd64

DES
-- 
Dag-Erling Smørgrav - des@des.no
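
A scripted form of the check this thread is after, as an added example that is not code from any poster or from FreeBSD: it reads the userland release from a newvers.sh-style file and compares its patch level with a kernel release string such as the one uname -r reports. The REVISION="..." and BRANCH="..." assignment layout, the function names and the sample values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: compare the userland patch level recorded in a
# newvers.sh-style file with the kernel release string from uname -r.

# Print "REVISION-BRANCH" (e.g. 9.0-RELEASE-p4) from plain VAR="value"
# assignments. The file is parsed with sed, never sourced.
userland_release() {
    rev=$(sed -n 's/^REVISION="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    br=$(sed -n 's/^BRANCH="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$rev" ] && [ -n "$br" ] || return 1
    printf '%s-%s\n' "$rev" "$br"
}

# Numeric patch level of a release string; 0 when there is no -pN suffix.
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# Release string with a trailing -pN removed.
base_release() { printf '%s\n' "${1%-p[0-9]*}"; }

# Classify kernel vs. userland. "kernel-behind" is the case from the
# thread: userland was patched but the kernel (and uname) was not.
compare_levels() {
    if [ "$(base_release "$1")" != "$(base_release "$2")" ]; then
        echo different-release
        return 0
    fi
    k=$(patch_level "$1")
    u=$(patch_level "$2")
    if [ "$k" -eq "$u" ]; then echo match
    elif [ "$k" -lt "$u" ]; then echo kernel-behind
    else echo userland-behind
    fi
}

# Constructed sample input, not a real newvers.sh.
sample_newvers() {
    printf '%s\n' 'TYPE="FreeBSD"' 'REVISION="9.0"' 'BRANCH="RELEASE-p4"'
}

# Run the comparison for a kernel string (default: this host's uname -r).
demo() {
    tmp=$(mktemp) || return 1
    sample_newvers > "$tmp"
    compare_levels "${1:-$(uname -r)}" "$(userland_release "$tmp")"
    rm -f "$tmp"
}

demo "9.0-RELEASE-p3"   # constructed kernel string
```

A kernel-behind result is not by itself a finding, since a patch that touched only userland leaves the kernel string unchanged; it marks the hosts where uname alone under-reports the patch level.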