From owner-freebsd-security@freebsd.org Wed Sep 2 05:20:25 2020
In-Reply-To: <20200902045939.GA15897@eureka.lemis.com>
References: <20200902045939.GA15897@eureka.lemis.com>
From: grarpamp
Date: Wed, 2 Sep 2020 01:20:22 -0400
Subject: Re: Plans for git (was: Please check the current beta git conversions)
To: freebsd-security@freebsd.org
Cc: Ed Maste, FreeBSD Current, freebsd-git@freebsd.org

The underlying initializing 'git init' commit hash must be signed by
security officer key having sufficient human PGP-WoT.

Git also supports SHA-256 soon now; adoption should be researched from
various online article series and work product before committing plans...

https://lwn.net/Articles/823352/
https://git-scm.com/docs/hash-function-transition

From owner-freebsd-security@freebsd.org Wed Sep 2 17:45:53 2020
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:24.ipv6
Reply-To: freebsd-security@freebsd.org
Message-Id: <20200902174553.412F5C7D8@freefall.freebsd.org>
Date: Wed, 2 Sep 2020 17:45:53 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:24.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 Hop-by-Hop options use-after-free bug

Category:       core
Module:         kernel
Announced:      2020-09-02
Affects:        FreeBSD 11.3
Corrected:      2020-05-07 01:28:59 UTC (stable/11, 11.4-PRERELEASE)
                2020-09-02 16:23:15 UTC (releng/11.3, 11.3-RELEASE-p13)
CVE Name:       CVE-2020-7462

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

IPv6 is a network layer supporting Hop-by-Hop options, which can be sent by
applications via the socket API. The memory management for packet handling
is done using mbufs.

II.  Problem Description

Due to improper mbuf handling in the kernel, a use-after-free bug might be
triggered by sending IPv6 Hop-by-Hop options over the loopback interface.

III. Impact

Triggering the use-after-free situation may result in unintended kernel
behaviour including a kernel panic.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:24/ipv6.patch
# fetch https://security.FreeBSD.org/patches/SA-20:24/ipv6.patch.asc
# gpg --verify ipv6.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r360733
releng/11.3/                                                      r365255
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLJYxAAotGAWrawa3gRK8gVpEIJiYknR9bODjDojm7KovlkuKeYAkyQ92/Ii23U
U6tMXSPDYQFyscOdrGq4yEjxRDLLkGQGynQpioinDn8POKX7BKpy+PFFdv1mmBef
h/WpgmlPdhymYisaImgVyGAxU81auzpFB6mArzFDCdHavTd7jVD2lJwcpdzeOk//
NHOsj8C4VYJs0XcYrNa4CEWfH/D/uNO8u2b3QUfKQSOdfIfaDv22k2b96YKm+zcr
xS7Q1jDv7QBTQou7KNOfoPi0Gclp8Q9VReP2nY/hB5TmJjR3irz+Z6UcGfiyDGrL
XRB7oP23jIUmBbsINUN06FIhAPGF9/7zcOOoV1YOdwvmbLM0/W4c+mERZ16gw6+N
MzCLDOeiyKAUr+pQzcl6lORxr31eB8400l6nRJwmCiWx4nHwyHPIl1RtfvsdNqfE
/OBVEalxsCrzStfW4ME5RziPo9Y8DrajPf7+JY/4CIV3v/dJAiGi3+qs9Zn8enar
WCR/8+o4xbT+d1sGTG1W3Qjh9a28jxqEusLjdehDy8PTk9OnIfPRuxj+kvot3Wo0
lWdeSIo8YZPYn7hG9N19k6aDlljM1fgkBmWj1uELtCeIE7WM5tHGMBuaS0cTt1jL
s2g01qgkgW2a6cChdm3oNfUKE5KpD3/hU63/jEA6QyJJQQqXlOs=
=kFlz
-----END PGP SIGNATURE-----

From owner-freebsd-security@freebsd.org Wed Sep 2 17:45:58 2020
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:25.sctp
Reply-To: freebsd-security@freebsd.org
Message-Id: <20200902174558.3B6CACA27@freefall.freebsd.org>
Date: Wed, 2 Sep 2020 17:45:58 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:25.sctp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          SCTP socket use-after-free bug

Category:       core
Module:         kernel
Announced:      2020-09-02
Credits:        Megan2013678@protonmail.com
Affects:        All supported versions of FreeBSD.
Corrected:      2020-08-24 09:19:05 UTC (stable/12, 12.1-STABLE)
                2020-09-02 16:24:32 UTC (releng/12.1, 12.1-RELEASE-p9)
                2020-08-24 09:46:36 UTC (stable/11, 11.4-STABLE)
                2020-09-02 16:24:32 UTC (releng/11.4, 11.4-RELEASE-p3)
                2020-09-02 16:24:32 UTC (releng/11.3, 11.3-RELEASE-p13)
CVE Name:       CVE-2020-7463

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The Stream Control Transmission Protocol (SCTP) is a message oriented
transport protocol supporting arbitrarily large user messages. It can be
accessed from applications by using the socket API.

II.  Problem Description

Due to improper handling in the kernel, a use-after-free bug can be
triggered by sending large user messages from multiple threads on the same
socket.

III. Impact

Triggering the use-after-free situation may result in unintended kernel
behaviour including a kernel panic.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.12.1.patch.asc
# gpg --verify sctp.12.1.patch.asc

[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.4.patch
# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.4.patch.asc
# gpg --verify sctp.11.4.patch.asc

[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.3.patch
# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.3.patch.asc
# gpg --verify sctp.11.3.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r364644
releng/12.1/                                                      r365256
stable/11/                                                        r364651
releng/11.4/                                                      r365256
releng/11.3/                                                      r365256
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIMPw//ZOYh7TQdwvreQ/iZbJphPp7hBVJqFWPE9M72Yfo87/vkl+T5/GW9wiLT
MQlknQ7SDyzE7i8RpGvX0lmXLbr1e2rkvin1ZFdCbWkPzC7w0WVH7XX6+I+RJmkh
E4dtmHrYhLRwmVtW5WYZdfO+iYVTJl/h43eYbYvNgJZSuKkvl2Vk6DqyseHx7xR6
gc7/41AIpMiqRLQI9ZnRvZCEiLq4G+q5z499ACfAutT9o+1T9L6QLCPuyY+fziiq
cI2E/pQA5uxOY/z3ejKHeOzErjycY6GEhMiBKmsJqV6oU/cZd5hZ1qsmE9Xbi3/c
Ax+OZr+Ve2a78dD7jOrmCrpBtG1Pg39c6VuQqHD3UN3seBNEkn4kto9vDX9fLceD
GZbueV97boFxjnXu1B6C8ufqEZDqTaf/SU3+vCobBgydP+V8c1P5LbP6qcFHOUrk
k7ijiJv03aYyY1Z6XtqbRsudZzIaTt+jneUA1eA46iWQqVZQHKo2liw5kAtsGu0k
injGcazWRphV6xgOHIMCfrGcLLf0j+4UjiDUk30cansLGewuk/uEh6FlA4NzyRWA
4L3Q0l/XQWvO2sNMtF9LbBUUujDyy93Vy8BouSp59v7+bAYrRHfcIAmaQnE4jev2
BY7/JsrfQ9rG/Anzg49Hec8pw9VEvv4kA1STqXcpMt9Fq+0DslA=
=2ET6
-----END PGP SIGNATURE-----

From owner-freebsd-security@freebsd.org Wed Sep 2 17:46:04 2020
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:26.dhclient
Reply-To: freebsd-security@freebsd.org
Message-Id: <20200902174603.982C6C8CB@freefall.freebsd.org>
Date: Wed, 2 Sep 2020 17:46:03 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:26.dhclient                                   Security Advisory
                                                          The FreeBSD Project

Topic:          dhclient heap overflow

Category:       core
Module:         dhclient
Announced:      2020-09-02
Credits:        Shlomi Oberman, JSOF
Affects:        All supported versions of FreeBSD.
Corrected:      2020-08-31 21:28:09 UTC (stable/12, 12.1-STABLE)
                2020-09-02 16:25:31 UTC (releng/12.1, 12.1-RELEASE-p9)
                2020-08-31 21:28:57 UTC (stable/11, 11.4-STABLE)
                2020-09-02 16:25:31 UTC (releng/11.4, 11.4-RELEASE-p3)
                2020-09-02 16:25:31 UTC (releng/11.3, 11.3-RELEASE-p13)
CVE Name:       CVE-2020-7461

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

dhclient(8) is the default IPv4 DHCP client used on FreeBSD. It is
responsible for contacting DHCP servers on a network segment, and for
initializing and configuring network interfaces and configuring name
resolution based on received information.

dhclient(8) handles DHCP option 119, the Domain Search Option, which
provides a list of domains to search when resolving names using DNS. The
option data format uses a compression scheme to avoid transmitting duplicate
domain name labels.

II.  Problem Description

When parsing option 119 data, dhclient(8) computes the uncompressed domain
list length so that it can allocate an appropriately sized buffer to store
the uncompressed list. The code to compute the length failed to handle
certain malformed input, resulting in a heap overflow when the uncompressed
list is copied into an inadequately sized buffer.

III. Impact

The heap overflow could in principle be exploited to achieve remote code
execution.
The affected process runs with reduced privileges in a Capsicum sandbox,
limiting the immediate impact of an exploit. However, it is possible the
bug could be combined with other vulnerabilities to escape the sandbox.

IV.  Workaround

No workaround is available. To trigger the bug, a system must be running
dhclient(8) on the same network as a malicious DHCP server.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart dhclient or reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:26/dhclient.patch
# fetch https://security.FreeBSD.org/patches/SA-20:26/dhclient.patch.asc
# gpg --verify dhclient.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in . Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r365010
releng/12.1/                                                      r365257
stable/11/                                                        r365011
releng/11.4/                                                      r365257
releng/11.3/                                                      r365257
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLLPxAAhg/FSqWLykYAiQ8czoy98X00VIWAP1f4InfUKm8qOB8/7ptzv3A+2Hov
7lHlyN0D4OwhJFt7fw9oTwNe4UgxShso6QrezaTJZR7juFELy9WODbRFnNK4i8w9
NCBab+NIn1o7nFZnB0M5TMKfa4gc1jAV+Q/U/zi+ONvwZegmjXJxuop3Sq8wfBd2
Vp9VAvEJvvBlQKExR2xNRDKV/0LpW+VffIuzlWT2ex3WwGpFVeVSL0ZNJsPbzMYX
j0aqGo9B/mHfXtKSQ415kGxiaQctnu5FqjNgSc00byzOU0YTiLsPwPdUgIt+nuQd
WFSePoZsDYstkkJ8YaCA/LVzmZo0tNR8m+z7xmhCszUbMIV+iRSycUexEbCXoPx/
Ebg6ycyYMwguK7rL2dkjNWTkr3hP5CgLD7VnzVBYGiBY7ha0zOgbaYWl/33Az5Fb
0eaIyJRFCDmI32NZfri1WLc06K1gFcVcR6VO+BUqRHG6bkYnF/4xlla8ERhYgNeC
Y9cs4Y9TNRges79k7jovpu9B5nicTEqMRQBubcARX5+w9zLg8h2aKH6inuVy1srn
M9H/mjdCHMkySpSSrENw9Jk5I7RAgHHRgA1OTkB6Da02aMzPEh6fYHWeR7IpvxPc
2A/hxnZy0tTeZ4aKbds1GYZWUVDd3I8DlSVcT5Bq1g5kk6I+PN8=
=jfay
-----END PGP SIGNATURE-----
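Section II of SA-20:26 above describes a two-pass design: size the uncompressed Domain Search list, allocate, then copy, with the sizing pass mishandling certain malformed input. The decoder below is an added example, not dhclient(8)'s code and not the SA-20:26 patch. It parses option 119 data as RFC 3397 defines it (DNS wire-format names with RFC 1035 compression pointers whose 14-bit offsets refer back into the option data), bounds-checks every offset the sizing pass relies on, requires each pointer to jump strictly backwards so loops cannot be counted, and guards every write of the copy pass against the allocation it was given. All payloads, including the malformed ones, are constructed for the example; reassembly of split options (RFC 3396) is assumed to have happened before the data reaches the decoder.

```python
"""Hardened decoder for DHCP option 119, the Domain Search option (RFC 3397).

Added example, not dhclient(8)'s code.  A label byte of 0 ends a name,
1..63 prefixes that many octets, and a byte with its top two bits set
starts a 2-byte compression pointer whose 14-bit offset refers back into
the option data.  Like dhclient, the decoder sizes first and copies second;
unlike the vulnerable version, the sizing pass rejects anything it cannot
measure exactly.  All payloads below are constructed for the example.
"""
from __future__ import annotations

MAX_NAME = 255  # RFC 1035: a whole name, root label included


def _read_name(data: bytes, start: int) -> tuple[list[bytes], int]:
    """Read one possibly compressed name beginning at offset `start`.

    Returns (labels, resume): `resume` is where the top-level stream goes
    on, just after the terminator, or just after the first pointer if the
    name was compressed.  Every read is bounds-checked and each pointer
    must land strictly before the previous jump target, so loops, forward
    pointers and truncated data raise ValueError instead of being counted
    in the first pass and copied in the second."""
    labels: list[bytes] = []
    pos = start
    resume = None      # fixed by the first pointer, else set at the terminator
    limit = start      # a pointer may only target an offset < limit
    name_len = 1       # the root label costs one octet
    while True:
        if pos >= len(data):
            raise ValueError(f"name at {start} runs past end of option data")
        c = data[pos]
        if c == 0:                                   # root label ends the name
            pos += 1
            break
        kind = c & 0xC0
        if kind == 0xC0:                             # compression pointer
            if pos + 1 >= len(data):
                raise ValueError(f"truncated pointer at {pos}")
            target = ((c & 0x3F) << 8) | data[pos + 1]
            if target >= limit:
                raise ValueError(f"pointer at {pos} to {target} is not strictly backward")
            if resume is None:
                resume = pos + 2
            limit = target
            pos = target
            continue
        if kind != 0:                                # label types 01 and 10 are reserved
            raise ValueError(f"reserved label type 0x{c:02x} at {pos}")
        # kind == 0: an ordinary label of c octets (c <= 63 by construction)
        if pos + 1 + c > len(data):
            raise ValueError(f"label at {pos} runs past end of option data")
        name_len += c + 1
        if name_len > MAX_NAME:
            raise ValueError(f"name at {start} exceeds {MAX_NAME} octets")
        label = data[pos + 1:pos + 1 + c]
        # Printable ASCII without '.', because labels are dot-joined and
        # NUL-terminated below; this also keeps NUL out of the output buffer.
        if not all(0x21 <= b < 0x7F and b != 0x2E for b in label):
            raise ValueError(f"label at {pos} contains a disallowed byte")
        labels.append(label)
        pos += 1 + c
    if not labels:                                   # a bare root label is not a search domain
        raise ValueError(f"empty name at {start}")
    return labels, (resume if resume is not None else pos)


def expanded_length(data: bytes) -> int:
    """First pass: bytes needed for the list as dotted text, plus one
    separator/terminator byte after each name."""
    total, pos = 0, 0
    while pos < len(data):
        labels, pos = _read_name(data, pos)
        total += sum(len(label) + 1 for label in labels)
    return total


def decode_domain_search(data: bytes) -> list[str]:
    """Second pass: allocate exactly expanded_length() bytes, then copy each
    name in with a guard on the write.  The guard can only fire if the two
    passes disagree, which is the condition the advisory describes."""
    buf = bytearray(expanded_length(data))
    out, pos = 0, 0
    while pos < len(data):
        labels, pos = _read_name(data, pos)
        text = b".".join(labels) + b"\x00"
        if out + len(text) > len(buf):
            raise RuntimeError("copy would overflow the pre-sized buffer")
        buf[out:out + len(text)] = text
        out += len(text)
    return [s.decode("ascii") for s in bytes(buf[:out]).split(b"\x00") if s]


def try_decode(data: bytes) -> tuple[bool, object]:
    """(True, names) for well-formed data, else (False, reason)."""
    try:
        return True, decode_domain_search(data)
    except (ValueError, RuntimeError) as exc:
        return False, str(exc)


# Constructed payloads, not captured traffic.
GOOD = (b"\x07example\x03com\x00"     # offsets 0..12: "example.com"
        b"\x03sub\xc0\x00")           # "sub" then a pointer to offset 0
SELF_LOOP = b"\xc0\x00"               # pointer to its own offset
LABEL_LOOP = b"\x01a\xc0\x00"         # label, then a pointer back onto it
FORWARD_PTR = b"\xc0\x05\x03com\x00"  # pointer to data not yet seen
TRUNCATED = b"\x05ab"                 # label length exceeds the data
NO_TERMINATOR = b"\x03com"            # stream ends before the root label
RESERVED = b"\x40"                    # label type bits 01
TOO_LONG = (b"\x3f" + b"a" * 63) * 4 + b"\x00"   # 257 octets in one name

if __name__ == "__main__":
    for name, payload in [("GOOD", GOOD), ("SELF_LOOP", SELF_LOOP),
                          ("LABEL_LOOP", LABEL_LOOP), ("FORWARD_PTR", FORWARD_PTR),
                          ("TRUNCATED", TRUNCATED), ("NO_TERMINATOR", NO_TERMINATOR),
                          ("RESERVED", RESERVED), ("TOO_LONG", TOO_LONG)]:
        print(f"{name:14} {try_decode(payload)}")
```

Running the block prints a verdict for each constructed payload; only GOOD decodes, to ["example.com", "sub.example.com"] from 28 sized bytes. The strictly-backward pointer rule is what makes the sizing pass trustworthy: a pointer that merely targets an earlier byte can still form a cycle through a label that precedes it, whereas a chain of strictly decreasing targets must terminate, so the first pass cannot undercount what the second pass will write.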
From owner-freebsd-security@freebsd.org Thu Sep 3 01:56:22 2020
From: grarpamp
Date: Wed, 2 Sep 2020 21:56:19 -0400
Subject: Where's the fingerprints and sigs? (was: Please check the current beta git conversions)
To: freebsd-security@freebsd.org
Cc: shawn.webb@hardenedbsd.org, Ed Maste, FreeBSD Current, freebsd-git@freebsd.org

On 9/1/20, Shawn Webb wrote:
> I'm curious if there's any plans for read-only access over ssh.
> Trusting FreeBSD's ssh key material is likely easier than trusting
> HTTPS in certain regions.

A bit moot when such key materials of all services, and repos, and
ticketing, and reviews, and builds, and downloads, and packages, forums,
and git hashtree initialization first hashes, and pubkey modulus not just
the larger DER's by untrusted/attacking CA's, etc... are all not sha-256
fingerprint signed and attested to in a base included textfile, in repo
and on website, etc by security officer keys having good WoT... for users
to reference, import, validate, pin down, etc.

And tools for accessing such services often do not have fingerprint
pinning options.

Woe be to those using such untrustable massively MITM'd and spied upon
networks as the Internet, Workplace, Home, Travel, VPN, WiFi, Tor Exits,
etc not having any way to authenticate fingerprints and pin such services
back to their favorite OS project's security apostille office yet.

Security vaunted OpenBSD still serves up via cleartext non-hashtree
anoncvs on non-ecc hardware on non-zfs-skein filesystems etc...

So the BSD world must still be thought secure, bit integral, and
trustably accessible without any of these infrastructure tool fingerprint
sig and pin basics... still no need to supply them since decades since
TLS/SSH/etc were deployed... Right? Not.
Cheers all :) [Same for Linux ;] From owner-freebsd-security@freebsd.org Thu Sep 3 02:41:15 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id EB4DC3D3A87; Thu, 3 Sep 2020 02:41:15 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-io1-xd42.google.com (mail-io1-xd42.google.com [IPv6:2607:f8b0:4864:20::d42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4BhlRv2cTVz4dQp; Thu, 3 Sep 2020 02:41:15 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-io1-xd42.google.com with SMTP id r9so1150206ioa.2; Wed, 02 Sep 2020 19:41:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=h8a0zZ4prmPwlVHmIS91VKcj/a46mr+lyGaFGDAUTgs=; b=UU5oPuooKdHvgHavS2Q0JZRoGuRC5Ks1Iy3RujFbd3eBCp01rQ5GaIa7cvvT1NL3D+ hqbJpW+3qd18MS+oM66BWD93NAEiRnrzw6crQ93WYB1OMfN0+dCJv7NI+zWRWUDrafUU h+H8yUmASLlAiA4nPfDJtsyV/ziHq6eYi9X3EpE4PMnTPTSBzgviGvl+787qR3EpdpBI thKsbhRj6ocdSTujyXev1quKcbfihEZCiDEgdx7uzjT0YBzfYc6eEGucWDx2EBuARcmK FJyTjyRqDytCI8z8mpNSq2qDCMW1Zt5o+MWNnT9M0dTo4rXqT8SnTWFPMhR2wCoL2ge6 c6Vg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=h8a0zZ4prmPwlVHmIS91VKcj/a46mr+lyGaFGDAUTgs=; b=eAsF7Qy+4ZrXKaClkJX00LYVK3deCwGABY4whf7bxZFxg76TdCtLilYdXA4XSh6etV Djvh/7STSXgwMGKBgJsu8RPoZvT6gVKanmaVIMofA8pik+88Le+c1aUGn4Qr+GomNnZU oum35WD6D8b6NFK5nTiFaeQTjykg4AFUExAu7jzsWdEgWNFhM3E3FIXPUUe7qvPHezyI 
hROi8k5QnXRWFNKxyyfpAhCSHZP7XZw34qAK7d42oCcWu4KGFZ/jzBYNxjxEveJR1OoG g/gDaFcH3alNngZJDKwo8ngU+sQFXbk2oQoCexxyumClSphVEqRohPqmF4VR0Z4N/x0a NoIg== X-Gm-Message-State: AOAM531o9EzrWASS0qHJY17CTaG9jygzPJSh4Oi+8mAUXOQiqZk5z5px RnKI+Ghu0IneD56EFPHX02JGSrPgJfCJ0UMTsApQB+PJq43f3OKW X-Google-Smtp-Source: ABdhPJz2yRN5HUVz/9240EPgstisuxoeNv0GAqA2OLGfQbD1FDAgV+w5W9Vwp/00oIfWEZVU+byJHEPeemW8RYmXfWA= X-Received: by 2002:a5d:9ed3:: with SMTP id a19mr1245014ioe.28.1599100874176; Wed, 02 Sep 2020 19:41:14 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a02:a908:0:0:0:0:0 with HTTP; Wed, 2 Sep 2020 19:41:13 -0700 (PDT) In-Reply-To: References: <20200902045939.GA15897@eureka.lemis.com> From: grarpamp Date: Wed, 2 Sep 2020 22:41:13 -0400 Message-ID: Subject: Re: Plans for git (was: Please check the current beta git conversions) To: freebsd-security@freebsd.org Cc: freebsd-current@freebsd.org, freebsd-git@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4BhlRv2cTVz4dQp X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=UU5oPuoo; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::d42 as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-3.51 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.05)[-1.050]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; RCVD_TLS_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.05)[-1.048]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::d42:from]; NEURAL_HAM_SHORT(-0.41)[-0.411]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, 
country:US]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-security,freebsd-current,freebsd-git]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Sep 2020 02:41:16 -0000 > The underlying initializing 'git init' commit hash must be > signed by security officer key having sufficient human PGP-WoT. > > Git also supports sha-256 soon now, adoption should > be researched from various online article series and > work product before committing plans... > https://lwn.net/Articles/823352/ > https://git-scm.com/docs/hash-function-transition For those interested, additional topical from same site... https://github.com/bk2204/git/tree/transition-stage-4 https://lwn.net/Articles/823352/ Updating the Git protocol for SHA-256 https://lwn.net/Articles/811068/ A new hash algorithm for Git https://lwn.net/Articles/715716/ Moving Git past SHA-1 https://lwn.net/Articles/813646/ Attestation for kernel patches https://lwn.net/Articles/821367/ Merkle trees and build systems https://lwn.net/Articles/663875/ Changes in the TLS certificate ecosystem, part 1 https://lwn.net/Articles/468911/ Sovereign Keys for certificate verification https://lwn.net/Articles/652580/ Decentralization for the web From owner-freebsd-security@freebsd.org Thu Sep 3 12:16:26 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 641C83E4566 for ; Thu, 3 Sep 2020 12:16:26 +0000 (UTC) (envelope-from tech-lists@zyxst.net) Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org 
From: tech-lists
Date: Thu, 3 Sep 2020 13:15:53 +0100
Subject: Re: A question about Security Advisories
To: freebsd-security@freebsd.org
Message-ID: <20200903121553.GA80905@bastion.zyxst.net>
In-Reply-To: <49a1d50c-34d1-239f-1d52-1ebba6799d62@shurik.kiev.ua>

Hi,

On Tue, Aug 11, 2020 at 10:21:07AM +0300, Oleksandr Kryvulia wrote:
> Hi,
> In recent years all Security Advisories regarding the base system, in the "update
> your vulnerable system via a source code patch" section, recommend
> rebuilding the whole world instead of the affected part of the base system. This
> is in most cases an overhead.
>
> For example the 9 year old SA-11:04 [1] offers:
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/usr.bin/compress
> # make obj && make depend && make && make install
> # cd /usr/src/usr.bin/gzip
> # make obj && make depend && make && make install
>
> What is the reason we stopped doing it? I understand that the preferred way
> now is a binary upgrade.

+1 I've been wondering this as well. What is the reason for it?
--
J.
From owner-freebsd-security@freebsd.org Thu Sep 3 14:22:25 2020
From: Roger Marquis
Date: Thu, 3 Sep 2020 07:22:17 -0700 (PDT)
Subject: Re: A question about Security Advisories
To: tech-lists
Cc: freebsd-security@freebsd.org
In-Reply-To: <20200903121553.GA80905@bastion.zyxst.net>

The SMUP (single monolithic update procedure) was implemented several years ago IIRC. At the time it was explained that there were insufficient staff resources to continue doing QA for incremental builds, even ones as simple as usr.bin/gzip. That said, it is still just as straightforward to do it yourself.

What I wonder is why staff is so resource constrained. Is it fundamentally due to a broken funding model? Are potential volunteers turned away for not having submitted enough patches and other questionable policy hurdles? Are there other organizational reasons why such burdensome upgrades are left for end-users?

A lot of this maintenance hassle will someday be resolved with base packages but even that project has been resource constrained. The FreeBSD Foundation has not, to the best of my knowledge, commented on these resource constraints or potential resolutions. Quarterly and Annual reports occasionally mention them but only in passing. How do we get someone on the Board/Foundation who is willing and able to prioritize these important issues?

Roger Marquis

>> Hi,
>> In recent years all Security Advisories regarding the base system, in the "update
>> your vulnerable system via a source code patch" section, recommend
>> rebuilding the whole world instead of the affected part of the base system. This
>> is in most cases an overhead.
>>
>> For example the 9 year old SA-11:04 [1] offers:
>>
>> b) Execute the following commands as root:
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>> # cd /usr/src/usr.bin/compress
>> # make obj && make depend && make && make install
>> # cd /usr/src/usr.bin/gzip
>> # make obj && make depend && make && make install
>>
>> What is the reason we stopped doing it? I understand that the preferred way
>> now is a binary upgrade.
>
> +1 I've been wondering this as well. What is the reason for it?
> --
> J.
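The fingerprint pinning that grarpamp's first message in this thread asks for, as an added example that is not part of the thread and not FreeBSD's own tooling: it computes the OpenSSH SHA-256 fingerprint of a host key the way `ssh-keygen -lf` does (SHA-256 over the raw key blob, base64 without padding), checks it against a pinned list, and emits a known_hosts entry only on a match. The pin-file layout (`host keytype SHA256:...`), the host `git.example.org` and both keys are assumptions constructed for the example; in practice the pin list would be the security officer's signed text file, verified with gpg before it is parsed.

```python
"""Pin an SSH host key to a published SHA-256 fingerprint.

Added example for this thread, not FreeBSD project code. The pin-file format
(one "host keytype SHA256:<fp>" line each) is a hypothetical stand-in for the
signed fingerprint list the thread asks for.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(keytype: str, raw_key: bytes) -> str:
    """Build a 'keytype base64blob' line as ssh-keyscan(1) prints it."""
    blob = _ssh_string(keytype.encode()) + _ssh_string(raw_key)
    return keytype + " " + base64.b64encode(blob).decode()


# Constructed sample data: a fake Ed25519 key whose 32 bytes are 0..31.
SAMPLE_KEY_LINE = make_pubkey_line("ssh-ed25519", bytes(range(32)))
# Same shape with different bytes, standing in for a MITM-substituted key.
TAMPERED_KEY_LINE = make_pubkey_line("ssh-ed25519", bytes(range(1, 33)))


def parse_pubkey_line(line: str):
    """Return (keytype, blob). Reject a line whose declared type differs from
    the type string embedded at the start of the blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError(f"declared type {keytype!r} but blob encodes {embedded!r}")
    return keytype, blob


def sha256_fingerprint(line: str) -> str:
    """Fingerprint as `ssh-keygen -lf` prints it: 'SHA256:' plus the unpadded
    base64 of SHA-256 over the raw key blob."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_pins(text: str) -> dict:
    """Parse the (hypothetical) pin file into {(host, keytype): fingerprint}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, keytype, fp = line.split()
        # 43 base64 characters encode a 32-byte digest without padding.
        if not fp.startswith("SHA256:") or len(fp) != len("SHA256:") + 43:
            raise ValueError(f"malformed fingerprint for {host}: {fp}")
        pins[(host, keytype)] = fp
    return pins


def verify_host_key(host: str, pubkey_line: str, pins: dict):
    """Return (ok, detail). Fails closed: an unpinned host is not trusted."""
    try:
        keytype, _ = parse_pubkey_line(pubkey_line)
    except ValueError as exc:
        return False, f"rejected key: {exc}"
    expected = pins.get((host, keytype))
    if expected is None:
        return False, f"no pinned {keytype} fingerprint for {host}"
    actual = sha256_fingerprint(pubkey_line)
    if not hmac.compare_digest(actual, expected):
        return False, f"fingerprint {actual} does not match pinned {expected}"
    return True, actual


def known_hosts_entry(host: str, pubkey_line: str, pins: dict) -> str:
    """Emit a known_hosts line only for a key that matched its pin."""
    ok, detail = verify_host_key(host, pubkey_line, pins)
    if not ok:
        raise ValueError(detail)
    keytype, b64 = pubkey_line.split()[:2]
    return f"{host} {keytype} {b64}"


# Constructed pin file. In a real deployment this text is the security
# officer's signed file, checked with gpg before it reaches parse_pins().
SAMPLE_PINS = (
    "# host keytype fingerprint\n"
    f"git.example.org ssh-ed25519 {sha256_fingerprint(SAMPLE_KEY_LINE)}\n"
)

if __name__ == "__main__":
    pins = parse_pins(SAMPLE_PINS)
    for label, line in (("genuine", SAMPLE_KEY_LINE), ("tampered", TAMPERED_KEY_LINE)):
        print(label, verify_host_key("git.example.org", line, pins))
    print(known_hosts_entry("git.example.org", SAMPLE_KEY_LINE, pins))
```

Three checks are worth keeping whatever the pin-file format ends up being: the declared key type must match the type string inside the blob, an unpinned host is a failure rather than a fall-through to trust-on-first-use, and the fingerprint comparison is constant-time. Writing the matched entry to a file and running `ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=<file>` then makes the client refuse any key other than the pinned one.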
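What the quoted "the 'git init' commit hash must be signed by a security officer key" check amounts to once Git's SHA-256 object format (the hash-function transition linked earlier in this thread) is in play, as an added example that is neither git's nor FreeBSD's code: it recomputes object ids the way git does, hashing `<type> <size>\0` followed by the content, under both algorithms, and validates a root commit's raw object against a pinned id, where the id's length fixes which algorithm applies. The commit object, the author identity and the ids are constructed for the example.

```python
"""Git object ids under SHA-1 and SHA-256, and a pinned-root-commit check.

Added example for this thread, not git's or FreeBSD's code. It reimplements
the id derivation git uses, hash("<type> <size>\\0" + content), so the effect
of the object format on a published root-commit hash is visible without a
git binary.
"""
import hashlib
import hmac

HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def object_id(kind: str, content: bytes, algo: str) -> str:
    """What `git hash-object -t <kind>` prints in a repo using <algo>."""
    h = HASHES[algo]()
    h.update(f"{kind} {len(content)}\0".encode("ascii"))
    h.update(content)
    return h.hexdigest()


def algo_for_id(oid: str) -> str:
    """A 40-hex id can only be SHA-1 and a 64-hex id only SHA-256; anything
    else is not an object id and must not be accepted as a pin."""
    if not oid or any(c not in "0123456789abcdef" for c in oid.lower()):
        raise ValueError(f"not a hex object id: {oid!r}")
    if len(oid) == 40:
        return "sha1"
    if len(oid) == 64:
        return "sha256"
    raise ValueError(f"unexpected id length {len(oid)}: {oid!r}")


def verify_pinned_root(commit_object: bytes, pinned_id: str) -> bool:
    """Check a root commit's raw object body (what `git cat-file commit <id>`
    prints) against the id from a signed attestation. The pin fixes the
    object format, so a SHA-1 pin is never satisfied by the SHA-256
    conversion of the same history, and vice versa."""
    try:
        algo = algo_for_id(pinned_id)
    except ValueError:
        return False
    actual = object_id("commit", commit_object, algo)
    return hmac.compare_digest(actual, pinned_id.lower())


# Constructed root commit object: no "parent" line, tree is git's well-known
# empty tree under SHA-1. A SHA-256 repository would carry a 64-hex tree id
# here, so the same history has different bytes, not just a different hash.
SAMPLE_ROOT_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Security Officer <so@example.org> 1599000000 +0000\n"
    b"committer Security Officer <so@example.org> 1599000000 +0000\n"
    b"\n"
    b"Initial commit (constructed example)\n"
)


def ids_for(kind: str, content: bytes) -> dict:
    """The same object's id under each format, for side-by-side display."""
    return {algo: object_id(kind, content, algo) for algo in HASHES}


if __name__ == "__main__":
    for algo, oid in ids_for("commit", SAMPLE_ROOT_COMMIT).items():
        print(f"{algo:6} {oid}  pinned ok: {verify_pinned_root(SAMPLE_ROOT_COMMIT, oid)}")
    forged = SAMPLE_ROOT_COMMIT.replace(b"Security Officer", b"Mallory")
    print("forged", verify_pinned_root(forged, ids_for("commit", SAMPLE_ROOT_COMMIT)["sha1"]))
```

In a real check the commit bytes come from `git cat-file commit $(git rev-list --max-parents=0 HEAD)` on the freshly cloned tree, and because a SHA-256 repository's commit carries a 64-hex tree id, the two formats differ in the bytes hashed and not only in the hash function; an attestation file therefore has to name the object format alongside the hash, and a pin for one format tells you nothing about a clone in the other.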