From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:27.ure
Reply-To: freebsd-security@freebsd.org
Date: Tue, 15 Sep 2020 23:32:33 +0000 (UTC)

=============================================================================
FreeBSD-SA-20:27.ure                                        Security Advisory
                                                          The FreeBSD Project

Topic:          ure device driver susceptible to packet-in-packet attack

Category:       core
Module:         ure
Announced:      2020-09-15
Credits:        John-Mark Gurney
Affects:        All supported versions of FreeBSD.
Corrected:      2020-09-14 19:39:43 UTC (stable/12, 12.2-STABLE)
                2020-09-15 21:42:05 UTC (releng/12.2, 12.2-BETA1-p1)
                2020-09-15 21:42:05 UTC (releng/12.1, 12.1-RELEASE-p10)
                2020-09-15 00:22:30 UTC (stable/11, 11.4-STABLE)
                2020-09-15 21:42:05 UTC (releng/11.4, 11.4-RELEASE-p4)
                2020-09-15 21:42:05 UTC (releng/11.3, 11.3-RELEASE-p14)
CVE Name:       CVE-2020-7464

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The ure(4) driver provides support for USB Ethernet adapters based on
the Realtek RTL8152 and RTL8153 USB Ethernet controllers.

II.  Problem Description

A programming error in the ure(4) device driver caused some Realtek USB
Ethernet interfaces to incorrectly report packets with more than 2048
bytes in a single USB transfer as having a length of only 2048 bytes.

An adversary can exploit this to cause the driver to misinterpret part
of the payload of a large packet as a separate packet, and thereby
inject packets across security boundaries such as VLANs.

III. Impact

An attacker that can send large frames (larger than 2048 bytes in size)
to be received by the host (be it VLAN, or non-VLAN tagged packet), can
inject arbitrary packets to be received and processed by the host. This
includes spoofing packets from other hosts, or injecting packets to
other VLANs than the host is on.

IV.  Workaround

No workaround is available. However, an attacker needs to be able to
inject large frames. Configuring a switch to prevent large frames
(>2048 bytes) from being received, or connecting the machine to a
switch that does not forward large frames, will mitigate this attack.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.1, FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.12.patch
# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.12.patch.asc
# gpg --verify ure.12.patch.asc

[FreeBSD 11.3, FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.11.patch
# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.11.patch.asc
# gpg --verify ure.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r365730
releng/12.2/                                                      r365778
releng/12.1/                                                      r365778
stable/11/                                                        r365738
releng/11.4/                                                      r365778
releng/11.3/                                                      r365778
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:28.bhyve_vmcs
Reply-To: freebsd-security@freebsd.org
Date: Tue, 15 Sep 2020 23:32:36 +0000 (UTC)

=============================================================================
FreeBSD-SA-20:28.bhyve_vmcs                                 Security Advisory
                                                          The FreeBSD Project

Topic:          bhyve privilege escalation via VMCS access

Category:       core
Module:         bhyve
Announced:      2020-09-15
Credits:        Patrick Mooney
Affects:        All supported versions of FreeBSD.
Corrected:      2020-09-15 21:28:47 UTC (stable/12, 12.2-STABLE)
                2020-09-15 21:43:41 UTC (releng/12.2, 12.2-BETA1-p1)
                2020-09-15 21:43:41 UTC (releng/12.1, 12.1-RELEASE-p10)
                2020-09-15 21:28:47 UTC (stable/11, 11.4-STABLE)
                2020-09-15 21:43:41 UTC (releng/11.4, 11.4-RELEASE-p4)
                2020-09-15 21:43:41 UTC (releng/11.3, 11.3-RELEASE-p14)
CVE Name:       CVE-2020-24718

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bhyve(8) is a hypervisor that supports running a variety of guest
operating systems in virtual machines on AMD and Intel CPUs.

II.  Problem Description

AMD and Intel CPUs support hardware virtualization using specialized
data structures that control various aspects of guest operation. These
are the Virtual Machine Control Structure (VMCS) on Intel CPUs, and the
Virtual Machine Control Block (VMCB) on AMD CPUs. Insufficient access
controls allow root users, including those running in a jail, to change
these data structures.

III. Impact

An attacker with host root access (including to a jailed bhyve
instance) can use this vulnerability to achieve kernel code execution.

IV.  Workaround

No workaround is available. This issue is likely of concern only to
systems relying on running bhyve in jail(8) for security domain
separation.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:28/bhyve_vmcs.patch
# fetch https://security.FreeBSD.org/patches/SA-20:28/bhyve_vmcs.patch.asc
# gpg --verify bhyve_vmcs.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r365777
releng/12.2/                                                      r365779
releng/12.1/                                                      r365779
stable/11/                                                        r365777
releng/11.4/                                                      r365779
releng/11.3/                                                      r365779
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:29.bhyve_svm
Reply-To: freebsd-security@freebsd.org
Date: Tue, 15 Sep 2020 23:32:47 +0000 (UTC)

=============================================================================
FreeBSD-SA-20:29.bhyve_svm                                  Security Advisory
                                                          The FreeBSD Project

Topic:          bhyve SVM guest escape

Category:       core
Module:         bhyve
Announced:      2020-09-15
Credits:        Maxime Villard
Affects:        All supported versions of FreeBSD.
Corrected:      2020-09-15 20:25:30 UTC (stable/12, 12.2-STABLE)
                2020-09-15 21:46:39 UTC (releng/12.2, 12.2-BETA1-p1)
                2020-09-15 21:46:39 UTC (releng/12.1, 12.1-RELEASE-p10)
                2020-09-15 20:26:31 UTC (stable/11, 11.4-STABLE)
                2020-09-15 21:46:39 UTC (releng/11.4, 11.4-RELEASE-p4)
                2020-09-15 21:46:39 UTC (releng/11.3, 11.3-RELEASE-p14)
CVE Name:       CVE-2020-7467

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bhyve(8) is a hypervisor that supports running a variety of guest
operating systems in virtual machines on AMD and Intel CPUs. AMD and
Intel provide broadly similar virtualization interfaces, but each
provides its own specific instructions for manipulating virtual machine
state.

II.  Problem Description

A number of AMD virtualization instructions operate on host physical
addresses, are not subject to nested page table translation, and guest
use of these instructions was not trapped.

III. Impact

From kernel mode a malicious guest can write to arbitrary host memory
(with some constraints), affording the guest full control of the host.

IV.  Workaround

No workaround is available. Systems not using bhyve, and systems that
use bhyve with an Intel CPU, are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:29/bhyve_svm.patch
# fetch https://security.FreeBSD.org/patches/SA-20:29/bhyve_svm.patch.asc
# gpg --verify bhyve_svm.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r365767
releng/12.2/                                                      r365780
releng/12.1/                                                      r365780
stable/11/                                                        r365769
releng/11.4/                                                      r365780
releng/11.3/                                                      r365780
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:30.ftpd
Reply-To: freebsd-security@freebsd.org
Date: Tue, 15 Sep 2020 23:32:56 +0000 (UTC)

=============================================================================
FreeBSD-SA-20:30.ftpd                                       Security Advisory
                                                          The FreeBSD Project

Topic:          ftpd privilege escalation via ftpchroot feature

Category:       core
Module:         ftpd
Announced:      2020-09-15
Credits:        Anonymous working with Trend Micro Zero Day Initiative
Affects:        All supported versions of FreeBSD.
Corrected:      2020-09-15 20:55:13 UTC (stable/12, 12.2-STABLE)
                2020-09-15 21:47:44 UTC (releng/12.2, 12.2-BETA1-p1)
                2020-09-15 21:47:44 UTC (releng/12.1, 12.1-RELEASE-p10)
                2020-09-15 20:56:14 UTC (stable/11, 11.4-STABLE)
                2020-09-15 21:47:44 UTC (releng/11.4, 11.4-RELEASE-p4)
                2020-09-15 21:47:44 UTC (releng/11.3, 11.3-RELEASE-p14)
CVE Name:       CVE-2020-7468

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

ftpd(8) is a daemon that implements an FTP server. To restrict
filesystem access of authenticated clients, ftpd(8) supports the
ftpchroot(5) feature, which allows the system administrator to
designate a root directory for each FTP user. This is implemented using
the chroot(2) system call.

II.  Problem Description

An ftpd(8) bug in the implementation of the file system sandbox,
combined with capabilities available to an authenticated FTP user, can
be used to escape the file system restriction configured in
ftpchroot(5). Moreover, the bug allows a malicious client to gain root
privileges.

III. Impact

A malicious FTP user can gain privileged access to an affected system.

IV.  Workaround

No workaround is available. Systems not running ftpd(8) or not making
use of ftpchroot(5) are not affected.

Exploitation of the bug requires that a malicious FTP client have login
access to the server. Anonymous access is not sufficient.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart the applicable daemons, or reboot the system.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:30/ftpd.patch
# fetch https://security.FreeBSD.org/patches/SA-20:30/ftpd.patch.asc
# gpg --verify ftpd.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r365772
releng/12.2/                                                      r365781
releng/12.1/                                                      r365781
stable/11/                                                        r365773
releng/11.4/                                                      r365781
releng/11.3/                                                      r365781
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

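Added example, not part of the advisories and not FreeBSD's own tooling: SA-20:27, SA-20:28, SA-20:29 and SA-20:30 all list the same corrected patch levels for the release branches, so one check of a version string against those levels covers all four. The names classify_version and min_patch_for and the fixed/vulnerable/unknown labels are assumptions of this example; freebsd-version(1) with -k and -u reports the installed kernel and userland versions.

```shell
#!/bin/sh
# Classify a FreeBSD version string against the "Corrected:" patch levels
# given in FreeBSD-SA-20:27 through FreeBSD-SA-20:30 (the same in all four).
# Result on stdout: fixed | vulnerable | unknown

# Minimum corrected patch level for each release line named in the advisories.
min_patch_for() {
    case "$1" in
        12.2-BETA1)   echo 1  ;;
        12.1-RELEASE) echo 10 ;;
        11.4-RELEASE) echo 4  ;;
        11.3-RELEASE) echo 14 ;;
        *)            echo "" ;;   # not a release line the advisories list
    esac
}

classify_version() {
    ver=$1

    # Split "12.1-RELEASE-p10" into base "12.1-RELEASE" and patch "10".
    # A version without a -pN suffix is patch level 0.
    case "$ver" in
        *-p[0-9]*) base=${ver%-p*}; patch=${ver##*-p} ;;
        *)         base=$ver;       patch=0 ;;
    esac

    # Refuse anything whose patch level is not a plain number.
    case "$patch" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac

    min=$(min_patch_for "$base")
    if [ -z "$min" ]; then
        # -STABLE branches are fixed by date and SVN revision, not by a
        # patch level, and other releases are not covered by these
        # advisories: compare against the Corrected dates and revisions.
        echo unknown
        return 0
    fi

    if [ "$patch" -ge "$min" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# On a FreeBSD host, report the installed kernel (-k) and userland (-u).
# The ure and bhyve fixes are in the kernel; the ftpd fix is in userland.
if command -v freebsd-version >/dev/null 2>&1; then
    for flag in -k -u; do
        v=$(freebsd-version "$flag")
        printf '%s %s: %s\n' "$flag" "$v" "$(classify_version "$v")"
    done
fi
```
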
From: grarpamp
Date: Thu, 17 Sep 2020 15:41:22 -0400
Subject: 12.2R Sigs
To: freebsd-security@freebsd.org
Cc: gjb@freebsd.org

https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/releases/12.2R/signatures.xml

Is it plan that 12.x 13.x etc continue with
provision of sig files for BETA and RC?
If so, process can be added to releng todo docs,
and the sig asc files pushed out to website,
and to download areas (https, ftp, rsync, torrent, etc)
alongside with the image datasets themselves.
If not, the docs can make note of the labels
to which sigs apply.

From owner-freebsd-security@freebsd.org Thu Sep 17 20:41:05 2020
From: Glen Barber
Date: Thu, 17 Sep 2020 20:41:02 +0000
Subject: Re: 12.2R Sigs
To: grarpamp
Cc: freebsd-security@freebsd.org
Message-ID: <20200917204102.GG26726@FreeBSD.org>

On Thu, Sep 17, 2020 at 03:41:22PM -0400, grarpamp wrote:
> https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/releases/12.2R/signatures.xml
>
> Is it plan that 12.x 13.x etc continue with
> provision of sig files for BETA and RC?
> If so, process can be added to releng todo docs,
> and the sig asc files pushed out to website,
> and to download areas (https, ftp, rsync, torrent, etc)
> alongside with the image datasets themselves.
> If not, the docs can make note of the labels
> to which sigs apply.
>

They will be added with the first RC build, after the doc tree is tagged
for the final release. Since moving the release notes and other related
documentation from base to doc, this introduced a bug in the order of
operations I have not yet figured out how to solve the right way.

In other words, adding the signed BETA* checksums to the doc tree for the
12.1-BETA* builds, turned out to be an error.

(Also note, the signed checksums were not available for previous release
BETA builds. And there is the PGP-signed email to stable@ that contains
them.)

Glen

From owner-freebsd-security@freebsd.org Fri Sep 18 00:03:57 2020
From: grarpamp
Date: Thu, 17 Sep 2020 20:03:54 -0400
Subject: Re: 12.2R Sigs
To: freebsd-security@freebsd.org
In-Reply-To: <20200917204102.GG26726@FreeBSD.org>

> They will be added with the first RC build

Yes RC* seems the latest point in timeline
to begin exercise them.

> a bug in the order of operations

> And there is the PGP-signed email to stable@ that contains
> them.

Future noting that lists do not support foreknown path schemes
for that data. Whereas repo, website and dataset locations are more
predictable and programmatic... allowing fetching, validation, etc.

There could be a commit subsequent to tags, to hold all
relevant collected metadata results, created sigs, etc of
those tagged builds.

From owner-freebsd-security@freebsd.org Fri Sep 18 00:13:00 2020
From: Glen Barber
Date: Fri, 18 Sep 2020 00:12:57 +0000
Subject: Re: 12.2R Sigs
To: grarpamp
Cc: freebsd-security@freebsd.org
Message-ID: <20200918001257.GI26726@FreeBSD.org>

On Thu, Sep 17, 2020 at 08:03:54PM -0400, grarpamp wrote:
> > They will be added with the first RC build
>
> Yes RC* seems the latest point in timeline
> to begin exercise them.
>
> > a bug in the order of operations
>
> > And there is the PGP-signed email to stable@ that contains
> > them.
>
> Future noting that lists do not support foreknown path schemes
> for that data. Whereas repo, website and dataset locations are more
> predictable and programmatic... allowing fetching, validation, etc.
>

And for RC builds, they are predictable and programmatic.

> There could be a commit subsequent to tags, to hold all
> relevant collected metadata results, created sigs, etc of
> those tagged builds.

I am not on postmaster.

Glen

From owner-freebsd-security@freebsd.org Fri Sep 18 01:09:30 2020
From: grarpamp
Date: Thu, 17 Sep 2020 21:09:26 -0400
Subject: Re: 12.2R Sigs
To: freebsd-security@freebsd.org
In-Reply-To: <20200918001257.GI26726@FreeBSD.org>

>> > And there is the PGP-signed email to stable@ that contains
>> > them.
>>
>> Future noting that lists do not support foreknown path schemes
>> for that data. Whereas repo, website and dataset locations are more
>> predictable and programmatic... allowing fetching, validation, etc.
>
> And for RC builds, they are predictable and programmatic.

Users would have to get and search the entire lists content to
find such sig posts, unfortunately no there are no nice predicted
paths to such single emails supporting simple fetch of associated
sig infos, ie: no schema :///13.x/.asc

Mail are not, it can't... ie: it has no hier, path, file globbing regex *, etc.

The website and distribution methods mentioned earlier are
possible. (Now just for RC and RELEASE, as clarified in thread.)

Website has them in nice paths today,

individually...
https://www.freebsd.org/releases/12.1R/signatures.html

and in bulk...
https://www.freebsd.org/releases/12.1R/announce.asc

but they are not present in what should be their natural
cohabitation set within the other distribution methods,
such as the case of https / ftp / rsync / torrent / etc for...
https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.1/

> I am not on postmaster.

What that mean in context?
Only some volunteer for that role, as any other,
it's ok not to be in two or more of them.

From owner-freebsd-security@freebsd.org Fri Sep 18 11:29:48 2020
From: Glen Barber
Date: Fri, 18 Sep 2020 11:29:45 +0000
Subject: Re: 12.2R Sigs
To: grarpamp
Cc: freebsd-security@freebsd.org
Message-ID: <20200918112945.GJ26726@FreeBSD.org>

On Thu, Sep 17, 2020 at 09:09:26PM -0400, grarpamp wrote:
> >> > And there is the PGP-signed email to stable@ that contains
> >> > them.
> >>
> >> Future noting that lists do not support foreknown path schemes
> >> for that data. Whereas repo, website and dataset locations are more
> >> predictable and programmatic... allowing fetching, validation, etc.
> >
> > And for RC builds, they are predictable and programmatic.
>
> Users would have to get and search the entire lists content to
> find such sig posts, unfortunately no there are no nice predicted
> paths to such single emails supporting simple fetch of associated
> sig infos, ie: no schema :///13.x/.asc
>
> Mail are not, it can't... ie: it has no hier, path, file globbing regex *, etc.
>
> The website and distribution methods mentioned earlier are
> possible. (Now just for RC and RELEASE, as clarified in thread.)
>
> Website has them in nice paths today,
>
> individually...
> https://www.freebsd.org/releases/12.1R/signatures.html
>
> and in bulk...
> https://www.freebsd.org/releases/12.1R/announce.asc
>
> but they are not present in what should be their natural
> cohabitation set within the other distribution methods,
> such as the case of https / ftp / rsync / torrent / etc for...
> https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.1/
>
> > I am not on postmaster.
>
> What that mean in context?
> Only some volunteer for that role, as any other,
> it's ok not to be in two or more of them.

Sorry, something you said was misinterpreted by me, and I was answering
something that I thought you had asked, but had not. So it is a bit
difficult for me to explain what I meant with this part of my reply.

In any case, after the doc tree is tagged (which is included on the
installation medium for reproducibility), RC1 and subsequent RCs and the
final RELEASE build will be programmatically fetchable. The
announce.asc file is only created for the final RELEASE build, however.

Glen

From owner-freebsd-security@freebsd.org Sat Sep 19 03:45:33 2020
From: grarpamp
Date: Fri, 18 Sep 2020 23:45:29 -0400
Subject: Re: 12.2R Sigs
To: freebsd-security@freebsd.org

> [src's] included on the
> installation medium for reproducibility

Wherever the src.tgz, they should not be considered
to be unbreakable reproducible bitwise duplicate authentic
or traceable back to any repo since there is no provable
cryptographic chain back to same, only assertions over the
breaking points, which can and do fail in various ways.

Distributed cloneable distributable repo's based on crypto
are needed to do that, perhaps such as Monotone, or at least
sign Git's init hash.

https://monotone.ca/
https://git-scm.com/

> announce.asc file is only created for the final RELEASE build

Yes as those are nice milestones :)