From owner-freebsd-security@freebsd.org Mon Jul 6 02:10:01 2015
From: cfp@ruxcon.org.au
To: freebsd-security@freebsd.org
Subject: Ruxcon 2015 Final Call For Presentations
Date: Mon, 06 Jul 2015 02:04:30 +0000
Message-Id: <20150706020430.6E0B411025@ruxcon.org.au>

Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015. This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre, Melbourne, Australia.

The deadline for submissions is the 15th of September, 2015.

.[x]. About Ruxcon .[x].

Ruxcon is a premier technical computer security conference in Australia. The conference aims to bring together the individual talents of the best and brightest security folk in the region, through live presentations, activities and demonstrations.

The conference is held over two days in a relaxed atmosphere, allowing attendees to enjoy themselves whilst networking within the community and expanding their knowledge of security.

Live presentations and activities will cover a full range of defensive and offensive security topics, varying from previously unpublished research to required reading for the security community.

.[x]. Important Dates .[x].

September 30 - Final Call For Presentations Close
October 22-23 - Breakpoint Conference
October 24-25 - Ruxcon Conference

.[x]. Topic Scope .[x].

Topics of interest include, but are not limited to:

o Mobile Device Security
o Virtualization, Hypervisor, and Cloud Security
o Malware Analysis
o Reverse Engineering
o Exploitation Techniques
o Rootkit Development
o Code Analysis
o Forensics and Anti-Forensics
o Embedded Device Security
o Web Application Security
o Network Traffic Analysis
o Wireless Network Security
o Cryptography and Cryptanalysis
o Social Engineering
o Law Enforcement Activities
o Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)

.[x]. Submission Guidelines .[x].

In order for us to process your submission we require the following information:

1. Presentation title
2. Detailed summary of your presentation material
3. Name/Nickname
4. Mobile phone number
5. Brief personal biography
6. Description of any demonstrations involved in the presentation
7. Information on where the presentation material has or will be presented before Ruxcon

To submit a presentation please use our submission form: http://goo.gl/WXNBvr

* As a general guideline, Ruxcon presentations are between 45 and 60 minutes, including question time.

.[x]. Contact .[x].
o Email: presentations@ruxcon.org.au
o Twitter: @ruxcon

From owner-freebsd-security@freebsd.org Tue Jul 7 23:25:49 2015
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:11.bind
Reply-To: freebsd-security@freebsd.org
Date: Tue, 7 Jul 2015 23:25:49 +0000 (UTC)
Message-Id: <20150707232549.4D7A31B0D@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-15:11.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND resolver remote denial of service when validating

Category:       contrib
Module:         bind
Announced:      2015-07-07
Credits:        ISC
Affects:        FreeBSD 8.4 and FreeBSD 9.3.
Corrected:      2015-07-07 21:43:23 UTC (stable/9, 9.3-STABLE)
                2015-07-07 21:44:01 UTC (releng/9.3, 9.3-RELEASE-p19)
                2015-07-07 21:43:23 UTC (stable/8, 8.4-STABLE)
                2015-07-07 21:44:01 UTC (releng/8.4, 8.4-RELEASE-p33)
CVE Name:       CVE-2015-4620

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocol. The named(8) daemon is an Internet Domain Name Server. The libdns library is a library of DNS protocol support functions.

II.  Problem Description

Due to a software defect, specially constructed zone data could cause named(8) to crash with an assertion failure, rather than rejecting the malformed query, when DNSSEC validation is enabled.

III. Impact

An attacker who can cause specific queries to be sent to a nameserver could cause named(8) to crash, resulting in a denial of service.

IV.  Workaround

No workaround is available, but hosts not running named(8) are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:11/bind-9.patch
# fetch https://security.FreeBSD.org/patches/SA-15:11/bind-9.patch.asc
# gpg --verify bind-9.patch.asc

[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:11/bind-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:11/bind-8.patch.asc
# gpg --verify bind-8.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r285257
releng/8.4/                                                       r285258
stable/9/                                                         r285257
releng/9.3/                                                       r285258
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@freebsd.org Wed Jul 8 16:29:44 2015
From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:11.bind
Date: Wed, 08 Jul 2015 11:29:21 -0500
Message-Id: <1436372961.2331021.318495625.381B9FCC@webmail.messagingengine.com>
In-Reply-To: <20150707232549.4D7A31B0D@freefall.freebsd.org>

On Tue, Jul 7, 2015, at 18:25, FreeBSD Security Advisories wrote:
>
> IV. Workaround
>
> No workaround is available, but hosts not running named(8) are not
> vulnerable.
>

Why is no workaround available? Can't you just disable DNSSEC validation?

dnssec-enable no;
dnssec-validation no;

In fact, don't they have to be explicitly enabled anyway?
From owner-freebsd-security@freebsd.org Wed Jul 8 17:28:01 2015
From: Dan Lukes
Reply-To: freebsd-security
To: Mark Felder
CC: freebsd-security
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:11.bind
Date: Wed, 08 Jul 2015 19:27:56 +0200
Message-ID: <559D5D9C.2020709@obluda.cz>
In-Reply-To: <1436372961.2331021.318495625.381B9FCC@webmail.messagingengine.com>

On 07/08/15 18:29, Mark Felder:
>> IV. Workaround
>>
>> No workaround is available, but hosts not running named(8) are not
>> vulnerable.
> Why is no workaround available? Can't you just disable DNSSEC
> validation?
>
> dnssec-enable no;
> dnssec-validation no;

Well, it depends ...

If someone is running DNSSEC validation, then turning it off is no solution.

You may claim either "turn off named" or "power off the computer" to be an available workaround ...

Just my $0.02

Dan

From owner-freebsd-security@freebsd.org Wed Jul 8 17:49:14 2015
From: Mark Felder
To: freebsd-security
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:11.bind
Date: Wed, 08 Jul 2015 12:49:12 -0500
Message-Id: <1436377752.2351289.318560673.25707A63@webmail.messagingengine.com>
In-Reply-To: <559D5D9C.2020709@obluda.cz>

On Wed, Jul 8, 2015, at 12:27, Dan Lukes wrote:
> On 07/08/15 18:29, Mark Felder:
> >> IV. Workaround
> >>
> >> No workaround is available, but hosts not running named(8) are not
> >> vulnerable.
> > Why is no workaround available? Can't you just disable DNSSEC
> > validation?
> >
> > dnssec-enable no;
> > dnssec-validation no;
>
> Well, it depends ...
>
> If someone is running DNSSEC validation, then turning it off is no
> solution.
>
> You may claim either "turn off named" or "power off the computer" to be
> an available workaround ...
>

DNSSEC is not a requirement to run a DNS resolver. We have pointed out when you're not affected in other entries:

https://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc

> IV. Workaround
>
> No workaround is available, but systems that do not use OpenSSL to implement
> the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> protocols implementation and do not use the ECDSA implementation from OpenSSL
> are not vulnerable.

or look at this ipv6 entry:

https://www.freebsd.org/security/advisories/FreeBSD-SA-15:09.ipv6.asc

> IV. Workaround
>
> Only systems that are manually configured to use "accept_rtadv"
> ifconfig(8) flag on an interface are affected.

"No workaround is available, but only systems that are manually configured to enable DNSSEC validation are affected." would be a reasonable statement.

From owner-freebsd-security@freebsd.org Wed Jul 8 18:34:31 2015
From: Mel Pilgrim
To: Mark Felder, freebsd-security
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:11.bind
Date: Wed, 8 Jul 2015 11:34:12 -0700
Message-ID: <559D6D24.6000709@bluerosetech.com>
In-Reply-To: <1436377752.2351289.318560673.25707A63@webmail.messagingengine.com>

On 2015-07-08 10:49, Mark Felder wrote:
> DNSSEC is not a requirement to run a DNS resolver.

It is a requirement if you're using DANE or other technologies where the trust model relies on authenticated DNS.

I've always understood the term "workaround" to mean "mitigate the problem without a loss of feature/functionality". Because "turn off DNSSEC" doesn't universally meet that definition, it's not really a workaround.

For example, a workaround for vulnerabilities in the base BIND that's already fixed in ports is to disable the in-base version and install the port.
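The thread above comes down to two questions a defender has to answer per host: is the installed release at or past the patch level the advisory's "Corrected:" field lists (9.3-RELEASE-p19, 8.4-RELEASE-p33), and does this host run named(8) with DNSSEC validation switched on at all. The following Python script is an added example of mine, not code from the advisory, from any poster, or from the FreeBSD project; it combines both checks. The version strings and the two named.conf fragments are constructed samples, and the config parser only looks for an explicit `dnssec-validation` statement (treating `yes` and `auto` as "validation enabled") after stripping the three comment styles named.conf accepts, so a commented-out line cannot count. When the option is absent it deliberately reports "unknown", because the default is version dependent and the thread leaves that question open.

```python
import re
from typing import Optional, Set, Tuple

# Corrected patch levels, taken from the "Corrected:" field of
# FreeBSD-SA-15:11.bind: releng/9.3 -> 9.3-RELEASE-p19, releng/8.4 -> 8.4-RELEASE-p33.
CORRECTED_PATCH_LEVEL = {"9.3": 19, "8.4": 33}

_RELEASE_RE = re.compile(r"^(\d+\.\d+)-RELEASE(?:-p(\d+))?$")
# Comment forms accepted by named.conf: C-style blocks, C++-style and shell-style lines.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
_VALIDATION_RE = re.compile(r"\bdnssec-validation\s+(yes|no|auto)\s*;", re.IGNORECASE)


def parse_release(version: str) -> Optional[Tuple[str, int]]:
    """'9.3-RELEASE-p18' -> ('9.3', 18); a bare '9.3-RELEASE' is patch level 0.
    Returns None for non-RELEASE builds such as '9.3-STABLE', where patch levels
    do not exist and the advisory's correction date/revision must be used instead."""
    m = _RELEASE_RE.match(version.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2) or 0)


def is_patched(version: str) -> Optional[bool]:
    """True/False if the release is at-or-past/below the corrected patch level,
    None if it is not a RELEASE build or not a release the advisory lists."""
    parsed = parse_release(version)
    if parsed is None or parsed[0] not in CORRECTED_PATCH_LEVEL:
        return None
    release, patch = parsed
    return patch >= CORRECTED_PATCH_LEVEL[release]


def dnssec_validation_settings(named_conf: str) -> Set[str]:
    """Every explicit 'dnssec-validation' value (yes/no/auto) in the config,
    collected after comments are removed so a commented-out line cannot count.
    Limitation: per-view statements are collected together with the global one."""
    return {v.lower() for v in _VALIDATION_RE.findall(_COMMENT_RE.sub("", named_conf))}


def assess_sa_15_11(version: str, named_conf: Optional[str]) -> str:
    """One-line verdict for a host. named_conf is the text of its named.conf,
    or None when named(8) is not run there at all."""
    if named_conf is None:
        return "not affected: named(8) is not run on this host"
    parsed = parse_release(version)
    if parsed is None:
        return "unknown: not a RELEASE build; compare the source tree with the correction revision"
    if parsed[0] not in CORRECTED_PATCH_LEVEL:
        return "not affected: release is not listed in the advisory"
    if is_patched(version):
        return "not affected: at or past the corrected patch level"
    settings = dnssec_validation_settings(named_conf)
    if settings & {"yes", "auto"}:
        return "affected: DNSSEC validation is enabled and the fix is not installed"
    if settings == {"no"}:
        return "fix not installed, but validation is explicitly off; the advisory's crash needs validation enabled"
    return "unknown: dnssec-validation is not set explicitly; the default depends on the BIND version"


# Constructed sample configurations (not taken from the page).
NAMED_CONF_VALIDATING = """
options {
    directory "/etc/namedb/working";
    listen-on { 127.0.0.1; };
    dnssec-enable yes;
    dnssec-validation auto;   # validating resolver
    /* recursion yes; */
};
"""

NAMED_CONF_OFF = """
options {
    directory "/etc/namedb/working";
    // dnssec-validation yes;   <- commented out, must not count
    dnssec-validation no;
};
"""

if __name__ == "__main__":
    for ver, conf in [("9.3-RELEASE-p18", NAMED_CONF_VALIDATING),
                      ("9.3-RELEASE-p19", NAMED_CONF_VALIDATING),
                      ("8.4-RELEASE-p32", NAMED_CONF_OFF),
                      ("10.1-RELEASE-p13", NAMED_CONF_VALIDATING),
                      ("9.3-RELEASE-p18", None)]:
        print(f"{ver:18} -> {assess_sa_15_11(ver, conf)}")
```

Two caveats when feeding this real data: the string reported by the running kernel can lag behind userland after a binary update that touched only userland files, as the bind fix does, so take the version from something that reflects the installed userland rather than the booted kernel; and a `dnssec-validation no;` result is "not currently triggerable", not "fixed", so the patch still belongs on the host.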
From owner-freebsd-security@freebsd.org Thu Jul 9 06:06:10 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AA6FB99567D for ; Thu, 9 Jul 2015 06:06:10 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0A4D01E1D; Thu, 9 Jul 2015 06:06:09 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t695eRZx028337; Thu, 9 Jul 2015 15:40:28 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Thu, 9 Jul 2015 15:40:27 +1000 (EST) From: Ian Smith To: Mark Felder cc: freebsd-security Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:11.bind In-Reply-To: <1436377752.2351289.318560673.25707A63@webmail.messagingengine.com> Message-ID: <20150709152004.G70511@sola.nimnet.asn.au> References: <20150707232549.4D7A31B0D@freefall.freebsd.org> <1436372961.2331021.318495625.381B9FCC@webmail.messagingengine.com> <559D5D9C.2020709@obluda.cz> <1436377752.2351289.318560673.25707A63@webmail.messagingengine.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Jul 2015 06:06:10 -0000 On Wed, 8 Jul 2015 12:49:12 -0500, Mark Felder wrote: > "No workaround is available, but only systems that are manually > configured to enable DNSSEC validation are affected." would be a > reasonable statement. Agreed. 
DNSSEC may become mandatory, and while surely 'best practice', it's not yet required and many resolvers are not yet DNSSEC configured. cheers, Ian From owner-freebsd-security@freebsd.org Thu Jul 9 16:16:11 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1F0D19969E9 for ; Thu, 9 Jul 2015 16:16:11 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [IPv6:2a01:4f8:131:60a2::2]) by mx1.freebsd.org (Postfix) with ESMTP id DC1071B36 for ; Thu, 9 Jul 2015 16:16:10 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from [127.0.0.1] (unknown [89.113.128.32]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPSA id E51EE12DC for ; Thu, 9 Jul 2015 19:16:01 +0300 (MSK) Message-ID: <559E9E3E.7050709@FreeBSD.org> Date: Thu, 09 Jul 2015 19:15:58 +0300 From: Lev Serebryakov Reply-To: lev@FreeBSD.org Organization: FreeBSD User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: "freebsd-security@freebsd.org" Subject: FreeBSD + Yubikey NEO in OATH-HOTP mode? Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Jul 2015 16:16:11 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Does somebody succeed to setup FreeBSD for usage with Yubikey NEO token without Yubico authentication service, with OATH-HOTP? 
- -- // Lev Serebryakov -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQJ8BAEBCgBmBQJVnp4+XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EeP9kQP/RdOqWCRxEQFVUCH/PrbHaEt dgFGk4Y50jG2HzGXodKtdVXJ6+YIry24v/w23Ba9Z3MqOuOOX8FCfF0dTATCDGVP La+HCai+ggT+KcZl3phUu6nuG6ucI4rPmSvwotQjqSdFYoGrwp2GqaL6PMwtpD3L CETZnJrCH2+vl5FFeMdb0C6NwzwSFWQNvBiKfmi7Hnc3a+EA5i2KEQE1zIQHqX+N 7aw7ncn2BUOvPpgCvqFFqmuvM9y21pJu6yLuLtLaqU2s2D5+UX8OnTTTObwadnd0 LndlK0TKCDwHFiqBnbZIWrwQNLVKw7q4MXQFA3EbhforYtgvX/XpkqtSl1yzuohY dAkaUXND+Na1dz0MrJqqdnD9lPjJg9JkMbtZCTxVTHZK1x4KnSi4cK4J2i3kgepx OxtNR6T6kfeNrwF4Tph8GoM3Q/Vn9w5XMNj1ZjTQyMHCui7ip6h99UzHT+cUNG/i Ke69TqpJ1k1GXTJVORgAbynwaciEXCTfzul0BCOWufO/kwp5Z5QcPf6QaNnr51XS iE7N0Y7gQr+ZkdqaN+VbN2PaGi9wb4yTGDD281SKH93JgxejzAOGZG80H5izLDtu 7OsJvDHG3WNTL5UE6LEY4dCQpiTbddvgsoqwGZtdApGqp+N5hBlDF/k6vq1J+nHA fo2DXanU3Lr74XgVAFOJ =mC8W -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Thu Jul 9 16:20:53 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8E438996B45 for ; Thu, 9 Jul 2015 16:20:53 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 64FA81D05 for ; Thu, 9 Jul 2015 16:20:53 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 461E320794 for ; Thu, 9 Jul 2015 12:20:52 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute5.internal (MEProxy); Thu, 09 Jul 2015 12:20:52 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= 
messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=8XGtNKIzN5F1ox7 puS7S/IE9JrY=; b=ZEBuqC4s/7z0McDtcYxUIOtNfszIqEwU9fo8Ev3un/vJKu+ whKE9d15qIg8Snlo2YXxB1KVmHGKor3Qb0L6OBAhRsnKndfFf2LQTFD7Eq1N/+tw nF6FW1IexT3h1+0uYndC+olySYgt0Of1Sk2t+yp6cyryiEq681H7F7qlz680= Received: by web3.nyi.internal (Postfix, from userid 99) id 02B6E104285; Thu, 9 Jul 2015 12:20:51 -0400 (EDT) Message-Id: <1436458851.3436254.319593905.74B45600@webmail.messagingengine.com> X-Sasl-Enc: 3IqiB4lDlftEYIf2TueyfnWpFQq0dFv9MHLqwJOzXgcI 1436458851 From: Mark Felder To: Lev Serebryakov , freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-bfc056ae Subject: Re: FreeBSD + Yubikey NEO in OATH-HOTP mode? Date: Thu, 09 Jul 2015 11:20:51 -0500 In-Reply-To: <559E9E3E.7050709@FreeBSD.org> References: <559E9E3E.7050709@FreeBSD.org> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Jul 2015 16:20:53 -0000 On Thu, Jul 9, 2015, at 11:15, Lev Serebryakov wrote: > > Does somebody succeed to setup FreeBSD for usage with Yubikey NEO > token without Yubico authentication service, with OATH-HOTP? > What have you tried so far? 
I don't do the offline auth, but this seems to be documented well in ykpamcfg(1) From owner-freebsd-security@freebsd.org Thu Jul 9 16:47:16 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C42CB99720D for ; Thu, 9 Jul 2015 16:47:16 +0000 (UTC) (envelope-from jungleboogie0@gmail.com) Received: from mail-ig0-x22b.google.com (mail-ig0-x22b.google.com [IPv6:2607:f8b0:4001:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 8AEFF32B9; Thu, 9 Jul 2015 16:47:16 +0000 (UTC) (envelope-from jungleboogie0@gmail.com) Received: by igrv9 with SMTP id v9so227928296igr.1; Thu, 09 Jul 2015 09:47:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JzgMnrGCAj+3SrwD+chh6FJ29Klu/PacnRa0LGXx7/g=; b=OedkcUGY6gJ6TplJ9owQ4YvRhqwLZ/u35s+lpAtyJ+fc0mezm8lsm6RiD+0KbAIJAe qpnEOin32AC9zdq2d9RJQXztVWUv3UBOzIA5053g5J6NOub+QJErQGiF9M/KLcBAn7uX u6Z2nWT0ALOLtpCQ2XercJYLc2X1hRIIjErLj6KZHgZf0pq8mhDbEEwnh7qX1bZUV9lG ix2uLbFaHDK7CA7LKztQ7aQqmz4uNTIPSuUIBoAt+baIkxHv8Fz6bh6Kjp0WTbpe93u7 MsFheKoJjSMATsL9KK5H13n4ZA9Mj+J4Mu/QCs4ZbNNq78NqPrvQM0OoPN0P5GyeUNFc OGjA== MIME-Version: 1.0 X-Received: by 10.107.19.193 with SMTP id 62mr28459825iot.26.1436460435795; Thu, 09 Jul 2015 09:47:15 -0700 (PDT) Received: by 10.79.74.130 with HTTP; Thu, 9 Jul 2015 09:47:15 -0700 (PDT) In-Reply-To: <559E9E3E.7050709@FreeBSD.org> References: <559E9E3E.7050709@FreeBSD.org> Date: Thu, 9 Jul 2015 09:47:15 -0700 Message-ID: Subject: Re: FreeBSD + Yubikey NEO in OATH-HOTP mode? 
From: jungle Boogie
To: lev@freebsd.org
Cc: freebsd-security@freebsd.org
X-List-Received-Date: Thu, 09 Jul 2015 16:47:16 -0000

Hi,

On 9 July 2015 at 09:15, Lev Serebryakov wrote:
> Does somebody succeed to setup FreeBSD for usage with Yubikey NEO
> token without Yubico authentication service, with OATH-HOTP?

I don't have the NEO, but it works, at least, with OpenSSH. See the
comments in this blog post:
http://sysconfig.org.uk/two-factor-authentication-with-ssh.html

And this blog post discussing the NEO with a password manager called pass:
https://drupalwatchdog.com/blog/2015/6/yubikey-neo-and-better-password-manager-pass

-- 
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si

From owner-freebsd-security@freebsd.org Thu Jul 9 16:55:35 2015
From: Lev Serebryakov
To: Mark Felder, freebsd-security@freebsd.org
Date: Thu, 09 Jul 2015 19:55:25 +0300
Subject: Re: FreeBSD + Yubikey NEO in OATH-HOTP mode?

On 09.07.2015 19:20, Mark Felder wrote:
>> Does somebody succeed to setup FreeBSD for usage with Yubikey
>> NEO token without Yubico authentication service, with OATH-HOTP?
>
> What have you tried so far? I don't do the offline auth, but this
> seems to be documented well in ykpamcfg(1)

ykpamcfg(1) documents challenge-response, which is for local usage, as it
needs two-way communication with the token.

I'm trying to install security/oath-toolkit but I don't understand which
parameters in the user file are right for the Yubikey.

-- 
// Lev Serebryakov
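An added example, not code from the thread, from oath-toolkit or from pam_yubico, showing what an offline OATH-HOTP verifier of the kind Lev is configuring actually computes: the RFC 4226 HOTP function, and the counter look-ahead a validator needs because a hardware token advances its counter on every press whether or not the code reaches the server. The secret is the RFC 4226 test-vector key, and the window of 20 steps is a constructed choice, not a value taken from any of the tools named above.

```python
"""RFC 4226 HOTP: code generation and counter-window verification.

Added example, not code from oath-toolkit, pam_yubico or the thread. The
secret below is the RFC 4226 test-vector key, not a real token secret.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) as defined in RFC 4226 section 5.3 (HMAC-SHA-1)."""
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, expected_counter: int, code: str,
                window: int = 20, digits: int = 6) -> Optional[int]:
    """Check `code` against counters expected_counter .. expected_counter+window-1.

    A hardware token increments its counter on every press whether or not the
    code reaches the verifier, so an offline verifier must look ahead a bounded
    number of steps to resynchronise. Returns the counter to store for the next
    check (one past the matched value), or None on failure. Counters below
    expected_counter are never accepted, which is what makes a captured code
    useless once a later one has been used.
    """
    if len(code) != digits or not code.isdigit():
        return None
    for c in range(expected_counter, expected_counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


RFC4226_SECRET = b"12345678901234567890"   # RFC 4226 appendix D test key


def demo() -> List[Tuple[str, Optional[int]]]:
    """Walk through the sequence an offline validator would see."""
    stored = 0
    events = []
    # Token pressed once, code presented: accepted, stored counter moves to 1.
    stored = verify_hotp(RFC4226_SECRET, stored, hotp(RFC4226_SECRET, 0))
    events.append(("accept counter 0", stored))
    # Three presses never reached the server, fourth presented: resync inside the window.
    stored = verify_hotp(RFC4226_SECRET, stored, hotp(RFC4226_SECRET, 4))
    events.append(("resync to counter 4", stored))
    # The code from counter 0 replayed: rejected, it is behind the stored counter.
    events.append(("replay counter 0",
                   verify_hotp(RFC4226_SECRET, stored, hotp(RFC4226_SECRET, 0))))
    # A press far beyond the window: rejected until the token is resynchronised.
    events.append(("counter 40, window 20",
                   verify_hotp(RFC4226_SECRET, stored, hotp(RFC4226_SECRET, 40))))
    return events


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:24} -> {result}")
```

Relating this to the user file: as far as I know, oath-toolkit's users file takes the shared secret in hex and records the per-user counter after each successful login, and a Yubikey can be programmed for either 6- or 8-digit OATH-HOTP (hence the `digits` parameter). Assuming the token was programmed with its counter at 0, comparing the first code it emits with `hotp(bytes.fromhex(secret), 0)` is a quick way to confirm that the same secret and digit count were programmed on both sides before wiring the module into sshd.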
From owner-freebsd-security@freebsd.org Thu Jul 9 17:32:19 2015
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Thu, 9 Jul 2015 17:32:19 +0000 (UTC)
Subject: FreeBSD Security Advisory FreeBSD-SA-15:12.openssl

=============================================================================
FreeBSD-SA-15:12.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL alternate chains certificate forgery vulnerability

Category:       contrib
Module:         openssl
Announced:      2015-07-09
Credits:        Adam Langley/David Benjamin (Google/BoringSSL), OpenSSL
Affects:        FreeBSD 10.1-STABLE after 2015-06-11 and prior to the
                correction date.
Corrected:      2015-07-09 17:17:22 UTC (stable/10, 10.2-PRERELEASE, 10.2-BETA1)
CVE Name:       CVE-2015-1793

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

II.  Problem Description

During certificate verification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails, unless the application explicitly specifies
X509_V_FLAG_NO_ALT_CHAINS. An error in the implementation of this logic
could erroneously mark certificates as trusted when they should not be.

III. Impact

An attacker could cause certain checks on untrusted certificates, such as
the CA (certificate authority) flag, to be bypassed, which would enable
them to use a valid leaf certificate to act as a CA and issue an invalid
certificate.

IV.  Workaround

No workaround is available.

NOTE WELL: This issue does not affect earlier FreeBSD releases, including
the supported 8.4, 9.3 and 10.1-RELEASE because the alternative
certificate chain feature was not introduced in these releases. Only
10.1-STABLE after 2015-06-11 and prior to the correction date is affected.

V.   Solution

Upgrade your vulnerable system to the latest supported FreeBSD stable/10
branch dated after the correction date.

Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons using the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r285330
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
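To make the check the advisory talks about concrete, here is an added example (constructed; not OpenSSL's code and not from the advisory) of a certificate path builder that explores alternative issuer candidates the way the alternative-chains feature does, while applying the CA-flag check on every branch rather than only on the first one tried. Signature verification is stood in for by matching key identifiers so it runs offline; every certificate name and key identifier below is made up.

```python
"""Constructed model of X.509 chain building with alternative chains.

Added example: this is not OpenSSL's code. Signatures are stood in for by
key identifiers so the example runs offline; a real validator verifies the
issuer's signature over the certificate instead.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    key: str          # identifier of the public key in the certificate
    issuer: str       # subject of the certificate that signed this one
    signing_key: str  # key that produced the signature (stand-in for the signature)
    is_ca: bool       # basicConstraints CA flag


def candidate_issuers(cert: Cert, available: List[Cert]) -> List[Cert]:
    """Certificates whose name and key match the signature on `cert`.

    Several may match when an intermediate is cross-signed: same subject and
    key, different issuers. Each one is a possible branch of the chain."""
    return [c for c in available
            if c.subject == cert.issuer and c.key == cert.signing_key]


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                max_depth: int = 8) -> Optional[List[Cert]]:
    """Find a path from `leaf` to a trust anchor, trying every branch.

    The invariant the advisory is about: every certificate used as an issuer,
    on the first path tried or on any alternative, must carry the CA flag.
    Returns the chain leaf-first, or None if no trusted path exists."""
    available = untrusted + trusted

    def walk(chain: List[Cert]) -> Optional[List[Cert]]:
        if len(chain) > max_depth:
            return None
        for issuer in candidate_issuers(chain[-1], available):
            if not issuer.is_ca:
                continue                    # an end-entity cert may never issue
            if issuer in trusted:
                return chain + [issuer]     # reached a trust anchor
            if issuer in chain:
                continue                    # loop guard
            found = walk(chain + [issuer])
            if found is not None:
                return found
        return None

    return walk([leaf])


def subjects(chain: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if chain is None else [c.subject for c in chain]


# Constructed certificates (no real PKI behind these names or keys).
ROOT = Cert("Root CA", "k-root", "Root CA", "k-root", True)
OLD_ROOT = Cert("Old Root", "k-old", "Old Root", "k-old", True)   # not trusted here
INTER_VIA_OLD = Cert("Inter CA", "k-inter", "Old Root", "k-old", True)
INTER_VIA_ROOT = Cert("Inter CA", "k-inter", "Root CA", "k-root", True)
SITE = Cert("www.example.test", "k-site", "Inter CA", "k-inter", False)
# A certificate "issued" by the site's leaf certificate: the forgery case.
ROGUE = Cert("login.example.test", "k-rogue", "www.example.test", "k-site", False)


def demo():
    trusted = [ROOT]
    # Peer sent the intermediate cross-signed by the old root; the other
    # cross-sign sits in the local untrusted store. The first branch
    # dead-ends, the alternative reaches the trust anchor.
    ok = build_chain(SITE, [SITE, INTER_VIA_OLD, INTER_VIA_ROOT], trusted)
    # The rogue certificate is rejected: its only issuer candidate is a leaf.
    bad = build_chain(ROGUE, [ROGUE, SITE, INTER_VIA_OLD, INTER_VIA_ROOT], trusted)
    # No alternative available: no trusted path at all.
    none = build_chain(SITE, [SITE, INTER_VIA_OLD], trusted)
    return subjects(ok), subjects(bad), subjects(none)


if __name__ == "__main__":
    print(demo())
```

The first case is the legitimate use of alternative chains (a cross-signed intermediate whose older issuer is no longer trusted); the second is the situation in section III, where a leaf is presented as an issuer and must be rejected on whichever branch it appears.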
From owner-freebsd-security@freebsd.org Thu Jul 9 18:05:29 2015
From: Lev Serebryakov
To: freebsd-security@freebsd.org
Date: Thu, 09 Jul 2015 21:05:26 +0300
Subject: Where 3rd-party PAM modules should be placed?

`security/pam_ssh_agent_auth' installs its PAM module
(pam_ssh_agent_auth.so) into `${LOCALBASE}/lib', but `security/pam_yubico'
and `security/oath-toolkit' install their PAM modules into
`${LOCALBASE}/lib/security'.

And, by default on 10-STABLE, modules from `${LOCALBASE}/lib/security'
can not be loaded by name (without the full path) in a PAM configuration
file.

Which place is correct? I like `${LOCALBASE}/lib/security', but using
full pathnames looks ugly!

-- 
// Lev Serebryakov
From owner-freebsd-security@freebsd.org Thu Jul 9 18:35:54 2015
From: Mark Felder
To: freebsd-security@freebsd.org
Date: Thu, 09 Jul 2015 13:35:52 -0500
Subject: Re: Where 3rd-party PAM modules should be placed?

On Thu, Jul 9, 2015, at 13:05, Lev Serebryakov wrote:
>
> `security/pam_ssh_agent_auth' installs PAM module
> (pam_ssh_agent_auth.so) into `${LOCALBASE}/lib', but
> `security/pam_yubico' and `security/oath-toolkit' install PAM modules
> into `${LOCALBASE}/lib/security'.
>
> And, by default on 10-STABLE, modules from
> `${LOCALBASE}/lib/security' can not be loaded by name (without full
> path) in PAM configuration file.
>
> Which place is correct? I like `${LOCALBASE}/lib/security', but using
> full pathnames looks ugly!
>

pam_google-authenticator also is installed into ${LOCALBASE}/lib

For the record, I've always used full path names in my /etc/pam.d files
to enable additional modules. Being able to use the short names would be
nice.
From owner-freebsd-security@freebsd.org Thu Jul 9 18:58:02 2015
From: Lev Serebryakov
To: Mark Felder, freebsd-security@freebsd.org
Date: Thu, 09 Jul 2015 21:57:58 +0300
Subject: Re: Where 3rd-party PAM modules should be placed?

On 09.07.2015 21:35, Mark Felder wrote:
> For the record, I've always used full path names in my /etc/pam.d
> files to enable additional modules. Being able to use the short
> names would be nice.

pam.conf(5) says:

    The module-path field specifies the name or full path of the module
    to call. If only the name is specified, the PAM library will search
    for it in the following locations:

    1. /usr/lib
    2. /usr/local/lib

-- 
// Lev Serebryakov
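As an added example (not from the thread and not OpenPAM's code), here is the search rule Lev quotes from pam.conf(5) applied to a constructed /etc/pam.d fragment and a constructed set of installed module files that mirrors where the thread says each port installs. It shows why `pam_yubico.so` does not resolve by bare name while the full path and the `${LOCALBASE}/lib` modules do, and what changes if `${LOCALBASE}/lib/security` were on the search list. The module options in the fragment are illustrative only.

```python
"""Resolution of the module-path field of a pam.conf(5)/pam.d entry.

Added example: not OpenPAM's code. It models the rule quoted in the thread
(a bare name is searched in /usr/lib then /usr/local/lib; a path is used as
given) over a constructed set of installed files, so it runs offline.
"""
import posixpath
from typing import Dict, List, Optional, Set

# Search order for bare module names, as quoted from pam.conf(5) in the thread.
PAM_SEARCH_PATH: List[str] = ["/usr/lib", "/usr/local/lib"]

# Constructed layout reflecting where the thread says each port installs
# (pam_unix.so stands in for a base-system module).
INSTALLED: Set[str] = {
    "/usr/lib/pam_unix.so",
    "/usr/local/lib/pam_ssh_agent_auth.so",
    "/usr/local/lib/pam_google_authenticator.so",
    "/usr/local/lib/security/pam_yubico.so",
    "/usr/local/lib/security/pam_oath.so",
}


def resolve_module(module_path: str,
                   installed: Set[str] = INSTALLED,
                   search_path: List[str] = PAM_SEARCH_PATH) -> Optional[str]:
    """Return the file a module-path field resolves to, or None."""
    if "/" in module_path:
        # Anything containing a slash is taken as a path and not searched for.
        return module_path if module_path in installed else None
    for directory in search_path:
        candidate = posixpath.join(directory, module_path)
        if candidate in installed:
            return candidate
    return None


def parse_pam_line(line: str) -> Optional[Dict[str, object]]:
    """Split one entry: function-class, control-flag, module-path, options."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    if len(parts) < 3:
        return None
    return {"type": parts[0], "control": parts[1],
            "module": parts[2], "options": parts[3:]}


def check_pam_fragment(text: str, **kw) -> Dict[str, Optional[str]]:
    """Map every module-path in a pam.d fragment to the file it resolves to."""
    resolved: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        entry = parse_pam_line(line)
        if entry is not None:
            module = str(entry["module"])
            resolved[module] = resolve_module(module, **kw)
    return resolved


# Constructed /etc/pam.d/sshd fragment; module options are illustrative only.
SSHD_FRAGMENT = """\
# auth
auth    required    pam_unix.so         no_warn try_first_pass
auth    required    pam_yubico.so       debug
auth    required    /usr/local/lib/security/pam_oath.so    debug
auth    sufficient  pam_google_authenticator.so
"""

if __name__ == "__main__":
    for module, path in check_pam_fragment(SSHD_FRAGMENT).items():
        print(f"{module:45} -> {path}")
    # The same lookup with ${LOCALBASE}/lib/security appended to the search list:
    wider = PAM_SEARCH_PATH + ["/usr/local/lib/security"]
    print(resolve_module("pam_yubico.so", search_path=wider))
```

A line whose module fails to resolve is the case that bites in practice: the PAM library cannot load the module, and depending on the control flag that can leave the whole stack failing, so checking a pam.d file against the actual search path before restarting sshd is worth the few seconds.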
From owner-freebsd-security@freebsd.org Thu Jul 9 19:40:45 2015
From: Peter Jeremy
To: freebsd-security@freebsd.org
Date: Fri, 10 Jul 2015 05:40:27 +1000
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:12.openssl

On 2015-Jul-09 17:32:19 +0000, FreeBSD Security Advisories wrote:
>NOTE WELL: This issue does not affect earlier FreeBSD releases, including the
>supported 8.4, 9.3 and 10.1-RELEASE because the alternative certificate chain
>feature was not introduced in these releases. Only 10.1-STABLE after
>2015-06-11 and prior to the correction date is affected.

Since this only affects people who build from SVN, it would be useful to
give affected revisions. Based on the given dates, I gather this was
introduced in r284283/r284285 and doesn't affect releng/10.1 because it
wasn't in the r284295 cherry-pick.

-- 
Peter Jeremy
From owner-freebsd-security@freebsd.org Fri Jul 10 00:40:30 2015
From: Robert Simmons
To: freebsd-security@freebsd.org
Date: Thu, 9 Jul 2015 20:40:28 -0400
Subject: Re: FreeBSD + Yubikey NEO in OATH-HOTP mode?

I use security/duo with Yubikeys configured as the token all over the
place. It works flawlessly with sudo, su, openssh-portable, and the OS
openssh.

https://svnweb.freebsd.org/ports/head/security/duo/

On Thu, Jul 9, 2015 at 12:15 PM, Lev Serebryakov wrote:
> Does somebody succeed to setup FreeBSD for usage with Yubikey NEO
> token without Yubico authentication service, with OATH-HOTP?
>
> --
> // Lev Serebryakov