From owner-freebsd-security@FreeBSD.ORG Tue Mar 3 08:59:18 2015
From: Dag-Erling Smørgrav
To: Slawa Olhovchenkov
Cc: freebsd-security, Xin Li, Bartek Rutkowski, so@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:05.bind
Date: Tue, 03 Mar 2015 09:53:11 +0100

Slawa Olhovchenkov writes:
> Do you plan to fix it?

It's not a bug. Remove the src component from your freebsd-update.conf.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Mar 3 12:44:08 2015
From: Robert Simmons
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:05.bind
Date: Tue, 3 Mar 2015 07:44:07 -0500

On Mar 3, 2015 3:59 AM, "Dag-Erling Smørgrav" wrote:
>
> Slawa Olhovchenkov writes:
> > Do you plan to fix it?
>
> It's not a bug. Remove the src component from your freebsd-update.conf.

It seems that this question arises every time a patch is deployed. Perhaps a small fix is in order?

I propose that bsdinstall modify freebsd-update.conf during the install process so that it reflects which distributions are checked off for installation by the user. Basically, if the user unchecks src, it is commented out or removed from the configuration file.

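The adjustment proposed in the message above, sketched as an added example; this is not bsdinstall code and not from any poster in the thread. It assumes the configuration uses a `Components` line such as `Components src world kernel`, and the test for an installed source tree (a `Makefile` in the source directory) is a hypothetical heuristic.

```shell
#!/bin/sh
# Added example: keep the Components line of a freebsd-update.conf in step
# with whether a source tree is installed. Paths are parameters so the
# functions can be tried on a copy of the file.

# components_without CONF NAME: print CONF with component NAME and its
# sub-components (NAME/...) removed from the active Components line.
# Commented-out lines and every other setting pass through unchanged.
components_without() {
    awk -v drop="$2" '
        $1 == "Components" {
            out = $1
            for (i = 2; i <= NF; i++)
                if ($i != drop && index($i, drop "/") != 1)
                    out = out " " $i
            print out
            next
        }
        { print }
    ' "$1"
}

# src_installed DIR: hypothetical heuristic, true if DIR holds a source tree.
src_installed() {
    [ -f "$1/Makefile" ]
}

# sync_components CONF SRCDIR: drop src from CONF when SRCDIR is not populated.
# The file is overwritten in place so its owner and mode are preserved.
sync_components() {
    conf=$1
    srcdir=$2
    if src_installed "$srcdir"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    if components_without "$conf" src > "$tmp"; then
        cat "$tmp" > "$conf"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample configuration, rewritten against a missing source tree.
demo=$(mktemp -d)
printf '%s\n' '# Components src world kernel' \
    'Components src world kernel' > "$demo/freebsd-update.conf"
sync_components "$demo/freebsd-update.conf" "$demo/usr-src"
cat "$demo/freebsd-update.conf"
rm -rf "$demo"
```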
From owner-freebsd-security@FreeBSD.ORG Tue Mar 3 13:31:31 2015
From: Slawa Olhovchenkov
To: Dag-Erling Smorgrav
Cc: freebsd-security, Xin Li, Bartek Rutkowski, so@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:05.bind
Date: Tue, 3 Mar 2015 16:31:19 +0300

On Tue, Mar 03, 2015 at 09:53:11AM +0100, Dag-Erling Smorgrav wrote:
> Slawa Olhovchenkov writes:
> > Do you plan to fix it?
>
> It's not a bug. Remove the src component from your freebsd-update.conf.

I see the same message for my setup (track -STABLE) for base component.

From owner-freebsd-security@FreeBSD.ORG Thu Mar 5 11:13:05 2015
From: Erik Cederstrand
To: "freebsd-security@freebsd.org"
Subject: Missing #defines in /usr/include/gssapi/gssapi.h?
Date: Thu, 5 Mar 2015 12:11:52 +0100

Hello list,

Currently, installing the Python gssapi module (sudo pip install python-gssapi) fails (on FreeBSD 10.1, at least) because a lot of #defines are missing from /usr/include/gssapi/gssapi.h (installed from /usr/src/include/gssapi/gssapi.h) compared to /usr/src/crypto/heimdal/lib/gssapi/gssapi/gssapi.h, e.g.:

#define GSS_C_AF_INET6 24

Is there any reason these #defines are not present? Adding the missing ones lets the python-gssapi installation complete.

Thanks,
Erik

From owner-freebsd-security@FreeBSD.ORG Thu Mar 5 11:53:52 2015
From: Dag-Erling Smørgrav
To: Slawa Olhovchenkov
Cc: freebsd-security, Xin Li, Bartek Rutkowski, so@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:05.bind
Date: Thu, 05 Mar 2015 12:53:35 +0100

Slawa Olhovchenkov writes:
> I see the same message for my setup (track -STABLE) for base component.

You can't run freebsd-update on a system that tracks -STABLE (i.e. is built from source).

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Mar 5 12:30:48 2015
From: Slawa Olhovchenkov
To: Dag-Erling Smorgrav
Cc: freebsd-security, Xin Li, Bartek Rutkowski, so@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:05.bind
Date: Thu, 5 Mar 2015 15:30:40 +0300

On Thu, Mar 05, 2015 at 12:53:35PM +0100, Dag-Erling Smorgrav wrote:
> Slawa Olhovchenkov writes:
> > I see the same message for my setup (track -STABLE) for base component.
>
> You can't run freebsd-update on a system that tracks -STABLE (i.e. is
> built from source).

No, I don't run freebsd-update on a system that tracks -STABLE. I run freebsd-update FOR tracking -STABLE (I have a private freebsd-update-server and build updates to -STABLE for freebsd-update).

From owner-freebsd-security@FreeBSD.ORG Thu Mar 5 16:11:18 2015
From: Benjamin Kaduk
To: Erik Cederstrand
Cc: "freebsd-security@freebsd.org"
Subject: Re: Missing #defines in /usr/include/gssapi/gssapi.h?
Date: Thu, 5 Mar 2015 11:10:47 -0500 (EST)

On Thu, 5 Mar 2015, Erik Cederstrand wrote:
> Hello list,
>
> Currently, installing the Python gssapi module (sudo pip install python-gssapi) fails (on FreeBSD 10.1, at least) because a lot of #defines are missing from /usr/include/gssapi/gssapi.h (installed from /usr/src/include/gssapi/gssapi.h) compared to /usr/src/crypto/heimdal/lib/gssapi/gssapi/gssapi.h, e.g.:
>
> #define GSS_C_AF_INET6 24
>
> Is there any reason these #defines are not present? Adding the missing ones lets the python-gssapi installation complete.

No value has been assigned to the symbol GSS_C_AF_INET6 in a standards-track IETF document, so one might argue that its absence is the correct behavior, as unfortunate as that may be. Apparently it has been in the Heimdal tree since 1999, though (!). Since FreeBSD is basically stuck with the Heimdal implementation for POLA reasons, it would probably be okay to synchronize the installed version with Heimdal's version.

My understanding was that python-gssapi was intended to support both Heimdal and MIT implementations, so given that MIT (correctly) does not provide a GSS_C_AF_INET6 symbol, I am somewhat surprised that python-gssapi cannot cope with its absence.

-Ben Kaduk

From owner-freebsd-security@FreeBSD.ORG Fri Mar 6 01:23:35 2015
From: Benjamin Kaduk
To: Erik Cederstrand
Cc: "freebsd-security@freebsd.org"
Subject: Re: Missing #defines in /usr/include/gssapi/gssapi.h?
Date: Thu, 5 Mar 2015 20:18:22 -0500 (EST)

On Thu, 5 Mar 2015, Benjamin Kaduk wrote:
> My understanding was that python-gssapi was intended to support both
> Heimdal and MIT implementations, so given that MIT (correctly) does not
> provide a GSS_C_AF_INET6 symbol, I am somewhat surprised that
> python-gssapi cannot cope with its absence.

Furthermore, the best current practice is to not pass addresses in the supplied channel bindings, since that breaks traffic through NATs, etc. So there does not seem to be a good reason to want to use GSS_C_AF_INET6 anyway.

-Ben
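
The header comparison described in Erik Cederstrand's message earlier in this thread can be reproduced with a short script. This is an added example, not code from anyone in the thread; the two sample headers are constructed, and on a real system the arguments would be the two gssapi.h paths quoted in that message.

```shell
#!/bin/sh
# Added example: list the macros a reference header #defines that an
# installed header does not.

# define_names FILE: print the sorted, unique names of macros defined in FILE.
# Only lines that begin with "#define" (optional whitespace allowed) count,
# so a define commented out on its own line is ignored. A define sitting at
# the start of a line inside a multi-line comment would still be listed.
define_names() {
    LC_ALL=C sed -n \
        's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p' \
        "$1" | LC_ALL=C sort -u
}

# missing_defines INSTALLED REFERENCE: names defined only in REFERENCE.
missing_defines() {
    inst=$(mktemp) || return 1
    ref=$(mktemp) || { rm -f "$inst"; return 1; }
    define_names "$1" > "$inst"
    define_names "$2" > "$ref"
    LC_ALL=C comm -13 "$inst" "$ref"
    rm -f "$inst" "$ref"
}

# write_sample_headers DIR: constructed stand-ins for the two headers.
# GSS_C_AF_INET6 24 is the value quoted in the thread; GSS_C_AF_EXAMPLE is
# a made-up name that only appears inside a comment.
write_sample_headers() {
    cat > "$1/installed.h" <<'EOF'
#define GSS_C_AF_INET 2
#define GSS_C_AF_NULLADDR 255
EOF
    cat > "$1/reference.h" <<'EOF'
#define GSS_C_AF_INET 2
#  define GSS_C_AF_INET6 24
#define GSS_C_AF_NULLADDR 255
/* #define GSS_C_AF_EXAMPLE 99 */
EOF
}

demo=$(mktemp -d)
write_sample_headers "$demo"
missing_defines "$demo/installed.h" "$demo/reference.h"
rm -rf "$demo"
```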