From owner-freebsd-security@FreeBSD.ORG Tue Oct 21 21:12:33 2014
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-14:20.rtsold
Reply-To: freebsd-security@freebsd.org
Message-Id: <20141021211219.9FF6D545E@nine.des.no>
Date: Tue, 21 Oct 2014 23:12:19 +0200 (CEST)

=============================================================================
FreeBSD-SA-14:20.rtsold                                     Security Advisory
                                                          The FreeBSD Project

Topic:          rtsold(8) remote buffer overflow vulnerability

Category:       core
Module:         rtsold
Announced:      2014-10-21
Credits:        Florian Obser, Hiroki Sato
Affects:        FreeBSD 9.1 and later.
Corrected:      2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1)
                2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
                2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE)
                2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
                2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
                2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
CVE Name:       CVE-2014-3954

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

As part of the stateless address autoconfiguration (SLAAC) mechanism,
IPv6 routers periodically broadcast router advertisement messages on
attached networks to inform hosts of the correct network prefix, router
address and MTU, as well as additional network parameters such as the
DNS servers (RDNSS), DNS search list (DNSSL) and whether a stateful
configuration service is available.  Hosts that have recently joined the
network can broadcast a router solicitation message to solicit an
immediate advertisement instead of waiting for the next periodic
advertisement.

The router solicitation daemon, rtsold(8), broadcasts router
solicitation messages at startup or when the state of an interface
changes from passive to active.  Incoming router advertisement messages
are first processed by the kernel and then passed on to rtsold(8), which
handles the DNS and stateful configuration options.

II.  Problem Description

Due to a missing length check in the code that handles DNS parameters, a
malformed router advertisement message can result in a stack buffer
overflow in rtsold(8).

III. Impact

Receipt of a router advertisement message with a malformed DNSSL option,
for instance from a compromised host on the same network, can cause
rtsold(8) to crash.

While it is theoretically possible to inject code into rtsold(8) through
malformed router advertisement messages, it is normally compiled with
stack protection enabled, rendering such an attack extremely difficult.

When rtsold(8) crashes, the existing DNS configuration will remain in
force, and the kernel will continue to receive and process periodic
router advertisements.

IV.  Workaround

No workaround is available, but systems that do not run rtsold(8) are
not affected.

As a general rule, SLAAC should not be used on networks where trusted
and untrusted hosts coexist in the same broadcast domain.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:20/rtsold.patch
# fetch http://security.FreeBSD.org/patches/SA-14:20/rtsold.patch.asc
# gpg --verify rtsold.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/rtsold.patch

c) Recompile rtsold.  Execute the following commands as root:

# cd /usr/src/usr.sbin/rtsold
# make && make install

4) Restart the affected service

To restart the affected service after updating the system, either reboot
the system or execute the following command as root:

# service rtsold restart

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r273412
releng/9.1/                                                       r273415
releng/9.2/                                                       r273415
releng/9.3/                                                       r273415
stable/10/                                                        r273411
releng/10.0/                                                      r273415
releng/10.1/                                                      r273414
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
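
An added example (not from the advisory or from rtsold's source) showing the bounds checks a DNSSL option parser needs before it copies search names into a fixed-size buffer: the option's advertised length is compared against the bytes actually received, and every label against the option's end. The option layout is RFC 6106; the type and function names, the eight-domain limit and the sample option bytes are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ND_OPT_DNSSL 31     /* RFC 6106 DNS Search List option type */
#define MAX_SEARCH   8      /* search domains we are willing to keep (constructed limit) */
#define MAX_NAME     255    /* longest presentation-form domain name */

typedef struct {
    uint32_t lifetime;      /* seconds the search list stays valid */
    int      count;
    char     names[MAX_SEARCH][MAX_NAME + 1];
} dnssl_t;

/* Decode one DNS wire-format name from [p, end) into out as dotted text.
 * Returns the wire bytes consumed, or -1 if a label would run past the
 * end of the option or the text would not fit in out. */
static int decode_name(const uint8_t *p, const uint8_t *end,
                       char *out, size_t outlen)
{
    const uint8_t *start = p;
    size_t o = 0;

    for (;;) {
        if (p >= end) return -1;                 /* length byte missing */
        uint8_t l = *p++;
        if (l == 0) break;                       /* root label ends the name */
        if (l > 63) return -1;                   /* no compression pointers in an RA */
        if ((size_t)(end - p) < l) return -1;    /* label claims bytes past the option */
        if (o + l + 2 > outlen) return -1;       /* would overflow the caller's buffer */
        if (o) out[o++] = '.';
        memcpy(out + o, p, l);
        o += l;
        p += l;
    }
    out[o] = '\0';
    return (int)(p - start);
}

/* Parse a DNSSL option at opt, where avail is the number of bytes actually
 * left in the received RA.  Returns the number of domains, or -1 if the
 * option is malformed and must be ignored. */
static int parse_dnssl(const uint8_t *opt, size_t avail, dnssl_t *out)
{
    memset(out, 0, sizeof *out);
    if (avail < 2 || opt[0] != ND_OPT_DNSSL) return -1;

    /* Length is in units of 8 octets and covers the whole option; RFC 6106
     * requires at least 2.  The option must also lie entirely inside the
     * bytes we received: trusting the advertised length without this
     * comparison lets the sender decide how far the parser reads. */
    size_t optlen = (size_t)opt[1] * 8;
    if (opt[1] < 2 || optlen > avail) return -1;

    out->lifetime = (uint32_t)opt[4] << 24 | (uint32_t)opt[5] << 16 |
                    (uint32_t)opt[6] << 8  | (uint32_t)opt[7];

    const uint8_t *p = opt + 8, *end = opt + optlen;
    while (p < end && *p != 0) {                 /* trailing zeros are padding */
        if (out->count >= MAX_SEARCH) return -1;
        int n = decode_name(p, end, out->names[out->count],
                            sizeof out->names[0]);
        if (n < 0) return -1;
        out->count++;
        p += n;
    }
    return out->count;
}

/* Constructed sample: well-formed DNSSL with "example.com" and
 * "corp.example", lifetime 3600 s, zero-padded to 5 * 8 = 40 bytes. */
static const uint8_t good_opt[40] = {
    ND_OPT_DNSSL, 5, 0, 0, 0x00, 0x00, 0x0e, 0x10,
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0,
    4, 'c','o','r','p', 7, 'e','x','a','m','p','l','e', 0,
    0, 0, 0, 0, 0
};

/* Constructed sample: the first label claims 48 bytes but only 7 remain in
 * the option, so a parser without the bound check copies past its end. */
static const uint8_t bad_label_opt[16] = {
    ND_OPT_DNSSL, 2, 0, 0, 0x00, 0x00, 0x0e, 0x10,
    48, 'e','x','a','m','p','l','e'
};

static dnssl_t parsed;

int main(void)
{
    int n = parse_dnssl(good_opt, sizeof good_opt, &parsed);
    printf("good option: %d domains, lifetime %u s\n", n, (unsigned)parsed.lifetime);
    for (int i = 0; i < n; i++)
        printf("  %s\n", parsed.names[i]);
    printf("bad label:   %d\n", parse_dnssl(bad_label_opt, sizeof bad_label_opt, &parsed));
    printf("truncated:   %d\n", parse_dnssl(good_opt, 24, &parsed)); /* len says 40, only 24 received */
    return 0;
}
```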

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-14:22.namei
Reply-To: freebsd-security@freebsd.org
Message-Id: <20141021211220.052A95474@nine.des.no>
Date: Tue, 21 Oct 2014 23:12:19 +0200 (CEST)

=============================================================================
FreeBSD-SA-14:22.namei                                      Security Advisory
                                                          The FreeBSD Project

Topic:          memory leak in sandboxed namei lookup

Category:       core
Module:         kernel
Announced:      2014-10-21
Credits:        Mateusz Guzik
Affects:        FreeBSD 9.1 and later.
Corrected:      2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1)
                2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
                2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE)
                2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
                2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
                2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
CVE Name:       CVE-2014-3711

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The namei kernel facility is responsible for performing and caching
translations from path names to file system objects (vnodes).

Capsicum is a lightweight capability and sandbox framework using a
hybrid capability system model.  It is often used to create sandboxes
for applications that process data from untrusted sources.

II.  Problem Description

The namei facility will leak a small amount of kernel memory every time
a sandboxed process looks up a nonexistent path name.

III. Impact

A remote attacker that can cause a sandboxed process (for instance, a
web server) to look up a large number of nonexistent path names can
cause memory exhaustion.

IV.  Workaround

Systems that do not have Capsicum enabled or do not run services that
use Capsicum are not vulnerable.

On systems that have Capsicum compiled into the kernel, it can be
disabled by executing the following command as root:

# sysctl kern.features.security_capabilities=0

Services that use Capsicum are usually able to run without it, albeit
with reduced security.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.x]
# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-9.patch
# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-9.patch.asc
# gpg --verify namei-9.patch.asc

[FreeBSD 10.x]
# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-10.patch
# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-10.patch.asc
# gpg --verify namei-10.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r273412
releng/9.1/                                                       r273415
releng/9.2/                                                       r273415
releng/9.3/                                                       r273415
stable/10/                                                        r273411
releng/10.0/                                                      r273415
releng/10.1/                                                      r273414
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-14:21.routed
Reply-To: freebsd-security@freebsd.org
Message-Id: <20141021211219.D3073546A@nine.des.no>
Date: Tue, 21 Oct 2014 23:12:19 +0200 (CEST)

=============================================================================
FreeBSD-SA-14:21.routed                                     Security Advisory
                                                          The FreeBSD Project

Topic:          routed(8) remote denial of service vulnerability

Category:       core
Module:         routed
Announced:      2014-10-21
Credits:        Hiroki Sato
Affects:        All supported versions of FreeBSD.
Corrected:      2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1)
                2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
                2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE)
                2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
                2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
                2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
                2014-10-21 20:20:26 UTC (stable/8, 8.4-STABLE)
                2014-10-21 20:21:27 UTC (releng/8.4, 8.4-RELEASE-p17)
CVE Name:       CVE-2014-3955

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The routing information protocol (RIP) is an older routing protocol
which, while not as capable as more recent protocols such as OSPF and
BGP, is sometimes preferred for its simplicity and therefore still used
as an interior gateway protocol on smaller networks.

Routers in a RIP network periodically broadcast their routing table on
all enabled interfaces.  Neighboring routers and hosts receive these
broadcasts and update their routing tables accordingly.

The routed(8) daemon is a RIP implementation for FreeBSD.  The
rtquery(8) utility can be used to send a RIP query to a router and
display the result without updating the routing table.

II.  Problem Description

The input path in routed(8) will accept queries from any source and
attempt to answer them.  However, the output path assumes that the
destination address for the response is on a directly connected network.

III. Impact

Upon receipt of a query from a source which is not on a directly
connected network, routed(8) will trigger an assertion and terminate.
The affected system's routing table will no longer be updated.  If the
affected system is a router, its routes will eventually expire from
other routers' routing tables, and its networks will no longer be
reachable unless they are also connected to another router.

IV.  Workaround

Use a packet filter such as pf(4) or ipfw(4) to block incoming UDP
packets with destination port 520 that did not originate on the same
subnet as the destination address.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:21/routed.patch
# fetch http://security.FreeBSD.org/patches/SA-14:21/routed.patch.asc
# gpg --verify routed.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/routed.patch

c) Recompile routed.  Execute the following commands as root:

# cd /usr/src/sbin/routed
# make && make install

4) Restart the affected service

To restart the affected service after updating the system, either reboot
the system or execute the following command as root:

# service routed restart

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r273413
releng/8.4/                                                       r273416
stable/9/                                                         r273412
releng/9.1/                                                       r273415
releng/9.2/                                                       r273415
releng/9.3/                                                       r273415
stable/10/                                                        r272872
releng/10.0/                                                      r273415
releng/10.1/                                                      r273414
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
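
An added example (not routed's code) of the input-path check the advisory describes: a RIP request is only answered when its source lies on a directly connected network, so the output path never has to assume that it does. The struct, enum and helper names are hypothetical and the networks and request bytes are constructed; the same subnet test is what the pf(4)/ipfw(4) workaround applies to UDP/520 at the packet filter.

```c
#include <stdint.h>
#include <stdio.h>

#define RIP_PORT        520
#define RIPCMD_REQUEST  1
#define RIPCMD_RESPONSE 2
#define RIP_HDR_LEN     4      /* command, version, two zero bytes */
#define RIP_ENTRY_LEN   20     /* one RIPv1/RIPv2 route entry */

/* One directly connected IPv4 network (host byte order).  Constructed type. */
struct connected_net {
    uint32_t addr;
    uint32_t mask;
};

enum rip_verdict {
    RIP_ANSWER = 0,          /* well-formed request from an attached network */
    RIP_DROP_MALFORMED,      /* bad length or unknown version */
    RIP_DROP_NOT_REQUEST,    /* responses take a different path */
    RIP_DROP_OFFLINK         /* source is not on any attached network */
};

/* Hypothetical helper: is src on a network attached to one of our
 * interfaces?  It is the same test the advisory's pf(4)/ipfw(4)
 * workaround applies to UDP/520 at the packet filter. */
static int on_connected_net(uint32_t src, const struct connected_net *nets, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((src & nets[i].mask) == (nets[i].addr & nets[i].mask))
            return 1;
    return 0;
}

/* Decide on the input path whether a RIP datagram from src gets a reply.
 * The sender's reachability is settled here, before any reply exists,
 * rather than assumed later when the output path picks an interface for
 * the destination and finds there is none. */
static enum rip_verdict rip_query_verdict(const uint8_t *pkt, size_t len, uint32_t src,
                                          const struct connected_net *nets, size_t n)
{
    if (len < RIP_HDR_LEN || (len - RIP_HDR_LEN) % RIP_ENTRY_LEN != 0)
        return RIP_DROP_MALFORMED;
    if (pkt[1] != 1 && pkt[1] != 2)
        return RIP_DROP_MALFORMED;
    if (pkt[0] != RIPCMD_REQUEST)
        return RIP_DROP_NOT_REQUEST;
    if (!on_connected_net(src, nets, n))
        return RIP_DROP_OFFLINK;
    return RIP_ANSWER;
}

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Constructed sample: two attached networks from the RFC 5737 ranges. */
static const struct connected_net sample_nets[2] = {
    { 0xC0000201u, 0xFFFFFF00u },   /* 192.0.2.1/24 */
    { 0xC6336401u, 0xFFFFFF00u },   /* 198.51.100.1/24 */
};

/* Constructed sample: the RIPv2 "send your whole table" request that
 * rtquery(8) emits: one entry, address family 0, metric 16. */
static const uint8_t whole_table_request[24] = {
    RIPCMD_REQUEST, 2, 0, 0,
    0, 0,  0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 16
};

int main(void)
{
    const size_t n = sizeof whole_table_request;
    printf("request from 192.0.2.77 (attached):   verdict %d\n",
           rip_query_verdict(whole_table_request, n, ip4(192, 0, 2, 77), sample_nets, 2));
    printf("request from 203.0.113.5 (off-link):  verdict %d\n",
           rip_query_verdict(whole_table_request, n, ip4(203, 0, 113, 5), sample_nets, 2));
    printf("truncated datagram:                   verdict %d\n",
           rip_query_verdict(whole_table_request, 10, ip4(192, 0, 2, 77), sample_nets, 2));
    return 0;
}
```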

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-14:23.openssl
Reply-To: freebsd-security@freebsd.org
Message-Id: <20141021211220.19945547A@nine.des.no>
Date: Tue, 21 Oct 2014 23:12:20 +0200 (CEST)

=============================================================================
FreeBSD-SA-14:23.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2014-10-21
Affects:        All supported versions of FreeBSD.
Corrected:      2014-10-15 19:59:43 UTC (stable/10, 10.1-PRERELEASE)
                2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC3)
                2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC2-p1)
                2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC1-p1)
                2014-10-21 19:00:32 UTC (releng/10.1, 10.1-BETA3-p1)
                2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
                2014-10-15 20:28:31 UTC (stable/9, 9.3-STABLE)
                2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
                2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
                2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
                2014-10-15 20:28:31 UTC (stable/8, 8.4-STABLE)
                2014-10-21 20:21:27 UTC (releng/8.4, 8.4-RELEASE-p17)
CVE Name:       CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

II.  Problem Description

A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail to
free up to 64k of memory causing a memory leak.  [CVE-2014-3513]

When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified.  In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory causing
a memory leak.  [CVE-2014-3567]

The SSL protocol 3.0, as supported in OpenSSL and other products,
supports CBC mode encryption where it could not adequately check the
integrity of padding, because of the use of non-deterministic CBC
padding.  This protocol weakness makes it possible for an attacker to
obtain clear text data through a padding-oracle attack.

Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers.  This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols.  SSL 3.0 contains a number of weaknesses
including POODLE.  [CVE-2014-3566]

OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to
block the ability for a MITM attacker to force a protocol downgrade.

When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.  [CVE-2014-3568]

III. Impact

A remote attacker can cause Denial of Service with OpenSSL 1.0.1 server
implementations for both SSL/TLS and DTLS regardless of whether SRTP is
used or configured.  [CVE-2014-3513]

By sending a large number of invalid session tickets an attacker could
exploit this issue in a Denial Of Service attack.  [CVE-2014-3567]

An active man-in-the-middle attacker can force a protocol downgrade to
SSLv3 and exploit the weakness of SSLv3 to obtain clear text data from
the connection.  [CVE-2014-3566] [CVE-2014-3568]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-10.0.patch
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-10.0.patch.asc
# gpg --verify openssl-10.0.patch.asc

[FreeBSD 9.3]
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-9.3.patch
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc

[FreeBSD 8.4, 9.1 and 9.2]
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-8.4.patch
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-8.4.patch.asc
# gpg --verify openssl-8.4.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons using the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r273151
releng/8.4/                                                       r273416
stable/9/                                                         r273151
releng/9.1/                                                       r273415
releng/9.2/                                                       r273415
releng/9.3/                                                       r273415
stable/10/                                                        r273149
releng/10.0/                                                      r273415
releng/10.1/                                                      r273399
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
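
An added example (not OpenSSL's code) modelling TLS_FALLBACK_SCSV from both ends as RFC 7507 specifies it: the client appends the signalling suite only when it retries below the version it supports, and a server that sees the suite together with a lowered client_version aborts with inappropriate_fallback instead of completing the SSL 3.0 handshake; a separate minimum-version check models a server that really does refuse SSL 3.0 (the "no-ssl3" point above). The struct, function names and cipher list are constructed for this illustration; the version numbers, the 0x5600 suite value and the alert numbers are the protocol's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SSL3_VERSION      0x0300
#define TLS1_VERSION      0x0301
#define TLS1_2_VERSION    0x0303
#define TLS_FALLBACK_SCSV 0x5600   /* RFC 7507 signalling cipher suite value */

/* Alert descriptions the server may send instead of continuing. */
#define ALERT_PROTOCOL_VERSION        70
#define ALERT_INAPPROPRIATE_FALLBACK  86

#define MAX_SUITES 16

/* Constructed model of the ClientHello fields that matter here. */
struct client_hello {
    uint16_t client_version;           /* highest version the client offers */
    uint16_t suites[MAX_SUITES];
    size_t   nsuites;
};

/* Client side.  'attempt' is the version this connection tries; 'supported'
 * is the highest the client implements.  Per RFC 7507 the client appends
 * TLS_FALLBACK_SCSV exactly when it is retrying below what it supports,
 * i.e. during the reconnect-with-a-lower-version behaviour the advisory
 * describes.  Returns 0, or -1 if the suite list would not fit. */
static int client_build_hello(struct client_hello *ch, uint16_t attempt, uint16_t supported,
                              const uint16_t *suites, size_t n)
{
    if (n + 1 > MAX_SUITES || attempt > supported)
        return -1;
    ch->client_version = attempt;
    for (size_t i = 0; i < n; i++)
        ch->suites[i] = suites[i];
    ch->nsuites = n;
    if (attempt < supported)
        ch->suites[ch->nsuites++] = TLS_FALLBACK_SCSV;
    return 0;
}

static int hello_has_fallback_scsv(const struct client_hello *ch)
{
    for (size_t i = 0; i < ch->nsuites; i++)
        if (ch->suites[i] == TLS_FALLBACK_SCSV)
            return 1;
    return 0;
}

/* Server side.  Returns the negotiated version, or the negative of the
 * alert to send.  'min_version' models a deployment that has turned
 * SSL 3.0 off; the advisory's "no-ssl3" item is about that refusal
 * actually taking effect on the handshake. */
static int server_negotiate(const struct client_hello *ch, uint16_t min_version, uint16_t max_version)
{
    /* SCSV present while the client offers less than we support: the client
     * is on a downgraded retry that we never asked for, so refuse it. */
    if (hello_has_fallback_scsv(ch) && ch->client_version < max_version)
        return -ALERT_INAPPROPRIATE_FALLBACK;
    if (ch->client_version < min_version)
        return -ALERT_PROTOCOL_VERSION;
    return ch->client_version < max_version ? ch->client_version : max_version;
}

/* Constructed cipher list: ECDHE-RSA-AES128-GCM-SHA256 and AES128-SHA. */
static const uint16_t sample_suites[2] = { 0xC02F, 0x002F };

/* Scenario: a TLS 1.2 client whose first attempt was blocked retries at
 * SSL 3.0, next to a client that genuinely speaks only SSL 3.0. */
static struct client_hello first_try, fallback_try, legacy_client;

static void build_scenario(void)
{
    client_build_hello(&first_try,     TLS1_2_VERSION, TLS1_2_VERSION, sample_suites, 2);
    client_build_hello(&fallback_try,  SSL3_VERSION,   TLS1_2_VERSION, sample_suites, 2);
    client_build_hello(&legacy_client, SSL3_VERSION,   SSL3_VERSION,   sample_suites, 2); /* no SCSV */
}

int main(void)
{
    build_scenario();
    printf("first attempt negotiates           0x%04x\n", server_negotiate(&first_try, TLS1_VERSION, TLS1_2_VERSION));
    printf("downgraded retry                   %d (alert %d)\n", server_negotiate(&fallback_try, TLS1_VERSION, TLS1_2_VERSION), ALERT_INAPPROPRIATE_FALLBACK);
    printf("SSL3-only client, SSL3 disabled    %d (alert %d)\n", server_negotiate(&legacy_client, TLS1_VERSION, TLS1_2_VERSION), ALERT_PROTOCOL_VERSION);
    printf("SSL3-only client, SSL3 still on    0x%04x\n", server_negotiate(&legacy_client, SSL3_VERSION, TLS1_2_VERSION));
    return 0;
}
```

The last line shows the configuration the advisory is warning about: a server that still admits SSL 3.0 completes the handshake with any client that never sent the SCSV, so the SCSV alone does not close POODLE against legacy-only peers.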

From: Dewayne Geraghty
To: Hans Petter Selasky
Cc: freebsd-security@freebsd.org, freebsd-usb@freebsd.org
Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
Date: Wed, 22 Oct 2014 12:09:57 +1100
Message-ID: <544703E5.7000007@heuristicsystems.com.au>
References: <201410082347.s98NkjW3025396@fire.js.berklix.net> <54362AE2.90501@selasky.org> <54369F43.9010806@selasky.org>
In-Reply-To: <54369F43.9010806@selasky.org>

On 10/10/2014 1:44 AM, Hans Petter Selasky wrote:
> On 10/09/14 15:59, Oliver Pinter wrote:
>> On 10/9/14, Hans Petter Selasky wrote:
>>> Hi Julian,
>>>
>>> On 10/09/14 01:46, Julian H. Stacey wrote:
>>>> Hi Hans etc
>>>> "Julian H. Stacey" wrote:
>>>>> Hans Petter Selasky wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Can you test the following kernel patch and give some feedback:
>>>>>>
>>>>>> https://svnweb.freebsd.org/changeset/base/272733
>>>>
>>>> I'm now on latest current with src & sys/ GENERIC
>>>> /usr/src/.ctm_status # src-cur 11645
>>>>
>>>> This time I downloaded your files properly
>>>> (last time I was severely distracted & made a silly mistake)
>>>>
>>>>>> After the patch you will get something like:
>>>>>> hw.usb.disable_enumeration: 0
>>>>>> dev.uhub.0.disable_enumeration: 0
>>>>>> dev.uhub.1.disable_enumeration: 0
>>>>>> ...
>>>>
>>>> sysctl -a | grep enumeration
>>>> hw.usb.disable_enumeration: 0
>>>> dev.uhub.0.disable_enumeration: 0
>>>> dev.uhub.1.disable_enumeration: 0
>>>> dev.uhub.2.disable_enumeration: 0
>>>> dev.uhub.3.disable_enumeration: 0
>>>> dev.uhub.4.disable_enumeration: 0
>>>>
>>>> sysctl -d hw.usb.disable_enumeration
>>>> hw.usb.disable_enumeration: Set to disable all USB device enumeration.
>>>>
>>>> sysctl -d dev.uhub.4.disable_enumeration
>>>> dev.uhub.4.disable_enumeration: Set to disable enumeration on this USB HUB.
>>>>
>>>> usbconfig
>>>> ugen0.1: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
>>>> ugen1.1: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
>>>> ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
>>>> ugen1.2: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
>>>> ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH (480Mbps) pwr=OFF (500mA)
>>>> ugen1.3: at usbus1, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
>>>> ugen1.4: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (100mA)
>>>>
>>>> Great ! Seems to work.
>>>>
>>>> (Though I need to read up on how major & minor of ugen relate to
>>>> the digit in eg 4.disable_enumeration)
>>>>
>>>>>> which is also settable through /boot/loader.conf (tunable)
>>>>
>>>> Good,
>>>> I hope/presume loader.conf gets run before any USB, cos I recall
>>>> lecturer Karsten Nohl pointing out one could get BadUSB taking up
>>>> residence in USB controller chips inside a PC, ie for a built in
>>>> mouse or web cam, so one would need to turn off enumeration earlier
>>>> than when first external USB approaches to connect.
>>>
>>> Yes, if set by the loader.conf, you will only see the RootHUB after
>>> boot.
>>>
>>> To get devices back after enabling enumeration again, you will need to
>>> reset the HUBs:
>>>
>>> usbconfig -d X.1 reset
>>>
>>> For example.
>>>
>>> BTW: I've added some exceptions, that existing devices can be detached,
>>> suspend/resumed and reset while the enumeration is disabled.
>>
>> Can we somehow improve this change, to powering down the ports/hubs
>> which have the enumeration disabled?
>>
>
> Hi,
>
> I've added this as an orthogonal feature. Please test and report back:
>
> hw.usb.disable_enumeration: 0
> hw.usb.disable_port_power: 0
>
> dev.uhub.0.disable_enumeration: 0
> dev.uhub.0.disable_port_power: 0
>
> https://svnweb.freebsd.org/changeset/base/272822
>
> Thank you!
>
> --HPS
>

Hans,

Thank-you for these enhancements, as it's good to have something in the
armoury to try to address this issue.

I applied the patch
https://lists.freebsd.org/pipermail/svn-src-head/2014-October/063443.html
to an updated 10.Stable overnight.

Disabling enumeration works as described above, except that placing the
following in loader.conf has no effect?

--- tail of /boot/loader.conf ---
# 20141022 Didn't work as expected
#dev.uhub.0.disable_enumeration="1"
#dev.uhub.1.disable_enumeration="1"
#dev.uhub.2.disable_enumeration="1"
#dev.uhub.3.disable_enumeration="1"
#dev.uhub.4.disable_enumeration="1"
# 20141022 Also didn't work
hw.usb.disable_enumeration="1"
--- end of /boot/loader.conf ---

I confirmed the setting was correctly read by loader, by interrupting the
boot and showing the variables.  But immediately after booting,

sysctl -a|grep enumer
hw.usb.disable_enumeration: 0
dev.uhub.0.disable_enumeration: 0
dev.uhub.1.disable_enumeration: 0
dev.uhub.2.disable_enumeration: 0
dev.uhub.3.disable_enumeration: 0
dev.uhub.4.disable_enumeration: 0

Any ideas why loader.conf settings weren't applied?  They are applied via
/etc/sysctl.conf, but by that stage, any harm has been done.

It was interesting doing "user testing" (ie dumb things).  Having a mouse
in hub-unit.endpoint=0.2

sysctl dev.uhub.0.disable_enumeration=1
usbconfig -d 0.2 power_off

provides an opportunity to make a fresh cup of tea... ;)

Regards, Dewayne.
-- 
For the talkers: “The superior man acts before he speaks, and afterwards
speaks according to his action.”
For everyone else: “Life is really simple, but we insist on making it
complicated.”

From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 06:19:53 2014
Message-ID: <54474C8B.5020000@selasky.org>
Date: Wed, 22 Oct 2014 08:19:55 +0200
From: Hans Petter Selasky
To: Dewayne Geraghty
Cc: freebsd-security@freebsd.org, freebsd-usb@freebsd.org
Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
References: <201410082347.s98NkjW3025396@fire.js.berklix.net> <54362AE2.90501@selasky.org> <54369F43.9010806@selasky.org> <544703E5.7000007@heuristicsystems.com.au>
In-Reply-To: <544703E5.7000007@heuristicsystems.com.au>

On 10/22/14 03:09, Dewayne Geraghty wrote:
> Hans,
> Thank-you for these enhancements, as it's good to have something in the
> armoury to try to address this issue.
>
> I applied the patch
> https://lists.freebsd.org/pipermail/svn-src-head/2014-October/063443.html
> to an updated 10.Stable overnight. Disabling enumeration works as
> described above except that, placing the following in loader.conf has no
> effect?
> --- tail of /boot/loader.conf ---
> # 20141022 Didn't work as expected
> #dev.uhub.0.disable_enumeration="1"
> #dev.uhub.1.disable_enumeration="1"
> #dev.uhub.2.disable_enumeration="1"
> #dev.uhub.3.disable_enumeration="1"
> #dev.uhub.4.disable_enumeration="1"
>
> # 20141022 Also didn't work
> hw.usb.disable_enumeration="1"
> --- end of /boot/loader.conf ---

Hi,

The /boot/loader.conf only works in -current, because in 10-stable
SYSCTLs cannot be automatically loaded from TUNABLEs. You would need to
add some TUNABLE() statements for that.

--HPS

From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 11:41:28 2014
Date: Wed, 22 Oct 2014 12:41:18 +0100 (BST)
From: Anton Shterenlikht
Reply-To: mexas@bris.ac.uk
Message-Id: <201410221141.s9MBfIRS027949@mech-as221.men.bris.ac.uk>
To: freebsd-security@freebsd.org
Subject: Re: system identification in utx database?

I asked in questions@ and got no reply, trying here.

Thanks

Anton

>From mexas Mon Oct 20 10:37:52 2014
>To: freebsd-questions@freebsd.org
>Subject: system identification in utx database?
>Reply-To: mexas@bris.ac.uk
>
>Hello
>
>Is there any information in a utx(8) database (log)
>that allows one to identify the system where
>that database was recorded? I cannot find any.
>
>I need to preserve the utx access logs from several
>FreeBSD boxes. If I copy the logs to another box,
>or just print, I lose the information about the
>system where these logs came from.
>This is because this information does not
>seem to be present in the logs themselves.
>So I have to add some manual database identification,
>which might cast doubt on the database authenticity
>or integrity, if I ever need to rely on such databases,
>e.g. in court.
>
>So, I wonder if there is some system identification
>information written to utx database that I'm not
>familiar with.
>
>I also have auditing enabled, but I'm still
>learning it, and don't want to lose the
>simplicity of utx.
>
>Shall I ask in security@ list?
>
>Thanks
>
>Anton

From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 13:58:05 2014
Date: Wed, 22 Oct 2014 09:58:01 -0400
From: Mason Loring Bliss
To: freebsd-security@freebsd.org
Subject: DES?
Message-ID: <20141022135801.GI2581@blisses.org>

Can someone explain what this will impact in normal use? Does this mean
that passwords will default to DES?
I've dug around a little and I'm not seeing where a default is set for
passwords - my desktop right now is using sha512, but if I had to guess
I'd say it's because it was the crypt(3) default.

http://article.gmane.org/gmane.os.freebsd.devel.cvs/516280

Save me from guessing! :) What is the scope and impact of this change?

Thanks.

-- 
Love is a snowmobile racing across the tundra and then suddenly it flips
over, pinning you underneath. At night, the ice weasels come.

From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 14:19:13 2014
Date: Wed, 22 Oct 2014 10:19:09 -0400
From: Mason Loring Bliss
To: freebsd-security@freebsd.org
Subject: Re: DES?
Message-ID: <20141022141909.GJ2581@blisses.org>
References: <20141022135801.GI2581@blisses.org>
In-Reply-To: <20141022135801.GI2581@blisses.org>

On Wed, Oct 22, 2014 at 09:58:01AM -0400, Mason Loring Bliss wrote:
> my desktop right now is using sha512, but if I had to guess I'd say it's
> because it was the crypt(3) default.

Or I could look at login.conf and see that it's set to sha512 there.

Never mind. Nothing to see here - move along. :P

-- 
Mason Loring Bliss   (( If I have not seen as far as others, it is because
mason@blisses.org    )) giants were standing on my shoulders. - Hal Abelson

From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 19:08:44 2014
From: Dag-Erling Smørgrav
To: Mason Loring Bliss
Cc: freebsd-security@freebsd.org
Subject: Re: DES?
References: <20141022135801.GI2581@blisses.org>
Date: Wed, 22 Oct 2014 21:08:31 +0200
In-Reply-To: <20141022135801.GI2581@blisses.org> (Mason Loring Bliss's message of "Wed, 22 Oct 2014 09:58:01 -0400")
Message-ID: <8638afdis0.fsf@nine.des.no>

Mason Loring Bliss writes:
> Can someone explain what this will impact in normal use? Does this
> mean that passwords will default to DES?

No, the default setting for user passwords is in login.conf and is still
SHA-512. The hardcoded default only applies to programs that use
crypt(3) for other purposes and do not call crypt_set_format(3) first.
See https://bugs.freebsd.org/192277 for details and examples of affected
applications.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 20:45:44 2014
Date: Wed, 22 Oct 2014 16:45:35 -0400
From: Mason Loring Bliss
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: DES?
Message-ID: <20141022204535.GL2581@blisses.org>
References: <20141022135801.GI2581@blisses.org> <8638afdis0.fsf@nine.des.no>
In-Reply-To: <8638afdis0.fsf@nine.des.no>

On Wed, Oct 22, 2014 at 09:08:31PM +0200, Dag-Erling Smørgrav wrote:
> See https://bugs.freebsd.org/192277 for details and examples of affected
> applications.

Ah, thank you. That sheds a lot more light on it.

-- 
Mason Loring Bliss          mason@blisses.org          Ewige Blumenkraft!
awake ? sleep : random() & 2 ? dream : sleep; -- Hamlet, Act III, Scene I

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 01:51:58 2014
Date: Thu, 23 Oct 2014 12:26:20 +1100 (AEDT)
From: Peter Ross
To: freebsd-security@freebsd.org
Subject: Last SAs not on https://www.freebsd.org/security/advisories.html

Hi all,

I can see the last security advisories on the main page
(https://www.freebsd.org) but not on advisories.html.

I noticed it yesterday.

I am monitoring this page to apply patches when needed but I was aware of
OpenSSH issues before [from the vuln.xml in the ports] so I expected them
to show up for the base too.

Regards
Peter

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 06:28:34 2014
Date: Thu, 23 Oct 2014 08:22:56 +0200
From: Marko Turk
To: Peter Ross
Cc: freebsd-security@freebsd.org
Subject: Re: Last SAs not on https://www.freebsd.org/security/advisories.html
Message-ID: <20141023062256.GA3921@vps.markoturk.info>

On Thu, Oct 23, 2014 at 12:26:20PM +1100, Peter Ross wrote:
> Hi all,
>
> I can see the last
> security advisories on the main page
> (https://www.freebsd.org) but not on advisories.html.
>
> I noticed it yesterday.
>
> I am monitoring this page to apply patches when needed but I was aware of
> OpenSSH issues before [from the vuln.xml in the ports] so I expected them
> to show up for the base too.
>
> Regards
> Peter

Also, some latest portaudit links from 'pkg audit' are not working.
For example:
http://portaudit.FreeBSD.org/9c1495ac-8d8c-4789-a0f3-8ca6b476619c.html
http://portaudit.FreeBSD.org/0642b064-56c4-11e4-8b87-bcaec565249c.html

Regards,
Marko

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 07:38:42 2014
From: Dag-Erling Smørgrav
To: Peter Ross
Cc: freebsd-security@freebsd.org
Subject: Re: Last SAs not on https://www.freebsd.org/security/advisories.html
Date: Thu, 23 Oct 2014 09:38:28 +0200
In-Reply-To: (Peter Ross's message of "Thu, 23 Oct 2014 12:26:20 +1100 (AEDT)")
Message-ID: <86h9yvb5hn.fsf@nine.des.no>

Peter Ross writes:
> I can see the last security advisories on the main page
> (https://www.freebsd.org) but not on advisories.html.

That is strange. They were added ~36 hours ago and should have been
visible within a few minutes of the commit. I will ask doceng@ to
investigate.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 07:40:50 2014
From: Dag-Erling Smørgrav
To: Marko Turk
Cc: Peter Ross, freebsd-security@freebsd.org
Subject: Re: Last SAs not on https://www.freebsd.org/security/advisories.html
References: <20141023062256.GA3921@vps.markoturk.info>
Date: Thu, 23 Oct 2014 09:40:36 +0200
In-Reply-To: <20141023062256.GA3921@vps.markoturk.info> (Marko Turk's message of "Thu, 23 Oct 2014 08:22:56 +0200")
Message-ID: <86d29jb5e3.fsf@nine.des.no>

Marko Turk writes:
> Also, some latest portaudit links from 'pkg audit' are not working.
> For example:
> http://portaudit.FreeBSD.org/9c1495ac-8d8c-4789-a0f3-8ca6b476619c.html
> http://portaudit.FreeBSD.org/0642b064-56c4-11e4-8b87-bcaec565249c.html

Since portaudit was decommissioned a few weeks ago, these should point
to http://vuxml.freebsd.org/freebsd/ instead. I will ask our webmaster
to set up a redirect.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 20:54:14 2014
Message-ID: <54496AF5.7090402@delphij.net>
Date: Thu, 23 Oct 2014 13:54:13 -0700
From: Xin Li
Reply-To: d@delphij.net
Organization: The FreeBSD Project
To: Dag-Erling Smørgrav, Peter Ross
Cc: freebsd-security@freebsd.org, Glen Barber
Subject: Re: Last SAs not on https://www.freebsd.org/security/advisories.html
References: <86h9yvb5hn.fsf@nine.des.no>
In-Reply-To: <86h9yvb5hn.fsf@nine.des.no>

On 10/23/14 00:38, Dag-Erling Smørgrav wrote:
> Peter Ross writes:
>> I can see the last security advisories on the main page
>> (https://www.freebsd.org) but not on advisories.html.
>
> That is strange. They were added ~36 hours ago and should have
> been visible within a few minutes of the commit. I will ask
> doceng@ to investigate.

According to Glen it's caused by a libxml2 bug. He has reverted the
recent upgrade on w.f.o and it fixed the problem, thanks for reporting!

Cheers,
-- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die

From owner-freebsd-security@FreeBSD.ORG Sat Oct 25 19:21:27 2014
From: Dag-Erling Smørgrav
To: d@delphij.net
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
References: <53B499B1.4090003@delphij.net> Date: Sat, 25 Oct 2014 21:21:16 +0200 In-Reply-To: <53B499B1.4090003@delphij.net> (Xin Li's message of "Wed, 02 Jul 2014 16:45:53 -0700") Message-ID: <86bnp07y6r.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: Ben Laurie , freebsd-security@FreeBSD.ORG, re , Jung-uk Kim , gecko@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Oct 2014 19:21:27 -0000 Reviving this discussion because it was never resolved. Xin Li writes: > Currently, FreeBSD does not install a default /etc/ssl/cert.pem > because we do not maintain one ourselves. [...] So my proposal would > be: > > 1. Import a set of trusted root certificates, and install if > MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem; At a minimum, we need the certificate chain for all freebsd.org certificates. > 2. In src/etc/Makefile, automatically create a symbolic link if it's > not already present in ${DESTDIR}/etc/ssl; > > 3. Teach mergemaster(8) and other similar applications to create the > symbolic link on demand; > > 4. Change the install/deinstall behavior of security/ca_root_nss: > ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on > install then overwrite with new symlink, and restore on deinstall. > ETCSYMLINK unchecked: If /etc/ssl/cert.pem do not pre-exist, > install new a symlink; on deinstall, if > /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a > symlink to there, or remove if the file does not exist. I would prefer to have each port install their certificate lists in a "hidden" location which is then added to the search path using c_rehash. 
This may require changing libfetch and various applications to pass a path to SSL_CTX_load_verify_locations() instead of or in addition to a file. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
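The hashed-directory layout DES refers to (what c_rehash produces, and what the path argument of SSL_CTX_load_verify_locations() consumes) can be built and checked with nothing but the openssl CLI. The script below is an added example written for this archive; it is not code from the thread, from FreeBSD or from any port. It generates a throwaway CA and a leaf it signs (constructed subjects, valid for one day), links the CA into a per-port directory under the `<subject_hash>.<n>` name OpenSSL's by-directory lookup expects, and shows that the leaf only verifies once that link exists. The directory name `capath` and the certificate names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: build a per-port
# "hidden" CA directory in the layout c_rehash produces and verify against it
# with -CApath. Needs only the openssl CLI; every certificate is generated
# here as throwaway test data (constructed subjects, valid for one day).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed test CA and a leaf certificate it signs.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Port CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=leaf.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Link one PEM certificate into a CApath directory as <subject_hash>.<n>.
# OpenSSL's by-directory lookup (what the path argument of
# SSL_CTX_load_verify_locations() uses) only opens files with that name, so a
# certificate dropped in under any other name is silently ignored.
# Prints the path of the link it created.
add_to_capath() {
  cert=$1
  dir=$2
  mkdir -p "$dir"
  hash=$(openssl x509 -in "$cert" -noout -subject_hash)
  n=0
  while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done   # collisions get .1, .2, ...
  abs=$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")
  ln -s "$abs" "$dir/$hash.$n"
  printf '%s\n' "$dir/$hash.$n"
}

# Verify a leaf against a CApath directory; exit status 0 on success.
verify_with_capath() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demonstration: verification fails while the directory is empty
# and succeeds once the CA has been linked in under its hash name.
demo() {
  make_test_pki
  mkdir -p "$WORK/capath"
  if verify_with_capath "$WORK/capath" "$WORK/leaf.pem"; then
    echo "unexpected: leaf verified against an empty CApath"
    return 1
  fi
  link=$(add_to_capath "$WORK/ca.pem" "$WORK/capath")
  echo "linked CA as $link"
  verify_with_capath "$WORK/capath" "$WORK/leaf.pem" && echo "leaf verifies via CApath"
}

demo
```

Two things worth knowing when applying this to the proposal: the hash in the filename is the one `openssl x509 -subject_hash` prints, so a directory populated this way is interchangeable with one produced by c_rehash; and `openssl verify`, like an SSL_CTX that is also handed a CAfile, keeps consulting the file store alongside the directory (on OpenSSL 1.1.0 and later `-no-CAfile` restricts it to the directory), which is why DES talks about passing the path instead of, or in addition to, /etc/ssl/cert.pem.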
