From owner-freebsd-security@freebsd.org  Tue Aug 16 16:41:21 2016
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8A643BBCE1F;
 Tue, 16 Aug 2016 16:41:21 +0000 (UTC)
 (envelope-from marquis@roble.com)
Received: from mx5.roble.com (mx5.roble.com [206.40.34.5])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 6E9F51390;
 Tue, 16 Aug 2016 16:41:21 +0000 (UTC)
 (envelope-from marquis@roble.com)
Date: Tue, 16 Aug 2016 09:41:13 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: freebsd-ports@freebsd.org
cc: freebsd-security@freebsd.org
Subject: pkg audit false negatives (was: Perl upgrade - 5.20.x vulnerable)
In-Reply-To: <84206cd3-10fb-2125-c7e9-921d74432c92@cloudzeeland.nl>
References: <3f8f41ff-3262-1021-2e28-2aaae89849b6@cloudzeeland.nl>
 <2915322d-0b1a-d36e-0725-c10bd0d32b7c@cloudzeeland.nl>
 <280f6f77-ad33-6ebb-d54a-a97129f793b3@FreeBSD.org>
 <84206cd3-10fb-2125-c7e9-921d74432c92@cloudzeeland.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Aug 2016 16:41:21 -0000

On 16 Aug 2016, JosC wrote:
>> In the absence of running 'pkg audit -F', only
>> the LOCALBASE/periodic/security/410.pkg-audit script updates the vuxml
>> file and audit results. Until that happens, or pkg audit -F is run, pkg
>> will still see an older version.
>
> Thinking with you I now ask myself:
> - Would it be a good idea to make this vuxml file update part of the 
> Makefile? Then these occurrences won't happen anymore

There's also an issue with older versions (perl 5.1*) no longer showing
up in the vuln.xml at all.  I've seen perl, php and other critical
network components still in use because the site depended on 'pkg audit'
but did not know that expired OR deprecated ports are not audited.
Apparently this is intentional and by policy.  IMO it is a serious flaw
in pkg audit's design.

A better policy would include expired AND deprecated ports in the output
of 'pkg audit' for at least a year after they are removed from the ports
and/or pkg trees.  If a port had no known vulnerability when removed it
should at least indicate 'no longer audited' in place of 'vulnerable'.

This is, IMO, one of 3 remaining weaknesses in the otherwise excellent
freebsd audit framework.  The other two issues have to do with base not
being packaged (so not really being 'audit'able) and the 'general rule'
announced on Aug 10 that 'the FreeBSD Security Officer does not announce
vulnerabilities for which there is no released patch'.  This is
particularly problematic as there are usually mitigations that do not
require patches.

Roger Marquis
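
A check a site can run to surface exactly the false negative described above: an added example script, not from this thread or from pkg itself. It assumes a checked-out ports tree at PORTSDIR (default /usr/ports); the pkg query format specifiers %o, %n and %v are real, and the origins named in comments are illustrative.

```shell
#!/bin/sh
# Coverage check for 'pkg audit': a package whose origin has been removed from
# the ports tree, or is marked DEPRECATED / EXPIRATION_DATE, can pass a clean
# audit simply because nobody writes VuXML entries for it any more. This
# prints an explicit "no longer audited" line for such packages.

PORTSDIR="${PORTSDIR:-/usr/ports}"   # assumption: a checked-out ports tree

# Classify one origin (e.g. lang/perl5.20) as removed, deprecated or audited.
origin_status() {
    tree="$1"; origin="$2"
    if [ ! -f "$tree/$origin/Makefile" ]; then
        echo removed
    elif grep -Eq '^(DEPRECATED|EXPIRATION_DATE)[[:space:]]*[?:]?=' \
            "$tree/$origin/Makefile"; then
        echo deprecated
    else
        echo audited
    fi
}

# Read "origin pkgname-version" lines (what pkg query '%o %n-%v' emits) on
# stdin and print one line per package that pkg audit no longer covers.
report_uncovered() {
    tree="$1"
    while read -r origin pkg; do
        case "$(origin_status "$tree" "$origin")" in
            removed)
                echo "$pkg: origin $origin gone from ports tree: no longer audited" ;;
            deprecated)
                echo "$pkg: origin $origin is deprecated: audit coverage ending" ;;
        esac
    done
}

# Run against the live package database only when asked explicitly:
#   sh audit-coverage.sh --live
if [ "${1:-}" = "--live" ]; then
    pkg query '%o %n-%v' | report_uncovered "$PORTSDIR"
fi
```

Running it from periodic alongside 410.pkg-audit turns a silent gap into a line in the daily security report.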

From owner-freebsd-security@freebsd.org  Wed Aug 17 19:53:30 2016
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 16033BBC165
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Wed, 17 Aug 2016 19:53:30 +0000 (UTC)
 (envelope-from cy.schubert@komquats.com)
Received: from smtp-out-so.shaw.ca (smtp-out-so.shaw.ca [64.59.136.137])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "Client", Issuer "CA" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id E1BB111FA
 for <freebsd-security@freebsd.org>; Wed, 17 Aug 2016 19:53:29 +0000 (UTC)
 (envelope-from cy.schubert@komquats.com)
Received: from spqr.komquats.com ([96.50.22.10]) by shaw.ca with SMTP
 id a6tsbjUedeXEca6ttbh2rM; Wed, 17 Aug 2016 13:53:22 -0600
Received: from slippy.cwsent.com (slippy8 [10.2.2.6])
 by spqr.komquats.com (Postfix) with ESMTPS id 2ACC713754
 for <freebsd-security@freebsd.org>; Wed, 17 Aug 2016 12:53:20 -0700 (PDT)
Received: from slippy (localhost [127.0.0.1])
 by slippy.cwsent.com (8.15.2/8.15.2) with ESMTP id u7HJr4U8010076
 for <freebsd-security@freebsd.org>; Wed, 17 Aug 2016 12:53:04 -0700 (PDT)
 (envelope-from Cy.Schubert@cschubert.com)
Message-Id: <201608171953.u7HJr4U8010076@slippy.cwsent.com>
X-Mailer: exmh version 2.8.0 04/21/2012 with nmh-1.6
Reply-to: Cy Schubert <Cy.Schubert@komquats.com>
From: Cy Schubert <Cy.Schubert@komquats.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.cschubert.com/
To: freebsd-security@freebsd.org
Subject: CVE-2016-5696 - Interesting Read
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 17 Aug 2016 12:53:04 -0700
X-List-Received-Date: Wed, 17 Aug 2016 19:53:30 -0000

Hi,

Though this is not related to FreeBSD (Linux actually), the URL 
http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf is an 
interesting read.
-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org

	The need of the many outweighs the greed of the few.

From owner-freebsd-security@freebsd.org  Thu Aug 18 17:06:44 2016
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 597BEBBED46;
 Thu, 18 Aug 2016 17:06:44 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com
 [66.111.4.26])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 1C13D1C86;
 Thu, 18 Aug 2016 17:06:43 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47])
 by mailout.nyi.internal (Postfix) with ESMTP id 72AF72051C;
 Thu, 18 Aug 2016 13:06:42 -0400 (EDT)
Received: from web3 ([10.202.2.213])
 by compute7.internal (MEProxy); Thu, 18 Aug 2016 13:06:42 -0400
Received: by mailuser.nyi.internal (Postfix, from userid 99)
 id 49898168AF; Thu, 18 Aug 2016 13:06:42 -0400 (EDT)
Message-Id: <1471540002.2386051.699306993.7F1A7008@webmail.messagingengine.com>
From: Mark Felder <feld@FreeBSD.org>
To: Roger Marquis <marquis@roble.com>, freebsd-ports@freebsd.org
Cc: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
X-Mailer: MessagingEngine.com Webmail Interface - ajax-b25c4c74
Subject: Re: pkg audit false negatives (was: Perl upgrade - 5.20.x vulnerable)
Date: Thu, 18 Aug 2016 12:06:42 -0500
In-Reply-To: <cmu-lmtpd-3299619-1471365695-1@sloti38d2t01>
References: <3f8f41ff-3262-1021-2e28-2aaae89849b6@cloudzeeland.nl>
 <2915322d-0b1a-d36e-0725-c10bd0d32b7c@cloudzeeland.nl>
 <280f6f77-ad33-6ebb-d54a-a97129f793b3@FreeBSD.org>
 <84206cd3-10fb-2125-c7e9-921d74432c92@cloudzeeland.nl>
 <cmu-lmtpd-3299619-1471365695-1@sloti38d2t01>
X-List-Received-Date: Thu, 18 Aug 2016 17:06:44 -0000

On Tue, Aug 16, 2016, at 11:41, Roger Marquis wrote:
> 
> There's also an issue with older versions (perl 5.1*) no longer showing
> up in the vuln.xml at all.  I've seen perl, php and other critical
> network components still in use because the site depended on 'pkg audit'
> but did not know that expired OR deprecated ports are not audited.
> Apparently this is intentional and by policy.  IMO it is a serious flaw
> in pkg audit's design.
> 

This is hard to keep track of, but I also agree it is a problem we need
to be more conscious of. Unfortunately it adds burden to our
ports-secteam because oftentimes upstream will EoL software and not
state if older versions are actually vulnerable. Short of a PoC or
auditing the source code of something that is EoL / removed from the
ports tree there isn't much we can do but guess. It's entirely possible
something EoL is not actually vulnerable to newer CVEs depending on if
it's in new/refactored code or shared code. Even then it's possible that,
because of the way the code is used in the EoL version, it's still not vulnerable.

> A better policy would include expired AND deprecated ports in the output
> of 'pkg audit' for at least a year after they are removed from the ports
> and/or pkg trees.  If a port had no known vulnerability when removed it
> should at least indicate 'no longer audited' in place of 'vulnerable'.
> 

Yes, a solution to create vuxml entries for EoL/removed ports with a
simple statement that they're EoL and could be vulnerable is a sane
approach. This way we aren't incorrectly listing software as vulnerable
to CVEs we haven't validated. I welcome this, but we will need help from
users and the community to let us know when this happens as we aren't
always aware of the EoL schedules of software in the ports tree.


> This is, IMO, one of 3 remaining weaknesses in the otherwise excellent
> freebsd audit framework.  The other two issues have to do with base not
> being packaged (so not really being 'audit'able) and the 'general rule'
> announced on Aug 10 that 'the FreeBSD Security Officer does not announce
> vulnerabilities for which there is no released patch'.  This is
> particularly problematic as there are usually mitigations that do not
> require patches.
> 

I already solved your #2 problem:
https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/

#3 is being reviewed by secteam/core, so I think we're well on our way
to solving these concerns.


-- 
  Mark Felder
  ports-secteam member
  feld@FreeBSD.org