From owner-freebsd-security@freebsd.org Sun Jul 7 16:20:31 2019
Date: Sun, 7 Jul 2019 09:20:21 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@freebsd.org
cc: freebsd-questions@freebsd.org
Subject: Re: Review of FreeBSD Security Advisory Process: Incl Heads Up, Dates, Etc [cont: 5599 SACK}
References: <20190705060652.GA2974@server.rulingia.com>

Peter Jeremy wrote:
> Security Officer is a volunteer position and their time is valuable.
> requiring them to do more work to provide information

Problem is such communications are critical for end-users. We all know the security teams are woefully over-burdened and under-resourced, but why argue for the status quo? Wouldn't it be better to appoint a communications coordinator and/or actually PAY THE SECURITY TEAMS so they can do the job without financial sacrifice? Looking at items the FreeBSD Foundation funds which have no measurable effect on the size of the user-base, and at the former BSD shops converting to Linux because of security, I don't know, it just seems like a no-brainer from here.

Many years ago people recommended only updating ports which had security advisories. Now nobody recommends that. Instead they recommend updating with every patch and keeping an eye on NIST CVEs, Bugtraq and Red Hat, Debian and Ubuntu advisories. Even following advisories via RSS is, unfortunately, unsustainable overhead at most organizations.

A few years ago people recommended submitting vuxml entries when new advisories came out. Some of us did that and were surprised to find that even remote exploit (CVE level 7+) reports could sit in the queue for days or weeks. Follow-ups would be met with the same "we're all volunteers here". Not surprisingly we (volunteer patch and vuxml submitters) no longer do that either.

Perhaps this is tilting at windmills, but wouldn't it be better to at least try beefing up security support and creating a sustainable SECURITY BUDGET? If it grew the user-base by only a few percent that would at the very least make everyone's contribution more valuable.
IMO,
Roger Marquis

From owner-freebsd-security@freebsd.org Tue Jul 9 18:20:08 2019
Date: Tue, 9 Jul 2019 20:13:43 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-security@freebsd.org
Subject: Status of FreeBSD vulnerabilities in VUXML database

What is the official status of FreeBSD Security Advisories and entries in the VUXML database?
I am asking especially because new FreeBSD base system vulnerabilities are not being added to the vuxml database. The last was added 2019-04-23 according to https://vuxml.freebsd.org/freebsd/

Why?

VUXML is FreeBSD's own pet, so why are new SAs not added there the same day they are published as SA on https://www.freebsd.org/security/advisories.html?

It makes base-audit periodic useless.
https://www.freshports.org/security/base-audit/

Kind regards
Miroslav Lachman

From owner-freebsd-security@freebsd.org Tue Jul 9 18:56:27 2019
Date: Tue, 9 Jul 2019 18:55:56 +0000
From: "Chisholm, Rick"
To: Miroslav Lachman <000.fbsd@quip.cz>, "freebsd-security@freebsd.org"
Subject: RE: [EXTERNAL] Status of FreeBSD vulnerabilities in VUXML database
Message-ID: <0054FFE9E041FC4EB2D50A99E26B120A06314D8F@EDCV-XHG-TNP01.hub.local>

My understanding has always been vuXML is for ports / packages and the advisories page is for base.

-----Original Message-----
From: owner-freebsd-security@freebsd.org On Behalf Of Miroslav Lachman
Sent: July 9, 2019 2:14 PM
To: freebsd-security@freebsd.org
Subject: [EXTERNAL] Status of FreeBSD vulnerabilities in VUXML database

What is the official status of FreeBSD Security Advisories and entries in the VUXML database?
I am asking especially because new FreeBSD base system vulnerabilities are not being added to the vuxml database. The last was added 2019-04-23 according to https://vuxml.freebsd.org/freebsd/

Why?

VUXML is FreeBSD's own pet, so why are new SAs not added there the same day they are published as SA on https://www.freebsd.org/security/advisories.html?

It makes base-audit periodic useless.
https://www.freshports.org/security/base-audit/

Kind regards
Miroslav Lachman

From owner-freebsd-security@freebsd.org Tue Jul 9 22:04:29 2019
Date: Wed, 10 Jul 2019 00:04:21 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: "Chisholm, Rick", "freebsd-security@freebsd.org"
Subject: Re: [EXTERNAL] Status of FreeBSD vulnerabilities in VUXML database
Message-ID: <1dec1b4c-e54f-ba65-c1dc-cc91b9a5dec2@quip.cz>
In-Reply-To: <0054FFE9E041FC4EB2D50A99E26B120A06314D8F@EDCV-XHG-TNP01.hub.local>

Chisholm, Rick wrote on 2019/07/09 20:55:
> My understanding has always been vuXML is for ports / packages and the advisories page is for base.

Support for FreeBSD base vulnerabilities was created by Mark Felder 3 years ago https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/ and the past Security Advisories were published in VUXML. At this time there is no other automated system to report base system vulnerabilities - are we really in 2019?

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org On Behalf Of Miroslav Lachman
> Sent: July 9, 2019 2:14 PM
> To: freebsd-security@freebsd.org
> Subject: [EXTERNAL] Status of FreeBSD vulnerabilities in VUXML database
>
> What is the official status of FreeBSD Security Advisories and entries in the VUXML database?
> I am asking especially because new FreeBSD base system vulnerabilities are not being added to the vuxml database. The last was added 2019-04-23 according to https://vuxml.freebsd.org/freebsd/
>
> Why?
>
> VUXML is FreeBSD's own pet, so why are new SAs not added there the same day they are published as SA on https://www.freebsd.org/security/advisories.html?
>
> It makes base-audit periodic useless.
> https://www.freshports.org/security/base-audit/
>
> Kind regards
> Miroslav Lachman

From owner-freebsd-security@freebsd.org Wed Jul 10 07:07:09 2019
Date: Wed, 10 Jul 2019 09:06:31 +0200
From: "damian@damianek.be"
To: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: FreeBSD mds mitigation.

Hello

FreeBSD 11.2-RELEASE-p11
CPU: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz (2594.05-MHz K8-class CPU)

sysctl hw.mds_disable was set to 3 (Automatic VERW or Software selection), HT disabled in BIOS, and I manually installed the latest CPU microcode from https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/

I wonder why hw.mds_disable_state shows
hw.mds_disable_state: software Broadwell
instead of VERW?

sysctl hw.mds_disable=1 causes hw.mds_disable_state: VERW

Does this automatic selection work correctly?
--
dsk
damian@damianek.be

From owner-freebsd-security@freebsd.org Wed Jul 10 09:52:58 2019
Date: Wed, 10 Jul 2019 12:52:47 +0300
From: Konstantin Belousov
To: "damian@damianek.be"
Cc: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: Re: FreeBSD mds mitigation.
Message-ID: <20190710095247.GC47193@kib.kiev.ua>

On Wed, Jul 10, 2019 at 09:06:31AM +0200, damian@damianek.be wrote:
> Hello
>
> FreeBSD 11.2-RELEASE-p11
> CPU: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz (2594.05-MHz K8-class CPU)
>
> sysctl hw.mds_disable was set to 3 (Automatic VERW or Software selection),
> HT disabled in BIOS, and I manually installed the latest CPU microcode from
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/
>
> I wonder why hw.mds_disable_state shows
> hw.mds_disable_state: software Broadwell
> instead of VERW?
>
> sysctl hw.mds_disable=1 causes hw.mds_disable_state: VERW
>
> Does this automatic selection work correctly?

No idea. How did you install the microcode? Was it loaded? Show the dmesg output after the 'cpucontrol -e /dev/cpuctl0'.
From owner-freebsd-security@freebsd.org Wed Jul 10 16:37:56 2019
Date: Wed, 10 Jul 2019 16:37:45 +0000
From: Kevin
To: "freebsd-security@freebsd.org"
Subject: FreeBSD MDS Mitigation

Hello list.

I am reading this page about FreeBSD security [ https://vez.mrsk.me/freebsd-defaults.html ] and it says the Intel MDS mitigation is off by default. So I tried.

% sysctl hw.mds_disable_state
hw.mds_disable_state: inactive

Now I see the instructions in the advisory, but what about anyone who didn't? Or who did a new install and didn't read past advisories?

I have an Intel CPU that is vulnerable. By applying the update and installing the microcode package, I thought I was safe.

Why? Why does FreeBSD let its users be vulnerable?
From owner-freebsd-security@freebsd.org Thu Jul 11 12:16:29 2019
From: peter.blok@bsd4all.org
Subject: Re: FreeBSD MDS Mitigation
Date: Thu, 11 Jul 2019 14:16:17 +0200
To: Kevin, freebsd-security@freebsd.org
In-Reply-To: <1-e0UcMiG_xiNHOUE9o3duPx3uN6Loigx376zYIhPFYNE-khNPR1vB-gu5TAG-L_V9AL7gNrWsyurZ8bBcW1zMayEPgkl2SpalOGkrGfTEE=@protonmail.ch>

I'm sorry, but if you really care about security you have to read the advisory and stop assuming things.

For every complaint about why this is disabled by default, there will be 10 complaints about why it was enabled by default and broke things.

Having said this, I could see the benefit of reporting the fact that a certain security measure is disabled in the daily security reports, hoping someone reads it together with the executables that have suddenly become setuid root.

Peter

> On 10 Jul 2019, at 18:37, Kevin via freebsd-security wrote:
> [...]
> I have an Intel CPU that is vulnerable. By applying the update and installing the microcode package, I thought I was safe.
>
> Why? Why does FreeBSD let its users be vulnerable?

From owner-freebsd-security@freebsd.org Fri Jul 12 15:21:03 2019
Date: Fri, 12 Jul 2019 11:20:44 -0400
From: starikarp@dismail.de
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD mds mitigation.
Message-ID: <20190712112044.57e9a7e2@dismail.de>
In-Reply-To: <20190710095247.GC47193@kib.kiev.ua>
References: <20190710095247.GC47193@kib.kiev.ua>

On Wed, 10 Jul 2019 12:52:47 +0300 Konstantin Belousov wrote:
> On Wed, Jul 10, 2019 at 09:06:31AM +0200, damian@damianek.be wrote:
> > [...]
> > sysctl hw.mds_disable was set to 3 (Automatic VERW or Software
> > selection), HT disabled in BIOS, and I manually installed the latest CPU
> > microcode from
> > https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/
> >
> > I wonder why hw.mds_disable_state shows
> > hw.mds_disable_state: software Broadwell
> > instead of VERW?
> > [...]
> No idea.
>
> How did you install the microcode? Was it loaded?
> Show the dmesg output after 'cpucontrol -e /dev/cpuctl0'.

I have been using it for a long time, but I didn't have hw.mds_disable_state enabled. Yesterday I did, and now I have (3): hw.mds_disable_state: software IvyBridge. I am confused. I have FreeBSD 12.0-RELEASE (amd64) installed on an iMac 11,1 (late 2009) and I have: "The iMac "Core i7" 2.8 27-Inch Aluminum (Late 2009) is powered by a 2.8 GHz Quad Core Intel "Core i7" I7-860 (Lynnfield/Nehalem) processor with a dedicated 256k level 2 cache for each core and an 8 MB shared level 3 cache."

Thank you.

-- 
"Happiness is the meaning and the purpose of life, the whole aim and end of human existence." - Aristotle

From owner-freebsd-security@freebsd.org Fri Jul 12 19:33:38 2019
From: Walter Parker <walterp@gmail.com>
Date: Fri, 12 Jul 2019 12:33:25 -0700
Subject: Re: freebsd-security Digest, Vol 692, Issue 4
To: freebsd-security@freebsd.org

> Message: 1
> Date: Thu, 11 Jul 2019 14:16:17 +0200
> From: peter.blok@bsd4all.org
> To: Kevin, freebsd-security@freebsd.org
> Subject: Re: FreeBSD MDS Mitigation
>
> [...]
>
> Having said this, I could see the benefit of reporting the fact that a
> certain security measure is disabled in the daily security reports, hoping
> someone reads it together with the executables that have suddenly become
> setuid root.
>
> Peter
>
> > On 10 Jul 2019, at 18:37, Kevin via freebsd-security wrote:
> > [...]
> > Why? Why does FreeBSD let its users be vulnerable?

For this specific issue (Intel MDS) there are significant performance issues on older (not 8th or 9th gen) Intel processors. Also, outside of a hosting environment, exploitation and threat/risk are lower. FreeBSD uses the principle of least astonishment; a significant perf drop for systems that are not high risk would have violated this. For people tracking the HyperThreading issue, turning off HyperThreading in the hardware was suggested last year.

Walter

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
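Peter's suggestion in the thread above, reporting a disabled mitigation in the daily security report, worked through as an added example that is not part of the thread or of FreeBSD's own periodic scripts: a POSIX sh check that classifies hw.mds_disable_state using the state strings seen in this thread (inactive, VERW, software <family>). The function names, the script placement under /etc/periodic/security, and the meanings of hw.mds_disable values 0 and 2 (taken from the FreeBSD MDS advisory, not from this thread) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a periodic(8)-style security check
# that reports whether the MDS mitigation is active, as Peter suggested.
# It reads hw.mds_disable_state, the sysctl Kevin and Damian queried; the
# classification is a pure function so it can be exercised off-box.

# Classify one hw.mds_disable_state value and print a report line.
# Returns 0 when a mitigation is active, 1 when inactive, 2 when the
# value is not one this check understands.
mds_classify() {
    state=$1
    case "$state" in
        inactive)
            echo "WARNING: MDS mitigation is inactive (hw.mds_disable_state: $state)"
            return 1 ;;
        VERW)
            # Selected when the CPU advertises MD_CLEAR, i.e. updated
            # microcode makes VERW flush the affected buffers.
            echo "MDS mitigation active: VERW"
            return 0 ;;
        "software "*)
            # Per-microarchitecture software sequence, the fallback when
            # MD_CLEAR is not available (for example, microcode not loaded).
            echo "MDS mitigation active: software sequence for ${state#software }"
            return 0 ;;
        *)
            echo "WARNING: unrecognised hw.mds_disable_state value '$state'"
            return 2 ;;
    esac
}

# Describe the hw.mds_disable knob (meanings per the FreeBSD MDS advisory;
# the thread itself shows only 1 = VERW and 3 = automatic).
mds_describe_knob() {
    case "$1" in
        0) echo "0 (mitigation disabled)" ;;
        1) echo "1 (VERW requested)" ;;
        2) echo "2 (software sequence requested)" ;;
        3) echo "3 (automatic selection)" ;;
        *) echo "$1 (unknown)" ;;
    esac
}

# Live check for a script in /etc/periodic/security (assumed placement):
# queries the running kernel and reports. Returns mds_classify's status.
mds_periodic_check() {
    state=$(sysctl -n hw.mds_disable_state 2>/dev/null) || {
        echo "hw.mds_disable_state not available on this kernel"
        return 2
    }
    knob=$(sysctl -n hw.mds_disable 2>/dev/null)
    echo "hw.mds_disable: $(mds_describe_knob "$knob")"
    mds_classify "$state"
}

# Run the live check only when executed under the assumed script name,
# so the file can also be sourced for its functions.
case "${0##*/}" in
    mds_check.sh) mds_periodic_check ;;
esac
```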