From owner-freebsd-security@freebsd.org Sun Apr 11 07:58:36 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 709F05E418D for ; Sun, 11 Apr 2021 07:58:36 +0000 (UTC) (envelope-from gpiero@rm-rf.it) Received: from serafino.rm-rf.it (serafino.rm-rf.it [192.165.67.94]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4FJ44W0qhWz4tSk for ; Sun, 11 Apr 2021 07:58:34 +0000 (UTC) (envelope-from gpiero@rm-rf.it) Received: from valentina.fdc.rm-rf.it (valentina.fdc.rm-rf.it [192.168.192.1]) by serafino.fdc.rm-rf.it (OpenSMTPD) with ESMTP id 0b4fa4b1 for ; Sun, 11 Apr 2021 09:58:25 +0200 (CEST) Received: from robinhood.fdc.rm-rf.it (robinhood.fdc.rm-rf.it [192.168.192.50]) by valentina.fdc.rm-rf.it (Postfix) with ESMTP id 28C2F1F6B0 for ; Sun, 11 Apr 2021 09:58:25 +0200 (CEST) Received: by robinhood.fdc.rm-rf.it (Postfix, from userid 1000) id 9B16A601F2E; Sun, 11 Apr 2021 09:58:24 +0200 (CEST) Date: Sun, 11 Apr 2021 09:58:24 +0200 From: Gian Piero Carrubba To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm Message-ID: <20210411075824.fzrbnrtus6iiw2cq@robinhood.fdc.rm-rf.it> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Disposition: inline In-Reply-To: <20210406202258.1642E15C4A@freefall.freebsd.org> <20210406202303.3B6F715D1E@freefall.freebsd.org> <20210406202309.EECD015EA7@freefall.freebsd.org> X-Rspamd-Queue-Id: 4FJ44W0qhWz4tSk X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of gpiero@rm-rf.it designates 192.165.67.94 as permitted sender) smtp.mailfrom=gpiero@rm-rf.it X-Spamd-Result: default: False [0.56 / 15.00]; ARC_NA(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[192.165.67.94:from]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:192.165.67.94]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[192.165.67.94:from:127.0.2.255]; RCVD_COUNT_THREE(0.00)[3]; DMARC_NA(0.00)[rm-rf.it]; NEURAL_SPAM_SHORT(0.86)[0.861]; NEURAL_SPAM_LONG(1.00)[1.000]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:34971, ipnet:192.165.67.0/24, country:IT]; RCVD_TLS_LAST(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Apr 2021 07:58:36 -0000 * [Tue, Apr 06, 2021 at 08:22:58PM +0000] FreeBSD Security Advisories: >FreeBSD-SA-21:08.vm Security * [Tue, Apr 06, 2021 at 08:23:03PM +0000] FreeBSD Security Advisories: >FreeBSD-SA-21:09.accept_filter Security * [Tue, Apr 06, 2021 at 08:23:09PM +0000] FreeBSD Security Advisories: >FreeBSD-SA-21:10.jail_mount Security Not sure if this is the correct list for notifying about it, but none of the above mentioned SAs has been included in https://svn.freebsd.org/ports/head/security/vuxml/vuln.xml. This is a bit of inconvenience for people using base-audit like me. More in general, which is the right process for including new SAs into vuln.xml? Thanks, Gian Piero. From owner-freebsd-security@freebsd.org Sun Apr 11 19:21:31 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 205545D9411; Sun, 11 Apr 2021 19:21:31 +0000 (UTC) (envelope-from gpiero@rm-rf.it) Received: from serafino.rm-rf.it (serafino.rm-rf.it [192.165.67.94]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4FJMDT49b2z4VC5; Sun, 11 Apr 2021 19:21:29 +0000 (UTC) (envelope-from gpiero@rm-rf.it) Received: from valentina.fdc.rm-rf.it (valentina.fdc.rm-rf.it [192.168.192.1]) by serafino.fdc.rm-rf.it (OpenSMTPD) with ESMTP id 4acb8553; Sun, 11 Apr 2021 21:21:26 +0200 (CEST) Received: from robinhood.fdc.rm-rf.it (robinhood.fdc.rm-rf.it [192.168.192.50]) by valentina.fdc.rm-rf.it (Postfix) with ESMTP id 8F9041F6B0; Sun, 11 Apr 2021 21:21:25 +0200 (CEST) Received: by robinhood.fdc.rm-rf.it (Postfix, from userid 1000) id 4CAB7601F2E; Sun, 11 Apr 2021 21:21:25 +0200 (CEST) Date: Sun, 11 Apr 2021 21:21:25 +0200 From: Gian Piero Carrubba To: freebsd-security@freebsd.org Cc: ports-secteam@FreeBSD.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm Message-ID: <20210411192125.knknarbiul3alggx@robinhood.fdc.rm-rf.it> References: <20210406202258.1642E15C4A@freefall.freebsd.org> <20210406202303.3B6F715D1E@freefall.freebsd.org> <20210406202309.EECD015EA7@freefall.freebsd.org> <20210411075824.fzrbnrtus6iiw2cq@robinhood.fdc.rm-rf.it> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Disposition: inline In-Reply-To: <20210411075824.fzrbnrtus6iiw2cq@robinhood.fdc.rm-rf.it> X-Rspamd-Queue-Id: 4FJMDT49b2z4VC5 X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of gpiero@rm-rf.it designates 192.165.67.94 as permitted sender) smtp.mailfrom=gpiero@rm-rf.it X-Spamd-Result: default: False [0.70 / 15.00]; ARC_NA(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[192.165.67.94:from]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:192.165.67.94]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[rm-rf.it]; NEURAL_SPAM_SHORT(1.00)[1.000]; SPAMHAUS_ZRD(0.00)[192.165.67.94:from:127.0.2.255]; RCVD_COUNT_THREE(0.00)[3]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_SPAM_LONG(1.00)[1.000]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:34971, ipnet:192.165.67.0/24, country:IT]; RCVD_TLS_LAST(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security,ports-secteam] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Apr 2021 19:21:31 -0000 CCing ports-secteam@ as it seems a more appropriate recipient. * [Sun, Apr 11, 2021 at 09:58:24AM +0200] Gian Piero Carrubba: >* [Tue, Apr 06, 2021 at 08:22:58PM +0000] FreeBSD Security Advisories: >>FreeBSD-SA-21:08.vm Security > >* [Tue, Apr 06, 2021 at 08:23:03PM +0000] FreeBSD Security Advisories: >>FreeBSD-SA-21:09.accept_filter Security > >* [Tue, Apr 06, 2021 at 08:23:09PM +0000] FreeBSD Security Advisories: >>FreeBSD-SA-21:10.jail_mount Security > >Not sure if this is the correct list for notifying about it, but none >of the above mentioned SAs has been included in >https://svn.freebsd.org/ports/head/security/vuxml/vuln.xml. This is a >bit of inconvenience for people using base-audit like me. >More in general, which is the right process for including new SAs into >vuln.xml? > >Thanks, >Gian Piero. From owner-freebsd-security@freebsd.org Sun Apr 11 19:36:17 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 344A25D97E5 for ; Sun, 11 Apr 2021 19:36:17 +0000 (UTC) (envelope-from SRS0=d2j5=JI=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4FJMYX05SWz4VRL for ; Sun, 11 Apr 2021 19:36:15 +0000 (UTC) (envelope-from SRS0=d2j5=JI=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 294152840C for ; Sun, 11 Apr 2021 21:36:08 +0200 (CEST) Received: from illbsd.quip.test (ip-94-113-69-69.net.upcbroadband.cz [94.113.69.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 8D80328416 for ; Sun, 11 Apr 2021 21:36:06 +0200 (CEST) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm To: freebsd-security@freebsd.org References: <20210406202258.1642E15C4A@freefall.freebsd.org> <20210406202303.3B6F715D1E@freefall.freebsd.org> <20210406202309.EECD015EA7@freefall.freebsd.org> <20210411075824.fzrbnrtus6iiw2cq@robinhood.fdc.rm-rf.it> <20210411192125.knknarbiul3alggx@robinhood.fdc.rm-rf.it> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: Date: Sun, 11 Apr 2021 21:36:05 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <20210411192125.knknarbiul3alggx@robinhood.fdc.rm-rf.it> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 4FJMYX05SWz4VRL X-Spamd-Bar: ++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of SRS0=d2j5=JI=quip.cz=000.fbsd@elsa.codelab.cz has no SPF policy when checking 94.124.105.4) smtp.mailfrom=SRS0=d2j5=JI=quip.cz=000.fbsd@elsa.codelab.cz X-Spamd-Result: default: False [2.21 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; FORGED_SENDER(0.30)[000.fbsd@quip.cz,SRS0=d2j5=JI=quip.cz=000.fbsd@elsa.codelab.cz]; RECEIVED_SPAMHAUS_PBL(0.00)[94.113.69.69:received]; RCVD_TLS_LAST(0.00)[]; R_DKIM_NA(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[94.124.105.4:from]; MIME_TRACE(0.00)[0:+]; FROM_NEQ_ENVFROM(0.00)[000.fbsd@quip.cz,SRS0=d2j5=JI=quip.cz=000.fbsd@elsa.codelab.cz]; ASN(0.00)[asn:42000, ipnet:94.124.104.0/21, country:CZ]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.99)[-0.988]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_SPAM_SHORT(1.00)[1.000]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[94.124.105.4:from:127.0.2.255]; DMARC_NA(0.00)[quip.cz]; NEURAL_SPAM_LONG(1.00)[1.000]; R_SPF_NA(0.00)[no SPF record]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Apr 2021 19:36:17 -0000 On 11/04/2021 21:21, Gian Piero Carrubba wrote: > CCing ports-secteam@ as it seems a more appropriate recipient. Vulnerabilities in base should be handled by core secteam, not ports secteam. Vuxml entries should be published together with Security Advisories. Miroslav Lachman > * [Sun, Apr 11, 2021 at 09:58:24AM +0200] Gian Piero Carrubba: >> * [Tue, Apr 06, 2021 at 08:22:58PM +0000] FreeBSD Security Advisories: >>> FreeBSD-SA-21:08.vm                                         Security >> >> * [Tue, Apr 06, 2021 at 08:23:03PM +0000] FreeBSD Security Advisories: >>> FreeBSD-SA-21:09.accept_filter                              Security >> >> * [Tue, Apr 06, 2021 at 08:23:09PM +0000] FreeBSD Security Advisories: >>> FreeBSD-SA-21:10.jail_mount                                 Security >> >> Not sure if this is the correct list for notifying about it, but none >> of the above mentioned SAs has been included in >> https://svn.freebsd.org/ports/head/security/vuxml/vuln.xml. This is a >> bit of inconvenience for people using base-audit like me. >> More in general, which is the right process for including new SAs into >> vuln.xml? >> >> Thanks, >> Gian Piero. From owner-freebsd-security@freebsd.org Sun Apr 11 19:49:35 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9C7C05D9CD0 for ; Sun, 11 Apr 2021 19:49:35 +0000 (UTC) (envelope-from gpiero@rm-rf.it) Received: from serafino.rm-rf.it (serafino.rm-rf.it [192.165.67.94]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4FJMrt3yJ9z4WR6 for ; Sun, 11 Apr 2021 19:49:34 +0000 (UTC) (envelope-from gpiero@rm-rf.it) Received: from valentina.fdc.rm-rf.it (valentina.fdc.rm-rf.it [192.168.192.1]) by serafino.fdc.rm-rf.it (OpenSMTPD) with ESMTP id a94af456 for ; Sun, 11 Apr 2021 21:49:32 +0200 (CEST) Received: from robinhood.fdc.rm-rf.it (robinhood.fdc.rm-rf.it [192.168.192.50]) by valentina.fdc.rm-rf.it (Postfix) with ESMTP id 5030A1F6B0 for ; Sun, 11 Apr 2021 21:49:32 +0200 (CEST) Received: by robinhood.fdc.rm-rf.it (Postfix, from userid 1000) id 2749F601F2E; Sun, 11 Apr 2021 21:49:32 +0200 (CEST) Date: Sun, 11 Apr 2021 21:49:32 +0200 From: Gian Piero Carrubba To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm Message-ID: <20210411194932.t4a6dtjdvhynj2uf@robinhood.fdc.rm-rf.it> References: <20210406202258.1642E15C4A@freefall.freebsd.org> <20210406202303.3B6F715D1E@freefall.freebsd.org> <20210406202309.EECD015EA7@freefall.freebsd.org> <20210411075824.fzrbnrtus6iiw2cq@robinhood.fdc.rm-rf.it> <20210411192125.knknarbiul3alggx@robinhood.fdc.rm-rf.it> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Disposition: inline In-Reply-To: X-Rspamd-Queue-Id: 4FJMrt3yJ9z4WR6 X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of gpiero@rm-rf.it designates 192.165.67.94 as permitted sender) smtp.mailfrom=gpiero@rm-rf.it X-Spamd-Result: default: False [0.70 / 15.00]; ARC_NA(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[192.165.67.94:from]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:192.165.67.94]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[192.165.67.94:from:127.0.2.255]; RCVD_COUNT_THREE(0.00)[3]; DMARC_NA(0.00)[rm-rf.it]; NEURAL_SPAM_SHORT(1.00)[1.000]; NEURAL_SPAM_LONG(1.00)[1.000]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:34971, ipnet:192.165.67.0/24, country:IT]; RCVD_TLS_LAST(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Apr 2021 19:49:35 -0000 * [Sun, Apr 11, 2021 at 09:36:05PM +0200] Miroslav Lachman: >On 11/04/2021 21:21, Gian Piero Carrubba wrote: >>CCing ports-secteam@ as it seems a more appropriate recipient. > >Vulnerabilities in base should be handled by core secteam, not ports >secteam. The maintainer address for vuxml is ports-secteam@, so my impression is that entries in vuxml, regardless if they affect base or ports, are managed by them. Am I wrong? From owner-freebsd-security@freebsd.org Mon Apr 12 10:21:41 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 164BB5CA260 for ; Mon, 12 Apr 2021 10:21:41 +0000 (UTC) (envelope-from SRS0=IDwt=JJ=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4FJlC825MLz3pC5 for ; Mon, 12 Apr 2021 10:21:40 +0000 (UTC) (envelope-from SRS0=IDwt=JJ=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 4AB1E28416; Mon, 12 Apr 2021 12:21:37 +0200 (CEST) Received: from illbsd.quip.test (ip-94-113-69-69.net.upcbroadband.cz [94.113.69.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id BEC712840C; Mon, 12 Apr 2021 12:21:35 +0200 (CEST) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm missing in vuxml To: Gian Piero Carrubba , freebsd-security@freebsd.org References: <20210406202258.1642E15C4A@freefall.freebsd.org> <20210406202303.3B6F715D1E@freefall.freebsd.org> <20210406202309.EECD015EA7@freefall.freebsd.org> <20210411075824.fzrbnrtus6iiw2cq@robinhood.fdc.rm-rf.it> <20210411192125.knknarbiul3alggx@robinhood.fdc.rm-rf.it> <20210411194932.t4a6dtjdvhynj2uf@robinhood.fdc.rm-rf.it> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: Date: Mon, 12 Apr 2021 12:21:34 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <20210411194932.t4a6dtjdvhynj2uf@robinhood.fdc.rm-rf.it> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 4FJlC825MLz3pC5 X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of SRS0=IDwt=JJ=quip.cz=000.fbsd@elsa.codelab.cz has no SPF policy when checking 94.124.105.4) smtp.mailfrom=SRS0=IDwt=JJ=quip.cz=000.fbsd@elsa.codelab.cz X-Spamd-Result: default: False [0.21 / 15.00]; FROM_NEQ_ENVFROM(0.00)[000.fbsd@quip.cz,SRS0=IDwt=JJ=quip.cz=000.fbsd@elsa.codelab.cz]; RCVD_VIA_SMTP_AUTH(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; ARC_NA(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[quip.cz]; RBL_DBL_DONT_QUERY_IPS(0.00)[94.124.105.4:from]; AUTH_NA(1.00)[]; SPAMHAUS_ZRD(0.00)[94.124.105.4:from:127.0.2.255]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-0.99)[-0.994]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_SPAM_LONG(1.00)[1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_SPF_NA(0.00)[no SPF record]; FORGED_SENDER(0.30)[000.fbsd@quip.cz,SRS0=IDwt=JJ=quip.cz=000.fbsd@elsa.codelab.cz]; RECEIVED_SPAMHAUS_PBL(0.00)[94.113.69.69:received]; RCVD_TLS_LAST(0.00)[]; R_DKIM_NA(0.00)[]; ASN(0.00)[asn:42000, ipnet:94.124.104.0/21, country:CZ]; MIME_TRACE(0.00)[0:+]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Apr 2021 10:21:41 -0000 On 11/04/2021 21:49, Gian Piero Carrubba wrote: > * [Sun, Apr 11, 2021 at 09:36:05PM +0200] Miroslav Lachman: >> On 11/04/2021 21:21, Gian Piero Carrubba wrote: >>> CCing ports-secteam@ as it seems a more appropriate recipient. >> >> Vulnerabilities in base should be handled by core secteam, not ports >> secteam. > > The maintainer address for vuxml is ports-secteam@, so my impression is > that entries in vuxml, regardless if they affect base or ports, are > managed by them. Am I wrong? Because there are entries mainly for ports and vuxml is port too. But the responsible side for vulnerabilities in base is Security Officer Team. They are publishing SAs, they should create and submit entries to vuxml. They are almost always lacking behind, sometimes for months. I tried created patches with entries in the past because I am the author of base-audit script and maintainer of the port but then it was waiting for a long time to have it confirmed by Security Officer Team. I fought with this many times. Responsibilities of the FreeBSD Ports Security Team https://wiki.freebsd.org/ports-secteam Kind regards Miroslav Lachman From owner-freebsd-security@freebsd.org Tue Apr 13 04:03:13 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id EA82E5D0A9B for ; Tue, 13 Apr 2021 04:03:13 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FKBm06wLPz3lhm for ; Tue, 13 Apr 2021 04:03:12 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: by mail-pf1-x431.google.com with SMTP id o123so10576741pfb.4 for ; Mon, 12 Apr 2021 21:03:12 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=t0AUtgIAqqWyOngGIG7GBZ/XgtrBn94eQXyYDnjTVz0=; b=r2LooPETXlELoX1rDwQTjof9KywjUWW/OrPNnBe6Q64ddlfnOW4Rx6L5NbXqHEcM2W a/XOR/g1jXSTed2RpkJlUEcDgD0eVT02TmYgrxMuiCIsJO5vZ5RUUfuNY1T6XC4YTwqp aP2SspIbK12peR4Q61+pCujj2yb2btAsd1EhYBW5DKffmJt1Vh2lFspcLwuLa/DJcr72 iwVuRsXNuQ6SYNFwLcZbNiUdV0OuMJjvUmeDoyLYQY2axzlAkLKqozL86Uwz1C+yWw4R WNBELLKDwsJQMbb/TnU94/o1EWB9LBIo//cKOat35lAoAr/u6KrzNk+OyQqOWFxE53lZ zjCA== X-Gm-Message-State: AOAM532Ert6Yd0iM/J5gSwBmznnqngBsPHE18Eg4kkCfNF6rak48BUlf K9hKh5ftc4sivAlLELDPdpOfhfpWpnj1 X-Google-Smtp-Source: ABdhPJw1l4u7PWgkNtOxNM5dWimGOl/3RofG4qp2XDN9auLYs4a6DPgOqC+VyeE3dgRqRl9RC2y5QQ== X-Received: by 2002:aa7:8a47:0:b029:24e:22de:de6a with SMTP id n7-20020aa78a470000b029024e22dede6amr5976717pfa.20.1618286590541; Mon, 12 Apr 2021 21:03:10 -0700 (PDT) Received: from ?IPv6:2603:8000:7a00:d288:9dfe:fb02:daf3:71d7? (2603-8000-7a00-d288-9dfe-fb02-daf3-71d7.res6.spectrum.com. [2603:8000:7a00:d288:9dfe:fb02:daf3:71d7]) by smtp.gmail.com with ESMTPSA id z10sm5144201pfe.218.2021.04.12.21.03.09 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 12 Apr 2021 21:03:10 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: Gordon Tetlow Mime-Version: 1.0 (1.0) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm missing in vuxml Date: Mon, 12 Apr 2021 21:03:08 -0700 Message-Id: <9695BE88-A3E7-498D-8A5A-92BCB2E79DBD@tetlows.org> References: Cc: Gian Piero Carrubba , freebsd-security@freebsd.org In-Reply-To: To: Miroslav Lachman <000.fbsd@quip.cz> X-Mailer: iPad Mail (18D70) X-Rspamd-Queue-Id: 4FKBm06wLPz3lhm X-Spamd-Bar: / X-Spamd-Result: default: False [0.47 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[tetlows.org:+]; DMARC_POLICY_ALLOW(-0.50)[tetlows.org,quarantine]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RBL_DBL_DONT_QUERY_IPS(0.00)[2607:f8b0:4864:20::431:from]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[tetlows.org:s=google]; FREEFALL_USER(0.00)[gordon]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; NEURAL_SPAM_SHORT(0.97)[0.966]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; SPAMHAUS_ZRD(0.00)[2607:f8b0:4864:20::431:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_SPAM_LONG(1.00)[1.000]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::431:from]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Apr 2021 04:03:14 -0000 > On Apr 12, 2021, at 03:21, Miroslav Lachman <000.fbsd@quip.cz> wrote: >=20 > =EF=BB=BFOn 11/04/2021 21:49, Gian Piero Carrubba wrote: >> * [Sun, Apr 11, 2021 at 09:36:05PM +0200] Miroslav Lachman: >>>> On 11/04/2021 21:21, Gian Piero Carrubba wrote: >>>>> CCing ports-secteam@ as it seems a more appropriate recipient. >>>=20 >>> Vulnerabilities in base should be handled by core secteam, not ports sec= team. >> The maintainer address for vuxml is ports-secteam@, so my impression is t= hat entries in vuxml, regardless if they affect base or ports, are managed b= y them. Am I wrong? >=20 > Because there are entries mainly for ports and vuxml is port too. But the r= esponsible side for vulnerabilities in base is Security Officer Team. They a= re publishing SAs, they should create and submit entries to vuxml. They are a= lmost always lacking behind, sometimes for months. I tried created patches w= ith entries in the past because I am the author of base-audit script and mai= ntainer of the port but then it was waiting for a long time to have it confi= rmed by Security Officer Team. >=20 > I fought with this many times. Hi there! Secteam has been pretty faithfully putting base issues into vuxml for the pa= st year at least, thanks to the tireless work by Philip. The current issues w= ere committed to vuxml 6 days ago. Apparently, the backend that serves the v= uxml for clients hasn=E2=80=99t been updated for the ports git transition. T= here is a pr for that already and hopefully it will be sorted soon. Regards, Gordon= From owner-freebsd-security@freebsd.org Tue Apr 13 09:12:16 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6C0015D8CD3 for ; Tue, 13 Apr 2021 09:12:16 +0000 (UTC) (envelope-from SRS0=8X+v=JK=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4FKKcb3qvRz4TnB for ; Tue, 13 Apr 2021 09:12:15 +0000 (UTC) (envelope-from SRS0=8X+v=JK=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 47DAE28416; Tue, 13 Apr 2021 11:12:07 +0200 (CEST) Received: from illbsd.quip.test (ip-94-113-69-69.net.upcbroadband.cz [94.113.69.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id E21C72840C; Tue, 13 Apr 2021 11:12:05 +0200 (CEST) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm missing in vuxml To: Gordon Tetlow Cc: Gian Piero Carrubba , freebsd-security@freebsd.org References: <9695BE88-A3E7-498D-8A5A-92BCB2E79DBD@tetlows.org> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: <9cb63bdb-9d71-88cb-7a6e-1dcd25609e8a@quip.cz> Date: Tue, 13 Apr 2021 11:12:05 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <9695BE88-A3E7-498D-8A5A-92BCB2E79DBD@tetlows.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 4FKKcb3qvRz4TnB X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of SRS0=8X@elsa.codelab.cz has no SPF policy when checking 94.124.105.4) smtp.mailfrom=SRS0=8X@elsa.codelab.cz X-Spamd-Result: default: False [0.71 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; NEURAL_HAM_SHORT(-0.49)[-0.494]; FORGED_SENDER(0.30)[000.fbsd@quip.cz,SRS0=8X@elsa.codelab.cz]; RECEIVED_SPAMHAUS_PBL(0.00)[94.113.69.69:received]; RCVD_TLS_LAST(0.00)[]; R_DKIM_NA(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[94.124.105.4:from]; TAGGED_FROM(0.00)[v=JK=quip.cz=000.fbsd]; FROM_NEQ_ENVFROM(0.00)[000.fbsd@quip.cz,SRS0=8X@elsa.codelab.cz]; ASN(0.00)[asn:42000, ipnet:94.124.104.0/21, country:CZ]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; MIME_GOOD(-0.10)[text/plain]; MIME_TRACE(0.00)[0:+]; AUTH_NA(1.00)[]; DMARC_NA(0.00)[quip.cz]; SPAMHAUS_ZRD(0.00)[94.124.105.4:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_SPAM_LONG(1.00)[1.000]; R_SPF_NA(0.00)[no SPF record]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Apr 2021 09:12:16 -0000 On 13/04/2021 06:03, Gordon Tetlow wrote: > >> On Apr 12, 2021, at 03:21, Miroslav Lachman <000.fbsd@quip.cz> wrote: >> >> On 11/04/2021 21:49, Gian Piero Carrubba wrote: >>> * [Sun, Apr 11, 2021 at 09:36:05PM +0200] Miroslav Lachman: >>>>> On 11/04/2021 21:21, Gian Piero Carrubba wrote: >>>>>> CCing ports-secteam@ as it seems a more appropriate recipient. >>>> >>>> Vulnerabilities in base should be handled by core secteam, not ports secteam. >>> The maintainer address for vuxml is ports-secteam@, so my impression is that entries in vuxml, regardless if they affect base or ports, are managed by them. Am I wrong? >> >> Because there are entries mainly for ports and vuxml is port too. But the responsible side for vulnerabilities in base is Security Officer Team. They are publishing SAs, they should create and submit entries to vuxml. They are almost always lacking behind, sometimes for months. I tried created patches with entries in the past because I am the author of base-audit script and maintainer of the port but then it was waiting for a long time to have it confirmed by Security Officer Team. >> >> I fought with this many times. > > Hi there! > > Secteam has been pretty faithfully putting base issues into vuxml for the past year at least, thanks to the tireless work by Philip. The current issues were committed to vuxml 6 days ago. Apparently, the backend that serves the vuxml for clients hasn’t been updated for the ports git transition. There is a pr for that already and hopefully it will be sorted soon. Good to hear that. I hope it will be fixed soon. Kind regards Miroslav Lachman From owner-freebsd-security@freebsd.org Tue Apr 13 09:16:46 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6CD2B5D91E1 for ; Tue, 13 Apr 2021 09:16:46 +0000 (UTC) (envelope-from gpiero@rm-rf.it) Received: from serafino.rm-rf.it (serafino.rm-rf.it [192.165.67.94]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4FKKjn208wz4VNw for ; Tue, 13 Apr 2021 09:16:44 +0000 (UTC) (envelope-from gpiero@rm-rf.it) Received: from valentina.fdc.rm-rf.it (valentina.fdc.rm-rf.it [192.168.192.1]) by serafino.fdc.rm-rf.it (OpenSMTPD) with ESMTP id 35949911 for ; Tue, 13 Apr 2021 11:16:35 +0200 (CEST) Received: from robinhood.fdc.rm-rf.it (robinhood.fdc.rm-rf.it [192.168.192.50]) by valentina.fdc.rm-rf.it (Postfix) with ESMTP id DD36B1F6C2 for ; Tue, 13 Apr 2021 11:16:34 +0200 (CEST) Received: by robinhood.fdc.rm-rf.it (Postfix, from userid 1000) id A34C6601F2E; Tue, 13 Apr 2021 11:16:34 +0200 (CEST) Date: Tue, 13 Apr 2021 11:16:34 +0200 From: Gian Piero Carrubba To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm missing in vuxml Message-ID: <20210413091634.esu5d5wz5n66ogpq@robinhood.fdc.rm-rf.it> References: <9695BE88-A3E7-498D-8A5A-92BCB2E79DBD@tetlows.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <9695BE88-A3E7-498D-8A5A-92BCB2E79DBD@tetlows.org> X-Rspamd-Queue-Id: 4FKKjn208wz4VNw X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of gpiero@rm-rf.it designates 192.165.67.94 as permitted sender) smtp.mailfrom=gpiero@rm-rf.it X-Spamd-Result: default: False [0.68 / 15.00]; ARC_NA(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[192.165.67.94:from]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:192.165.67.94]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[192.165.67.94:from:127.0.2.255]; RCVD_COUNT_THREE(0.00)[3]; DMARC_NA(0.00)[rm-rf.it]; NEURAL_SPAM_SHORT(0.98)[0.978]; NEURAL_SPAM_LONG(1.00)[1.000]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:34971, ipnet:192.165.67.0/24, country:IT]; RCVD_TLS_LAST(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Apr 2021 09:16:46 -0000 * [Mon, Apr 12, 2021 at 09:03:08PM -0700] Gordon Tetlow via freebsd-security: >The current issues were committed to vuxml 6 days ago. Apparently, the >backend that serves the vuxml for clients hasn’t been updated for the >ports git transition. There is a pr for that already and hopefully it >will be sorted soon. Those issues appear to have been merged now, thank you all. Cheers, Gian Piero. From owner-freebsd-security@freebsd.org Wed Apr 14 15:44:12 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id A53135DE6D2 for ; Wed, 14 Apr 2021 15:44:12 +0000 (UTC) (envelope-from mike@sentex.net) Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [IPv6:2607:f3e0:0:3::19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "pyroxene.sentex.ca", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FL6GM31fgz3Qjv for ; Wed, 14 Apr 2021 15:44:11 +0000 (UTC) (envelope-from mike@sentex.net) Received: from [IPv6:2607:f3e0:0:4:d539:d03a:62c3:4682] ([IPv6:2607:f3e0:0:4:d539:d03a:62c3:4682]) by pyroxene2a.sentex.ca (8.16.1/8.15.2) with ESMTPS id 13EFi5A0078236 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO) for ; Wed, 14 Apr 2021 11:44:05 -0400 (EDT) (envelope-from mike@sentex.net) To: "freebsd-security@freebsd.org" From: mike tancsa Subject: name:wrek vulnerabilities ? Message-ID: Date: Wed, 14 Apr 2021 11:44:06 -0400 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.9.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Content-Language: en-US X-Rspamd-Queue-Id: 4FL6GM31fgz3Qjv X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:3::19 as permitted sender) smtp.mailfrom=mike@sentex.net X-Spamd-Result: default: False [0.95 / 15.00]; R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32]; HFILTER_HELO_IP_A(1.00)[pyroxene2a.sentex.ca]; HFILTER_HELO_NORES_A_OR_MX(0.30)[pyroxene2a.sentex.ca]; NEURAL_HAM_SHORT(-0.99)[-0.991]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RBL_DBL_DONT_QUERY_IPS(0.00)[2607:f3e0:0:3::19:from]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; R_DKIM_NA(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FREEFALL_USER(0.00)[mike]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; SUBJECT_ENDS_QUESTION(1.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[2607:f3e0:0:3::19:from:127.0.2.255]; DMARC_NA(0.00)[sentex.net]; NEURAL_SPAM_LONG(0.95)[0.946]; TO_DN_EQ_ADDR_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Apr 2021 15:44:12 -0000 I heard about this on the ISC stormcast podcast this AM, but I cant quite make heads or tails of if/when what was patched with respect to FreeBSD. https://www.forescout.com/company/blog/forescout-and-jsof-disclose-new-dn= s-vulnerabilities-impacting-millions-of-enterprise-and-consumer-devices/ They have a dhclient one I think is https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc= , but the report somewhat ambiguously writes there is a new one ? "Table 3 =E2=80=93 New vulnerabilities in NAME:WRECK. Rows are colored ac= cording to the CVSS score: yellow for medium or high and red for critical." Yet the CVE ref is the above SA 20:26?! So this is new or this is just a paper talking about a bug patched last August ? =C2=A0=C2=A0=C2=A0 ---Mike From owner-freebsd-security@freebsd.org Wed Apr 14 16:21:01 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id B59D95E0489 for ; Wed, 14 Apr 2021 16:21:01 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FL74r6trTz3j8b for ; Wed, 14 Apr 2021 16:21:00 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: by mail-qk1-x734.google.com with SMTP id d15so8995251qkc.9 for ; Wed, 14 Apr 2021 09:21:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=5fYAsweYbd7s1qqSI8ElsMGQW3bDjig2VkxQb9XG5nw=; b=HqCit57Baj/2srkh8aUI3H0cDdzfRnEyns03hDMs8BwU5oQ9YekmDJ1SRguwx05Mn3 I1QQVh8hiAlRTv27bnpdCJHOyyB9HDYegyPRIpFndNYE4Er8dVCXdCdzetxNxtNHudNH xI62NkOqM8G6tOay+I4MZ8DgvnPcdRB3tfDU1qo3BH/+nl8j5HUX9xOngstz4mFf6aey sQNxwZeZTcNfJ2OUzh+epSLLWj/hQZm5WCiPmTOLcR+a4m3nZoLKwDVbiClxhm/5t3XK VFr9JQ8JLXls1MSfc5fPIl8tF2nLCZ24l8fMr7MV5CcCI/5s1AdjzCJ8rli7mDgIafL8 zXug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=5fYAsweYbd7s1qqSI8ElsMGQW3bDjig2VkxQb9XG5nw=; b=diPg3zhH8pIUXasEB9kShUDyw6Qrr5MzQ0nw3EKDInhbwTZayU7etGrI9DtfSQB/cH 3D0VtdaxzyTInm/T+foAnXD2vNSGtRjlGL3VOBv766uUFdEg13gEb+bOEaBIsIcsjuPD 9tF5u+Mmq9cM3I0iujnPm+A/fkA8ISOjsrNQaKcUjVJiNbZtm2TcUtPtyf/HsZUilRuA UUWS4bdOSXm+37FIS12FE81eg4KkBvZcB6N0Ncebsx0StpJ+iFnmXIcfvD6uU/iZa/3k nRjYwMAPPOKyLfRgYJ/3MioIFKN1XRucgWn7M8YbUKhk4VpVLnnwVbDxp9eIhxCZtjmJ 9SPg== X-Gm-Message-State: AOAM530rDJpaQE4r6oFGZ2Cj7VH9DHF8w97cQlx53DSnyjKYkGwxIEXA PCzDc+6SrxL7d3O0obRxaXhM6NlSe/Ti+zKy X-Google-Smtp-Source: ABdhPJxcP4bn6uzdCT729hV2agHystGMhDT9wAAHY2TQGQQfxx00e2zX5PFa5cZHdwKrRozCcXJXDg== X-Received: by 2002:a37:b947:: with SMTP id j68mr32133322qkf.108.1618417259861; Wed, 14 Apr 2021 09:20:59 -0700 (PDT) Received: from mutt-hbsd (pool-100-16-222-53.bltmmd.fios.verizon.net. [100.16.222.53]) by smtp.gmail.com with ESMTPSA id 81sm11729518qkl.121.2021.04.14.09.20.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Apr 2021 09:20:59 -0700 (PDT) Date: Wed, 14 Apr 2021 12:20:58 -0400 From: Shawn Webb To: mike tancsa Cc: "freebsd-security@freebsd.org" Subject: Re: name:wrek vulnerabilities ? Message-ID: <20210414162058.mrhv7cnyxrad5n7e@mutt-hbsd> X-Operating-System: FreeBSD mutt-hbsd 14.0-CURRENT-HBSD FreeBSD 14.0-CURRENT-HBSD X-PGP-Key: https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/blob/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="xb2u6txeaf73mpzi" Content-Disposition: inline In-Reply-To: X-Rspamd-Queue-Id: 4FL74r6trTz3j8b X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=hardenedbsd.org header.s=google header.b=HqCit57B; dmarc=none; spf=pass (mx1.freebsd.org: domain of shawn.webb@hardenedbsd.org designates 2607:f8b0:4864:20::734 as permitted sender) smtp.mailfrom=shawn.webb@hardenedbsd.org X-Spamd-Result: default: False [-4.10 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[hardenedbsd.org:+]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_HAM_SHORT(-1.00)[-1.000]; SIGNED_PGP(-2.00)[]; FROM_EQ_ENVFROM(0.00)[]; SUBJECT_ENDS_QUESTION(1.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[2607:f8b0:4864:20::734:from]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MIME_TRACE(0.00)[0:+,1:+,2:~]; RECEIVED_SPAMHAUS_PBL(0.00)[100.16.222.53:received]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[hardenedbsd.org:s=google]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[hardenedbsd.org]; SPAMHAUS_ZRD(0.00)[2607:f8b0:4864:20::734:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::734:from]; MID_RHS_NOT_FQDN(0.50)[]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Apr 2021 16:21:01 -0000 --xb2u6txeaf73mpzi Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Apr 14, 2021 at 11:44:06AM -0400, mike tancsa wrote: > I heard about this on the ISC stormcast podcast this AM, but I cant > quite make heads or tails of if/when what was patched with respect to > FreeBSD. >=20 > https://www.forescout.com/company/blog/forescout-and-jsof-disclose-new-dn= s-vulnerabilities-impacting-millions-of-enterprise-and-consumer-devices/ >=20 > They have a dhclient one I think is > https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc, > but the report somewhat ambiguously writes there is a new one ? >=20 > "Table 3 =E2=80=93 New vulnerabilities in NAME:WRECK. Rows are colored ac= cording > to the CVSS score: yellow for medium or high and red for critical." Yet > the CVE ref is the above SA 20:26?! So this is new or this is just a > paper talking about a bug patched last August ? The paper's referencing a bug that's already fixed in all supported versions of FreeBSD. A lot of hand waving just for "nothing to see here, move along" if your systems are up-to-date. The commit that fixed the vulnerability is 8f594d4355a16f963e246be0b88b9fba8ad77049, made on 31 Aug 2020. That's over a half a year ago. Thanks, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A= 4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc --xb2u6txeaf73mpzi Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAmB3FmcACgkQ/y5nonf4 4foLmg//QoRJtxfZeGf7IdWnH+NefnI3Xvy7zipHFBC+H4Mo0buWNjIQL7z39vjz sTee16eIw/vsg3PmQSkqGURCVko+y1tffW19+tgW3ONVJPuL77QkMM18BjPafy4v U2DvCNSiAq6tvEhlXKgTEN5c0wTRnEp0qfBNXLDar4MOjOgVzfhTYFyJo5Gf2DnM u2HCooe76enJPv5b9ytgCxAbyxRqs2XRFiUV+aN+bPLIfRR1t3qulpe2pIpGWW/C SlMSC5KFklUU7UmWwr5pVsv/p6av/BZwRLeeEDw255kIxGyTvqbrGt5rjW33qgca HskiUv94vfKgqeRO5Our0HpMU7ASR7kr79iGD7vCfnKMsQiVjWED5fMShWnmT1Up JfAgfH342fVSK1Jij1bGRNiu+DtwonKuUicA+n0Ej/CnOA4sdoLNKB82y5MeVMVB 01+3grfTSU7Gq5HoYe+P1+HV47E4nWyYn1AenVdkOvuvna59DiwKg9bv7tix4Y7t bgzatQMvVt4IVwEYaTJC3d0uvangEBjKZfzzLpRPE5hghNt83Sr2FCqgbR+RL7Ob BRHkebWqDRtli7ZIXnPKULu9nmXzEvRyDHb1ogqoMY4feY5RPGFMH1RIoO+Xn3rh tOOq/U5ipmxCT/8xrmN6kiMD0YDjcqTBOJgsjmug4LltOTUhtuA= =Xie7 -----END PGP SIGNATURE----- --xb2u6txeaf73mpzi-- From owner-freebsd-security@freebsd.org Wed Apr 14 16:30:37 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 81AB85E097D for ; Wed, 14 Apr 2021 16:30:37 +0000 (UTC) (envelope-from mike@sentex.net) Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [IPv6:2607:f3e0:0:3::19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "pyroxene.sentex.ca", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FL7Hw4Bc6z3jWc for ; Wed, 14 Apr 2021 16:30:36 +0000 (UTC) (envelope-from mike@sentex.net) Received: from [IPv6:2607:f3e0:0:4:d539:d03a:62c3:4682] ([IPv6:2607:f3e0:0:4:d539:d03a:62c3:4682]) by pyroxene2a.sentex.ca (8.16.1/8.15.2) with ESMTPS id 13EGUZvG093628 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Wed, 14 Apr 2021 12:30:35 -0400 (EDT) (envelope-from mike@sentex.net) Subject: Re: name:wrek vulnerabilities ? To: Shawn Webb Cc: "freebsd-security@freebsd.org" References: <20210414162058.mrhv7cnyxrad5n7e@mutt-hbsd> From: mike tancsa Message-ID: Date: Wed, 14 Apr 2021 12:30:36 -0400 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.9.1 MIME-Version: 1.0 In-Reply-To: <20210414162058.mrhv7cnyxrad5n7e@mutt-hbsd> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US X-Rspamd-Queue-Id: 4FL7Hw4Bc6z3jWc X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:3::19 as permitted sender) smtp.mailfrom=mike@sentex.net X-Spamd-Result: default: False [-1.00 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32]; HFILTER_HELO_IP_A(1.00)[pyroxene2a.sentex.ca]; HFILTER_HELO_NORES_A_OR_MX(0.30)[pyroxene2a.sentex.ca]; NEURAL_HAM_SHORT(-1.00)[-1.000]; RCPT_COUNT_TWO(0.00)[2]; FROM_EQ_ENVFROM(0.00)[]; SUBJECT_ENDS_QUESTION(1.00)[]; R_DKIM_NA(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[2607:f3e0:0:3::19:from]; MID_RHS_MATCH_FROM(0.00)[]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FREEFALL_USER(0.00)[mike]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MIME_TRACE(0.00)[0:+]; DMARC_NA(0.00)[sentex.net]; SPAMHAUS_ZRD(0.00)[2607:f3e0:0:3::19:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Apr 2021 16:30:37 -0000 On 4/14/2021 12:20 PM, Shawn Webb wrote: > The commit that fixed the vulnerability is > 8f594d4355a16f963e246be0b88b9fba8ad77049, made on 31 Aug 2020. That's > over a half a year ago. Thanks, thats what I thought. Wasnt sure why this was being presented as new ?!     ---Mike