From owner-freebsd-security@freebsd.org Sun Oct 13 16:28:34 2019
From: "Bjoern A. Zeeb"
To: "Fernando Gont"
Cc: freebsd-security@freebsd.org, "FreeBSD Security Advisories"
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-19:19.mldv2
Date: Sun, 13 Oct 2019 16:28:22 +0000
Message-ID: <5D4B64BF-72B4-4D69-9EC7-432773259958@lists.zabbadoz.net>
In-Reply-To: <016f565b-9281-dc14-651a-bcd2245f0544@si6networks.com>
References: <20190806183211.EE35BEE16@freefall.freebsd.org> <016f565b-9281-dc14-651a-bcd2245f0544@si6networks.com>

On 7 Aug 2019, at 1:05, Fernando Gont wrote:
> Folks,
>
> Since FreeBSD ships with IPv6 support enabled by default, aren't all
> systems affected, one way or another?

No, you have to configure IPv6, otherwise processing is not done.
See the ifconfig option (which is default if you do not configure any IPv6):

    ifdisabled
        Set a flag to disable all of IPv6 network communications on the
        specified interface. Note that if there are already configured
        IPv6 addresses on that interface, all of them are marked as
        "tentative" and DAD will be performed when this flag is cleared.

/bz
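An audit helper for the distinction drawn in the reply above, added here and not part of the thread or the advisory: it reads ifconfig(8) output and lists only the interfaces whose nd6 options lack IFDISABLED, i.e. the interfaces on which IPv6 (and so MLDv2) input is actually processed. The sample ifconfig output is constructed in FreeBSD format; the "live" argument and the requirement of an nd6 line are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory or the reply: list interfaces on which
# IPv6 is processed, by reading ifconfig(8) output and skipping every interface
# whose "nd6 options=" line carries IFDISABLED (the default when IPv6 is not
# configured). Interfaces without any nd6 line (no IPv6 capability at all) are
# skipped too. The sample below is constructed in FreeBSD ifconfig format.

SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:11:22:33:44:55
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	inet6 fe80::211:22ff:fe33:4455%em0 prefixlen 64 scopeid 0x1
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:11:22:33:44:66
	inet 198.51.100.5 netmask 0xffffff00 broadcast 198.51.100.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>'

# ipv6_enabled_ifaces: read ifconfig output on stdin and print one name per
# line for each interface that has an nd6 line without IFDISABLED.
ipv6_enabled_ifaces() {
    awk '
    function report() { if (name != "" && seen_nd6 && !disabled) print name }
    /^[^ \t:]+:/ {            # start of a new interface block: flush the last
        report()
        name = $1; sub(/:$/, "", name)
        seen_nd6 = 0; disabled = 0
    }
    /^[ \t]+nd6 options=/ {   # nd6 flags line; IFDISABLED means no IPv6 input
        seen_nd6 = 1
        if (index($0, "IFDISABLED") > 0) disabled = 1
    }
    END { report() }
    '
}

# With "live" as the first argument, audit the running system (assumed to be
# FreeBSD); otherwise run over the constructed sample.
if [ "$1" = "live" ]; then
    ifconfig -a | ipv6_enabled_ifaces
else
    printf '%s\n' "$SAMPLE_IFCONFIG" | ipv6_enabled_ifaces
fi
```

On the sample this prints em0 and lo0; em1 is skipped because its nd6 options include IFDISABLED.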
From owner-freebsd-security@freebsd.org Sun Oct 13 17:53:14 2019
From: Leif Pedersen
Date: Sun, 13 Oct 2019 12:52:32 -0500
Subject: Re: Let's Encrypt
To: Garrett Wollman
Cc: Victor Sudakov, freebsd-security@freebsd.org
In-Reply-To: <23927.10.5222.629103@hergotha.csail.mit.edu>
References: <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <20190910005231.GA23163@admin.sibptus.ru> <23927.10.5222.629103@hergotha.csail.mit.edu>

On Sat, Oct 12, 2019 at 6:28 PM Garrett Wollman wrote:
> < > said:
>
> > Trond Endrestøl wrote:
> >>
> >> #minute hour mday month wday who command
> >>
> >> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> >> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> >
> > Is it safe to run certbot as root?
>
> I can't speak to certbot (I currently use acmetool) but in general,
> the thing that certbot does requires the ability to signal whatever
> process is using the certificates, which is normally going to be a web
> server but might be a mail server, name server, RADIUS server, or some
> other application -- as shown in the example above.
> So if you don't
> run it as root (probably smart) you'll need to find another way to
> tell the TLS server application to reload its certificates when
> needed.
>
> -GAWollman
>

A good point. One option might be to run two cron jobs. One job would run certbot as an unprivileged user, and the other would run "service apache24 restart" as root an hour or so later. (Or maybe reload is enough.)
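The root-side half of the two-cron-job split proposed above, as an added example that is not code from the thread or from certbot: certbot runs unprivileged and only writes files, while this script runs as root later and reloads the TLS server only when the served certificate has actually changed. The certificate path, stamp file, reload command and the unprivileged "certbot" user are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread or certbot): reload the TLS server only
# when the certificate file differs from the digest recorded at the last
# reload, so a renewal run that changed nothing does not bounce the daemon.
# Assumptions (none from the thread): the live chain path CERT, the root-owned
# stamp file STAMP, the reload command, and a "certbot" user set up to run
# certbot unprivileged.
#
# Constructed /etc/crontab pairing, an hour apart as suggested in the thread:
#   52 4 1 * * certbot certbot renew --quiet
#   52 5 1 * * root    /usr/local/sbin/reload-if-cert-changed run

CERT="${CERT:-/usr/local/etc/letsencrypt/live/example.org/fullchain.pem}"
STAMP="${STAMP:-/var/db/reload-if-cert-changed.sha256}"
RELOAD_CMD="${RELOAD_CMD:-service apache24 reload}"

# SHA-256 of a file: sha256(1) on FreeBSD, sha256sum on GNU systems.
cert_digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# cert_changed CERT STAMP: exit 0 and record the new digest when CERT differs
# from the digest stored in STAMP (or STAMP does not exist yet); exit 1 when
# nothing changed or CERT is unreadable, so a missing cert never triggers a
# reload of a server that is still serving the old one.
cert_changed() {
    cert="$1"
    stamp="$2"
    [ -r "$cert" ] || return 1
    new=$(cert_digest "$cert")
    old=""
    if [ -r "$stamp" ]; then
        old=$(cat "$stamp")
    fi
    [ "$new" != "$old" ] || return 1
    printf '%s\n' "$new" > "$stamp"
    return 0
}

# Cron entry point: reload only on change. RELOAD_CMD is left unquoted on
# purpose so that "service apache24 reload" splits into its words.
main() {
    if cert_changed "$CERT" "$STAMP"; then
        $RELOAD_CMD
    fi
}

# Only act when invoked with "run" (as in the crontab line above).
if [ "$1" = "run" ]; then
    main
fi
```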
From owner-freebsd-security@freebsd.org Mon Oct 14 18:52:37 2019
From: "Simon J. Gerraty"
To: Tomasz CEDRO
CC: grarpamp , , , ,
Subject: Re: AMD Secure Encrypted Virtualization - FreeBSD Status?
Comments: In-reply-to: Tomasz CEDRO message dated "Thu, 03 Oct 2019 18:10:16 +0200."
Date: Mon, 14 Oct 2019 11:52:29 -0700
Message-ID: <76102.1571079149@kaos.jnpr.net>
Tomasz CEDRO wrote:
> would be really nice also to get UEFI BOOT compatible with SECURE BOOT :-)

Unless you are using your own BIOS, the above means getting Microsoft
to sign boot1.efi or similar. Shims that simply work around lack of
acceptable signature don't help.

That would need to then verify loader.efi - which can be built to
verify all the modules and kernel.

In my implementation (uses the non efi loader) trust anchors are
embedded in loader but there is code in current to lookup trust anchors
in /efi I think which would be more generally useful - I've not looked
at the attack vectors that introduces though.
--sjg

From owner-freebsd-security@freebsd.org Mon Oct 14 19:18:31 2019
From: "Clay Daniels Jr."
Date: Mon, 14 Oct 2019 14:18:18 -0500
Subject: Re: AMD Secure Encrypted Virtualization - FreeBSD Status?
To: "Simon J. Gerraty"
Cc: Tomasz CEDRO, "freebsd-security@freebsd.org", "freebsd-current@freebsd.org", grarpamp, freebsd-virtualization@freebsd.org
In-Reply-To: <76102.1571079149@kaos.jnpr.net>
References: <76102.1571079149@kaos.jnpr.net>
Simon, please do elaborate more on your implementation. I suspect you are talking about libsecureboot? I have played with the generation of certs with OpenSSL & LibreSSL, but libsecureboot seems to take a different approach. Please tell us more.

Clay

On Mon, Oct 14, 2019 at 1:52 PM Simon J. Gerraty via freebsd-security <freebsd-security@freebsd.org> wrote:
> Tomasz CEDRO wrote:
>
> > would be really nice also to get UEFI BOOT compatible with SECURE BOOT
> :-)
>
> Unless you are using your own BIOS, the above means getting Microsoft
> to sign boot1.efi or similar. Shims that simply work around lack of
> acceptable signature don't help.
>
> That would need to then verify loader.efi - which can be built to
> verify all the modules and kernel.
>
> In my implementation (uses the non efi loader) trust anchors are
> embedded in loader but there is code in current to lookup trust anchors
> in /efi I think which would be more generally useful - I've not looked
> at the attack vectors that introduces though.
>
> --sjg
>

From owner-freebsd-security@freebsd.org Mon Oct 14 20:21:48 2019
From: "Simon J. Gerraty"
To: Clay Daniels Jr.
CC: Tomasz CEDRO, "freebsd-security@freebsd.org", "freebsd-current@freebsd.org", grarpamp , ,
Subject: Re: AMD Secure Encrypted Virtualization - FreeBSD Status?
References: <76102.1571079149@kaos.jnpr.net>
Comments: In-reply-to: "Clay Daniels Jr." message dated "Mon, 14 Oct 2019 14:18:18 -0500."
Date: Mon, 14 Oct 2019 13:21:38 -0700
Message-ID: <56226.1571084498@kaos.jnpr.net>

Clay Daniels Jr. wrote:
> Simon, please do elaborate more on your implementation. I suspect you are
> talking about libsecureboot? I have played with the generation of certs
> with OpenSSL & LibreSSL, but libsecureboot seems to take a different
> approach. Please tell us more.

Yes I meant libsecureboot.

You should be able to create keys and certs with OpenSSL. That's all we use, but we keep all the private keys etc isolated in signing servers.

The local.trust.mk in libsecureboot leverages the sign.py etc described at http://www.crufty.net/sjg/blog/signing-server.htm (which also contains a link to the src)

But that does not alter the fact that the certs are simply those created by an OpenSSL based CA - there are a number of good tutorials on the net on how to set up such things.

With all that said; you may find it more useful to use OpenPGP for signing. We again use sign.py to retrieve the OpenPGP public key, but you can do all you need using nothing more than gpg.

For an embedded vendor like Juniper, X.509 makes a lot of sense. For an individual or small scale, OpenPGP is likely simpler.

libsecureboot supports both, but you need to tailor local.trust.mk to suit. IIRC you can have local.trust.mk simply set TA_PEM_LIST etc to paths of pre-prepared pem files containing your trust anchors and ta.h and/or TA_ASC_LIST to a list of .asc files containing ascii armored openpgp trust anchors.

BTW in current boot1.efi is no more, loader.efi is used.
[I'm still mucking about trying to get a VM image booting using efi...]

> Clay
>
> On Mon, Oct 14, 2019 at 1:52 PM Simon J. Gerraty via freebsd-security <
> freebsd-security@freebsd.org> wrote:
>
> > Tomasz CEDRO wrote:
> >
> > > would be really nice also to get UEFI BOOT compatible with SECURE BOOT
> > > :-)
> >
> > Unless you are using your own BIOS, the above means getting Microsoft
> > to sign boot1.efi or similar. Shims that simply work around lack of
> > acceptable signature don't help.
> >
> > That would need to then verify loader.efi - which can be built to
> > verify all the modules and kernel.
> > In my implementation (uses the non efi loader) trust anchors are
> > embedded in loader but there is code in current to lookup trust anchors
> > in /efi I think which would be more generally useful - I've not looked
> > at the attack vectors that introduces though.
> >
> > --sjg
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@freebsd.org Mon Oct 14 17:13:13 2019
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-19:19.mldv2
To: "Bjoern A. Zeeb"
Cc: freebsd-security@freebsd.org, FreeBSD Security Advisories
References: <20190806183211.EE35BEE16@freefall.freebsd.org> <016f565b-9281-dc14-651a-bcd2245f0544@si6networks.com> <5D4B64BF-72B4-4D69-9EC7-432773259958@lists.zabbadoz.net>
From: Fernando Gont
Message-ID: <5718085e-fbd7-5adc-723f-40900e75b7eb@si6networks.com>
Date: Mon, 14 Oct 2019 12:00:08 -0500
In-Reply-To: <5D4B64BF-72B4-4D69-9EC7-432773259958@lists.zabbadoz.net>

On 13/10/19 11:28, Bjoern A. Zeeb wrote:
> On 7 Aug 2019, at 1:05, Fernando Gont wrote:
>
>> Folks,
>>
>> Since FreeBSD ships with IPv6 support enabled by default, aren't all
>> systems affected, one way or another?
>
> No, you have to configure IPv6, otherwise processing is not done.

You mean that, out of the box, and without any explicit configuration, IPv6 is not enabled?

-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

From owner-freebsd-security@freebsd.org Tue Oct 15 01:59:39 2019
In-Reply-To: <76102.1571079149@kaos.jnpr.net>
References: <76102.1571079149@kaos.jnpr.net>
From: grarpamp
Date: Mon, 14 Oct 2019 21:59:35 -0400
Subject: Re: AMD Secure Encrypted Virtualization - FreeBSD Status?
To: freebsd-security@freebsd.org
Cc: freebsd-current@freebsd.org, freebsd-virtualization@freebsd.org

>> would be really nice also to get UEFI BOOT compatible with SECURE BOOT
>> :-)
>
> Unless you are using your own BIOS, the above means getting Microsoft
> to sign boot1.efi or similar. Shims that simply work around lack of
> acceptable signature don't help.

As before in this thread, some motherboards will let you delete the Microsoft keys from the BIOS defaults and install your own. With those boards you do not need Microsoft, or any shims signed by Microsoft, or anyone else but you.

See the key management parts of the UEFI SECURE BOOT spec...
https://uefi.org/

If your mobo maker does not have full key management options in their latest BIOS, ticket and bug them until they do.

From owner-freebsd-security@freebsd.org Wed Oct 16 08:30:11 2019
Date: Wed, 16 Oct 2019 17:28:54 +0900 (JST)
Message-Id: <20191016.172854.1266117316250112049.yasu@utahime.org>
To: freebsd-security@freebsd.org
Subject: Recent security update of softwares used in base system
From: Yasuhiro KIMURA

Hello,

Recently security updates were released for some software used in the base system.

* OpenSSL 1.0.2t and 1.1.1d (https://www.openssl.org/news/secadv/20190910.txt)
* Unbound 1.9.4 (https://www.nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-parsing-notify-queries)
* Tcpdump 4.9.3 and libpcap 1.9.1 (https://www.tcpdump.org/public-cve-list.txt)

According to the base SVN repository, the current status of this software is:

* OpenSSL 1.0.2t and 1.1.1d are imported and merged into head, stable/{11,12} and releng/12.1 but not into releng/{11.3,12.0} yet.
* Unbound 1.9.4 is not imported yet.
* Tcpdump 4.9.3 and libpcap 1.9.1 are imported but not merged into head, stable and releng yet.

I hope these security updates are applied to all supported versions ASAP, and to releng/12.1 before the release of 12.1.

Best Regards.

---
Yasuhiro KIMURA

From owner-freebsd-security@freebsd.org Thu Oct 17 10:06:20 2019
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-19:19.mldv2
To: Fernando Gont, "Bjoern A. Zeeb"
References: <20190806183211.EE35BEE16@freefall.freebsd.org> <016f565b-9281-dc14-651a-bcd2245f0544@si6networks.com> <5D4B64BF-72B4-4D69-9EC7-432773259958@lists.zabbadoz.net> <5718085e-fbd7-5adc-723f-40900e75b7eb@si6networks.com>
Cc: FreeBSD Security Advisories, freebsd-security@freebsd.org
From: Eugene Grosbein
Message-ID: <2160efe8-3d37-e132-9a30-902ed6ed43e1@grosbein.net>
Date: Thu, 17 Oct 2019 17:06:13 +0700
In-Reply-To: <5718085e-fbd7-5adc-723f-40900e75b7eb@si6networks.com>

15.10.2019 0:00, Fernando Gont wrote:

>>> Since FreeBSD ships with IPv6 support enabled by default, aren't all
>>> systems affected, one way or another?
>>
>> No, you have to configure IPv6, otherwise processing is not done.
>
> You mean that, out of the box, and without any explicit configuration,
> IPv6 is not enabled?

Precisely. IPv4 too, in fact.

From owner-freebsd-security@freebsd.org Thu Oct 17 18:18:10 2019
References: <20190806183211.EE35BEE16@freefall.freebsd.org> <016f565b-9281-dc14-651a-bcd2245f0544@si6networks.com> <5D4B64BF-72B4-4D69-9EC7-432773259958@lists.zabbadoz.net> <5718085e-fbd7-5adc-723f-40900e75b7eb@si6networks.com> <2160efe8-3d37-e132-9a30-902ed6ed43e1@grosbein.net>
In-Reply-To: <2160efe8-3d37-e132-9a30-902ed6ed43e1@grosbein.net>
From: Leif Pedersen
Date: Thu, 17 Oct 2019 13:17:29 -0500
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-19:19.mldv2
To: Eugene Grosbein
Cc: Fernando Gont, "Bjoern A. Zeeb", FreeBSD Security Advisories, freebsd-security@freebsd.org

On Thu, Oct 17, 2019 at 5:06 AM Eugene Grosbein wrote:

> 15.10.2019 0:00, Fernando Gont wrote:
>
> >>> Since FreeBSD ships with IPv6 support enabled by default, aren't all
> >>> systems affected, one way or another?
> >>
> >> No, you have to configure IPv6, otherwise processing is not done.
> >
> > You mean that, out of the box, and without any explicit configuration,
> > IPv6 is not enabled?
>
> Precisely. IPv4 too, in fact.
>

True, except both IPv4 and IPv6 are configured for localhost by default. That exception doesn't seem relevant to this SA, but it could matter in others.

-Leif
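The mldv2 sub-thread above turns on one question: does this host actually have IPv6 configured on anything other than the loopback, which carries ::1 out of the box? The script below is an added example, not something posted by anyone in the thread. It parses ifconfig(8) output in FreeBSD's layout (interface header at column 0, address lines indented) and separates loopback from non-loopback inet6 addresses; the sample output embedded in it is constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: inventory which interfaces have IPv6 configured, given
# ifconfig(8) output in FreeBSD's layout. On a real host replace the
# constructed SAMPLE with the output of `ifconfig`.

# Constructed sample (not captured from a real machine). Indentation of the
# address lines is cosmetic; the parser keys on the first field.
SAMPLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
    inet6 2001:db8::10 prefixlen 64
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:00:5e:00:53:02
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo'

# ipv6_ifaces MODE: read ifconfig output on stdin and print "iface address"
# for each inet6 address. MODE "nonloop" keeps interfaces whose flags lack
# LOOPBACK; MODE "loop" keeps the loopback interface(s).
ipv6_ifaces() {
    awk -v mode="$1" '
        /^[A-Za-z]/ {                      # interface header: "name: flags=..."
            iface = $1; sub(/:$/, "", iface)
            isloop = ($0 ~ /LOOPBACK/) ? 1 : 0
        }
        $1 == "inet6" && iface != "" {     # address line under that header
            want = (mode == "loop") ? 1 : 0
            if (want == isloop) print iface, $2
        }'
}

# has_ipv6_attack_surface: exit 0 when some non-loopback interface carries an
# inet6 address (a link-local alone counts: the interface has IPv6 enabled and
# will process IPv6, including MLD), exit 1 when only the loopback does.
has_ipv6_attack_surface() {
    [ -n "$(ipv6_ifaces nonloop)" ]
}

printf '%s\n' "$SAMPLE" | ipv6_ifaces nonloop
if printf '%s\n' "$SAMPLE" | has_ipv6_attack_surface; then
    echo "IPv6 is configured on a non-loopback interface"
else
    echo "only the loopback has IPv6 configured"
fi
```

On a host that was never given an IPv6 address or rtadv, only lo0 shows up in the "loop" set and the check returns 1, which is the case the thread describes; an interface with even a single fe80:: address lands in the "nonloop" set.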
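Simon Gerraty's libsecureboot message earlier in this digest says the certificates involved are simply those created by an OpenSSL-based CA, with local.trust.mk pointing TA_PEM_LIST at pre-prepared PEM trust anchors and the private keys kept on isolated signing servers. The script below is an added example of such a CA driven from sh; it is not code from libsecureboot, from the signing-server blog post, or from anyone in the thread. It builds a trust anchor, issues a signing certificate under it, signs a payload, and verifies the signature using only the anchor, then shows that an anchor nobody enrolled does not validate it. The detached CMS signature format, the file and function names, and the sample payload are this example's own choices, not a statement of what libsecureboot consumes.

```shell
#!/bin/sh
# Added example: a minimal OpenSSL-based CA, a signing cert under it, and
# verification against nothing but the trust anchor PEM. Signature format
# (detached CMS, PEM-encoded) is this example's choice.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR NAME: self-signed CA (the trust anchor) as DIR/NAME.pem with its
# key in DIR/NAME.key. In production the key stays on a signing server; only
# the .pem is shipped as a trust anchor.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$1/$2.key" -out "$1/$2.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_signer DIR CA NAME: leaf cert DIR/NAME.pem signed by DIR/CA, limited
# to digitalSignature so it cannot itself act as a CA.
issue_signer() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/CN=$3" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' \
        > "$1/$3.ext"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 365 -extfile "$1/$3.ext" -out "$1/$3.pem" \
        >/dev/null 2>&1
}

# sign_file DIR SIGNER FILE: detached CMS signature in FILE.sig. The signer
# cert is embedded in the signature, so the verifier needs only the anchor.
sign_file() {
    openssl cms -sign -binary -in "$3" -signer "$1/$2.pem" -inkey "$1/$2.key" \
        -outform PEM -out "$3.sig"
}

# verify_file ANCHOR FILE: exit 0 iff FILE.sig is valid for FILE and its
# signer chains to ANCHOR (the only trust configured here).
verify_file() {
    openssl cms -verify -binary -inform PEM -in "$2.sig" -content "$2" \
        -CAfile "$1" -out /dev/null >/dev/null 2>&1
}

make_ca "$WORK" anchor
issue_signer "$WORK" anchor signer
make_ca "$WORK" rogue                 # a CA that was never enrolled as an anchor

printf 'constructed sample payload\n' > "$WORK/payload"   # stands in for a kernel/module
sign_file "$WORK" signer "$WORK/payload"

if verify_file "$WORK/anchor.pem" "$WORK/payload"; then
    echo "signature chains to the enrolled trust anchor"
fi
if ! verify_file "$WORK/rogue.pem" "$WORK/payload"; then
    echo "rejected when checked against an unrelated anchor"
fi
```

The OpenPGP route Simon mentions is the same shape with gpg: a detached ASCII-armored signature checked against a keyring that holds only the trust-anchor key. The point to keep from the X.509 version is the split the message insists on: the anchor .pem is the only thing the verifying side needs, while the CA and signer private keys never leave the signing host.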