From owner-freebsd-security@freebsd.org Thu Aug 13 20:28:38 2015
Date: Thu, 13 Aug 2015 16:20:08 -0400
From: Mason Loring Bliss
To: freebsd-security@freebsd.org
Cc: info@freebsdfoundation.org
Subject: Quarterly packages and security updates...
Message-ID: <20150813202007.GC4093@blisses.org>
List-Id: "Security issues [members-only posting]"

A recent quarterly report:

https://www.freebsd.org/news/status/report-2015-04-2015-06.html

and last week's BSD Now episode both hint that quarterly packages will be the
default for 10.2. I just looked, and sure enough:

https://svnweb.freebsd.org/base/releng/10.2/etc/pkg/FreeBSD.conf?view=markup

So, my issue here is that I run quarterly branches, and they are awful in
terms of security updates.
With FreeBSD 10.2 imminent, are we expecting users
to install vulnerable versions of things like Firefox right off the bat, and
then wait for whatever fixes exist at the time the next quarterly branch is
cut?

A pkg audit against an up-to-date package set is pretty disappointing:

/usr/ports# pkg audit -F
vulnxml file up-to-date
libvpx-1.4.0 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

libxul-38.1.0 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4493
CVE: CVE-2015-4492
CVE: CVE-2015-4491
CVE: CVE-2015-4490
CVE: CVE-2015-4489
CVE: CVE-2015-4488
CVE: CVE-2015-4487
CVE: CVE-2015-4484
CVE: CVE-2015-4483
CVE: CVE-2015-4482
CVE: CVE-2015-4481
CVE: CVE-2015-4480
CVE: CVE-2015-4479
CVE: CVE-2015-4478
CVE: CVE-2015-4474
CVE: CVE-2015-4473
WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

sox-14.4.2 is vulnerable:
sox -- memory corruption vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/9dd761ff-30cb-11e5-a4a5-002590263bf5.html

subversion-1.8.10_3 is vulnerable:
subversion -- DoS vulnerabilities
CVE: CVE-2014-8108
CVE: CVE-2014-3580
WWW: https://vuxml.FreeBSD.org/freebsd/f5561ade-846c-11e4-b7a7-20cf30e32f6d.html

subversion-1.8.10_3 is vulnerable:
subversion -- DoS vulnerabilities
CVE: CVE-2015-0251
CVE: CVE-2015-0248
CVE: CVE-2015-0202
WWW: https://vuxml.FreeBSD.org/freebsd/8e887b71-d769-11e4-b1c2-20cf30e32f6d.html

subversion-1.8.10_3 is vulnerable:
subversion -- multiple vulnerabilities
CVE: CVE-2015-3187
CVE: CVE-2015-3184
WWW: https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html

firefox-39.0,1 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

firefox-39.0,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4495
WWW: https://vuxml.FreeBSD.org/freebsd/8eee06d4-c21d-4f07-a669-455151ff426f.html

firefox-39.0,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4493
CVE: CVE-2015-4492
CVE: CVE-2015-4491
CVE: CVE-2015-4490
CVE: CVE-2015-4489
CVE: CVE-2015-4488
CVE: CVE-2015-4487
CVE: CVE-2015-4484
CVE: CVE-2015-4483
CVE: CVE-2015-4482
CVE: CVE-2015-4481
CVE: CVE-2015-4480
CVE: CVE-2015-4479
CVE: CVE-2015-4478
CVE: CVE-2015-4477
CVE: CVE-2015-4475
CVE: CVE-2015-4474
CVE: CVE-2015-4473
WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

5 problem(s) in the installed packages found.

--
Mason Loring Bliss     mason@blisses.org     Ewige Blumenkraft!
(if awake 'sleep (aref #(sleep dream) (random 2))) -- Hamlet, Act III, Scene I

From owner-freebsd-security@freebsd.org Thu Aug 13 20:37:40 2015
Date: Thu, 13 Aug 2015 16:37:37 -0400
From: Mason Loring Bliss
To: freebsd-security@freebsd.org
Cc: info@freebsdfoundation.org
Subject: Re: Quarterly packages and security updates...
Message-ID: <20150813203737.GD4093@blisses.org>

On Thu, Aug 13, 2015 at 04:20:08PM -0400, Mason Loring Bliss wrote:

> subversion-1.8.10_3 is vulnerable:

To clarify, I had this one artificially held back. The up to date quarterly
package vulnerability list for Subversion looks like this:

subversion-1.8.13_2 is vulnerable:
subversion -- multiple vulnerabilities
CVE: CVE-2015-3187
CVE: CVE-2015-3184
WWW: https://vuxml.FreeBSD.org/freebsd/57bb5e3d-3c4f-11e5-a4d4-001e8c75030d.html

--
Mason Loring Bliss     mason@blisses.org     Ewige Blumenkraft!
awake ? sleep : random() & 2 ? dream : sleep; -- Hamlet, Act III, Scene I

From owner-freebsd-security@freebsd.org Thu Aug 13 20:40:25 2015
Date: Thu, 13 Aug 2015 20:40:23 +0000
From: Glen Barber
To: Mason Loring Bliss
Cc: freebsd-security@freebsd.org
Subject: Re: Quarterly packages and security updates...
Message-ID: <20150813204023.GJ24069@FreeBSD.org>

[info@ removed, not sure why that
email address was included.]

On Thu, Aug 13, 2015 at 04:20:08PM -0400, Mason Loring Bliss wrote:
> A recent quarterly report:
>
> https://www.freebsd.org/news/status/report-2015-04-2015-06.html
>
> and last week's BSD Now episode both hint that quarterly packages will be the
> default for 10.2. I just looked, and sure enough:
>
> https://svnweb.freebsd.org/base/releng/10.2/etc/pkg/FreeBSD.conf?view=markup
>
> So, my issue here is that I run quarterly branches, and they are awful in
> terms of security updates. With FreeBSD 10.2 imminent, are we expecting users
> to install vulnerable versions of things like Firefox right off the bat, and
> then wait for whatever fixes exist at the time the next quarterly branch is
> cut?
>

The reason this change was made is because the quarterly package set
receives less intrusive updates, but it does still receive security
updates.

This is documented in the 10.2-RELEASE release notes, which also shows
how to change back to the 'latest' branch, if you so desire.
https://www.freebsd.org/releases/10.2R/relnotes.html#releng-changes

Glen

From owner-freebsd-security@freebsd.org Thu Aug 13 21:01:33 2015
Date: Thu, 13 Aug 2015 17:01:29 -0400
From: Mason Loring Bliss
To: Glen Barber
Cc: freebsd-security@freebsd.org
Subject: Re: Quarterly packages and security updates...
Message-ID: <20150813210129.GF4093@blisses.org>

On Thu, Aug 13, 2015 at 08:40:23PM +0000, Glen Barber wrote:

> [info@ removed, not sure why that email address was included.]

I'm hoping for pressure from above, as this is an important step that's
evidently being taken without quarterly branch security being bumped up in
priority. It seems to come as a surprise to many folks, and certainly I
wasn't aware of it until last week. (Also, board@ is now deprecated.)

I think the change to a default quarterly branch a fantastic idea, but
without additional security updates it's got an ugly element of risk
associated with it, too. It will be the default, so as it stands, more folks
will be running vulnerable software.

> The reason this change was made is because the quarterly package set
> receives less intrusive updates, but it does still receive security
> updates.

I included the "pkg audit" output explicitly to demonstrate that there are
some gaping holes that will be deployed starting next week.

> This is documented in the 10.2-RELEASE release notes, which also shows
> how to change back to the 'latest' branch, if you so desire.

As noted, I'm already on the quarterly branches, because I think it's a great
idea generally. Falling back to the high-churn option to get access to
security patches when what you want is a stable environment is an awful idea.

I'm hoping that we do this, but do it right.
I can't see how anyone could find fault with my expressing this concern,
honestly.

--
Mason Loring Bliss   ((  If I have not seen as far as others, it is because
mason@blisses.org     ))  giants were standing on my shoulders. - Hal Abelson

From owner-freebsd-security@freebsd.org Thu Aug 13 21:15:31 2015
Date: Thu, 13 Aug 2015 21:15:29 +0000
From: Glen Barber
To: Mason Loring Bliss
Cc: freebsd-security@freebsd.org
Subject: Re: Quarterly packages and security updates...
Message-ID: <20150813211528.GK24069@FreeBSD.org>

On Thu, Aug 13, 2015 at 05:01:29PM -0400, Mason Loring Bliss wrote:
> On Thu, Aug 13, 2015 at 08:40:23PM +0000, Glen Barber wrote:
>
> > [info@ removed, not sure why that email address was included.]
>
> I'm hoping for pressure from above, as this is an important step that's
> evidently being taken without quarterly branch security being bumped up in
> priority. It seems to come as a surprise to many folks, and certainly I
> wasn't aware of it until last week. (Also, board@ is now deprecated.)
>

"Putting pressure" isn't the role of the Foundation.

Quarterly package builds happen every few days (two, if I remember
correctly), and as I was writing this reply, an updated package set for
10.x i386 was made available.
So the appropriate steps are to contact the committer that resolved
a vulnerable port in the latest branch to remind them to also fix it in
the quarterly branch, and failing that, contact ports-secteam@ (similar
to how one would report an issue in the base system to secteam@).

Glen

From owner-freebsd-security@freebsd.org Fri Aug 14 11:19:09 2015
Message-ID: <1439551130.1961.5.camel@yandex.com>
Subject: rkhunter - GET
From: Stari Karp
To: FreeBSD-Security
Date: Fri, 14 Aug 2015 07:18:50 -0400

Hi!
My system (updated today from FreeBSD 10.1-RELEASE):

FreeBSD 10.2-RELEASE #0 r286666: Wed Aug 12 15:26:37 UTC 2015
root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

I did run rkhunter -c today and I have one warning which I am confused about:

[06:36:50] Warning: The command '/usr/local/bin/GET' has been replaced by a
script: /usr/local/bin/GET: a /usr/local/bin/perl -w script, ASCII text
executable

The file GET has date February 18 and size is 15071

It started with:

#!/usr/local/bin/perl -w

eval 'exec /usr/local/bin/perl -w -S $0 ${1+"$@"}'
    if 0; # not running under some shell

# Simple user agent using LWP library.

=head1 NAME

lwp-request, GET, POST, HEAD - Simple command line user agent

=head1 SYNOPSIS

B [B<-afPuUsSedvhx>] [B<-m> I] [B<-b> I] [B<-t> I]
  [B<-i> I] [B<-c> I] [B<-C> I]
  [B<-p> I] [B<-o> I] I...

=head1 DESCRIPTION

This program can be used to send requests to WWW servers and your
local file system. The request content for POST and PUT
methods is read from stdin. The content of the response is printed on
stdout. Error messages are printed on stderr. The program returns a
status value indicating the number of URLs that failed.

The options are:

=over 4

=item -m

Set which method to use for the request. If this option is not used,
then the method is derived from the name of the program.

=item -f

Force request through, even if the program believes that the method is
illegal. The server might reject the request eventually.

=item -b

This URI will be used as the base URI for resolving all relative URIs
given as argument.

=item -t

Set the timeout value for the requests. The timeout is the amount of
time that the program will wait for a response from the remote server
before it fails. The default unit for the timeout value is seconds.
You might append "m" or "h" to the timeout value to make it minutes or
hours, respectively. The default timeout is '3m', i.e. 3 minutes.

=item -i