From: freebsd@tern.ru
To: Ryan Steinmetz
Cc: freebsd-security@freebsd.org
Subject: Re: old perl vulnerability
Date: Mon, 18 Mar 2013 18:46:56 +0400

Thank you. Now it's fixed.

RS> On (03/15/13 17:30), freebsd@tern.ru wrote:
>>Hello Freebsd-security,
>>
>>I've got portaudit alarm on perl-5.8.9_7 with regard to
>>
>>perl -- denial of service via algorithmic complexity attack on hashing routines.
>>Reference: http://portaudit.FreeBSD.org/68c1f75b-8824-11e2-9996-c48508086173.html
>>
>>But on the other server I have perl-threaded-5.8.9_7
>>and portaudit thinks that it is OK (no problem)
>>
>>Is it correct?
>>It seems to me that threaded perl also should have the same problem.
>>

RS> It does have the same issue. I've corrected the VuXML entry and you
RS> should see updated portaudit results within 30 minutes. Your 5.8.9
RS> perl-threaded installation should also show up as vulnerable to the same
RS> issue.

RS> Thanks!

RS> -r

>>Please advise.
>>
>>PS. I know that it is old and "unsupported" but I don't want to
>>    upgrade without serious reason. And, anyway, the "behavior" of
>>    portaudit seems to me not correct.
>>
>>
>>With best regards,
>>Alexandre Krasnov.

Alexander Krasnov.

From: Dag-Erling Smørgrav
To: Ryan Steinmetz
Cc: freebsd-security@freebsd.org
Subject: Re: old perl vulnerability
Date: Mon, 18 Mar 2013 17:01:14 +0100

Ryan Steinmetz writes:
> It does have the same issue. I've corrected the VuXML entry and you
> should see updated portaudit results within 30 minutes. Your 5.8.9
> perl-threaded installation should also show up as vulnerable to the same
> issue.

This wouldn't keep happening if we used CPEs whenever possible...

DES
-- 
Dag-Erling Smørgrav - des@des.no

From: "Simon L. B. Nielsen"
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: CPE [was old perl vulnerability]
Date: Wed, 20 Mar 2013 17:22:50 +0000

On 18 March 2013 16:01, Dag-Erling Smørgrav wrote:
> Ryan Steinmetz writes:
>> It does have the same issue. I've corrected the VuXML entry and you
>> should see updated portaudit results within 30 minutes. Your 5.8.9
>> perl-threaded installation should also show up as vulnerable to the same
>> issue.
>
> This wouldn't keep happening if we used CPEs whenever possible...

Where would you use CPE - in all packages? I assume you are talking
about http://cpe.mitre.org/about/ ?

Part of the problem for VuXML is the trillion names for packages some
ports have, making it more painful. In the past we also had a number
of the tools which let one simpler grep for package names, but those
require infrastructure which doesn't exist anymore.

-- 
Simon L. B. Nielsen

From: Dag-Erling Smørgrav
To: "Simon L. B. Nielsen"
Cc: freebsd-security@freebsd.org
Subject: Re: CPE [was old perl vulnerability]
Date: Thu, 21 Mar 2013 11:04:18 +0100

"Simon L. B. Nielsen" writes:
> Dag-Erling Smørgrav wrote:
> > This wouldn't keep happening if we used CPEs whenever possible...
> Where would you use CPE - in all packages? I assume you are talking
> about http://cpe.mitre.org/about/ ?

Yes.

> Part of the problem for VuXML is the trillion names for packages some
> ports have, making it more painful.

Exactly. So what I propose is:

 - Add a port Makefile variable for the CPE (or multiple variables for
   the different components of the CPE, and code that "assembles" it).
   The ports infrastructure ensures that the CPE is included in the
   port / package metadata.

 - If a vulnerability is discovered in a port that has a CPE, the CPE
   is included in the vuxml entry.

 - portaudit, "pkg audit" etc are modified so that if an installed
   package has a CPE, the CPE is used instead of (or in addition to?)
   the name when matching vuxml entries.

It is very important that the CPE logic be conditional on the presence
of a CPE in the *package* and not in the vuxml entry, not just to
ensure the transition from the pre-CPE regime, but also because most
software doesn't even have a CPE until the first time it is the
subject of a CVE.

DES
-- 
Dag-Erling Smørgrav - des@des.no
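
The matching rule proposed in the last message, as an added example; it is not code from the thread, from portaudit or from pkg. The `cpe` metadata fields, the CPE strings and the package list are constructed for illustration, the "in addition to" variant is assumed, and version-range checks are left out.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Package:                      # installed-package metadata (constructed)
    name: str
    version: str
    cpe: Optional[str] = None       # hypothetical field filled in by the port

@dataclass
class VuxmlEntry:
    vid: str
    names: Tuple[str, ...]
    cpe: Optional[str] = None       # hypothetical: CPE recorded in the entry

def cpe_fields(uri):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version:...) into fields."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    return uri[len("cpe:/"):].lower().split(":")

def cpe_matches(pattern, target):
    """Every non-empty field of pattern must equal the same field of target."""
    p, t = cpe_fields(pattern), cpe_fields(target)
    t += [""] * (len(p) - len(t))   # pad so a longer pattern is fully compared
    return all(pf in ("", tf) for pf, tf in zip(p, t))

def entry_applies(pkg, entry):
    # CPE matching is conditional on the *package* carrying a CPE; name
    # matching stays in place "in addition" for everything else.
    if pkg.cpe and entry.cpe and cpe_matches(entry.cpe, pkg.cpe):
        return True
    return pkg.name in entry.names

VID = "68c1f75b-8824-11e2-9996-c48508086173"   # from the portaudit URL above
NAME_ONLY = VuxmlEntry(VID, ("perl",))         # constructed: lists only "perl"
WITH_CPE = VuxmlEntry(VID, ("perl",), "cpe:/a:perl:perl")   # constructed CPE
INSTALLED = [
    Package("perl", "5.8.9_7", "cpe:/a:perl:perl:5.8.9"),
    Package("perl-threaded", "5.8.9_7", "cpe:/a:perl:perl:5.8.9"),
    Package("perl-threaded", "5.8.9_7"),       # package built without a CPE
]

def audit(entry, installed=INSTALLED):
    """Return (name, has_cpe) for each installed package the entry applies to."""
    return [(p.name, p.cpe is not None) for p in installed if entry_applies(p, entry)]
```

With the name-only entry, both perl-threaded packages are missed; once the entry carries a CPE, the perl-threaded package that has CPE metadata is flagged, while the one built without it still depends on the name list.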