From nobody Sun Dec 12 20:40:23 2021 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id B514418E6C63 for ; Sun, 12 Dec 2021 20:40:37 +0000 (UTC) (envelope-from cli_junkie@protonmail.com) Received: from mail-40137.protonmail.ch (mail-40137.protonmail.ch [185.70.40.137]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "protonmail.com", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JBxNh5Jgqz4ZMt for ; Sun, 12 Dec 2021 20:40:36 +0000 (UTC) (envelope-from cli_junkie@protonmail.com) Date: Sun, 12 Dec 2021 20:40:23 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail2; t=1639341628; bh=sm93p0LV/qtUjqZr47BqADc4XSBypiuf9u/Ug0wAqtg=; h=Date:To:From:Reply-To:Subject:Message-ID:In-Reply-To:References: From:To:Cc; b=AQxk8yDztRRi7m4m1IpYA7d5zaotK+oW03FHjFAgXERo5/ZI/TWaBrYzOHwMgBVK1 tXYlr3PIWfktRjg81RLbFoe1aOFX2wwWO5WWRSCYN9C801lTqrIg6uMvd9kLXTbTqu 1jmRMJuqJp3v0flWj2MEk0O6git9HFLGckivLmza6xFP2yNHEeoHl6zUcMydCDzDH5 0m2T1DcXQ+nRmadZ/ULLALs1eFA2mFyxaEFhtQ7GRZRqzZqceMC/TXsain87d/dnP3 6vHWxtfIwbxtdd0wN11QOcYl4S66tHFfAZk11GK2LhuY/mcec0YA5swbHAMPL0EeWK oAdZ/aErIdYzg== To: "freebsd-security@freebsd.org" Reply-To: Pat Subject: Re: Expired key for signed checksums Message-ID: In-Reply-To: <20211104191742.GK69504@FreeBSD.org> References: <20211104191742.GK69504@FreeBSD.org> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,FREEMAIL_REPLYTO shortcircuit=no autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mailout.protonmail.ch X-Rspamd-Queue-Id: 4JBxNh5Jgqz4ZMt X-Spamd-Bar: + Authentication-Results: mx1.freebsd.org; dkim=pass header.d=protonmail.com header.s=protonmail2 header.b=AQxk8yDz; dmarc=pass (policy=quarantine) header.from=protonmail.com; spf=pass (mx1.freebsd.org: domain of cli_junkie@protonmail.com designates 185.70.40.137 as permitted sender) smtp.mailfrom=cli_junkie@protonmail.com X-Spamd-Result: default: False [1.81 / 15.00]; HAS_REPLYTO(0.00)[cli_junkie@protonmail.com]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[protonmail.com:s=protonmail2]; REPLYTO_EQ_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; FREEMAIL_FROM(0.00)[protonmail.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; FREEMAIL_REPLYTO(0.00)[protonmail.com]; NEURAL_SPAM_SHORT(0.81)[0.813]; NEURAL_SPAM_MEDIUM(1.00)[0.998]; RCPT_COUNT_ONE(0.00)[1]; R_SPF_ALLOW(-0.20)[+ip4:185.70.40.0/24]; DKIM_TRACE(0.00)[protonmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[protonmail.com,quarantine]; NEURAL_SPAM_LONG(1.00)[0.996]; TO_DN_EQ_ADDR_ALL(0.00)[]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[protonmail.com]; ASN(0.00)[asn:62371, ipnet:185.70.40.0/24, country:CH]; MID_RHS_MATCH_FROM(0.00)[]; RWL_MAILSPIKE_VERYGOOD(0.00)[185.70.40.137:from] Reply-To: cli_junkie@protonmail.com From: Pat via freebsd-security X-Original-From: Pat X-ThisMailContainsUnwantedMimeParts: N =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me= ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 On Thursday, November 4, 2021 7:17 PM, Glen Barber wrote: > On Thu, Nov 04, 2021 at 07:01:50PM +0000, Pat via freebsd-security wrote: > > > Hello, > > I am trying to verify the signed checksum file for FreeBSD 13, but the = key that > > gets checked is showing to be expired: > > $ gpg --keyserver-options auto-key-retrieve \ > > --keyserver hkps://keyserver.ubuntu.com:443 \ > > --verify CHECKSUM.SHA256-FreeBSD-13.0-RELEASE-amd64.asc > > gpg: Signature made Tue Apr 13 10:45:44 2021 CDT > > gpg: using RSA key 8D12403C2E6CAB086CF64DA3031458A5478FE293 > > gpg: requesting key 031458A5478FE293 from hkps server keyserver.ubuntu.= com > > gpg: key 524F0C37A0B946A3: 76 signatures not checked due to missing key= s > > gpg: key 524F0C37A0B946A3: public key "Glen Barber gjb@FreeBSD.org" imp= orted > > gpg: no ultimately trusted keys found > > gpg: Total number processed: 1 > > gpg: imported: 1 > > gpg: Good signature from "Glen Barber gjb@FreeBSD.org" [expired] > > gpg: aka "Glen Barber glen.j.barber@gmail.com" [expired] > > gpg: aka "Glen Barber gjb@keybase.io" [expired] > > gpg: aka "Glen Barber gjb@glenbarber.us" [expired] > > gpg: Note: This key has expired! > > Primary key fingerprint: 78B3 42BA 26C7 B2AC 681E A7BE 524F 0C37 A0B9 4= 6A3 > > Subkey fingerprint: 8D12 403C 2E6C AB08 6CF6 4DA3 0314 58A5 478F E293 > > It does not matter what keyserver I try, I get the same expiration mess= age. Yet > > I see the key expiration was bumped[0]. How would I go about getting th= e updated > > key? Or am I just going about this all wrong? > > https://docs.freebsd.org/en/articles/pgpkeys/#_glen_barber_gjbfreebsd_org > > Glen Thank you Glen, and apologies for the extreme delay in acknowledging your reply and my success at importing the key. I do appreciate you having taken the time to reply, despite taking five weeks to say that. :) From nobody Tue Dec 14 11:15:06 2021 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 2478F18E186B for ; Tue, 14 Dec 2021 11:15:17 +0000 (UTC) (envelope-from david@isnic.is) Received: from mx01.isnic.is (mx01.isnic.is [193.4.58.133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mx01.isnic.is", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JCwlR2z2Gz3kRk for ; Tue, 14 Dec 2021 11:15:15 +0000 (UTC) (envelope-from david@isnic.is) Received: from localhost (wg-client01.isnic.is [185.93.159.98]) by mx01.isnic.is (Postfix) with ESMTPS id 5606E22AA7 for ; Tue, 14 Dec 2021 11:15:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isnic.is; s=20200921; t=1639480507; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=J5DH3mR322vML/+g/gCFVru2+26Dxl2Q4lG8UBZxTEc=; b=ZjK4RxnBpX/9AOwfjaJflaCdd3QJfl3dUJQ842N3z5RRZNlWwUoKuPVu1fnDrFGm2cphUU vThQOk7QjuIsU6Mm5WosWpUDLeB+IUtrhQmh4KQRQKkI+Z9TxlagsyCQ/lIjX+raFQigqE F9YZFzRBJduPC0Rtvma3rZgkLoycWP1Ovzi5/UVvPJmR56CZgGTL7DYnwX4bZLFi57MzPT iBnTY764KCmL47wWhQCR0t0iDSFxnpKGLTZdHvF9OJWelBPHAwAXI/PLXQ9uqxmrOjsDb1 83bBkWQl2Vms0zx2Jj6XSnDdGhuPaUN/U2rI6jLXoDUh0vr8tjN6G48MwZ8pCQ== Date: Tue, 14 Dec 2021 11:15:06 +0000 From: =?iso-8859-1?B?RGF27fA=?= Steinn Geirsson To: freebsd-security Subject: Re: Expired key for signed checksums Message-ID: References: <20211104191742.GK69504@FreeBSD.org> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="4IyCy8Ey7W0PJnCI" Content-Disposition: inline In-Reply-To: X-Rspamd-Queue-Id: 4JCwlR2z2Gz3kRk X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=isnic.is header.s=20200921 header.b=ZjK4RxnB; dmarc=pass (policy=none) header.from=isnic.is; spf=pass (mx1.freebsd.org: domain of david@isnic.is designates 193.4.58.133 as permitted sender) smtp.mailfrom=david@isnic.is X-Spamd-Result: default: False [-2.49 / 15.00]; MID_RHS_NOT_FQDN(0.50)[]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[isnic.is:s=20200921]; FREEFALL_USER(0.00)[david]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:193.4.58.0/23]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; NEURAL_HAM_LONG(-1.00)[-1.000]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[isnic.is:+]; DMARC_POLICY_ALLOW(-0.50)[isnic.is,none]; NEURAL_SPAM_SHORT(1.00)[1.000]; SIGNED_PGP(-2.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; R_MIXED_CHARSET(1.11)[subject]; ASN(0.00)[asn:1850, ipnet:193.4.58.0/23, country:IS]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N --4IyCy8Ey7W0PJnCI Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Dec 12, 2021 at 08:40:23PM +0000, Pat via freebsd-security wrote: > =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original = Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 > On Thursday, November 4, 2021 7:17 PM, Glen Barber wrot= e: >=20 > > On Thu, Nov 04, 2021 at 07:01:50PM +0000, Pat via freebsd-security wrot= e: > > > > > Hello, > > > I am trying to verify the signed checksum file for FreeBSD 13, but th= e key that > > > gets checked is showing to be expired: > > > $ gpg --keyserver-options auto-key-retrieve \ > > > --keyserver hkps://keyserver.ubuntu.com:443 \ > > > --verify CHECKSUM.SHA256-FreeBSD-13.0-RELEASE-amd64.asc > > > gpg: Signature made Tue Apr 13 10:45:44 2021 CDT > > > gpg: using RSA key 8D12403C2E6CAB086CF64DA3031458A5478FE293 > > > gpg: requesting key 031458A5478FE293 from hkps server keyserver.ubunt= u.com > > > gpg: key 524F0C37A0B946A3: 76 signatures not checked due to missing k= eys > > > gpg: key 524F0C37A0B946A3: public key "Glen Barber gjb@FreeBSD.org" i= mported > > > gpg: no ultimately trusted keys found > > > gpg: Total number processed: 1 > > > gpg: imported: 1 > > > gpg: Good signature from "Glen Barber gjb@FreeBSD.org" [expired] > > > gpg: aka "Glen Barber glen.j.barber@gmail.com" [expired] > > > gpg: aka "Glen Barber gjb@keybase.io" [expired] > > > gpg: aka "Glen Barber gjb@glenbarber.us" [expired] > > > gpg: Note: This key has expired! > > > Primary key fingerprint: 78B3 42BA 26C7 B2AC 681E A7BE 524F 0C37 A0B9= 46A3 > > > Subkey fingerprint: 8D12 403C 2E6C AB08 6CF6 4DA3 0314 58A5 478F E293 > > > It does not matter what keyserver I try, I get the same expiration me= ssage. Yet > > > I see the key expiration was bumped[0]. How would I go about getting = the updated > > > key? Or am I just going about this all wrong? > > > > https://docs.freebsd.org/en/articles/pgpkeys/#_glen_barber_gjbfreebsd_o= rg > > > > Glen > Thank you Glen, and apologies for the extreme delay in acknowledging > your reply and my success at importing the key. I do appreciate you > having taken the time to reply, despite taking five weeks to say that. >=20 > :) >=20 I think the website could use some better guidance on this. That page has a lot of keys for a lot of people. Are they all trusted to sign FreeBSD releases? Assuming that they're not, it would be great if the signatures page were updated to include a list of keys that are expected to sign a release. https://www.freebsd.org/releases/13.0R/signatures/ I say this because I had problems finding this as well when writing our deployment automation. It's the reason why I did not automate grabbing new releases and verifying them, and still leave that as a manual human step. -Dav=C3=AD=C3=B0 --4IyCy8Ey7W0PJnCI Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEvylfYbt7o3c60Grm/+HlKLuPmJoFAmG4fLoACgkQ/+HlKLuP mJrxcgf8DuejJv87oKg5vxub6RZNUh7n6wkxqqvPK3TZbOLZfwXQ9zcWOxv6eE6m Ysgl12QSvb9NofvY2hKLGavfOs6n4fK8mf0gJW6YpVr1Ch6ot1pWGv/AOH6lYThs /zbQugRw24nIVHKIXY0PZEgklHBaMab9GgqxCg1kHxpFjEOjZ9fH+aDhOVfn5ooC wCFQxOPJKbcvDMtLnLbgeUUM++hqgP1USUyDpsgtHcnk4VerP4EGV6mfCrO1lis0 RLSISlE+moFlEaG8gDjOJtVh8/Zl+Yri5YKGAkWaaxriQJvjlVTIa0EGeUVHzpLi aBsg9mK/Zm+jymxrrX2NHuQAfGtj1A== =DDnN -----END PGP SIGNATURE----- --4IyCy8Ey7W0PJnCI-- From nobody Wed Dec 15 22:38:48 2021 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 931A718E4C8E for ; Wed, 15 Dec 2021 22:38:58 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gate2.funkthat.com", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JDqss5HHxz4m34 for ; Wed, 15 Dec 2021 22:38:57 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.15.2/8.15.2) with ESMTPS id 1BFMcn2H078378 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 15 Dec 2021 14:38:49 -0800 (PST) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.15.2/8.15.2/Submit) id 1BFMcmQi078374; Wed, 15 Dec 2021 14:38:48 -0800 (PST) (envelope-from jmg) Date: Wed, 15 Dec 2021 14:38:48 -0800 From: John-Mark Gurney To: =?iso-8859-1?B?RGF27fA=?= Steinn Geirsson Cc: freebsd-security Subject: Re: Expired key for signed checksums Message-ID: <20211215223848.GZ35602@funkthat.com> Mail-Followup-To: =?iso-8859-1?B?RGF27fA=?= Steinn Geirsson , freebsd-security References: <20211104191742.GK69504@FreeBSD.org> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Qrgsu6vtpU/OV/zm" Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD 11.3-STABLE amd64 X-PGP-Fingerprint: D87A 235F FB71 1F3F 55B7 ED9B D5FF 5A51 C0AC 3D65 X-Files: The truth is out there X-URL: https://www.funkthat.com/ X-Resume: https://www.funkthat.com/~jmg/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.6.1 (2016-04-27) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (gold.funkthat.com [127.0.0.1]); Wed, 15 Dec 2021 14:38:49 -0800 (PST) X-Rspamd-Queue-Id: 4JDqss5HHxz4m34 X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of jmg@gold.funkthat.com has no SPF policy when checking 208.87.223.18) smtp.mailfrom=jmg@gold.funkthat.com X-Spamd-Result: default: False [-3.87 / 15.00]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[jmg]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_MEDIUM(-0.97)[-0.973]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; DMARC_NA(0.00)[funkthat.com]; AUTH_NA(1.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-1.000]; RCPT_COUNT_TWO(0.00)[2]; SIGNED_PGP(-2.00)[]; FORGED_SENDER(0.30)[jmg@funkthat.com,jmg@gold.funkthat.com]; R_SPF_NA(0.00)[no SPF record]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ASN(0.00)[asn:32354, ipnet:208.87.216.0/21, country:US]; FROM_NEQ_ENVFROM(0.00)[jmg@funkthat.com,jmg@gold.funkthat.com]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N --Qrgsu6vtpU/OV/zm Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Dav Steinn Geirsson wrote this message on Tue, Dec 14, 2021 at 11:15 +0000: > On Sun, Dec 12, 2021 at 08:40:23PM +0000, Pat via freebsd-security wrote: > > ????????????????????? Original Message ????????????????????? > > On Thursday, November 4, 2021 7:17 PM, Glen Barber wr= ote: > >=20 > > > On Thu, Nov 04, 2021 at 07:01:50PM +0000, Pat via freebsd-security wr= ote: > > > > > > > Hello, > > > > I am trying to verify the signed checksum file for FreeBSD 13, but = the key that > > > > gets checked is showing to be expired: > > > > $ gpg --keyserver-options auto-key-retrieve \ > > > > --keyserver hkps://keyserver.ubuntu.com:443 \ > > > > --verify CHECKSUM.SHA256-FreeBSD-13.0-RELEASE-amd64.asc > > > > gpg: Signature made Tue Apr 13 10:45:44 2021 CDT > > > > gpg: using RSA key 8D12403C2E6CAB086CF64DA3031458A5478FE293 > > > > gpg: requesting key 031458A5478FE293 from hkps server keyserver.ubu= ntu.com > > > > gpg: key 524F0C37A0B946A3: 76 signatures not checked due to missing= keys > > > > gpg: key 524F0C37A0B946A3: public key "Glen Barber gjb@FreeBSD.org"= imported > > > > gpg: no ultimately trusted keys found > > > > gpg: Total number processed: 1 > > > > gpg: imported: 1 > > > > gpg: Good signature from "Glen Barber gjb@FreeBSD.org" [expired] > > > > gpg: aka "Glen Barber glen.j.barber@gmail.com" [expired] > > > > gpg: aka "Glen Barber gjb@keybase.io" [expired] > > > > gpg: aka "Glen Barber gjb@glenbarber.us" [expired] > > > > gpg: Note: This key has expired! > > > > Primary key fingerprint: 78B3 42BA 26C7 B2AC 681E A7BE 524F 0C37 A0= B9 46A3 > > > > Subkey fingerprint: 8D12 403C 2E6C AB08 6CF6 4DA3 0314 58A5 478F E2= 93 > > > > It does not matter what keyserver I try, I get the same expiration = message. Yet > > > > I see the key expiration was bumped[0]. How would I go about gettin= g the updated > > > > key? Or am I just going about this all wrong? > > > > > > https://docs.freebsd.org/en/articles/pgpkeys/#_glen_barber_gjbfreebsd= _org > > > > > > Glen > > Thank you Glen, and apologies for the extreme delay in acknowledging > > your reply and my success at importing the key. I do appreciate you > > having taken the time to reply, despite taking five weeks to say that. > >=20 > > :) > >=20 >=20 > I think the website could use some better guidance on this. That page has= a > lot of keys for a lot of people. Are they all trusted to sign FreeBSD > releases? >=20 > Assuming that they're not, it would be great if the signatures page were > updated to include a list of keys that are expected to sign a release. > https://www.freebsd.org/releases/13.0R/signatures/ >=20 > I say this because I had problems finding this as well when writing our > deployment automation. It's the reason why I did not automate grabbing > new releases and verifying them, and still leave that as a manual human > step. Yeah, I recently updated snapaid.sh to point to the new location. https://funkthat.com/gitea/jmg/snapaid I do wish there was better guidence on this as well. Because if/when the existing signing key is compromised, there is not a documented way (that I know of) to handle updating all the past release's signatures to the new, uncompromised key. Because if/when the existing key is compromised, it's easy to sign a new announcement that verifies w/ hashes of compromised images. --=20 John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." --Qrgsu6vtpU/OV/zm Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQJ8BAEBCgBmBQJhum52XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MEI1RTRGMTNDNzYyMDZDNjEyMDBCNjAy MDVGMEIzM0REMDA2QURBAAoJECBfCzPdAGraw40P+wS8IMFGheoT0VHbLXu585up zpYnf8igJHGTOi8WG/Zm/ofCicYPVf9jpZq8d1gHSBfHVAHTiLrPs5rEwb1ZC6pz Ubp5QXqLf4MdG87b9wE4/ia9yOH5UA4NBAP2T2UyozU+KDsrByR6RmxTnehxgzux A3Ephu16/NE7WS904h01iVzo4mjMPqavqn39CsZCEwzbKL2hWlCsJsbEbR3sE8qJ Ns/qBxYcVyIMVpvti0lBwBPHDA2j3dkYENiDIdj8+TosqgcT51QOzLAeO8oYI6kV Ju54OSp5gT3Lwd67qt9gKoUei/2In62sq8WE+qTJIOKW5lOA+KcQvHTRCAe0yaI7 qTzVgDXsf5SYy7oiGKuC1cJVVWAoBCMZZZlqF8n8xNKC3fp6S+Bd/FekCMK5uH48 bnq58tHDRyXc3QxYYX4cscjbB64wDX78jt+tlv8GDOUK3dgCP0bCrlvRUEF/cjAn /bcvBhrT2oGpKociilxmgQYrBYjLsNZp0w/Rn0//jwvs1PonJyAWV7oy/+PcDdzm IZovQNwhLmvQN3lOcyWWrgTG+SGtmKLHtR4LKuZrzQhriyr+Zv5yelNUcUP8TqMa FXR/bmnnbULbE5X6c9qsFXlNPjWrqIlqn9mBxiyR4ukvxpfcErXIXkxYy3C/X4s1 BdvwZDxc6iIPBefnmjU7 =BSNd -----END PGP SIGNATURE----- --Qrgsu6vtpU/OV/zm-- From nobody Wed Jan 12 10:56:47 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4B1091943021 for ; Wed, 12 Jan 2022 10:57:05 +0000 (UTC) (envelope-from Axel.Rau@Chaos1.DE) Received: from mailout5.lrau.net (mailout5.lrau.net [IPv6:2a05:bec0:26:5::73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mailout5.lrau.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JYkz43BTwz3GQm for ; Wed, 12 Jan 2022 10:57:04 +0000 (UTC) (envelope-from Axel.Rau@Chaos1.DE) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=chaos1.de; s=email1; h=To:Date:Message-Id:Subject:Mime-Version:Content-Type:From:Sender: Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=CmJn5T8NPhBNfzz+gcgfxxD70SYHKYT1SVdERPcCM0g=; b=P8f9L+x/Z9VtLSrAILFCh/+jER vacC5AyZdRjweyj9kvgnI9f9bQpn3h6lLlYogY4+JkdPpClZFcoFDdlzrWvGJ80bzkmEvQ7pDnjhe QKrJGpzmkSeqPWh5cd9Gb/DVSE0gKI2YgXcaPZLYaRHlh+mtHfc21XG+kEP7+C6QkuV/JZoCh1jkf +189jZ/Un6GuIv0PffXGviFTi+MLK16RtW41RBiPyGe5iwlqllNLZPU5aL1XC24+9xlBs881EVQhv 7BDMjP9uXdMqhPhn3whdzcT2GzG/x0N6AjAvbTVavORawA/7yL1vEav8At6DQ0QWzIR0cuyiAnDFh V1l88lJg==; Received: from [2a05:bec0:26:5::74] (helo=imap5.lrau.net) by mailout5.lrau.net with esmtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1n7bJH-000GAE-3U for FreeBSD-security@FreeBSD.org; Wed, 12 Jan 2022 10:56:55 +0000 Received: from Axel.Rau@Chaos1.DE by imap5.lrau.net (Archiveopteryx 3.2.0) with esmtpsa id 1641985014-79947-78689/7/41; Wed, 12 Jan 2022 10:56:54 +0000 From: Axel Rau Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="Apple-Mail=_2B88462F-18ED-4EE2-8266-C0C5757DCBE4"; micalg=pgp-sha256 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 Subject: Random failures: "unable to get local issuer certificate" Message-Id: Date: Wed, 12 Jan 2022 11:56:47 +0100 To: FreeBSD-security@FreeBSD.org X-Mailer: Apple Mail (2.3608.120.23.2.7) X-Rspamd-Queue-Id: 4JYkz43BTwz3GQm X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=chaos1.de header.s=email1 header.b="P8f9L+x/"; dmarc=none; spf=none (mx1.freebsd.org: domain of Axel.Rau@Chaos1.DE has no SPF policy when checking 2a05:bec0:26:5::73) smtp.mailfrom=Axel.Rau@Chaos1.DE X-Spamd-Result: default: False [-4.88 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[chaos1.de:s=email1]; NEURAL_HAM_MEDIUM(-0.92)[-0.922]; FROM_HAS_DN(0.00)[]; DWL_DNSWL_NONE(0.00)[chaos1.de:dkim]; MV_CASE(0.50)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; HAS_ATTACHMENT(0.00)[]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-0.97)[-0.968]; RCVD_COUNT_THREE(0.00)[3]; DMARC_NA(0.00)[Chaos1.DE]; DKIM_TRACE(0.00)[chaos1.de:+]; NEURAL_HAM_SHORT(-0.99)[-0.993]; SIGNED_PGP(-2.00)[]; R_SPF_NA(0.00)[no SPF record]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:197071, ipnet:2a05:bec0::/29, country:DE]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_IN_DNSWL_LOW(-0.10)[2a05:bec0:26:5::73:from] X-ThisMailContainsUnwantedMimeParts: N --Apple-Mail=_2B88462F-18ED-4EE2-8266-C0C5757DCBE4 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Hi all, I=E2=80=99m running the download curl https://sh.rustup.rs -sSf | sh this works fine, but the rust installer it calls fails on random hosts and jails with error sending request \ for url = (https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256): \ error trying to connect: error:1416F086:SSL \ routines:tls_process_server_certificate:certificate \ verify failed:ssl/statem/statem_clnt.c:1915: \ (unable to get local issuer certificate) All tested systems/jails are running 12.2p7 and habe identical cert = stores, kept up-to-date with freebsd-update. OpenSSL 1.1.1h-freebsd from base. Which knobs are influencing local issuer list? Where can I dig to resolve this issue? Any help appreciated, Axel --- PGP-Key: CDE74120 =E2=98=80 computing @ chaos claudius --Apple-Mail=_2B88462F-18ED-4EE2-8266-C0C5757DCBE4 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEl5evOTfnjZdhkBzKaPxTRM3nQSAFAmHes/AACgkQaPxTRM3n QSC8og/9GMAAuPAMUORighjhfP2lAPJbknEuwW1rrAZP+XQctk7z8zg3XnJqAf2Z bfU4d+4pUzxKFkzr6Fru0KVSuZbxB0rDFR9l0oHUVUXUTVzOJIy5XwGzYlVBzyGV Y4D5gW2Wjwm9uOSnbJZ975DHjTHdvTjjSaXPxx3p5GdwfNM2Uab3DcfTwXvif/t7 J1vZmmuPuJFo4EhgNsOCKuXFtMFnz/2luSAgysxbJNGtqbAYNuNQhAc97yFG7Xmm GxJ+4o+B/Vdwn9nijFHTDkmB5/r6FJ+0nCOjAfq8Rt0kqJL05v6p0yldVfQXz72U dyRnWZ4Tj5tvH3fT10KLaNWq2IeS41eWQWLm+0dnZ0D6ax0WGM7ZnKIPKVKbSVRe 7LtLhgaLBvI0hNiWeT1JkvvxD6N3uIblNYme+2Irw2s7csJQZlGVFM4GMH0NXTV6 JQ5ZGoQzd7jBb4TVqK8wwjJB6Zj/thJDAmQ/j/+TM7vj8MwPA4J3F8j4dcggoHfL q8E+I5HPhMs+Cnmal83WdUBMmfBuBCeb1R2Ow2Xn54rUB8hzwLLaxTwL61CPXAhS t3xng9XCE53mY0iyIDID0PuIAbUIYgM2sUolO95jJkTBjQL+MqbiDHe0cpqC1iQA 51fJyCI1lOTUylwD4EMt1Z5yvwKKlLSXCo6x5yrAfHhdsI3A67Q= =M07K -----END PGP SIGNATURE----- --Apple-Mail=_2B88462F-18ED-4EE2-8266-C0C5757DCBE4-- From nobody Wed Jan 12 11:05:43 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id E47EB19481A9 for ; Wed, 12 Jan 2022 11:05:53 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from rack.patpro.net (rack.patpro.net [193.30.227.216]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "patpro.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JYl9F5Ydsz3Lkw for ; Wed, 12 Jan 2022 11:05:53 +0000 (UTC) (envelope-from patpro@patpro.net) X-Virus-Scanned: amavisd-new at patpro.net Received: from mail.patpro.net (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by rack.patpro.net (Postfix) with ESMTPSA id 988BD230F8; Wed, 12 Jan 2022 12:05:43 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=patpro.net; s=202112-36538bdf; t=1641985543; bh=iPDV9G9mtOxc9T51/E8WsviZmrGvhPPULarTSrlpGp4=; h=Date:From:Subject:To:In-Reply-To:References; b=iFDyrNlBlbaZxbFIAD7h5wkM0Yt6Z6WY6XUGEPsLBy0FQPD6RKR9VEMNVZJRJPCaH HpW61wS+6F3GoTpE8pYxSux6l2Ttuen6vTVjDHUv/Dh2sZySTrM0pFM7mb/DgSpsNm h11WTg2TaSrudP+XdVOSN/+QubKve+yRQqqi9CCmY+Wbu/WPRgN51dK9wuX/eNyguU 6vyCjbLGzMrUkmxrrM4tml8uaKg3fOFuajuc2gXqvTdCBAOT9SFd0W2LXJ9oDoyiIv j5G8cbdicjuvs+lexiUzwIErZTwF935T0a4kR/rV5HucyXJuZhhxdOwVK25JSdPayA 6U5LTBazv3ILw== List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Date: Wed, 12 Jan 2022 11:05:43 +0000 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Mailer: RainLoop/1.16.0 From: patpro@patpro.net Message-ID: <3a5cd966011999f62c7d66a263f12500@patpro.net> Subject: Re: Random failures: "unable to get local issuer certificate" To: "Axel Rau" , FreeBSD-security@freebsd.org In-Reply-To: References: X-Rspamd-Queue-Id: 4JYl9F5Ydsz3Lkw X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-ThisMailContainsUnwantedMimeParts: N Hi, Is that possible that the destination is the culprit? $ host sh.rustup.rs sh.rustup.rs is an alias for dks7yomi95k2d.cloudfront.net. dks7yomi95k2d.cloudfront.net has address 54.192.66.29 dks7yomi95k2d.cloudfront.net has address 54.192.66.52 dks7yomi95k2d.cloudfront.net has address 54.192.66.99 dks7yomi95k2d.cloudfront.net has address 54.192.66.5 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:b200:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:5400:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:5e00:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:ee00:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:f600:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:1200:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:a400:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:2600:0:9a61:= 7540:93a1 may be (I have not tested) the result is different depending on DNS reply= . patpro January 12, 2022 11:56 AM, "Axel Rau" wrote: > Hi all, >=20 >=20I=E2=80=99m running the download > curl https://sh.rustup.rs -sSf | sh > this works fine, but the rust installer it calls fails on random hosts > and jails with >=20 >=20error sending request \ > for url (https://static.rust-lang.org/dist/channel-rust-stable.toml.sha= 256): \ > error trying to connect: error:1416F086:SSL \ > routines:tls_process_server_certificate:certificate \ > verify failed:ssl/statem/statem_clnt.c:1915: \ > (unable to get local issuer certificate) >=20 >=20All tested systems/jails are running 12.2p7 and habe identical cert s= tores, > kept up-to-date with freebsd-update. > OpenSSL 1.1.1h-freebsd from base. >=20 >=20Which knobs are influencing local issuer list? > Where can I dig to resolve this issue? >=20 >=20Any help appreciated, > Axel > --- > PGP-Key: CDE74120 =E2=98=80 computing @ chaos claudius From nobody Wed Jan 12 12:29:48 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id B1019195D403 for ; Wed, 12 Jan 2022 12:30:03 +0000 (UTC) (envelope-from Axel.Rau@Chaos1.DE) Received: from mailout5.lrau.net (mailout5.lrau.net [IPv6:2a05:bec0:26:5::73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mailout5.lrau.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JYn2L2BWMz3qrK for ; Wed, 12 Jan 2022 12:30:02 +0000 (UTC) (envelope-from Axel.Rau@Chaos1.DE) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=chaos1.de; s=email1; h=Message-Id:In-Reply-To:To:References:Date:Subject:Mime-Version: Content-Type:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=+eLEFTsp7bqqsk2sd2Hv/N7v1qc6mwgw/wKf9YsNA6c=; b=z1S89K2AKoEbuuZWpxHdC8j2LM 0poW0xoEJREs5oG/OaHVH3utcXbJj7TgDLeJhkJlKUQYV6j6aYYSX1VzwQ6625e9r8Y92BbvqqmiV t1ewHIR/9HCER2XxFq4rgCiSS8pBJ0qfvwBeqh82lQLDZDScZu/B2nXjL6x5jECvC67jxlXIV9pMV fmzsavq5n12zzA0ghBH+uXknFMtxjANmNU6GtqY/BBGN2PHxv5kZFSxaW8hmE5KWJ5iinWSyo2lU9 KIQ8+hJCmMavY0fwPa4u8ogm5uF1LycGotrjiD37fbyRRZeCZgfuah/8i2hjoWpPhc0guLTByUXtL o9F/wRcA==; Received: from [2a05:bec0:26:5::74] (helo=imap5.lrau.net) by mailout5.lrau.net with esmtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1n7clM-0007IF-3d for FreeBSD-security@FreeBSD.org; Wed, 12 Jan 2022 12:30:00 +0000 Received: from Axel.Rau@Chaos1.DE by imap5.lrau.net (Archiveopteryx 3.2.0) with esmtpsa id 1641990599-79947-78689/7/44; Wed, 12 Jan 2022 12:29:59 +0000 From: Axel Rau Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="Apple-Mail=_46AF78E5-BD2C-43D5-BDDF-1BF5167F147F"; micalg=pgp-sha256 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 Subject: Re: Random failures: "unable to get local issuer certificate" Date: Wed, 12 Jan 2022 13:29:48 +0100 References: <3a5cd966011999f62c7d66a263f12500@patpro.net> To: FreeBSD-security@FreeBSD.org In-Reply-To: <3a5cd966011999f62c7d66a263f12500@patpro.net> Message-Id: X-Mailer: Apple Mail (2.3608.120.23.2.7) X-Rspamd-Queue-Id: 4JYn2L2BWMz3qrK X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=chaos1.de header.s=email1 header.b=z1S89K2A; dmarc=none; spf=none (mx1.freebsd.org: domain of Axel.Rau@Chaos1.DE has no SPF policy when checking 2a05:bec0:26:5::73) smtp.mailfrom=Axel.Rau@Chaos1.DE X-Spamd-Result: default: False [-4.91 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[chaos1.de:s=email1]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; DWL_DNSWL_NONE(0.00)[chaos1.de:dkim]; MV_CASE(0.50)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.20)[multipart/signed,multipart/alternative,text/plain]; HAS_ATTACHMENT(0.00)[]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-0.92)[-0.919]; RCVD_COUNT_THREE(0.00)[3]; DMARC_NA(0.00)[Chaos1.DE]; DKIM_TRACE(0.00)[chaos1.de:+]; NEURAL_HAM_SHORT(-0.99)[-0.986]; SIGNED_PGP(-2.00)[]; R_SPF_NA(0.00)[no SPF record]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~,4:~]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:197071, ipnet:2a05:bec0::/29, country:DE]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_IN_DNSWL_LOW(-0.10)[2a05:bec0:26:5::73:from] X-ThisMailContainsUnwantedMimeParts: N --Apple-Mail=_46AF78E5-BD2C-43D5-BDDF-1BF5167F147F Content-Type: multipart/alternative; boundary="Apple-Mail=_BA4CA67E-8199-4721-9942-92D1F920C151" --Apple-Mail=_BA4CA67E-8199-4721-9942-92D1F920C151 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > Am 12.01.2022 um 12:05 schrieb patpro@patpro.net: >=20 > may be (I have not tested) the result is different depending on DNS = reply. I don=E2=80=99t think so, as I have local resolvers which should have = cached the AAAAs. But they have no valid reverse mapping. I just saw 1 jail failing which succeded always in the past. Strange. Axel --- PGP-Key: CDE74120 =E2=98=80 computing @ chaos claudius --Apple-Mail=_BA4CA67E-8199-4721-9942-92D1F920C151 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8

Am 12.01.2022 um 12:05 schrieb patpro@patpro.net:

may be (I = have not tested) the result is different depending on DNS = reply.

I don=E2=80=99t think so, as I have local resolvers = which should have cached the AAAAs.
But  they have = no valid reverse mapping.

I just saw 1 jail failing which succeded always in the = past.

Strange.
Axel
---
PGP-Key: CDE74120 =  =E2=98=80  computing @ chaos = claudius

= --Apple-Mail=_BA4CA67E-8199-4721-9942-92D1F920C151-- --Apple-Mail=_46AF78E5-BD2C-43D5-BDDF-1BF5167F147F Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEl5evOTfnjZdhkBzKaPxTRM3nQSAFAmHeybwACgkQaPxTRM3n QSC3Ag/+Pqbc4EbFrdsoj2WMus657UIbKg9wV26lB4heIjC1zTUlsgZ5lfi0+Ik+ pJmyXwCYTVDd4+gt7j983Vpfp99FOg4u0HDOPolf5Br2of/ZMxzVAB6Z0PWHeEpj ev3t45OASIvL7CjpgjZ00shwsJz1J8HxojYwcjuX54G2A+6ffHa8eiW0zBrb0F4d uyLWKVcX3rg5v4/rrwhrQhFLCnBzzV8M9xGxN9qwPZrRXSnv+r3L/VLplWIstn6q ZuthX4W3jsxnsJTroiDL1CWyr4xkOY26IomeXUCN8Xsx+sg3FYfKuO564p/t2E08 kJLY3YAa0HqQ593eiqCq9wkqiqqRR16I0pTdOZpTUdwc9kReM4tP4Fm6jSO+k288 2QOJJL2B7mRo1tumE62hRq8KzUxchZoq763S4n05PycuhS7gqYw83ckTjCf0i/pO TuKUUL4v0mnLhij49/UFM9gTd6+UJ3bGqXoPaqfMjr3XPzCrvJBQWTqlS+h4/9t8 W7IK1a8DMDoBoji7iiC9VulHN53vSc0uk2s8XL6CkktrNkySVctjFs/VPrF1AnJj V+HrItUahvlL/h0YfcHR/v2SPAJrKUHww5W3eFvEMF5qyXw8vtQbRLdX5hokH8Q7 MsvAwTlt67eIuZxXwwxS2A5xW0EJLsgs0NaYYuMyxRaj0CA3owY= =xbUt -----END PGP SIGNATURE----- --Apple-Mail=_46AF78E5-BD2C-43D5-BDDF-1BF5167F147F-- From nobody Thu Jan 13 17:48:10 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id F36A61955964 for ; Thu, 13 Jan 2022 17:48:25 +0000 (UTC) (envelope-from martin@lispworks.com) Received: from mail.lispworks.com (mail.lispworks.com [46.17.166.21]) by mx1.freebsd.org (Postfix) with ESMTP id 4JZX3F00c9z51v8 for ; Thu, 13 Jan 2022 17:48:24 +0000 (UTC) (envelope-from martin@lispworks.com) Received: from higson.cam.lispworks.com (higson.cam.lispworks.com [192.168.1.7]) by lwfs1-cam.cam.lispworks.com (8.16.1/8.16.1) with ESMTP id 20DHmBSq020461; Thu, 13 Jan 2022 17:48:11 GMT (envelope-from martin@lispworks.com) Received: from higson.cam.lispworks.com (localhost.localdomain [127.0.0.1]) by higson.cam.lispworks.com (8.14.4) id 20DHmBbP006307; Thu, 13 Jan 2022 17:48:11 GMT Received: (from martin@localhost) by higson.cam.lispworks.com (8.14.4/8.14.4/Submit) id 20DHmAES006303; Thu, 13 Jan 2022 17:48:10 GMT Date: Thu, 13 Jan 2022 17:48:10 GMT Message-Id: <202201131748.20DHmAES006303@higson.cam.lispworks.com> From: Martin Simmons To: Axel Rau CC: FreeBSD-security@FreeBSD.org In-reply-to: (message from Axel Rau on Wed, 12 Jan 2022 13:29:48 +0100) Subject: Re: Random failures: "unable to get local issuer certificate" References: <3a5cd966011999f62c7d66a263f12500@patpro.net> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 4JZX3F00c9z51v8 X-Spamd-Bar: ++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of martin@lispworks.com has no SPF policy when checking 46.17.166.21) smtp.mailfrom=martin@lispworks.com X-Spamd-Result: default: False [2.90 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.02)[-0.020]; FREEFALL_USER(0.00)[martin]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; RWL_MAILSPIKE_GOOD(0.00)[46.17.166.21:from]; NEURAL_SPAM_SHORT(1.00)[1.000]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[lispworks.com]; AUTH_NA(1.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_SPAM_LONG(0.92)[0.917]; MLMMJ_DEST(0.00)[FreeBSD-security]; R_SPF_NA(0.00)[no SPF record]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:51055, ipnet:46.17.160.0/21, country:GB] X-ThisMailContainsUnwantedMimeParts: N >>>>> On Wed, 12 Jan 2022 13:29:48 +0100, Axel Rau said: > > > > Am 12.01.2022 um 12:05 schrieb patpro@patpro.net: > > > > may be (I have not tested) the result is different depending on DNS reply. > > > I don’t think so, as I have local resolvers which should have cached the AAAAs. Since sh.rustup.rs has multiple adddresses, the order in the DNS reply can change each time it is resolved (even from a cache), so might be using a different adddress each time. __Martin From nobody Fri Jan 14 00:19:12 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4AE6A195E327 for ; Fri, 14 Jan 2022 00:19:13 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JZhk90QFdz4TSX; Fri, 14 Jan 2022 00:19:13 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1642119553; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=i2heb9FW7HS/vs9rz3y2QunA4kbolCGEO1wOJDkhE+M=; b=kxIW1WHiy/yglJdSxQS2dVHumgWvfNb528a+8xcjAyDAOlRRjOr6VeW/QRtjG6gZTk2ZNP Ze4+PYVPd/4Jo2ptAKd3ZM3b9U3rjcJDEgv4owbahiXMrTbX0Ny4UDNZNmmjzY8WmjxoRr heV6ymTf0s+cNbOVTRRUxt38gSuntFLz9YYqCP+gtzy0EBx6vQOuM2Yu0jMSywTUWq+3Fg gBzyTTz7AY2cwuNCMZ5e1QHGfWeawBV/G/VDg/g+r/0KdwaJuFRKEp1c8HfC02eAPtbka+ zUMJfcL2OrAU+5HGmXdLSESx1tgC8YhWTW4EeYSyd+WaQZlleqCGxgoRtCIJdw== Received: by freefall.freebsd.org (Postfix, from userid 945) id F2F6D770A; Fri, 14 Jan 2022 00:19:12 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:01.vt Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220114001912.F2F6D770A@freefall.freebsd.org> Date: Fri, 14 Jan 2022 00:19:12 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1642119553; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=i2heb9FW7HS/vs9rz3y2QunA4kbolCGEO1wOJDkhE+M=; b=ADwhudgOReKSITahrlgKd+Dx/MnS1eha/u8JJbGLjS4OQIAhR59H9cA5RuRmWnEraLK8BH 0mpTgPPIWPoPmgWPbuoiLRbwU8lAw/dqhf9rOzuy6+lflGOn8EuhYTxKyI4mGmiF1Omc0r 6f/ZfkXoKO/hXH5paAXGU5MktVj3ls6qh1uossn6veRj+dYRTqp5wKrfv4yABzG0kC7/hV JuphpDc3UMSrS9d/K9joFKg2fPptkHhB+6/N4Fx2k5Tvj2lmMnOcClVaYE0yVeGS2elsnh TN+e3VNVO9++4L2qQD4SqDPsijztRZlT+5MJ6NcAvgp4z4/SKItpugyHGA+Rlg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1642119553; a=rsa-sha256; cv=none; b=EZyflQOLFo5TbUwcLgA+H36OG8gu1EKY1AsNLKNGvjan85+gdzXwOCTv46j+M/XWItXFs9 +EmuKWUgHf0zMj/Ehr9AgEPxgzAEO5WZxDzkVKYeiaQ9q+LfkF0+uGj4hYjg+/bBTR2pZO P81fqLC0+v6COx7IXm7Pr2gec24X/3JfoJOQGGKv3OgR8dqw0jvdxLzr91Iwp4iJQancus BA9S/M04pIyncHC3AjNX1Uv3qy7asjhbPF39Z5t98KDcPlLv3RBH422SYba+zJ/61ZUk8l OqMFLDjLjD9EweF7gx+jEcoyRzXq42pAjuZtKn0s9WJjPDCZ2YiUNRQp5o9MnA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:01.vt Security Advisory The FreeBSD Project Topic: vt console buffer overflow Category: kernel Module: vt Announced: 2022-01-11 Credits: Oleg Bulyzhin Affects: FreeBSD 12.2 and FreeBSD 13.0 Corrected: 2021-09-22 18:41:00 UTC (stable/13, 13.0-STABLE) 2022-01-11 18:15:03 UTC (releng/13.0, 13.0-RELEASE-p6) 2021-09-25 18:15:49 UTC (stable/12, 12.2-STABLE) 2022-01-11 18:33:21 UTC (releng/12.2, 12.2-RELEASE-p12) CVE Name: CVE-2021-29632 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD's system console is provided by the vt(4) virtual terminal console driver. II. Problem Description Under certain conditions involving use of the highlight buffer while text is scrolling on the console, console data may overwrite data structures associated with the system console or other kernel memory. III. Impact Users with access to the system console may be able to cause system misbehaviour. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:01/vt.patch # fetch https://security.FreeBSD.org/patches/SA-22:01/vt.patch.asc # gpg --verify vt.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 9352de39c3dc stable/13-n247428 releng/13.0/ 3e0a1e124169 releng/13.0-n244773 stable/12/ r370674 releng/12.2/ r371491 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd1f4ACgkQ05eS9J6n 5cIgEBAAkXpnKSElsT96dj4RYWJLkqB4+OBkGoOGrsZj8zd5Ei85oohhL38xiYAE jQpSwblgYCqmOxRL4hGgKN6fBPMnc/zXCdZhJzAfgkKXsn4eY5mObN1jus7owsmC RnFNOLSr1VVJZs8H1RAeAjJT2I6DF0oLb/f1u3ik+bPFJ8Y4hvPEliSH7rpzVBq7 hpmiH1HxAArVwtJ15N+7u6vNUce57dWSh4NzPHLduzMRpatPKVqtkC7UJIvqisxl bQTK46MYo454SgbZjRPistwnV9NFKjuKy5Rh38/FURbnBxg8w2HVkabidMy5lJyU geSOvV4wc2LraRdSvJHZlNXu1BJKnPpTpsl6XNr8ePzAl9rRPjZKo8cEBMmTlqK0 KdMeKsf1OfspA/8L6mCpg4NDeOoHktCrICWTi4/E6nGX/e1hZrCXKcxf0KYbhcfO xNvrYtKkCtCbEnbzZbW6rjY/RAmRwwMNngVw2FWRuSWU6BCmfKZndUXFO7aghj6Q JKISfctwtcHWn/QzI2BN9pNWZlzAJ8BfxR+/bV6VJNuRILOhrvgjnUzpies1xv7z GRN9JlpxzqihhlX8JED7jDOm99YflEG0Ep7Cr1OYXLDVx1xxh8dQLCOwl5qjnKgd ELae8IKnUn5pI1Og44AsjY9xWOvxxz28luwFxsbYf+3UMo6M4eE= =hcWy -----END PGP SIGNATURE----- From nobody Fri Jan 14 00:23:23 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 77631195F668 for ; Fri, 14 Jan 2022 00:23:36 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: from mail-ua1-x92b.google.com (mail-ua1-x92b.google.com [IPv6:2607:f8b0:4864:20::92b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JZhqC57zRz4WJj for ; Fri, 14 Jan 2022 00:23:35 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: by mail-ua1-x92b.google.com with SMTP id h11so14335414uar.5 for ; Thu, 13 Jan 2022 16:23:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tetlows.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=2+THtEVS9jgqvdzY5vxnCXTGSadfkbParbVvL/uOOQ0=; b=PrCnW/KmmMLQsrh3lzX5BAJpPVTt8dm0FMDGCwQ4TQkxWnU5S0lEg6Bw6G3niOoPIH BAsmBndBWRT0i25iJo53Cubj+qTWwv7BQ5bg+6jCnDy+kkj0pI39kcPUrSatgoNLjV4M B1haCtO+S/441wjhm6vJVyhsm2V43r3s8kAMo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=2+THtEVS9jgqvdzY5vxnCXTGSadfkbParbVvL/uOOQ0=; b=2qDOYpm1HhcEYm35lau/+p13s1odwnDOq3g2nYeckFyaT6tomlqCIl+8qVGRk6F0ni jR6PyymDBc4wU9yCXlHMLsJdKpSH7s4YyoMGEPSBgAzXxAF1AXxbXhLh9kO14I7GqVWt m/xMqih3+WR63OtpKV9orfvE0WgHue3syiQtx1lxZMutQbHd/Y/cT2+1teVOJkrzeq9V PcERPSaIP3Nt0P83DKNWqGx+Ecr4T80DVsU6P4aLe7Resq4/tui54/NiEYIVRiTW0zAF AO+/PNz91q4uI2BX5mK8ieplbJyOjIdCooYyvurGu3ud/QgGd6OQ1W7N5VCYCcn61jYA sKNg== X-Gm-Message-State: AOAM530mNPK1FJFLlqQuNuprZkUD/wVXQlg4H6t5vm6IkeQN5ghV8+FG rA/nBUXMPEeRpf6DkCNmc5dX3J03ERdcG5WCZrRwMaO65Q== X-Google-Smtp-Source: ABdhPJzSPeyMCqX4a/r8TwRMqfI9j6YQfO+DvtdlE8YmXK4ow5oqXtvQLxgjML1tkFZHyMrL1atqVv19Bdb+Ewq7IkI= X-Received: by 2002:a67:a409:: with SMTP id n9mr3170048vse.74.1642119814597; Thu, 13 Jan 2022 16:23:34 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 References: <20220114001912.F2F6D770A@freefall.freebsd.org> In-Reply-To: <20220114001912.F2F6D770A@freefall.freebsd.org> From: Gordon Tetlow Date: Thu, 13 Jan 2022 16:23:23 -0800 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:01.vt To: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4JZhqC57zRz4WJj X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=pass header.d=tetlows.org header.s=google header.b="PrCnW/Km"; dmarc=pass (policy=quarantine) header.from=tetlows.org; spf=pass (mx1.freebsd.org: domain of gordon@tetlows.org designates 2607:f8b0:4864:20::92b as permitted sender) smtp.mailfrom=gordon@tetlows.org X-Spamd-Result: default: False [-0.50 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-0.998]; R_DKIM_ALLOW(-0.20)[tetlows.org:s=google]; FREEFALL_USER(0.00)[gordon]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_SPAM_SHORT(0.50)[0.496]; DKIM_TRACE(0.00)[tetlows.org:+]; DMARC_POLICY_ALLOW(-0.50)[tetlows.org,quarantine]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::92b:from]; NEURAL_SPAM_LONG(1.00)[1.000]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N Sorry for the delay in sending this to the security mailing list. Since the mailing list change over, we've had a few hiccups on delivery to the lists and with this email, we should hopefully be back to a state where we consistently deliver. Again, apologies for the weirdness, but I believe we have ironed out all the wrinkles and will be in a better spot going forward. Thanks to the postmaster team for the work in getting this all sorted. Gordon Hat: security-officer On Thu, Jan 13, 2022 at 4:19 PM FreeBSD Security Advisories wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================================= > FreeBSD-SA-22:01.vt Security Advisory > The FreeBSD Project > > Topic: vt console buffer overflow > > Category: kernel > Module: vt > Announced: 2022-01-11 > Credits: Oleg Bulyzhin > Affects: FreeBSD 12.2 and FreeBSD 13.0 > Corrected: 2021-09-22 18:41:00 UTC (stable/13, 13.0-STABLE) > 2022-01-11 18:15:03 UTC (releng/13.0, 13.0-RELEASE-p6) > 2021-09-25 18:15:49 UTC (stable/12, 12.2-STABLE) > 2022-01-11 18:33:21 UTC (releng/12.2, 12.2-RELEASE-p12) > CVE Name: CVE-2021-29632 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > FreeBSD's system console is provided by the vt(4) virtual terminal console > driver. > > II. Problem Description > > Under certain conditions involving use of the highlight buffer while > text is scrolling on the console, console data may overwrite data > structures associated with the system console or other kernel memory. > > III. Impact > > Users with access to the system console may be able to cause system > misbehaviour. > > IV. Workaround > > No workaround is available. > > V. Solution > > Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date, > and reboot. > > Perform one of the following: > > 1) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the amd64, i386, or > (on FreeBSD 13 and later) arm64 platforms can be updated via the > freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > # shutdown -r +10min "Rebooting for a security update" > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch https://security.FreeBSD.org/patches/SA-22:01/vt.patch > # fetch https://security.FreeBSD.org/patches/SA-22:01/vt.patch.asc > # gpg --verify vt.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > and reboot the > system. > > VI. Correction details > > This issue is corrected by the corresponding Git commit hash or Subversion > revision number in the following stable and release branches: > > Branch/path Hash Revision > - ------------------------------------------------------------------------- > stable/13/ 9352de39c3dc stable/13-n247428 > releng/13.0/ 3e0a1e124169 releng/13.0-n244773 > stable/12/ r370674 > releng/12.2/ r371491 > - ------------------------------------------------------------------------- > > For FreeBSD 13 and later: > > Run the following command to see which files were modified by a > particular commit: > > # git show --stat > > Or visit the following URL, replacing NNNNNN with the hash: > > > > To determine the commit count in a working tree (for comparison against > nNNNNNN in the table above), run: > > # git rev-list --count --first-parent HEAD > > For FreeBSD 12 and earlier: > > Run the following command to see which files were modified by a particular > revision, replacing NNNNNN with the revision number: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > > > VII. References > > > > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- > > iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd1f4ACgkQ05eS9J6n > 5cIgEBAAkXpnKSElsT96dj4RYWJLkqB4+OBkGoOGrsZj8zd5Ei85oohhL38xiYAE > jQpSwblgYCqmOxRL4hGgKN6fBPMnc/zXCdZhJzAfgkKXsn4eY5mObN1jus7owsmC > RnFNOLSr1VVJZs8H1RAeAjJT2I6DF0oLb/f1u3ik+bPFJ8Y4hvPEliSH7rpzVBq7 > hpmiH1HxAArVwtJ15N+7u6vNUce57dWSh4NzPHLduzMRpatPKVqtkC7UJIvqisxl > bQTK46MYo454SgbZjRPistwnV9NFKjuKy5Rh38/FURbnBxg8w2HVkabidMy5lJyU > geSOvV4wc2LraRdSvJHZlNXu1BJKnPpTpsl6XNr8ePzAl9rRPjZKo8cEBMmTlqK0 > KdMeKsf1OfspA/8L6mCpg4NDeOoHktCrICWTi4/E6nGX/e1hZrCXKcxf0KYbhcfO > xNvrYtKkCtCbEnbzZbW6rjY/RAmRwwMNngVw2FWRuSWU6BCmfKZndUXFO7aghj6Q > JKISfctwtcHWn/QzI2BN9pNWZlzAJ8BfxR+/bV6VJNuRILOhrvgjnUzpies1xv7z > GRN9JlpxzqihhlX8JED7jDOm99YflEG0Ep7Cr1OYXLDVx1xxh8dQLCOwl5qjnKgd > ELae8IKnUn5pI1Og44AsjY9xWOvxxz28luwFxsbYf+3UMo6M4eE= > =hcWy > -----END PGP SIGNATURE----- > From nobody Sun Jan 16 01:06:14 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 994061958FAF; Sun, 16 Jan 2022 01:06:16 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-ua1-x935.google.com (mail-ua1-x935.google.com [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JbxgW3pmzz4ssS; Sun, 16 Jan 2022 01:06:15 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-ua1-x935.google.com with SMTP id l15so23777375uai.11; Sat, 15 Jan 2022 17:06:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to:cc; bh=PAPGpNRrlz6s0sAzuqZ2Km4ZvDj6UkLaqs/UaGB3GFA=; b=c9S85tsOr0crxPsuT+f3Lo+EKhLs8lrSxkED31VG2F6prPsqHVP2KlkZq7kKXka6Ak HJxFc8athHDxhTV9x4azl+vPyutuyujM8UgdKoI97thxMHtIzVwOwFVV8CQdLSdSEUA8 VtPwqmhgCI1xP8NuFlM+s+9sCXS8UhWA7qVXbx7x/uumyY/2K2VtW54DCc8YfdeMGHVR t7IGBwNEn2LaCR8HtFk+RaDYVuwIWlD2WSn5c3t0YwbUIYdqMwRTf/XcHFRbZ+G7wbBx cz4KHdtFiOuEZ8iBopLHZJ1r/VFqIyoqIzM1qnQJRdFdl+C/bkTTjPDG+IzrnlmAX1Oh JXKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=PAPGpNRrlz6s0sAzuqZ2Km4ZvDj6UkLaqs/UaGB3GFA=; b=cO7rhPHgYDpgUNxq48nK4bZNXufz8M80zryq7zzbf4K/BzZ1LhkuKJCLCv7udXks5m BjRPUBazPcp+aAL1ESunm8T0qniADlPfundgY1EYhPm0m7brnd2OkDGEMNQ55uoB208C FALwXTtKp8kklF7BuNPCn1qOXV4/B/8HnKkpKV1lZot7zFSm9XoMt0Fn757Qc6nZGSK9 c6D6KxZNpm6Aos8kaT87aolqP+XMwmXNzWAT1/q/Z+R8n1NJL+fkcegVOCdQXLnGml1Q AFaWCgfmsab4sA4cly1Ik+HWEtFZcRQ1o0Fm3XHXKziMHbeDgZVz2CJGoZRVx6lZ8l9j AfFg== X-Gm-Message-State: AOAM530gmg5nnLjQq91n35shp+UUSz9dOYTl8GfHASkjz+5R8YISiETu ltvNzmAtqCTlp9oD0QNVPPsRnYNXtIxqSFKgIAZlW1G1FqrvEIGS X-Google-Smtp-Source: ABdhPJwOFFzdVOaGDahED79x1SUmhzzFHY8NPCImSJHQFL9zJydNObrgdke5f1Izv4sHnttUI5uLw3gxKY6S0J6IbIE= X-Received: by 2002:ab0:130e:: with SMTP id g14mr6195370uae.124.1642295174622; Sat, 15 Jan 2022 17:06:14 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a59:cda4:0:b0:278:7001:4412 with HTTP; Sat, 15 Jan 2022 17:06:14 -0800 (PST) From: grarpamp Date: Sat, 15 Jan 2022 20:06:14 -0500 Message-ID: Subject: Zeroing Storage Devices [re: dd, #OpenFabs #CryptoFunding #Meshnets] To: freebsd-questions@freebsd.org Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org, freebsd-hardware@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4JbxgW3pmzz4ssS X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=c9S85tsO; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::935 as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-2.00 / 15.00]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::935:from]; NEURAL_HAM_SHORT(-1.00)[-0.998]; MLMMJ_DEST(0.00)[freebsd-questions,freebsd-security,freebsd-net,freebsd-hardware]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-ThisMailContainsUnwantedMimeParts: N > Nothing on the operating system side of the [disk] controller (and its > firmware) has got direct access to what's under the hood of the [disk]. Modern disk, tape, usb, ssd, etc... Some of them now show different read or write speeds depending on whether zero or random data was read or write from them... (users may need to eliminate system/random bottleneck by pregenerating random data into say 1GiB file on ramdrive source and going to/from there, /dev/null, /dev/zero.) Not since decades ago advent of badblock management in firmware has zero been even a remotely trustable method, now it's even worse. Minimum, effective, simple, at-rest data security protocol for the masses is now... buy drive dd if=/dev/random of=drive bs=1m encrypt drive use drive destroy key dd if=/dev/random of=drive bs=1m reuse or destroy drive None of today's CPU, NIC, plugin-hw, networks [1], etc are even the slightest bit trustable, at all, period. So while that protocol will always be needed, you really must start improving the hardware situation by routing around and displacing the old top-secret owners of the legacy system with completely new models... #OpenFabs , #OpenHW , #OpenAudit , #FormalVerification , #CryptoFunding , #OpenTrust High demand exists for a magnitude shift in HW trustability, a new open platform... total greenfield, highly profitable to whoever does it first, free-market voluntaryism at work. [1] While you're at it, lay your own P2P fiber/RF meshnets too. The legacy internet has refused to encrypt and fully chaff all its links, and censorship spyveillance control is rampant. So now you must route around that too with something much better, built by, for, and with openhw components piecewise owned and operated by... you, the individual users, outside central control, p2p, together in freedom, decentralized distributed encrypted, all around the globe. The economics of these things are all now possible, saved from cancelling decade of monthly subscriptions, crypto crowdfunding and even share ownership via privacy-enabled cryptocurrencies DAO's, etc... And of course, FreeBSD runs on and powers part of it too. Free your mind, get started, have fun :) From nobody Mon Feb 7 17:53:59 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 8FD3C19B995C for ; Mon, 7 Feb 2022 17:54:10 +0000 (UTC) (envelope-from Axel.Rau@Chaos1.DE) Received: from mailout5.lrau.net (mailout5.lrau.net [IPv6:2a05:bec0:26:5::73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mailout5.lrau.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Jsv0K4Tqqz4V5G for ; Mon, 7 Feb 2022 17:54:09 +0000 (UTC) (envelope-from Axel.Rau@Chaos1.DE) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=chaos1.de; s=email1; h=Content-Type:In-Reply-To:References:To:From:Subject:Mime-Version: Date:Message-Id:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=LqQ9LACQ0GRqnDe2HDSZjW7KQcOQX2/Kf1USx+Y5pVc=; b=vWxqvrJP/whQIbqVylaewCMC/I ZLEoSMEYojrjnwwcDVq0nWjFaW8L+fP4JHokiDjTc0CDNIUprViMtsqJNEuDOzh1/7zKFuxao94Z2 fOm8gAZ8a+sgwDi81ZtOUqyCcKkZ2Q/jEj45Awnhv5kaukXL0DA6s+vuFG0s1DLUYgCpt0PHj7FLm RFDCvTkfRX1X1rMbEXxKNlSWnodWjb8r2mV8D4CDJbNoYKGX3bQW2h3aA6dzgEE7XwVOfyCZs2pcC 3ze+dr6/ng1IJo1wKxUoxAyqroEpdSkxvERBsD2bIWw7dLw4Wx++aHgqN55h86znz9O+tBJhoiMmJ 8xNPNKJw==; Received: from [2a05:bec0:26:5::74] (helo=imap5.lrau.net) by mailout5.lrau.net with esmtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1nH8DB-000GJQ-6p for FreeBSD-security@FreeBSD.org; Mon, 07 Feb 2022 17:54:01 +0000 Received: from Axel.Rau@Chaos1.DE by imap5.lrau.net (Archiveopteryx 3.2.0) with esmtpsa id 1644256440-12882-12226/7/4; Mon, 7 Feb 2022 17:54:00 +0000 Message-Id: <26097968-0861-4bef-5d95-20b20c3e40d6@Chaos1.DE> Date: Mon, 7 Feb 2022 18:53:59 +0100 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.5.1 Subject: [RESOLVED] Re: Random failures: "unable to get local issuer certificate" Content-Language: de-DE From: Axel Rau To: FreeBSD-security@FreeBSD.org References: In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary=------------zap700Mb9JZ0IyOaKyLTFQuA X-Rspamd-Queue-Id: 4Jsv0K4Tqqz4V5G X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=chaos1.de header.s=email1 header.b=vWxqvrJP; dmarc=none; spf=none (mx1.freebsd.org: domain of Axel.Rau@Chaos1.DE has no SPF policy when checking 2a05:bec0:26:5::73) smtp.mailfrom=Axel.Rau@Chaos1.DE X-Spamd-Result: default: False [-4.90 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; MV_CASE(0.50)[]; HAS_ATTACHMENT(0.00)[]; TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[chaos1.de:+]; MIME_BASE64_TEXT(0.10)[]; NEURAL_HAM_SHORT(-1.00)[-1.000]; SIGNED_PGP(-2.00)[]; RCVD_IN_DNSWL_LOW(-0.10)[2a05:bec0:26:5::73:from]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~]; ASN(0.00)[asn:197071, ipnet:2a05:bec0::/29, country:DE]; RCVD_TLS_LAST(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; DWL_DNSWL_NONE(0.00)[chaos1.de:dkim]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[chaos1.de:s=email1]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,text/plain]; DMARC_NA(0.00)[chaos1.de]; RCPT_COUNT_ONE(0.00)[1]; R_SPF_NA(0.00)[no SPF record]; MLMMJ_DEST(0.00)[FreeBSD-security] X-ThisMailContainsUnwantedMimeParts: N This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------zap700Mb9JZ0IyOaKyLTFQuA Content-Type: multipart/mixed; boundary="------------xVkevNun5gKPjnnax3V25U9q"; protected-headers="v1" From: Axel Rau To: FreeBSD-security@FreeBSD.org Message-ID: <26097968-0861-4bef-5d95-20b20c3e40d6@Chaos1.DE> Subject: [RESOLVED] Re: Random failures: "unable to get local issuer certificate" References: In-Reply-To: --------------xVkevNun5gKPjnnax3V25U9q Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64 QW0gMTIuMDEuMjIgdW0gMTE6NTYgc2NocmllYiBBeGVsIFJhdToNCj4gKHVuYWJsZSB0byBn ZXQgbG9jYWwgaXNzdWVyIGNlcnRpZmljYXRlKQ0KPiANClRlbGxpbmcgcnVzdHVwIHRvIHVz ZSB3Z2V0IGluc3RlYWQgb2YgY3VybCwgcmVzb2x2ZXMgdGhlIGlzc3VlLg0KDQpUaGFua3Mg TWFydGluIGFuZCBwYXRybyBmb3IgeW91ciBoZWxwLA0KQXhlbA0KDQotLSANClBHUC1LZXk6 IENERTc0MTIwICDimIAgIGNvbXB1dGluZyBAIGNoYW9zIGNsYXVkaXVzDQo= --------------xVkevNun5gKPjnnax3V25U9q-- --------------zap700Mb9JZ0IyOaKyLTFQuA Content-Type: application/pgp-signature; name="OpenPGP_signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="OpenPGP_signature" -----BEGIN PGP SIGNATURE----- wsF5BAABCAAjFiEEl5evOTfnjZdhkBzKaPxTRM3nQSAFAmIBXLcFAwAAAAAACgkQaPxTRM3nQSCA xw/5ARJcKG17NvuBAHb56ppfhKweqXUt/+eYtJauFdOxl07r41SvxWbJaEK1QfGECi0LPt80akyK 0ecwQspBrLtJT1frMgHy8wMpYy3k30gWdlU//vO7jipgFmsWZ2fti2ePaNlTnFNUroz4aV5yqb5L fi232ICOhkmaO0lvubJ1NxCieVLorx+lHN9YNC6EDdIzVigKPd58NI6p3wQPoh4LfSsohutPZ7B2 UKP25E1ZkqXwIab2yP4FOogh0qh+beBt8LemlFyR/O96Y1i3/5PV999Jr0CSKolvwYQqYu9hwyiv eIeZfORFRQeV9tbzcoj1bsXxw4yj9lGUgwhlArIjRnnT4EGjcd0XHpKbhL1nYY61VfyEPnD7+PF4 FEOrRZokpsjpc089k03g6orqTJieyYDdWcZqLjCmGXzbRioBzWGL5tV5XBJMDGd1GEgak8jQalCq dfJnDkox3VvzLnN3BO1KiFLeyVKeKhoYfQMI4Tmz1sd0hBCVysTCSxdQo/Xp9fbeZ34yVAYOckJT 5oerBH7EN3JQeX1vyANRSXhG3ehGMFagdJU+aA4ptZmEYSa8Lb4g+UogSg57eTahca/8kiQUMaYZ HzI/taBZtQAmhLG+/pdikMM/dSWwO2JZ5sHKh2+/ZA5X+Ur9dlybvqAzghslqtWwpnqa33OkZRcx shE= =Hk5b -----END PGP SIGNATURE----- --------------zap700Mb9JZ0IyOaKyLTFQuA-- From nobody Thu Feb 10 15:46:27 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 50E3D19B00E0 for ; Thu, 10 Feb 2022 15:50:16 +0000 (UTC) (envelope-from news@mips.inka.de) Received: from mail.inka.de (mail.inka.de [IPv6:2a04:c9c7:0:1073:217:a4ff:fe3b:e77c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4Jvh5y5k8xz4T5k for ; Thu, 10 Feb 2022 15:50:14 +0000 (UTC) (envelope-from news@mips.inka.de) Received: from mips.inka.de (news@[127.0.0.1]) by mail.inka.de with uucp (rmailwrap 0.5) id 1nIBhu-00DPKO-Gw; Thu, 10 Feb 2022 16:50:06 +0100 Received: from lorvorc.mips.inka.de (localhost [127.0.0.1]) by lorvorc.mips.inka.de (8.16.1/8.16.1) with ESMTP id 21AFkRTA016251 for ; Thu, 10 Feb 2022 16:46:27 +0100 (CET) (envelope-from news@lorvorc.mips.inka.de) Received: (from news@localhost) by lorvorc.mips.inka.de (8.16.1/8.16.1/Submit) id 21AFkRB4016250 for freebsd-security@freebsd.org; Thu, 10 Feb 2022 16:46:27 +0100 (CET) (envelope-from news) To: freebsd-security@freebsd.org From: Christian Weisgerber Newsgroups: list.freebsd.security Subject: Post-quantum crypto now in SSH Date: Thu, 10 Feb 2022 15:46:27 -0000 (UTC) Message-ID: User-Agent: slrn/1.0.3 (FreeBSD) X-Rspamd-Queue-Id: 4Jvh5y5k8xz4T5k X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of news@mips.inka.de has no SPF policy when checking 2a04:c9c7:0:1073:217:a4ff:fe3b:e77c) smtp.mailfrom=news@mips.inka.de X-Spamd-Result: default: False [-1.80 / 15.00]; RCVD_TLS_LAST(0.00)[]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[news]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_THREE(0.00)[3]; MID_RHS_MATCH_FROMTLD(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-1.000]; DMARC_NA(0.00)[inka.de]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; MLMMJ_DEST(0.00)[freebsd-security]; FORGED_SENDER(0.30)[naddy@mips.inka.de,news@mips.inka.de]; R_SPF_NA(0.00)[no SPF record]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:202113, ipnet:2a04:c9c7::/32, country:DE]; FROM_NEQ_ENVFROM(0.00)[naddy@mips.inka.de,news@mips.inka.de] X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Ed Maste has MFCed OpenSSH 8.7 to 13-STABLE, so I thought I'd point out a new feature. If you are concerned that adversaries might record SSH sessions and later decrypt them should quantum computers become practical in a number of years, well, you can take action now: KexAlgorithms ^sntrup761x25519-sha512@openssh.com This key exchange algorithm combines sntrup761 and x25519 (aka curve25519). The strength of the combined algorithm is determined by the stronger component. sntrup761 should be able to withstand attacks by quantum computers, but has not been as thoroughly researched. x25519 is a classical algorithm and vulnerable to quantum attack, but it is well established (it's already the default SSH KEX). There is no downside to enabling this KEX, other than a slightly larger overhead when a connection is established. This is measurable but not noticeable on a machine as slow as a PCEngines APU2. For the server, add KexAlgorithms +sntrup761x25519-sha512@openssh.com to /etc/ssh/sshd_config. (This will no longer be necessary starting with OpenSSH 8.9.) For the client, add KexAlgorithms ^sntrup761x25519-sha512@openssh.com to ~/.ssh/config. Note that the code has been in OpenSSH since 8.5, so there are any number of non-FreeBSD machines where this can also be enabled. -- Christian "naddy" Weisgerber naddy@mips.inka.de From nobody Tue Mar 1 22:39:59 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 1A43519F8031 for ; Tue, 1 Mar 2022 22:43:13 +0000 (UTC) (envelope-from dewayne@heuristicsystems.com.au) Received: from heuristicsystems.com.au (hermes.heuristicsystems.com.au [203.41.22.115]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2560 bits) client-digest SHA256) (Client CN "hermes.heuristicsystems.com.au", Issuer "Heuristic Systems Type 4 Host CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4K7XMg2fqXz3mpl; Tue, 1 Mar 2022 22:43:10 +0000 (UTC) (envelope-from dewayne@heuristicsystems.com.au) Received: from [10.0.5.3] (noddy.hs [10.0.5.3]) (authenticated bits=0) by heuristicsystems.com.au (8.15.2/8.15.2) with ESMTPSA id 221MdxSj017526 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Wed, 2 Mar 2022 09:40:00 +1100 (AEDT) (envelope-from dewayne@heuristicsystems.com.au) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=heuristicsystems.com.au; s=hsa; t=1646174400; x=1646779201; bh=c+bKW7P4+9CxHygkLnI+npK5b530/x9qyaUuaDJ7jBo=; h=Message-ID:Date:Subject:To:From:Cc; b=HEGVEOkazcKd4pwqr5h2B5R8R1nft+DrO6Nb24xbkeIhGG0/u0csHIE82n8SLcs06 wdeRirXP2Q/lHT144vlSrcMg73szBabVZ9TUqttFyhwsCvpVNyB2fHPwdCaxie0qrd 8qmg+3yOcy4c/2QK2fVvI/nvXgirtV5wNgqWT/7nKbCLhqNXGk+43 X-Authentication-Warning: b3.hs: Host noddy.hs [10.0.5.3] claimed to be [10.0.5.3] Message-ID: <9bed1ee5-9d0c-8df1-96a3-5b06776cb43a@heuristicsystems.com.au> Date: Wed, 2 Mar 2022 09:39:59 +1100 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:91.0) Gecko/20100101 Thunderbird/91.6.0 Subject: Re: FreeBSD 12.2 end-of-life Content-Language: en-GB To: freebsd-security@freebsd.org References: <20220301043857.40E0C6C51@freefall.freebsd.org> From: Dewayne Geraghty Cc: ae@freebsd.org In-Reply-To: <20220301043857.40E0C6C51@freefall.freebsd.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 4K7XMg2fqXz3mpl X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org; dkim=pass header.d=heuristicsystems.com.au header.s=hsa header.b=HEGVEOka; dmarc=none; spf=pass (mx1.freebsd.org: domain of dewayne@heuristicsystems.com.au designates 203.41.22.115 as permitted sender) smtp.mailfrom=dewayne@heuristicsystems.com.au X-Spamd-Result: default: False [-6.20 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[heuristicsystems.com.au:s=hsa]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; DWL_DNSWL_MED(-2.00)[heuristicsystems.com.au:dkim]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; HAS_XAW(0.00)[]; RCVD_DKIM_ARC_DNSWL_MED(-0.50)[]; DMARC_NA(0.00)[heuristicsystems.com.au]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; RCVD_IN_DNSWL_MED(-0.20)[203.41.22.115:from]; RCPT_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[heuristicsystems.com.au:+]; MLMMJ_DEST(0.00)[freebsd-security]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:1221, ipnet:203.40.0.0/13, country:AU]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N Seriously?  There appear to be either routing or ipfw issues that thwart forwarding on 13 and possibly (???) 12.3. Refer to following which also references two other PR's https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256828 Have these been addressed in 13? Regards, Dewayne. From nobody Fri Mar 4 07:47:21 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id C228B19F8456 for ; Fri, 4 Mar 2022 07:48:02 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from forward500j.mail.yandex.net (forward500j.mail.yandex.net [5.45.198.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4K90MP25sHz3tyy for ; Fri, 4 Mar 2022 07:48:01 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from sas1-37a29cf4dc11.qloud-c.yandex.net (sas1-37a29cf4dc11.qloud-c.yandex.net [IPv6:2a02:6b8:c08:121b:0:640:37a2:9cf4]) by forward500j.mail.yandex.net (Yandex) with ESMTP id 289366CB7550; Fri, 4 Mar 2022 10:47:22 +0300 (MSK) Received: from sas1-37da021029ee.qloud-c.yandex.net (sas1-37da021029ee.qloud-c.yandex.net [2a02:6b8:c08:1612:0:640:37da:210]) by sas1-37a29cf4dc11.qloud-c.yandex.net (mxback/Yandex) with ESMTP id 5TQMCqRFFk-lLfKfAjY; Fri, 04 Mar 2022 10:47:22 +0300 X-Yandex-Fwd: 2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1646380042; bh=3cRpLtw7aDsAfzD8AP4YM2BP/4uDdJFjPYyhhxl/8M0=; h=In-Reply-To:From:To:Subject:References:Date:Message-ID; b=qbe/gNXYUgDy2ugRNE1qHhv8FgvFHfduJcVaw2atiwWz4/MMAxI3B+eCBw8r5ShW6 PBrUP+rRyjd1lzj84uCUvBj4q5v0q3Lm+so6kr5drF+59MWP9FgsGFhUaBVaL0EwyH P0k8KktOBT0rxjqgujZo4i0E+Pzs7mtmvFKRLIzk= Received: by sas1-37da021029ee.qloud-c.yandex.net (smtp/Yandex) with ESMTPSA id X5NXLavXZS-lLJOAaOB; Fri, 04 Mar 2022 10:47:21 +0300 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (Client certificate not present) Message-ID: <1d432b2b-9597-b322-bb66-8ab4fc30ef15@yandex.ru> Date: Fri, 4 Mar 2022 10:47:21 +0300 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:91.0) Gecko/20100101 Thunderbird/91.4.1 Content-Language: en-US To: Dewayne Geraghty , freebsd-security@freebsd.org References: <20220301043857.40E0C6C51@freefall.freebsd.org> <9bed1ee5-9d0c-8df1-96a3-5b06776cb43a@heuristicsystems.com.au> From: "Andrey V. Elsukov" Subject: Re: FreeBSD 12.2 end-of-life In-Reply-To: <9bed1ee5-9d0c-8df1-96a3-5b06776cb43a@heuristicsystems.com.au> Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------S92y2whGa1zqtx4SXMirkfNi" X-Rspamd-Queue-Id: 4K90MP25sHz3tyy X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=yandex.ru header.s=mail header.b="qbe/gNXY"; dmarc=pass (policy=none) header.from=yandex.ru; spf=pass (mx1.freebsd.org: domain of bu7cher@yandex.ru designates 5.45.198.250 as permitted sender) smtp.mailfrom=bu7cher@yandex.ru X-Spamd-Result: default: False [-5.82 / 15.00]; TO_DN_SOME(0.00)[]; FREEMAIL_FROM(0.00)[yandex.ru]; R_SPF_ALLOW(-0.20)[+ip4:5.45.192.0/19]; HAS_ATTACHMENT(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; RWL_MAILSPIKE_EXCELLENT(0.00)[5.45.198.250:from]; DKIM_TRACE(0.00)[yandex.ru:+]; MIME_BASE64_TEXT(0.10)[]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_HAM_SHORT(-1.00)[-1.000]; DMARC_POLICY_ALLOW(-0.50)[yandex.ru,none]; SIGNED_PGP(-2.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~]; FREEMAIL_ENVFROM(0.00)[yandex.ru]; ASN(0.00)[asn:13238, ipnet:5.45.192.0/18, country:RU]; RCVD_TLS_LAST(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; DWL_DNSWL_NONE(0.00)[yandex.ru:dkim]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.91)[-0.908]; R_DKIM_ALLOW(-0.20)[yandex.ru:s=mail]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-0.91)[-0.914]; MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,text/plain]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security] X-ThisMailContainsUnwantedMimeParts: N This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------S92y2whGa1zqtx4SXMirkfNi Content-Type: multipart/mixed; boundary="------------LfqsMU5l2i6AffkmYR0pipTL"; protected-headers="v1" From: "Andrey V. Elsukov" To: Dewayne Geraghty , freebsd-security@freebsd.org Message-ID: <1d432b2b-9597-b322-bb66-8ab4fc30ef15@yandex.ru> Subject: Re: FreeBSD 12.2 end-of-life References: <20220301043857.40E0C6C51@freefall.freebsd.org> <9bed1ee5-9d0c-8df1-96a3-5b06776cb43a@heuristicsystems.com.au> In-Reply-To: <9bed1ee5-9d0c-8df1-96a3-5b06776cb43a@heuristicsystems.com.au> --------------LfqsMU5l2i6AffkmYR0pipTL Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64 MDIuMDMuMjAyMiAwMTozOSwgRGV3YXluZSBHZXJhZ2h0eSDQv9C40YjQtdGCOg0KPiBTZXJp b3VzbHk/wqAgVGhlcmUgYXBwZWFyIHRvIGJlIGVpdGhlciByb3V0aW5nIG9yIGlwZncgaXNz dWVzIHRoYXQgdGh3YXJ0DQo+IGZvcndhcmRpbmcgb24gMTMgYW5kIHBvc3NpYmx5ICg/Pz8p IDEyLjMuDQoNClRoaXMgcHJvYmxlbSBhZmZlY3RzIG9ubHkgc29tZSB0cmFmZmljLiBUaGlz IGlzIHByb2JhYmx5IHdoeSB0aGVyZSANCndlcmVuJ3Qgc28gbWFueSByZXBvcnRzLiBBbmQg aXQgZG9lc24ndCBhZmZlY3Qgc3RhYmxlLzEyLg0KDQpJdCBzZWVtcyBpdCB3YXMgaW50cm9k dWNlZCBieSB0aGVzZSB0d28gY29tbWl0czoNCiAgIGh0dHBzOi8vcmV2aWV3cy5mcmVlYnNk Lm9yZy9EMTk4MDQNCiAgIGh0dHBzOi8vcmV2aWV3cy5mcmVlYnNkLm9yZy9EMjM4ODYNCg0K PiBSZWZlciB0byBmb2xsb3dpbmcgd2hpY2ggYWxzbyByZWZlcmVuY2VzIHR3byBvdGhlciBQ UidzDQo+IA0KPiBodHRwczovL2J1Z3MuZnJlZWJzZC5vcmcvYnVnemlsbGEvc2hvd19idWcu Y2dpP2lkPTI1NjgyOA0KPiANCj4gSGF2ZSB0aGVzZSBiZWVuIGFkZHJlc3NlZCBpbiAxMz8N Cg0KSXQgaXMgc3RpbGwgYnJva2VuIGluIDEzLg0KDQotLSANCldCUiwgQW5kcmV5IFYuIEVs c3Vrb3YNCg== --------------LfqsMU5l2i6AffkmYR0pipTL-- --------------S92y2whGa1zqtx4SXMirkfNi Content-Type: application/pgp-signature; name="OpenPGP_signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="OpenPGP_signature" -----BEGIN PGP SIGNATURE----- wsB5BAABCAAjFiEE5lkeG0HaFRbwybwAAcXqBBDIoXoFAmIhxAkFAwAAAAAACgkQAcXqBBDIoXpb 8Af/amcrmw+fSivinufPL2TOEWVUaIjChkYDL9ntAUkEeF9X+WmWcO0LRTDzwRkEOMS2i6nN01O6 6eC0DH1CdSx6HPAb3IcK2OVoV5hUFc4JCG9QPTmz7fyzGl3XCYD3vmAGveTLme9HKNsxArQe3oxf aupf6fA489DLSsLYhr1NFjhVgXYjPkPCc4397x7D55VPLfZex+/YSpbCrRbVOZO7YhAgwhfEothB n8T5Ra8xNgyBBbbTaZKD37JNH6BrVgJwv5VOKpjJ+48yxcE41Oq1vu7Tv1+tAN3z0RqocX9ZHatj ZZNkGEF9pZabRcRQ2JdydBUd+63BMayzIyOoBilcKg== =uFb2 -----END PGP SIGNATURE----- --------------S92y2whGa1zqtx4SXMirkfNi-- From nobody Tue Mar 15 04:01:02 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id C7CEA1A1077B; Tue, 15 Mar 2022 04:01:04 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KHfpR6q65z3GR4; Tue, 15 Mar 2022 04:01:03 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-vs1-xe36.google.com with SMTP id d64so19410349vsd.12; Mon, 14 Mar 2022 21:01:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=IbRrkX07OJwXUIevLPICdr0nBxwT1a1WJI6GubTw51o=; b=ewrd6VemfjSfHaeOaPpTPCfugo42hgh7n9mwZfkoLhpvJQ97aV9KHcvahL/UTU6Go5 sYOsw5p8RvYuqoJnGXvA/Nxk75DSWwiYPe5XJnskpr3Q97GFXk+0BltZXAamwbZBYJ7A 3HXODfFn8W6tDyVDNR3RgwN59nce7VBug7uCfyOsSLSQFzT623M4eRzbd8r0Xxh1vHMO SjH1DNMDLmBly3xG4ucnqkpX15x9QIp/HSZBTv3HhZSKDCS8CaStSOZZfQHrtGGuIMBR vhTZx48GD10paSJCTlABjnjoXz38BqzORkSPYS+s6il/9B8j5g0+fmCL43XO5p75P11V WqvA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=IbRrkX07OJwXUIevLPICdr0nBxwT1a1WJI6GubTw51o=; b=OFoFWEOp6S46NqcpV91wJbPxSvfx9VcXAwBaKaxJv2cLXc4k4fvhA0d9N9JFf3AfnZ eSuxfxN5hnZU3MDuKqlEluiQpt6Dj4Hlo+83+xSqu2QJZtTYuvNsnEiJ57FPG/wcVGG8 5aDeaMa8dN63bUOJZrtI1aj/P80UoVjkqLtaCQiPXyVdEjoIHgwtiqvqNlvaNscEfYAC RomfmHyIKlitANq+OwcdTUzdxvjw2qlry2fdPxDafO84VZWhzBXTMa/6ke1QlDOwuP05 ojUX/SWoHZVKIE2LM7MuKFqH5SFBs8Rvi2idH7isS4g6QdHnaE5OoJZfH2wnOj77ySjo qltw== X-Gm-Message-State: AOAM5327HeQ7dsA4VNxStS6Kh86PHIPLZW9WYIfrZJgb7rKri21rArDZ 1leOgDMRLcM3pCB/XXOLylmX5BOIJ5DDc6k7TAFh6O5QyERH6fFvB+/HoHWz X-Google-Smtp-Source: ABdhPJxXpZLVooobfPbRZob3DLQYAaR4ukpIS1eusMWhSd84utFmk9rksEjzZzwcvdxQ2DuoCzrTXMbdhS19EmUlyuY= X-Received: by 2002:a05:6102:3a10:b0:322:3bf6:a54d with SMTP id b16-20020a0561023a1000b003223bf6a54dmr9996095vsu.51.1647316862940; Mon, 14 Mar 2022 21:01:02 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a59:d703:0:b0:297:bdd7:cb22 with HTTP; Mon, 14 Mar 2022 21:01:02 -0700 (PDT) In-Reply-To: References: From: grarpamp Date: Tue, 15 Mar 2022 00:01:02 -0400 Message-ID: Subject: Re: I am worried about security in FreeBSD To: freebsd-questions@freebsd.org Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4KHfpR6q65z3GR4 X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=ewrd6Vem; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::e36 as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-4.00 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; FROM_HAS_DN(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::e36:from]; MLMMJ_DEST(0.00)[freebsd-questions,freebsd-security]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-ThisMailContainsUnwantedMimeParts: N > https://web.archive.org/web/20210401214138/https://lists.freebsd.org/pipermail/freebsd-arch/2018-March/018892.html The planet's computing prioritization problem, not even 2018 but back to 1998 and before. "Responsible Disclosure" "Embargoed Releases" etc... these are nothing more than scams, a whitewashing coverup over peoples eyes, an illusion of well run security, literally security theatre, a subjugation, whose sole purpose is to keep dirty vendors from getting embarassed, and a prayer, a race already being won by unseen competition, and nothing more than a cover shell for GCHQ CIA Mossad FSB and worse, to keep exploiting you via their Zerodium etc. The better thing to do is "full disclosure" "0-day" FreeSpeech and vendors to own up their crappy security or get rightfully abandoned by the market, instead of continuing artificially propped up like worthless unneeded politicians with their propaganda censorship partnership buddy friends cabal bullshit. Either way, your security is still the same today... none, every OS kernel and userland from every vendor... exploitable at will. But at least with full disclosure it is forced to be honestly admitted, and you have forces working in your favor, and status out in the open to help you evaluate choices, that all can expose and help support and fix that festering abcess. And when did you last setup recurring significant monthly donation stream to your vendors, money specifically dedicated for and exclusively directed to security... And when did you last demand, create, and refuse to buy anything that was not... #OpenFabs , #OpenHW , #OpenAudit , #FormalVerification , #CryptoCrowdFunding , #OpenTrust , ... Until you open your wallet and invest and do and prioritize all the security things... you won't be getting any improved security. Good news is that given the pathetically sad state of computing security, even modest investment in it and new models of doing it can yield outsized results. It's greenfield early days with reward to first movers, so which will you choose... From nobody Tue Mar 15 19:29:14 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 72E341A16ED4 for ; Tue, 15 Mar 2022 19:29:14 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KJ3PQ2Z8Vz3jqr; Tue, 15 Mar 2022 19:29:14 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1647372554; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=ZYd2AZeFW88plFlPLxqBL7aAQGoKEKNhn8TWL0SPEy8=; b=mn1t+zeplt8x0uuCPaYWiL0EO38VgS35jS3p86i5jjzrYJWuX2s8d7gWm8wsaWSYkR+K7W JUuRrb+pbXhAph2xB8DR7EhS2iKavnxIi9hEscQoQ3oY42CO7LKtPtPlZVpso/ctkfqMuE ceeqDHiVhLMprkPYDsc2EBHFDaURxhbwviYyl4n9LUSif7FXYdKH6NI8owzLMCXjxeHQgk sADwaLdt/TW7bCB3dGHJk46HPwYVC/pPIcDOBd4iJKCuckYh7hsFEEGQ7xX6l0IAG7P0zs dY7uAuOFEQ0Cb4KDt1Ova6a5iPh3vM2+Xkg0UqHzF3q3/8gNPCVTYXrE3rwQjA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 4193D460E; Tue, 15 Mar 2022 19:29:14 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:02.wifi Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220315192914.4193D460E@freefall.freebsd.org> Date: Tue, 15 Mar 2022 19:29:14 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1647372554; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=ZYd2AZeFW88plFlPLxqBL7aAQGoKEKNhn8TWL0SPEy8=; b=V2GvDutzPomUqysOda/LTQvKD7WuCa1/pC+7CRJjhVdA6akVsVLYkuCS7b5hjvS5/6xTnD WB6Ieag3hwCMfJRns0L9rMPFxfEpq+CjFGETva7gBsM12YU0f4HFJ1wQVLqE4lKu33sw0f kpbYaaS1uJlIjUnkFajen794sdGXXicf7MHpWu32ALGuDPAnpvVKk2efwHVeO3ezLXBI6m 6I+fv3NscLkCqMWaJG//jP8sFkeJzJWQ5Am9aPjGfhnjAudCNDuWHDy3T+oZ/Wk+rMyLml VS9K2Uo85D2t6twDBdyJanR9QTnlpJx+E+DywqwWMMa3MNoKd2rY7UuYg1oGHA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1647372554; a=rsa-sha256; cv=none; b=qAbNObb6kr4QHAEegg718QQVJWMv2QfDrWyY2IgOqJr37xO0Qi/fmTSnAp5kKp08VDATSS wwvdHeAr7OCZo1/sA+zBr7QMg0G3cnLSVBT8vMO+oKPLMXvlttk8obHmBj087e80bsnS6w hCASj+RZrQBrNM+/UAPggYBvupDvArJuzXQiyYlIWOky5sMJCl/DWy7R0xf2kKFXWQc9pt /OubZ8fzNyPiCLNw4+thJmXC5DF2V6/5qKDR/nLgpmXvsMaAKzKLclaPvJQ1BsaRQy66PS qU8uAMhvslZ5t6HYRCaYF7bajrvfGuJp6siXjxbf3Zpr+Jwj3+Je+iaptboebA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:02.wifi Security Advisory The FreeBSD Project Topic: Multiple WiFi issues Category: core Module: net80211 Announced: 2022-03-15 Affects: FreeBSD 12.x and FreeBSD 13.0 Corrected: 2021-11-19 00:01:25 UTC (stable/13, 13.0-STABLE) 2022-03-15 17:45:36 UTC (releng/13.0, 13.0-RELEASE-p8) 2022-02-15 16:05:49 UTC (stable/12, 12.3-STABLE) 2022-03-15 18:18:08 UTC (releng/12.3, 12.3-RELEASE-p3) 2022-03-15 18:17:30 UTC (releng/12.2, 12.2-RELEASE-p14) CVE Name: CVE-2020-26147, CVE-2020-24588, CVE-2020-26144 Note: This issue is already fixed in FreeBSD 13.1-BETA1. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD's net80211 kernel subsystem provides infrastructure and drivers for IEEE 802.11 wireless (Wi-Fi) communications. II. Problem Description The paper "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" reported a number of security vulnerabilities in 802.11 specificaiton related to frame aggregation and fragmentation. Additionally, FreeBSD 12.x missed length validation of SSIDs and Information Elements (IEs). III. Impact As reported on the FragAttacks website, the "design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings." Under suitable conditions an attacker may be able to extract sensitive data or inject data. IV. Workaround No workaround is available, but the ability to extract or inject data is mitigated by the use of application (e.g. HTTPS) or transport (e.g. TLS, IPSEC) layer encryption. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 13.0] # fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.13.patch # fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.13.patch.asc # gpg --verify wifi.13.patch.asc [FreeBSD 12.x] # fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.12.patch # fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.12.patch.asc # gpg --verify wifi.12.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 6acb9d5f955b stable/13-n248098 releng/13.0/ 0d1db5c3257e releng/13.0-n244782 stable/12/ r371640 releng/12.3/ r371748 releng/12.2/ r371740 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5aoACgkQ05eS9J6n 5cLuYw/+OtkGeEYFTmwoZrFn105OOhi1MHjopUmW3B3FDeIMP2BnULkCodLKpDqx WNROwaLBZ/FSHdX+rwcFhZVKksGuXafRY2bywDfJNCRmSIRjSEiSozIkJbihmKYq SAWxUwbZxkg+MPtgoiUNocXZhFplN4E1VmfZl6XDfcd9jrFTuNiMKPKWzW8haI7R H3Tovh6GgRLFfP5nnY2X8xZSSrxqkzXj4iRHJDedu6nmBFtsB34kjhW42fpycM/c irhHBApfgl9XW31sLSFP2lwhq36AVD27SaYKDWxAv4ywp6PiwPTTNr8lwk05Z0jp z76f3ZIBDhz3M3qzphMQ5wj6CB7SqTrgSD0WDZchdgDk904BdNum3vNRTO4x9iSB czlXk/utMbupW8AU9rjdKWeMz0DBpDGckjZq1Ot8+fSwbiLkPCjpYTDsxqiLZs6i xp/qjDW8rUKbgQSztSq3svF58dY74TLZ34rN0cqVPgvfpG1/fbM4W63vR0b4YG/5 mv4OKXe5whJmh1OVrrVSX/ttyTFm6JpNFRxpXCkRKOgNICevw9yHlvx8uE6rVKde P7PXAdRT48gcmN9gIscFuRwt2glvChYuH6ncF1jMQmfoAMTlDGRATQUuDy81fIw9 va3fiGDy2FsenAQYa4UwaA/iCodjaC0cNjNnf2cc9nZEnuq86l8= =Cjzd -----END PGP SIGNATURE----- From nobody Tue Mar 15 19:29:17 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id F417E1A171AB for ; Tue, 15 Mar 2022 19:29:17 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KJ3PT6byPz3jjs; Tue, 15 Mar 2022 19:29:17 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1647372557; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=jRlHERJdmJKDzIlnMla8byHaRXnG6yYBeMPPDzyeqkM=; b=jkJLUAdmdBxyl+CXDNEXSdorswq8BXJb5gl6C1j37pkIJcigHzTIHu3kZ0PODkJXO6xCz2 Gz6GNiOzVIsRSzfNL4y3mW2U1Qeo+LjjHkxnCq8QhQj2in1sHTLpHeuaOwaHO5pgW78ftN yrsCAaRvRrTp0cXbpDw8jen2LENdQYWuIBR3ywdikiVw8Wnd5hhEqe2+drv1YqyZN0nYXu 8aOBh28s53PLd8ndtRq74y2+JufX/UFJsvefL5QezhJ9d/SMWPacXJckhVAwpmtuyBBsEW VWrzBYmVi16xqLPjn8xXWacmhVSm6NBl1ajaGMWujLCFI7W09RNaXWzbOp+3KQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id BCE014611; Tue, 15 Mar 2022 19:29:17 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:03.openssl Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220315192917.BCE014611@freefall.freebsd.org> Date: Tue, 15 Mar 2022 19:29:17 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1647372557; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=jRlHERJdmJKDzIlnMla8byHaRXnG6yYBeMPPDzyeqkM=; b=UT2yTWYD+T8KCgP1vMzxUHMVPurUo1soIc47VlFByUltG3YwEWdAvsOalunHwwHpPOGuy+ q4b1MTnMaSY9w1Tz0POLGr48s9cE3jZ2TsHoXS2ZxxNiiQV9JBgZqBMXaK532PXCrYy9bw xkRH/72hS0txHxJGA1GHl05dsbUvk8nl/fRwqMuhA4CIZi9WtHr4tKtocihh7cGlNUbsTk b9ZJIAiRSCXGVTl5uIymou7hIo8AZWQb6uoO+n1MB+yqFvS9SFCWkSkQiltx4gRS80f+CI 7ww75iLYJH+tC/zWASakI5Md0LtH34lsXmwBawFtRvfxwLIbAsiF7no8V4Nx7w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1647372557; a=rsa-sha256; cv=none; b=ItltOkTvfKgDEYnWw62c+NFvz+EXCCzE7XJqpN93N5XAGjBvl39zr7c5Dbe3Jy0+UgDR3x 8sYdJ3kvYyUJwPMnwN0C4wo9+H2t3e1nVJNmE6pEsyOnz6kJzNJ6s6hAJDwGcwiTfFAK6B FwDV2C6MItYbwGAQWm6RO69QrXkPmMv8Ri5gj8ihrhKRXFN8XkosPf68Dt9AdQnBimpcpf hvBnw1nmYJNGiKxzLYK4YGgwdNDDlkDgtb/lGULPTZ98gJxSJ5ennZ5oGp0ixm1Te3saNq MZ+AmAKv6vEHMuiBKeEdsFqxD86hg9ImwHD1aGNspE1+Q1LqXH0VZBqff9qcSw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:03.openssl Security Advisory The FreeBSD Project Topic: OpenSSL certificate parsing infinite loop Category: contrib Module: openssl Announced: 2022-03-15 Credits: Tavis Ormandy from Google Affects: All supported versions of FreeBSD. Corrected: 2022-03-15 16:51:46 UTC (stable/13, 13.1-STABLE) 2022-03-15 17:42:48 UTC (releng/13.1, 13.1-BETA1-p1) 2022-03-15 17:43:02 UTC (releng/13.0, 13.0-RELEASE-p8) 2022-03-15 16:56:09 UTC (stable/12, 12.3-STABLE) 2022-03-15 18:17:50 UTC (releng/12.3, 12.3-RELEASE-p3) 2022-03-15 18:17:16 UTC (releng/12.2, 12.2-RELEASE-p14) CVE Name: CVE-2022-0778 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit for the Transport Layer Security (TLS) protocol. It is also a general-purpose cryptography library. II. Problem Description The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. This function is used when parsing certificates that contain certain forms of elliptic curves. III. Impact A specially crafted certificate with invalid explicit curve parameters may trigger an infinite loop, leading to a denial of service. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may be affected. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:03/openssl.patch # fetch https://security.FreeBSD.org/patches/SA-22:03/openssl.patch.asc # gpg --verify openssl.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 5f3d952f6e6b stable/13-n250020 releng/13.1/ 942b5e156d41 releng/13.1-n249979 releng/13.0/ 3847c17aa23a releng/13.0-n244777 stable/12/ r371734 releng/12.3/ r371742 releng/12.2/ r371735 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5a0ACgkQ05eS9J6n 5cKZqQ/8D7qHRsnXGENtJqjN9Nt2VRiBeO5GKrhBJFVS8/cgVvlgDPFIrWOA/b7v p386eSIRPA3BGpEzP6cQddM/pogHFjSuskSznkNvfsUeZ7B9avODNvHykiODMajU ACv/JZ8IU9rWR2C3DqtlnVqKt3N8Pa8ZpxUCpYDeBEMIaYn/UOUZ9PmZZtaCJ1jz ZSsel99VvA7RdSd58ahb9Mga6KLDdp4bVVftfpepihTOu7pfmxZqrG7W+1pld/wd R88yGEDxyDD9/qDToA13i8+gAU5P5ASmzfNNqVwzJ4QLlkk2OrJBFKCLl+1BrR2p w6r3eZzx9SexCSJ9jLw54rezpXgLyJ/+fURHtKVOu39ELqZmftBgBYS0gxWiQ6jH Wx3lrPjjskFBp4MO5uBChnF8BIpGZN2guLpQkPtHCiaa469OI/NI5zarvXYvGPJL j4BMZtQQWGj2WIFWmMu7fvkhYOgVWmyjS4SWEwom7UGLq1EJKb9Rau9e4TOr8bYw EQV5c71Wn7IV9Oga1rPVRUe2hHAX1VkvhVm49G47V2gyvmPwXwwbVe7byW8Mz46j znkTSmAzHNbXFcJV+aPXejGRDvg0H+wfDyQFlN32IXdyVrbphRjekOu2Ftn8eWS9 SkEdbvYP5x192NpBgfpHo5tc2CJHcM4xKg7WAIUk0vrK7aSgPoc= =TDUh -----END PGP SIGNATURE----- From nobody Fri Mar 18 19:16:03 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id DBC381A2145D for ; Fri, 18 Mar 2022 19:16:23 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-il1-f182.google.com (mail-il1-f182.google.com [209.85.166.182]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KKtzB4v63z3JXn for ; Fri, 18 Mar 2022 19:16:22 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: by mail-il1-f182.google.com with SMTP id r11so6442415ila.1 for ; Fri, 18 Mar 2022 12:16:22 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=X3oo3iKc1+m4j43EJvqP63ErEsEQqmphV+ihrff4udY=; b=UDUHlLTNjWZrF531kzj05q7UsI8C1oB/isqRvseQslwzhpYEG8w/fzjCbRx0eAU+Yt Ihkq0tYUiVlGkCSRY3Z2NOwGVF44npEo0gI18Q8SPK182Pb2bPCf5jwywAtivK6wtnmn HRV3n6IzINCf9Dh09BayI+P7vfQt2K71/NM/qtKZLs5P1owsOb4G/NvHcotNj6jzQ6v8 I3O/Ls+4oUWja2JpwtHWXmNcmGAhCn/0JzPRhE8UKhmM4pzijByxxGRIhoPHXOCmTDa6 7xr1qcVUEOOfpP6pMWfQRkbkhgdfPgceyT/fO1xnexvZLYFMRJYR4RGD8y+11h38S71R spXA== X-Gm-Message-State: AOAM531YQOXHb3QHta/rDUq7JkhwGDtrjm/ENAB9nBxI2cQtBPFXJOU4 MOd+VHSSPxJIeSCtmuiRwjPgHBni3egaulR2ZjD/Argx X-Google-Smtp-Source: ABdhPJzvZUu/ALepT2OjlekIiu3rflo3mWH3O7GzwvVu9w+UKfrHt7MthZgM6qNLMKb4PbFAsneh/t0ghQDBnoi/4co= X-Received: by 2002:a92:ca0c:0:b0:2c7:7983:255f with SMTP id j12-20020a92ca0c000000b002c77983255fmr4676887ils.252.1647630975424; Fri, 18 Mar 2022 12:16:15 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 References: In-Reply-To: From: Ed Maste Date: Fri, 18 Mar 2022 15:16:03 -0400 Message-ID: Subject: Re: I am worried about security in FreeBSD To: freebsd-security@freebsd.org Cc: iio7@tutanota.com Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4KKtzB4v63z3JXn X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates 209.85.166.182 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com X-Spamd-Result: default: False [-2.47 / 15.00]; RCVD_TLS_ALL(0.00)[]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[carpeddiem]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17]; NEURAL_HAM_LONG(-0.47)[-0.468]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[freebsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-1.000]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[209.85.166.182:from]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; MLMMJ_DEST(0.00)[freebsd-security]; FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com]; RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.166.182:from]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com]; FREEMAIL_ENVFROM(0.00)[gmail.com]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N On Mon, 14 Mar 2022 at 16:11, wrote: > > I have just finished reading through tons of security bug reports in the FreeBSD > bug report archive, and also normal bugs, and I am "scared" about the lack of > attention these issues get. Please provide some examples of the issues you're referring to - I won't argue that issues never fall through the cracks, but I expect that the security team consistently reviews and triages incoming reports. If you can provide concrete examples it will help determine if there is in fact a real issue, and perhaps how to address it. From nobody Mon Mar 21 12:14:36 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 090B11A26B1F for ; Mon, 21 Mar 2022 12:14:48 +0000 (UTC) (envelope-from dweber@htwsaar.de) Received: from thyone.hiz-saarland.de (thyone.hiz-saarland.de [134.96.7.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4KMYTL6nqMz3lwN for ; Mon, 21 Mar 2022 12:14:46 +0000 (UTC) (envelope-from dweber@htwsaar.de) Received: from localhost (localhost [127.0.0.1]) by thyone.hiz-saarland.de (Postfix) with ESMTP id BD8DF4019827 for ; Mon, 21 Mar 2022 13:14:39 +0100 (CET) Received: from thyone.hiz-saarland.de ([127.0.0.1]) by localhost (thyone.hiz-saarland.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uqpev5QExnRJ for ; Mon, 21 Mar 2022 13:14:38 +0100 (CET) Received: from triton.rz.uni-saarland.de (old-smtp.uni-saarland.de.local [134.96.7.25]) by thyone.hiz-saarland.de (Postfix) with ESMTPS for ; Mon, 21 Mar 2022 13:14:38 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by triton.rz.uni-saarland.de (Postfix) with ESMTP id 6280760001BB for ; Mon, 21 Mar 2022 13:14:38 +0100 (CET) Received: from triton.rz.uni-saarland.de ([127.0.0.1]) by localhost (triton.rz.uni-saarland.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0XgZ8TMZDvK8 for ; Mon, 21 Mar 2022 13:14:36 +0100 (CET) Received: from htw-mail.htwsaar.de (htw-mail.htw-saarland.de [134.96.210.140]) by triton.rz.uni-saarland.de (Postfix) with ESMTPS for ; Mon, 21 Mar 2022 13:14:36 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by htw-mail.htwsaar.de (Postfix) with ESMTP id 0E9C682AA62 for ; Mon, 21 Mar 2022 13:14:36 +0100 (CET) X-Quarantine-ID: X-Virus-Scanned: amavisd-new at htw-mail.htwsaar.de Received: from htw-mail.htwsaar.de ([127.0.0.1]) by localhost (htw-mail.htwsaar.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f6QsN7mTYCsw for ; Mon, 21 Mar 2022 13:14:35 +0100 (CET) Received: from isl-dw.htw-saarland.de (isl-dw.htw-saarland.de [134.96.218.251]) by htw-mail.htwsaar.de (Postfix) with ESMTPS for ; Mon, 21 Mar 2022 13:14:35 +0100 (CET) Date: Mon, 21 Mar 2022 13:14:36 +0100 (CET) From: Damian Weber To: freebsd-security@freebsd.org Subject: SSD erase question Message-ID: <274c8cca-80b0-9460-6754-6bb77efbb4dd@htwsaar.de> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Rspamd-Queue-Id: 4KMYTL6nqMz3lwN X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of dweber@htwsaar.de designates 134.96.7.232 as permitted sender) smtp.mailfrom=dweber@htwsaar.de X-Spamd-Result: default: False [-3.40 / 15.00]; RCVD_TLS_LAST(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:134.96.7.0/24]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000]; DMARC_NA(0.00)[htwsaar.de]; NEURAL_HAM_SHORT(-1.00)[-1.000]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:680, ipnet:134.96.0.0/16, country:DE]; RCVD_COUNT_SEVEN(0.00)[10]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_IN_DNSWL_LOW(-0.10)[134.96.7.25:received] X-ThisMailContainsUnwantedMimeParts: N Hi all, I'd like to have an answer on a secure FreeBSD way to erase SSDs before giving these away to someone for reusing it. Is the following enough to protect confidential data previously stored there? 1) dd : overwriting with random bits (complete capacity) 2) gpart create 3) gpart add 4) newfs Details for an example with /dev/ada1 see below. Thanks a lot, Damian # fdisk ada1 ******* Working on device /dev/ada1 ******* parameters extracted from in-core disklabel are: cylinders=484521 heads=16 sectors/track=63 (1008 blks/cyl) Figures below won't work with BIOS for partitions not in cyl 1 parameters to be used for BIOS calculations are: cylinders=484521 heads=16 sectors/track=63 (1008 blks/cyl) Media sector size is 512 Warning: BIOS sector numbering starts with sector 1 Information from DOS bootblock is: The data for partition 1 is: sysid 238 (0xee),(EFI GPT) start 1, size 488397167 (238475 Meg), flag 0 beg: cyl 0/ head 0/ sector 2; end: cyl 1023/ head 255/ sector 63 The data for partition 2 is: The data for partition 3 is: The data for partition 4 is: # gpart show ada1 => 40 488397088 ada1 GPT (233G) 40 1024 1 freebsd-boot (512K) 1064 480246784 2 freebsd-ufs [bootme] (229G) 480247848 8149280 3 freebsd-swap (3.9G) # dd if=/dev/random of=/dev/ada1 bs=512 count=488397088 # gpart create -s gpt ada1 # gpart add -t freebsd-ufs ada1 # newfs -U /dev/ada1p1 From eugen@grosbein.net Mon Mar 21 12:45:18 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 5E4521A2FC90 for ; Mon, 21 Mar 2022 12:45:53 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from hz.grosbein.net (hz.grosbein.net [IPv6:2a01:4f8:c2c:26d8::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KMZ9C5H58z3t2j for ; Mon, 21 Mar 2022 12:45:51 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from eg.sd.rdtc.ru (root@eg.sd.rdtc.ru [62.231.161.221] (may be forged)) by hz.grosbein.net (8.16.1/8.16.1) with ESMTPS id 22LCjlnh017069 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 21 Mar 2022 12:45:48 GMT (envelope-from eugen@grosbein.net) X-Envelope-From: eugen@grosbein.net X-Envelope-To: dweber@htwsaar.de Received: from [10.58.0.11] (dadv@dadvw [10.58.0.11] (may be forged)) by eg.sd.rdtc.ru (8.16.1/8.16.1) with ESMTPS id 22LCjLhf095331 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Mon, 21 Mar 2022 19:45:46 +0700 (+07) (envelope-from eugen@grosbein.net) Subject: Re: SSD erase question To: Damian Weber , freebsd-security@freebsd.org References: <274c8cca-80b0-9460-6754-6bb77efbb4dd@htwsaar.de> From: Eugene Grosbein Message-ID: <12d76150-d3e8-a31b-c67d-c9c8e0a9bb12@grosbein.net> Date: Mon, 21 Mar 2022 19:45:18 +0700 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 In-Reply-To: <274c8cca-80b0-9460-6754-6bb77efbb4dd@htwsaar.de> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,SHORTCIRCUIT autolearn=disabled version=3.4.2 X-Spam-Report: * -0.0 SHORTCIRCUIT No description available. * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on hz.grosbein.net X-Rspamd-Queue-Id: 4KMZ9C5H58z3t2j X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=fail (mx1.freebsd.org: domain of eugen@grosbein.net does not designate 2a01:4f8:c2c:26d8::2 as permitted sender) smtp.mailfrom=eugen@grosbein.net X-Spamd-Result: default: False [-0.07 / 15.00]; ARC_NA(0.00)[]; R_SPF_FAIL(1.00)[-all]; FREEFALL_USER(0.00)[eugen]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; NEURAL_HAM_LONG(-0.99)[-0.988]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[grosbein.net]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-0.99)[-0.986]; RCPT_COUNT_TWO(0.00)[2]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:2a01:4f8::/32, country:DE]; RCVD_TLS_ALL(0.00)[]; MID_RHS_MATCH_FROM(0.00)[] X-ThisMailContainsUnwantedMimeParts: N 21.03.2022 19:14, Damian Weber wrote: > > Hi all, > > I'd like to have an answer on a secure FreeBSD way to erase > SSDs before giving these away to someone for reusing it. > > Is the following enough to protect confidential data > previously stored there? > > 1) dd : overwriting with random bits (complete capacity) > 2) gpart create > 3) gpart add > 4) newfs First, there is a command trim(8) that is easier to use but it gives no guarantee of "secure erase" in TRIM. Second, there is "camcontrol security -e" for secure erase, see camcontrol(8) manual page, EXAMPLES section. From nobody Mon Mar 21 12:52:20 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 5B99F1A31E36 for ; Mon, 21 Mar 2022 12:52:28 +0000 (UTC) (envelope-from jhellenthal@dataix.net) Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KMZJq4cByz3vhP for ; Mon, 21 Mar 2022 12:52:27 +0000 (UTC) (envelope-from jhellenthal@dataix.net) Received: by mail-il1-x12c.google.com with SMTP id e18so1297588ilr.2 for ; Mon, 21 Mar 2022 05:52:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dataix.net; s=net; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=/wVHlxo9eMKR0TGehNEwJ+lYGcwapTggsh2plEj2EYU=; b=s9pfIHar/Vn5oJobYRhjwZiAIGsz1dx3MRL+5Dk/h9fCZHGOAsWOvjVjD/F6azatZ1 pieTqAIKLqkx1oZ/qJqT7mF96mRuA0XvoHDQGbbvjKlZXnCkPGpNJ4ULo0wyoTTkPrBR cUsHWvLgm1IlbixZpMEOHsR6YHjASXm/9Hgl4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=/wVHlxo9eMKR0TGehNEwJ+lYGcwapTggsh2plEj2EYU=; b=8LUiqcwrHUazWnbmIJqD9nLeF6T7ZiGU1IWbxVggU9/d6u/fEWpaYZ6wucIkQ787jf 27qIaHIgDkPuRU5CLPVEJwhU9lTIy+rtC+XG03k7Fd8itZ+y4m52WxKQJfQZxcRtLyM/ C48HsfaJ8MI4rjTWUD61hLP0cQr4nb34eGNIw4v39qupibPEfBQ2RbQBZaZ43ztBL6fR 7mMllQuG39alaeFMjIATjVXMRm8AgNI/si0cwTiOfDhBDmpfYKh48uNWNDecKTENOXZL zR85+z/uIgLLIkP0aed0BgJMYBdCFpd0hNkPODQ8WINN7O+cofSZTGaElgQ2EXC6P1+V psSw== X-Gm-Message-State: AOAM532ysEuHRHdjUEzUpilAeM2wAAR6FXhaTPPI2aoJX00ZDgaG3tdh 6nbGbT8AaZPkyswsJhv18U3c9TUSDaZ4hw== X-Google-Smtp-Source: ABdhPJyn1HgMLoIganoTxLQGcVCpOQ4Yram/rsimM/gmoL4jwB1ed8any093/2hf9ilbpPxZgRU+nA== X-Received: by 2002:a05:6e02:20e3:b0:2c8:1e7b:529c with SMTP id q3-20020a056e0220e300b002c81e7b529cmr3533625ilv.34.1647867141151; Mon, 21 Mar 2022 05:52:21 -0700 (PDT) Received: from smtpclient.apple (2603-6000-ca01-b73e-6559-99dd-8426-df0e.res6.spectrum.com. [2603:6000:ca01:b73e:6559:99dd:8426:df0e]) by smtp.gmail.com with ESMTPSA id c6-20020a056e020bc600b002c6731e7cb8sm9313622ilu.31.2022.03.21.05.52.20 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 21 Mar 2022 05:52:20 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: "J. Hellenthal" List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 (1.0) Subject: Re: SSD erase question Date: Mon, 21 Mar 2022 07:52:20 -0500 Message-Id: References: <274c8cca-80b0-9460-6754-6bb77efbb4dd@htwsaar.de> Cc: freebsd-security@freebsd.org In-Reply-To: <274c8cca-80b0-9460-6754-6bb77efbb4dd@htwsaar.de> To: Damian Weber X-Mailer: iPhone Mail (19E241) X-Rspamd-Queue-Id: 4KMZJq4cByz3vhP X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=dataix.net header.s=net header.b=s9pfIHar; dmarc=pass (policy=reject) header.from=dataix.net; spf=pass (mx1.freebsd.org: domain of jhellenthal@dataix.net designates 2607:f8b0:4864:20::12c as permitted sender) smtp.mailfrom=jhellenthal@dataix.net X-Spamd-Result: default: False [-3.49 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[dataix.net:s=net]; NEURAL_HAM_MEDIUM(-1.00)[-0.997]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; NEURAL_HAM_LONG(-1.00)[-1.000]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[dataix.net:+]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::12c:from]; NEURAL_HAM_SHORT(-1.00)[-0.995]; DMARC_POLICY_ALLOW(-0.50)[dataix.net,reject]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_TLS_ALL(0.00)[]; MID_RHS_MATCH_FROM(0.00)[] X-ThisMailContainsUnwantedMimeParts: N Personally I would use dc3dd from ports and you'll be plenty alright. While dd would be enough in most occasions I won't assume your data is of a t= ypical user. It only writes the random bits to the disk once. In some scenar= ios it's possible to reverse that. dc3dd takes care of that by writing multi= ple times. There is also dcfldd which was superseded by dc3dd. --=20 J. Hellenthal The fact that there's a highway to Hell but only a stairway to Heaven says a= lot about anticipated traffic volume. > On Mar 21, 2022, at 07:15, Damian Weber wrote: >=20 > =EF=BB=BF > Hi all, >=20 > I'd like to have an answer on a secure FreeBSD way to erase=20 > SSDs before giving these away to someone for reusing it.=20 >=20 > Is the following enough to protect confidential data=20 > previously stored there? >=20 > 1) dd : overwriting with random bits (complete capacity) > 2) gpart create > 3) gpart add > 4) newfs >=20 > Details for an example with /dev/ada1 see below. >=20 > Thanks a lot, >=20 > Damian >=20 >=20 > # fdisk ada1 > ******* Working on device /dev/ada1 ******* > parameters extracted from in-core disklabel are: > cylinders=3D484521 heads=3D16 sectors/track=3D63 (1008 blks/cyl) >=20 > Figures below won't work with BIOS for partitions not in cyl 1 > parameters to be used for BIOS calculations are: > cylinders=3D484521 heads=3D16 sectors/track=3D63 (1008 blks/cyl) >=20 > Media sector size is 512 > Warning: BIOS sector numbering starts with sector 1 > Information from DOS bootblock is: > The data for partition 1 is: > sysid 238 (0xee),(EFI GPT) > start 1, size 488397167 (238475 Meg), flag 0 > beg: cyl 0/ head 0/ sector 2; > end: cyl 1023/ head 255/ sector 63 > The data for partition 2 is: > > The data for partition 3 is: > > The data for partition 4 is: > >=20 > # gpart show ada1 > =3D> 40 488397088 ada1 GPT (233G) > 40 1024 1 freebsd-boot (512K) > 1064 480246784 2 freebsd-ufs [bootme] (229G) > 480247848 8149280 3 freebsd-swap (3.9G) >=20 > # dd if=3D/dev/random of=3D/dev/ada1 bs=3D512 count=3D488397088 >=20 > # gpart create -s gpt ada1 >=20 > # gpart add -t freebsd-ufs ada1 >=20 > # newfs -U /dev/ada1p1 >=20 >=20 From nobody Mon Mar 21 13:05:35 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4386F1A35298 for ; Mon, 21 Mar 2022 13:05:44 +0000 (UTC) (envelope-from jhellenthal@dataix.net) Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KMZc73msqz4Sh5 for ; Mon, 21 Mar 2022 13:05:43 +0000 (UTC) (envelope-from jhellenthal@dataix.net) Received: by mail-io1-xd36.google.com with SMTP id r2so16578237iod.9 for ; Mon, 21 Mar 2022 06:05:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dataix.net; s=net; h=subject:mime-version:disposition-notification-to:from:in-reply-to :date:cc:content-transfer-encoding:message-id:references:to; bh=1lZ3Y/xy0bPIP3KunE5opWnzaW8ea4wppl8unRQox1c=; b=W8vLp4hqWNWEJrcA+AtfN41ngS/fqulkBuK7hgZlz1gyPorItfI0F9tYgrPZ4GLcXk O0dpG0xxhufPlacZSxhGcnvHfKhs6Px46j+yYVo3QVGdXY7gFAQPQSczhIG3h99GJkt3 6HyG8yvCeHIRA8KJOSjCc9cTTtVsUfkWr9fM0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:mime-version:disposition-notification-to :from:in-reply-to:date:cc:content-transfer-encoding:message-id :references:to; bh=1lZ3Y/xy0bPIP3KunE5opWnzaW8ea4wppl8unRQox1c=; b=lwUfkZjdNgKcbv3pm9sQT0OaHyhKj3zlFtZpYBSJLpDBMmAtVmewc0TENY+lhxxGk5 4I3418TYCIxFvXrx5exXwBGOzj/5v0S2PZTRGlLKOqVrPA7zGk4bEvjbdGtrfeK3GBQl KXT63lu8zGaZnrUPbkpFPALAGJZTHIR0Sz5dDVKCVD8sKd1yXA1ZEqL7ESAYbu7hvVqO BU8I96sTAIAwPFZv1EehvxkouHn8vJHetpVKjVBfLMlrLbfmTuCyvYHrHNAMvkYVixJU 43ormYauyH3zzYKZxoWb95mhcIhy4WAvRe0Jx9QTIL8moDfu542QQhhmAdIGOvSKiTKe CDxA== X-Gm-Message-State: AOAM533avQwPQoQyufHlZY+H7onUBFc6njrK6x5Qi6EUwqk7LWFhR5M4 xzOF21nJyIRevbPjVsGLC+OClQg8+y32TQ== X-Google-Smtp-Source: ABdhPJyQdU5JlUj1DgPQds2mZG/vNE8iNr3Zsk0s0KemaSMesfsi/Jw/J3Y5pOay1gNPcCFvbMVXTA== X-Received: by 2002:a05:6638:1453:b0:319:c928:5ccd with SMTP id l19-20020a056638145300b00319c9285ccdmr11221620jad.136.1647867937068; Mon, 21 Mar 2022 06:05:37 -0700 (PDT) Received: from smtpclient.apple (2603-6000-ca01-b73e-78c8-90fe-0265-114e.res6.spectrum.com. [2603:6000:ca01:b73e:78c8:90fe:265:114e]) by smtp.gmail.com with ESMTPSA id r4-20020a92cd84000000b002c83a11e471sm258218ilb.67.2022.03.21.06.05.36 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 21 Mar 2022 06:05:36 -0700 (PDT) Subject: Re: SSD erase question List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: REDACTED Content-Type: text/plain; charset=utf-8 Disposition-Notification-To: J. Hellenthal From: "J. Hellenthal" X-Mailer: REDACTED In-Reply-To: Date: Mon, 21 Mar 2022 08:05:35 -0500 Cc: freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: References: <274c8cca-80b0-9460-6754-6bb77efbb4dd@htwsaar.de> To: Damian Weber X-Rspamd-Queue-Id: 4KMZc73msqz4Sh5 X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=pass header.d=dataix.net header.s=net header.b=W8vLp4hq; dmarc=pass (policy=reject) header.from=dataix.net; spf=pass (mx1.freebsd.org: domain of jhellenthal@dataix.net designates 2607:f8b0:4864:20::d36 as permitted sender) smtp.mailfrom=jhellenthal@dataix.net X-Spamd-Result: default: False [-1.71 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[dataix.net:s=net]; XM_UA_NO_VERSION(0.01)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_SPAM_SHORT(0.78)[0.780]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[dataix.net:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[dataix.net,reject]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::d36:from]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_TLS_ALL(0.00)[]; MID_RHS_MATCH_FROM(0.00)[] X-ThisMailContainsUnwantedMimeParts: N Think I've mistaken dc3dd for bcwipe from ports. See bcwipe instead... = https://www.jetico.com/news/jetico-delivers-new-bcwipe-solution-wipe-drive= s-supporting-mac-nvme-secure-boot --=20 J. Hellenthal The fact that there's a highway to Hell but only a stairway to Heaven = says a lot about anticipated traffic volume. > On Mar 21, 2022, at 07:52, J. Hellenthal = wrote: >=20 > Personally I would use dc3dd from ports and you'll be plenty alright. >=20 > While dd would be enough in most occasions I won't assume your data is = of a typical user. It only writes the random bits to the disk once. In = some scenarios it's possible to reverse that. dc3dd takes care of that = by writing multiple times. >=20 > There is also dcfldd which was superseded by dc3dd. >=20 > --=20 > J. Hellenthal >=20 > The fact that there's a highway to Hell but only a stairway to Heaven = says a lot about anticipated traffic volume. >=20 >> On Mar 21, 2022, at 07:15, Damian Weber wrote: >>=20 >> =EF=BB=BF >> Hi all, >>=20 >> I'd like to have an answer on a secure FreeBSD way to erase=20 >> SSDs before giving these away to someone for reusing it.=20 >>=20 >> Is the following enough to protect confidential data=20 >> previously stored there? >>=20 >> 1) dd : overwriting with random bits (complete capacity) >> 2) gpart create >> 3) gpart add >> 4) newfs >>=20 >> Details for an example with /dev/ada1 see below. >>=20 >> Thanks a lot, >>=20 >> Damian >>=20 >>=20 >> # fdisk ada1 >> ******* Working on device /dev/ada1 ******* >> parameters extracted from in-core disklabel are: >> cylinders=3D484521 heads=3D16 sectors/track=3D63 (1008 blks/cyl) >>=20 >> Figures below won't work with BIOS for partitions not in cyl 1 >> parameters to be used for BIOS calculations are: >> cylinders=3D484521 heads=3D16 sectors/track=3D63 (1008 blks/cyl) >>=20 >> Media sector size is 512 >> Warning: BIOS sector numbering starts with sector 1 >> Information from DOS bootblock is: >> The data for partition 1 is: >> sysid 238 (0xee),(EFI GPT) >> start 1, size 488397167 (238475 Meg), flag 0 >> beg: cyl 0/ head 0/ sector 2; >> end: cyl 1023/ head 255/ sector 63 >> The data for partition 2 is: >> >> The data for partition 3 is: >> >> The data for partition 4 is: >> >>=20 >> # gpart show ada1 >> =3D> 40 488397088 ada1 GPT (233G) >> 40 1024 1 freebsd-boot (512K) >> 1064 480246784 2 freebsd-ufs [bootme] (229G) >> 480247848 8149280 3 freebsd-swap (3.9G) >>=20 >> # dd if=3D/dev/random of=3D/dev/ada1 bs=3D512 count=3D488397088 >>=20 >> # gpart create -s gpt ada1 >>=20 >> # gpart add -t freebsd-ufs ada1 >>=20 >> # newfs -U /dev/ada1p1 >>=20 >>=20 From nobody Mon Mar 21 15:17:33 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 0F1C01A37A85 for ; Mon, 21 Mar 2022 15:17:38 +0000 (UTC) (envelope-from sam.ricchio@gmail.com) Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KMdXJ58Y9z4s28 for ; Mon, 21 Mar 2022 15:17:36 +0000 (UTC) (envelope-from sam.ricchio@gmail.com) Received: by mail-ot1-x32d.google.com with SMTP id x8-20020a9d6288000000b005b22c373759so10701368otk.8 for ; Mon, 21 Mar 2022 08:17:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:mime-version:subject:date:references:to:in-reply-to:message-id; bh=5wgRbzIEp0GIdfPPaPBehWuUOyF0mCKBKZRfWta2N/U=; b=hy1gnpEmE1cjQobXwue8B6CCYgouCXV22HEPw2HfFPD4KbO5/Q7eNBpCcXoqdtAv6u Tp5cDN+7TgHlhGjTs7KxT6csK8Kf3NN5xIe/PPbeP8JO8X81wE/h9yfCH35hm0/KAdpY AVoPdg57N6w6YxMFCtIREQWhhxhNRXYm3m1de5p47hPK/MFmGp8VhM7wIVFySlOqfYQa GaNnLKVmIhajIHJB5QxlCOKaqjsI2r7x34vmC4szABXA1ghz2GE1VTCbqWiIR8ZHqBo7 vYwHPO+k9H1Rf1T1ob5RQxxolZd3ljr3WC3ebim5FcNpMGEsOHk2ryhUZbunRp8wOH19 FdeQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=5wgRbzIEp0GIdfPPaPBehWuUOyF0mCKBKZRfWta2N/U=; b=q0JQWVvBRKWXukaB30WxRmOAPO3/p8NyG020scfJ3h+LqNoi1rKlGibzlK2IostlmT Q0cn24B3HdEm4h6tKRapk1JmcWsjBMVQ+dg8T54LWZaq+sKO4ePon6KkmiwkDym4fMY5 nmLL7UdYdpEAtGwStz2F68HRo4TS3APcxuM0Qiv93X4YN7JCORUrbrSTwViUwdBv0QRG BAy52i4oXDAMtofuWNu/kSolQHUD8jT2Cw8CYd4roI5UDnICQ4kZBTsXPpcsI9RmvYj0 xN2b3Aoso9QZWWn/ZISbKr6MMcaq6sG/Td4XfoKxoDypTJjz4VVdsE1RbYyE+sBg3aiT GjkQ== X-Gm-Message-State: AOAM533z+46yifYQQTS7T1Mf0MzZdDJHtLZJyuBKrv6fHvrbNxvIO7Bl p/kykm2D7fATI0GFo+BF+q56AVjbHQ== X-Google-Smtp-Source: ABdhPJxl+lX2rXcymFQ6XlMXGy5EGgy7FFDFqeBMtmnh3iDDVrpwuvVGCDhZ+/yHa0xMpnPSvHm2lA== X-Received: by 2002:a9d:6189:0:b0:5b2:4da6:30e2 with SMTP id g9-20020a9d6189000000b005b24da630e2mr8091332otk.141.1647875855795; Mon, 21 Mar 2022 08:17:35 -0700 (PDT) Received: from [192.168.2.55] (96-8-248-196.block0.gvtc.com. [96.8.248.196]) by smtp.gmail.com with ESMTPSA id f7-20020aca3807000000b002eef684bd2fsm7454605oia.40.2022.03.21.08.17.34 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 21 Mar 2022 08:17:35 -0700 (PDT) From: Sam Ricchio Content-Type: multipart/alternative; boundary="Apple-Mail=_F0850484-1739-4CA6-8CAF-A4F9D327999F" List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\)) Subject: Re: SSD erase question Date: Mon, 21 Mar 2022 10:17:33 -0500 References: <274c8cca-80b0-9460-6754-6bb77efbb4dd@htwsaar.de> To: Damian Weber , freebsd-security@freebsd.org In-Reply-To: <274c8cca-80b0-9460-6754-6bb77efbb4dd@htwsaar.de> Message-Id: <1ACC7A67-BDBA-4CD3-87EC-822C38CD7CE7@gmail.com> X-Mailer: Apple Mail (2.3445.104.21) X-Rspamd-Queue-Id: 4KMdXJ58Y9z4s28 X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=hy1gnpEm; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of samricchio@gmail.com designates 2607:f8b0:4864:20::32d as permitted sender) smtp.mailfrom=samricchio@gmail.com X-Spamd-Result: default: False [-3.50 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; FREEMAIL_FROM(0.00)[gmail.com]; MV_CASE(0.50)[]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[gmail.com:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MID_RHS_MATCH_FROM(0.00)[]; TAGGED_FROM(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; RECEIVED_SPAMHAUS_PBL(0.00)[96.8.248.196:received]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::32d:from]; MLMMJ_DEST(0.00)[freebsd-security]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N --Apple-Mail=_F0850484-1739-4CA6-8CAF-A4F9D327999F Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 On and SSD if you have erased everything ssd =E2=80=9Cgarbage = collection=E2=80=9D should help you if the drive it powered on. But if you want to overwrite the drive A simple overwrite with a text pattern with dc3dd. dc3dd wipe=3D/dev/sdb tpat=3Dnothingtoseehere However if you are still worried that some controller optimization is = interfering with and actual memory location overwrite. Go old school with dd and = write a file of random to the existing file system until it runs out of space. dd if=3D/dev/urandon of=3Dgarbagetxtfile.txt On Mar 21, 2022, at 7:14 AM, Damian Weber wrote: Hi all, I'd like to have an answer on a secure FreeBSD way to erase=20 SSDs before giving these away to someone for reusing it.=20 Is the following enough to protect confidential data=20 previously stored there? 1) dd : overwriting with random bits (complete capacity) 2) gpart create 3) gpart add 4) newfs Details for an example with /dev/ada1 see below. Thanks a lot, Damian # fdisk ada1 ******* Working on device /dev/ada1 ******* parameters extracted from in-core disklabel are: cylinders=3D484521 heads=3D16 sectors/track=3D63 (1008 blks/cyl) Figures below won't work with BIOS for partitions not in cyl 1 parameters to be used for BIOS calculations are: cylinders=3D484521 heads=3D16 sectors/track=3D63 (1008 blks/cyl) Media sector size is 512 Warning: BIOS sector numbering starts with sector 1 Information from DOS bootblock is: The data for partition 1 is: sysid 238 (0xee),(EFI GPT) start 1, size 488397167 (238475 Meg), flag 0 beg: cyl 0/ head 0/ sector 2; end: cyl 1023/ head 255/ sector 63 The data for partition 2 is: The data for partition 3 is: The data for partition 4 is: # gpart show ada1 =3D> 40 488397088 ada1 GPT (233G) 40 1024 1 freebsd-boot (512K) 1064 480246784 2 freebsd-ufs [bootme] (229G) 480247848 8149280 3 freebsd-swap (3.9G) # dd if=3D/dev/random of=3D/dev/ada1 bs=3D512 count=3D488397088 # gpart create -s gpt ada1 # gpart add -t freebsd-ufs ada1 # newfs -U /dev/ada1p1 --Apple-Mail=_F0850484-1739-4CA6-8CAF-A4F9D327999F Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8
On and SSD if you have erased everything ssd =E2=80=9Cgarbage = collection=E2=80=9D should help you if the drive it powered = on.
But if you want to overwrite the = drive
A simple overwrite with a text pattern with = dc3dd.
dc3dd = wipe=3D/dev/sdb tpat=3Dnothingtoseehere
However if you are still worried that some controller = optimization is interfering
with and actual memory location overwrite.  Go old = school with dd and write
a file of random to the existing file system until it runs = out of space.
dd = if=3D/dev/urandon of=3Dgarbagetxtfile.txt




On Mar 21, 2022, = at 7:14 AM, Damian Weber <dweber@htwsaar.de> wrote:


Hi all,

I'd like to have an = answer on a secure FreeBSD way to erase
SSDs before = giving these away to someone for reusing it.

Is the following enough to protect confidential data
previously stored there?

1) =  dd : overwriting with random bits (complete capacity)
2)  gpart create
3)  gpart add
4)  newfs

Details for an = example with /dev/ada1 see below.

Thanks a = lot,

  Damian


# fdisk ada1
******* Working on = device /dev/ada1 *******
parameters extracted from in-core = disklabel are:
cylinders=3D484521 heads=3D16 = sectors/track=3D63 (1008 blks/cyl)

Figures = below won't work with BIOS for partitions not in cyl 1
parameters to be used for BIOS calculations are:
cylinders=3D484521 heads=3D16 sectors/track=3D63 (1008 = blks/cyl)

Media sector size is 512
Warning: BIOS sector numbering starts with sector 1
Information from DOS bootblock is:
The data for = partition 1 is:
sysid 238 (0xee),(EFI GPT)
=    start 1, size 488397167 (238475 Meg), flag 0
       beg: cyl 0/ head = 0/ sector 2;
=        end: cyl 1023/ head 255/ = sector 63
The data for partition 2 is:
<UNUSED>
The data for partition 3 is:
<UNUSED>
The data for partition 4 is:
<UNUSED>

# gpart show = ada1
=3D>       40 =  488397088  ada1  GPT  (233G)
=         40 =       1024     1 =  freebsd-boot  (512K)
=       1064  480246784 =     2  freebsd-ufs  [bootme] =  (229G)
 480247848    8149280 =     3  freebsd-swap  (3.9G)

# dd if=3D/dev/random of=3D/dev/ada1 bs=3D512 = count=3D488397088

# gpart create -s gpt = ada1

# gpart add -t freebsd-ufs ada1

# newfs -U /dev/ada1p1



= --Apple-Mail=_F0850484-1739-4CA6-8CAF-A4F9D327999F-- From nobody Mon Mar 21 17:26:25 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 207491A328F2 for ; Mon, 21 Mar 2022 17:27:04 +0000 (UTC) (envelope-from royce.williams@gmail.com) Received: from mail-qk1-f170.google.com (mail-qk1-f170.google.com [209.85.222.170]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KMhPg36zZz3Hwg for ; Mon, 21 Mar 2022 17:27:03 +0000 (UTC) (envelope-from royce.williams@gmail.com) Received: by mail-qk1-f170.google.com with SMTP id s16so12191661qks.4 for ; Mon, 21 Mar 2022 10:27:03 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=hLOsabhXplDODONbg61OtruRxGpEyA658ITY2V7dpDc=; b=qlTfybMSq/EYzZ3EI3Q9hppKKLs1ea8x2svoTMl80ti6NhZxVlcFEJfXSRrrf686sw GSt0dvm838ZMSJKyKLp7U4BL//zrlNNMs5D8gTZdKeIDbipfn10uVq21ZG1GEg+XZtoO neqHblEgBbI+H1UV6PospLls+zUE44/OcD8kl8PC8ykR0FivVPYftiDq84CGottKQtsq ndJdHzXiUgiQYp03WSIsCp7axO/H/HdoXVAOtw9PrVH/5lJST7xaPh7hW3Hy6c6p/H/6 4Ah0vhEGLD7HpNFHFBT3Mj+avxMCMMj3AWpNeQ/lanaxBMvaoTXfhalN/U5RaSXzGBD5 nkMQ== X-Gm-Message-State: AOAM532D0FWCk1BXU63g6OLB4KmyRIk9Ptf4qNSp2JlHGzAHJWBafvtz gHbdZwIGhY3+89FRl9GArgZgKFqq1avwbuhSRMYl8I6VFX4= X-Google-Smtp-Source: ABdhPJzZlTxaknrpgvrkR5v6GS8wovvY/fxI7wQ9632QgnFRW1Vo5s9iNzKVvHVe4ZcEY85IZhVIZ5LXHGyfXqAl+IU= X-Received: by 2002:a05:620a:e0b:b0:60d:d4b3:6afa with SMTP id y11-20020a05620a0e0b00b0060dd4b36afamr13505102qkm.503.1647883622311; Mon, 21 Mar 2022 10:27:02 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 References: <274c8cca-80b0-9460-6754-6bb77efbb4dd@htwsaar.de> <1ACC7A67-BDBA-4CD3-87EC-822C38CD7CE7@gmail.com> In-Reply-To: <1ACC7A67-BDBA-4CD3-87EC-822C38CD7CE7@gmail.com> From: Royce Williams Date: Mon, 21 Mar 2022 09:26:25 -0800 Message-ID: Subject: Re: SSD erase question To: freebsd-security@freebsd.org Content-Type: multipart/alternative; boundary="000000000000f06fb505dabdcdb7" X-Rspamd-Queue-Id: 4KMhPg36zZz3Hwg X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=techsolvency.com (policy=none); spf=pass (mx1.freebsd.org: domain of roycewilliams@gmail.com designates 209.85.222.170 as permitted sender) smtp.mailfrom=roycewilliams@gmail.com X-Spamd-Result: default: False [-2.90 / 15.00]; ARC_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; DMARC_POLICY_SOFTFAIL(0.10)[techsolvency.com : SPF not aligned (relaxed), No valid DKIM,none]; RCVD_TLS_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-1.000]; RCVD_IN_DNSWL_NONE(0.00)[209.85.222.170:from]; MLMMJ_DEST(0.00)[freebsd-security]; FORGED_SENDER(0.30)[royce@techsolvency.com,roycewilliams@gmail.com]; RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.222.170:from]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; TAGGED_FROM(0.00)[]; FROM_NEQ_ENVFROM(0.00)[royce@techsolvency.com,roycewilliams@gmail.com]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N --000000000000f06fb505dabdcdb7 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Even multi-pass overwrite of SSDs is not a sufficient purge, due to how writing is distributed / optimized on SSDs. So dd / dc3dd is insufficient. Only invoking the on-controller ATA Secure Erase / sanitize command (using 'camcontrol security -e' as Eugene said elsewhere in the thread) is the validated[1] method: camcontrol security -s anypass -e anypass -y ada[X] This also happens to be much faster than an overwrite, because it's implemented as "encrypt the entire medium with a random key, then discard the key". 1. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf, p. 36, Table A-8 --=20 Royce On Mon, Mar 21, 2022 at 7:19 AM Sam Ricchio wrote: > On and SSD if you have erased everything ssd =E2=80=9Cgarbage collection= =E2=80=9D should > help you if the drive it powered on. > But if you want to overwrite the drive > A simple overwrite with a text pattern with dc3dd. > dc3dd wipe=3D/dev/sdb tpat=3Dnothingtoseehere > However if you are still worried that some controller optimization is > interfering > with and actual memory location overwrite. Go old school with dd and wri= te > a file of random to the existing file system until it runs out of space. > dd if=3D/dev/urandon of=3Dgarbagetxtfile.txt > > > > > On Mar 21, 2022, at 7:14 AM, Damian Weber wrote: > > > Hi all, > > I'd like to have an answer on a secure FreeBSD way to erase > SSDs before giving these away to someone for reusing it. > > Is the following enough to protect confidential data > previously stored there? > > 1) dd : overwriting with random bits (complete capacity) > 2) gpart create > 3) gpart add > 4) newfs > > Details for an example with /dev/ada1 see below. > > Thanks a lot, > > Damian > > > # fdisk ada1 > ******* Working on device /dev/ada1 ******* > parameters extracted from in-core disklabel are: > cylinders=3D484521 heads=3D16 sectors/track=3D63 (1008 blks/cyl) > > Figures below won't work with BIOS for partitions not in cyl 1 > parameters to be used for BIOS calculations are: > cylinders=3D484521 heads=3D16 sectors/track=3D63 (1008 blks/cyl) > > Media sector size is 512 > Warning: BIOS sector numbering starts with sector 1 > Information from DOS bootblock is: > The data for partition 1 is: > sysid 238 (0xee),(EFI GPT) > start 1, size 488397167 (238475 Meg), flag 0 > beg: cyl 0/ head 0/ sector 2; > end: cyl 1023/ head 255/ sector 63 > The data for partition 2 is: > > The data for partition 3 is: > > The data for partition 4 is: > > > # gpart show ada1 > =3D> 40 488397088 ada1 GPT (233G) > 40 1024 1 freebsd-boot (512K) > 1064 480246784 2 freebsd-ufs [bootme] (229G) > 480247848 8149280 3 freebsd-swap (3.9G) > > # dd if=3D/dev/random of=3D/dev/ada1 bs=3D512 count=3D488397088 > > # gpart create -s gpt ada1 > > # gpart add -t freebsd-ufs ada1 > > # newfs -U /dev/ada1p1 > > > > --000000000000f06fb505dabdcdb7 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Even multi-pass overwrite of SSDs is not = a sufficient purge, due to how writing is distributed / optimized on SSDs. = So=C2=A0 dd / dc3dd is insufficient.

Only invoking the on-control= ler ATA Secure Erase / sanitize command (using 'camcontrol security -e&= #39; as Eugene said elsewhere in the thread) is the validated[1] method:

=C2=A0 =C2=A0 camcontrol security -s anypass -e anyp= ass -y ada[X]

This also happens to be much fas= ter than an overwrite, because it's implemented as "encrypt the en= tire medium with a random key, then discard the key".

On Mon, Mar 21, 2022 at 7:19 AM Sam Ricchio <sam.ricchio@gmail.com> wrote:
=
On and SSD if you have erased everything ssd = =E2=80=9Cgarbage collection=E2=80=9D should help you if the drive it powere= d on.
But if you want to overwrite the drive
A simple o= verwrite with a text pattern with dc3dd.
dc3dd wipe=3D/dev/sdb tpat=3Dnothingtoseehere
However if y= ou are still worried that some controller optimization is interfering
with and actual = memory location overwrite.=C2=A0 Go old school with dd and write
a file of random to t= he existing file system until it runs out of space.
dd if=3D/dev/urandon of=3Dgarbage= txtfile.txt


<= /span>

=

On Mar 21, 2022, at 7:14 A= M, Damian Weber <= dweber@htwsaar.de> wrote:


Hi all,

I= 9;d like to have an answer on a secure FreeBSD way to erase
SSDs before= giving these away to someone for reusing it.

Is the following enou= gh to protect confidential data
previously stored there?

1) =C2= =A0dd : overwriting with random bits (complete capacity)
2) =C2=A0gpart = create
3) =C2=A0gpart add
4) =C2=A0newfs

Details for an exampl= e with /dev/ada1 see below.

Thanks a lot,

=C2=A0=C2=A0Damian=


# fdisk ada1
******* Working on device /dev/ada1 *******
= parameters extracted from in-core disklabel are:
cylinders=3D484521 head= s=3D16 sectors/track=3D63 (1008 blks/cyl)

Figures below won't wo= rk with BIOS for partitions not in cyl 1
parameters to be used for BIOS = calculations are:
cylinders=3D484521 heads=3D16 sectors/track=3D63 (1008= blks/cyl)

Media sector size is 512
Warning: BIOS sector numberin= g starts with sector 1
Information from DOS bootblock is:
The data fo= r partition 1 is:
sysid 238 (0xee),(EFI GPT)
=C2=A0=C2=A0=C2=A0start= 1, size 488397167 (238475 Meg), flag 0
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0beg: cyl 0/ head 0/ sector 2;
=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0end: cyl 1023/ head 255/ sector 63
The data for partition= 2 is:
<UNUSED>
The data for partition 3 is:
<UNUSED><= br>The data for partition 4 is:
<UNUSED>

# gpart show ada1<= br>=3D> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A040 =C2=A0488397088 =C2=A0ada= 1 =C2=A0GPT =C2=A0(233G)
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A040 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A01024 =C2=A0=C2=A0=C2=A0=C2=A01 = =C2=A0freebsd-boot =C2=A0(512K)
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0106= 4 =C2=A0480246784 =C2=A0=C2=A0=C2=A0=C2=A02 =C2=A0freebsd-ufs =C2=A0[bootme= ] =C2=A0(229G)
=C2=A0480247848 =C2=A0=C2=A0=C2=A08149280 =C2=A0=C2=A0= =C2=A0=C2=A03 =C2=A0freebsd-swap =C2=A0(3.9G)

# dd if=3D/dev/random = of=3D/dev/ada1 bs=3D512 count=3D488397088

# gpart create -s gpt ada1=

# gpart add -t freebsd-ufs ada1

# newfs -U /dev/ada1p1


--000000000000f06fb505dabdcdb7-- From nobody Mon Mar 21 20:59:13 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 0FEF01A1BAD0 for ; Mon, 21 Mar 2022 20:59:21 +0000 (UTC) (envelope-from dweber@htwsaar.de) Received: from thyone.hiz-saarland.de (thyone.hiz-saarland.de [134.96.7.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4KMn6c1VwGz4q1Q for ; Mon, 21 Mar 2022 20:59:20 +0000 (UTC) (envelope-from dweber@htwsaar.de) Received: from localhost (localhost [127.0.0.1]) by thyone.hiz-saarland.de (Postfix) with ESMTP id 192CA405FC88 for ; Mon, 21 Mar 2022 21:59:19 +0100 (CET) Received: from thyone.hiz-saarland.de ([127.0.0.1]) by localhost (thyone.hiz-saarland.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u7UIUhkXEMad for ; Mon, 21 Mar 2022 21:59:17 +0100 (CET) Received: from htw-mail.htwsaar.de (htw-mail.htw-saarland.de [134.96.210.140]) by thyone.hiz-saarland.de (Postfix) with ESMTPS for ; Mon, 21 Mar 2022 21:59:17 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by htw-mail.htwsaar.de (Postfix) with ESMTP id D60C08031DA for ; Mon, 21 Mar 2022 21:59:15 +0100 (CET) X-Quarantine-ID: X-Virus-Scanned: amavisd-new at htw-mail.htwsaar.de Received: from htw-mail.htwsaar.de ([127.0.0.1]) by localhost (htw-mail.htwsaar.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MCZAZhoUXasw for ; Mon, 21 Mar 2022 21:59:12 +0100 (CET) Received: from isl-dw.htw-saarland.de (isl-dw.htw-saarland.de [134.96.218.251]) by htw-mail.htwsaar.de (Postfix) with ESMTPS for ; Mon, 21 Mar 2022 21:59:12 +0100 (CET) Date: Mon, 21 Mar 2022 21:59:13 +0100 (CET) From: Damian Weber To: freebsd-security@freebsd.org Subject: Re: SSD erase question In-Reply-To: Message-ID: References: <274c8cca-80b0-9460-6754-6bb77efbb4dd@htwsaar.de> <1ACC7A67-BDBA-4CD3-87EC-822C38CD7CE7@gmail.com> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="3258863753-675410087-1647896353=:58805" X-Rspamd-Queue-Id: 4KMn6c1VwGz4q1Q X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of dweber@htwsaar.de designates 134.96.7.232 as permitted sender) smtp.mailfrom=dweber@htwsaar.de X-Spamd-Result: default: False [-2.30 / 15.00]; RCVD_TLS_LAST(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:134.96.7.0/24]; MIME_GOOD(-0.10)[multipart/mixed,text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000]; DMARC_NA(0.00)[htwsaar.de]; NEURAL_HAM_SHORT(-1.00)[-1.000]; CTYPE_MIXED_BOGUS(1.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; ASN(0.00)[asn:680, ipnet:134.96.0.0/16, country:DE]; RCVD_COUNT_SEVEN(0.00)[7]; MID_RHS_MATCH_FROM(0.00)[] X-ThisMailContainsUnwantedMimeParts: N This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --3258863753-675410087-1647896353=:58805 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT > camcontrol security -s anypass -e anypass -y ada[X] Thanks to all who answered to my question, I'll stick with camcontrol, having dc3dd as a second option in mind. Best wishes, Damian On Mon, 21 Mar 2022, Royce Williams wrote: > Date: Mon, 21 Mar 2022 18:26:25 > From: Royce Williams > To: freebsd-security@freebsd.org > Subject: Re: SSD erase question > > Even multi-pass overwrite of SSDs is not a sufficient purge, due to how > writing is distributed / optimized on SSDs. So  dd / dc3dd is insufficient. > Only invoking the on-controller ATA Secure Erase / sanitize command (using > 'camcontrol security -e' as Eugene said elsewhere in the thread) is the > validated[1] method: > >     camcontrol security -s anypass -e anypass -y ada[X] > > This also happens to be much faster than an overwrite, because it's > implemented as "encrypt the entire medium with a random key, then discard > the key". > > 1. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.p > df, p. 36, Table A-8 > > --  > Royce > > > On Mon, Mar 21, 2022 at 7:19 AM Sam Ricchio wrote: > On and SSD if you have erased everything ssd ?garbage collection? > should help you if the drive it powered on. > But if you want to overwrite the drive > A simple overwrite with a text pattern with dc3dd. > dc3dd wipe=/dev/sdb tpat=nothingtoseehere > However if you are still worried that some controller optimization is > interfering > with and actual memory location overwrite.  Go old school with dd and > write > a file of random to the existing file system until it runs out of > space. > dd if=/dev/urandon of=garbagetxtfile.txt > > > > > On Mar 21, 2022, at 7:14 AM, Damian Weber wrote: > > > Hi all, > > I'd like to have an answer on a secure FreeBSD way to erase > SSDs before giving these away to someone for reusing it. > > Is the following enough to protect confidential data > previously stored there? > > 1)  dd : overwriting with random bits (complete capacity) > 2)  gpart create > 3)  gpart add > 4)  newfs > > Details for an example with /dev/ada1 see below. > > Thanks a lot, > >   Damian > > > # fdisk ada1 > ******* Working on device /dev/ada1 ******* > parameters extracted from in-core disklabel are: > cylinders=484521 heads=16 sectors/track=63 (1008 blks/cyl) > > Figures below won't work with BIOS for partitions not in cyl 1 > parameters to be used for BIOS calculations are: > cylinders=484521 heads=16 sectors/track=63 (1008 blks/cyl) > > Media sector size is 512 > Warning: BIOS sector numbering starts with sector 1 > Information from DOS bootblock is: > The data for partition 1 is: > sysid 238 (0xee),(EFI GPT) >    start 1, size 488397167 (238475 Meg), flag 0 >        beg: cyl 0/ head 0/ sector 2; >        end: cyl 1023/ head 255/ sector 63 > The data for partition 2 is: > > The data for partition 3 is: > > The data for partition 4 is: > > > # gpart show ada1 > =>       40  488397088  ada1  GPT  (233G) >         40       1024     1  freebsd-boot  (512K) >       1064  480246784     2  freebsd-ufs  [bootme]  (229G) >  480247848    8149280     3  freebsd-swap  (3.9G) > > # dd if=/dev/random of=/dev/ada1 bs=512 count=488397088 > > # gpart create -s gpt ada1 > > # gpart add -t freebsd-ufs ada1 > > # newfs -U /dev/ada1p1 > > > > > --3258863753-675410087-1647896353=:58805-- From nobody Tue Mar 22 00:14:36 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 282E81A08ED1 for ; Tue, 22 Mar 2022 00:14:44 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by mx1.freebsd.org (Postfix) with ESMTP id 4KMsS30SqBz3wXs for ; Tue, 22 Mar 2022 00:14:43 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: by segfault.tristatelogic.com (Postfix, from userid 1237) id 7F9874E6E5; Mon, 21 Mar 2022 17:14:36 -0700 (PDT) From: "Ronald F. Guilmette" To: Eugene Grosbein cc: Damian Weber , freebsd-security@freebsd.org Subject: Re: SSD erase question In-Reply-To: <12d76150-d3e8-a31b-c67d-c9c8e0a9bb12@grosbein.net> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <40188.1647908076.1@segfault.tristatelogic.com> Content-Transfer-Encoding: quoted-printable Date: Mon, 21 Mar 2022 17:14:36 -0700 Message-ID: <40189.1647908076@segfault.tristatelogic.com> X-Rspamd-Queue-Id: 4KMsS30SqBz3wXs X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of rfg@tristatelogic.com designates 69.62.255.118 as permitted sender) smtp.mailfrom=rfg@tristatelogic.com X-Spamd-Result: default: False [-1.33 / 15.00]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[tristatelogic.com]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_SPAM_MEDIUM(0.24)[0.240]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; NEURAL_HAM_SHORT(-0.27)[-0.273]; MLMMJ_DEST(0.00)[freebsd-security]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:14051, ipnet:69.62.128.0/17, country:US] X-ThisMailContainsUnwantedMimeParts: N In message <12d76150-d3e8-a31b-c67d-c9c8e0a9bb12@grosbein.net>, you wrote: >First, there is a command trim(8) that is easier to use but it gives no g= uaran >tee of "secure erase" in TRIM. >Second, there is "camcontrol security -e" for secure erase, see camcontro= l(8) = >manual page, EXAMPLES section. This is the guide I follow when doing secure erase on drives generally under Linux: https://grok.lsu.edu/article.aspx?articleid=3D16716 From nobody Tue Mar 22 01:39:05 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id BACD91A22ABA; Tue, 22 Mar 2022 01:39:07 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-ua1-x929.google.com (mail-ua1-x929.google.com [IPv6:2607:f8b0:4864:20::929]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KMvKR0Nhyz4g3P; Tue, 22 Mar 2022 01:39:07 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-ua1-x929.google.com with SMTP id v20so6165628uat.9; Mon, 21 Mar 2022 18:39:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=5MAOBw825fEf1bPHXGHYaOsYnLGKWhKjcUa39kM2yKk=; b=WMoIqxlmBWVdCaiCbv19sqsfrBmkdJRwOPawWbzdvjCvsZE0W30zwxarNRG//ugU7J ADY7+v7NpRkYvqpp1kdp3Q1Z7lJpNPn+g1y7mP0ZER4A1rLBxKhLlDgWCcLjw+Fl+5Fr VVsVpjpP4hIryUyjKmuQZOvvqxGz56RT6Z/hEmmwnAEQHzFD1UNjTkXrotiwGiLQb6O9 F0SxQKKvKSFyLJWQwOiNBUXkPPZ+Gh+LzXVMhxFKrgLG715yMbxrQxCrqzOU22Ajhk/f jGIYYfZmVYD+NViw9TJZVrgAPD8AFjWDfz9WNzS5D9Nl4cW26P1QdV9EwThgxtXzprsn e2cA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=5MAOBw825fEf1bPHXGHYaOsYnLGKWhKjcUa39kM2yKk=; b=PODSRvAcGBisegcwY5zziMRVz68OPfVlzZ4UHksedVOWywIqhOJ3P1ZNfpeaI2UK56 rk/naYZHCdq4nB2PiRAzsJLSJk2fWg7GVIZgsNUiIvooT+lx3aU+eGgoWjThgyM/JaU1 w6ngJNsOjW7m6W2JUG5h9LpqGV7fCLp3pZBO5u9riIJ0GHQMgoLSPGevR6siBHcg1rJ8 /+hu2Ri3st31IOQP36CRiUI3GbyrLkYaWXvfwgvGLogzRVwN/HVsxX0R4JOOyN3xYdD7 21vP9F/fzSF70ulkqzyclxgJmisnniakNN6aCpbI9n8sVrRcZ65ExmfIxGJN5GMICdgB au2A== X-Gm-Message-State: AOAM531kwkGmbUpepvaTaxeUP6QqViHqp9/isJMvrKiJEbe53lcSz+v8 Cu3a8yaRit3Wu/1b49RNBsy9VjahwgYAlugy6AYuh6wfZ3S2Wh94ess= X-Google-Smtp-Source: ABdhPJythqN+qFlJuc1fDjQOyH/LyTTr3IIhMwKzvvPtHT2zuV/iBSnXAk4z7o/D6r9FjapPI/0a9QBVRoO0jYyTPew= X-Received: by 2002:ab0:4ac1:0:b0:351:ed7d:e65c with SMTP id t1-20020ab04ac1000000b00351ed7de65cmr7925201uae.36.1647913146225; Mon, 21 Mar 2022 18:39:06 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a05:612c:14c1:b0:2a2:beee:4b76 with HTTP; Mon, 21 Mar 2022 18:39:05 -0700 (PDT) In-Reply-To: <274c8cca-80b0-9460-6754-6bb77efbb4dd@htwsaar.de> References: <274c8cca-80b0-9460-6754-6bb77efbb4dd@htwsaar.de> From: grarpamp Date: Mon, 21 Mar 2022 21:39:05 -0400 Message-ID: Subject: Re: SSD erase question To: freebsd-security@freebsd.org Cc: freebsd-questions@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4KMvKR0Nhyz4g3P X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=WMoIqxlm; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::929 as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-3.07 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::929:from]; MLMMJ_DEST(0.00)[freebsd-security,freebsd-questions]; NEURAL_HAM_SHORT(-0.07)[-0.068]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-ThisMailContainsUnwantedMimeParts: N On 3/21/22, Damian Weber wrote: > https://lists.freebsd.org/archives/freebsd-security/2022-March/000022.html > I'd like to have an answer on a secure FreeBSD way to erase > SSDs before giving these away to someone for reusing it. https://lists.freebsd.org/archives/freebsd-security/2022-January/000013.html All data storage devices are completely untrustworthy closed source opaque black box blobs, nor will any insurer write a policy over, nor any manufacturer indemnify, those products keying / erasure / inaccessibility claims. If you want at least some level of opensource verifiable independent "secure erase" function you have to integrate the crypto of 4 below before using the drive... 1) Buy drive [1] 2) Apply drive hardware based encryption 3) dd if=/dev/random of=drive bs=1m 4) Apply OS based full disk encryption 5) Use drive 6) Destroy OS FDE keys 7) dd if=/dev/random of=drive bs=1m 8) Run drive hardware based blackening and/or sanitization 9) Reuse, or destroy, or release if desired 2,8) Many storage devices do not offer embedded hardware encryption, and many users don't use it, some users use it in composition with the OS FDE (4) since OS's are unaudited and change, nor are opensource crypto algos guaranteed either. And there have been some news of instances where hardware crypto and/or wipe were broken thus recoverable. Defense in depth. As always... not your keys, not your crypto... https://www.youtube.com/watch?v=IwP1DOHYLaE nyknyc [1] Via secure and/or anon channels as desired to avoid interception backdooring by various actors, this is realworld and in the news since years. From nobody Sat Mar 26 17:29:40 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id F41371A3B861 for ; Sat, 26 Mar 2022 17:29:49 +0000 (UTC) (envelope-from freebsd-lists@sensation.net.au) Received: from satin.sensation.net.au (satin.sensation.net.au [203.20.114.253]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "satin.sensation.net.au", Issuer "satin.sensation.net.au" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KQmDX3Qr9z4fT8 for ; Sat, 26 Mar 2022 17:29:45 +0000 (UTC) (envelope-from freebsd-lists@sensation.net.au) Received: from satin.sensation.net.au (localhost [127.0.0.1]) by satin.sensation.net.au (8.16.1/8.16.1) with ESMTPS id 22QHTe5f035518 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO) for ; Sun, 27 Mar 2022 04:29:41 +1100 (AEDT) (envelope-from freebsd-lists@sensation.net.au) Received: from localhost (rowan2011@localhost) by satin.sensation.net.au (8.16.1/8.16.1/Submit) with ESMTP id 22QHTeBF035515 for ; Sun, 27 Mar 2022 04:29:40 +1100 (AEDT) (envelope-from freebsd-lists@sensation.net.au) X-Authentication-Warning: satin.sensation.net.au: rowan2011 owned process doing -bs Date: Sun, 27 Mar 2022 04:29:40 +1100 (AEDT) From: freebsd-lists@sensation.net.au X-X-Sender: rowan2011@satin.sensation.net.au To: freebsd-security@FreeBSD.org Subject: Adding entropy from external source into random number generator - how? Message-ID: List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Greylist: inspected by milter-greylist-4.6.2 (satin.sensation.net.au [0.0.0.0]); Sun, 27 Mar 2022 04:29:41 +1100 (AEDT) for IP:'127.0.0.1' DOMAIN:'localhost' HELO:'satin.sensation.net.au' FROM:'freebsd-lists@sensation.net.au' RCPT:'' X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (satin.sensation.net.au [0.0.0.0]); Sun, 27 Mar 2022 04:29:41 +1100 (AEDT) X-Rspamd-Queue-Id: 4KQmDX3Qr9z4fT8 X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of freebsd-lists@sensation.net.au has no SPF policy when checking 203.20.114.253) smtp.mailfrom=freebsd-lists@sensation.net.au X-Spamd-Result: default: False [-1.09 / 15.00]; RCVD_TLS_LAST(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-0.99)[-0.986]; MIME_GOOD(-0.10)[text/plain]; HAS_XAW(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_NONE(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-0.999]; FROM_NO_DN(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; R_SPF_NA(0.00)[no SPF record]; DMARC_NA(0.00)[sensation.net.au]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:2764, ipnet:203.20.114.0/24, country:AU]; SUBJECT_ENDS_QUESTION(1.00)[] X-ThisMailContainsUnwantedMimeParts: N Hi all. I was pointed to this mailing list, so I hope my query is reasonably on topic. I've developed simple firmware on a microcontroller which uses the values of multiple floating analog inputs to generate random numbers. I'd like to use this as an external source to add entropy into a FreeBSD system. I think the best way to do it would be to call random_harvest_queue(...), but what do I use as the source enum (see /usr/include/sys/random.h)? ENTROPYSOURCE, I guess? I believe it's also possible to open /dev/random for write to inject entropy, and I'm sure I saw mention of this being available around 12.0R, but I cannot find any mention of that scenario in the man pages. I guess the other question to ask is whether ~45 kilobytes per second of additional entropy is even useful in a typical situation? There's no strict security requirement or anything like that, it's really just a fun project that I'm hoping to actually use. :) All entropy is good entropy, right? Thanks in advance. From nobody Sat Mar 26 23:13:29 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 244201A3F468 for ; Sat, 26 Mar 2022 23:13:32 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KQvs66Dnmz4Z5t for ; Sat, 26 Mar 2022 23:13:30 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-vs1-xe2e.google.com with SMTP id l128so12026884vsc.7 for ; Sat, 26 Mar 2022 16:13:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=luZM6bfGfPJt5EsiK0xxEszTahwcLHxblgCKuebyAhU=; b=mzo8JuK6gBNtMdq08n5wBvKAysU64WdXgxs7BTNHHZkAkQq6VM4Oi1OtEcvqazE2lQ nw4tVXcFPeNQvQk2V1j8cjUyFAItV8iK6BrfVT8LkOFTPANiLhnIg7KeZMKSNrS8W6Lt C1ulj8ubwt2zrG65w9RLGGEa/PazuyrSSmpJNE5uG1121aacqTlZlhGHVzUBx+4jElVm LHiPPK8G+LOOoUItibo/9/YvXmDRbx05PaKZICHZIV/hndSQ8b5/wkARi/Zas7Dwjr9Y LAkhHZpfwESLuJUh/3mr6ayHaxy3tJ7D0QSqA8i/gYUwvHLsUtAJA0rrdZ/i/5EnFFRu sf3Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=luZM6bfGfPJt5EsiK0xxEszTahwcLHxblgCKuebyAhU=; b=ID8PxltMjGK00HYk0l6VieqOyELm+DB4bBmXiRmAtrKEPumHRv4TuBHsWrpGq+OaVC MtDrlOlRep2dMxqW3DLjG9a5de3iSHhoC3vgwfmoY7IESnqtyfyNvfTd8Lq/HdIsAI7X d9LR4ZwtSkiI91zV1MPAvJNHxkUbx0ums3z+QY4tSPlJoXz9uSlR3pPddEuIyICqLoPZ FgWuPucTjveBiDiuV0grBoZw9plqTWsxF4jbn50D0z5hDC/nxO2t2cy9Tre2AdcFwk+1 YkDMawCbVGSFrqOufmh9SGoeyBOf3WbfnYJ1inhu1+xtzwdi+q6u9Ph50yHm2bAUozkQ i+zA== X-Gm-Message-State: AOAM5337wixs8j7cZ7tFfEaWPjerrdOxTt6MKLabqpmXOIlrNkoFgdqR qBXM6BDLTmdGUXS9bBwCYxVGiqsmWaI6rWUBQ1q+4NhLR/t8nI/J/No= X-Google-Smtp-Source: ABdhPJwNTe39kKXUpctZRcpygXjV+HiKeAd1rhNseSVprpKC4aSdPR1tCDk7S8h7YHD5MJ1fErGLzhbw0h30lUpBUk0= X-Received: by 2002:a67:efc3:0:b0:325:4fcf:60bf with SMTP id s3-20020a67efc3000000b003254fcf60bfmr7126690vsp.51.1648336410102; Sat, 26 Mar 2022 16:13:30 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a05:612c:14c1:b0:2a2:beee:4b76 with HTTP; Sat, 26 Mar 2022 16:13:29 -0700 (PDT) From: grarpamp Date: Sat, 26 Mar 2022 19:13:29 -0400 Message-ID: Subject: RNGs in Operating Systems To: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4KQvs66Dnmz4Z5t X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=mzo8JuK6; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::e2e as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-4.00 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-0.997]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; FROM_HAS_DN(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000]; MID_RHS_MATCH_FROMTLD(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::e2e:from]; NEURAL_HAM_SHORT(-1.00)[-1.000]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-ThisMailContainsUnwantedMimeParts: N Generally speaking, surveying fieldwork of other OS, in whatever areas of the OS, may be informative / comparative / useful. Random number generator enhancements for Linux... https://www.zx2c4.com/projects/linux-rng-5.17-5.18/ From nobody Sat Mar 26 23:18:17 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 1EE591A413E1 for ; Sat, 26 Mar 2022 23:18:31 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KQvyv0Gmwz4bhm for ; Sat, 26 Mar 2022 23:18:31 +0000 (UTC) (envelope-from kevans@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648336711; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=nYCENLgewcj2jp0D13wdaz8ayZ2nSUM4rke+erA2lgQ=; b=ApfXEf+0He3Q5TU1sW/RLev5Mg8/Iw40LNmNtIp8GSLWLxhfJvRWPxYXXW1ti6qKwEl5vy PTij+Tuakyu/0OIYNP+QH3nhuf55W4QMtJKJ3oxt6r2CwVbOzFPIviAevEj2dcWLHeV4iw 2a9SO4n05VMIT7s9iS6iBfk4A5oGfXXRMcxkVUSmcONLRRH8ShDao1z0PsZWjtkLtv2WvU RUSZAKlt2NgXNM5JVxNnwfIgonFVYlf4POrGeCqGnM5h5LAaYvVhgeB8O7sgtzq849WHmX o1iheI9lvWEtGbGi5l2YQjS/zEQWSBpJsd2biZ+dhCcgAAXo37YZCwyuOTDlGQ== Received: from mail-lj1-f181.google.com (mail-lj1-f181.google.com [209.85.208.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) (Authenticated sender: kevans) by smtp.freebsd.org (Postfix) with ESMTPSA id D9F442F17E for ; Sat, 26 Mar 2022 23:18:30 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: by mail-lj1-f181.google.com with SMTP id 17so14649518ljw.8 for ; Sat, 26 Mar 2022 16:18:30 -0700 (PDT) X-Gm-Message-State: AOAM5328UWd4d4J2G2Fj5/9KhKArRUG6kyaPFH74XsFG5H9c6Q3By33Y lJRfcbXF3fP+SPD7xWYsFWWdwwmKIjtoBToavqM= X-Google-Smtp-Source: ABdhPJyThG980i7vT4d59xkTUzzzuiIwknPh6CvFXmdedu122OVnVBG2rH0fJyVdU5c/7c9LVSxybmW9JnwPLXevt7g= X-Received: by 2002:a2e:84cc:0:b0:247:e395:7948 with SMTP id q12-20020a2e84cc000000b00247e3957948mr13563884ljh.499.1648336709509; Sat, 26 Mar 2022 16:18:29 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 References: In-Reply-To: From: Kyle Evans Date: Sat, 26 Mar 2022 18:18:17 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: RNGs in Operating Systems To: grarpamp Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648336711; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=nYCENLgewcj2jp0D13wdaz8ayZ2nSUM4rke+erA2lgQ=; b=yL1DQXctb5GfdOmVKhr+gPEgAlcJHBp0yA5qwnKKrCvud6D2S6/+v2egaHX0mK7iNn+JBZ lyPdfqrKx5w8e4pNOkdemBe4TswzUzFAIWyeaYeVRP5jiYpGQLmBpNw+1pdyuyNsYPWZep gzmL6SlR1SEvrWTimOz6p8H7sgvXyEOXx/6qfKqjMZXGtoBqrtHeMya/ho9W+A6AwcaSIi BndaHwmhLTs90fJoVNM6oKS018YtAm3sa/DQdV+RlS+Xwn+BHVKx2pvhYCegp6HPvSY5/s 6tTlV0D2Xr/E5Ro3EKJPwPsBddHxrrc25bUdwSepkbRkN8YmbjSV9n5twgAdEQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1648336711; a=rsa-sha256; cv=none; b=bj/MrWJ1QgYH149ckGR37+vR/6TdS9VKRshRf76UTUI65Z5j6VqQLsUPiBEjY/tLVktA3F qKoKrlSaZDB1bTJKnT4cmZ4AlJceiAXp0HfrVQXk2x4xtNt0S1l6M7UrZTUdNrAv2A77PW qCIbfJophwaZxra/5nK+Ka1+18lMDPhDUHgQZwvLYwoJYwEA+O6XqXXOP4N7s0ICvU9jAx Zlh86rDymMF9McIy+huVP06Krpf/1XJcscbC2TT2+f7ZxsfJV+DWjnKaJxSoPSOwMMI9jb 4EGYF+WhdaAbINVtx+sjRnNSQogC4MmVEuBEzJGILWjdDu/apK9SIujdup8tvg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N On Sat, Mar 26, 2022 at 6:15 PM grarpamp wrote: > > Generally speaking, surveying fieldwork of other OS, in whatever > areas of the OS, may be informative / comparative / useful. > > Random number generator enhancements for Linux... > https://www.zx2c4.com/projects/linux-rng-5.17-5.18/ > FWIW, Conrad (cem@) wrote up some compare/contrast notes on the topic here: https://cemeyer.github.io/2022-03-19-FreeBSD-random Thanks, Kyle Evans From nobody Sun Mar 27 02:16:17 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4E04D1A5155D for ; Sun, 27 Mar 2022 02:16:19 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-vs1-xe31.google.com (mail-vs1-xe31.google.com [IPv6:2607:f8b0:4864:20::e31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KQzw2460Nz3HsK for ; Sun, 27 Mar 2022 02:16:18 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-vs1-xe31.google.com with SMTP id v206so12270018vsv.2 for ; Sat, 26 Mar 2022 19:16:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=GgAy+JsX8oqYVPhUK6cgjZf1cIQjA8VDl5zl5fXiSUI=; b=Nao4ZJSzmSADfeFhQhcC5ZVZc3w9FPKl1kKmWwJSxHO8DqMRfXClUqLsyoMkcfHhqh IaIMZN2ubZsmij67z3DOiL9yKiJvoGN4xOhlh8982bGAIF3SiWvlZBt9rfOBo+ZDNINO l9EjxJDibgHS3zq+L4jXmCYO31NB33TLqZ2vgOuAOkoN9F6DflgbNY98TUTKwP0WLTTl MtlVSvh9MCupNJQyvEL6ReMFwykETPXxZQI/Id6YzZY/PdjidI72YNHsD7+h7/a4SaHL +ukDGmM3087Yd8GwSTPzU1RAv91gnVKFftNoOvMhHSnzOB2bzLVyDlaWhHZ2dvKLJpTD oo5g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=GgAy+JsX8oqYVPhUK6cgjZf1cIQjA8VDl5zl5fXiSUI=; b=5a11CsaAo0QMhwhly6e0YH1a8fPWlhB4EoIqQAICruE1nukNu+rJ2ZG0+sICmo53St FgyTtjcwYNvnGlywz9BlQIMOPUzlmT+v510nab4fCDXd5Wx8sURLZFDmCDOjOwE5YM5b WLJ80G3B+oqO8myHINK6C2nAWtP53QYF645I+wXjRanwT03I+7PRarRCsHq7NgGevocQ +WSN43Pn6wI3bX496T9L2+fQvhUXpMQFDc518WuqrSyeca6xNsf8ga2RFcRx6RjbRiyF wtAFxdy6uAT8d9GlIk71s5UUMQ4M8fJsGrCyB9g6SLgnWamDbGSYcmiCvoGbPkUMt5Rl Afkg== X-Gm-Message-State: AOAM530/aUaPjRM1adTF7t1F4xKmZHJpAij4qz9xGSJH7qS7dS8Yeyyj Un9OdIpCTvUrU3BjtMyiDys1tNaWeKS5JokzH7hjUkj0yaBanCla6Ak= X-Google-Smtp-Source: ABdhPJxo6yuhZ0DYTM7GSCB7HUzZe5Nt0QHZYol9/d50o2up8TMplJSiegK4Jn8mkXhIlxuqpB0hZrWgtyXyrs9atBA= X-Received: by 2002:a05:6102:3f8a:b0:325:557a:7817 with SMTP id o10-20020a0561023f8a00b00325557a7817mr8096878vsv.46.1648347377884; Sat, 26 Mar 2022 19:16:17 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a05:612c:14c1:b0:2a2:beee:4b76 with HTTP; Sat, 26 Mar 2022 19:16:17 -0700 (PDT) In-Reply-To: References: From: grarpamp Date: Sat, 26 Mar 2022 22:16:17 -0400 Message-ID: Subject: Re: Adding entropy from external source into random number generator - how? To: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4KQzw2460Nz3HsK X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=Nao4ZJSz; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::e31 as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-2.97 / 15.00]; FREEMAIL_FROM(0.00)[gmail.com]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; TO_DN_NONE(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; SUBJECT_ENDS_QUESTION(1.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.97)[-0.973]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::e31:from]; MLMMJ_DEST(0.00)[freebsd-security]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N On 3/26/22, freebsd-lists@sensation.net.au wrote: > I think the best way to do it would be to call random_harvest_queue(...), > but what do I use as the source enum (see /usr/include/sys/random.h)? > ENTROPYSOURCE, I guess? Try search for use of that function in the source, and maybe look into how RNG cards attach even in /dev... random(4) random_harvest(9) random_fortuna kern.random.harvest.mask_symbolic crypto(4) crypto(9) rndtest(4) > I believe it's also possible to open /dev/random for write to inject entropy > but I cannot find any mention of that scenario in the man pages. Using serial port as entropy source (either as interrupt and/or data), even USB video audio radios environmentals, might already have a handbook or wiki page, if not then interested users could make one. If injecting that data isn't in random(4), a script example of that is in... /etc/rc.d/random Along with some entropy file parts mentioned in... loader.conf(5) rc.conf(5) The choice of 4096 bytes should be documented. Search also ports for RNG things. > whether ~45 kilobytes per second of > additional entropy is even useful in a typical situation? CSPRNGs often try not to break no matter how much output is read, accept a bit-equivalent amount of random seed (ie 256-bits), and are speed limited only by cpu system. If doing only this: "HWRNG_stream XOR plaintext_stream", then in that case you could only get ~45kB/s throughput. > All entropy is good entropy, right? At least one source must be good. Having more good sources monitored and feeding into things can serve as redundant coverage. Search: Claude Shannon, one time pad, XOR, CSPRNG, HWRNG, applications such as casinos bitcoin keygeneration fobs, fun sources to collect, etc. From nobody Sun Mar 27 10:01:08 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 299B11A4E3BC for ; Sun, 27 Mar 2022 10:01:12 +0000 (UTC) (envelope-from markm@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KRBDS0fd9z3JvM; Sun, 27 Mar 2022 10:01:12 +0000 (UTC) (envelope-from markm@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648375272; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=QtKZlmoPmCZeZzf3zUITNr5oqPJjC+eytjIkvdqCw7A=; b=bs2M7e5xuYcawTnAOyqIo4G4GHIXmz5gL36q6oyJdo2LrsA0chD2RVQqNYf9n9U5at9a7c HIlDWmecGQhB9oPJt4YArVPwJxgHb1NmGvZBorDBYuwpvkmij1uGuZLSlRsNzLkwVa9MiA f4JrnOkJWa45f3D7leg+J+gIWNNSCBFkVS2QpNzTvb1e2iX9uK9wJ303eiyCmwmoxCTUp5 w6k8mjfK0g9kvlp/3JHI51G74MPSHEXwR4wtBOjy21wMlCfUTgCPOfqRjzmvrisSG7mn3W ibwEwMyX+74ictU4xdJsmUou+le9UgWzW4W2Wn6FI2CEzD5zVn1q3Zwui4xytA== Received: from smtpclient.apple (unknown [IPv6:2a02:8011:300b:42:a15e:6817:9c82:eaeb]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) (Authenticated sender: markm) by smtp.freebsd.org (Postfix) with ESMTPSA id 5DF245D6F; Sun, 27 Mar 2022 10:01:11 +0000 (UTC) (envelope-from markm@FreeBSD.org) Content-Type: multipart/signed; boundary="Apple-Mail=_D75555FF-2A6F-4774-9BEB-85C39903F57B"; protocol="application/pgp-signature"; micalg=pgp-sha512 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\)) Subject: Re: Adding entropy from external source into random number generator - how? From: Mark Murray In-Reply-To: Date: Sun, 27 Mar 2022 11:01:08 +0100 Cc: "freebsd-security@freebsd.org" Message-Id: References: To: freebsd-lists@sensation.net.au X-Mailer: Apple Mail (2.3696.80.82.1.1) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648375272; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=QtKZlmoPmCZeZzf3zUITNr5oqPJjC+eytjIkvdqCw7A=; b=maU9cSrYF5v9bDjnD0mTXghbVyTgtsBHqbWborGRB+ACcLpy+4Vc3C5rKsovfm4WXaLBG6 9zRuXm6XDSNKtBBftXii/Z2IleSAgITCi1ZPMGWkFbfRKI5s1V5wlzK3flK4PdCbwbGKMP t6OyJ+JX5Ih1BgDrlwcLzDWuWMbvbkshRV6lSnPMxaPxVAqzmbn7fFBcTGvi+2H7Rblub1 M+1IrKhw99+Hd7st1RCo9LQrOYG0NAlndQCrNwvLVzOtTISavYmzW0cWAPjbjPgyrz121n kIhlkwRuhILTZTaQgHaFxeZaf8QeQTLfeZbbjc3yhpQmZ9XOOY/1qhbcZn0J2Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1648375272; a=rsa-sha256; cv=none; b=o+mLvBKbD0T5CEZ4K1i6l852nx4cg4xsddnmQOn8PSim5kTLPkoftboSAEoX/5RPnMMyXb 3aXoRupge5UZySb1xir1SVWp9vZ9SttNdA9iizBvgkkHN4cU0VWjGLshZl2F5gAY6b8rvO tZMgFs7NiHg45BAodAgf1RX5VGhYecn+y88n3oqsj6K96PbmqQRY4KUzpkoM3dmNn3XGpw a3xQd/4o+7Qrvx+KxOqy7xlLvfByfj48gd/8gUSHP4gXr6WdG7b9YAoPib2KAQnmY972n1 6B0f3JMiCqqiTlNRGwVSB2Uw6ExX9QgGZDpVie2Vgv0bgjKuqQo9yYMX2QwyGw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N --Apple-Mail=_D75555FF-2A6F-4774-9BEB-85C39903F57B Content-Type: multipart/alternative; boundary="Apple-Mail=_667BF386-02F2-43E4-847F-D0881038806B" --Apple-Mail=_667BF386-02F2-43E4-847F-D0881038806B Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii > On 26 Mar 2022, at 17:29, freebsd-lists@sensation.net.au wrote: >=20 > Hi all. I was pointed to this mailing list, so I hope my query is = reasonably on topic. >=20 > I've developed simple firmware on a microcontroller which uses the = values of multiple floating analog inputs to generate random numbers. = I'd like to use this as an external source to add entropy into a FreeBSD = system. OK. Good. > I think the best way to do it would be to call = random_harvest_queue(...), but what do I use as the source enum (see = /usr/include/sys/random.h)? ENTROPYSOURCE, I guess? Add a new one for your source. > I believe it's also possible to open /dev/random for write to inject = entropy, and I'm sure I saw mention of this being available around = 12.0R, but I cannot find any mention of that scenario in the man pages. This is for userland sources. If you are in-kernel, use = random_harvest_queue(9), and be careful that you don't run at high rate = - i.e. if your harvester spends a lot of time waiting for its source, = then good, otherwise sleep to keep the rate down to a trickle. You don't = need more than a maybe a few tens of harvested events per second = maximum. If your source is good, even ten events per second would be = excessive. > I guess the other question to ask is whether ~45 kilobytes per second = of additional entropy is even useful in a typical situation? There's no = strict security requirement or anything like that, it's really just a = fun project that I'm hoping to actually use. :) All entropy is good = entropy, right? What's your threat model? Guessing 256 bits by brute force alone is such a good approximation to = impossible in human timeframes that even a demigod would not bother = trying. Supplying that much entropy per second may be good for = generating "true" randomness only if you believe the accumulator and = generator were broken cryptographically, but for everyday use that would = be excessive by very many orders of magnitude. Having an idea about how good your source is, would be a useful = exercise. A basic and easy measurement would be to calculate the Shannon = entropy of your source. This will give an estimate of the equivalent = number of bits of entropy that it supplies, under the conditions of your = measurement. See = https://en.wikipedia.org/wiki/Entropy_(information_theory) = - H(X) is = the Shannon entropy, measured in bits if b =3D 2 (see lower down in that = page for the definition). M -- Mark R V Murray --Apple-Mail=_667BF386-02F2-43E4-847F-D0881038806B Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii

On 26 Mar 2022, at 17:29, freebsd-lists@sensation.net.au wrote:

Hi = all. I was pointed to this mailing list, so I hope my query is = reasonably on topic.

I've developed simple = firmware on a microcontroller which uses the values of multiple floating = analog inputs to generate random numbers. I'd like to use this as an = external source to add entropy into a FreeBSD system.

OK. = Good.

I think the best way to do it would be to = call random_harvest_queue(...), but what do I use as the source enum = (see /usr/include/sys/random.h)? ENTROPYSOURCE, I guess?

Add a new = one for your source.

I believe it's also possible = to open /dev/random for write to inject entropy, and I'm sure I saw = mention of this being available around 12.0R, but I cannot find any = mention of that scenario in the man pages.

This is = for userland sources. If you are in-kernel, use random_harvest_queue(9), = and be careful that you don't run at high rate - i.e. if your harvester = spends a lot of time waiting for its source, then good, otherwise sleep = to keep the rate down to a trickle. You don't need more than a maybe a = few tens of harvested events per second maximum. If your source is good, = even ten events per second would be excessive.
 
I guess the other question to ask is whether ~45 kilobytes = per second of additional entropy is even useful in a typical situation? = There's no strict security requirement or anything like that, it's = really just a fun project that I'm hoping to actually use. :) All = entropy is good entropy, right?

What's = your threat model?

Guessing 256 bits = by brute force alone is such a good approximation to impossible in human = timeframes that even a demigod would not bother trying. Supplying that = much entropy per second may be good for generating "true" randomness = only if you believe the accumulator and generator were broken = cryptographically, but for everyday use that would be excessive by very = many orders of magnitude.

Having an = idea about how good your source is, would be a useful exercise. A basic = and easy measurement would be to calculate the Shannon entropy of your = source. This will give an estimate of the equivalent number of bits of = entropy that it supplies, under the conditions of your measurement. = See https://en.wikipedia.org/wiki/Entropy_(information_theory)&= nbsp;- H(X) is the Shannon entropy, measured in bits if b =3D 2 (see = lower down in that page for the definition).

M
-- 
Mark R V Murray

= --Apple-Mail=_667BF386-02F2-43E4-847F-D0881038806B-- --Apple-Mail=_D75555FF-2A6F-4774-9BEB-85C39903F57B Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.2 Comment: GPGTools - http://gpgtools.org iQEzBAEBCgAdFiEEyzPHvybPbOpU9MCxQlsJDh9CUqAFAmJANeQACgkQQlsJDh9C UqC1rQf/WXHX3T6IZdvRgfbr1hexjSCD/rSAeyMN+Td3/AH8InbTuQzm50wKyz0u MDNJ8MFDAxfcCihJjkA5G7vnnkTN7AMes1zCWdfW+pmnu0VXgQN90NDZbAsJUZ7d Gtf1k7IHdRgNb1ZOmqDnwzY626aFUM1lak/Hq9/AEfRjdS3D3LnRhGp4v5Www5tG qrwKRptN+RIi2cd8L1pi9Rh+bblotjvG6d5EMfJYg68chS7/6LrvF938hkwEBJwB h3r1KsqsQ13k1AHRLuXEuOjlbXnr9GyVbA+S3d/Xx32pbSUvZ2t2+bfxwNc71+AJ HIb9cnnW9cJ2n2/4UxY7f3UGZKmTCA== =tu1c -----END PGP SIGNATURE----- --Apple-Mail=_D75555FF-2A6F-4774-9BEB-85C39903F57B-- From nobody Wed Apr 6 04:07:59 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id C3F271A98D5C for ; Wed, 6 Apr 2022 04:07:59 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KY9wH3pvBz3HwB; Wed, 6 Apr 2022 04:07:59 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649218079; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=SC4f6Jaol9TdyQKjkyEwg3S+0NbYv3oc+jlGUH8Ov/E=; b=Gb9r2q434ejXWPDRsu7oLcx6UeKLSQJ6M/JHB7NKDTZDQ9V0esbBIqQN/blFMu4Owfdl2Q cr345N+MACRVrhT4moHY17KDK6PWA02hgGBKgnUIh9bYBBNp6CMC3w3RN7rU+1E1qfPfLs 0z01V4LhLdOM0sJIOwRrYrencoGdCgIQyY1H6XDDCurToZJFfnfchiDszPw3QVYpLeFHuw Z7i6/NV+BKLUjYn2Ptoszk+PLsZvpfArH1QSDTubR8Wg2Kk3qvcp8iG7LAAlR2ubIwo1Ds PTFxHUaYBK5Q7XXXbn/bmOK0IVYPkUO4GSN+5qg+hFFrauaEmvG+YFsshQOyAQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id 318B936AD; Wed, 6 Apr 2022 04:07:59 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:04.netmap Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220406040759.318B936AD@freefall.freebsd.org> Date: Wed, 6 Apr 2022 04:07:59 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649218079; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=SC4f6Jaol9TdyQKjkyEwg3S+0NbYv3oc+jlGUH8Ov/E=; b=k9m6S0qd1b3wmPBGvlWeyiTtlXe8QvXXfYNjaeP+E3299BRHNrhRIOR1HrdP4sCrNzYXTN NSO67w9vg+XHQWnP66eWUctFssztPb98G7cJSznLCezoMen3a5uVqSZZSc00b9Ec/LqNCz dmJJZofgUmkuQTmsVS3k8P4QyvNRwRTaTjBfGosQ6GmRc5CG78bBPRKEHDKdpfVFYcg++X PIr+u30S2csjVM2AFNpbVXMF783JMZzGLyHqbFxNOo2EOTQdRgKpdE9fEgmxcAt7UC+uSI g3oPIboxVC2oyahP4opJEcJb7fCiWbecWLTc/jpOXEubiw5n65bjXc1sX04QYg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1649218079; a=rsa-sha256; cv=none; b=xgoc5YcaP1ByxLVbZmPumMh87mc862JEmWXtXdqXBUWTJ81vW9DqySnzUv0yaHoGm1Mbjx pry9WWA+8klaS6k0bxCoy5WIH8MLnVJG8kNGRd47lXTPvZHUz8VMC3YZ47lsOpG7Bxl1Lq lHMmofZUiH27nxEvofnzKvmfsDC7AoKHpsXDM9xXOFGgfifmXoIRlFC1rFFjJcbiIe2u9t hKXPVhJh1j27iwsGinaoFRDu2ZHcC5XWrSLLjtaV/VR9plZuT1DxCu75YStOW/KYXa2z2l BdqT0RrQwcsgPkqOLla3FvQGoXtvakXC1G2988KuGrDAQRglOTjHlON19miQww== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:04.netmap Security Advisory The FreeBSD Project Topic: Potential jail escape vulnerabilities in netmap Category: core Module: netmap Announced: 2022-04-06 Credits: Reno Robert and Lucas Leong (@_wmliang_) Trend Micro Zero Day Initiative Affects: All supported versions of FreeBSD. Corrected: 2022-03-19 17:53:35 UTC (stable/13, 13.1-STABLE) 2022-04-06 03:26:07 UTC (releng/13.1, 13.1-RC1-p1) 2022-04-06 03:04:13 UTC (releng/13.0, 13.0-RELEASE-p11) 2022-03-20 09:08:23 UTC (stable/12, 12.3-STABLE) 2022-04-06 03:06:25 UTC (releng/12.3, 12.3-RELEASE-p5) CVE Name: CVE-2022-23084, CVE-2022-23085 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background netmap is a framework for extremely fast and efficient packet I/O for userspace and kernel clients, and for Virtual Machines. II. Problem Description The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. [CVE-2022-23084] A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. [CVE-2022-23085] III. Impact On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment. IV. Workaround No workaround is available. Systems that do not include netmap in their devfs_ruleset are unaffected. A default installation of FreeBSD does not include netmap in its devfs_ruleset. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:04/netmap.patch # fetch https://security.FreeBSD.org/patches/SA-22:04/netmap.patch.asc # gpg --verify netmap.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 9f600a260a73 stable/13-n250049 releng/13.1/ 7c55c52696d2 releng/13.1-n250081 releng/13.0/ 4996f46e03a4 releng/13.0-n244794 stable/12/ r371757 releng/12.3/ r371870 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmJNDgUACgkQ05eS9J6n 5cJ5oA/7BbWWbR3NEYYOSYBYDGtuRVUFFQYFLh35qcammhfATek0yMyqN47wHwq1 /Nh+91ZHJBV/wNkr5aFsMcNda9c/a9CVQLjWwiT5wtOGHt3tip0dy4Kalc1bwewI tGhlCX5bROy0x7xP0+qNHmDRvEVDviash3Wp7Ysk2uzpZsXl0bew1dBwH/9dxnYv XwfCHfU3fUdeyWtAvswwTlx5XXXBdgvGAShsdZTjYlowUioL6E+m3w0xFdyae7q+ MjaI9w06p+WJ89WTnwefLq5DwAi6eS+3qmZNJaU3Shq6tQo0TqrOfIuT3l8Id8tv f6XJBjZHDFJBbEofUREHjl0q7qAbZ2tBzxvDJWzGmBp98lSg0diIzyMmgOeUBT/1 MG8LLK3e4Z+l5ZknDRJJ38yiUCR4ANaUEygYFVXAcb7QylMhmqcJ6hIAMpCiJ7NJ S+ftBNjC1S6RccATBJUX3/IyTvwigvQIybNzKlqIMEjSPd8mVSTpbir43dK8Vr5v kKmaqSsTN5Df3s+yPn8uBG9VXhO0cNtLBxFJ8eWsI5mLigpCFD2KkvO06oLE9ALa fhEZxIy0bD4GbambenfZ2xxaSoZSIeAh1pM5aL4x/C4r7R0p8dH3ldkTDKWfqtfE /gaVGCSle/K0I6y1LUhWLdD7FlOLScHRkVF2sIGSDP4KTbH7H18= =EwyH -----END PGP SIGNATURE----- From nobody Wed Apr 6 04:08:05 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 6DC8D1A98F21 for ; Wed, 6 Apr 2022 04:08:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KY9wQ0T64z3HtH; Wed, 6 Apr 2022 04:08:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649218086; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=NpCIqbrm1lde/9zE7Q0qGctwUqG0FpHbjJUsO8Zh1g8=; b=pxsEuKXxqQqKus6O0Loxsd3xFT06VY8U+kZ5k8ykPNqUaZ23atfTCz3UOczWEWgWqdjJ6Y eF61Nq25b+QxEAdI/9jfJ3auOJrPXK743L7XBIyiselWyZfy8dQIDbVXTrJ6Xm6Qy9VE5j v/eZ96f/nClEWbZs2vU8TSMR/p9IfShYTkYFfokbWxs7W99DYh9jLZtJZtXu7xzpdnhCkJ lOZCNvwxX1jqg81PjCHq7GM1NQRhMRdVQnoH5oYuJmIw3L7huSFFc8dfD/2W2utXXNdR4X 6DasK/KoUu70F4FPLDjjjonlGSV0yyva5VIWzIwjpsbIEoE23WJPjsmx/16FAA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 91E933646; Wed, 6 Apr 2022 04:08:05 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:05.bhyve Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220406040805.91E933646@freefall.freebsd.org> Date: Wed, 6 Apr 2022 04:08:05 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649218086; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=NpCIqbrm1lde/9zE7Q0qGctwUqG0FpHbjJUsO8Zh1g8=; b=NCZMffo6xn1KbuX8T8z04KIw1qnrntc37XpX/Exmty8GC7qq597o37cR7RsFhCBvB3tvFW dsUBpF25IO2TJSwAzk2CZsS2EDUSCa7U5ANiCcXD8F4pbRf7YpSnv9ezHdYg5TPkhSWZSh IpYpSVtJUfXSAzPa1xw3vKqbNMuHicGsEd7VcXnw45EQPFTAPtnpItYDqsiJ/Kn7oIBjoN ZsOPlRRxmRm0hvaVcfKjyY0PLKMQzlUhw1Fm5WEJr2cQf5IhwavpOlmIKupp6xVuMhqTQj HCVuuaRx49ISGqFes297n4R854gMkhDoiRkcbt4oplft/fhE9zyaoaQv4axEFQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1649218086; a=rsa-sha256; cv=none; b=HKBT1r7e3be2E7TvEhFvPdLsRKNP68K7u5c6jBfhVPA5rkX4WcxeDYD+dHf0aO3YX5iLsQ do8p7mSxA/vvwIyAJWpiscS4UjqsVFQ5EIWKCowxO4q+6G/Rtr1dTBcJjUk+N14TjY/YRU 5qNFxx+Gb8uP+WyYI7WugTsFSURNQxo0R3KXw6UgtTm6AaMFIpv190Ph5OVnZt0SA+saad iO18ovrX2HIGcp+//tYWs5nYndSA6qIgd7odIuGnRL3AW8TvIBMvdgjjXpVx8kO7KVAwQW epr2UcjXKuGA2+XmbupYmlYQXn2kmarJ8vcPfEBUE3kYbqAtUJG5HxgkQrlmEw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:05.bhyve Security Advisory The FreeBSD Project Topic: Bhyve e82545 device emulation out-of-bounds write Category: core Module: bhyve Announced: 2022-04-06 Credits: Mehdi Talbi, Synacktiv Affects: All supported versions of FreeBSD. Corrected: 2022-04-05 22:59:52 UTC (stable/13, 13.1-STABLE) 2022-04-06 01:56:57 UTC (releng/13.1, 13.1-RC1-p1) 2022-04-06 03:04:14 UTC (releng/13.0, 13.0-RELEASE-p11) 2022-04-05 23:03:35 UTC (stable/12, 12.3-STABLE) 2022-04-06 03:06:28 UTC (releng/12.3, 12.3-RELEASE-p5) CVE Name: CVE-2022-23087 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background bhyve(8) is a hypervisor that supports running a variety of guest operating systems in virtual machines. It implements a number of device models, including an emulated Intel 82545 network interface adapter. II. Problem Description The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets. When checksum offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to specify the checksum offset in the on- stack buffer. The offset was not validated for certain packet types. III. Impact A misbehaving bhyve guest could overwrite memory in the bhyve process on the host, possibly leading to code execution in the host context. The bhyve process runs in a Capsicum sandbox, which (depending on the FreeBSD version and bhyve configuration) limits the impact of exploiting this issue. IV. Workaround Only the e1000 device model is affected; the virtio-net device is not affected by this issue. If supported by the guest operating system, presenting only the virtio-net device to the guest is a suitable workaround. No workaround is available if the e1000 device model is required. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and restart bhyve virtual machines. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:05/bhyve.patch # fetch https://security.FreeBSD.org/patches/SA-22:05/bhyve.patch.asc # gpg --verify bhyve.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable bhyve virtual machines, or reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 53f722094798 stable/13-n250272 releng/13.1/ 5a28d8befda0 releng/13.1-n250078 releng/13.0/ b85c68857da3 releng/13.0-n244795 stable/12/ r371867 releng/12.3/ r371871 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmJNDgYACgkQ05eS9J6n 5cJERBAAoqZXVIwucgIMLepm3hQdmYsuYGDhfp12ggOR8GO/a9oL9c21u5JSSNUq w966VU8u2Tv3JjKhNpXWSR9hbUSTuEWarkcrutNDe69GwcWv0Q8DU3DwhfrT6e9K +IO/yMNUUBL9LlWRW4XftiowNV2r9KvqzYsGbk8Wi+bN1Vd9gXo1r31Nu3Y3JBls EOjk8aoDuCCUqZKVjKw7VNXDjAo3MKnnt7s6nRLSJRvJH7iDGxttWGbAiREqLO07 Aqg0ZUbbtUs8PvOL38yj/eiC4tLdOGna+Nm7VNoiS+Ee2uL/tbGU079UCgqgSJ7k /0U8nrDss8NRirsFEbpYiNFs2zi+6dtRKjAzMGKxMU6TTnHodzfLBGsrOws5TmlS bblLVykXBT1egNT180gCNjBRdK2mYaF23wVEPbd8bg0+JPfG5MyylG137uJJw2B0 24RZpY3ciRCUw6xn9mRk//SOQh4fvtLSdNPfGtoYtHmzhao8wvWBqPw7SvkMkUP4 hsdNeutyIZjqTCDvtUD4Ge81BPLnW8fUkd7yNLbWFLGBqZGlCs/xBdmTqCS/XLF7 y9cPEsS7wb1sZS087uULgUrEDFPCnktozZ1ycCwoqCZy7dt6/zYFrYH1xu3AN+Ji hso4aoM18gVNadHfMRqHNClBDO0iaxuXPrg+SMqffOrdQCznQ3k= =CgB+ -----END PGP SIGNATURE----- From nobody Wed Apr 6 04:08:10 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id AF4761A9921F for ; Wed, 6 Apr 2022 04:08:10 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KY9wV1mhyz3Hq1; Wed, 6 Apr 2022 04:08:10 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649218090; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=T+5674eor00pjuj0iGeY+OzY8xjueiPuV8+yaoUVyy4=; b=pBJsltLxAVvE+ZFiPX8IauULwwosv9Mlc6oqRmBMcSH6V0XEmXi+1EPEvpeN9Nf2ypfb6J yk+484Zp9RT+PsFrS/x4d7MmAseSpRnpGnyC1VDYaVt/DH7x4r855Jk0QgD8kYS7sa8p9h 0EkKomXyDJJvqmKGNAeVv0rtOlBzvriehqyq55pZNeJh3n2u7H0TBBS71osF6Yrz2YEmYS URiDxYoll3pd2bglYepZZVFtQxgfd4eAl4EStYBXnhqKQDcaj3l+ioT11zxh6QZ+34ZcIc JDvUCmbddlv6NFwCB7BEmVOX4aaCC75w3wIq3or39kA1qLk588z7XKqegU2qcw== Received: by freefall.freebsd.org (Postfix, from userid 945) id 06096388D; Wed, 6 Apr 2022 04:08:10 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:06.ioctl Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220406040810.06096388D@freefall.freebsd.org> Date: Wed, 6 Apr 2022 04:08:10 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649218090; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=T+5674eor00pjuj0iGeY+OzY8xjueiPuV8+yaoUVyy4=; b=YnMcrv+trGKB4B9yWU5JUoWjRAUjgSNMrLi1vPr01aiNTlha8Z+Jpt5aDQijhsL6kJ/72E /ImcTQ7RC6AuToFmJ0OldoUKrHp/0pj2UjUSFQr50TMEKD4IjTgKphRVsX/znNAsfgodja 8uRTG7pC07EigvA5VRnSlUt24mU9jakW5nrJlv0Gy53KncRSP6GXVSHdnOpAOlQffz0kcz +adPTgFDj1nTa3Cw9jZa2yKcqNZoDhrkHscoSh+SiCtX0GfFolnCaIO8cLQGzKhaamQKDK qJfeCAWQntanNs4FPj+x5/O5EV6bnzqWZwrgP43Kl7lJhF1egdXUmS36rmFrwQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1649218090; a=rsa-sha256; cv=none; b=TzVXD54P5INjd9xnVCCO0dZ8r/Ss+GdMPT6q77W3nbBYpUB6mUoF4ZqF/mfuGDK/NYCrgO HuUPxfnITyxtIAMcQJx/hqp0gZn+SaJe0mBGDCFsh5RCfC2WvpcMyHVFzIWXn2vFoGIUqY aQSzNFGm5DCUPDqqE9HB41g68SnSd3hpKpvD5LO//+6ICyDQsmz0p5EanZIRZDM0swgBdk K8Dn3d333/VfXppDMWhJI2TMT6d6aipwNy18A6whnD2smy0HinPhIm3ncJuMLgcFmjqElw AL53mUf0qlKNthox0AhgCqrabZQVVlgM58Wo0RjVIt0O4EQQW6oFg0fzA7GzgQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:06.ioctl Security Advisory The FreeBSD Project Topic: mpr/mps/mpt driver ioctl heap out-of-bounds write Category: core Module: mpr, mps, mpt Announced: 2022-04-06 Credits: Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative Affects: All supported versions of FreeBSD. Corrected: 2022-04-04 00:46:25 UTC (stable/13, 13.1-STABLE) 2022-04-04 16:24:36 UTC (releng/13.1, 13.1-RC1-p1) 2022-04-06 03:04:16 UTC (releng/13.0, 13.0-RELEASE-p11) 2022-04-04 00:47:44 UTC (stable/12, 12.3-STABLE) 2022-04-06 03:06:31 UTC (releng/12.3, 12.3-RELEASE-p5) CVE Name: CVE-2022-23086 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background mpr(4), mps(4), and mpt(4) are disk controller drivers. They export an ioctl(2) interface used by command-line utilities to query or set properties on the device. II. Problem Description Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small. III. Impact Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group. IV. Workaround No workaround is available. Systems that do not use mpr(4), mps(4) or mpt(4) are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:06/ioctl.patch # fetch https://security.FreeBSD.org/patches/SA-22:06/ioctl.patch.asc # gpg --verify ioctl.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 0b29e1b9f9df stable/13-n250225 releng/13.1/ aef190f298af releng/13.1-n250066 releng/13.0/ e724f3ce7970 releng/13.0-n244796 stable/12/ r371855 releng/12.3/ r371872 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmJNDgYACgkQ05eS9J6n 5cJ1FRAAopRAsQL1viniZ9DvKUbq5cDwRvvaoTn4nzTs5+T51KoTwkzwfsAZy6jR ixOlaGTSRxWzTrLa5Kq6DxHEevrzxmJRc03YZ0GrfbSQNoaW6SGv+lXY9SEbm86K T3D//J42pSAmxLOteQDXqds5I4Xd9eDrrLzQjATxb9KqO1BYCWXCvPUQfRNksL6t eXnwT0+1AluGOw0YkyZ4nB62mtO5qwFPI1T/paIRAe8G38gW5xn821fYcJUR/fbd K6GUDdHvVsobI99nohiZcPoMH8peAoBntmWsOxMtd2goc6useAGE5xdvXB1EDBMe W/4ZCUNg5jhw+ceVIPw248DcvT9YVp6NtYbqvxcz2SQ5MNY3B4sgZCSuYeDUqtYF uYmJN5EHALyQPe1vPwTqM+INm5/T3Ft3Y3kWKgk5+PNSrClJNpkOASPps3hnJmM+ i7kK/GnH0TEZbinPY4J//8o6IuZpX1o+5JWWbSZPcDo/2IxlR+sAe72hOVq5w/Bp 2GT9aJmktRlJ8Spfr7QYy2LJBRUVN9zAlnfyZJ2Hil4i03lrmP/nByEBiAWxSfo4 ECIs5viR34U0gTJ8qbl6YJQrikWqUcYPcrPcx3iMT0fLXCaVGfB7jxZZc7jXsVc+ nf+uJPY4z95eqbCrTHuLj9ReBLOA7nG3Vi/FI0N3sEJkBOb1tHU= =kPAj -----END PGP SIGNATURE----- From nobody Wed Apr 6 04:08:18 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 547DB1A99935 for ; Wed, 6 Apr 2022 04:08:19 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KY9wg0VdJz3J1k; Wed, 6 Apr 2022 04:08:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649218099; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=xt8St5SLkSy4XGtNV1AuM4LbQrh/Gq6STG9P5DrsH6Y=; b=jz2/F9cP4aCuYsQcOoCSew5rkcXxxNQRViqDsuPka2BblnOJ5JHn+LxSEX3zRd7dGJkTLt R2EdEDpKVjMM9OElKaA/fwXmYXSPUSpyvXYqN6RMsGWiQ2m+vVnGcBa9ovo3l/VRBbPQ7i N+ygRk/OIJuiA9TJwBXwoSay3TCFvjnVV2PEU/Ql3CGHLwngdp0/0N8td3jD7ZleBNNVd2 zdP48nvXh5yBFDQguv5UzVjLaxvQAB6aV0OLXeQJ+pq9bNHoiFZQMkX4S3ZIpUisY+n+0r numZUBxIdMamf7gUBqFPpuUcIDmxTFlJRmFEIL+XyGm8rzzBok83NSTHHbekSw== Received: by freefall.freebsd.org (Postfix, from userid 945) id AA6503814; Wed, 6 Apr 2022 04:08:18 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:07.wifi_meshid Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220406040818.AA6503814@freefall.freebsd.org> Date: Wed, 6 Apr 2022 04:08:18 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649218099; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=xt8St5SLkSy4XGtNV1AuM4LbQrh/Gq6STG9P5DrsH6Y=; b=b+fTdDUzo8+61WqCjbZrkn9hz4v8zgNjJ+DypTDr2W6gKdo2m7iZkKc0wRMnfzrSobwVau /AK6uohX9WWm4bhYGA3AVoPKjLVJ8Db+DdG5NFI2RGk+Df3j2nXxNdo6z5Pd8XQz/sj1dh 92vJg6y/zvnthJ2SyixVkSU2FZCNTUpyC4mkQUpH+WPANnrEIFew4IrmwdOvZnC8wbo3+p /2dRehD6eUUSRohskBNxcV0U23z6MVZWO+3lk/8YnvLJCaV+e7QVw7LFA81qs6+xdsCPVK Wt5HO3bOake6E5vJBaC73Aldw2fFhwXClowZPsf4b7L+syo6TpuosWWMFtN8bw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1649218099; a=rsa-sha256; cv=none; b=PsH3J2cedjoySsiH878TlFNVMWeY4wV91M8t7za7yuYmGGD+eUVKKRhJ742GVjEv6I7F7t ePW1JU0Ac4aRtTXDJWn0lXmNioAcagctQk+ezgHVJoRzWPqKYDqlc+Y2iXscJrG/+Dr+Vc d4mXoxGrcZtOR1AN4yWwZi8vBlBnGuxquWx9qfddmkoUPEkJngaluw6XmpziR7PXsQ8Qf2 N82W2pM7kjdGgjRPuvYePMGWtO8kgc9y1rSGONjoAfwrqCENSxbGxzE/unQgPOk8Yoh4aR txt8suNIpkq1Ack3mdFDXusv85tXDT01rZsBHZftfABh1eJb1ml/dqtZ4T2yaA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:07.wifi_meshid Security Advisory The FreeBSD Project Topic: 802.11 heap buffer overflow Category: core Module: net80211 Announced: 2022-04-06 Credits: m00nbsd working with Trend Micro Zero Day Initiative Affects: All supported versions of FreeBSD. Corrected: 2022-04-05 22:59:53 UTC (stable/13, 13.1-STABLE) 2022-04-06 01:56:58 UTC (releng/13.1, 13.1-RC1-p1) 2022-04-06 03:04:17 UTC (releng/13.0, 13.0-RELEASE-p11) 2022-04-05 23:03:40 UTC (stable/12, 12.3-STABLE) 2022-04-06 03:06:33 UTC (releng/12.3, 12.3-RELEASE-p5) CVE Name: CVE-2022-23088 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD's net80211 kernel subsystem provides infrastructure and drivers for IEEE 802.11 wireless (Wi-Fi) communications. II. Problem Description The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. III. Impact While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution. IV. Workaround No workaround is available. Systems not using Wi-Fi are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:07/wifi_meshid.patch # fetch https://security.FreeBSD.org/patches/SA-22:07/wifi_meshid.patch.asc # gpg --verify wifi_meshid.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 72617f9246e3 stable/13-n250273 releng/13.1/ 00cc1ce78da3 releng/13.1-n250079 releng/13.0/ b2b23824272d releng/13.0-n244797 stable/12/ r371868 releng/12.3/ r371873 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmJNDgYACgkQ05eS9J6n 5cL+FQ/9FPr6zxTpQ9HMQym2BYnZZHXLFWE2ALDLXE8UYiNa6vLaeIvO4f/bzS6b StHq4YoLTU6tPtTVXu1MTv+BZmDcavtKtBohppkcSdV2Xs2zHrlcUGNBlJdWWUR6 vgcRsI8EhdrFltKoeJ+L7bfHCzE4oGAFKhvap7DL8URrt+a7S0mkfdaX9o7RSQi3 vku98kns+ylV4T+DgY5KO21rnzwopIkmw3XlRO+S0XILK/h+7EWvcrOTTEV+byQM vZL17NlumXhrZvg3nQIgpTmai7B8hFCVvRYy8aT8ygRSgEWG5ZtJVuPtgmJ7TMPg mZneNAQ3eJep4l53nRu3mlxvwJYm9KR/RYDIf6iHhkVStPGv4+9wPSqHZXzn/bDy MLTHNcOi6wBmRMi+JsR4QkhS6VukFlZvNl4UhXRG7Lx2Tss5CG/SKXCEHcwOYcZY TEIJY2iDoTTU3jEYWclvcmLMKn3yRfyox1vpv71Ugh33L0lgM22P/5+p/jebeQvL xl62ZEZZUzOeHfDzMNKi4yFhi4RvRA8exmVTKjPbqiDPIpUQFrCLWvbzeQhUbeSm zsldDRAf51jeJbahwSfujqjJ7NOum0iY1qTSqgV3JLvAjShQHCMYCK12zlwT42CM 3Op+ruTU7mx9UhjerQtklrzP1qE9i6A9D5Kk/MZSOA4zRbuFTRw= =uFZx -----END PGP SIGNATURE----- From nobody Wed Apr 6 04:08:24 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 9D0DA1A9A071 for ; Wed, 6 Apr 2022 04:08:25 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KY9wm63ZHz3J8v; Wed, 6 Apr 2022 04:08:24 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649218105; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Ig125PJ9SJMRutSniqGeD7Cw5Wosi89E59d0CFUgkII=; b=XrV7XZRehy76lSNr3K+yjmbT7FxPAJK5RVZrCBDkh1O+hLgaIBUjCXOb0lfTYuOlPIougZ ivLDzDeuo65P0pwp/k8JcolmBQXh2AtcA9yOJixb/HCfgpb93jxQFjTm0teOgIrsp02JoR qdrt/ZimnLONN4531gV63H4Q31cLe+JcAVhy42Jfdx8cAHWTfATQSNStkOFsivbdj713z2 rW8+e9Fi6ddWNja7WhNX/ZlUTwEa+zI7J0PIMT6BibRqhK5xT2MCfc6bJs+Af9mJD3+osl 9sB7NdUAKUhUPwpu+tapM7POS9yZDRnPHVZx+C9+jhs00mxKQT5KNIKeN9PrzQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id 13EC935EA; Wed, 6 Apr 2022 04:08:24 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:08.zlib Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220406040824.13EC935EA@freefall.freebsd.org> Date: Wed, 6 Apr 2022 04:08:24 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649218105; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Ig125PJ9SJMRutSniqGeD7Cw5Wosi89E59d0CFUgkII=; b=p7vz76TachrbAqUXnyQP1PeNctgH4MQm01+h9YV3yColCfWjh73D3rf+yfjwl6ucoRyzMs g4PfUYLAvy+RNyd3bXzG90Ro4wJiKuZ5eKe5+4kjotlwuqE5pOUsPmjf3BNJFzunQ2JuUy mSrOvcFcqeYW4hDZFY5xUaL7k3FNaDozgxnBhM9m7g9/T6NNxBfwQFjPym9YVJHa/tmTbI Y/GAMmZ4594vBF/EoHiYK+pGtI987e6yEIMUZyX8YXn5PEFMHdFRKCl9BB1bn80fo/rXZe t9zN882GDThhXu54TH86ChEdBIqD4l6+962C+9q7LEYYUcr9TGqLqoKVjBDubQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1649218105; a=rsa-sha256; cv=none; b=eY45fTb6t34R+sJJDVYyM+9yE539hCsw5gSK8qjkf16k1fAhagjawwTFjlDAcDR8Th9Sja TFzvOGRzTq0v8Ui7iZquhvjj3IwIJFBnuUHeAMm4sNUNj3xXKfBSc3IjpOhH/wiEh9rbGZ sQ9qp5QW2HOOVCrAK+mCzZm/vDsYn8vTHP5vZJNT6qNMsI4dsA+zaAJ9zr85pENmDPSVeT CxjlosqT9/wULdzdTspErfYAPJh+bc/ubpJLs9LRy701fNTy1oQPJwnUT3gYCGcB4D/X9o lIuKz1nMKGVmbJD1IWE28jTAUluk2W36mvk+32YyhLwqYpdHkSmTlCe2FWzcYw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:08.zlib Security Advisory The FreeBSD Project Topic: zlib compression out-of-bounds write Category: zlib Module: contrib Announced: 2022-04-06 Credits: Danilo Ramos of Eideticom Tavis Ormandy of Google Project Zero Affects: All supported versions of FreeBSD. Corrected: 2022-04-04 19:30:33 UTC (stable/13, 13.1-STABLE) 2022-04-04 20:02:42 UTC (releng/13.1, 13.1-RC1-p1) 2022-04-06 03:04:19 UTC (releng/13.0, 13.0-RELEASE-p11) 2022-04-04 01:07:59 UTC (stable/12, 12.3-STABLE) 2022-04-06 03:06:39 UTC (releng/12.3, 12.3-RELEASE-p5) CVE Name: CVE-2018-25032 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background zlib is a compression library used by numerous applications, as well as some FreeBSD kernel components, to provide data compression/decompression routines. II. Problem Description Certain inputs can cause zlib's compression routine to overwrite an internal buffer with compressed data. This issue may require the use of uncommon or non-default compression parameters. III. Impact The out-of-bounds write may result in memory corruption and an application crash or kernel panic. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:08/zlib.patch # fetch https://security.FreeBSD.org/patches/SA-22:08/zlib.patch.asc # gpg --verify zlib.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in . Recompile the operating system using buildworld and installworld as described in . Reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ c4727a47f18c stable/13-n250251 releng/13.1/ f5196112e8bd releng/13.1-n250070 releng/13.0/ 9854ff088002 releng/13.0-n244799 stable/12/ r371856 releng/12.3/ r371875 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmJNDgcACgkQ05eS9J6n 5cKzTxAAm61INadG6kdCuFYEYez9Fb3bT0L+bVElfmVhiQ80BqVKwE7EpeNN+OUC 820eYu5KnSGT2SKq6IIi605MUvhjpECLdjmdIEbER6G97nWxwSEEhpQ64br+3ely J7SJWYpR5ydsxOYitICHV6YDJNK2mIMl0IYhSPgJqwb0zMWIupGPYisgdlqUSJV4 SVxqQL8Z1GE+rUW2Br3QamENXkRRZwIUNpAxGfGK+YWjqjZ+378y6R5nj4+TL3c8 +kDKL4jLyyQxnmkhLjfdX2sFOhI7bxcsmj0JuutAaCwvxlZ8gPglKMKZLEz4fula hA6AuFFGpgoPpP2ZCThXglJ4UWYrPJhRX7c5G1W/mdaLZACeHwz+1SOW6v0Ud0GI fxI6uweov8zDp5RIjWHU5Ir40nE3WqwYVGamy4xWN0PnrfzYlMidP7bV9pakalUn lkXPIcFmgY6Yc8efPsHGoyskIjarquZ8gNqAv6CmumaHiu20PcPNXbwuMIVGABcf p1WEIOYD8C1eDsPnR+QiFj9/8JcN/MyElJOz8wFr/XdRkixGx2mqCxQt9d8QDAaF 84/phYipwC1rdPjQs9HTcI6x52+MiyJGU+W6o27uS2vIQYycqkCjc08viZP5bNKT kt281rEoIcvmv9HUzMXvjLzWGTGvGLw9lf5PueMzZwbkGV4o1fY= =7Iaq -----END PGP SIGNATURE----- From nobody Mon Apr 18 19:57:12 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 7052711E712F for ; Mon, 18 Apr 2022 19:58:16 +0000 (UTC) (envelope-from kob6558@gmail.com) Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KhyRC39ZCz4lgq for ; Mon, 18 Apr 2022 19:58:15 +0000 (UTC) (envelope-from kob6558@gmail.com) Received: by mail-oi1-x22b.google.com with SMTP id 12so15879668oix.12 for ; Mon, 18 Apr 2022 12:58:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=BbD8UzNwZCJBBpFiujug1Xnkc3/hJHQxy+RqhdIkRrE=; b=L9uC7Uhz17R+702zDLvbruVh2QHKX2olZDVMWPUfCyjBz1HSGtle/bFZh9YkW0/POm v/sqbbwLpL8Gf1Gsdu4zw455FfUvD+0nsQCOoEns9emRSl8EEVr7f35I33SyaV/vgpv/ i7/nkXYpnCMfA+gvkbkNCapFgkWrcg3Kfdj97bHkl4c4gYTJhdkM4KmKNwN0mwjLKjvl zu7gJMM9oswGFU7msRZIZzWMVvDF3I/+YNz7CF7Gj5VekCRdyo5YwhsKb1Lh5YLTGGau +ugH1oknmUUJiJbHhKDCz8xJWJJJTcr7HH1LZCC3yK43HFPlcWPBDA8wRNUoM2NxVy57 9CtQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=BbD8UzNwZCJBBpFiujug1Xnkc3/hJHQxy+RqhdIkRrE=; b=HYfQlyF2xuG/givGan9zXVW1rf/gJ/4CSTDEFdbsUTejgmzmMO/NQ3QYfvrA7MrzoK uoMXX77Sc+9gMbvdAO/XArm6YtpYpBx+KqDXdDvuzF6jiAalrB9pEvCIDXcyE65QttqE jXfHeXWCuKDIM1RaXMAI8CdxWI4tGDGyoz4LsSgNnlTMQtt0QGLe7Bap/vbqoxlSmZNy loYbvoPGFZCO5GBjH2zAQE9lYLE06fzdpzGYhqf/h1mN84wFpqpY/3N43EtjUeCdn+WD BC7UNlhuo9/C6EWpSr6UGUUc3ERRfUljA3vVpOcZUTfhdWSY0ThuA8W6pwfvFZBBy/41 w92A== X-Gm-Message-State: AOAM532PvDKCDt/iUlNVli8SkvblptWdtnSfzLxE9zoT385hGBhJi+RY 9mB71PKALYzCz6NfHFRLSE3NIeUVJ5TG6f3Ip1lYYq9FkqU= X-Google-Smtp-Source: ABdhPJw/PWTBx988ubt723oJIjgt24gSZArhsZuUFMxMN3XSO/5pdZZf7wJnAKQkx2bZ8Kx3IYBPPcztUWJ+Q4WKf4E= X-Received: by 2002:a05:6808:1305:b0:2da:5086:fa34 with SMTP id y5-20020a056808130500b002da5086fa34mr5768586oiv.230.1650311894438; Mon, 18 Apr 2022 12:58:14 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 From: Kevin Oberman Date: Mon, 18 Apr 2022 12:57:12 -0700 Message-ID: Subject: Lack of notification of security notices To: freebsd-security@freebsd.org Content-Type: multipart/alternative; boundary="0000000000003c961505dcf32e43" X-Rspamd-Queue-Id: 4KhyRC39ZCz4lgq X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=L9uC7Uhz; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of kob6558@gmail.com designates 2607:f8b0:4864:20::22b as permitted sender) smtp.mailfrom=kob6558@gmail.com X-Spamd-Result: default: False [-3.70 / 15.00]; FREEMAIL_FROM(0.00)[gmail.com]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; TO_DN_NONE(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FORGED_SENDER(0.30)[rkoberman@gmail.com,kob6558@gmail.com]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; FROM_NEQ_ENVFROM(0.00)[rkoberman@gmail.com,kob6558@gmail.com]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::22b:from]; MLMMJ_DEST(0.00)[freebsd-security]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N --0000000000003c961505dcf32e43 Content-Type: text/plain; charset="UTF-8" As per the FreeBSD Security Information web page , security notifications are sent to: - FreeBSD-security-notifications@FreeBSD.org - FreeBSD-security@FreeBSD.org - FreeBSD-announce@FreeBSD.org This policy has lately been ignored. No postings show up in the archives of FreeBSD-security-notifications@FreeBSD.org since January. Likewise for freebsd-announce. The only list showing the April 6 announcements is this one, freebsd-security@freebad.org. In the past, Security Announcements and Errata Notes have also been copied to the stable and current lists as appropriate, although this is not mentioned. This delayed the update of my systems by several days. Fortunately, only one of these vulnerabilities was relevant to my systems. Even though the announcements are almost 2 weeks old, it is still likely that some people are unaware of them, so I would strongly urge that they be posted to, at least, FreeBSD-Announce and FreeBSD-Stable lists. In passing, I will note that the same issue appears to be occurring with posts of Errata Notices. -- Kevin Oberman, Part time kid herder and retired Network Engineer E-mail: rkoberman@gmail.com PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683 --0000000000003c961505dcf32e43 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
As per the FreeBSD Security Information web page<= /a>, security notifications are sent to:
This policy has lately been ignored. No postings show= up in the archives of FreeBSD-security-notifications@FreeBSD.org = since January. Likewise for freebsd-announce. The only list showing the Apr= il 6 announcements is this one, freebsd-security@freebad.org.
In the past, Security Announcements and Errata Notes have also been copied to the stable and current lists as appropriate, although this is not menti= oned.=C2=A0 This=20 delayed the update of my systems by several days. Fortunately, only one=20 of these vulnerabilities was relevant to my systems.
Even though the announcements are almost 2 weeks old, it is still likely=20 that some people are unaware of them, so I would strongly urge that they be posted to, at least, FreeBSD-Announce and=C2=A0 FreeBSD-Stable=20 lists.

In passing, I will note=C2=A0 tha= t the same issue appears to be occurring with posts of Errata Notices.
--=
<= div dir=3D"ltr">Kevin Oberman, Part time kid herder and retired Network Eng= ineer
E-mail: r= koberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C169= 4B318AB39EF1B055683
--0000000000003c961505dcf32e43-- From nobody Mon Apr 18 20:19:19 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4E8765D5782 for ; Mon, 18 Apr 2022 20:19:22 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: from mr85p00im-ztdg06011901.me.com (mr85p00im-ztdg06011901.me.com [17.58.23.198]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4KhyvY3lSDz4qPG for ; Mon, 18 Apr 2022 20:19:21 +0000 (UTC) (envelope-from gordon@tetlows.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tetlows.org; s=sig1; t=1650313160; bh=XadbuWK+EBwNEjkD514khnXjcgEAs0/SX1FZhThc6fg=; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:To; b=AiktFmX+V1PpXB7Z71xz8ZSD0NNog5ab7+HQGvcKvYxtWzzvs+i9/RSvX217SjVEr OE5TvAAbMco2RrZGGsPSNQvy0mUGa+3JQZe02Amrrn1sCfiezpFLklPa8Ylb7YX2N8 oc3ZI/d/tyWT+6yusvG9Lo6fKWijGCRkHm7wdB9oXnw+ghcOWfr9aivKkY46l/3EDB T3vqrW84czViiicN1tZKfshLdYddilji2Uc0t5uzeuqJiRjlQsB92cmw0L5gbJZUCj FX7G0VpbklVBfg2vU74nM3xyDXHf52msnjt3bwriWyEiAFqJpsxaktALvOnzihhp9D yzMImjBXg1DVw== Received: from smtpclient.apple (mr38p00im-dlb-asmtp-mailmevip.me.com [17.57.152.18]) by mr85p00im-ztdg06011901.me.com (Postfix) with ESMTPSA id EC85990014B; Mon, 18 Apr 2022 20:19:19 +0000 (UTC) From: Gordon Tetlow Message-Id: Content-Type: multipart/alternative; boundary="Apple-Mail=_B697FF60-E4DF-4BE7-AE9F-E4F04450C2FD" List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\)) Subject: Re: Lack of notification of security notices Date: Mon, 18 Apr 2022 13:19:19 -0700 In-Reply-To: Cc: freebsd-security@freebsd.org To: Kevin Oberman , postmaster@freebsd.org References: X-Mailer: Apple Mail (2.3696.80.82.1.1) X-Proofpoint-Virus-Version: =?UTF-8?Q?vendor=3Dfsecure_engine=3D1.1.170-22c6f66c430a71ce266a39bfe25bc?= =?UTF-8?Q?2903e8d5c8f:6.0.425,18.0.572,17.11.62.513.0000000_definitions?= =?UTF-8?Q?=3D2022-01-14=5F01:2022-01-14=5F01,2020-02-14=5F11,2021-12-02?= =?UTF-8?Q?=5F01_signatures=3D0?= X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 mlxscore=0 clxscore=1030 phishscore=0 adultscore=0 bulkscore=0 malwarescore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2204180118 X-Rspamd-Queue-Id: 4KhyvY3lSDz4qPG X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=tetlows.org header.s=sig1 header.b=AiktFmX+; dmarc=pass (policy=quarantine) header.from=tetlows.org; spf=pass (mx1.freebsd.org: domain of gordon@tetlows.org designates 17.58.23.198 as permitted sender) smtp.mailfrom=gordon@tetlows.org X-Spamd-Result: default: False [-3.60 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+ip4:17.58.0.0/16]; DKIM_TRACE(0.00)[tetlows.org:+]; DMARC_POLICY_ALLOW(-0.50)[tetlows.org,quarantine]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FREEMAIL_TO(0.00)[gmail.com,freebsd.org]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ASN(0.00)[asn:714, ipnet:17.58.16.0/20, country:US]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_IN_DNSWL_LOW(-0.10)[17.58.23.198:from]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[tetlows.org:s=sig1]; FREEFALL_USER(0.00)[gordon]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; RWL_MAILSPIKE_VERYGOOD(0.00)[17.58.23.198:from]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N --Apple-Mail=_B697FF60-E4DF-4BE7-AE9F-E4F04450C2FD Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii =46rom the secteam point of view, we haven't changed anything in the way = we send messages to the mailing lists. I have double checked and all SAs = are sent to the three addresses listed. I suspect this is likely fallout = of the mailing list change over. I can say for my part, I have gotten a copy of the messages from both = the freebsd-announce and freebsd-security mailing lists for the SAs I = have sent out (I'm not subscribed to the freebsd-security-notifications = list). I just confirmed the headers for the 2 copies of SA-22:08.zlib = that I received that it is routing through the lists.=20 It does appear as though the messages are not properly archiving into = the mailing list archives. Adding postmaster to the thread for them to = dig into why that might be. Gordon Hat: security-officer > On Apr 18, 2022, at 12:57 PM, Kevin Oberman = wrote: >=20 > As per the FreeBSD Security Information web page = , security notifications are sent to: > FreeBSD-security-notifications@FreeBSD.org = > FreeBSD-security@FreeBSD.org > FreeBSD-announce@FreeBSD.org > This policy has lately been ignored. No postings show up in the = archives of FreeBSD-security-notifications@FreeBSD.org = since January. = Likewise for freebsd-announce. The only list showing the April 6 = announcements is this one, freebsd-security@freebad.org = . >=20 > In the past, Security Announcements and Errata Notes have also been = copied to the stable and current lists as appropriate, although this is = not mentioned. This delayed the update of my systems by several days. = Fortunately, only one of these vulnerabilities was relevant to my = systems. >=20 > Even though the announcements are almost 2 weeks old, it is still = likely that some people are unaware of them, so I would strongly urge = that they be posted to, at least, FreeBSD-Announce and FreeBSD-Stable = lists. >=20 > In passing, I will note that the same issue appears to be occurring = with posts of Errata Notices. > --=20 > Kevin Oberman, Part time kid herder and retired Network Engineer > E-mail: rkoberman@gmail.com > PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683 --Apple-Mail=_B697FF60-E4DF-4BE7-AE9F-E4F04450C2FD Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii =46ro= m the secteam point of view, we haven't changed anything in the way we = send messages to the mailing lists. I have double checked and all SAs = are sent to the three addresses listed. I suspect this is likely fallout = of the mailing list change over.

I can say for my part, I have gotten a copy of the messages = from both the freebsd-announce and freebsd-security mailing lists for = the SAs I have sent out (I'm not subscribed to the = freebsd-security-notifications list). I just confirmed the headers for = the 2 copies of SA-22:08.zlib that I received that it is routing through = the lists. 

It does appear as though the messages are not properly = archiving into the mailing list archives. Adding postmaster to the = thread for them to dig into why that might be.

Gordon
Hat: = security-officer

On Apr 18, 2022, at 12:57 PM, = Kevin Oberman <rkoberman@gmail.com> wrote:

As per the FreeBSD Security Information web page, security = notifications are sent to:
This policy has lately been ignored. No postings = show up in the archives of FreeBSD-security-notifications@FreeBSD.org since January. = Likewise for freebsd-announce. The only list showing the April 6 = announcements is this one, freebsd-security@freebad.org.

In the past, Security Announcements and Errata Notes have also been copied to the stable and current lists as appropriate, although this is not = mentioned.  This=20 delayed the update of my systems by several days. Fortunately, only one=20= of these vulnerabilities was relevant to my systems.

Even though the announcements are almost 2 weeks old, it is still likely=20 that some people are unaware of them, so I would strongly urge that they be posted to, at least, FreeBSD-Announce and  FreeBSD-Stable=20= lists.

In passing, I will note  that the same = issue appears to be occurring with posts of Errata Notices.
--
Kevin Oberman, = Part time kid herder and retired Network Engineer
E-mail: = rkoberman@gmail.com
PGP= Fingerprint: = D03FB98AFA78E3B78C1694B318AB39EF1B055683

= --Apple-Mail=_B697FF60-E4DF-4BE7-AE9F-E4F04450C2FD-- From nobody Mon Apr 18 21:06:48 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 00B0B11D22C3 for ; Mon, 18 Apr 2022 21:07:57 +0000 (UTC) (envelope-from kob6558@gmail.com) Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Khzzc5cRVz3FF0; Mon, 18 Apr 2022 21:07:56 +0000 (UTC) (envelope-from kob6558@gmail.com) Received: by mail-ot1-x32f.google.com with SMTP id c11-20020a9d684b000000b00603307cef05so7110381oto.3; Mon, 18 Apr 2022 14:07:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tGjuzG/sdVjAX2SGBZXdJ6RLQ4Xv+OswlH5naixrpto=; b=FbXDTWkpXm7ua1y/g5vloc+jeAixOOSkUKOR7cqxVBdWITQCGGWBGLn706l4FFBOwD sFA8M34o/YEfYx1PDqfU04pYsFcG0DmQjRjtgai3A9dyBB9Dv/vYWTzdTgzy/fta6qLK 8CFdSBuF+OXQfTjYZ+gJzYwbYoUIcnsFlHj7g5p2faGyY/ppVNPwGy8JOInc1FtRimzh e679QIjkrFtVV7JcSyANfF3PfK/DT2JaDPi7NVdPz94r81oCNZ+YLkOVUGLnGTkbgwNZ NX8kc1TxndvZGSPbiACWAUfJ5IE2IFBoW8VgUhOdcecKwdXSfRPrHR+Q8g/2chJ2+dOb wEOA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tGjuzG/sdVjAX2SGBZXdJ6RLQ4Xv+OswlH5naixrpto=; b=4qzAB1m8NwwkH67Wqon49qFZ5xJ2wQQbIe7ikvz6SgXMs4kzn/QjX052kx+wP7B/d9 Q0UxnsaNXCHLr5KCUFKALsA0MaWrATDUBZVRqEigw22dWIk/ZweAfEW341osKM0LQC9K IElF9lqh5qdGfXTGsonUEWlkkZdwsrBWGn5ZjXCM/Q1XB6SEYjNmzh/kkKNSu1v/l8RR 8/adVeTv/2sl+iyK2V4RFB5AtNLRHVm5OAKQPajiBeG9DzT5GqHFxPLQMeOKP3Z2FjCc 8Ye89I1ZASzqAVN5qmH00j6Jt3Zr0FJzxSOsf84ecbK7LYY13RDDyW65+TtYg64586VA ol3Q== X-Gm-Message-State: AOAM532DW4jNJERlBwtTK207TVFXRA+Q02zLjFsKpVytqJVqmx13Sq5i W0T21o1jGHHBNQ5b3cOIH/nkoqVGAj2kO5PMl26AX9ns X-Google-Smtp-Source: ABdhPJw3OpeRpRavFiFf/dXFbhKJx7OB/vC5HNJszpV0i/z42zWvflPUgKBpEN0aQX6JRXdWe1q30L/3r60F8CiQEHs= X-Received: by 2002:a05:6830:1cc8:b0:5e6:f41c:f157 with SMTP id p8-20020a0568301cc800b005e6f41cf157mr4627768otg.82.1650316070459; Mon, 18 Apr 2022 14:07:50 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 References: In-Reply-To: From: Kevin Oberman Date: Mon, 18 Apr 2022 14:06:48 -0700 Message-ID: Subject: Re: Lack of notification of security notices To: Gordon Tetlow Cc: postmaster@freebsd.org, freebsd-security@freebsd.org Content-Type: multipart/alternative; boundary="000000000000259d1105dcf42764" X-Rspamd-Queue-Id: 4Khzzc5cRVz3FF0 X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-ThisMailContainsUnwantedMimeParts: N --000000000000259d1105dcf42764 Content-Type: text/plain; charset="UTF-8" On Mon, Apr 18, 2022 at 1:19 PM Gordon Tetlow wrote: > From the secteam point of view, we haven't changed anything in the way we > send messages to the mailing lists. I have double checked and all SAs are > sent to the three addresses listed. I suspect this is likely fallout of the > mailing list change over. > > I can say for my part, I have gotten a copy of the messages from both the > freebsd-announce and freebsd-security mailing lists for the SAs I have sent > out (I'm not subscribed to the freebsd-security-notifications list). I just > confirmed the headers for the 2 copies of SA-22:08.zlib that I received > that it is routing through the lists. > > It does appear as though the messages are not properly archiving into the > mailing list archives. Adding postmaster to the thread for them to dig into > why that might be. > > Gordon > Hat: security-officer > Clearly, something has failed. The archives show no messages to stable, security-notifications or announce for security advisories or errata notes since an errata note on March 22. There was an e-mail on stable sent on the 7th asking why the April 6 messages did not get posted to stable, so it is not just me. The issue is new this month, so the change in mailers last year is not directly responsible. If I was to take a guess, I suspect something changed between the March ENs and April 6 in how the mai;er treats cross-posts. Looks like something changed in hte two weeks between March 22 and April 6. Mr. Postmaster??? > On Apr 18, 2022, at 12:57 PM, Kevin Oberman wrote: > > As per the FreeBSD Security Information web page > , security notifications are sent to: > > - > > FreeBSD-security-notifications@FreeBSD.org > - > > FreeBSD-security@FreeBSD.org > - > > FreeBSD-announce@FreeBSD.org > > This policy has lately been ignored. No postings show up in the archives > of FreeBSD-security-notifications@FreeBSD.org since January. Likewise for > freebsd-announce. The only list showing the April 6 announcements is this > one, freebsd-security@freebad.org. > > In the past, Security Announcements and Errata Notes have also been copied > to the stable and current lists as appropriate, although this is not > mentioned. This delayed the update of my systems by several days. > Fortunately, only one of these vulnerabilities was relevant to my systems. > > Even though the announcements are almost 2 weeks old, it is still likely > that some people are unaware of them, so I would strongly urge that they be > posted to, at least, FreeBSD-Announce and FreeBSD-Stable lists. > > In passing, I will note that the same issue appears to be occurring with > posts of Errata Notices. > -- > Kevin Oberman, Part time kid herder and retired Network Engineer > E-mail: rkoberman@gmail.com > PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683 > > > -- Kevin Oberman, Part time kid herder and retired Network Engineer E-mail: rkoberman@gmail.com PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683 --000000000000259d1105dcf42764 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Mon, Apr 18, 2022 at 1:19 PM= Gordon Tetlow <= gordon@tetlows.org> wrote:
From the secteam po= int of view, we haven't changed anything in the way we send messages to= the mailing lists. I have double checked and all SAs are sent to the three= addresses listed. I suspect this is likely fallout of the mailing list cha= nge over.

I can say for my part, I have gotten a copy of= the messages from both the freebsd-announce and freebsd-security mailing l= ists for the SAs I have sent out (I'm not subscribed to the freebsd-sec= urity-notifications list). I just confirmed the headers for the 2 copies of= SA-22:08.zlib that I received that it is routing through the lists.=C2=A0<= /div>

It does appear as though the messages are not prop= erly archiving into the mailing list archives. Adding postmaster to the thr= ead for them to dig into why that might be.

Gordon=
Hat: security-officer

Clearly, something has failed. The archives show no messages to stab= le, security-notifications or announce for security advisories or errata no= tes since an errata note on March 22. There was an e-mail on stable sent on= the 7th asking why the April 6 messages did not get posted to stable, so i= t is not just me. The issue is new this month, so the change in mailers las= t year is not directly responsible. If I was to take a guess, I suspect som= ething changed between the March ENs and April 6 in how the mai;er treats c= ross-posts. Looks like something changed in hte two weeks between March 22 = and April 6.

Mr. Postmaster???



On Apr 18, 202= 2, at 12:57 PM, Kevin Oberman <rkoberman@gmail.com> wrote:

As per the FreeBSD Security I= nformation web page, security notifications are sent to:
Th= is policy has lately been ignored. No postings show up in the archives of <= a href=3D"mailto:FreeBSD-security-notifications@FreeBSD.org" target=3D"_bla= nk">FreeBSD-security-notifications@FreeBSD.org since January. Likewise = for freebsd-announce. The only list showing the April 6 announcements is th= is one, f= reebsd-security@freebad.org.

In the past, Security Announcements and Errata Notes have also been copied to the stable and current lists as appropriate, although this is not menti= oned.=C2=A0 This=20 delayed the update of my systems by several days. Fortunately, only one=20 of these vulnerabilities was relevant to my systems.

Even though the announcements are almost 2 weeks old, it is still likely=20 that some people are unaware of them, so I would strongly urge that they be posted to, at least, FreeBSD-Announce and=C2=A0 FreeBSD-Stable=20 lists.
In pas= sing, I will note=C2=A0 that the same issue appears to be occurring with po= sts of Errata Notices.
--
Kevin Oberman, Pa= rt time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
<= div>PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683



--
=
Kevin Oberman, Part time kid herder = and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint= : D03FB98AFA78E3B78C1694B318AB39EF1B055683
--000000000000259d1105dcf42764-- From nobody Tue Apr 19 02:09:24 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 43ABECFA158 for ; Tue, 19 Apr 2022 02:09:28 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Kj6gW0jxNz4jCJ; Tue, 19 Apr 2022 02:09:27 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-ej1-x635.google.com with SMTP id u15so29984820ejf.11; Mon, 18 Apr 2022 19:09:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=qxoviXpnR1/DI3muVy9mVCntedoTmZwGBVbUMKFO8TI=; b=RnG/OwZqp5DBUXSQteli3TdPaL4Pk17GNUA1J2PQDo96xxWd4r/czEEZ7kSunGxRLa COiWTj2qWyV+/VE/ycdFuUFm2UXT+y0JCqNowbGNSJTWhYQ3l7Y83DlLjg1wyt7ZOfHh Auf2/th01/VNoQjKL2uNEVO+2nRuQbx3A+CjQmTNFFyqQ+LxXJizGWVsBqKUByWXHtIh h77Nl11OU0t+cxRv4EkxkyzFvB+83zmXlPvnZ4OIPwEOQpvfihUipBV5lWaNwnSVJb9m RPgGO5QgXng5VK3IXeiHisfF1sojy9RTNe9oZv4v5pI9zHGRhKqCQm1KeRV1OncSdsCW CqHA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=qxoviXpnR1/DI3muVy9mVCntedoTmZwGBVbUMKFO8TI=; b=M3thUUka8c6bnQETGDQTyBNfNA7cUPfW5yvqWwDtbZVvzBzCI0X+qTtIivwK0haZTd 1Y0v4JO2stDiBtlZqO5gZysd19qDhA9F5oE46kqwVVOnvX3NrzsZQUxV76Gkma1ra28t MEfOCu3t5pdTXZaeSnHvUFfkvJnHorS7oes0jPPtOUG5UOdRBl2/ZPFJxgT3L9bTnXtU SjmFbeMGwEW7QDaqPG+Ol4FBLHdh/5ZMaH63Fq6+09bwhT8czW6gvunaYqRNhID0DQcd NdXcjG2yw2ecckuL57rEsOOQlG2j3Ac8MgKaLlqh5fGbVjrbwWsi+TapOpTY2pFURp5v N6+A== X-Gm-Message-State: AOAM530b+bkV3b8OOYn0cBAVOAqFMT/+ej19a00pwqCkVw2zb65S4paM QuGukNnxDmlIzD9pt48APhzrizdGYHeN6rv6tibOYnvno8/KFXUbBz0= X-Google-Smtp-Source: ABdhPJxXygetn+Rb2GWJgdz+YgnjJCosXARvSabmwGUsimQBD898C0ZkNHXmZjcr/6HL04RXAey7Ix3AIUSaQ9vqU+o= X-Received: by 2002:a17:907:6e1b:b0:6ef:d995:11ac with SMTP id sd27-20020a1709076e1b00b006efd99511acmr1174312ejc.244.1650334165556; Mon, 18 Apr 2022 19:09:25 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:ab4:9c81:0:0:0:0:0 with HTTP; Mon, 18 Apr 2022 19:09:24 -0700 (PDT) In-Reply-To: References: From: grarpamp Date: Mon, 18 Apr 2022 22:09:24 -0400 Message-ID: Subject: Re: Lack of notification of security notices To: freebsd-security@freebsd.org Cc: postmaster@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4Kj6gW0jxNz4jCJ X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b="RnG/OwZq"; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2a00:1450:4864:20::635 as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-4.00 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; FROM_HAS_DN(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; RCVD_IN_DNSWL_NONE(0.00)[2a00:1450:4864:20::635:from]; MLMMJ_DEST(0.00)[freebsd-security]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-ThisMailContainsUnwantedMimeParts: N > Clearly, something has failed. The archives show no messages to... Do they show up here... rsync -nHaxi bit0.us-west.freebsd.org::FreeBSD-mailarchive/ That is supposed to be the ultimate raw history archive of all freebsd mail since forever, or at least should be such a sort of independent delivery copy. Try importing the raw mboxes in question to search for the messages in question. > how the mailer treats cross-posts. Bcc's should also be enabled to deliver and show up, Bcc as reduced form of Cc still helps with inclusion, and also helps keep 'group / all' replies going to primary. From nobody Tue Apr 19 08:28:53 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 0090F11D85BF for ; Tue, 19 Apr 2022 08:29:05 +0000 (UTC) (envelope-from rb@gid.co.uk) Received: from mx0.gid.co.uk (mx0.gid.co.uk [194.32.164.250]) by mx1.freebsd.org (Postfix) with ESMTP id 4KjH5X0fFCz4YYK for ; Tue, 19 Apr 2022 08:29:04 +0000 (UTC) (envelope-from rb@gid.co.uk) Received: from [194.32.164.25] ([194.32.164.25]) by mx0.gid.co.uk (8.14.2/8.14.2) with ESMTP id 23J8Suhj020031 for ; Tue, 19 Apr 2022 09:28:57 +0100 (BST) (envelope-from rb@gid.co.uk) From: rb@gid.co.uk Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\)) Subject: Re: Lack of notification of security notices [via digest] Date: Tue, 19 Apr 2022 09:28:53 +0100 References: <20220419081952.2278811D6AE4@mlmmj.nyi.freebsd.org> To: freebsd-security@freebsd.org In-Reply-To: <20220419081952.2278811D6AE4@mlmmj.nyi.freebsd.org> Message-Id: <67782447-C01D-44DA-B676-DD7FF1E924B5@gid.co.uk> X-Mailer: Apple Mail (2.3608.120.23.2.7) X-Rspamd-Queue-Id: 4KjH5X0fFCz4YYK X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of rb@gid.co.uk designates 194.32.164.250 as permitted sender) smtp.mailfrom=rb@gid.co.uk X-Spamd-Result: default: False [-2.70 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; MV_CASE(0.50)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000]; DMARC_NA(0.00)[gid.co.uk]; R_SPF_ALLOW(-0.20)[+mx]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_NO_DN(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:42831, ipnet:194.32.164.0/24, country:GB]; RCVD_COUNT_TWO(0.00)[2]; MID_RHS_MATCH_FROM(0.00)[] X-ThisMailContainsUnwantedMimeParts: N Hi, > From: Kevin Oberman > Subject: Lack of notification of security notices > Date: 18 April 2022 at 20:57:12 BST > To: freebsd-security@freebsd.org >=20 >=20 > As per the FreeBSD Security Information web page, security = notifications are sent to: > =E2=80=A2 FreeBSD-security-notifications@FreeBSD.org >=20 > =E2=80=A2 FreeBSD-security@FreeBSD.org >=20 > =E2=80=A2 FreeBSD-announce@FreeBSD.org >=20 > This policy has lately been ignored. No postings show up in the = archives of FreeBSD-security-notifications@FreeBSD.org since January. = Likewise for freebsd-announce. The only list showing the April 6 = announcements is this one, freebsd-security@freebad.org. Purely as a data point, I=E2=80=99m seeing the same symptoms here. > In the past, Security Announcements and Errata Notes have also been = copied to the stable and current lists as appropriate, although this is = not mentioned. This delayed the update of my systems by several days. = Fortunately, only one of these vulnerabilities was relevant to my = systems. >=20 > Even though the announcements are almost 2 weeks old, it is still = likely that some people are unaware of them, so I would strongly urge = that they be posted to, at least, FreeBSD-Announce and FreeBSD-Stable = lists. >=20 > In passing, I will note that the same issue appears to be occurring = with posts of Errata Notices. > --=20 > Kevin Oberman, Part time kid herder and retired Network Engineer > E-mail: rkoberman@gmail.com > PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683 -- Bob Bishop rb@gid.co.uk From nobody Mon May 9 07:37:10 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id D0F091AC69D6 for ; Mon, 9 May 2022 07:37:19 +0000 (UTC) (envelope-from natalino.picone@nozominetworks.com) Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2086.outbound.protection.outlook.com [40.107.20.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.protection.outlook.com", Issuer "DigiCert Cloud Services CA-1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KxY0Z607sz4X6f for ; Mon, 9 May 2022 07:37:18 +0000 (UTC) (envelope-from natalino.picone@nozominetworks.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ga4jwkwmO74rx98kHOt48U9wJS/TC9xdUpK0ilbpOxv9B4yoNKHzdhYRuDkB0Z/AVfIeuyhNCCDX6rPpPEauVL5cEi3jK2cSwc5UPVtGOMdTDzWWHA6NRptu8uBIOysGvNJ+2s9xi2atboRsL4dWIJWXqUlAXtQRbhXdqOhCGyBltre5O7I4j2oL9ZYvvryYzaLvKyPDd45UNGLUiPtlT3HY+p61YgRJqVvi9E8rROlNl7teQzQruuB222etG7M4NRYRdMOZEmM1Hmq8GeHKqKrwvWinVsObyKqoYm+4juGO/auxbVUJYFCbrQ+i1M6XkMJFUwJ3Y+RcOM3pZLJUeg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1GLD/e/g0sRfctU/yG4gDjLICRu6CD6g8POrv7Mqmfg=; b=bHq0IFumND0CvKgQWkHdPWZGxkhHf/kzfOONM0iYXMk7BNb1rDaEMOcLJKQOWbA9wh3DiNfsRI1oNQ+b01zlDkNmSYG2hKSkTHhVkjA95olEI6Y8+KczMB+2cuo9ou+zKALxgsPD700gnD146ftpcHo9WQI2ZFgj2b3rS+o87AqqiV3S2Ucq842+fQB+F/sc75QjtAnCHQzRlY/JmW4xDkaFbNt00lk//0e22C07m6Xn7MZoEJqfLeICWafsHyqGOCTkDUGVfofoeu6S6Iehu0qOXbMj/gW/lQGdoEb9MKsOMi4o2ftZOsJfgNPoUyPl+X06HP6BJCc5NyJb82mQfA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nozominetworks.com; dmarc=pass action=none header.from=nozominetworks.com; dkim=pass header.d=nozominetworks.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nozominetworks.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1GLD/e/g0sRfctU/yG4gDjLICRu6CD6g8POrv7Mqmfg=; b=btT1d/hKm5mBc53+ZA3/je4O5iUUprdcW+Xu3ahBCcV1VYQLeSePu4pQrYZ/Tvs/yzRovkjoZ99pTxulVW4YFpmHKaIZ6sInDa1/vBCF0mSPyd1/1sCdMxauMzmWTRc4vAmZHS8r7N1oD+VdQb0Z3BlG/bnvaFLTWe0MjSZ9PCU= Received: from AM6PR07MB5816.eurprd07.prod.outlook.com (2603:10a6:20b:96::22) by DB7PR07MB5769.eurprd07.prod.outlook.com (2603:10a6:10:84::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5250.12; Mon, 9 May 2022 07:37:10 +0000 Received: from AM6PR07MB5816.eurprd07.prod.outlook.com ([fe80::609e:7617:f53e:94ef]) by AM6PR07MB5816.eurprd07.prod.outlook.com ([fe80::609e:7617:f53e:94ef%6]) with mapi id 15.20.5250.012; Mon, 9 May 2022 07:37:10 +0000 From: Natalino Picone To: "freebsd-security@freebsd.org" Subject: OpenSSL 1.1.1o in 12.3? Thread-Topic: OpenSSL 1.1.1o in 12.3? Thread-Index: AQHYY3dMP5QJC0OFa0uJQjpaYkPamA== Date: Mon, 9 May 2022 07:37:10 +0000 Message-ID: Accept-Language: en-US, it-IT Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: suggested_attachment_session_id: 89756dee-f2e4-b2d6-5579-e50c1ab41efb x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 36483dfa-9ce7-43ce-103d-08da318eb9f9 x-ms-traffictypediagnostic: DB7PR07MB5769:EE_ x-microsoft-antispam-prvs: x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: y1XXFU+hxSIBTCF8wGJ4M7tSsnIWbdURj2+K2QGP3EVwo+puqAboPCUom2lHxTH2oq1c4vQmYfAnJt0bE9XBkYdJJsUpfuuxk6b840LBolVhEEkwR2oCaEDGPpLTzRyNfSzzoSVKyZq/hKCSVYzQdO1qIIOBwrVUIdpGxLlWinYrJM10x33Upem0o86LuFhaMB3yC84X0IWq7zw0TczNkjHA3HVFLfzyuM90M5/pmU1Nji0JysJhvPCyD1upNJlKbcwpzFS94Wehdqa4z/ZSZ2Yc9+oKRJYfCH7JGAI9iZ7iaaeeg0JbNq1KcY2uuOpv/MDtU/xBW43wB/GG1bG/BRCmE7hD4VebQzFlxoyB959iOpVFZOLdp/fIk7caYg7Kp2XYnhMUEUjEPFoKTU4YS4IPB+aj/trsZsr5WQ9pBuysAUMQDreHts0bKYxHgMuGmZT+1XI0Vfhf7lNNFuq7aq/ioeRkfUN1YkS0Cdpe1jCggocsWrpt8B5BR5wAvMrQthzzMtmdXoibgLjKGwT33YeEu/TpD1TUaxofuzG/fKsOlYifcMmyGSeVmFS6iCvQxHsBjzfIkLzpd0YV+d0wmlI30VmtW/WjPqGSoq/+ixiep356XlXejdv9KMCReqttDdwvYAFVVIZy7d5OaQGDIir36DOcRJd17ZLMRaJ+ckHLRmaxOVT9e4RG4U2UayJwGxU3YsLjwN4Kb7PYiLNkVJLYqehXObzxudcVoJ4BKW52jqkT7baOqQvVrHI+mQqyxh4odCrnV4onaGfcdvGs/V8nAVho4RAjqf4LU/sJLkRjo+DiN+WW0DxG12ungSnTBZ+U89DJLA5L/T3BQWUwrY9T/LMW/5BYiv123EZMHlOyFBnZuvw7+Uvhhi4fbO3Z x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AM6PR07MB5816.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(4636009)(366004)(76116006)(91956017)(186003)(66946007)(19627405001)(66476007)(44832011)(33656002)(64756008)(66446008)(8936002)(52536014)(66556008)(26005)(83380400001)(5660300002)(9686003)(8676002)(4744005)(6916009)(86362001)(71200400001)(38100700002)(508600001)(6506007)(45080400002)(55016003)(7696005)(166002)(966005)(99936003)(38070700005)(2906002)(316002)(122000001);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?Windows-1252?Q?jGoxbwVIV0QPmJ4EOYfLMZGoRneuNAsE8vcqE2sTsGLRzivWTpkJqyGZ?= =?Windows-1252?Q?5pG17Aohs6Ntxx17c/mVFWlLvdsR/RZeMlNqqV9IRakUZCT1X7qoO2CU?= =?Windows-1252?Q?91sQhqpp6tt6zGgWTC2obD9pt3KfXKp0YAPimWiBEZ5jULP5xoKtHeDZ?= =?Windows-1252?Q?W+q6n8FdDGD6qi5vsvSvGI8fOsQbyQR+l6RSjNjWplGUfta9SuMsTZd2?= =?Windows-1252?Q?dOfZSSiNQSoleMLgOxm4iuQGePKtuKYyneCJ6U4y8FjNdmCuFW2QRNly?= =?Windows-1252?Q?zYfxm1+TeaVVsf70fgMP245Myu9PwwFvcFvCx+w+a9JNufWlTcEZsouB?= =?Windows-1252?Q?NbuiHg0fpmTUjxzGdiIst2mFwhDxY7VF19LbZ6Py2lm1ivgdXj/0l+l+?= =?Windows-1252?Q?w9CyEm0rB6gnI7cU0TTceSOJTSHpr3BlgHSMKBFRIFZJTKUuyzKE7MIf?= =?Windows-1252?Q?6C7Eh1ZdGbp7pS2TtAYSv3dRgXZZstFh9F3S2yYlru89sB9e1aD0tFR9?= =?Windows-1252?Q?m4RaT2gCZk6tMhysl/XwsnXKBWOPsCzDkxXze1ZnHEUZLyRkPBlH6T8J?= =?Windows-1252?Q?O56oHrav+TYtEdgnxUARSMvx0XjrMzBvvJ0ht0z/40IcFGO6CzKhV+Dv?= =?Windows-1252?Q?wpqFKwoz1EVWetrmRjSSfJm38Nt6X2NyHsS8dM8ejGCDZuj3HkD+e3TR?= =?Windows-1252?Q?5k3bhl+39njWP/zF4prFz8iNU4VBTmtIaPSnxywLaXw4lt3UXmQ3eMiO?= =?Windows-1252?Q?OEh5ToJdZZ80u2T/To8kMIlduGhGJ6ZCh9uB/W+bfuKdzkGDi3xQtyIA?= =?Windows-1252?Q?obFXJ4WhqNQ41B0u6Wi5euRfAl4Hz+/1Ro3O2/dfq80/Mm5nZ6/cPMUS?= =?Windows-1252?Q?q7kgejSkjrPTQ19MHxeKMpHvhliJQ9+ghfbwD9d6YYO2d2kfhjCYKZ0C?= =?Windows-1252?Q?Y7mNtWjeQjpX3CjYXAQv9SLEcX44aMP7xv1KyZOQGwCH3+5PqljT7fOd?= =?Windows-1252?Q?pBPcXaNUe/4pNByIwcm8SMwSaWDUyOOmoBDt2RGYOfRQDgb4KT91epmS?= =?Windows-1252?Q?ImN+7wsbUISa+fi2rqYn9DC9jcKS+VRilqKEQzT27bDT8sDmAcCqapHj?= =?Windows-1252?Q?XztRl9/TVr/1EZBxxGzshmbw8lcbyFAZq+uvm2T1B0I3YrnEckrkI3Am?= =?Windows-1252?Q?4BstwTxavpr29hYXg9/+sPpwNrq0aeIG0bAKAeaZZiK+Lm5sBmIuUoT5?= =?Windows-1252?Q?nJ6RRQYJ7ANdBStDmwnaaSU+f4KThaj9GS2sSKTUYP4yYOKfc9rOvEgW?= =?Windows-1252?Q?0AuPFan/8owj+O1HKJUm/hm6xHCJmV+cttc+WDjMzYdwPGnYTbLfA4Bd?= =?Windows-1252?Q?HLW+/1K6uDJHpSbSvUrgnZFuYTa7lMrAfFj19qb86kj4X64N+TUbq3Gk?= =?Windows-1252?Q?wWj0OgUD8j5lzKK8X04W3qEc9RO5k5weZ4IldAzYiv2n4WHSyU0hkt00?= =?Windows-1252?Q?vssN+IdpOZSEKKjbxeYecRAPe1++NXB0zKLtb42yR1uRrgBGpJ8K1vI2?= =?Windows-1252?Q?sMb+oc/xKyzkqpa3tRSdSfGIwHYHl/rAKhMKbNV40ilYO6Q31cjOmE0e?= =?Windows-1252?Q?GxfHwx4agw2sIMmNO0LShXeLZTbULNVip6g8/79cYOntXWkldErytLy2?= =?Windows-1252?Q?Pgzoyyjldl/4kSbksrhcHKo9DvTlOUoCIiuj26Z6LyjXbRgzsi3EkeSi?= =?Windows-1252?Q?MZBQhgFpVh9EDs0RXUGLEKQkdbjyAyZGF+WjVTVpo/7W13BZMM2jZ1pN?= =?Windows-1252?Q?jm7oRQsqBKoAKNMQLhFj5J+sVCWL8ddf43zMGkJQfN3x6yNsvT3bLgq7?= =?Windows-1252?Q?TXUabJLFnRWO9uCQz157pWttRmVpniqbw0TEj4LajT7DthtjJIljS/VR?= Content-Type: multipart/related; boundary="_004_AM6PR07MB581685FA32B09E3F2B36BF0886C69AM6PR07MB5816eurp_"; type="multipart/alternative" List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 X-OriginatorOrg: nozominetworks.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB5816.eurprd07.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 36483dfa-9ce7-43ce-103d-08da318eb9f9 X-MS-Exchange-CrossTenant-originalarrivaltime: 09 May 2022 07:37:10.1258 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 6f04d14b-0796-4b81-b7fd-779778e05341 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: SwP3WHCevquRUS4ABq0hi75WfQu+MX7i1KZaEPworyvQ04P/w45v0cgyw54pdhtDEvUXLImR7n0Vxjt1pAc5g+GaVfK7+tTBBEYaAB8xOlDMPLHXRQ+IgWiszUS3Y2I3 X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR07MB5769 X-Rspamd-Queue-Id: 4KxY0Z607sz4X6f X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=nozominetworks.com header.s=selector2 header.b="btT1d/hK"; arc=pass ("microsoft.com:s=arcselector9901:i=1"); dmarc=pass (policy=none) header.from=nozominetworks.com; spf=pass (mx1.freebsd.org: domain of natalino.picone@nozominetworks.com designates 40.107.20.86 as permitted sender) smtp.mailfrom=natalino.picone@nozominetworks.com X-Spamd-Result: default: False [-4.00 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[nozominetworks.com:s=selector2]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:40.107.0.0/16]; MIME_GOOD(-0.10)[multipart/related,multipart/alternative,text/plain]; NEURAL_HAM_LONG(-1.00)[-1.000]; ARC_ALLOW(-1.00)[microsoft.com:s=arcselector9901:i=1]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[nozominetworks.com:+]; DMARC_POLICY_ALLOW(-0.50)[nozominetworks.com,none]; RCVD_IN_DNSWL_NONE(0.00)[40.107.20.86:from]; NEURAL_HAM_SHORT(-1.00)[-1.000]; TO_DN_EQ_ADDR_ALL(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~,4:~]; SUBJECT_ENDS_QUESTION(1.00)[]; ASN(0.00)[asn:8075, ipnet:40.104.0.0/14, country:US]; RCVD_TLS_LAST(0.00)[]; RWL_MAILSPIKE_POSSIBLE(0.00)[40.107.20.86:from] X-ThisMailContainsUnwantedMimeParts: N --_004_AM6PR07MB581685FA32B09E3F2B36BF0886C69AM6PR07MB5816eurp_ Content-Type: multipart/alternative; boundary="_000_AM6PR07MB581685FA32B09E3F2B36BF0886C69AM6PR07MB5816eurp_" --_000_AM6PR07MB581685FA32B09E3F2B36BF0886C69AM6PR07MB5816eurp_ Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable Hi, I was looking at the latest OpenSSL CVE. Should this also be merged on 12.3? right now it has been done only on 13.1 https://github.com/freebsd/freebsd-src/commit/2e121bd7c73932ac52332b53ebd78= 24965e6a7b4 Thanks, Nat Natalino Picone Senior Product Security Engineer =95 Phone: +41 (0)91 647 04 06 =95 natalino.picone@nozominetworks.com Nozomi Networks | The Lea= der in OT & IoT Security Website | Blog | Twitter | Linkedin | YouTube | Podcast [cid:ebf60110-aadd-4447-9be4-4f415a1c031f] --_000_AM6PR07MB581685FA32B09E3F2B36BF0886C69AM6PR07MB5816eurp_ Content-Type: text/html; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable
Hi,
I was looking at the latest OpenSSL CVE.
Should this also be merged on 12.3? right now it has been done only on 13.1=

https://github.com/free= bsd/freebsd-src/commit/2e121bd7c73932ac52332b53ebd7824965e6a7b4

Thanks,
Nat



Natalino Picone
Senior Product Security Engineer
=95 Phone: +41 (0)91 647 04 06
=95 natalino.picone@nozominetworks.com

= Nozomi Networks<= /strong> | The Leader in OT & IoT Security
Website | Blog | Twitter | Linkedin | YouTub= e | Podcast  



--_000_AM6PR07MB581685FA32B09E3F2B36BF0886C69AM6PR07MB5816eurp_-- --_004_AM6PR07MB581685FA32B09E3F2B36BF0886C69AM6PR07MB5816eurp_ Content-Type: image/png; name="Outlook-ivda3igo.png" Content-Description: Outlook-ivda3igo.png Content-Disposition: inline; filename="Outlook-ivda3igo.png"; size=5079; creation-date="Mon, 09 May 2022 07:37:10 GMT"; modification-date="Mon, 09 May 2022 07:37:10 GMT" Content-ID: Content-Transfer-Encoding: base64 iVBORw0KGgoAAAANSUhEUgAAAGYAAAAeCAYAAADermvOAAAAAXNSR0IArs4c6QAAAJBlWElmTU0A KgAAAAgABgEGAAMAAAABAAIAAAESAAMAAAABAAEAAAEaAAUAAAABAAAAVgEbAAUAAAABAAAAXgEo AAMAAAABAAIAAIdpAAQAAAABAAAAZgAAAAAAAABIAAAAAQAAAEgAAAABAAOgAQADAAAAAQABAACg AgAEAAAAAQAAAGagAwAEAAAAAQAAAB4AAAAA879mzwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAm1p VFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0 YS8iIHg6eG1wdGs9IlhNUCBDb3JlIDUuNC4wIj4KICAgPHJkZjpSREYgeG1sbnM6cmRmPSJodHRw Oi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4KICAgICAgPHJkZjpEZXNj cmlwdGlvbiByZGY6YWJvdXQ9IiIKICAgICAgICAgICAgeG1sbnM6dGlmZj0iaHR0cDovL25zLmFk b2JlLmNvbS90aWZmLzEuMC8iPgogICAgICAgICA8dGlmZjpPcmllbnRhdGlvbj4xPC90aWZmOk9y aWVudGF0aW9uPgogICAgICAgICA8dGlmZjpYUmVzb2x1dGlvbj43MjwvdGlmZjpYUmVzb2x1dGlv bj4KICAgICAgICAgPHRpZmY6UGhvdG9tZXRyaWNJbnRlcnByZXRhdGlvbj4yPC90aWZmOlBob3Rv bWV0cmljSW50ZXJwcmV0YXRpb24+CiAgICAgICAgIDx0aWZmOlJlc29sdXRpb25Vbml0PjI8L3Rp ZmY6UmVzb2x1dGlvblVuaXQ+CiAgICAgICAgIDx0aWZmOllSZXNvbHV0aW9uPjcyPC90aWZmOllS ZXNvbHV0aW9uPgogICAgICAgICA8dGlmZjpDb21wcmVzc2lvbj4xPC90aWZmOkNvbXByZXNzaW9u PgogICAgICA8L3JkZjpEZXNjcmlwdGlvbj4KICAgPC9yZGY6UkRGPgo8L3g6eG1wbWV0YT4KC/gx OQAAEGdJREFUaAXtWXt4VNW1/81k8k7Ii4SEhLx4BBD1grYIKKhgS0AKIrXVe61+Xiz0qqV4rSiC fNZCa/3u/dR7W63SCtWKVC1YQASE8BIxIUEJlLxD3u/3a5JJMv2tfebMnJkEkrT0r7LzzTn77L32 Wmuv994x2dkwoqaB22Hin51/JoAoTCa+r7WrJgHzyDFpCnA9RTnX2tWWgGWkCAtbevB1fRcy+Xv8 +tGICbDQW0aK5Rr8UBIYpsdoPpHT1I3ZHxSirMOGzForbvugAGXtvaQh89pv+P6j4RxxJB1kRyMN xu4oND7cxzy+FAFPOM9vjzXqU2D0nwywrz5FStK5fBumYkzKS761uxi1HT3w9zIjwGJCYYMV9+67 hOJWGylIxpHncJsjGHq4m8auJ9Oe3/1uRDxQOOY817gtMXyQD6dmBe8g64a/KQNe6cpCbbGThBpi fiaZKxnlsEKZtbcP6bVdqKKnmKkUaX2yB/YzajpxFxV27N5kxAZ6c3CQjckCjyYWU9jaA2tvP6aF +ztndfX29fcho64bCUHeiFF4nSDsmNHU3YcTVR2o7exFHGHmjQ2Ev8VoZybUdNpQ1GajaAaRLNkU 8BsifOHjJfPCt7Y+o7YD5xt74Gs2498i/TA1zNdIXPW7++w4y3A+jXNBPl4D5mWgmTzmNHfjJuIQ WkLhXH0nvElvapgfvwbhSxayDamYL6o7sPlMPVZMGKXrHv2kkBxCJdAMTKRY2NKNOQxxB5clYVII NyHmQGjtqegMeIhiX0yvxR++bsCee8fj7sRghU9PWF19ZszakY8tt8Xg2ZuiuF7D1kPiL2fV48WM avT39MOXxtFh64e/vwVbZo3BY9dHKCEI/R35LXg6rQL9ZoMAiKZPcJGB0ABvXHgwBWMdij9FRa8i /HkaYSDx9nN/XeQzdfwovH57LBKCKS47cXF/lTSIWTsKcEd8EI4sTzbsT+NT1t65q5i4OlG6ciqi mYt7yXvqnlIasAUZ9024glqGUMxn5W24b18pJo/2g7dhcx22Xrw4Mxr9ZPq1s/XEYkJJazdWfFKC T76TpCxYBKnpxyAUA/vSDRQz4u/BA6U4zM3NiDR4DpeZaYkieL1ZaaUPHizFh3kteG7mGCxLHoUI KqSy3YbtOU34yeEKVNBDfjEnGuIE35sQgm9EBWiGQnmJyMyMe29eaMT27Ab8kkrXlXKkvB2pHxdh dkwQ9t6TjJRQX4hXfFnTgQ2nqnHbnwpwiAaUEupDLCaIj4RR2GlFrXghvQabvjlGZ1O9//tkFc6W tSEq3Jc0XVPBPmYEerv25Jpx713WYw6WtuF7+0vRbO2Fn3J1faEJ/t4WrDlRiZVTw+FHwf4qo0Z5 TnadlfmmBxF+XlpYUZrR1w18d9OCJlHpssmVh8pw/LvjEeQ9eFgQYWy72IAPqYBtCxPx0JRQrhJR A0nB3pgTE6DC3gYK5N6JIZg5JkCFQM8w+HlVJ7ZTMZtmRWPVdRFqvY0Wdv/BMswdG4SdixIQ7qvz YMd1FOz00QGY92EBHj1SjuMG72CkQ2KUP16mYubHB+PWaBoB+TxQ2o7ffFWPaXFBNJoeRWOkDw/V abVCcVsP0wfVrGdVbf9O3HQQ1HX1Yj5d9YGUEDw8bTTszBXkCcE+JjxypBISAtWAc9XADg2S1mPC viWJuMiKb1VapQvIg2Yn8X9ET5lB4WlKEVAxRflp7fEbIxBLJW37a6M+5HhryMrpWYv+UoxFCcFY /w0Jj1rbyZBX29yDNTMiDUqROeLm0unMET+YFoHMsnacpfHJoBysuxgO/38uvY7etY4G0caQKrnv GRrtLbFB2HJLFLpsHhvRSA75dFOMENtV2IKb/5gPce0/L45HmJ8FPX2CRwg4iPBloeK6rDYs3VuC J26IwKZbosEgqnRZ0d6N+z4pZUndNSQDPdRO0igf/HZ+HN4734gNX9aoNZqJuDYlYaWQiXRBXOBl cfqQpxsZDjOV8NzBGiiwJVRKOEPJG/NjIbB6k8JmFMenUMADmgMslbmkk551iUYrCpNhsUUJS+9/ Ox7plZ14k/z/79k6FDFqbFsQp3KxawcDMF9xwC2UlTA+rz5SgUZWYb88Uwu+8BlddxOTtCSuAY2+ LGtu/6gA+5Ymk1+7YsaHeaGcQly89xJKHprMPOESwgAcjoEfTA5DdkMPNn9ehevD/VT+UInWMS/U 9d/gOGRW6JhUHjHCiADXHq/AOZb3X//7JIwLkjzhanZJ6IJdsanj0ee1b7MDt3EnElC6eu24PdYf 62dGYeOpKqIx4aW50crYzrBi1UogHdfw32YhK9aZVdeFNrpGq+xC0NGifsXY+XFxK3alxivrEI9y bxzhkLjwwt1FuJMxdfpof9gkRnF9PfOTuHYBbwukCS39qboej5fnjMHiSaH4cVq5KjMNeV/lufEh PjhcJiFSbxr3Cie7HeQ9m+XozDGuIkIgt15sxDvnm/Dh4kSW5lKm6k3jaHqkL1pZ4YniHNpxAGh+ Kx8HylpZrJggPAzWfnpTJJLocTNi/FVlKDB6JhgMfqgxsxxyfnehCQ8fLlcJW8U2Ctsu+qGb/uzz aqw9WQ3KfoBalAKFAjnopDJWfFKG0zVdjnOBDJuUsO5n1XWsst2x3lO5DhY1GakQEMXyVQoPyWX6 5uRAu5RJPauiA7/O1nOIjksDfO3repR39OHhKWEOpFCG9QSjwKbZ0biHVZx709Z/n3gjR/nif87U oVmL2w4wCVkmZPG88jaruLlJwbg+QhTrYNaALIhF0LvfHqf4l8rvH23mcw1dWE2l9NAlBaEiSWUF MuYKAyYm89fPybmhFv2D0POlZ0jVK2eaOuac1L9cYkii5UlhQ+1KFKthZXIHC4UKjwpF0Dn34MA9 mhXd23eNQxljucYTgaSRMamiFvA89cShUvz4RJWK5b1k6mKTFQ8cKMOLn1diIxPuDfRaWSD3eY+y 2pvC5H3P+BD8tdHq9pPDn40hOoAb2LFwHL6oasedHxXSO9oYovqVkraxClz45yKEMNdumz9OsUKu HW/Di/xJtJgg57iBenMCqj07vy7fscgJ9FEeyg5XtBOhAyOVtGhiEFJC/PCLjDoe0ORAJSdoD5YI L4r5IDUB/8WKSg6ayuIEjUmiMhWt+ia8dttYxHrEdrknMKv4bmTQhJtZgv6eyfPhT0sNezTRE4FD S5Pw+PFKbKWx/F9WnTpDgd4azMlXKLg1N7JCJDqJyG/SyjvoAYWNdkzfkWckovqRFHbm/RMRRw+d zzC8f1kyVh2txOKPitAnZw3ZHxU3L2kU3l0wDpE8M+lNIo0YHbevNf0tX46+vPyclqfJVsHrY0o2 2nLPp8lu77ez8sXbF5swLzYQN+/Mh5V54bsMB39itbHhdDU28weLlwpNJnrB67fH4VNa1a7cZvj5 mnGBCVUSqFhtejVDFpODKMRCBooeSuEhrRMraLHGJtE7jyVqO2P7TVSEq2kbkN1JWIwL9FIHVj2/ 6fuXvJVNb2/h+igKbAZxRIvghDCB5JVPmCqe0PU1LhravFyNyHWJqzgxoZ0xO4OndSmtvWlck8J9 MEN5oHE1YGWpLBe5U3nOCXOee9xh5EiRy2PATJ5vlJ7JiVSqcli/cbReAQ7GHbdAzStJyDOPFj/t j3noJXOimCW8JpnMhJZBZI99Vg4TGTCxZHQqJq8Z/hy78MBEVm51vDqJxHLeFORQYOraiTRbV01D sHA17KbYIfTgDA+NhionCs0oh8IhtHQYY39oKsOHEBMUGvLUacnqK9NzSkw2MoHniWdvjlLLJd80 WPtwC6/2JbTInZVFlcwEZFksaNWDHR+WzYfoQc+y1E1bnojr5NKOWN65K/6yShF7yM/LQ1UVvZGt tLRU/TRBaRuw2WxIT0/HyZMnceLECVy6dEnB6o/c3FwcO3YMp06dwtGjR9HQ0MApbp+823htlJWV BavVyr4N58+fV+/u7m589dVX6O2Vf1e4BNXW1q7opKWloaWlRSfhfDc1NeH48eOKj9zcHMd657Ra k5mZqQYqKysV3319cgB0qINyKikpwcGDB5HHffcPdvxwoXNcpzoGvLihn/EOat03o1TJK65sJ265 PZ7Og9uWOTHoZ/6Rati1JU0/cm3zMUPbD3kJ+O63xuHjJQn4jxS5Nhm89dPz3t+5EytX/icaGxtw 6NAh7Nu31w24tbUVW7ZsxpkzZ5CdnU0l8pxgaDk5Odi7dw+ef36j2rCmGA1AhPLWW2+ptTU1NXjk kUdQUVGBs2fPYuvWrdCEpsF2dHTgqaeewp49e5SCV69erYRoIIVz585h/fr1yMzMIr3nsX37duM0 xEg2b97MvfCQvGEDamtr4eWlX+1AfT/33HNUSi7eeecPEJ6u1Jweo4CUtO34Oe+RtsyKQhtPmJIv WiW0sXwVz3l3keNMo1zGiJqLWdLuyW9FS3c/FiVKaToAyLgAfn7+CAkJxpNPPgmxZItFygFXE8uX sebmZojFRkZGuibZW7JkCdas+QkSEhKwbt06TJw40Tnv5+eHefPm0cKPK6+yMEd+8cUppKUdxa23 3gpfXz3GA/v374cYwUsvvYQXXngBU6dOxYEDB5y4pCO8REVFYfnyexATE6Os3gjg7e1NZffiRz9a jdTUhbj77ruN0zAzqgiNwsIiLFhwl8LhBuDx4a4YNcmbUzKREuqnrqd9HReRkhTvYLUiiVauYMRr jG4jocmXZefupYmqiNDoGP3KgzI/rdYubuQxxMcn0AK3KeaNUIJTrG7s2LGIi4ujIo2HQ6YxblZg JCwInAjP2GbNmoXTp08rT3j66XXYtWs3PSgds2fPMYKptRLutPBmR09PDw3CVYEJsOAXjxVvysnJ xcaNG91wCG0RfGJiAml+ifZ2VrmGFh4ejldeeUUpfdOmTcpYDNMDuoMoRofhFTtD0WaGL5MeD6mk pXuKeUHZqZTnhKSS/Jngf8/zx1KWlsNtEk4kBzzzzDPcUOKAuC14RGASHurr61FQUKAU4YlflDNY E0+Kj4+nAk1YtmwZhWumkmM5pp9HtFWpqalK+WvXroUosKKCJfPixW4oe3ttSujvvfcewsJCVcgz AgifYWHh9LqXlTe+8cYbxmml1FdffRVdXV2Ijo5GYODl7/xkobMqc8OiPlwu8T5vdR/4tAR25hFe FeA3/KfRp7za3p3Pcpnnh6zvT1AXnUOVgEYaIszy8nIEBwcjNDQU1dXVyuLHjHH9X0MsWBKlWLA0 CSXiPcYmIVAKh+TkZGXVxjnpS16R9UlJSSguLlZC88QhcJ2dncjPz1e5Z/LkyQgIkCt8V2ttbaFw a5CSMkkJWQqElJQUp5eKh8h+ZG1bW5uiNWXKFEiIkyZGKHlFeI2NjVURwNPDXdSuqBgjGPBb3pw+ yYtAKw9ur98xFvtLqJi8JsTwKuPUivFIZEV3rV09CVwhlBmJ2LFqWjheo6dYmNCZbli19WOUrwW/ 43V9wij3pG1cea3/90ngCqHMgFBFNS207eVtczVP00crO/BD/gdzLm8LrrWrL4HhKcaDrlz89fEn /1a+1v45EhixYrQLBilLXcXBP4e1f22sIzZ5uWDQLmTczwz/2mK8+rv/G0Vs5lnGv874AAAAAElF TkSuQmCC --_004_AM6PR07MB581685FA32B09E3F2B36BF0886C69AM6PR07MB5816eurp_-- From nobody Mon May 9 18:31:01 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id EE5D11AE31F1 for ; Mon, 9 May 2022 18:31:09 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: from mr85p00im-zteg06011501.me.com (mr85p00im-zteg06011501.me.com [17.58.23.182]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4KxqW104wGz3MkM for ; Mon, 9 May 2022 18:31:08 +0000 (UTC) (envelope-from gordon@tetlows.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tetlows.org; s=sig1; t=1652121062; bh=ENzP0kVz0Lcyw2ZsWOAtzvlCDAF6tBFCXNsxy199IN0=; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:To; b=odplGbsLnzwaqjhbYjzjTEOpI9FOgRVZ2+XL02vSTlEqB5f0udX6d1m1vKXuGBGov mQIbbECpSdWTWDFu3sEtTV/CuDC5uJiF3BiIJ7hATSsgW+4+Qx/XMLZGHq9/ilhpTI nuelg0X7QvD+n2SXKbCIybtrYmtnuc5vjVJKpG2OFy0TsadjqbFOHUMnIEa2ogvqgK BcvBgAAw1IkUThWAawAhKU8y+vxEwlWcr5Upa633nBKNnS2A85ni4XHQt9TKI6iw6e A9TsFmO5x4OnXOVfnHc8mk5ChWlmwl7eher+3iIJmFcIgsGQBvKxpW7Yr70k6kjObj 4VdxiQivMdkjQ== Received: from smtpclient.apple (mr38p00im-dlb-asmtp-mailmevip.me.com [17.57.152.18]) by mr85p00im-zteg06011501.me.com (Postfix) with ESMTPSA id 34D5A480B6F; Mon, 9 May 2022 18:31:02 +0000 (UTC) From: Gordon Tetlow Message-Id: Content-Type: multipart/alternative; boundary="Apple-Mail=_8BC18703-5B5B-4E04-9AFF-3E1EDA885A1C" List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\)) Subject: Re: OpenSSL 1.1.1o in 12.3? Date: Mon, 9 May 2022 11:31:01 -0700 In-Reply-To: Cc: "freebsd-security@freebsd.org" To: Natalino Picone References: X-Mailer: Apple Mail (2.3696.80.82.1.1) X-Proofpoint-ORIG-GUID: y56Gk8ERDGf3anAz9UGdNA8wane006-h X-Proofpoint-GUID: y56Gk8ERDGf3anAz9UGdNA8wane006-h X-Proofpoint-Virus-Version: =?UTF-8?Q?vendor=3Dfsecure_engine=3D1.1.170-22c6f66c430a71ce266a39bfe25bc?= =?UTF-8?Q?2903e8d5c8f:6.0.138,18.0.816,17.11.62.513.0000000_definitions?= =?UTF-8?Q?=3D2022-01-18=5F01:2020-02-14=5F02,2022-01-18=5F01,2021-12-02?= =?UTF-8?Q?=5F01_signatures=3D0?= X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 malwarescore=0 adultscore=0 suspectscore=0 mlxscore=0 mlxlogscore=936 bulkscore=0 spamscore=0 clxscore=1030 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205090097 X-Rspamd-Queue-Id: 4KxqW104wGz3MkM X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=tetlows.org header.s=sig1 header.b=odplGbsL; dmarc=pass (policy=quarantine) header.from=tetlows.org; spf=pass (mx1.freebsd.org: domain of gordon@tetlows.org designates 17.58.23.182 as permitted sender) smtp.mailfrom=gordon@tetlows.org X-Spamd-Result: default: False [-2.60 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+ip4:17.58.0.0/16]; DKIM_TRACE(0.00)[tetlows.org:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[tetlows.org,quarantine]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; SUBJECT_ENDS_QUESTION(1.00)[]; ASN(0.00)[asn:714, ipnet:17.58.16.0/20, country:US]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_IN_DNSWL_LOW(-0.10)[17.58.23.182:from]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[tetlows.org:s=sig1]; FREEFALL_USER(0.00)[gordon]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; RWL_MAILSPIKE_POSSIBLE(0.00)[17.58.23.182:from]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N --Apple-Mail=_8BC18703-5B5B-4E04-9AFF-3E1EDA885A1C Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 The only vulnerability in 1.1.1 was regarding the c_rehash script, which = we don't ship as part of FreeBSD. As such, we didn't push it into = so-maintained releng branches. Best, Gordon Hat: security-officer > On May 9, 2022, at 12:37 AM, Natalino Picone = wrote: >=20 > Hi, > I was looking at the latest OpenSSL CVE. > Should this also be merged on 12.3? right now it has been done only on = 13.1 >=20 > = https://github.com/freebsd/freebsd-src/commit/2e121bd7c73932ac52332b53ebd7= 824965e6a7b4 = >=20 > Thanks, > Nat >=20 >=20 >=20 > Natalino Picone=20 > Senior Product Security Engineer > =E2=80=A2 Phone: +41 (0)91 647 04 06 > =E2=80=A2 natalino.picone@nozominetworks.com = >=20 > Nozomi Networks | = The Leader in OT & IoT Security=20 > Website | Blog = | Twitter = | Linkedin=C2=A0|=C2=A0 = YouTube = | Podcast = =20 >=20 > --Apple-Mail=_8BC18703-5B5B-4E04-9AFF-3E1EDA885A1C Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8 The = only vulnerability in 1.1.1 was regarding the c_rehash script, which we = don't ship as part of FreeBSD. As such, we didn't push it into = so-maintained releng branches.

Best,
Gordon
Hat: = security-officer

On May 9, 2022, at 12:37 AM, = Natalino Picone <natalino.picone@nozominetworks.com> wrote:

Hi,
I was looking at the latest = OpenSSL CVE.
Should this also be merged on 12.3? right now it has been done = only on 13.1

https://github.com/freebsd/freebsd-src/commit/2e121bd7c73932ac5= 2332b53ebd7824965e6a7b4

Thanks,
Nat



=
Natalino Picone 
Senior Product Security = Engineer
=E2=80=A2 Phone: +41 (0)91 647 04 06
=E2=80=A2 natalino.picone@nozominetworks.com
Nozomi = Networks | The Leader in OT & IoT Security 
Website | Blog | Twitter | Linkedin | YouTube | Podcast  

<Outlook-ivda3igo.png&g= t;

= --Apple-Mail=_8BC18703-5B5B-4E04-9AFF-3E1EDA885A1C-- From nobody Thu Jun 9 23:15:07 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 8DA1483ABEF for ; Thu, 9 Jun 2022 23:15:26 +0000 (UTC) (envelope-from ish@amail.plala.or.jp) Received: from msc11.plala.or.jp (msc11.plala.or.jp [IPv6:2400:7800:0:502e::21]) by mx1.freebsd.org (Postfix) with ESMTP id 4LK0Lh5dQDz4byD for ; Thu, 9 Jun 2022 23:15:24 +0000 (UTC) (envelope-from ish@amail.plala.or.jp) Received: from localhost ([2400:4050:9320:7a00::8]) by msc11.plala.or.jp with ESMTP id <20220609231515.KVBN31769.msc11.plala.or.jp@localhost> for ; Fri, 10 Jun 2022 08:15:15 +0900 Date: Fri, 10 Jun 2022 08:15:07 +0900 (JST) Message-Id: <20220610.081507.1134393150579572029.ish@amail.plala.or.jp> To: freebsd-security@freebsd.org Subject: Is apache24-2.4.54 vulnerable ? From: Masachika ISHIZUKA X-Mailer: Mew version 6.8 on Emacs 28.1 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-VirusScan: Outbound; mvir-ac11; Fri, 10 Jun 2022 08:15:15 +0900 X-Rspamd-Queue-Id: 4LK0Lh5dQDz4byD X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of ish@amail.plala.or.jp designates 2400:7800:0:502e::21 as permitted sender) smtp.mailfrom=ish@amail.plala.or.jp X-Spamd-Result: default: False [0.84 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.99)[-0.985]; FROM_HAS_DN(0.00)[]; MV_CASE(0.50)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000]; DMARC_NA(0.00)[plala.or.jp]; R_SPF_ALLOW(-0.20)[+ip6:2400:7800:0:502e::/60]; MID_CONTAINS_FROM(1.00)[]; NEURAL_SPAM_SHORT(0.52)[0.521]; MLMMJ_DEST(0.00)[freebsd-security]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:4713, ipnet:2400:7800::/32, country:JP]; SUBJECT_ENDS_QUESTION(1.00)[]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N % uname -a FreeBSD peach.ish.org 13.1-RELEASE FreeBSD 13.1-RELEASE releng/13.1-n250148-fc952ac2212 GENERIC amd64 % pkg audit -F vulnxml file up-to-date apache24-2.4.54 is vulnerable: Apache httpd -- Multiple vulnerabilities CVE: CVE-2022-26377 CVE: CVE-2022-28330 CVE: CVE-2022-28614 CVE: CVE-2022-28615 CVE: CVE-2022-29404 CVE: CVE-2022-30522 CVE: CVE-2022-30556 CVE: CVE-2022-31813 WWW: https://vuxml.FreeBSD.org/freebsd/49adfbe5-e7d1-11ec-8fbd-d4c9ef517024.html 1 problem(s) in 1 installed package(s) found. Is this report true for apache24-2.4.54 ? -- Masachika ISHIZUKA From nobody Thu Jun 9 23:51:55 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id C761F8446DA for ; Thu, 9 Jun 2022 23:52:08 +0000 (UTC) (envelope-from moto@kawasaki3.org) Received: from flyingdutchman.kawasaki3.org (EE0475lan5.rev.em-net.ne.jp [124.109.182.21]) by mx1.freebsd.org (Postfix) with ESMTP id 4LK1936rtHz4ps0 for ; Thu, 9 Jun 2022 23:52:07 +0000 (UTC) (envelope-from moto@kawasaki3.org) Received: from localhost (feiyan.kawasaki3.org [192.168.29.73]) by flyingdutchman.kawasaki3.org (Postfix) with ESMTPSA id 1E6FD40ABF; Fri, 10 Jun 2022 08:51:32 +0900 (JST) Date: Fri, 10 Jun 2022 08:51:55 +0900 (JST) Message-Id: <20220610.085155.1636577084047793852.moto@kawasaki3.org> To: ish@amail.plala.or.jp Cc: freebsd-security@freebsd.org Subject: Re: Is apache24-2.4.54 vulnerable ? From: moto kawasaki In-Reply-To: <20220610.081507.1134393150579572029.ish@amail.plala.or.jp> References: <20220610.081507.1134393150579572029.ish@amail.plala.or.jp> X-Mailer: Mew version 6.8 on Emacs 28.1 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: clamav-milter 0.103.3 at flyingdutchman.kawasaki3.org X-Virus-Status: Clean X-Rspamd-Queue-Id: 4LK1936rtHz4ps0 X-Spamd-Bar: + Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of moto@kawasaki3.org designates 124.109.182.21 as permitted sender) smtp.mailfrom=moto@kawasaki3.org X-Spamd-Result: default: False [1.49 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.28)[-0.283]; FROM_HAS_DN(0.00)[]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+ip4:124.109.182.21]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[kawasaki3.org]; NEURAL_SPAM_SHORT(0.48)[0.478]; NEURAL_HAM_LONG(-1.00)[-1.000]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; MID_CONTAINS_FROM(1.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:2516, ipnet:124.109.182.0/23, country:JP]; SUBJECT_ENDS_QUESTION(1.00)[]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N Hi ISHIZUKA san, It seems like true for apache24-2.4.53 and prior, and fixed version is ...2.4.54. See also Apache httpd's Security Reports page: https://httpd.apache.org/security/vulnerabilities_24.html Thanks. -- moto kawasaki on Fri, 10 Jun 2022 08:15:07 +0900 (JST), Masachika ISHIZUKA wrote: > % uname -a > FreeBSD peach.ish.org 13.1-RELEASE FreeBSD 13.1-RELEASE releng/13.1-n250148-fc952ac2212 GENERIC amd64 > % pkg audit -F > vulnxml file up-to-date > apache24-2.4.54 is vulnerable: > Apache httpd -- Multiple vulnerabilities > CVE: CVE-2022-26377 > CVE: CVE-2022-28330 > CVE: CVE-2022-28614 > CVE: CVE-2022-28615 > CVE: CVE-2022-29404 > CVE: CVE-2022-30522 > CVE: CVE-2022-30556 > CVE: CVE-2022-31813 > WWW: https://vuxml.FreeBSD.org/freebsd/49adfbe5-e7d1-11ec-8fbd-d4c9ef517024.html > 1 problem(s) in 1 installed package(s) found. > > Is this report true for apache24-2.4.54 ? > -- > Masachika ISHIZUKA > From nobody Fri Jun 10 00:54:48 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 79C788551E7 for ; Fri, 10 Jun 2022 00:55:03 +0000 (UTC) (envelope-from ish@amail.plala.or.jp) Received: from msc11.plala.or.jp (msc11.plala.or.jp [IPv6:2400:7800:0:502e::21]) by mx1.freebsd.org (Postfix) with ESMTP id 4LK2Yd452wz3Dkd for ; Fri, 10 Jun 2022 00:55:01 +0000 (UTC) (envelope-from ish@amail.plala.or.jp) Received: from localhost ([2400:4050:9320:7a00::8]) by msc11.plala.or.jp with ESMTP id <20220610005457.LCKL31769.msc11.plala.or.jp@localhost> for ; Fri, 10 Jun 2022 09:54:57 +0900 Date: Fri, 10 Jun 2022 09:54:48 +0900 (JST) Message-Id: <20220610.095448.1735421952196505841.ish@amail.plala.or.jp> To: freebsd-security@freebsd.org Subject: Re: Is apache24-2.4.54 vulnerable ? From: Masachika ISHIZUKA In-Reply-To: <20220610.085155.1636577084047793852.moto@kawasaki3.org> References: <20220610.081507.1134393150579572029.ish@amail.plala.or.jp> <20220610.085155.1636577084047793852.moto@kawasaki3.org> X-Mailer: Mew version 6.8 on Emacs 28.1 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-VirusScan: Outbound; mvir-ac11; Fri, 10 Jun 2022 09:54:57 +0900 X-Rspamd-Queue-Id: 4LK2Yd452wz3Dkd X-Spamd-Bar: + Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of ish@amail.plala.or.jp designates 2400:7800:0:502e::21 as permitted sender) smtp.mailfrom=ish@amail.plala.or.jp X-Spamd-Result: default: False [1.06 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.98)[-0.984]; FROM_HAS_DN(0.00)[]; MV_CASE(0.50)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000]; DMARC_NA(0.00)[plala.or.jp]; R_SPF_ALLOW(-0.20)[+ip6:2400:7800:0:502e::/60]; MID_CONTAINS_FROM(1.00)[]; NEURAL_SPAM_SHORT(0.74)[0.741]; MLMMJ_DEST(0.00)[freebsd-security]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:4713, ipnet:2400:7800::/32, country:JP]; SUBJECT_ENDS_QUESTION(1.00)[]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N >> % pkg audit -F >> vulnxml file up-to-date >> apache24-2.4.54 is vulnerable: >> Apache httpd -- Multiple vulnerabilities >> CVE: CVE-2022-26377 >> CVE: CVE-2022-28330 >> CVE: CVE-2022-28614 >> CVE: CVE-2022-28615 >> CVE: CVE-2022-29404 >> CVE: CVE-2022-30522 >> CVE: CVE-2022-30556 >> CVE: CVE-2022-31813 >> WWW: https://vuxml.FreeBSD.org/freebsd/49adfbe5-e7d1-11ec-8fbd-d4c9ef517024.html >> 1 problem(s) in 1 installed package(s) found. > > It seems like true for apache24-2.4.53 and prior, and fixed version is > ...2.4.54. > > See also Apache httpd's Security Reports page: > https://httpd.apache.org/security/vulnerabilities_24.html My question is that apache24-2.4.54 is shown vulnerable on security/vuxml 959028638c9e3236ab91a2d8865fb3893775a28a. vuln-2022.xml: apache24 2.5.54 <------- 2.4.54 ??? ~~~~~~ -- Masachika ISHIZUKA From nobody Fri Jun 10 12:16:15 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 5C95683E221 for ; Fri, 10 Jun 2022 12:16:28 +0000 (UTC) (envelope-from ish@amail.plala.or.jp) Received: from msc11.plala.or.jp (msc11.plala.or.jp [IPv6:2400:7800:0:502e::21]) by mx1.freebsd.org (Postfix) with ESMTP id 4LKKgt4pdSz3qsT for ; Fri, 10 Jun 2022 12:16:26 +0000 (UTC) (envelope-from ish@amail.plala.or.jp) Received: from localhost ([2400:4050:9320:7a00::8]) by msc11.plala.or.jp with ESMTP id <20220610121622.NYJX31769.msc11.plala.or.jp@localhost> for ; Fri, 10 Jun 2022 21:16:22 +0900 Date: Fri, 10 Jun 2022 21:16:15 +0900 (JST) Message-Id: <20220610.211615.2181623761441101839.ish@amail.plala.or.jp> To: freebsd-security@freebsd.org Subject: Re: Is apache24-2.4.54 vulnerable ? From: Masachika ISHIZUKA In-Reply-To: References: <20220610.085155.1636577084047793852.moto@kawasaki3.org> <20220610.095448.1735421952196505841.ish@amail.plala.or.jp> X-Mailer: Mew version 6.8 on Emacs 28.1 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: Text/Plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-VirusScan: Outbound; mvir-ac11; Fri, 10 Jun 2022 21:16:22 +0900 X-Rspamd-Queue-Id: 4LKKgt4pdSz3qsT X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of ish@amail.plala.or.jp designates 2400:7800:0:502e::21 as permitted sender) smtp.mailfrom=ish@amail.plala.or.jp X-Spamd-Result: default: False [-0.62 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-0.999]; FROM_HAS_DN(0.00)[]; MV_CASE(0.50)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-0.99)[-0.988]; DMARC_NA(0.00)[plala.or.jp]; R_SPF_ALLOW(-0.20)[+ip6:2400:7800:0:502e::/60]; NEURAL_HAM_SHORT(-0.94)[-0.935]; MID_CONTAINS_FROM(1.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:4713, ipnet:2400:7800::/32, country:JP]; SUBJECT_ENDS_QUESTION(1.00)[]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N > seems to be tagged so by vulnxml, but all this CVE are addressed and > fixed=A0 by 2.4.54 (https://downloads.apache.org/httpd/CHANGES_2.4.54= ) > = >>>> % pkg audit -F >>>> vulnxml file up-to-date >>>> apache24-2.4.54 is vulnerable: >>>> [snip] >> >> vuln-2022.xml: >> >> >> apache24 >> 2.5.54 <------- 2.4.54 ??? >> ~~~~~~ >> Thank you for reply. vulnxml was fixed by 0bb1abdb20498df239e15e7f9e9eec33e2eec499. -- = Masachika ISHIZUKA From nobody Fri Jun 10 13:20:01 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 5C91085F6A9 for ; Fri, 10 Jun 2022 13:20:09 +0000 (UTC) (envelope-from stephen.wall@redcom.com) Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl0gcc02on2055.outbound.protection.outlook.com [40.107.89.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.protection.outlook.com", Issuer "DigiCert Cloud Services CA-1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LKM5N3tNCz3GbK for ; Fri, 10 Jun 2022 13:20:08 +0000 (UTC) (envelope-from stephen.wall@redcom.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WDok5WRgIy6Yq+gxaGs92JT+XvpcuTbET3lZ+JKXU3sfaT1f0StxY+45oxtUovOYIIu720kc/e5ab/XOef5YXJFIm/C5ys+YxSp852N8s0cPU77fdrXuJ1GwTzL014PgkxlCwHAC2aEIc2p+Bz1/HrfE5ycSjFAUotmLHGzP3I6MWm4jFsd7t9Fnm5oxGEyA3CVLfFiu73oBWv5SKXD2AjD90+PjvFTu3xjihvZK08jNjExSdD+J1Vem1TeC5ZpI/oJu0rIEJvoUt3TWmgVX6V0aGxU6ONA4z0ja3WesIImRIM+8O2Ad0cyk6jGhbIoTzQEM/cfTyFwMXz2XtEkzbw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=sk0Bdb5dAj4gH7dMDbTlhcI4KoTd19MemMVsc32mt4s=; b=jBo60PfrCVNxRyGxcLBM0mJBJhUEPM5ho5INWBgiDmxETZLwnG/CFgDReESaI4+MSb9WgY1vd25RfS3N6NE+GOgQ47JB4ZecsziOnxcm5fPsjw3OZDtt5GCwjxVQabCajN8HLSXiBajkw/ya1gN0IbGi/SEWA+z3x43I/ZtfZUHDMb43X1nbQUoJcJtAAeuOIN5q//sssh3EVlkpjKauXktxFC4pDg0b7v3Uq8glaCMj5EXXo6rROy7m+AJg/o5lZBicOj9gEdC+55yB9KI8t8TozjDpACZMFvYt5Gu4k4WROtD44CUJQWt2SCbmPls2e2QOSaymtp4po1tg8hWY1Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=redcom.com; dmarc=pass action=none header.from=redcom.com; dkim=pass header.d=redcom.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redcomlaboratories.onmicrosoft.com; s=selector1-redcomlaboratories-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sk0Bdb5dAj4gH7dMDbTlhcI4KoTd19MemMVsc32mt4s=; b=EaJUyOOCXNUMwdErY9qiX6kw4/xcwnd1TgOBd1YAX6rcE2fHFLYFlcahTdbZlXHpNRAsTPaaxoiPcCrfEW4Xrhowp+E4Ldl45+/akPuM4dPFe1+id7rQsSLBXQqJ/b+GwsrEOdu7DkX+LWAkNEPYkKnbd5yvkxETBUY9q9ICM6Pj5IIkn2W7C9br/XwskffvVhXDFJuxBx23eY5EVkpRc95yYiXDgnJhMbSHZPqanOpSPAICJKwYQXx8C+dp7ifJ4FwnAjs1wJcggw0ZlaK8vJffbPplcN+ajxoILrgDfhpuuVf0j6kNMOu9Rd3WE/s3VoJC15fjezoex/1Iku1bsg== Received: from MN2PR09MB4667.namprd09.prod.outlook.com (2603:10b6:208:216::16) by BLAPR09MB6532.namprd09.prod.outlook.com (2603:10b6:208:2a6::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5332.13; Fri, 10 Jun 2022 13:20:01 +0000 Received: from MN2PR09MB4667.namprd09.prod.outlook.com ([fe80::1ca4:ca52:3d0c:e474]) by MN2PR09MB4667.namprd09.prod.outlook.com ([fe80::1ca4:ca52:3d0c:e474%7]) with mapi id 15.20.5332.014; Fri, 10 Jun 2022 13:20:01 +0000 From: "Wall, Stephen" To: Masachika ISHIZUKA , "freebsd-security@freebsd.org" Subject: RE: Is apache24-2.4.54 vulnerable ? Thread-Topic: Is apache24-2.4.54 vulnerable ? Thread-Index: AQHYfFbzQK77xHL2AkGVdWaRvSZaRK1Hvx6AgAARkQCAAM/1UA== Date: Fri, 10 Jun 2022 13:20:01 +0000 Message-ID: References: <20220610.081507.1134393150579572029.ish@amail.plala.or.jp> <20220610.085155.1636577084047793852.moto@kawasaki3.org> <20220610.095448.1735421952196505841.ish@amail.plala.or.jp> In-Reply-To: <20220610.095448.1735421952196505841.ish@amail.plala.or.jp> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 1bb789f4-7ddf-4e60-c359-08da4ae3ec96 x-ms-traffictypediagnostic: BLAPR09MB6532:EE_ x-microsoft-antispam-prvs: x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: lYe7dJ7cc4rSqpPRApN8gTUU7DrS74za7IXhMbrh83FsXP1sH4TEsbckVdgmQpbFCzGm60y9sFWKSnYj3z5ifUDzTY7fCykggXBIYGUTDvHeDTSNTuNxtE0f31tD2oMX0ZmiFsHLjUEd7qBTeCQADcOv+tsm3n+h+JfHROP7sS12vAxpn/96OabmP2fLRvmt1jTBtkIiS2CclQVapXQOQeBr3GqPmxXPlhRQof9TMP0nodWideUC8NHbpV0Si1WMtPsADMHvc+4qfg78j/pyjA7CjplPhu0AdLnb8Bgu9gaPEd39YHdxlrsuM0USAOqafH31+g4I7AmkMXJR1zLWPl+ROlHVEcJskien3z+RlbnVpvViqE5e6isfNtFr0tWIuEpdFNR9ujmxkp8DYHZCjYXorXFxFMsjGRaLy157kwLaE5O4LyS1hhfiel4xaq2lTpw1vxUPvFSpYDUN6OySbGQyXyDmlFQpITUyuTB9TNbLyzxuL9qErylILBKDB2/i2/S4U/8EIP/Wj+Be+tBnj6h+UjnQJDn9yPo9IWa59XPc5c7/CLSVDCUXH0ht9bhYSA2U4cQaLAK7Dyhao9QWWrQeONLj5GaNnjf9rqNLjHEDDr7Dzqve7CUqmn7ZeGm/0VVrJ/LG55kX+rdqwXe1lfPh0qHcFsO9BarVYClRp6kqnIkvPN48AC4i4r0JIM0ErIK586sb98aKlwda7HnVBw== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MN2PR09MB4667.namprd09.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(366004)(558084003)(110136005)(71200400001)(38100700002)(86362001)(8936002)(5660300002)(76116006)(508600001)(316002)(8676002)(52536014)(66946007)(26005)(186003)(55016003)(2906002)(38070700005)(33656002)(6506007)(7696005)(64756008)(122000001)(9686003)(66446008)(66476007)(66556008);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?utf-8?B?cHl3Q2NOaE8wbXk2SUhLa3ZwaWJWVXpmY3R3dFgwN1JNNWlOcWlnMmQrbmRG?= =?utf-8?B?Nm15K29EZVRkdlgyK1lVZ1BJZ1gzVDRlVE1TMmd1M09TbndKRTV6V3lRRDdn?= =?utf-8?B?d1Z3V1BEMDJ2TG9kMndFQ2Z6dGpoZTFseGtkWFVYcThGMk16YkltbW9mcGxD?= =?utf-8?B?MWtNaXBxL2dqd1YrMnI3YTNVMGhlUTVTV3Vnb09UTDFkeEE4OVZ4WnFNWk9H?= =?utf-8?B?WkJtY1RyVW42cEhOME1XSGx2QTltY3FJcFdZQ3lybUNuRGlrb3luU0lYblRE?= =?utf-8?B?TFBVQURXeFRhNjBNZ0JTRE9SVTR6UmgraHd0VzFGNUVvTE1tVnZyaFZRQVdW?= =?utf-8?B?S08wTDdEZ2JRdjJMamdMY0xvNFk4ZHBvenllSUJSVUpaTTNrT3FkZVdDNWI5?= =?utf-8?B?OCt0elQwNkpXRUdkblBVcHYyQlpRYWtmYmtPcEFrd2pFMi83NjAwcnl3cHNn?= =?utf-8?B?TVlqQjBqeHo2Ty9iVks1N3IrL291T3pPTEgvT2FrVWVIUlBWS0FpdUVhcmJZ?= =?utf-8?B?TUs4VWV3b2x2akxLZU1CM3p4VDNZZ29VdmZ5YjgrRnNWTTNkU2YySFpSUG5N?= =?utf-8?B?UUs3Sm02TS9PckFHZGhPcGpMeWgwaUlYSjVCWW9KVlI4YmlRVm9LWE5lb3VX?= =?utf-8?B?QVFyaWp5bEpjek9ydEdzOUJ2TlJMYzhuMlhEUEJqUGMzRTcxYkhROEpodUFP?= =?utf-8?B?OGsxRWJJNXNyQWRSclRZcUUvYXhBVHhYTDg5cGZuTFIrR3p5TG9ZZ1g4aWJE?= =?utf-8?B?OFJpdkJTM1RjWXlkZDlJSXJuOFBPdEdNQm1YVnJXVTNMSWNkQW9qaWt4YnNa?= =?utf-8?B?a2R2UTdmMkZnWEVGSU9WVmtSZFh4SUpwY1NqN2RYWGhub1Fxa25KQ1lKMmsy?= =?utf-8?B?aDJNRldmY1J1VmhLYUM0cURZZXUrbWF3S3AzL1kwSlJCcDBsb0NNTVNyUHZP?= =?utf-8?B?OFIrMEc2OEM4SEZqZm9NY25oM3NmbGN3VVF5SFRVUDVqcVZ6WXRqREdta2dF?= =?utf-8?B?WUIxY04xNkJiMUczVTg2RnREOGtBSDR2SmVMUldKL2oydU5vN0NHZnRWQ1Ax?= =?utf-8?B?ejJHSEN2WHFoTWxuTWZhb0NRQkFGZlovM0pGTktLM2oyRUVMQUwzSXRNNFpk?= =?utf-8?B?TVMyZjVPQ1g2dEtVNmFkbFFPSkhpd1hyUXVIMU40RnFLN2JIaFcvTTVkd2V0?= =?utf-8?B?ZzFZUFMwcndLck0wZVFFbGhWc2ZmU29HQUJvNWJBbGFscHNPMFJyZmViY1NN?= =?utf-8?B?TGFXNGZzZ0huYlFHN2xUc25YUTJyUVl3MkZTMUJIVEVCZDlheDMzVStpZ0ll?= =?utf-8?B?Q1pqbWVzd2Fuem0xY2N0blBhZTlPOUNFMUozOER6Z2dIOGhKdXVKWS95M2xv?= =?utf-8?B?aVY4ejdsZDRCWGplTExGOXRpUElZWnUzcVd0RmFwU2JtQkp0L3RoV1BZem1W?= =?utf-8?B?dXdmRmpPV2hIeXlZVlZLYjNwUGg1czl4c0xFNmR0eXRCQVU3YkwrUG5zYkdI?= =?utf-8?B?UzJ5YjM4b1ltMVB1cHVDN252T29IY2h1bXZOYlY1ZFl2aWU4Y3ArOXE1bmZP?= =?utf-8?B?MEoydzgvdnhKZDlYTXkwVkxyT0hHU1dydzlGdk5EKytqc3hKYzhKRC9RYU5q?= =?utf-8?B?bGdnRUZyU285dDAyMkgxUGdGbmlyRFpYai8zbkhhaVA3RDhCWHE1cmxhNEVI?= =?utf-8?B?b29nMVlpSE9yTTEzN0pSbUVCVW9XRitqYmMxaWMyRjkwL2hIb09HcXNZZ2xD?= =?utf-8?B?T0YySWhCSjFHL2dqSkZlMkV4aHRmSlZoUXo4bUZsQW9ScVluVGFMTTNpNGV5?= =?utf-8?B?NUxuWFE4b0RDQmNpaHFyRVFhTlFZK0V4bGxDaHlqVUNMM2pRemc0SElKRjRR?= =?utf-8?B?YXdEQzlia05IbHNFQm9SaXFNVXljT2lnRE9sUGlFMHNkOWNlbzNyRWRuOWpj?= =?utf-8?B?V2hoUW5tdTBCQkp6dGVYWjNzSm9QeElQMytqVzQ4MmRjL3pxWWpaMGM2dXp4?= =?utf-8?B?WWxoWXV3c1o5ME9sOGNYRDRRRDY0SCt0SUpkY1BqQWRsZFovdDVYV2grVTBy?= =?utf-8?B?Q3l5cit2aVJKNGFDelBkb21IVE81Z3lJblovSGFDN1cxK21MMmZITjN5c0Mx?= =?utf-8?B?a3ZhR0MxZC8rZS9HSUsycWRNTEVjbWNiRlZOMUNqeWRZdnRZYUlqNjlyUlBN?= =?utf-8?B?TWZPZTJCbDBxSUlTSHpZVHl3cElLS2xMNVBhazJQVlIzc0loakRvenhjRVVY?= =?utf-8?B?Y29xalZNNldHMlNqNzhZdzJrMTZEZXpsRzVuTFNYZG1VL2haMTRUMlNYUDdK?= =?utf-8?Q?YswA6uzQvhwn3aP1PU?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 X-OriginatorOrg: redcom.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: MN2PR09MB4667.namprd09.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 1bb789f4-7ddf-4e60-c359-08da4ae3ec96 X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jun 2022 13:20:01.3212 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 86200ba5-6348-4d6f-bdd7-96f43e8d9247 X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR09MB6532 X-Rspamd-Queue-Id: 4LKM5N3tNCz3GbK X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=pass header.d=redcomlaboratories.onmicrosoft.com header.s=selector1-redcomlaboratories-onmicrosoft-com header.b=EaJUyOOC; arc=pass ("microsoft.com:s=arcselector9901:i=1"); dmarc=none; spf=pass (mx1.freebsd.org: domain of stephen.wall@redcom.com designates 40.107.89.55 as permitted sender) smtp.mailfrom=stephen.wall@redcom.com X-Spamd-Result: default: False [-0.72 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[redcomlaboratories.onmicrosoft.com:s=selector1-redcomlaboratories-onmicrosoft-com]; RWL_MAILSPIKE_POSSIBLE(0.00)[40.107.89.55:from]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:40.107.0.0/16]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[redcom.com]; MIME_BASE64_TEXT_BOGUS(1.00)[]; NEURAL_SPAM_SHORT(0.68)[0.677]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[redcomlaboratories.onmicrosoft.com:+]; MIME_BASE64_TEXT(0.10)[]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[40.107.89.55:from]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; SUBJECT_ENDS_QUESTION(1.00)[]; ASN(0.00)[asn:8075, ipnet:40.104.0.0/14, country:US]; RCVD_TLS_LAST(0.00)[]; ARC_ALLOW(-1.00)[microsoft.com:s=arcselector9901:i=1] X-ThisMailContainsUnwantedMimeParts: N PiB2dWxuLTIwMjIueG1sOg0KPiAgIDxhZmZlY3RzPg0KPiAgICAgPHBhY2thZ2U+DQo+ICAgICA8 bmFtZT5hcGFjaGUyNDwvbmFtZT4NCj4gICAgIDxyYW5nZT48bHQ+Mi41LjU0PC9sdD48L3Jhbmdl PiAgIDwtLS0tLS0tIDIuNC41NCA/Pz8NCj4gICAgIDwvcGFja2FnZT4gfn5+fn5+DQo+ICAgPC9h ZmZlY3RzPg0KPiAtLQ0KPiBNYXNhY2hpa2EgSVNISVpVS0ENCg0KYDxsdD5gIGluZGljYXRlcyBp dCBhZmZlY3RzIHZlcnNpb25zIGxlc3MgdGhhbiAyLjUuNTQuDQoNCg0KLXNwdw0K From nobody Fri Jun 10 14:36:16 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 9A61083B646 for ; Fri, 10 Jun 2022 14:36:25 +0000 (UTC) (envelope-from pblok@bsd4all.org) Received: from mail.bsd4all.org (mail.bsd4all.org [88.99.169.216]) by mx1.freebsd.org (Postfix) with ESMTP id 4LKNnN50K6z3jKc for ; Fri, 10 Jun 2022 14:36:24 +0000 (UTC) (envelope-from pblok@bsd4all.org) Received: from mail.bsd4all.org (localhost [127.0.0.1]) by mail.bsd4all.org (Postfix) with ESMTP id F037A581A; Fri, 10 Jun 2022 16:36:19 +0200 (CEST) X-Virus-Scanned: amavisd-new at bsd4all.org Received: from mail.bsd4all.org ([127.0.0.1]) by mail.bsd4all.org (mail.bsd4all.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ab4WQjF_ZUCa; Fri, 10 Jun 2022 16:36:19 +0200 (CEST) Received: from [192.168.34.65] (pony_ip [136.143.2.230]) by mail.bsd4all.org (Postfix) with ESMTPSA id 0DA5A5818; Fri, 10 Jun 2022 16:36:18 +0200 (CEST) Content-Type: text/plain; charset=us-ascii List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\)) Subject: Re: Is apache24-2.4.54 vulnerable ? From: Peter Blok In-Reply-To: Date: Fri, 10 Jun 2022 16:36:16 +0200 Cc: Masachika ISHIZUKA , "freebsd-security@freebsd.org" Content-Transfer-Encoding: quoted-printable Message-Id: <9CA37653-27D5-4A27-A5D2-9E47287B345E@bsd4all.org> References: <20220610.081507.1134393150579572029.ish@amail.plala.or.jp> <20220610.085155.1636577084047793852.moto@kawasaki3.org> <20220610.095448.1735421952196505841.ish@amail.plala.or.jp> To: "Wall, Stephen" X-Mailer: Apple Mail (2.3608.120.23.2.7) X-Rspamd-Queue-Id: 4LKNnN50K6z3jKc X-Spamd-Bar: ++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of pblok@bsd4all.org designates 88.99.169.216 as permitted sender) smtp.mailfrom=pblok@bsd4all.org X-Spamd-Result: default: False [2.10 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[bsd4all.org]; NEURAL_HAM_LONG(-1.00)[-1.000]; TO_DN_SOME(0.00)[]; NEURAL_SPAM_MEDIUM(0.80)[0.797]; RCVD_COUNT_THREE(0.00)[4]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_SPAM_SHORT(1.00)[1.000]; MLMMJ_DEST(0.00)[freebsd-security]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:88.99.0.0/16, country:DE]; SUBJECT_ENDS_QUESTION(1.00)[]; MID_RHS_MATCH_FROM(0.00)[] X-ThisMailContainsUnwantedMimeParts: N I think the question is this a typo in the vuln-2022.xml, because the = changelog shows the CVE are fixed in 2.4.54 > On 10 Jun 2022, at 15:20, Wall, Stephen = wrote: >=20 >> vuln-2022.xml: >> >> >> apache24 >> 2.5.54 <------- 2.4.54 ??? >> ~~~~~~ >> >> -- >> Masachika ISHIZUKA >=20 > `` indicates it affects versions less than 2.5.54. >=20 >=20 > -spw From nobody Fri Jun 10 17:23:20 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 68A06833BCA for ; Fri, 10 Jun 2022 17:23:29 +0000 (UTC) (envelope-from joneum@FreeBSD.org) Received: from toco-domains.de (mail.toco-domains.de [176.9.100.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4LKSV83SRYz4dWq for ; Fri, 10 Jun 2022 17:23:28 +0000 (UTC) (envelope-from joneum@FreeBSD.org) Received: from [192.168.188.77] (p57993354.dip0.t-ipconnect.de [87.153.51.84]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by toco-domains.de (Postfix) with ESMTPSA id C1EAF8A0A8; Fri, 10 Jun 2022 19:23:20 +0200 (CEST) Message-ID: Date: Fri, 10 Jun 2022 19:23:20 +0200 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.10.0 Subject: Re: Is apache24-2.4.54 vulnerable ? Content-Language: de-DE To: Peter Blok , "Wall, Stephen" Cc: Masachika ISHIZUKA , "freebsd-security@freebsd.org" References: <20220610.081507.1134393150579572029.ish@amail.plala.or.jp> <20220610.085155.1636577084047793852.moto@kawasaki3.org> <20220610.095448.1735421952196505841.ish@amail.plala.or.jp> <9CA37653-27D5-4A27-A5D2-9E47287B345E@bsd4all.org> From: Jochen Neumeister In-Reply-To: <9CA37653-27D5-4A27-A5D2-9E47287B345E@bsd4all.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 4LKSV83SRYz4dWq X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=softfail (mx1.freebsd.org: 176.9.100.27 is neither permitted nor denied by domain of joneum@FreeBSD.org) smtp.mailfrom=joneum@FreeBSD.org X-Spamd-Result: default: False [-2.10 / 15.00]; ARC_NA(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; FREEFALL_USER(0.00)[joneum]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; TO_DN_SOME(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; MIME_GOOD(-0.10)[text/plain]; SUBJECT_ENDS_QUESTION(1.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; R_SPF_SOFTFAIL(0.00)[~all:c]; DMARC_NA(0.00)[FreeBSD.org]; NEURAL_HAM_LONG(-1.00)[-1.000]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-0.998]; NEURAL_HAM_MEDIUM(-1.00)[-0.999]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2]; ASN(0.00)[asn:24940, ipnet:176.9.0.0/16, country:DE]; RCVD_TLS_ALL(0.00)[]; RECEIVED_SPAMHAUS_PBL(0.00)[87.153.51.84:received] X-ThisMailContainsUnwantedMimeParts: N Am 10.06.22 um 16:36 schrieb Peter Blok: > I think the question is this a typo in the vuln-2022.xml, because the changelog shows the CVE are fixed in 2.4.54 See: https://cgit.freebsd.org/ports/commit/?id=0bb1abdb20498df239e15e7f9e9eec33e2eec499 > > > >> On 10 Jun 2022, at 15:20, Wall, Stephen wrote: >> >>> vuln-2022.xml: >>> >>> >>> apache24 >>> 2.5.54 <------- 2.4.54 ??? >>> ~~~~~~ >>> >>> -- >>> Masachika ISHIZUKA >> `` indicates it affects versions less than 2.5.54. >> >> >> -spw > From nobody Thu Jun 16 07:51:56 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id DB7E185AFA2 for ; Thu, 16 Jun 2022 07:53:05 +0000 (UTC) (envelope-from Weike.Chen@Dell.com) Received: from mx0b-00154904.pphosted.com (mx0b-00154904.pphosted.com [148.163.137.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4LNvYD3KYNz3Gd6 for ; Thu, 16 Jun 2022 07:53:01 +0000 (UTC) (envelope-from Weike.Chen@Dell.com) Received: from pps.filterd (m0170398.ppops.net [127.0.0.1]) by mx0b-00154904.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25FM0ebC004325 for ; Thu, 16 Jun 2022 03:53:00 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dell.com; h=from : to : subject : date : message-id : content-type : mime-version; s=smtpout1; bh=zcg+C7Ch8+R9S2znL+Ab/gcchn2PJ87R4NTaQOk5FRw=; b=gGtJ+fUY/KQmWu9f79CgxxjZgx7sKlKYQTZ858RNXRVYNlwAmQz4P/TeKUiLL/jZnRbu rlyxe7SdY9Die7ZqY3G6ubdeuMHryheNQkGbZ7Kqxtu/OILa3b+ukCYa35eGMN5UNTzT VYyxLs3R1hLZOiXnnm9Fe2vs8gxZxSZ0tz6C4Bb7VztS44N4tOf6m7mSeUPKtePPmq3e Ts//a8l9Dc12VBfgVe+Vv96pcHVb4EWsTFIuQDLKDEUoBlK2Xqzr2F/n8XB8bWPSDAS6 ihecaHoS4AOd+PPf/qzYAczSO+LSyOnHkTqRaRghToi5NGt6Os3ac02vk/v5PB+cc7Yp 8w== Received: from mx0a-00154901.pphosted.com (mx0a-00154901.pphosted.com [67.231.149.39]) by mx0b-00154904.pphosted.com (PPS) with ESMTPS id 3gqcxx4ybv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 16 Jun 2022 03:53:00 -0400 Received: from pps.filterd (m0134746.ppops.net [127.0.0.1]) by mx0a-00154901.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25G4jD3n030731 for ; Thu, 16 Jun 2022 03:52:59 -0400 Received: from nam11-dm6-obe.outbound.protection.outlook.com (mail-dm6nam11lp2168.outbound.protection.outlook.com [104.47.57.168]) by mx0a-00154901.pphosted.com (PPS) with ESMTPS id 3gqws2jap2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Thu, 16 Jun 2022 03:52:59 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PONp69quaq2iJkZudRSisZqk0MvLGsmTY0uaUCjt98OcR891+v1kfhT4K34hfQ6rADHoDB1YBXerYiVLED8c55csD2mLTJFR3jNfSjxvhlNDlymMlIXxghw9+Oe/8KGnw9dGbtc8vDgh0i7rvTDTQpZsmoSrqJzA2/vu7ifYnDjK+VNM7C5KwsM2FGHYrKo+4b6Egyys1+lyJPQfzG7vMLRRKLzUPlPw/blPfyfPsuE3pnuxzUs6PLidMasJJDcjubBZQJrsFzd+48Kmf44Ql07xEG/MYD0RLiWKp1TqsI6kNXKxYFGQXmT/xfWjkad6hMmyA/0WKhzRS4zTXe959g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=zcg+C7Ch8+R9S2znL+Ab/gcchn2PJ87R4NTaQOk5FRw=; b=B5pEF9U4pZsbjSPeVLihl5Ttm6Z0QOepNFKypUILfrqLR2oIl+3zfWUOUXBGEYRJshHc2nVyfv09JadkYwFuV3jXyGm7jYpOqjdkxv1b/KWpkPla9sWXdjs/BHPYhZQIdU24IXWSdt7OScMnme4Pn8qmb68bbIP+DF+Kq7mBUPurY53VM0IgEewS6xxORjllf/niFnCBoLh1Gzs7GAE+pB5hHnWpv2hKp+bVLUyF3Myx/x55ETEtN1WMwS30C0R06IS+cMm+JXk7G0bz7zDNojDNnYnXUFA3YmWtrLaE+6CvXlQI/kCwH3Z+ta1S46p3G+CgY6D3ykCqY4deq5IHQw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=dell.com; dmarc=pass action=none header.from=dell.com; dkim=pass header.d=dell.com; arc=none Received: from PH0PR19MB4938.namprd19.prod.outlook.com (2603:10b6:510:94::9) by CH2PR19MB3605.namprd19.prod.outlook.com (2603:10b6:610:40::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5353.15; Thu, 16 Jun 2022 07:51:56 +0000 Received: from PH0PR19MB4938.namprd19.prod.outlook.com ([fe80::c11f:9b25:ff5f:6803]) by PH0PR19MB4938.namprd19.prod.outlook.com ([fe80::c11f:9b25:ff5f:6803%3]) with mapi id 15.20.5353.014; Thu, 16 Jun 2022 07:51:56 +0000 From: "Chen, Alvin W" To: "freebsd-security@FreeBSD.org" Subject: Intel CPU CVE Issue: CVE-2022-21166/CVE-2022-21125/CVE-2022-21123 Thread-Topic: Intel CPU CVE Issue: CVE-2022-21166/CVE-2022-21125/CVE-2022-21123 Thread-Index: AdiBVdM9/KAA2uYYQ5+23q5kxmwC2Q== Date: Thu, 16 Jun 2022 07:51:56 +0000 Message-ID: Accept-Language: zh-CN, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: msip_labels: MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Enabled=true; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_SetDate=2022-06-16T07:51:53Z; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Method=Standard; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Name=No Protection (Label Only) - Internal Use; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_SiteId=945c199a-83a2-4e80-9f8c-5a91be5752dd; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_ActionId=b45230e0-af7c-4ac6-a29a-9e67642b3b0b; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_ContentBits=2 x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 4af24572-3fbe-4ef5-35ac-08da4f6d162c x-ms-traffictypediagnostic: CH2PR19MB3605:EE_ x-microsoft-antispam-prvs: x-exotenant: 2khUwGVqB6N9v58KS13ncyUmMJd8q4 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 38RG8QinJ8DC/n69LGsjMzLQf/Xe81sKPj353z9mDXyW/PeD2N8J6+t7l+1cP5aBXatcxMdM0CwZD4clP0UhC6I38t34FyMBQ2EdM37jO2Gk5hyLpJ0gWB49WQy/AImQcboMO1ZfEJDRbMx6OW6zc+1SMg/MpOrfkGyfofqD5XqMPUfGE/xKZA9uJwl41Hscg7BkoMMiHXhhe0QJnTpZAs9EmB0o/fw45kgTFHTinRCtCD7BZzty4asmBN3BN6fmxFnkVdlrCbiV6MZCJmcqjx6G9ttQJNJqTNEu7h8hLBYV/lczBXM3ZB/of0nsgtt3DxGjgY/S9chPR3U0hQAi0rGObwkMdHVplqlaQEvFIkzbvdbp+jPRfU6xWb7UOVQeXJosf2X31R088oS2tu+D4KPlfagYPk9waPpCjcD2hM1/82861gFxjmN19kupWbge6m3sTPQQfmXVwdH3ElfNtPHzb8BVLjvirPVmUkEMrAhGUsHs5qVDxpTSZXSr1tyyS6ZNxIwmP2GDWjHSSXM1IKEXpAut3jJdD5k0F/lF2/kSjB6z66KMXchB4TGNqwpxaF+2+GVn19U7pLCsv+aLu5Kwe8aTgln9Y3gvviuml7eSmDlT6N8DnqXygD3zPK5PVp1MuhRmXG/413s5PP3pOrYEHdLaA0lykBhywcYjSpNKWgEQ8CqOkAo79Hi3e6rndss/gzDmjzfpFPKXuvDzrw== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR19MB4938.namprd19.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230016)(4636009)(366004)(76116006)(66476007)(66446008)(64756008)(8676002)(66946007)(186003)(66556008)(71200400001)(508600001)(6916009)(33656002)(8936002)(52536014)(316002)(558084003)(786003)(82960400001)(122000001)(2906002)(5660300002)(9686003)(6506007)(55016003)(38100700002)(26005)(7696005)(86362001)(38070700005);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?a9QqqO4bdRHidXy+QnyvSmA4uVboWcDUKPNya4IqCfQJvuutYQJANOHEB5tf?= =?us-ascii?Q?xouWPatW5waXPgvkeK1jUDdWVkc3B9mV35mPZkqw02zqlRT05V5gGMYFrDdX?= =?us-ascii?Q?GZmu+t+Ub1LwErEgFdkFuiGKEq7V0A6DRIa6699J+LFbBZRDUMuCBkMf2FnR?= =?us-ascii?Q?TZX7VQCvlPBFD5PW/vudcl+TE2hVBbZkuq+V9AtDoIf9BgDsasf/NxPvOxGD?= =?us-ascii?Q?ZiaDk8ycN1/WiQYNBM3eI7RuAhTeHh7uIbAKS2ye8MRXKNnyZMZI+gV6Iiwx?= =?us-ascii?Q?ZHM5lY76L/IRCQPD5q0lBM9hGV0vt3I+FLHsRrsVLa2ZsIgGvhZ3YXP3K4Bl?= =?us-ascii?Q?VzjQSirhvxzvM/pk1TuGDsGxyZoE0h4N7lAZ4SdhsvZqubEGkkEhvru2MBku?= =?us-ascii?Q?nO28RZzBRHrRQtEx4d/z8RKwme+4U8emW28dpbQH2EO+T5EJY4s5cJbpRtp5?= =?us-ascii?Q?1GSLT5hYd0Z2hfRWlISUq/xurfeyh+YlJa3wyNmyitZoH0te5uBRBqEgqb8U?= =?us-ascii?Q?LcGG7EcjdQ/6vIJY6Uh0T2cK0B7xQqH5IxT6qEEa18JVd/xCBa5b+Z5Yu43Z?= =?us-ascii?Q?0i7C2nMDo7BNnI6LJv3xknCVo8sDF36ItquWUzvwtIhpf54Jia23ywaQcyMG?= =?us-ascii?Q?z601rjavyMd8NE6litlvNnc+O60FSJWiiS+eKoi9YiyMD6Y5I7bdnA72DHBT?= =?us-ascii?Q?Qkt+mtAMyDW/kYwEGNs3l9YcBPpwgPhtzf912gKULh85Y0lkH7rc9JPHQxeP?= =?us-ascii?Q?ho0zWUHcSXrSmmhH6yflrP4hl3WbH+/EybRzUuzINYYtTTt75ZQ3olpLJ77c?= =?us-ascii?Q?Ld37TmaJ70LHoXMck5q+uKngposlmbXaUrfUOaBe0FSaoEu4pVog/ml1Xk0A?= =?us-ascii?Q?D1dtEspreucLh4XVrJZ1bjEvzOHgLazv2OOtvCIKCfbLQrDlzytQk2YUfaQt?= =?us-ascii?Q?s3ohEtJuslcZTEzF+zo58hmM6VM1Wcjd9mFIRovCcGHiXomWJTes2Q0v2a7z?= =?us-ascii?Q?XgCd8K1PCNqPB+4XTtMjvyGoPqJ9vOYOqSQ6a0x+Wydlwfpd719UCDPBpfcK?= =?us-ascii?Q?nMHuETtnQ3ZHb15IkA/JRp910agE473zd0g3bgaMppt/wX+2eWN2nxQ3Yaem?= =?us-ascii?Q?l8qxLMAjrlw+vWroKFDeh1/wr15sF+OsGhhYd8Jn8F5+rUHRDNxoxeEip53B?= =?us-ascii?Q?VvSDDN6Iws1S2AzPmCp9k9zhQoh1s2Cmhz3ahQbeIVDKi9hTnhc35maFM9Fm?= =?us-ascii?Q?bkWTaFsKMaeX8I58hB7ueAslmSfzIG+2ejBTp3MKDVjhNQ9OYHzejdgyuo5/?= =?us-ascii?Q?ZP9vNvc3DTXZc0JzTcVQYodDd2SkTrxRHJpWtueOwURRYoroWXD3qO1Mp6VD?= =?us-ascii?Q?euKV/VmUV+ZACLy2IQXxi/Td0yIS10JOcM+Ai2LczpCKQF1kmLmnI5DPkAm7?= =?us-ascii?Q?WFPnDC67M2irjU/iXNa1dCBNsxcdQ6+1+Mxxeshi+1lKtPmrTDrCcP+eYOge?= =?us-ascii?Q?er1xj9KNp046EjoDBIdaqqeFhj5jVxhc8VIpfmP0l2upsc68sZNV+Ej+SJf8?= =?us-ascii?Q?siwXhy466h8wI4/iW+qQxF9NWkgOT/eoh7GErZR4xgBfl5HHWQSEFsAaOltZ?= =?us-ascii?Q?wlnNWy1+gCL56PBdw948FwBATux6puHIUaqQdFOaYeFX5P65JEG4iSHeP2/3?= =?us-ascii?Q?bjBQ4oK8UYEvQ+6vzKVSf7hqugHDi3c/LX4r0xJWEGgRpCXsAo0H5QVtxZoX?= =?us-ascii?Q?IMlmVJHOkg=3D=3D?= Content-Type: multipart/alternative; boundary="_000_PH0PR19MB49384EE776F9B4B73BDDCB719EAC9PH0PR19MB4938namp_" List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 X-OriginatorOrg: Dell.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR19MB4938.namprd19.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 4af24572-3fbe-4ef5-35ac-08da4f6d162c X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jun 2022 07:51:56.8215 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 945c199a-83a2-4e80-9f8c-5a91be5752dd X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: RrMWFCNrdo+tjc8sU/HgaCFqUQ2VGEu8XBhoAFEy9p08+0gM6G0HJgc6nMb0qehYpWgPhdUxOjMM9Oqt6lU6RQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR19MB3605 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.874,Hydra:6.0.517,FMLib:17.11.64.514 definitions=2022-06-16_04,2022-06-15_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1011 mlxscore=0 lowpriorityscore=0 suspectscore=0 adultscore=0 priorityscore=1501 spamscore=0 bulkscore=0 phishscore=0 impostorscore=0 malwarescore=0 mlxlogscore=493 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206160029 X-Proofpoint-ORIG-GUID: YdttdvED6z33VI4tmvilDSwiQS-ASfRb X-Proofpoint-GUID: YdttdvED6z33VI4tmvilDSwiQS-ASfRb X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 phishscore=0 mlxscore=0 spamscore=0 adultscore=0 mlxlogscore=611 malwarescore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206160030 X-Rspamd-Queue-Id: 4LNvYD3KYNz3Gd6 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org; dkim=pass header.d=dell.com header.s=smtpout1 header.b=gGtJ+fUY; arc=reject ("signature check failed: fail, {[1] = sig:microsoft.com:reject}"); dmarc=pass (policy=none) header.from=Dell.com; spf=pass (mx1.freebsd.org: domain of Weike.Chen@Dell.com designates 148.163.137.20 as permitted sender) smtp.mailfrom=Weike.Chen@Dell.com X-Spamd-Result: default: False [-6.10 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[dell.com:s=smtpout1]; WHITELIST_SPF_DKIM(-3.00)[dell.com:d:+,Dell.com:s:+]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:148.163.137.20]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; NEURAL_HAM_LONG(-1.00)[-1.000]; RCPT_COUNT_ONE(0.00)[1]; ARC_REJECT(2.00)[signature check failed: fail, {[1] = sig:microsoft.com:reject}]; DWL_DNSWL_LOW(-1.00)[dell.com:dkim]; RWL_MAILSPIKE_POSSIBLE(0.00)[148.163.137.20:from]; DKIM_TRACE(0.00)[dell.com:+]; DMARC_POLICY_ALLOW(-0.50)[Dell.com,none]; RCVD_IN_DNSWL_NONE(0.00)[104.47.57.168:received]; NEURAL_HAM_SHORT(-1.00)[-1.000]; TO_DN_EQ_ADDR_ALL(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:22843, ipnet:148.163.137.0/24, country:US]; RCVD_COUNT_SEVEN(0.00)[7]; RCVD_IN_DNSWL_LOW(-0.10)[67.231.149.39:received] X-ThisMailContainsUnwantedMimeParts: N --_000_PH0PR19MB49384EE776F9B4B73BDDCB719EAC9PH0PR19MB4938namp_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi community, Are there any fixes available to fix this Intel CPU CVE issues on FreeBSD? Regards, Alvin Chen Dell | Comercial Client Group office +86-10-82862506, fax +86-10-82861554, Dell Lync 8672506 weike_chen@d= ell.com Internal Use - Confidential --_000_PH0PR19MB49384EE776F9B4B73BDDCB719EAC9PH0PR19MB4938namp_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi community,

Are there any fixes available to fix this Intel CPU = CVE issues on FreeBSD?

 

 

 

Regards,

Alvin Chen

Dell | Comercial Client Group

office +86-10-82862506, fax +86-10-82861554, Dell Ly= nc 8672506 weike_= chen@dell.com

 


Internal Use - Con= fidential

--_000_PH0PR19MB49384EE776F9B4B73BDDCB719EAC9PH0PR19MB4938namp_-- From nobody Thu Jun 16 09:23:06 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 5FA4683B8A4 for ; Thu, 16 Jun 2022 09:23:19 +0000 (UTC) (envelope-from codeblue@inbox.lv) Received: from shark2.inbox.lv (shark2.inbox.lv [194.152.32.82]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4LNxYL1pdzz3lSW for ; Thu, 16 Jun 2022 09:23:18 +0000 (UTC) (envelope-from codeblue@inbox.lv) Received: from shark2.inbox.lv (localhost [127.0.0.1]) by shark2-out.inbox.lv (Postfix) with ESMTP id 0C069C00E1 for ; Thu, 16 Jun 2022 12:23:10 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=inbox.lv; s=p20220324; t=1655371390; x=1655373190; bh=wfsHfXMlh89JV/SmBcmGMyaczl0/fFCujaWdKHPN7hw=; h=Message-ID:Date:Subject:To:References:From:In-Reply-To: Content-Type:X-ESPOL:From:Date:To:Cc:Message-ID:Subject:Reply-To; b=InpqSRShoeJwYW35KLBRSQoQESoxXNaSAJycoOj+j+GPCjFsOxG9dq/LwpmNvANJs zFvCbTr/JZZxbuDy9kjlt41KpT15Gcz5eQcsJowO0RQB9HJSAmNy9BVEXlUFARqhyZ 7Cu1AVXD69f4fcUvjHw92LkRuswP093sj3t3LnAA= Received: from localhost (localhost [127.0.0.1]) by shark2-in.inbox.lv (Postfix) with ESMTP id 027E0C00C9 for ; Thu, 16 Jun 2022 12:23:10 +0300 (EEST) Received: from shark2.inbox.lv ([127.0.0.1]) by localhost (shark2.inbox.lv [127.0.0.1]) (spamfilter, port 35) with ESMTP id xnJ91L8sH0OB for ; Thu, 16 Jun 2022 12:23:09 +0300 (EEST) Received: from mail.inbox.lv (pop1 [127.0.0.1]) by shark2-in.inbox.lv (Postfix) with ESMTP id D23EAC00D2 for ; Thu, 16 Jun 2022 12:23:09 +0300 (EEST) Message-ID: Date: Thu, 16 Jun 2022 09:23:06 +0000 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1 Subject: Re: Intel CPU CVE Issue: CVE-2022-21166/CVE-2022-21125/CVE-2022-21123 Content-Language: en-US To: freebsd-security@freebsd.org References: From: John Long In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: OK X-ESPOL: G4mEQ3EYh3hOvt68LoRy5uf4tai+FgVjoVSJw85a9RAtu7LCt951cm6WE4Pze3G0c38= X-Rspamd-Queue-Id: 4LNxYL1pdzz3lSW X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=inbox.lv header.s=p20220324 header.b=InpqSRSh; dmarc=pass (policy=quarantine) header.from=inbox.lv; spf=pass (mx1.freebsd.org: domain of codeblue@inbox.lv designates 194.152.32.82 as permitted sender) smtp.mailfrom=codeblue@inbox.lv X-Spamd-Result: default: False [-4.10 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; RCVD_COUNT_FIVE(0.00)[5]; R_DKIM_ALLOW(-0.20)[inbox.lv:s=p20220324]; FROM_HAS_DN(0.00)[]; DWL_DNSWL_NONE(0.00)[inbox.lv:dkim]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:194.152.32.82]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000]; DKIM_TRACE(0.00)[inbox.lv:+]; DMARC_POLICY_ALLOW(-0.50)[inbox.lv,quarantine]; NEURAL_HAM_SHORT(-1.00)[-0.997]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:12993, ipnet:194.152.32.0/23, country:LV]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_IN_DNSWL_LOW(-0.10)[194.152.32.82:from] X-ThisMailContainsUnwantedMimeParts: N Does Intel fund OS and application level mitigations of their never-ending failure to design or implement anything properly? It's hard to understand why the victims should pay... /jl On 16-Jun-22 07:51, Chen, Alvin W wrote: > Hi community, > > Are there any fixes available to fix this Intel CPU CVE issues on FreeBSD? > > Regards, > > Alvin Chen > > Dell | Comercial Client Group > > office +86-10-82862506, fax +86-10-82861554, Dell Lync 8672506 > weike_chen@dell.com > > > Internal Use - Confidential > From nobody Thu Jun 16 09:57:53 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 100C684238C for ; Thu, 16 Jun 2022 09:57:59 +0000 (UTC) (envelope-from Weike.Chen@Dell.com) Received: from mx0b-00154904.pphosted.com (mx0b-00154904.pphosted.com [148.163.137.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4LNyKK6x74z3r9f for ; Thu, 16 Jun 2022 09:57:57 +0000 (UTC) (envelope-from Weike.Chen@Dell.com) Received: from pps.filterd (m0170398.ppops.net [127.0.0.1]) by mx0b-00154904.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25G8MZXG004264; Thu, 16 Jun 2022 05:57:57 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dell.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=smtpout1; bh=WKzo+VMbF4KBPi7WQxJiUdzyzni5IdFShGRHJXiHTu8=; b=H5b/RRFixCTuAGXEWLEy4MD1Ga6Nopk40AnemPOILyJbSS0a4Ont/6sG47KuVe9IrjtI 0tdkQQHfncCE77npoueLU8cso3Uai6Exz1bUPf63w7PhhlO+uvJnNOWCIKZMyCV3rzrr zNqcmQvHD83GYQ45kGGemJqdJIhEMxaRQNhZpI5ZbNYnk6Y2ljm9Ye4q0hr2tz/fnwdk kpTn80EKRr1uxcrnERu8eCDk9TTRJo1uzA1MSQ2Ebte393y/HhsS1McQjcjXtE/uba9Z tLplDLpdjndBz8ZiCuSzxuZlSYvp/+c395amxB4wO/eD36IXGzMMdjRKw/1wXsOPcS8B SA== Received: from mx0b-00154901.pphosted.com (mx0a-00154901.pphosted.com [67.231.149.39]) by mx0b-00154904.pphosted.com (PPS) with ESMTPS id 3gqcxx5exp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 16 Jun 2022 05:57:57 -0400 Received: from pps.filterd (m0090350.ppops.net [127.0.0.1]) by mx0b-00154901.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25G8xQ3v028907; Thu, 16 Jun 2022 05:57:56 -0400 Received: from nam12-mw2-obe.outbound.protection.outlook.com (mail-mw2nam12lp2049.outbound.protection.outlook.com [104.47.66.49]) by mx0b-00154901.pphosted.com (PPS) with ESMTPS id 3gqb8h5nma-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 16 Jun 2022 05:57:55 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NjPAEp6bbIjnyU+OL3yZHHRRNUBzam8bOiUgRF19bE5B6wkvUAinvdFmCg0+tffmrrkwdFE3cdQ4ATjlLLUSuxlxM3L/+FragkBZCJGP0rHnWy553SQxlpkQko2ktIZ1cW9NhfmbzEcdd7GC/9yFB9MP8snZ4jJ4ABPxJvKhbEG2O4LnMcB4gEky1muZYx4SSXErL6DGlpXbqUygPMTeeo9vxuHLVBXsgB8y+uELhnbgQnDb5aXLYrQ894hBOzwRkUOJ9oTSStAOMThBtbLzwyfXVCai/S/GPaQbzzIHR5gAo32vt/PFmxuh96PV5sAHzhDqcGgYXPQwEAYdXo5diQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WKzo+VMbF4KBPi7WQxJiUdzyzni5IdFShGRHJXiHTu8=; b=TXA+O53MysgHWNEiI9UplmyN5u3k3bAS6w0UXZ5GE4T+bWTOnolZBpOrA/Y6dMYYZH7jGOdstYVbVmC8m1GX9pV5wJIOz1598bsZ+XbZB1ZHvyeFZV/U3DhrG/+3HLP6zMABhVf7M8bF+TfRPI23zTY5kZks7e5fWNGnzCNjCFCwkkjRdaBhsiRvDAFKfm8nQClMI3FjSfhJu2ef5O1vb4wX3VtvGh+hg+TW5mOVraBPqxCd7Xp0WHIOiecRK79ogT63NenX1ucCv3nJWdsnSGd3+JvXpRfH/6clqWQkD45PB3BGJy13FjNsfKd3Za43ZvtxlPaDdBBRp4dKsSiscQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=dell.com; dmarc=pass action=none header.from=dell.com; dkim=pass header.d=dell.com; arc=none Received: from PH0PR19MB4938.namprd19.prod.outlook.com (2603:10b6:510:94::9) by DM5PR1901MB2069.namprd19.prod.outlook.com (2603:10b6:4:a5::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5353.14; Thu, 16 Jun 2022 09:57:53 +0000 Received: from PH0PR19MB4938.namprd19.prod.outlook.com ([fe80::c11f:9b25:ff5f:6803]) by PH0PR19MB4938.namprd19.prod.outlook.com ([fe80::c11f:9b25:ff5f:6803%3]) with mapi id 15.20.5353.014; Thu, 16 Jun 2022 09:57:53 +0000 From: "Chen, Alvin W" To: John Long , "freebsd-security@freebsd.org" Subject: RE: Intel CPU CVE Issue: CVE-2022-21166/CVE-2022-21125/CVE-2022-21123 Thread-Topic: Intel CPU CVE Issue: CVE-2022-21166/CVE-2022-21125/CVE-2022-21123 Thread-Index: AdiBVdM9/KAA2uYYQ5+23q5kxmwC2QADNxYAAAEKNhA= Date: Thu, 16 Jun 2022 09:57:53 +0000 Message-ID: References: In-Reply-To: Accept-Language: zh-CN, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: msip_labels: MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Enabled=true; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_SetDate=2022-06-16T09:57:50Z; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Method=Standard; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Name=No Protection (Label Only) - Internal Use; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_SiteId=945c199a-83a2-4e80-9f8c-5a91be5752dd; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_ActionId=cc1f74aa-7247-4920-88ee-4096d867cc71; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_ContentBits=2 x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 5ad250c6-cb0c-4855-0a97-08da4f7eae7a x-ms-traffictypediagnostic: DM5PR1901MB2069:EE_ x-microsoft-antispam-prvs: x-exotenant: 2khUwGVqB6N9v58KS13ncyUmMJd8q4 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: Sk15UvNhLyEus8NJfsKXbnk2TsndbcT4RJ9JkX3mLvISteOpQVwBr0wtG4Ywerd/q8MVSV13fqEflkgEoFV2Pwu8XahaLMh8mBeZt9mgQnvELF59Z/5gv+NCE74vgx9b11B0J+VFcqdANc2BIufr8Fgu/fOKdWbPJTtusMFq/mC9otZeHlpMNqG75csNdX4U7jZl+NkwE4s0GtNFUGcvLHm6ZZph8cR6LE8+/ecW0LxUF6jG2Vw6h9Lm8Nk8d95K4ny+qqSjQQRWVVNaMJ/Cl80+p6pn4bxue+hIdryXwLzWmCQHlIdpML5hQFhDU+KyJ8ODuNO6E6S0/gxxrFwwmtkXGNyFrBzACvQe9QemxcRwnb0RSP0kGNwH8NfFnqrqsGu9o7FkxwmITozKID73p49BcpKO5bfrz83h8c/Yv538rHV37qXR4xWLMFQJj06uanmnkUHlhDY43oaBfxSJ/XxdFLDiND/CTzK2ghhr618ImTJ6N3XNdoJDlQSfdzbRc5bGjTSgyySuxR1PSRf7mA4Ji3a/YOi+buTdVcezGb+KHeTkVF1ncZLvb0B+zQLsM/GPpV2fsrwiJykT/FWxPnbr9bw/8iJlWq4Goj9csqALRnLDanTf6SuIGLvHENBquLHxKEjvR7ahsRgoyG13RYiQYinT3/nHhelWB7F48vpNg5bdIoY60pJgEwdlRHsGeU5wtr1oYiZ59b7lD+NfcUw3OYpYu+ZHr3859k4HCKrxnNNmjkfUCKTtG1D7dJHhucsk4j8zSrQRQA6yQiu7fpV3FjvhqKw5tFr6RIJzoGk= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR19MB4938.namprd19.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230016)(4636009)(366004)(38100700002)(186003)(86362001)(66446008)(66476007)(66556008)(76116006)(64756008)(110136005)(316002)(66946007)(71200400001)(38070700005)(8676002)(786003)(82960400001)(9686003)(53546011)(5660300002)(508600001)(122000001)(966005)(52536014)(26005)(8936002)(33656002)(83380400001)(55016003)(4744005)(7696005)(6506007)(2906002);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?utf-8?B?TWtuRHFTSjc3aUtGYXlGWktmWFYyVlZzSUxTYTU1OXoxbEdZeElGY2c3Q3pq?= =?utf-8?B?SFdnNTlDSExhN1NNaE85MlBlUGxtTU1SeWRYMlZReGJTRlJERnlMaGxQSEw3?= =?utf-8?B?anYvbTFDazZTbDhwaUFzeXROUUo5Ti9KSVVxY3laVFhKeVlxTmVzYXh4clZw?= =?utf-8?B?NFN6a2hvck5uN3d6bi9GeDZzV3B0ekVyYXhoK2pvOWNhNXJVU0RPRXVHdTAy?= =?utf-8?B?eFh5UFBLOFY2ZVcwMEVQM2ZlM0xPdUxhZ0d4ZVJsZHdkd2lybWhNWE0wWWNp?= =?utf-8?B?M1oybm8vN1pPWGRSSG52RXR4bFpvM0lYVUhDY1pnMGZvWUhCd2g4MURqWWpT?= =?utf-8?B?MitGY3o4ZDd0elhhTThtUnZwL2xwUnV2SE5nbE45aDV6aHBHZlNYZzEyTExh?= =?utf-8?B?OGNVcUtTVStxNGlUcmkvWHg5NG9QMmhQaXdPNnF5U1FGclZ2N3RlM0ZEMVF4?= =?utf-8?B?WVNCT21OUkNhVVVWelFFWmg1NWNMd1BLWDF5M3dSUXdDT1l4NDdvYzlCZFg1?= =?utf-8?B?eTd0MW5KYmtjS3h4ZjRySFFBY1NBSUNUTTBhdG1MQitTdGhwa2JBZjVXU3Fo?= =?utf-8?B?elhhNStONFR4TUk1RHFtRUlFWjNybkV0T3BsM3ZvRUVDYjRra042bmRFMGdP?= =?utf-8?B?aU9DQmVrNW9nWWVsUEVYaFBGS1h1RDRtbkRvdnlnd0NwZjNnUlp6SFd6czJI?= =?utf-8?B?ZktjcGxueDRKcDZOTmFLcUhoZnBXOFIwak1wMktOcG5NZzdMaXgydHNUS2ov?= =?utf-8?B?dXFudUdPZjBqMkJDb25tSWZIM01PU1NGamlTbEhncko5NGNMSGV5VDdyWjZm?= =?utf-8?B?ME9BVnpzdTZvUFJwdTJQNmpoV2pROGMvUUJsRVBaaldnSW1jdTNrTWtOdGEy?= =?utf-8?B?dVlsSFRmTm53TnZVaitLVlVRLzJTQ001TWRHYndqeE04UzVwakdTVEdsSExE?= =?utf-8?B?TVMyK0l0Nm9UQ2pCOFNnV2FKcGM4RGxSVTN1WTVCMzFTVUhPYllPMnlSMUVu?= =?utf-8?B?NG9TVTFuOG5wZkxHTENyalNtUjVaVURMWUM2NjJMOTdRcVp0WDRiMTUvOTdN?= =?utf-8?B?dlFTSVlOeThRLzZuazlyT0dDSTlCNzdFVGw0SUs3aENlUHFxVklVUW4wSzZ1?= =?utf-8?B?M3RHZmVldERFWFlPVDhtVmd4cFVFdStDRnlLMkVFK251a1R5SG5sejh5RjRn?= =?utf-8?B?L2xqb3FGVkRieU90dUxEU0ZCc0FvTXc2UTJWTlVaSWg5RzFtVW9XaGxNU1JD?= =?utf-8?B?S2o3Z2VLeDdGbHc3TjB1bkVVVDdSQ0NJUFplNEIyVms2R01lSGxmYUV2bDI2?= =?utf-8?B?Mi9kOXNFbGFxUWp6SjhpbGZ0b2pVVENuN2I5WWt4R3BYRklrSXFoM0RPeloz?= =?utf-8?B?QVhrQzEyOGdWbGh1S2RMRTgwKzNLZERkbzJydnhURkNiVmJVWE9kaDZRcGpY?= =?utf-8?B?RzQ4ZUQ2OUpZa2V0MTJQeWo0NzJlb1lrbXFzMWFkdmcyNFAzZ1h1bzIza0E4?= =?utf-8?B?dFVSd3RENTlPNHpiY0ZXaUk0a0ZBNzVkekZQSFpvc2JHN3ZLQUhmaCsyNGxi?= =?utf-8?B?R0I3MXgrbFlUd1JYSFZJaDdjeWJqV0JPZm12N1Y3TmxyZ21nbTlCM0E0SG0z?= =?utf-8?B?MlgwTUxtL3dHallkZTZVQ3I4ZUF2b0FmSkU2aWc5V2ZrSWdBUEdzVmVuend3?= =?utf-8?B?UFRlUFFCamJKdnErUWpTRG54Ni9sbldualZRNGREWUN5OWh0TnpPdmpKdjN0?= =?utf-8?B?ZCtaWkRoZmlJd0Z3ZEdqb3dKNUZ3NVk3SWpuaDlISVUyTXZoc3V5K2tNQUtm?= =?utf-8?B?eEsxNDE1M0VHR0xyMFpEbU5melV5RmdabFpObm1IRDZXRk5venJJa1UxRlZ3?= =?utf-8?B?TGhhK0hiTU8yMk9GeWl2Z1FBSi81VGhzNGFDczltcDdDbWlhakQ4ZDZuRWZz?= =?utf-8?B?U0paMmQ2QXZUckRLL2Z4Yi9JOE9Bc3JtRCt6bWl6c2dhT2pIVExHRUlOUVBl?= =?utf-8?B?SXZralVmenRyS2lGMEF4R2JGVDVuY1hUdGJWeEZhYUlMTmh3RkYwaVVWUlJN?= =?utf-8?B?NWlGV3A5MXh4S3lQWElNcGVEVGtkTEtPQkkxeE1HQ1MzL0hsVnlUWXFNWnlH?= =?utf-8?B?VTZxbldFMWNhMlVRbnMzV3VMeFBXZmhCSDVJKzdLUTUxNFhjT3RwOXh0ZVlk?= =?utf-8?B?UFozc0tOTitkUUZkUEdEZGpSeTFyRGJzZFV2MVRpbHB5a1JLcVViYnNEVlNt?= =?utf-8?B?bWtmTldBRkVtYVpnK3d6S2xHTUJxYnl6c3BGN003Q25rMHRyU2drRVRCdlVs?= =?utf-8?B?VE4xWmUxU0IzanluUk9TZnlGTStXc2tqUWkwcXNUa01aYW9RYlQ0UT09?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 X-OriginatorOrg: Dell.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR19MB4938.namprd19.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 5ad250c6-cb0c-4855-0a97-08da4f7eae7a X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jun 2022 09:57:53.7741 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 945c199a-83a2-4e80-9f8c-5a91be5752dd X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: u8Ng69np4VMpL4yPl+HCIt62b0z4rGOa0mkFhlue0C6VpiJoyPiyqovFIgpnWPrP4yY6R1k7QWWn2M8mfVpmWg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR1901MB2069 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.874,Hydra:6.0.517,FMLib:17.11.64.514 definitions=2022-06-16_06,2022-06-15_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1011 malwarescore=0 suspectscore=0 adultscore=0 spamscore=0 priorityscore=1501 mlxlogscore=634 phishscore=0 mlxscore=0 bulkscore=0 impostorscore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206160039 X-Proofpoint-ORIG-GUID: fBt5rsRKsbgzZvzJPEMfLXOQERtlWyBH X-Proofpoint-GUID: fBt5rsRKsbgzZvzJPEMfLXOQERtlWyBH X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 phishscore=0 mlxscore=0 spamscore=0 adultscore=0 mlxlogscore=763 malwarescore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206160039 X-Rspamd-Queue-Id: 4LNyKK6x74z3r9f X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=dell.com header.s=smtpout1 header.b="H5b/RRFi"; arc=reject ("signature check failed: fail, {[1] = sig:microsoft.com:reject}"); dmarc=pass (policy=none) header.from=Dell.com; spf=pass (mx1.freebsd.org: domain of Weike.Chen@Dell.com designates 148.163.137.20 as permitted sender) smtp.mailfrom=Weike.Chen@Dell.com X-Spamd-Result: default: False [-4.79 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:148.163.137.20]; MIME_BASE64_TEXT_BOGUS(1.00)[]; ARC_REJECT(2.00)[signature check failed: fail, {[1] = sig:microsoft.com:reject}]; DKIM_TRACE(0.00)[dell.com:+]; MIME_BASE64_TEXT(0.10)[]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_HAM_SHORT(-0.79)[-0.789]; DMARC_POLICY_ALLOW(-0.50)[Dell.com,none]; RCVD_IN_DNSWL_LOW(-0.10)[67.231.149.39:received]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:22843, ipnet:148.163.137.0/24, country:US]; RCVD_TLS_LAST(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[dell.com:s=smtpout1]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; DWL_DNSWL_LOW(-1.00)[dell.com:dkim]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[104.47.66.49:received]; MLMMJ_DEST(0.00)[freebsd-security]; RWL_MAILSPIKE_POSSIBLE(0.00)[148.163.137.20:from]; WHITELIST_SPF_DKIM(-3.00)[dell.com:d:+,Dell.com:s:+]; RCVD_COUNT_SEVEN(0.00)[7] X-ThisMailContainsUnwantedMimeParts: N SW50ZWwgcHJvdmlkZXMgdGhlIG1pZ3JhdGlvbiBndWlkZWxpbmUsIHBsZWFzZSByZWZlciB0byA6 IGh0dHBzOi8vd3d3LmludGVsLmNvbS9jb250ZW50L3d3dy91cy9lbi9kZXZlbG9wZXIvYXJ0aWNs ZXMvdGVjaG5pY2FsL3NvZnR3YXJlLXNlY3VyaXR5LWd1aWRhbmNlL3RlY2huaWNhbC1kb2N1bWVu dGF0aW9uL3Byb2Nlc3Nvci1tbWlvLXN0YWxlLWRhdGEtdnVsbmVyYWJpbGl0aWVzLmh0bWwNCiBJ dCBsb29rcyBsaWtlIExpbnV4IChVYnVudHUmUmVoYXQmU3VzZSkgYW5kIFdpbmRvdyBhcmUgcmVh ZHkuDQoNCj4gDQo+IA0KPiBbRVhURVJOQUwgRU1BSUxdDQo+IA0KPiBEb2VzIEludGVsIGZ1bmQg T1MgYW5kIGFwcGxpY2F0aW9uIGxldmVsIG1pdGlnYXRpb25zIG9mIHRoZWlyIG5ldmVyLWVuZGlu Zw0KPiBmYWlsdXJlIHRvIGRlc2lnbiBvciBpbXBsZW1lbnQgYW55dGhpbmcgcHJvcGVybHk/DQo+ IA0KPiBJdCdzIGhhcmQgdG8gdW5kZXJzdGFuZCB3aHkgdGhlIHZpY3RpbXMgc2hvdWxkIHBheS4u Lg0KPiANCj4gL2psDQo+IA0KPiBPbiAxNi1KdW4tMjIgMDc6NTEsIENoZW4sIEFsdmluIFcgd3Jv dGU6DQo+ID4gSGkgY29tbXVuaXR5LA0KPiA+DQo+ID4gQXJlIHRoZXJlIGFueSBmaXhlcyBhdmFp bGFibGUgdG8gZml4IHRoaXMgSW50ZWwgQ1BVIENWRSBpc3N1ZXMgb24gRnJlZUJTRD8NCj4gPg0K PiA+IFJlZ2FyZHMsDQo+ID4NCg0KDQpJbnRlcm5hbCBVc2UgLSBDb25maWRlbnRpYWwNCg== From nobody Thu Jun 16 10:25:19 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 237E0846BD2 for ; Thu, 16 Jun 2022 10:25:32 +0000 (UTC) (envelope-from codeblue@inbox.lv) Received: from shark3.inbox.lv (shark3.inbox.lv [194.152.32.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4LNyx70fyCz3vvQ for ; Thu, 16 Jun 2022 10:25:30 +0000 (UTC) (envelope-from codeblue@inbox.lv) Received: from shark3.inbox.lv (localhost [127.0.0.1]) by shark3-out.inbox.lv (Postfix) with ESMTP id 9C18C280138 for ; Thu, 16 Jun 2022 13:25:23 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=inbox.lv; s=p20220324; t=1655375123; x=1655376923; bh=+nIosUabi3URs1djsYoKo+KAiBl8LzJxlN7tCA5r514=; h=Message-ID:Date:Subject:To:References:From:In-Reply-To: Content-Type:X-ESPOL:From:Date:To:Cc:Message-ID:Subject:Reply-To; b=T/9i4miMpAmNDFJumyvC44bpwB8PvPRm6d9O59Y8VPX/k/SoMNHwcEuoozuFQg0p0 njO9KfxUuJvK7tf21xDhiDFGaP+3RbYirkbe0R/QyjhhTLvB2fzrp5gGTxrJSy0HQ6 SYs9EMtITUmkQX/xk2vJJgFbemICOaFbtVpzb8lE= Received: from localhost (localhost [127.0.0.1]) by shark3-in.inbox.lv (Postfix) with ESMTP id 99A5A280135 for ; Thu, 16 Jun 2022 13:25:23 +0300 (EEST) Received: from shark3.inbox.lv ([127.0.0.1]) by localhost (shark3.inbox.lv [127.0.0.1]) (spamfilter, port 35) with ESMTP id mHcXfnUcCFQm for ; Thu, 16 Jun 2022 13:25:23 +0300 (EEST) Received: from mail.inbox.lv (pop1 [127.0.0.1]) by shark3-in.inbox.lv (Postfix) with ESMTP id 0660728012F for ; Thu, 16 Jun 2022 13:25:23 +0300 (EEST) Message-ID: <90e55cbc-a0f7-7220-3759-e05dee2daaf9@inbox.lv> Date: Thu, 16 Jun 2022 10:25:19 +0000 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1 Subject: Re: Intel CPU CVE Issue: CVE-2022-21166/CVE-2022-21125/CVE-2022-21123 Content-Language: en-US To: "freebsd-security@freebsd.org" References: From: John Long In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: OK X-ESPOL: AJqEQ2V/7XRHu8S+K4Zt5Ovj2q/TW1sruDn7xrsu63dZqLLFr60GfRz/B/eRFELmMn8= X-Rspamd-Queue-Id: 4LNyx70fyCz3vvQ X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=inbox.lv header.s=p20220324 header.b="T/9i4miM"; dmarc=pass (policy=quarantine) header.from=inbox.lv; spf=pass (mx1.freebsd.org: domain of codeblue@inbox.lv designates 194.152.32.83 as permitted sender) smtp.mailfrom=codeblue@inbox.lv X-Spamd-Result: default: False [-4.10 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[inbox.lv:s=p20220324]; RCVD_COUNT_FIVE(0.00)[5]; FROM_HAS_DN(0.00)[]; DWL_DNSWL_NONE(0.00)[inbox.lv:dkim]; R_SPF_ALLOW(-0.20)[+ip4:194.152.32.83:c]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; NEURAL_HAM_LONG(-1.00)[-1.000]; RCPT_COUNT_ONE(0.00)[1]; DKIM_TRACE(0.00)[inbox.lv:+]; DMARC_POLICY_ALLOW(-0.50)[inbox.lv,quarantine]; NEURAL_HAM_SHORT(-1.00)[-1.000]; TO_DN_EQ_ADDR_ALL(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:12993, ipnet:194.152.32.0/23, country:LV]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_IN_DNSWL_LOW(-0.10)[194.152.32.83:from] X-ThisMailContainsUnwantedMimeParts: N 1st of all, my comment was because of your post but was not directed at you. Sorry if that was unclear. 2nd of all, great that they give advice. Not so great that people have to actually do the work. This costs everybody *besides Intel* a lot of money and there is no end in sight. How about if Intel gives refunds to people afflicted by their defective products and pays remediation costs to software projects similarly afflicted? Maybe that would give them incentive to do a better job with the junk they're selling. /jl On 16-Jun-22 09:57, Chen, Alvin W wrote: > Intel provides the migration guideline, please refer to : https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html > It looks like Linux (Ubuntu&Rehat&Suse) and Window are ready. > >> >> >> [EXTERNAL EMAIL] >> >> Does Intel fund OS and application level mitigations of their never-ending >> failure to design or implement anything properly? >> >> It's hard to understand why the victims should pay... >> >> /jl >> >> On 16-Jun-22 07:51, Chen, Alvin W wrote: >>> Hi community, >>> >>> Are there any fixes available to fix this Intel CPU CVE issues on FreeBSD? >>> >>> Regards, >>> > > > Internal Use - Confidential From nobody Thu Jun 16 10:43:11 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id C414B8529B3 for ; Thu, 16 Jun 2022 10:43:16 +0000 (UTC) (envelope-from Weike.Chen@Dell.com) Received: from mx0a-00154904.pphosted.com (mx0a-00154904.pphosted.com [148.163.133.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4LNzKb2cSJz4T85 for ; Thu, 16 Jun 2022 10:43:15 +0000 (UTC) (envelope-from Weike.Chen@Dell.com) Received: from pps.filterd (m0170391.ppops.net [127.0.0.1]) by mx0a-00154904.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25G83qmB011303; Thu, 16 Jun 2022 06:43:14 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dell.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=smtpout1; bh=e+Lceyke4Qib4B8UJIEXVqgsX8A1CG08xZFU+kv747E=; b=fZyZm4SCY8VOXYj0LJkkMvUAB9b/ImTq3zE9vH7qMZf5evgFYs2jN2KCSZfesspk/zXB UAEhPflK4xuP+RxcFOY6MbpfTN+ZmGSr2kz/MlEW+wLXl6CowriY3iXaM+MK1IUcqtVR Mg7LCzm+MrGlUn4AwK0SgyfVewoHgD0wT8tJ/msoiSGOQsAYD6RrvoMkQovQQ9bFhHcc 5weJ9IwAX36vuq8rUIR67E2vh9WCqO5YDizertLRiM2QtFh6/+B/HDd072rTfCS2lI/Q cM9IaR5eptnhUVVgcNgpweMbkJ4Qk1Ff3Sn24t7CZ778Y4bSlXSiaZrD5LAnhgkMQv3Z jg== Received: from mx0b-00154901.pphosted.com (mx0a-00154901.pphosted.com [67.231.149.39]) by mx0a-00154904.pphosted.com (PPS) with ESMTPS id 3gmp70dgge-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 16 Jun 2022 06:43:14 -0400 Received: from pps.filterd (m0090350.ppops.net [127.0.0.1]) by mx0b-00154901.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25GAQe5w010424; Thu, 16 Jun 2022 06:43:13 -0400 Received: from nam10-dm6-obe.outbound.protection.outlook.com (mail-dm6nam10lp2103.outbound.protection.outlook.com [104.47.58.103]) by mx0b-00154901.pphosted.com (PPS) with ESMTPS id 3gqb8h6901-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 16 Jun 2022 06:43:13 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=blRh0ZFoxcKydS0HBWVKUYNOyfgYmZOpeNxvwtPq0zLhQqnNP+2dgSmV5qvqV6RQpKtrLZSJ6GmNOaW/RIlEZAe/ThZ5yPX0zPpVvlqA/bvQ75184AD5NaiAlq5vWFb5ZFrYqd7tcOdeI5CGPlFHLBLh52cvNJdGn4mnayNF632mD2BkYmQkHH3luOwpKh95RzPn4uSF5MtAqraUnUY84XdaSc3NGeU35GIu5kuCMLI694rVrjNJZnBgpKJ7VrARyNSAiTC44IPL6vd28WUAKgtRV3j++5VcapxcJbMXWQQWLzXdH7AYocNIRgDtT4il+wRylElsiUgwOsYI/ao9kA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=e+Lceyke4Qib4B8UJIEXVqgsX8A1CG08xZFU+kv747E=; b=nKDcuvskvziXYtcWz+nE18nnesCm5HSdj1VI9g680BagS6See4bQvevbsRasqANTPqPU/+6NPUYGl7lBgKPFr/ePvXbhpYjTpZcpfsa76w+S2fkY1c5AwkM6z5lAVJg9oS3bw2fPzbzBqJQoXUpqnAl0TxuRKK9trReqPs9/ZyC8Qq9JqSi/2UJXxBi0jPnw+3k2cJnyH1yyF6Wyc2Jt9K/uEtJhCnJAJhSAJ3oBYkxyVmvy//xcg0YbjAKI2pBGDqKJ+DbO3K8Jqy/FGqR65npQ7ZUIf77gtwbzQuRQWQF6cavxsVJ7pXTZuPrncjYycYNKsgsGyXy0cxhOyTzLqA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=dell.com; dmarc=pass action=none header.from=dell.com; dkim=pass header.d=dell.com; arc=none Received: from CO1PR19MB4934.namprd19.prod.outlook.com (2603:10b6:303:f9::7) by DS7PR19MB4536.namprd19.prod.outlook.com (2603:10b6:5:2d1::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5353.15; Thu, 16 Jun 2022 10:43:11 +0000 Received: from CO1PR19MB4934.namprd19.prod.outlook.com ([fe80::a4bb:e6c7:cf98:4dab]) by CO1PR19MB4934.namprd19.prod.outlook.com ([fe80::a4bb:e6c7:cf98:4dab%9]) with mapi id 15.20.5353.013; Thu, 16 Jun 2022 10:43:11 +0000 From: "Chen, Alvin W" To: John Long , "freebsd-security@freebsd.org" Subject: RE: Intel CPU CVE Issue: CVE-2022-21166/CVE-2022-21125/CVE-2022-21123 Thread-Topic: Intel CPU CVE Issue: CVE-2022-21166/CVE-2022-21125/CVE-2022-21123 Thread-Index: AdiBVdM9/KAA2uYYQ5+23q5kxmwC2QADNxYAAAEKNhAAASIMgAAAJCRQ Date: Thu, 16 Jun 2022 10:43:11 +0000 Message-ID: References: <90e55cbc-a0f7-7220-3759-e05dee2daaf9@inbox.lv> In-Reply-To: <90e55cbc-a0f7-7220-3759-e05dee2daaf9@inbox.lv> Accept-Language: zh-CN, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: msip_labels: MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Enabled=true; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_SetDate=2022-06-16T10:43:08Z; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Method=Standard; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Name=No Protection (Label Only) - Internal Use; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_SiteId=945c199a-83a2-4e80-9f8c-5a91be5752dd; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_ActionId=e60da6e2-81b5-4cff-9322-aff69adb6c70; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_ContentBits=2 x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: b1a1fe74-17d1-4fe1-bae7-08da4f850217 x-ms-traffictypediagnostic: DS7PR19MB4536:EE_ x-microsoft-antispam-prvs: x-exotenant: 2khUwGVqB6N9v58KS13ncyUmMJd8q4 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: Ef3Z3io1X3IQl0eQ1q7eUQiPrzVYerAk7n3hTdARCD2YZ4pw/iop6nK0oKB5RfuF9bIuJ+gnnAof3OtGLVGZ1FMnUGL+g2ntOw9T6D/TbdT0uCHgYS0r1zCIIZFFf8xAeVrvM5MWm4DkmiZhSqeBoQx6e+GP9HqN99+ZbzKjXrv/ghKjelGJCpW8OvZCZCE80/pp28KdVwGTo8lVaJYaISzmrOITRzUmSCMtAdukox0Iw4haqf3r8PytjCLjqf9N5KyGbEvlvcG/05o00f/hLulmFrXHdiDJeFy8vzY92S+WMcqHJGGR8UKh8+nkF09zo6mXW0mN1YLSTPBL6V8McqdpSDkJTwBuJDk3MpVm26MeVCBYPwJ0fzWuJjwqPO8YJiGc+lCwR8/OouxKX18mYCdB/XJt7TXOR+bEC6Eq55K8yZdsa0ZAB6RskleDrM6V2LcxGBT8uJV4ddwc9KZj6wXyjk6YL9YoyHM4yjoJCJJGAbqb860mCbIVwlqNH4Lxa+rQH10WAqFkWgG9mjG3Zpck6W3FdhTdGBfzK2ZL9myIET/uSUUGnzmh0AU5omlA6sy+V8uSIzpNpowYVxlSIU4dJGvSZ6PNPqvvJ+t6iUAJK9NH1eMTaUKv8RY5vz4fzIZVuiebS77dUEgEzXNh6ojkTVGcLfCb1ZH5T9KoEGNpR77j20v4g0x2peN/ZPunU1R5UyOaO2o0ggYz+0Ryr7LcOGSArMUgHk1QO1vt8zpXWl3HcCrkmzs6El7RLbqZGyeixTVvZuM6YyCV4aNEnapKmYC4cwZ0PwpOYlxFNQY= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CO1PR19MB4934.namprd19.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230016)(4636009)(366004)(82960400001)(38100700002)(55016003)(86362001)(186003)(83380400001)(316002)(66556008)(786003)(66446008)(110136005)(71200400001)(66946007)(64756008)(76116006)(8676002)(5660300002)(966005)(52536014)(66476007)(7696005)(38070700005)(53546011)(26005)(9686003)(6506007)(122000001)(33656002)(508600001)(8936002)(2906002);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?utf-8?B?YW9aQndNa2R0b0c5dW9jZ1dybHZXcldOWDN1cHhTY0JJNzJQNEttTkxmRy9E?= =?utf-8?B?Skd2ZVRPb1gvOE1NMzBoM2lyeGNVeVgzNU8yaEhPZUNDQ0FEZWdSU2RaL1V0?= =?utf-8?B?eHRtRGRLZHlORnBXbWlqT285dnIyRU9kT2dwL2NtRW8xc3ErQldhU3pjZktQ?= =?utf-8?B?YkxGVlpwcDF0UWZUa2lVL3NoRnFmS3lvcWt5b1A3YWpTeGdDK2JHbk40aHpp?= =?utf-8?B?YWozTHpzZk9KcG1Mdm00ZngzQlhuZ3dDQXczNEgzdG9kMHR6aWVDZ1NxWWRR?= =?utf-8?B?UCsyc2NGbEk2UzhVL3JYelJoYUZwanZpRm02cS9IZUpHUmhCQzBjTGNHRXBz?= =?utf-8?B?VE1xWHZKV1kwWW14dHFIOCs0Sittc2N3anpuWlJCZ284VVFVbGwwQWtQZ2Rs?= =?utf-8?B?TzJTMU0zTEh6OUY1T2FWa1p1bVFmOGtTUmFWa0JobTFmdUFTaU9SMGRFbnVr?= =?utf-8?B?bzhKMlNTeUlERnY3M25jMEtLVjBOV3ltbGJsVmp4Tk9rbGNNS0xiRDFCTG1P?= =?utf-8?B?L1pTVGovMXhiZm9ScWg1SEtmc0lCVkxXVEw3Wmc3Z1FIOHB2eUZMd3NadUdP?= =?utf-8?B?dnQ2dEdCdmNqZ1Y0ZVpBeEs5R2dzSHhqS3ZSWE9nWjUrdElDaTQ4K3N1bE9W?= =?utf-8?B?QzNCVHN0YVVtMWNSSit1TWRDRVgyTzgrR2l2UFdpZ1JjSnlLL3lyajZhVmpn?= =?utf-8?B?eGtadzBlMEI2eU1KZHYyT3pTME54QXVmTmRYRStPUEFqQzZ1VjNUd21ZRmJN?= =?utf-8?B?YkFMTDRFSjl2M0pPdUFjNWRJYmxwM1ZhVnlKYlFqRkJJWHhiWjlzVXgvVGVF?= =?utf-8?B?VDE1bG5nMlZONnpraFBCNWgzRStLa3BFOTdwamcweUZvOU1FRUJuYzJPVUdy?= =?utf-8?B?QVo4NEhCT0ozMmZKY0tMMTRDYUxNbkQ3WGhmTGxUanhpaTh1SllyeGYrY1lN?= =?utf-8?B?QW9pSmNBSzhZYjNUL0N2R3NjUWVFZG5YbnRiWGhma2hsSURjWDdtUjZCUXJm?= =?utf-8?B?UmcyMHlyemZ3YXhPMFJob1hLM1pyemt3MGJpYnJ3bTlScWxzandzOS9jVVVq?= =?utf-8?B?N3l3ZlRkcHIxZjF6bXlvTG5LNmRPZnhmSWJYNU5ndW9VWXQwSEFOZzJHNk1E?= =?utf-8?B?TG5zeFlxbkpDRmRTM2xDeHdhd0RGV3ZOTTJxWXBwdG0xa3pXSGdRdFlVRjBV?= =?utf-8?B?Tk9HaEtCSWs0am5IZ3h2bkU4aWR0N3ZwTGp5Z2g1ZWdqdzVrMFI1cFVKRENz?= =?utf-8?B?NitlT2JDTkVJdE5SRENPRGpHR295d1hWTFByZndTTlJhdkQ5TFoxOUVQeUkw?= =?utf-8?B?Q1Zwa0FsT2JJODJPN3BqcFFPeXc1eHNoazdjWVFSNGVORFdnYndYZjF0VXVI?= =?utf-8?B?cHB1d0crUjlyLytuS1NVUGxDaEJjQTA0eHZhQUU3UHRsUzRKUllDVFRtMml2?= =?utf-8?B?amF5NGJaVTFEaHBYTUUwTEUzejRMYXJjNXNGZlM1Z2V6S1NoUjgySXhkMEhM?= =?utf-8?B?MWdEYVZ5WU5TTkZWWndXcWhtb1JjVUhOc2h0SGJ5WURJcEx6dWxpN2NlYURq?= =?utf-8?B?Mkx4UzFqTmRMTjV3bFJHR21WRUVLWlJSOFdubm1RaEk0RE8xTUpZTVE0ZFhS?= =?utf-8?B?YkRlTW4yNVJuUlk5bEhJck9UNTMwSHpaY3A3YkZMd0tCL3B4V1duN2gxREtJ?= =?utf-8?B?SHdrVmg2OHNjVXM5WGN2TjgvalVIVzBkRkc2NU80NEc2aFl1cmdvTmMyYmJm?= =?utf-8?B?enJNaGdBMzF1UTdDd01JOWVoWjFPc3RDQjVmSVM3NjdGMmdiOWN1aytSQmx3?= =?utf-8?B?QU1EbHZXRnpKcmNOTXBSZGM3YmxIK0QrN2Q0d1VrK1ZPVnZYUVJ0cFY5N200?= =?utf-8?B?cHRHeTQ2M2tpbFovYmVqcVVoeGNnT283bURYZ00zTTczaEp3Vk9LSEdxZUVh?= =?utf-8?B?RDVQazYzZ29vYmMrSSs3Mkw3OStDeElHNXY2ZXMwcWFpdVNIeWFUV0lhV090?= =?utf-8?B?ODBaL3Y0VEVFQkNvQTVlRWJYMEdlN3RuL2JGK3Z1YkIzQTNxTlluUXhmTmFZ?= =?utf-8?B?ZU92OS9wVjErWFdjWUtVei9scE1mK3JGTElRZXZXN0RpMGI5OW5XU0lhbXBj?= =?utf-8?B?WkZxNUZFaCtMZ2VqVjhOaVNkbzhPY2pzczBTd2hGUnlJbndyaDJ1WnRCaDJ5?= =?utf-8?B?Ym1oTFdOWDJVMGgrVmpTbXBIeVVuc3B4VUkrMW1WUm4rVlV6bVVCY0tYeFpw?= =?utf-8?B?SjdUTXFYTyt5SzIyVEQ4UDhZT1JuQWtIYlEyY0srV2hiR2l4N2VUK1JmZWtY?= =?utf-8?B?dzdLSVQvUGVORFdVcVhxVEc3QWptRW9VTWRWSUhtZktLeE5BMEQ5Zz09?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 X-OriginatorOrg: Dell.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: CO1PR19MB4934.namprd19.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: b1a1fe74-17d1-4fe1-bae7-08da4f850217 X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jun 2022 10:43:11.0232 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 945c199a-83a2-4e80-9f8c-5a91be5752dd X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: ztZzlcRp20ukYZ/p02H3+WB42fKrOdZxf+X7sxbqzP4HEM94UpDFTa9IKUEJ2jucJcEpeAr7sbYB7Ofou4QRTg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS7PR19MB4536 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.874,Hydra:6.0.517,FMLib:17.11.64.514 definitions=2022-06-16_06,2022-06-16_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 malwarescore=0 suspectscore=0 adultscore=0 spamscore=0 priorityscore=1501 mlxlogscore=823 phishscore=0 mlxscore=0 bulkscore=0 impostorscore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206160042 X-Proofpoint-GUID: 6yFpVOkw9S-M7CZ7Z_dg12utG3CLH20o X-Proofpoint-ORIG-GUID: 6yFpVOkw9S-M7CZ7Z_dg12utG3CLH20o X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 mlxscore=0 bulkscore=0 phishscore=0 spamscore=0 adultscore=0 mlxlogscore=952 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206160043 X-Rspamd-Queue-Id: 4LNzKb2cSJz4T85 X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=dell.com header.s=smtpout1 header.b=fZyZm4SC; arc=reject ("signature check failed: fail, {[1] = sig:microsoft.com:reject}"); dmarc=pass (policy=none) header.from=Dell.com; spf=pass (mx1.freebsd.org: domain of Weike.Chen@Dell.com designates 148.163.133.20 as permitted sender) smtp.mailfrom=Weike.Chen@Dell.com X-Spamd-Result: default: False [-5.09 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:148.163.133.20]; MIME_BASE64_TEXT_BOGUS(1.00)[]; ARC_REJECT(2.00)[signature check failed: fail, {[1] = sig:microsoft.com:reject}]; DKIM_TRACE(0.00)[dell.com:+]; MIME_BASE64_TEXT(0.10)[]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_HAM_SHORT(-0.99)[-0.992]; DMARC_POLICY_ALLOW(-0.50)[Dell.com,none]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:26211, ipnet:148.163.133.0/24, country:US]; RCVD_IN_DNSWL_LOW(-0.20)[67.231.149.39:received,148.163.133.20:from]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[dell.com:s=smtpout1]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; DWL_DNSWL_LOW(-1.00)[dell.com:dkim]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[104.47.58.103:received]; MLMMJ_DEST(0.00)[freebsd-security]; WHITELIST_SPF_DKIM(-3.00)[dell.com:d:+,Dell.com:s:+]; RWL_MAILSPIKE_POSSIBLE(0.00)[148.163.133.20:from]; RCVD_COUNT_SEVEN(0.00)[7] X-ThisMailContainsUnwantedMimeParts: N SXQgaXMgdGhlIHNpdHVhdGlvbiB0aGF0IHRoZSB3aG9sZSBGcmVlQlNEIGNvbW11bml0eSBmYWNp bmc6IHRoZSBsYWNrIG9mIHN1cHBvcnRpbmcgZnJvbSB2ZW5kb3JzLCBub3Qgb25seSBmb3IgSW50 ZWwuDQpNYW55IG5ldyBIVyBmZWF0dXJlcywgbGlrZSBtb2Rlcm4gc3RhbmRieSwgSHlicmlkIENQ VSwgbmV3IGNoaXBzZXRzIGRyaXZlcnMsIG5lZWQgYmUgZG9uZSBieSB2ZW5kb3JzIGJ1dCBGcmVl QlNEIGNvbW11bml0eSBuZWVkIGRvIGl0Lg0KDQpGcmVlQlNEIGNvbW11bml0eSBuZWVkIGluZmx1 ZW5jZSBIVyB2ZW5kb3JzLCBsaWtlIEludGVsLCBBTUQsIE5WLCBSZWFsdGVrLCBldGMsIHRvIHN1 cHBvcnQgRnJlZUJTRCBrZXJuZWwuDQoNCj4gDQo+IDFzdCBvZiBhbGwsIG15IGNvbW1lbnQgd2Fz IGJlY2F1c2Ugb2YgeW91ciBwb3N0IGJ1dCB3YXMgbm90IGRpcmVjdGVkIGF0IHlvdS4NCj4gU29y cnkgaWYgdGhhdCB3YXMgdW5jbGVhci4NCj4gDQo+IDJuZCBvZiBhbGwsIGdyZWF0IHRoYXQgdGhl eSBnaXZlIGFkdmljZS4gTm90IHNvIGdyZWF0IHRoYXQgcGVvcGxlIGhhdmUgdG8NCj4gYWN0dWFs bHkgZG8gdGhlIHdvcmsuIFRoaXMgY29zdHMgZXZlcnlib2R5ICpiZXNpZGVzIEludGVsKiBhIGxv dCBvZiBtb25leQ0KPiBhbmQgdGhlcmUgaXMgbm8gZW5kIGluIHNpZ2h0Lg0KPiANCj4gSG93IGFi b3V0IGlmIEludGVsIGdpdmVzIHJlZnVuZHMgdG8gcGVvcGxlIGFmZmxpY3RlZCBieSB0aGVpciBk ZWZlY3RpdmUNCj4gcHJvZHVjdHMgYW5kIHBheXMgcmVtZWRpYXRpb24gY29zdHMgdG8gc29mdHdh cmUgcHJvamVjdHMgc2ltaWxhcmx5IGFmZmxpY3RlZD8NCj4gTWF5YmUgdGhhdCB3b3VsZCBnaXZl IHRoZW0gaW5jZW50aXZlIHRvIGRvIGEgYmV0dGVyIGpvYiB3aXRoIHRoZSBqdW5rDQo+IHRoZXkn cmUgc2VsbGluZy4NCj4gDQo+IC9qbA0KPiANCj4gDQo+IA0KPiBPbiAxNi1KdW4tMjIgMDk6NTcs IENoZW4sIEFsdmluIFcgd3JvdGU6DQo+ID4gSW50ZWwgcHJvdmlkZXMgdGhlIG1pZ3JhdGlvbiBn dWlkZWxpbmUsIHBsZWFzZSByZWZlciB0byA6DQo+IGh0dHBzOi8vdXJsZGVmZW5zZS5jb20vdjMv X19odHRwczovL3d3dy5pbnRlbC5jb20vY29udGVudC93d3cvdXMvZW4vDQo+IGRldmVsb3Blci9h cnRpY2xlcy90ZWNobmljYWwvc29mdHdhcmUtc2VjdXJpdHktZ3VpZGFuY2UvdGVjaG5pY2FsLQ0K PiBkb2N1bWVudGF0aW9uL3Byb2Nlc3Nvci1tbWlvLXN0YWxlLWRhdGEtDQo+IHZ1bG5lcmFiaWxp dGllcy5odG1sX187ISFMcEtJIWhtRHU1N0pwY3lYOGJMQ1ltZ3dNRTVITXRGajZ5NHZlU09WWA0K PiBEelBpb1cyQVFxYzk1bkZ0dkVKU1dzcGFta1RoOTFrMFRJWjBxTl91cWtDQmUxSSQgW2ludGVs Wy5dY29tXQ0KPiA+ICAgSXQgbG9va3MgbGlrZSBMaW51eCAoVWJ1bnR1JlJlaGF0JlN1c2UpIGFu ZCBXaW5kb3cgYXJlIHJlYWR5Lg0KPiA+DQo+ID4+DQo+ID4+DQo+ID4+IFtFWFRFUk5BTCBFTUFJ TF0NCj4gPj4NCj4gPj4gRG9lcyBJbnRlbCBmdW5kIE9TIGFuZCBhcHBsaWNhdGlvbiBsZXZlbCBt aXRpZ2F0aW9ucyBvZiB0aGVpcg0KPiA+PiBuZXZlci1lbmRpbmcgZmFpbHVyZSB0byBkZXNpZ24g b3IgaW1wbGVtZW50IGFueXRoaW5nIHByb3Blcmx5Pw0KPiA+Pg0KPiA+PiBJdCdzIGhhcmQgdG8g dW5kZXJzdGFuZCB3aHkgdGhlIHZpY3RpbXMgc2hvdWxkIHBheS4uLg0KPiA+Pg0KPiA+PiAvamwN Cj4gPj4NCj4gPj4gT24gMTYtSnVuLTIyIDA3OjUxLCBDaGVuLCBBbHZpbiBXIHdyb3RlOg0KPiA+ Pj4gSGkgY29tbXVuaXR5LA0KPiA+Pj4NCj4gPj4+IEFyZSB0aGVyZSBhbnkgZml4ZXMgYXZhaWxh YmxlIHRvIGZpeCB0aGlzIEludGVsIENQVSBDVkUgaXNzdWVzIG9uIEZyZWVCU0Q/DQo+ID4+Pg0K PiA+Pj4gUmVnYXJkcywNCj4gPj4+DQo+ID4NCg0KDQpJbnRlcm5hbCBVc2UgLSBDb25maWRlbnRp YWwNCg== From nobody Fri Jun 17 07:33:36 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id CE6F084169F for ; Fri, 17 Jun 2022 07:33:44 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by mx1.freebsd.org (Postfix) with ESMTP id 4LPW4R1jx3z3tFg for ; Fri, 17 Jun 2022 07:33:43 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: by segfault.tristatelogic.com (Postfix, from userid 1237) id 398B44E7CE; Fri, 17 Jun 2022 00:33:36 -0700 (PDT) From: "Ronald F. Guilmette" To: "freebsd-security@freebsd.org" Subject: Re: Intel CPU CVE Issue: CVE-2022-21166/CVE-2022-21125/CVE-2022-21123 In-Reply-To: <90e55cbc-a0f7-7220-3759-e05dee2daaf9@inbox.lv> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <41716.1655451216.1@segfault.tristatelogic.com> Date: Fri, 17 Jun 2022 00:33:36 -0700 Message-ID: <41717.1655451216@segfault.tristatelogic.com> X-Rspamd-Queue-Id: 4LPW4R1jx3z3tFg X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of rfg@tristatelogic.com designates 69.62.255.118 as permitted sender) smtp.mailfrom=rfg@tristatelogic.com X-Spamd-Result: default: False [0.08 / 15.00]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[tristatelogic.com]; NEURAL_HAM_LONG(-0.67)[-0.671]; NEURAL_SPAM_MEDIUM(0.42)[0.422]; RCPT_COUNT_ONE(0.00)[1]; MID_RHS_MATCH_FROMTLD(0.00)[]; NEURAL_SPAM_SHORT(0.62)[0.624]; TO_DN_EQ_ADDR_ALL(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:14051, ipnet:69.62.128.0/17, country:US] X-ThisMailContainsUnwantedMimeParts: N In message <90e55cbc-a0f7-7220-3759-e05dee2daaf9@inbox.lv>, John Long wrote: >1st of all, my comment was because of your post but was not directed at >you. Sorry if that was unclear. > >2nd of all, great that they give advice. Not so great that people have >to actually do the work. This costs everybody *besides Intel* a lot of >money and there is no end in sight. > >How about if Intel gives refunds to people afflicted by their defective >products and pays remediation costs to software projects similarly >afflicted? Maybe that would give them incentive to do a better job with >the junk they're selling. There's neither any need nor any point to being rude to the guy. He just asked a couple of simple simple questions. It's not his job to issue refunds for Intel's broken & insecure processors. (He doesn't even work for Intel.) Regards, rfg From nobody Mon Jun 20 02:51:00 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 8FA118650AF for ; Mon, 20 Jun 2022 02:51:10 +0000 (UTC) (envelope-from Weike.Chen@Dell.com) Received: from mx0b-00154904.pphosted.com (mx0b-00154904.pphosted.com [148.163.137.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4LRDg140l9z3k4b for ; Mon, 20 Jun 2022 02:51:09 +0000 (UTC) (envelope-from Weike.Chen@Dell.com) Received: from pps.filterd (m0170398.ppops.net [127.0.0.1]) by mx0b-00154904.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25JKrZAI013958; Sun, 19 Jun 2022 22:51:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dell.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=smtpout1; bh=VdHU4my+1t67hlphBJWE01CrhnVI+RrLjc8g8qZ7ei4=; b=Dg1M1xF29IlH02lN8YMdzvJpg+MURv1WF73OXnbH1c5VXTAYMR+beDiuYkwsS6TowSrF DFOs+FZAXgL4NfEhA8SSxaGccyM83VK2yGRwwefH+W8x7Ppls5QucUucNNFffNy8UfMr 8Ynk9SWlAuLnR6+elkW8WyVKJMW6HHBTrE33HLbYd6iKhQ/FCbdgx0tASX8nJyhVWTpN V5yASiMXmyIQK917pMT97MOBH4yWM/9i6qb7iCuh1qpmfVl/ClIbGrPk21RrOlxU6HyH ptLIaOO9zwfDNatSPliYgQXVa3Us6p2u9SQB7360NJmnHXStnPIK7u15PinKbc9lE0pX jg== Received: from mx0b-00154901.pphosted.com (mx0b-00154901.pphosted.com [67.231.157.37]) by mx0b-00154904.pphosted.com (PPS) with ESMTPS id 3gs9x9uhcx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 19 Jun 2022 22:51:03 -0400 Received: from pps.filterd (m0144104.ppops.net [127.0.0.1]) by mx0b-00154901.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25K1olGY000316; Sun, 19 Jun 2022 22:51:02 -0400 Received: from nam02-dm3-obe.outbound.protection.outlook.com (mail-dm3nam02lp2049.outbound.protection.outlook.com [104.47.56.49]) by mx0b-00154901.pphosted.com (PPS) with ESMTPS id 3gsuq0t0gq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 19 Jun 2022 22:51:02 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OeGBe+ZUgy8t7zLHHw3eTXjobclHsGGBH63YUkbQmCS+KEicFdRMaar+/MicmJRX46rybbR9TerYltd8aTaoNnQdpUzW/649lP6nwPtIGkieXqn1Sqnov5z5MVIJWoqfBDJ3ks+RgwnmKxRRPqsyRcuHJLwMk3ufQ0R2qW4dqju9Z1EUvntctNe4bDJ8k7WoytBEvoMufYlFNrANqzyM3MwsbWGq83kMUVAvpxDoUFG5tdXVQcKtdBUBxtlFqidJ4IIlRzbbunH+/IlkCdM+BpSOZahXxM1mlbJpbtPIi/FeGYaxK0CRpTFo42jxkWTZg8Voc8euadXtdXGEu+TKnQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VdHU4my+1t67hlphBJWE01CrhnVI+RrLjc8g8qZ7ei4=; b=M8tH6LdX0JcSWqjGrZVDhVCuwjTCCL95zebdtKT3lHjxIytez0EjzaEWG7VcED/s6aNvveVNs3/2rovbIO1HiNXQLNGw7G43bghiovlSxOiMrSAqKDExK3ilIIDU7UFDeZQeXyIPaHVakia2dBLzMwxDbjXLHrPfpPmm7c8rUp6GlcVw8csdX6aaD46Lavq/VbJQavL2aNbofBpLKjjcZNJy/Htca5bYyy/SOT3HVqn2/xN3fk2tQ2VU8mOBXqheEHYeqD+yDLh7R/LK8gkSaq9uGAKVRNjp0zNjvhPSrE8WGBgYMgdt9jMGZC2IFkTERuHYeYaHMhvMOcVkzWnPiQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=dell.com; dmarc=pass action=none header.from=dell.com; dkim=pass header.d=dell.com; arc=none Received: from PH0PR19MB4938.namprd19.prod.outlook.com (2603:10b6:510:94::9) by MN2PR19MB3805.namprd19.prod.outlook.com (2603:10b6:208:1e9::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5353.20; Mon, 20 Jun 2022 02:51:00 +0000 Received: from PH0PR19MB4938.namprd19.prod.outlook.com ([fe80::c11f:9b25:ff5f:6803]) by PH0PR19MB4938.namprd19.prod.outlook.com ([fe80::c11f:9b25:ff5f:6803%3]) with mapi id 15.20.5353.021; Mon, 20 Jun 2022 02:51:00 +0000 From: "Chen, Alvin W" To: "Ronald F. Guilmette" , "freebsd-security@freebsd.org" Subject: RE: Intel CPU CVE Issue: CVE-2022-21166/CVE-2022-21125/CVE-2022-21123 Thread-Topic: Intel CPU CVE Issue: CVE-2022-21166/CVE-2022-21125/CVE-2022-21123 Thread-Index: AdiBVdM9/KAA2uYYQ5+23q5kxmwC2QADNxYAAAEKNhAAASIMgAAsS1YAAIzXSDA= Date: Mon, 20 Jun 2022 02:51:00 +0000 Message-ID: References: <90e55cbc-a0f7-7220-3759-e05dee2daaf9@inbox.lv> <41717.1655451216@segfault.tristatelogic.com> In-Reply-To: <41717.1655451216@segfault.tristatelogic.com> Accept-Language: zh-CN, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: msip_labels: MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Enabled=true; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_SetDate=2022-06-20T02:50:57Z; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Method=Standard; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Name=No Protection (Label Only) - Internal Use; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_SiteId=945c199a-83a2-4e80-9f8c-5a91be5752dd; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_ActionId=1c475440-5d7f-4f35-b83b-1178b67951f6; MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_ContentBits=2 x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 945aa029-7254-4206-3f28-08da5267b53c x-ms-traffictypediagnostic: MN2PR19MB3805:EE_ x-microsoft-antispam-prvs: x-exotenant: 2khUwGVqB6N9v58KS13ncyUmMJd8q4 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 54e5Xde4cBabH5XJ/dT0/FNb7Gj4RPEwt2A/u+rWx24wlIjwz4HgLgoZzXpwQs9ORJP3QW3uQUjCY8RGNnChVp2gLPWe1PiqzJ+XkPWyqLIUwIbYBngvLpJ5oZ/lsd0qh3ddb8OH7hAEh9O0qSu7SUTUOdXB2maUfopb87kURR+JBPLTh1FVYpjpft7pchukQ7HMchRSU64GtwG4JKn+u9oDzsG1zdel9ui+wzXpQyXAeSqZN1LPtyR2yUzzUBxiRDbbyQzNw1+KqUst4c2EL4HxlbFPnsvxqvRuBcVvdkUaxQbcb0p9dY97TtS6CSjJLs3m2NHGKfBGYujdkGbYCUplS+vZgVAMVX1t+72cV0fDZKYdR5Ao6PyzDbvNDMOTnolmvw647Y2KsntDG3AmvWa7YrXIsne48gOtyTDNRsLVDmi+W01d7bIeXHaap83tSpHk1Wda7vBO+LwqWqlCs9AqJg2t3OBWvAWk+YlruhplpW4pNq7c1K9xxnsK1xPmz0hliyIwsSfrYuguZ9p4A7KsbdK7T+w67WUPtH6NMx2T2JHvWXvl8reRHri3pZCo+PRh0ZlZSjEPUYF0+0FxIh1gjR+PoU8/Y7W1zf/RqXP4Aoz4ENfD2prldagdYx96n1DDdBNG+Rxw2VTXyA2OUexFB8ZwWlkWk0t542LcOKsF59LojFD2LgI7dG1qqRtzt0TYrOc0046JYUIP9857ag== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR19MB4938.namprd19.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230016)(4636009)(366004)(38100700002)(52536014)(498600001)(8676002)(2906002)(6506007)(8936002)(5660300002)(7696005)(186003)(83380400001)(66476007)(66446008)(55016003)(38070700005)(71200400001)(110136005)(33656002)(122000001)(86362001)(76116006)(316002)(66556008)(66946007)(64756008)(786003)(82960400001)(9686003)(26005);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?bhW6Y/0+lB9CkF8G4wU39thVj7l+ExaXdq/EsrKf9xTAJ3ql19EWSY8jxH0c?= =?us-ascii?Q?o5py2+kx50bYhrx8U2YCfdsq3llscmo26Ylo42Xd4NBaUpFXVy4A0/5I3FB+?= =?us-ascii?Q?Xg/ih6JjgZcTUeJ6nE7GDhbb62+3S6jnu5oNKXeR5X11QEmz3LbYFvxZa2pC?= =?us-ascii?Q?ZUbZ4Jt8xg/m+JLETnEGmPfu8IqH7/YTUSd773fln47+okcyjZlPcM6a0taj?= =?us-ascii?Q?kCvQ9e+SLZ0zW5w4Ky1EPZcdQDGkRH2AoUDzk8aT0mP73GNSf3ceet+miIPd?= =?us-ascii?Q?Td+CvjZFrt1B1i6XjZdTvsQ7qfigxC6rGWBA8ZCzXjjGrt1hFj22WDXUWjmq?= =?us-ascii?Q?VgOZ0yxEVRqikVBGOfvL5fEDkx+VHJKh5VYpryhSJIuFwOR3g+emfXwnx1Ha?= =?us-ascii?Q?AfREuuIcllUSzqbqJXaKs7PgIu577O0IexhcuhzTDxndb2HYVXetvdLtN5PO?= =?us-ascii?Q?8f7bWpnB8PxLqpzTAg2B5F21KlQu00OhixJ44MlmeYLM1CdCtRq0bSA8XOoc?= =?us-ascii?Q?y7cmHLgjk7U8/r6Mr7EjvNdMV2FF1zF9g4VRDXzFa4v314d1BUm12/6oIca7?= =?us-ascii?Q?9i+sZ/pjKmikKpvG8r2mqUfHcMGdlqgTV7qlpoBi2tOkXNxwAQ0jq2gEHQTl?= =?us-ascii?Q?b2siFcMDDSEfuQPNd9vCti+HXLi9KbitvcRp+54yi/s+hps+o7T73WmTZ4jY?= =?us-ascii?Q?J3Ly1zOEST1ua+JTHGooc7cWiAbwlikW02Yzh+KMrY0dYML/RSYE6TZizlFZ?= =?us-ascii?Q?Ffd8Tna46bOzSt+epzAoKVxPEetIQ1pMl4p/nG/+MqEXawAOkEusgnQmYKTu?= =?us-ascii?Q?ehwN9MQgBCWDzGfPxTaRKBkYfAq37JW84htAjSPncxb5bSemUZWQn0kCA/+D?= =?us-ascii?Q?GdhcKCoRYHxefBm0u1IeYTWcOVhhox8EDlo3HiEwutL5hEavOuOJYcmHwW/u?= =?us-ascii?Q?mlOMDeb51ZhEfqPz8PKeck1vF7fdfyT+8l10SOyXI4EoMBlLAJeHQcXcfCjI?= =?us-ascii?Q?jzBlvqUG/pLfAfTj0qhYSubz58WJczjEQznnyl+Qv7xgF0y1L5NWOXp8d5X4?= =?us-ascii?Q?uM8RGyXdIW/Ov2JYq32tj0n6e5etvr5/AIo1A7kAtceFD8kOT7ZHpz7qL6yY?= =?us-ascii?Q?S73RjfAxpCU76T8FFqVFqYiJIHs7wVHYY13YLupCZbmE/JAn0KpwkJekH1tL?= =?us-ascii?Q?b6y9mzHfjxJgrPamz0OAHpFdEEkDlXJcsqMFLbjTT8sDuymVorLgcBKxeDNl?= =?us-ascii?Q?Szk2yUjRd7qipZnHLCDYn9cI2HowpuM8ccMUPWMZ5qPbzCKfd/wdXg0L2zr9?= =?us-ascii?Q?T/thAlXOEjQbQv8SrPWHBNTT5h99AUne25RjlNyjONX53vBCX5wBfuniu/rU?= =?us-ascii?Q?oehCvluXHBZ6sNc1K+R5qQiajMwq3Qr9ffn+htNo1cYDu1wqgcYvcAac4rp2?= =?us-ascii?Q?1y9qCUnqOSLLpsWNbihmJ70rLmzVF1V9etwNnliPqi4KUgUmOuV4mmctslC6?= =?us-ascii?Q?XutT/+Bsk1G2rmeLTmvmWCi5IbP1nMFjPbZCwinYgv3twigdF0f79Q7PWCPO?= =?us-ascii?Q?EFqwKddrCJUn9unPJM3b1gxVuIeQfsSjvNe7teHR+1yt/ZVc4i6PCQh+UFCJ?= =?us-ascii?Q?TvfOwT6WdEpqfYqNGn63+Lwc9RcwQYv8sb6Ye3hoIH9PWmEefrPktmqSl96n?= =?us-ascii?Q?a/fWQD6S9zdj/ynTsKNWgLjfEX+b1uu/8x56hg8mroMlrGQdPKV7fRrTqxBV?= =?us-ascii?Q?SSYab9jSgw=3D=3D?= Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 X-OriginatorOrg: Dell.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR19MB4938.namprd19.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 945aa029-7254-4206-3f28-08da5267b53c X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jun 2022 02:51:00.1454 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 945c199a-83a2-4e80-9f8c-5a91be5752dd X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: 5h0s1TzHTYpVD8fAQjZXkqswy9YKDnZVOTPa5VYPGd22dTMY+QEUp+PzHkWu8T42vSsy83xipywR5vbDh+YAJQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR19MB3805 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.64.514 definitions=2022-06-19_17,2022-06-17_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 spamscore=0 lowpriorityscore=0 priorityscore=1501 adultscore=0 malwarescore=0 mlxlogscore=645 clxscore=1011 mlxscore=0 bulkscore=0 impostorscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206200011 X-Proofpoint-ORIG-GUID: x7AMvL2fsd8x5knzsuRgI2psXay8wgRl X-Proofpoint-GUID: x7AMvL2fsd8x5knzsuRgI2psXay8wgRl X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=765 bulkscore=0 suspectscore=0 mlxscore=0 phishscore=0 adultscore=0 spamscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206200012 X-Rspamd-Queue-Id: 4LRDg140l9z3k4b X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=dell.com header.s=smtpout1 header.b=Dg1M1xF2; arc=reject ("signature check failed: fail, {[1] = sig:microsoft.com:reject}"); dmarc=pass (policy=none) header.from=Dell.com; spf=pass (mx1.freebsd.org: domain of Weike.Chen@Dell.com designates 148.163.137.20 as permitted sender) smtp.mailfrom=Weike.Chen@Dell.com X-Spamd-Result: default: False [-5.97 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[dell.com:s=smtpout1]; RWL_MAILSPIKE_POSSIBLE(0.00)[148.163.137.20:from]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:148.163.137.20]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; ARC_REJECT(2.00)[signature check failed: fail, {[1] = sig:microsoft.com:reject}]; DWL_DNSWL_LOW(-1.00)[dell.com:dkim]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[dell.com:+]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[104.47.56.49:received,67.231.157.37:received]; NEURAL_HAM_SHORT(-0.97)[-0.966]; DMARC_POLICY_ALLOW(-0.50)[Dell.com,none]; MLMMJ_DEST(0.00)[freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:22843, ipnet:148.163.137.0/24, country:US]; RCVD_COUNT_SEVEN(0.00)[7]; WHITELIST_SPF_DKIM(-3.00)[dell.com:d:+,Dell.com:s:+] X-ThisMailContainsUnwantedMimeParts: N >=20 > [EXTERNAL EMAIL] >=20 > In message <90e55cbc-a0f7-7220-3759-e05dee2daaf9@inbox.lv>, > John Long wrote: >=20 > >1st of all, my comment was because of your post but was not directed at > >you. Sorry if that was unclear. > > > >2nd of all, great that they give advice. Not so great that people have > >to actually do the work. This costs everybody *besides Intel* a lot of > >money and there is no end in sight. > > > >How about if Intel gives refunds to people afflicted by their defective > >products and pays remediation costs to software projects similarly > >afflicted? Maybe that would give them incentive to do a better job with > >the junk they're selling. >=20 >=20 > There's neither any need nor any point to being rude to the guy. He just > asked a couple of simple simple questions. It's not his job to issue ref= unds > for Intel's broken & insecure processors. (He doesn't even work for Inte= l.) >=20 >=20 > Regards, > rfg Hope FreeBSD mail list is only for technical discussion with no individual = emotion. Internal Use - Confidential From nobody Tue Jun 21 08:45:38 2022 X-Original-To: freebsd-security+bounces-digest-pmelo=fe.uc.pt@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id A628986F6E0 for ; Tue, 21 Jun 2022 08:45:52 +0000 (UTC) (envelope-from admin@fe.uc.pt) Received: from smtp-int.ci.uc.pt (smtp-int.uc.pt [193.137.200.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.uc.pt", Issuer "TERENA SSL CA 3" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LS0Tp1ssLz55Hd for ; Tue, 21 Jun 2022 08:45:46 +0000 (UTC) (envelope-from admin@fe.uc.pt) Received: from mbx-h.ci.uc.pt (mbx.ci.uc.pt [193.137.200.76]) by smtp-int.ci.uc.pt (Postfix) with ESMTP id F0DE240A1C47 for ; Tue, 21 Jun 2022 09:45:38 +0100 (WEST) Received: by mbx-h.ci.uc.pt (Postfix, from userid 205) id E9BE074EC13; Tue, 21 Jun 2022 09:45:38 +0100 (WEST) From: =?utf-8?Q?Manuel Paulo Albuquerque Melo?= To: srs0=qgjl=w4=freebsd.org=freebsd-security+bounces-digest-pmelo=fe.uc.pt@uc.pt X-mailer: GNARWL List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Subject: Re: Subject: =?utf-8?q?Digest_of_freebsd-security=40FreeBSD.org_issue_18_=2856-62=29?= Message-Id: <20220621084538.E9BE074EC13@mbx-h.ci.uc.pt> Date: Tue, 21 Jun 2022 09:45:38 +0100 (WEST) X-Rspamd-Queue-Id: 4LS0Tp1ssLz55Hd X-Spamd-Bar: + Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of admin@fe.uc.pt designates 193.137.200.41 as permitted sender) smtp.mailfrom=admin@fe.uc.pt X-Spamd-Result: default: False [1.31 / 15.00]; FORGED_RECIPIENTS_FORWARDING(0.00)[]; XM_UA_NO_VERSION(0.01)[]; FORWARDED(0.00)[srs0=qgjl=w4=freebsd.org=freebsd-security@uc.pt]; R_SPF_ALLOW(-0.20)[+ip4:193.137.200.0/25]; TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; MID_RHS_MATCH_FROMTLD(0.00)[]; NEURAL_HAM_SHORT(-0.20)[-0.199]; SUBJ_EXCESS_QP(1.20)[]; FROM_EXCESS_QP(1.20)[]; FORGED_SENDER(0.00)[pmelo@fe.uc.pt,admin@fe.uc.pt]; RCVD_IN_DNSWL_LOW(-0.10)[193.137.200.41:from]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:1930, ipnet:193.136.0.0/15, country:PT]; FROM_NEQ_ENVFROM(0.00)[pmelo@fe.uc.pt,admin@fe.uc.pt]; FORGED_RECIPIENTS(0.00)[m:srs0=qgjl=w4=freebsd.org=freebsd-security+bounces-digest-pmelo=fe.uc.pt@uc.pt,m:srs0=qgjl=w4=freebsd.org=freebsd-security@uc.pt,s:freebsd-security@freebsd.org]; FAKE_REPLY(1.00)[]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[admin]; FROM_HAS_DN(0.00)[]; FORGED_SENDER_FORWARDING(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; TAGGED_RCPT(0.00)[bounces-digest-pmelo=fe.uc.pt]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[uc.pt]; RCPT_COUNT_ONE(0.00)[1]; RCVD_TLS_LAST(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; XM_CASE(0.50)[] X-ThisMailContainsUnwantedMimeParts: N I'll be away, possibly without access to the email, until the 26th. Any questions regarding exams during this period should be sent to the other teachers of the courses. Estarei ausente, provavelmente sem acesso ao mail, até dia 26. Quaisquer questões relativas aos exames das minhas disciplinas durante este período deverão ser encaminhadas para as restantes docentes da disciplina. Best regards, Paulo From nobody Wed Jun 22 06:44:41 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 32B2A86FEB5; Wed, 22 Jun 2022 06:44:44 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LSYlb1hQbz3nT4; Wed, 22 Jun 2022 06:44:43 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-ed1-x52d.google.com with SMTP id eq6so15142912edb.6; Tue, 21 Jun 2022 23:44:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to:cc; bh=P5ivtUA9TcR1fDakyTrQLOxD+wKLUKAlO2QGmm83hpI=; b=BLRi1ypaRjCWb1JS3Nb13jEy702/7MaDOApc/Rc68CQdtHSEwgoFtuE3/dSjV5C0zj 5a32F+o4wQd0HYu3rJn4qvMkaqI743nYrY7eLtGZ2FumGNxPzFJL4uhzgrZmK2yO1f0z nWG0fEfmhbPZHkB7ZV/wK98J6WUsUcS+totgSoYZoVuKdzVPhrmP1+UOhWN9UJaieYPr +t47m76Cj/JwCzWbHCMpGsgtLEt7tA8PD0/O8B483QMTCsKk8xbfpuSUi7lkVHOmmnt9 mBs5J4oe844IQKPs94igvc8dxvxe2vfY3wJp+GmmSYM1ZsusCi/f57WAX6Eufr96WcIq G12Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=P5ivtUA9TcR1fDakyTrQLOxD+wKLUKAlO2QGmm83hpI=; b=yJ2oKLf4J7B52XeoW7izHIIXEBcN2bfIMn0EIUli7Ay2laCrqlc8twEKzhXs5jpvxQ gdPkuQUhN4fJWwLPHVuF9RTV0/aVONyoVlq3nIqUzsRtgOWPH2WvAzuiiUOxrWm0LJL+ H76cQd5YAcLP5LwxUbVtuSmyqpIS6Ef1E6A5Tbw4n68hijhj5q2QUFqAyNp81GWmjubP IPHnNJaMoVovIUHU++b8pRZ2un5bx0O6YxUxVBsofKcWIPoulHpXWKkn4TGKf6I9xGLd CER4BhagaXj67L8sVWdF/dFxIs41icBwg4bZfenETvmtcTgl9SN1M/xqRM9l79onAuBz cQgQ== X-Gm-Message-State: AJIora95zU0z1DyhNAsR/H6ci9ftS4DInRQ0kF8fO1+Qf0n4sDoMcQQx arCOJc6cdNwS3XSNasfOmW8B4sQj61EZZ4j4l5HOOBs+KRBMSK8wxLU= X-Google-Smtp-Source: AGRyM1vRci9PhbiLKftjbiFsc+RLWGOaT+zxL2Ys+uAF9XcfxTWqW5PcdvJ2CoUji8K3xPv8gcKowhkDQQ7zoRkGxSc= X-Received: by 2002:a05:6402:42d5:b0:433:1727:b31c with SMTP id i21-20020a05640242d500b004331727b31cmr2322716edc.9.1655880281837; Tue, 21 Jun 2022 23:44:41 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:ab4:a183:0:0:0:0:0 with HTTP; Tue, 21 Jun 2022 23:44:41 -0700 (PDT) From: grarpamp Date: Wed, 22 Jun 2022 02:44:41 -0400 Message-ID: Subject: CPU "Bugs" Hardly Considerable As Inspectably Innocent [Re: Intel/AMD CVE's] To: freebsd-security@freebsd.org Cc: freebsd-questions@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4LSYlb1hQbz3nT4 X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=BLRi1ypa; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2a00:1450:4864:20::52d as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-3.89 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.89)[-0.895]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; FROM_HAS_DN(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[2a00:1450:4864:20::52d:from]; NEURAL_HAM_SHORT(-1.00)[-0.997]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; MLMMJ_DEST(0.00)[freebsd-security,freebsd-questions]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-ThisMailContainsUnwantedMimeParts: N >> https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html > Intel ... their never-ending failure to design or implement https://www.forbes.com/sites/richardbehar/2016/05/11/inside-israels-secret-startup-machine/ https://techcrunch.com/2015/03/20/from-the-8200-to-silicon-valley Never fail the chance that NSA GCHQ CIA FSB Mossad/MID etc may consider the inexplicably continuing long history of "bugs" as friendly and conveniently embedded features, partnerships if you will... And that you can't escape that, nor have anything other than a black box, by continuing to foolishly rely on either of those Govt Corp... TOP-SECRET and Corporations have sordid opaque history of snakeoil, malware, spyware, suspect changes, etc. You can't see inside it, you cannot trust it. Abandon those old invisible models and sketchy indoctrination programs, reboot your brains to the open, connect the webcam to the microscope and push it at least 10x closer for all to see, do something different, and profit, ftw... #OpenFabs , #OpenHW , #OpenAudit , #FormalVerification , #CryptoCrowdFunding , #OpenTrust Have fun :) From nobody Tue Jul 5 04:15:13 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 176921D08A2D; Tue, 5 Jul 2022 04:16:04 +0000 (UTC) (envelope-from doctor@doctor.nl2k.ab.ca) Received: from doctor.nl2k.ab.ca (doctor.nl2k.ab.ca [204.209.81.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4LcTr32PM7z3Dvb; Tue, 5 Jul 2022 04:16:03 +0000 (UTC) (envelope-from doctor@doctor.nl2k.ab.ca) Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD)) (envelope-from ) id 1o8Zxx-0003WK-Rc; Mon, 04 Jul 2022 22:15:13 -0600 Date: Mon, 4 Jul 2022 22:15:13 -0600 From: The Doctor To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org Subject: openssl Vulnerabilities Message-ID: List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Rspamd-Queue-Id: 4LcTr32PM7z3Dvb X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=pass (policy=quarantine) header.from=nl2k.ab.ca; spf=pass (mx1.freebsd.org: domain of doctor@doctor.nl2k.ab.ca designates 204.209.81.1 as permitted sender) smtp.mailfrom=doctor@doctor.nl2k.ab.ca X-Spamd-Result: default: False [-1.80 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+a:c]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; RCVD_TLS_LAST(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-0.995]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[nl2k.ab.ca,quarantine]; MLMMJ_DEST(0.00)[freebsd-questions,freebsd-security]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:6171, ipnet:204.209.81.0/24, country:CA]; INTRODUCTION(2.00)[]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N Are the openssl vulnerabilities going to be addressed 5 July 2022? -- Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b Those who will do evil for power will do evil with power. -unknowni Beware https://mindspring.com From nobody Wed Jul 6 00:53:38 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 6D9D41D0E4D8; Wed, 6 Jul 2022 00:54:15 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gold.funkthat.com [IPv6:2001:470:800b::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gate2.funkthat.com", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ld1Jk3rrZz4sYG; Wed, 6 Jul 2022 00:54:14 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.15.2/8.15.2) with ESMTPS id 2660rdKw040683 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 5 Jul 2022 17:53:39 -0700 (PDT) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.15.2/8.15.2/Submit) id 2660rciU040680; Tue, 5 Jul 2022 17:53:38 -0700 (PDT) (envelope-from jmg) Date: Tue, 5 Jul 2022 17:53:38 -0700 From: John-Mark Gurney To: The Doctor Cc: freebsd-questions@freebsd.org, freebsd-security@freebsd.org Subject: Re: openssl Vulnerabilities Message-ID: <20220706005338.GE88842@funkthat.com> Mail-Followup-To: The Doctor , freebsd-questions@freebsd.org, freebsd-security@freebsd.org References: List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD 11.3-STABLE amd64 X-PGP-Fingerprint: D87A 235F FB71 1F3F 55B7 ED9B D5FF 5A51 C0AC 3D65 X-Files: The truth is out there X-URL: https://www.funkthat.com/ X-Resume: https://www.funkthat.com/~jmg/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.6.1 (2016-04-27) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (gold.funkthat.com [127.0.0.1]); Tue, 05 Jul 2022 17:53:39 -0700 (PDT) X-Rspamd-Queue-Id: 4Ld1Jk3rrZz4sYG X-Spamd-Bar: ++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of jmg@gold.funkthat.com has no SPF policy when checking 2001:470:800b::2) smtp.mailfrom=jmg@gold.funkthat.com X-Spamd-Result: default: False [2.08 / 15.00]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[jmg]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[]; NEURAL_HAM_LONG(-1.00)[-0.999]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[funkthat.com]; AUTH_NA(1.00)[]; NEURAL_SPAM_MEDIUM(0.93)[0.926]; NEURAL_SPAM_SHORT(0.96)[0.956]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MLMMJ_DEST(0.00)[freebsd-questions,freebsd-security]; FORGED_SENDER(0.30)[jmg@funkthat.com,jmg@gold.funkthat.com]; R_SPF_NA(0.00)[no SPF record]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:6939, ipnet:2001:470::/32, country:US]; FROM_NEQ_ENVFROM(0.00)[jmg@funkthat.com,jmg@gold.funkthat.com]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N The Doctor wrote this message on Mon, Jul 04, 2022 at 22:15 -0600: > Are the openssl vulnerabilities going to be addressed > 5 July 2022? It looks like there is no need. FreeBSD is still on 1.1.1, and per OpenSSL's SA: OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. See also: https://cgit.freebsd.org/src/commit/?id=64cbf7cebc3b80a971e1d15124831d84604b9370 FreeBSD just merged in OpenSSL 1.1.1q -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." From nobody Wed Jul 6 08:36:42 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id AF9A91D045E9 for ; Wed, 6 Jul 2022 08:36:55 +0000 (UTC) (envelope-from tdtemccna@gmail.com) Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LdCZb1k54z4qXJ for ; Wed, 6 Jul 2022 08:36:55 +0000 (UTC) (envelope-from tdtemccna@gmail.com) Received: by mail-lf1-x129.google.com with SMTP id bu42so4827043lfb.0 for ; Wed, 06 Jul 2022 01:36:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to:cc; bh=qNJS8bXJjIJEOjJk4e4xeTOXLNTgbklFiRogoFnIe/0=; b=Da2yk7b3nne8P6Qwqol0biI07kUtzpjaErWsGPvShA9Lth3YJRzxENRaNSHendFSYa sKoATVWe/C1nldB6z0c2l5XeMkucTpHQ9hW0WsWYipC9cH4q/+/o8mGYFM9dgHuBk3r2 nmd39C2X1qGpqoXvbFUrl/STAKXV4nDjFlNLnE6pDcXRL0zLW77sTrszNg92HOxoJxOf yB5/lzP6IVeJZK50u5BaMt1qNKoJTkdm7CtKHLvMvizfZ7eLbYAfJmxGm+qr+kWh35e+ P/ftw8oweeNmG5IEWrwpUuyiIpzwqNsf7caMjqFHAbRVYlBBjx1oMYYPoEUwxda2PTmM H9ZA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=qNJS8bXJjIJEOjJk4e4xeTOXLNTgbklFiRogoFnIe/0=; b=CWie7CRvEFPm/gvCLRv1b69+I0Ty/Q/DAE7+8VbUVpMYOQ0SjTg/y9b+/U3Dni2CEO 2zSZYEX+U0u+xFQ9464hEq8H8dNQDB7St7LaxQVLNRgmNCDAYV5+CZ52Ftpt3IKsCXtA KoOoy02YARh8FCFnM7dz0rTy4EEgfUwDPxVm06l2oB8TgzWvVob6+thMFpYAOKGSUwbK jP3EHaVq+awEwL5g3Z1eXRUUwW4VBuqq7Di8dLp7dr+vLHcsOxSbPyUgIsBEp/RWSoPq g8Yg+ZtV/1UjLd95L/06WAJ2fniOanW/ChnwPKK7GWgxLZFRNkEkNTJh0jsBN00xbbNB CaBQ== X-Gm-Message-State: AJIora/Kvgcxtzg8Sriu96Vxgf90dq6NK2VeFyEavbS5q/T1eyq36OgX TlBxg+YSDzD4DoPpn8pH0io4JczLbWEHjbXp5DooR/dm8Fq8GA== X-Google-Smtp-Source: AGRyM1tHIsqPVgcOPmC2zz+Q156MGKLX9uHZzNyIezRurDjr3K5lPUdvu99jj1v23WvNCycuRF6NKitsqluMx57gKRI= X-Received: by 2002:a05:6512:3d0a:b0:47f:73c2:bf7e with SMTP id d10-20020a0565123d0a00b0047f73c2bf7emr25989260lfv.192.1657096613777; Wed, 06 Jul 2022 01:36:53 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 From: Turritopsis Dohrnii Teo En Ming Date: Wed, 6 Jul 2022 16:36:42 +0800 Message-ID: Subject: FreeBSD is a great operating system! To: freebsd-security@freebsd.org Cc: ceo@teo-en-ming-corp.com Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4LdCZb1k54z4qXJ X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=Da2yk7b3; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of tdtemccna@gmail.com designates 2a00:1450:4864:20::129 as permitted sender) smtp.mailfrom=tdtemccna@gmail.com X-Spamd-Result: default: False [-4.00 / 15.00]; FREEMAIL_FROM(0.00)[gmail.com]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36]; TO_DN_NONE(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; NEURAL_HAM_SHORT(-1.00)[-1.000]; SUBJECT_ENDS_EXCLAIM(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2a00:1450:4864:20::129:from]; MLMMJ_DEST(0.00)[freebsd-security]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N Subject: FreeBSD is a great operating system! Good day from Singapore, I think FreeBSD is a great operating system! I support FreeBSD because the most popular pfSense firewall, the extremely popular OPNsense firewall and the BSD Router Project are all powered by FreeBSD! macOS is also based on FreeBSD! I use pfSense community edition firewall in my home. I am planning to try out OPNsense firewall next. I will continue to support FreeBSD! It is a great operating system! FreeBSD is a very good network operating system. Regards, Mr. Turritopsis Dohrnii Teo En Ming Targeted Individual in Singapore 6 July 2022 Wed Blogs: https://tdtemcerts.blogspot.com https://tdtemcerts.wordpress.com From nobody Tue Jul 12 19:51:13 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 2E57617F8F37 for ; Tue, 12 Jul 2022 19:51:21 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smarthost1.sentex.ca", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LjBG02WCgz3ymf for ; Tue, 12 Jul 2022 19:51:20 +0000 (UTC) (envelope-from mike@sentex.net) Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [199.212.134.19]) by smarthost1.sentex.ca (8.16.1/8.16.1) with ESMTPS id 26CJpD2A092534 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for ; Tue, 12 Jul 2022 15:51:13 -0400 (EDT) (envelope-from mike@sentex.net) Received: from [IPV6:2607:f3e0:0:4:35a5:84cd:7861:f62] ([IPv6:2607:f3e0:0:4:35a5:84cd:7861:f62]) by pyroxene2a.sentex.ca (8.16.1/8.15.2) with ESMTPS id 26CJpD6q046189 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO) for ; Tue, 12 Jul 2022 15:51:13 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: Date: Tue, 12 Jul 2022 15:51:13 -0400 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.0.1 Content-Language: en-US To: "freebsd-security@freebsd.org" From: mike tancsa Subject: Retbleed, another speculative execution attack Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.84 on 64.7.153.18 X-Rspamd-Queue-Id: 4LjBG02WCgz3ymf X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:1::12 as permitted sender) smtp.mailfrom=mike@sentex.net X-Spamd-Result: default: False [-3.40 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32]; MIME_GOOD(-0.10)[text/plain]; RCVD_IN_DNSWL_LOW(-0.10)[199.212.134.19:received]; FROM_HAS_DN(0.00)[]; R_DKIM_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_ALL(0.00)[]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_EQ_ADDR_ALL(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; FREEFALL_USER(0.00)[mike]; DMARC_NA(0.00)[sentex.net]; MID_RHS_MATCH_FROM(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; ARC_NA(0.00)[] X-ThisMailContainsUnwantedMimeParts: N Just wondering how this might impact FreeBSD ? From nobody Tue Jul 12 19:53:46 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4618C17FA794 for ; Tue, 12 Jul 2022 19:53:48 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smarthost1.sentex.ca", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LjBJq1TMBz419v for ; Tue, 12 Jul 2022 19:53:47 +0000 (UTC) (envelope-from mike@sentex.net) Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [199.212.134.19]) by smarthost1.sentex.ca (8.16.1/8.16.1) with ESMTPS id 26CJrkMT095088 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for ; Tue, 12 Jul 2022 15:53:46 -0400 (EDT) (envelope-from mike@sentex.net) Received: from [IPV6:2607:f3e0:0:4:35a5:84cd:7861:f62] ([IPv6:2607:f3e0:0:4:35a5:84cd:7861:f62]) by pyroxene2a.sentex.ca (8.16.1/8.15.2) with ESMTPS id 26CJrk82047056 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO) for ; Tue, 12 Jul 2022 15:53:46 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <6b8953b3-eaa8-22aa-7dc9-0f07875a9588@sentex.net> Date: Tue, 12 Jul 2022 15:53:46 -0400 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.0.1 Subject: Re: Retbleed, another speculative execution attack Content-Language: en-US From: mike tancsa To: "freebsd-security@freebsd.org" References: In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.84 on 64.7.153.18 X-Rspamd-Queue-Id: 4LjBJq1TMBz419v X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:1::12 as permitted sender) smtp.mailfrom=mike@sentex.net X-Spamd-Result: default: False [-3.40 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-1.000]; R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32]; MIME_GOOD(-0.10)[text/plain]; RCVD_IN_DNSWL_LOW(-0.10)[199.212.134.19:received]; FROM_HAS_DN(0.00)[]; R_DKIM_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_ALL(0.00)[]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_EQ_ADDR_ALL(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; FREEFALL_USER(0.00)[mike]; DMARC_NA(0.00)[sentex.net]; MID_RHS_MATCH_FROM(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; ARC_NA(0.00)[] X-ThisMailContainsUnwantedMimeParts: N On 7/12/2022 3:51 PM, mike tancsa wrote: > Just wondering how this might impact FreeBSD ? > Forgot to include the link https://news.ycombinator.com/item?id=32071949 https://comsec.ethz.ch/research/microarch/retbleed/ From nobody Wed Jul 13 06:42:59 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 9240D1D094C5 for ; Wed, 13 Jul 2022 06:43:01 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LjSjw6Pn8z4NFk for ; Wed, 13 Jul 2022 06:43:00 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-pj1-x102f.google.com with SMTP id o5-20020a17090a3d4500b001ef76490983so2036563pjf.2 for ; Tue, 12 Jul 2022 23:43:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=575HzjbPNDpvGJh8y/vFKhF7CqyzY102pT97N1uKQy0=; b=ZSmRPHeuQ6V13x/FZWjGG3izOeX/AFxEf9eEQpcemkYppJUD5iUnzO60NgURJ1dZY1 MjO2wdQEh0iBXhIMP6KLpB8lZryiQbO8N7iznbWhu2SCUwQl0UDFAKf82PvOZ7hHQk1p J6otp56unf/FDAmqa4k9i2UpcwXwxfFKd+AoBcOWGA/D1EnKksO/A4QEXPW8QVs+JgjH PLUY/TyVQvqTi7G9ShzujkeeqYtlpc9dXHVVTx8iNokgAj6krEKskkGVftmUjGWZdp3E CFwEgKFGraGKu3ou9dXcb+/WZkCiSWyczr6PltSoAXsmP3NinHHc2vdnsjO57Qu45u+E 5KDQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=575HzjbPNDpvGJh8y/vFKhF7CqyzY102pT97N1uKQy0=; b=Tm2jXgQzdQmur2OyaD3dyW+VWtjrOeWnxlm/LqLOsPT/DyylC+QprqGgWStvstbQZB 4yw6qnT5d6gCL1BO1bCRPi4V1ehtniwR/2iL4cDdXtxzhEl1KjAQe6CLC2NhDIIrWKDy kdwqjie+mm6WADFX22KrwVHRRW4w8LvdHJWa55eLqx5R3GBmLEaqetIOI31AdEXW2VE7 ErS6/NURMc2p1XhL5/yRs1NLlc+JBdLp+snuCwCaTYvmEiU4L+66EIOld6fNxTi6JK7D Ey5q08ekzMyLxhXc1JEVWeljNNWx/iNZMUU7Uq32C6YvnBMSDNyoHKwTQfzvfSh1h1gP Fnqg== X-Gm-Message-State: AJIora/GesfD6ntjm9aova5q91h6QRY27V4EcifHNeQi0w6V1XSKI7jl tA/b41t2DP6xE76hEK3IckcsI3h0u+y/+zS0OFcW9p8Ac5zv4R2O X-Google-Smtp-Source: AGRyM1u5jM+SzYa18A58IxoyWCOeWOwTKUBZg5Qsa8uZw9QrWjIsiVUkx8uPkf8Tm/Je0PnbMHOCK4y2oFF8fUpI4ew= X-Received: by 2002:a17:90b:4c87:b0:1f0:30fa:12bc with SMTP id my7-20020a17090b4c8700b001f030fa12bcmr8655883pjb.66.1657694579587; Tue, 12 Jul 2022 23:42:59 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a17:903:1cc:b0:16c:4f00:65b3 with HTTP; Tue, 12 Jul 2022 23:42:59 -0700 (PDT) In-Reply-To: <6b8953b3-eaa8-22aa-7dc9-0f07875a9588@sentex.net> References: <6b8953b3-eaa8-22aa-7dc9-0f07875a9588@sentex.net> From: grarpamp Date: Wed, 13 Jul 2022 02:42:59 -0400 Message-ID: Subject: Re: Retbleed, another speculative execution attack To: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4LjSjw6Pn8z4NFk X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=ZSmRPHeu; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::102f as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-3.77 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.96)[-0.957]; NEURAL_HAM_LONG(-0.81)[-0.808]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; MIME_GOOD(-0.10)[text/plain]; ARC_NA(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::102f:from]; MLMMJ_DEST(0.00)[freebsd-security]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; DKIM_TRACE(0.00)[gmail.com:+]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCVD_TLS_LAST(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-ThisMailContainsUnwantedMimeParts: N On 7/12/22, mike tancsa wrote: >> Just wondering how this might impact FreeBSD ? > > https://news.ycombinator.com/item?id=32071949 > > https://comsec.ethz.ch/research/microarch/retbleed/ FreeBSD should keep a wiki table of all these HW attacks with at least three columns... - The exploit - Were mitigations published - Were those or others applied Point everyone there. From nobody Wed Jul 13 07:23:39 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 0C6AD1D20A84 for ; Wed, 13 Jul 2022 07:23:45 +0000 (UTC) (envelope-from johngray.au@gmail.com) Received: from mail-pg1-x52f.google.com (mail-pg1-x52f.google.com [IPv6:2607:f8b0:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LjTcw1WQMz3GNX for ; Wed, 13 Jul 2022 07:23:44 +0000 (UTC) (envelope-from johngray.au@gmail.com) Received: by mail-pg1-x52f.google.com with SMTP id f11so8826417pgj.7 for ; Wed, 13 Jul 2022 00:23:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:in-reply-to:to; bh=EXYEyz3Py6nd/ZvxtQgYsq1d30HI0JEk7tYEwT0tza8=; b=cGQxp2juGfyqArJ/1leebJ1oPeWM2wiSmPGauFM4mURaA9gyo+uOKMQM+vluGmAjbE 9OMbu69a+IEnYwbtNmuiHNVvFdTW08C8G2djoQpZ0DshBN1V6nafttZ56Vl9HZGu373u 6G/L3JlEzEadYyUIwueqdsNvz13gDUBaV6DaGaDrgMwmBurLs6PlNvSNz0j7+/kZWKVC ZI+bYOi+MCGuW7aS4k1Z9mk7xw1I7iwjuXqE1mxOVLLdbgOeV3elY9aL9HYo37FBqAH0 aOnRbpqkL7JeU4ns4cDFvo0vhLScIsIBPUVp3NyHC7mv1sLp9uXQY3xVw7ufpDzcmXnn Y4/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:in-reply-to:to; bh=EXYEyz3Py6nd/ZvxtQgYsq1d30HI0JEk7tYEwT0tza8=; b=ev1YpA37mcEiam7JL5NySzvS1DXclTNFICgHFt5L7gCKOx8qFIL5V3VKnNDkbhMHUf 4QH5eOjDo2NDB/kMINr1ThRsfBx9speXmchHhuz73qDunQtGj15aKJ/EP1tOlDiJ/KXI N/+Obpynfs6NNczZ0Ev4TMyNKBv4tqt4ukHzGbbhDD9/6fb2NdFmMe3m1PDSjIGRSiex Ynr+LB0uxLF9W18f6wuoDZdQA6r6oSLMVlHD5DCPxu+QNSpU3Je3N8x4nROErr5zAGnt IHC2RWqsoMJq5Ncrin1sHBCH/lpnNNzMIQAGHw3D/x/9TmxZ2w9enPtrrkX51JEBhAn3 DwrQ== X-Gm-Message-State: AJIora8Y9T/7wuXuAtgY6t2vVmkdHwHBp8u5+M0Ejoa163V8RJgREvHg oVGVDwJULWYsMyNbnkq1GB3UXJFH+no= X-Google-Smtp-Source: AGRyM1vD3Q2DSdUIjw7Fj/Hevqj0+W46wL2aLQHOEi/KMw8I4E9CePgHGkeq26LFfXqF2iq40T4SsA== X-Received: by 2002:a63:1710:0:b0:40d:dd27:789b with SMTP id x16-20020a631710000000b0040ddd27789bmr1796135pgl.386.1657697022458; Wed, 13 Jul 2022 00:23:42 -0700 (PDT) Received: from smtpclient.apple (27-33-246-20.static.tpgi.com.au. [27.33.246.20]) by smtp.gmail.com with ESMTPSA id c4-20020a056a00008400b0051bc36b7995sm8069470pfj.62.2022.07.13.00.23.41 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 13 Jul 2022 00:23:41 -0700 (PDT) Content-Type: multipart/alternative; boundary=Apple-Mail-D774FFA4-44E6-417B-86C6-5CDC146CF69A Content-Transfer-Encoding: 7bit From: John Gray List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 (1.0) Subject: Re: Retbleed, another speculative execution attack Date: Wed, 13 Jul 2022 17:23:39 +1000 Message-Id: References: In-Reply-To: To: freebsd-security@freebsd.org X-Mailer: iPhone Mail (19E258) X-Rspamd-Queue-Id: 4LjTcw1WQMz3GNX X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=cGQxp2ju; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of johngray.au@gmail.com designates 2607:f8b0:4864:20::52f as permitted sender) smtp.mailfrom=johngray.au@gmail.com X-Spamd-Result: default: False [-3.49 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.994]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; MV_CASE(0.50)[]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::52f:from]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_NONE(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; TAGGED_FROM(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; RCVD_TLS_LAST(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; MIME_TRACE(0.00)[0:+,1:+,2:~]; MLMMJ_DEST(0.00)[freebsd-security] X-ThisMailContainsUnwantedMimeParts: N --Apple-Mail-D774FFA4-44E6-417B-86C6-5CDC146CF69A Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Like this one? https://wiki.freebsd.org/SpeculativeExecutionVulnerabilities > On 13 Jul 2022, at 16:44, grarpamp wrote: >=20 > =EF=BB=BFOn 7/12/22, mike tancsa wrote: >>> Just wondering how this might impact FreeBSD ? >>=20 >> https://news.ycombinator.com/item?id=3D32071949 >>=20 >> https://comsec.ethz.ch/research/microarch/retbleed/ >=20 > FreeBSD should keep a wiki table of all these > HW attacks with at least three columns... > - The exploit > - Were mitigations published > - Were those or others applied >=20 > Point everyone there. >=20 --Apple-Mail-D774FFA4-44E6-417B-86C6-5CDC146CF69A Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
Lik= e this one?


On 13 Jul 2022, at 16:44, grarpamp <grarpamp@gmail= .com> wrote:

=EF=BB=BFOn 7/12/22, mike tancsa <mike@sentex.net> wrot= e:
Just w= ondering how this might impact FreeBSD ?

https://news.ycombinator.com/item?id=3D32071949

https://comsec.ethz.ch/research/microarch/retbleed/

FreeBSD should keep a wiki table of= all these
HW attacks with at least three columns...<= br>- The exploit
- Were mitigations published- Were those or others applied

Poin= t everyone there.

= --Apple-Mail-D774FFA4-44E6-417B-86C6-5CDC146CF69A-- From nobody Wed Jul 13 09:58:36 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 0C5761CFEF42 for ; Wed, 13 Jul 2022 09:58:45 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by mx1.freebsd.org (Postfix) with ESMTP id 4LjY3l6rJ1z3bH5 for ; Wed, 13 Jul 2022 09:58:43 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: by segfault.tristatelogic.com (Postfix, from userid 1237) id EC8E94E7D0; Wed, 13 Jul 2022 02:58:36 -0700 (PDT) From: "Ronald F. Guilmette" To: freebsd-security@freebsd.org Subject: Re: Retbleed, another speculative execution attack In-Reply-To: List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <95025.1657706316.1@segfault.tristatelogic.com> Content-Transfer-Encoding: quoted-printable Date: Wed, 13 Jul 2022 02:58:36 -0700 Message-ID: <95026.1657706316@segfault.tristatelogic.com> X-Rspamd-Queue-Id: 4LjY3l6rJ1z3bH5 X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of rfg@tristatelogic.com designates 69.62.255.118 as permitted sender) smtp.mailfrom=rfg@tristatelogic.com X-Spamd-Result: default: False [-3.19 / 15.00]; NEURAL_HAM_SHORT(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-0.99)[-0.992]; R_SPF_ALLOW(-0.20)[+mx]; RCVD_NO_TLS_LAST(0.10)[]; MIME_GOOD(-0.10)[text/plain]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security]; MIME_TRACE(0.00)[0:+]; MID_RHS_MATCH_FROMTLD(0.00)[]; ARC_NA(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; FROM_HAS_DN(0.00)[]; ASN(0.00)[asn:14051, ipnet:69.62.128.0/17, country:US]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DMARC_NA(0.00)[tristatelogic.com]; TO_DN_NONE(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N In message , = grarpamp wrote: >On 7/12/22, mike tancsa wrote: >>> Just wondering how this might impact FreeBSD ? >> >> https://news.ycombinator.com/item?id=3D32071949 >> >> https://comsec.ethz.ch/research/microarch/retbleed/ > >FreeBSD should keep a wiki table of all these >HW attacks with at least three columns... >- The exploit >- Were mitigations published >- Were those or others applied > >Point everyone there. I second that emotion! Regards, rfg From nobody Wed Jul 13 17:39:55 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id B08D81D00533 for ; Wed, 13 Jul 2022 17:39:58 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [IPv6:2607:f8b0:4864:20::102b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LjlHx4JW3z3lCb for ; Wed, 13 Jul 2022 17:39:57 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-pj1-x102b.google.com with SMTP id o31-20020a17090a0a2200b001ef7bd037bbso4853218pjo.0 for ; Wed, 13 Jul 2022 10:39:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=Oyar7NB8/9QxTwSPjrap9IJqPwmXeCx9wEwjAJoy8b4=; b=JuX6M6qMTdR0DjMyLzpFTYKJgGtfd/NCH21SaKxBZmkpa945YuYilwNZC+nalve85W EW1xyLaia79GSWJyYOXRyI/Tk1koGkJ+QlqVvkAMW/nFIeVZwGysKfUGv/Zc1su7wiqT fom3ERqQKHrMlDOT2kBqLojkdQUyS65M9nGDC6lh44XOcir4clKQEO1cix+QobxrL83L 0JvfT0uaU0E42H5CHiQk1YnUlIYGJxNXT9Ss15SGVYC5uifjMoftXxnSSP3snedJASGd tCyHLmn1NkzWFSuqoCgmNlSt9yvrH/ycgSodlmdQqqyP5j7uQ+d+naiAhaolEmybIacO Jr/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=Oyar7NB8/9QxTwSPjrap9IJqPwmXeCx9wEwjAJoy8b4=; b=Ha2JspdiFiVxLDKokkQ8HzWvIDJ8H4ErGiZqxVJxWVRwjxoKfNGtv26ngOb+K+STpP N7JqSMKLvCijfk1qAIanf7e8XsQinrCDHspT8fSe6DVSHV49Og3aHw8lTrHWaW/KXbFr 2dEYgpcUD69oKGkBJXDX/6adGBY3x4GRWhsRMHMrwzXHoaJQct4ZA9Aq9ybvP7DSkge4 0hm3qCzDxWe++ZXrtdmGMScOqKiRjlTcGqaEcBzqhiudiiS2kSY8NQJFKHoJjQfV9zHW o33zce2lZN+dj+yOPLFPcBE1krDrpktjB3UI2d5XasniByXzLE37OXxUEuWs+WBCbwRo 9s3w== X-Gm-Message-State: AJIora+oS0YSfqlMTsMgQnumUFsssbuFW/Fi3X6Y+swKxYIX/XAKH4Fi rLmO/XD22q1skZgL99AR0QaRphERBk6o4QnXHiSd0eT/KowtQimD5rI= X-Google-Smtp-Source: AGRyM1v6Z84//b1gbn9l8Y5CYKKRYAyM1f1xhghZHQVX8Ut4VncC+UPsJrkjtLy3cixD6Yx/KuqVMI43Su856eWQWSw= X-Received: by 2002:a17:90b:3ece:b0:1f0:6b2e:6fbf with SMTP id rm14-20020a17090b3ece00b001f06b2e6fbfmr8851476pjb.203.1657733996005; Wed, 13 Jul 2022 10:39:56 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a17:903:1cc:b0:16c:4f00:65b3 with HTTP; Wed, 13 Jul 2022 10:39:55 -0700 (PDT) In-Reply-To: References: From: grarpamp Date: Wed, 13 Jul 2022 13:39:55 -0400 Message-ID: Subject: Re: Retbleed, another speculative execution attack To: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4LjlHx4JW3z3lCb X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=JuX6M6qM; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::102b as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-3.89 / 15.00]; NEURAL_HAM_MEDIUM(-0.99)[-0.990]; NEURAL_HAM_LONG(-0.98)[-0.980]; NEURAL_HAM_SHORT(-0.92)[-0.923]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; MIME_GOOD(-0.10)[text/plain]; ARC_NA(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::102b:from]; MLMMJ_DEST(0.00)[freebsd-security]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; DKIM_TRACE(0.00)[gmail.com:+]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCVD_TLS_LAST(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-ThisMailContainsUnwantedMimeParts: N >> FreeBSD should keep a wiki table of all these >> HW attacks with at least three columns... >> - The exploit >> - Were mitigations published [by hw vendors or sw communities] >> - Were those or other [mitigations] applied [to freebsd] On 7/13/22, John Gray wrote: > Like this one? > https://wiki.freebsd.org/SpeculativeExecutionVulnerabilities Cool, yes, more or less. Though that one may be missing some number of hardware (HW) vulnerabilities. They are a distinct space imposed on OS's by upstream HW makers (as opposed to self-imposed SW kernel, user, app, compiler, etc bugs), ambitious wiki'ers could track them all the way back to F00F, etc. Though only those HW bugs with actual or suspected potential for an exploitable security vector would need listed, not simple lockups, reboots, incorrect return status or data, as in the typical HW errata sheets. Maybe some organizing updates... Background and other generic upstream literature could by now be replaced with a few overall wikipedia links. Try one bug per row by its canonical links and name (usually CVE) to show BSD saw and signed off in what ways on each (whichever among ticket, review, commit, mail thread). Only the per bug list of 'fixes/mitigs available' and 'fixes/mitigs applied' matters to users. 'Vulnerable' or 'not vulnerable' is meta curation that really only matters to legacy hardware shoppers and critiquers of HW makers, and is already available in the offsite literature. The HEAD signoff is more important to track for long term reference than maintaining list of EOL major.minor's when that info already flows from and within links to the head work anyway. In the interest of importance on first glance "seen and signed off, didn't totally miss a CVE somewhere" aspect. >From there, whatever level of work-from flow matrix and detail can then follow. Someone failed to post their reply to the list... " FreeBSD doesn't have a fix for that one, but it also doesn't have fixes for Spectre V1, Spectre-BHB, or MMIO Stale Data. FreeBSD is still a sitting duck for these CPU vulns, so adding yet another one on top doesn't really matter. " And please quit top-posting... replies belong below what you are replying to so people can linearly follow entire context like a book top to bottom, and don't have to labor to fix the disorderly mess you created when they reply to it. From nobody Tue Aug 9 22:35:26 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4M2SZQ22wqz4YRZ4 for ; Tue, 9 Aug 2022 22:35:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4M2SZQ1VNdz3MDS; Tue, 9 Aug 2022 22:35:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660084526; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=YswOvJxnYtdaZZYzevfxWJLI07NFwkw26DXChuzGysU=; b=RyZkVkFX7Ei/PAdkbjjj5edrbIpLNCjpMAzqdyf1tibX9AOYgPHdyR85Sn9wDjIE0IPdVD YwkORMdytdcQCd1g4EDFt0xHdcjelMG7R45UwJoCbdZk5l9ogBQFmswtI90/xEdb7LvXmw fWVP5h8x+sqjp7CSNfn4rxCZdBGLokVz3lVCOy/BHHUtNwOyXC6AHIRIZGW8qx7i+fV20K /7jPdEPKwHdrlgT3+iSoW4xDy7rLauNL1gZmvXaTP36R0pKvDufIdXA6KLnG0DS9I6qSqh j78YvOb3aYpZ3lgGoOOByj0mN969ACSxx2Bnw2AAbX99nndTzHpgIZ33WlSmnQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id 0E5F717496; Tue, 9 Aug 2022 22:35:26 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:09.elf Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220809223526.0E5F717496@freefall.freebsd.org> Date: Tue, 9 Aug 2022 22:35:26 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660084526; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=YswOvJxnYtdaZZYzevfxWJLI07NFwkw26DXChuzGysU=; b=ZebY5aAhJcj+E/z/bPRdvSvCwhqM2WZmHZWpILChg9b7tH/xp8XteK6PhFBMQH7LSMs7t/ 3UL/0QWj9qwxCSgfaEc/Avnbdl7bg9ESy2UZCHfNjVdlvvQZzd1DcXc5MrBl0miArNMH0m NF/LRwWHurrzOeLnS6x9aFOoQEUN4p4Mq4plXd4yUYv5eQVZHVK22rnDEy1Z/Vmrbu6twm kN4mfh7/tu37OFutDScYE0aQ+ggZ2MEFE3/2Aeg0QS7Ddxn/uF9Tx+nNzZrnI8c48FB0Cg 1HsCU91U331Th2bEeqk5PIT2GcLd0aH3ZOOnOWJXQY7XEqteQU1JfIUnKoDV6A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1660084526; a=rsa-sha256; cv=none; b=IVuBYiYradnjza1iKnVrp6pVvBXYOtSqg3eICvFW/sd3PIA/s2UgqGIoqUTAw+GMlyem7f MYGfY26or8VbKJt+JBTlYvw28TF88B+KSiRL3yB7qg4PhED20rUsMhrOWk0y8IH+F6+4zT wMdGO4QILfP+wQ+ryqAifNICm/mJGzFmdRismTzzWHSfDa8U4jGmVxlYu1Qu5EXg7hWjKQ 6D74r0kY/Kxeg8oVvCKYzfN6EO/iTLZA9cjAthC4r4vP6WJTi7uegf1baTamfkkSvMLOIN bz2l2eI6zPR6NVExpy9ZczXiZl8sDNm+E2dDeADLiIY327UUezhQoSGWHnN/Gg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:09.elf Security Advisory The FreeBSD Project Topic: Out of bound read in elf_note_prpsinfo() Category: core Module: kernel Announced: 2022-08-09 Credits: Josef 'Jeff' Sipek Affects: All supported versions of FreeBSD. Corrected: 2022-08-09 19:47:32 UTC (stable/13, 13.1-STABLE) 2022-08-09 20:00:43 UTC (releng/13.1, 13.1-RELEASE-p1) 2022-08-09 19:59:14 UTC (releng/13.0, 13.0-RELEASE-p12) 2022-08-09 19:57:35 UTC (stable/12, 12.3-STABLE) 2022-08-09 19:59:47 UTC (releng/12.3, 12.3-RELEASE-p6) CVE Name: CVE-2022-23089 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Process information known as "prpsinfo" is written when dumping core of a process as an ELF note. The sbuf family of functions allows one to safely allocate, compose and release strings in kernel or user space. II. Problem Description When dumping core and saving process information, proc_getargv() might return an sbuf which have a sbuf_len() of 0 or -1, which is not properly handled. III. Impact An out-of-bound read can happen when user constructs a specially crafted ps_string, which in turn can cause the kernel to crash. IV. Workaround The system administrator can workaround this issue by disabling coredump. This can be done by adding: kern.coredump=0 to /etc/sysctl.conf and run `service sysctl start`. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. A reboot is required after applying the fix. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:09/elf.patch # fetch https://security.FreeBSD.org/patches/SA-22:09/elf.patch.asc # gpg --verify elf.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 8a44a2c644fc stable/13-n252079 releng/13.1/ 69a456c0b60b releng/13.1-n250152 releng/13.0/ 056ffc74a769 releng/13.0-n244804 stable/12/ r372376 releng/12.3/ r372380 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmLyz1EACgkQ05eS9J6n 5cJ6tw//VycxB1Il6TKajIo9VQE5lN1M/h1j0fbyUokXWpcGH/+iGl4sLkxtrFuv Ekjshp9AezGgSIWCEdcwx8ck3LUeU0kVhAjcJjI/p+YfSWcWlLTQk13/Z3FsF6pv EK1VjKDiMpZHbddbkvY2q4JKIdO2UXgBYwtshvwHL+Y8Ev2cxvJdQfwtclf+N0Q6 Shgf25XPqkrG9vCJ30ldlJs902PoHKyGUOqU0+4741rcaZBjeF26RQPOXT+z4yQz RpVQvyQ01OnXgXO8X+7hoW83m3C7hNz5KnmX5YLMQCBUgYjBk4edeOlnq1wnRTtW k0qPdkIa5Rj8Yq8k+VP3PMiKezXOmxrmXUV16j64KZM9+r0eNPYx0C8sgkLZSrRe osk57jIYtI0M7fTVNlhMY7uCLFaK3xHb+/Md+ExpCs79ZbH+CxgnU+HPyIIVV4zX RhDRAh/w/MVKcHJM7y2TM6VDDhiLNqWeV9ruMj92ZnkB+QnRqrah53JUlo8PQcFn oDfe/pSGhchpjwyhwHoXTBQNQjUlbm/7iC95D0UdtfuH2eFcSdDq6aWMO5amxui0 Kkm+nswlYIpJsq3Addu2pEEhh2DHIwF9wiz8DKFJ1et+BF+GW+V4XKvXSd8sO7j3 19GK3xtf9cGnYYoPBpNSxuFLP+zcb+1gXTX+N9gG1EqQfXdjMtI= =lK0G -----END PGP SIGNATURE----- From nobody Tue Aug 9 22:35:31 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4M2SZX1YbPz4YRWB for ; Tue, 9 Aug 2022 22:35:32 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4M2SZX0bXQz3MXd; Tue, 9 Aug 2022 22:35:32 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660084532; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=PLggPPiTmTIGc61O9vC2bsdgFhLKovXCqaSFsOIwp34=; b=iz7dYCnSH52acEw3bAwgdUIH4DCYOvrTvOq1HZjyte4rjXVVarolb0S+NSkCDwHbGtRxMS DyxWReK/3hsjwYZxhB9kqxvxip9pPL6/W5BvOaKRqf1fQv6ov+IvXxESi/g4tG5NJMTXsQ o/wKjwmdFVLypJpHO2HImgRtpCmvDlbgziCH+q6LzeY4oa9zTANEYhwNtWl+PPkIIe0aDl rBtSdcaiAPXHLCx7PrXUpEUFk69+0LbTRHeNEiGU4mWh2qykAk5JAWhVsgT8gG9iRDjBDX DHQeC9LfWhcYEmKaS1FIj0NWGVWZ6VJUGbAfWAC54Ldp1SbeH5dPIi++9gG7Hw== Received: by freefall.freebsd.org (Postfix, from userid 945) id CDF73173A6; Tue, 9 Aug 2022 22:35:31 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:10.aio Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220809223531.CDF73173A6@freefall.freebsd.org> Date: Tue, 9 Aug 2022 22:35:31 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660084532; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=PLggPPiTmTIGc61O9vC2bsdgFhLKovXCqaSFsOIwp34=; b=moVDXwm+3nadPC2O1OUqmsGdcdLJUWzuxcLbpo9GzN4bHDiM9LOvpnWVqZBVMFhQdgM/1g DGy/tWnolEBmwZkO41tMx8BKABKY79IFwkkNppF5Lem+75yhIcgry/j8UQu3t7i9rj4TCn 7B7B4HsH2P6vhbXqb/gYoYqOZr8Bd1CCzCx3lzzIDYEEJVPfdSWm4SBeVITYT2IgYqkKZY Akj08JCbLbobuHIcrJs82+qOVpXWxTbaR9dwlau5X/7YCONLLja+sqHmIPutkM0hDh8PN2 /POxWhxW27mE3+RmmgceO/hgmjEmi87DabQyrR1VNWObzhAZsAoyPIIGuLDI6g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1660084532; a=rsa-sha256; cv=none; b=xQaKL8o7Jqz6iEEzUOJi7cN4xCVOhjbfCnWJPKfPwWEycgclPM08hRgaxvAVmArB5myofN aHdZXZ3yjwW1dU/ttjEX7aBqLaXfOhlMd5oGAh7GP8ldipDa66mc3fHc14TsENET3PoEv5 21d3Gu+1p2GvZoxDA1F8YX7a//JnEGPTmcuT6VHmolH5HTcT+u7/lffi9Yu9lulgxlcypM HKoJ5Rs0MTmwi9TxyVrADNwDOKsydlyqXAvUBpD90gmlQ1M9kPoRPQfXwdJ21lEgE8+xRJ FFVfiyrjA/aQ8Lx6KnFlUWyeOzT7sO/Kr8y13dtOpuFt9sBP4ok6kE+ZxN+nLw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:10.aio Security Advisory The FreeBSD Project Topic: AIO credential reference count leak Category: core Module: kernel Announced: 2022-08-09 Credits: Chris J-D Affects: FreeBSD 12.3, FreeBSD 13.0 Corrected: 2021-10-01 00:32:22 UTC (stable/13, 13.0-STABLE) 2022-08-09 20:00:24 UTC (releng/13.0, 13.0-RELEASE-p12) 2022-06-27 17:27:50 UTC (stable/12, 12.3-STABLE) 2022-08-09 19:59:44 UTC (releng/12.3, 12.3-RELEASE-p6) CVE Name: CVE-2022-23090 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD's aio(4) subsystem implements asynchronous I/O. II. Problem Description The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case. III. Impact An attacker may cause the reference count to overflow, leading to a use after free (UAF). IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.3] # fetch https://security.FreeBSD.org/patches/SA-22:10/aio.12.patch # fetch https://security.FreeBSD.org/patches/SA-22:10/aio.12.patch.asc # gpg --verify aio.12.patch.asc [FreeBSD 13.0] # fetch https://security.FreeBSD.org/patches/SA-22:10/aio.13.patch # fetch https://security.FreeBSD.org/patches/SA-22:10/aio.13.patch.asc # gpg --verify aio.13.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 9499d3c1e40d stable/13-n247480 releng/13.0/ c864c8cf08a9 releng/13.0-n244801 stable/12/ r372172 releng/12.3/ r372379 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmLyz1EACgkQ05eS9J6n 5cI0ZBAAi90yUPtPxBcshN+DldO6WSuQEWBE5XU+7Ivesns80PMF+QuQ9S/YfurC I0LNfjGe48Q4/CIfixLf3Xsari9IBmHpUPvJS3+TaoxrOLRTLv2uTCZl6mGj1iqL H4ufrtMCbaA830EAKlEfCfI6eY8eDJpKh+he86adW3qNPWewTKGeEK8Mi4st009F DcCcHquy+IC2DnZaeoO+dttKyMoyEJgvo8F0oej8Jg7OBPdW6yTuabutQkuxSur/ JChz+Gn0tKj9qtN6023T/JvDXBKsQVlURbGofHhcm5JkpFFVd0A4+2MLbAO24gJa fnYRJDaWbRHvF0joy3qbZWZ/a3iHHC+yq7jupHoOkP7yULUQRftoj2kdPPZic6eQ XcyZE3rKgk7CHJq1ofg/Ye6WTgEghWjUlp5yrTniL+uWp6YuSVZNKPvXweDpi45M segQvlLoDWG3GEhaRyvaeBkA4v1lLucdkLQCM9bAFPhq5S27lcHPf9r4jiWBR5HB yQKddJZGa5lzsiYhKfX+pJ4rQa3QPN7N1NRygXDp4WRcPCqV3r4owZNJs6rsPkVM c0+wyGZhv4jH8lRrludMeXkiusoYOHEE+hslA+xU3M+19ak7W3DkJZKvEZQgBMNs bobKi/rl0GmAJthxd+vLXmdRK8g50RhPP+Fq80eLct151DDBdd0= =7sbf -----END PGP SIGNATURE----- From nobody Tue Aug 9 22:35:35 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4M2SZb3n2Tz4YRWc for ; Tue, 9 Aug 2022 22:35:35 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4M2SZb2xCwz3Mh4; Tue, 9 Aug 2022 22:35:35 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660084535; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=LfBVSNQ0it1+f/r4SteoTFtVidc6Tr3hYyRi93Xkc2M=; b=IquMHwehBNMxkFnaXNxk6Mohe3mFLxq4KxbDxgQa9pVRqm8PwWdA14kdj1qdkUc7ZuOx7E Mum7zjIfmZB5RQymyQn6qdHlMjTncnPx0irp6F6iC2KK/oitRFq4ZWReVw+8/Ma0IzOjFR Tz2XPLzhD7XJYpSQz7/MmTpO1Ura0Om3p+Pt8CIAJnCuY4gh8CZDYvSn0AvDct0kp764o9 G7pu5WpBakPBrqmSoxWl+E6/l1QlaxlT3ZGv516T5oOpfbb774GxeSJ3NuIG+n1zX4AFBg uwVaEm5+FRgwAX9xksd2aDvbmAZd839OCXP2H628Jh9MVFWfuBX7H6RDIYbS3g== Received: by freefall.freebsd.org (Postfix, from userid 945) id 521C51724B; Tue, 9 Aug 2022 22:35:35 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:11.vm Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220809223535.521C51724B@freefall.freebsd.org> Date: Tue, 9 Aug 2022 22:35:35 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660084535; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=LfBVSNQ0it1+f/r4SteoTFtVidc6Tr3hYyRi93Xkc2M=; b=jO1TVVn4N9ZNlSgbiga27MSShIQrGG12JwzDjFQuBAWj1/dapW/Nf9BJN7k130jf5+d/+R A+5DWjYzL95jkugSYUTOWG/FsLgDIw5/n5dC2c5Axo0xWuFHTj+Uy6XaMkV9BYrdrHVPDB d0GrvMOkHVDJFPkh03HljVxOmMVp1ohQDMdmE5fikgFkkgo1cKaYRoaf9hKrFQGAFj3fr5 4lGva2k2TTNvxZYBZYyAgttad5ZdGegNZDqSY919DeBnQeGJ0HorJ85QNZRVljDitLBYzA VnFAfQluC1DR5m1l4NFtuLxClTokbIlEfmVsy3fu2C1DNhX70LVNmSwR8np/wg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1660084535; a=rsa-sha256; cv=none; b=ENDyP3PMovO4J0S21GOkoa5dE31Yg7Toe95A9ebmJYAfs/Osz8FgqtxQGe9g438r/+4shx p0bHV57QcYsCwi3lsNvevjjuYro6XuikGAEdfFbsn1W5NDO0OyCtR1hzJwPI9aUtzyAnS3 50UCuhDCo5uS1T32bIKtNtxwhDpu6UpoNlwQW/QZElQSJh8+bpqKye4n2NvFeN+V6ILbdd eLGS7tUmYLhyZOzLfr9P7vu40Se4haVZ/i7YJAa17UUaZ/Q05XvxDJuyC5Gj6iMKItUY33 RH86Q19tq0s8EA8jBSbqyZU1Lb5kTNZQuTvgjebaSIC98mKQGD9EM4fJyBCjDQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:11.vm Security Advisory The FreeBSD Project Topic: Memory disclosure by stale virtual memory mapping Category: core Module: vm Announced: 2022-08-09 Credits: Mark Johnston Affects: All supported versions of FreeBSD. Corrected: 2022-08-09 19:47:40 UTC (stable/13, 13.1-STABLE) 2022-08-09 20:01:00 UTC (releng/13.1, 13.1-RELEASE-p1) 2022-08-09 19:59:49 UTC (releng/13.0, 13.0-RELEASE-p12) 2022-08-09 19:57:38 UTC (stable/12, 12.3-STABLE) 2022-08-09 19:59:48 UTC (releng/12.3, 12.3-RELEASE-p6) CVE Name: CVE-2022-23091 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Memory mappings shared between processes are a feature of the FreeBSD virtual memory system. They may be established by unprivileged processes with the mmap(2), fork(2), and other system calls. II. Problem Description A particular case of memory sharing is mishandled in the virtual memory system. This is very similar to SA-21:08.vm, but with a different root cause. III. Impact An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read private data belonging to other processes or the kernel. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:11/vm.patch # fetch https://security.FreeBSD.org/patches/SA-22:11/vm.patch.asc # gpg --verify vm.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 3ea8c7ad90f7 stable/13-n252080 releng/13.1/ 0c88ecaa1255 releng/13.1-n250153 releng/13.0/ dd349089ff92 releng/13.0-n244805 stable/12/ r372377 releng/12.3/ r372381 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmLyz1EACgkQ05eS9J6n 5cK+mQ//V5ZGy6Hx4dfngafOWuSnC/5usXbu69iKnHQONPVZoVO72ZZKbm1fyMn7 HlDyAfhEtYuh67JNROH7KJUf3lPeHQUd/rfSbTv8usXhxeAu09/kWi74/kviDLd5 5Ocaja6DSN457c4gd6Lght1IrzDjnrL/oR8sHf7QWP0UAPjzi9CAcN5R90e7UP0u J5/w76zl4ApGu4na3CNi3OTCf4xOf4ncosOXFyZHOAsnbyXjjl0qp17MtxDpsvNn xAXOF3PvtFsO8r2MyLqRkcvPZE3n1LNvAPaI5jlVaXS6Nw7enZMqokj8XLmiUxcg FXipr9nhdL+Rihj3JjIY3uSXv7x+ZacET9cM03a9LlI7kSzfuWA+hkiDExfITJZ5 jJFqZ+PV+TvNqXfeatnOC9o2iyW0tAj7j1JPO3NEowdJSh/cpgzDfniDhm5dMA7G TTFyxCrX5ZwhbPgHwKdb6J6oVYc0v8Rlnbb4bIpIeFO/OP0QwAU0f/GnxCeTEoXn 0s26Azsi2l31HKhSha7KVz66IWCdyBjwGApC2lNM9G2zKlD4NXEr976mG9WA09wS jUM290y1uj2igdfq6gcgno37c6xQiAypDpOnOCGAL0+sbPT5ak7y/NFDFppR0uB4 x7USiGEonMNswkKHtaOf7df6RAwNQZG7F+ADwtaMlC/C+c6hlUk= =WXZW -----END PGP SIGNATURE----- From nobody Tue Aug 9 22:35:40 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4M2SZj10klz4YRxW for ; Tue, 9 Aug 2022 22:35:41 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4M2SZj0Mt6z3N7G; Tue, 9 Aug 2022 22:35:41 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660084541; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=zvZj2P75YII4T/vBzSCrwWRXkfaeqKmdx6X+pkF34Jw=; b=jfsTB49xhK/kI1zxqS9oVH8VffcN2v9pb2SPgBOcf311UogtL5cWXvUWd9x9QKFwHiRKAU g65DEaPklJeDviUjnOrhtnASvSwKXbYCpZOxEWSphMPw17+s+UWBkYTjOxxEZO2J3GJbNe HmzCsttjXxTV/oXybZm60+LIRInp1+E2rKd+9ZNAPejSjpiFXdqtpildIkppVSSSgs9dPV g6x/u7ePjaVTdFEWsFoyfEiSa9Zv5uNuPfkopFQU2wBltXqvFA1zIV7an3oBAa+9IdL+5h SVNRK8lxCkkf6FHdUFscgWfSLtOq2WWTX8gMF3VyWwhi6f5qt78v8tAKw9FW9w== Received: by freefall.freebsd.org (Postfix, from userid 945) id E015C1724D; Tue, 9 Aug 2022 22:35:40 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:12.lib9p Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220809223540.E015C1724D@freefall.freebsd.org> Date: Tue, 9 Aug 2022 22:35:40 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660084541; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=zvZj2P75YII4T/vBzSCrwWRXkfaeqKmdx6X+pkF34Jw=; b=w8bMErT5Kiqbh33Jwmq1xI3xMmpm05kXyUXplSqZ//d5Bomo4T80ZcwpQMmmKYEO0pROdN BWxL3PdTGp7mQ3V1CI8wQBW9WLXFTJ1uoauLumC5qaP0sku1k1xYUXfUVqDHUrP2rRNdwI Fx1B5dOeKDs+UNwWL2WyzDsp97JoZYuRfDxVXp69dvfV0hmJzzfawE/O70RFO+v50uzanX f+xU0n5VPHjDYQrlq9QsvEdgDeGUzbJ7B1jd1KEWzOCEt6ITjyOn5zlOx9fmVNj/Z9I8rG kj056vjqlcpxrxwYvX21TKwnFzIyTlZZIiRkufc9Ar8n3lmU/gq3NG+9+zPrHQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1660084541; a=rsa-sha256; cv=none; b=jfH171uE0++Ct3PQ/l3vtsEvlFjxI5gY+6vpN7RUlEWfkL3EWDCvTZJNUi3Um6NvBTyFhg DPVTUTdgrpQJQFFmic7rTQhZedtjY42VVM1YXeaSzCCPEYuIp9L13ljzzHF8XHoE69Nan4 QPPWY0RxZOssL1o1IZyEj4cHXYUlEPEImOehRWGPtsWAZ85JH8/+t8bjLxdGLrfVKY6EXK I1bdTeL4l2VwbsBzKV5XOyfVxHU+uP4rRxwEXeFi3wPgJty3ysEJG0VNuVsC4/6rjveApE rxyhpoJYvlDjX+3YJ1XNLsVXoaEumHONjFL3DKPYGWfN7sD1H2VNHoEWWNI8rQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:12.lib9p Security Advisory The FreeBSD Project Topic: Missing bounds check in 9p message handling Category: contrib Module: lib9p Announced: 2022-08-09 Credits: Robert Morris Affects: FreeBSD 13.0 and 13.1 Corrected: 2022-08-09 13:33:14 UTC (stable/13, 13.1-STABLE) 2022-08-09 20:01:13 UTC (releng/13.1, 13.1-RELEASE-p1) 2022-08-09 20:00:03 UTC (releng/13.0, 13.0-RELEASE-p12) CVE Name: CVE-2022-23092 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background lib9p provides an implementation of the 9p file system protocol. It is used by bhyve(8) to provide guest access to a host file system tree via the virtio-9p device model. The FreeBSD base system does not contain any other users of lib9p. II. Problem Description The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory. III. Impact The bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve's Capsicum sandbox. IV. Workaround No workaround is available. Systems not using bhyve's virtio-9p device model are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and restart any VMs utilizing virtio-9p devices. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:12/lib9p.patch # fetch https://security.FreeBSD.org/patches/SA-22:12/lib9p.patch.asc # gpg --verify lib9p.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart restart any VMs utilizing virtio-9p devices, or reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ c536045c51da stable/13-n252071 releng/13.1/ 7dfe949791e7 releng/13.1-n250154 releng/13.0/ 70a2cf7bb2e0 releng/13.0-n244806 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmLyz1IACgkQ05eS9J6n 5cI0vxAAoIkoKbB7T2cGS3k4sNM0SCB8/akhccPCVLgDc5aNnCJSD21gSWVY//Qc IoxNgYBiP5Y0t2f8y6pzE4f9IuNRwhiLMAVgNHJgf7oRvsQyUAAqv+kXiXuutYQm qYZOYM6vYk7bw6yLPwyS1S0QPWFZraBA3wRxAXLn3NcU3blKc6psPPqLuqfdR+0a 13s305/lw1uoaMYHtlS5S4rcnZm9uLPVMQZL6NMVtkLjRbuN2vUrZy81zSHVGQUN RAN8qAPXjeD22a5gy7ZIqgt07OjYn331rAPPIpNtADU0vaYzVUkwrilY8ogIIJH2 Be2NPmqbZEWTHFYcOQHWW/16rDXYXx7ZfvHHYzsrId+9G97I/nTMmN8dPeUJTtgh syG6DSsbrYmssfGDXFX/nTdKDcT5UkNE3W3er7+RwQ54d9SlUwuY5SyycPJNBDim 018+Gb3GobScJGwSID+DyYEHxaj9e0WmLC6tpm8ZBlZnUTrdBqxEX+xhfxsm0Yds dPVXHICXebgXzHs9RO5s4eNa+miu3W8QRkbyLmL8ReUHwsWSLS5p91hgOheHji4e 0vO5T99f11+lp1FFw9iLlpo09klsN26nGTJ4/XXtlCjD85GIJINR7JI/Fg1NRF4N S5CmUPVutyvzGPkrNVUI9QwL/O0CEg55KTiqtQKjgjCCHhChZ+0= =ILeT -----END PGP SIGNATURE----- From nobody Tue Aug 30 23:58:03 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MHPQ41Vmbz4bc4t for ; Tue, 30 Aug 2022 23:58:04 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MHPQ360DMz3v6D; Tue, 30 Aug 2022 23:58:03 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1661903883; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=6rssDb3T9BBX2U+/3k1dpfkKUxPhuPclLo5guXBvpSk=; b=UJ6M7p5dL3MHrf9gDwSf5q5CsdAZcLol8F+ooQRGA1vcrBDK91++Ze3Wil3E2QsWTTEa2B LDZwnFKQKlbomEujWCc3o/ncs6cOt9VR5stwK5Xlho945+T3IHoHW1kqZU/k5tbkQTH4v/ OV2ccLaNZVQ6CcietzpTNTGNPwy4DLOQIUmNaJMpOvBzCy/9xrN0h7Ix+UDQb6r4DcwQhj GsCtfydx4En/rhE0bgghhuFzDGxbnpI1UPcEuwNwL5dz1hcg+XJJAfAlMSD/pwK5eKrxqs iGJLsqPXWnBsOVByaY34u69lvKTkTq8itU+FIyzMncI6Q/xrY4Xp43tB5s+yOQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id B76B110DAC; Tue, 30 Aug 2022 23:58:03 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:13.zlib Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220830235803.B76B110DAC@freefall.freebsd.org> Date: Tue, 30 Aug 2022 23:58:03 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1661903883; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=6rssDb3T9BBX2U+/3k1dpfkKUxPhuPclLo5guXBvpSk=; b=G4KI+5kY36WPR3SHtsDzoH0sprJ2jtdxSoNx8VKYmDeaB8lCgjucQ6dTU4o5M/fNb8i9D/ nQc8CJwB/f/eHXK3K4k3qwTqFZkXaWSQ8Z0VrTWaVYPrmgg7R8PSMcJTeZF5ueSP8oqhNr 1PGwhHhj0vRnpYMzpmU198fsczZe6Q4lixStOi0bDCoJ2KoPfGxXoa/l4VaPqLc/u322Gi jEruy5JjIDczT6ZePHDzg28vml8aiofXEFez6QJIUIOWfwMVqaGH+mD67oLGsL/efFeiTf YFgSRbWTYb+sKnYjJ13uPvfbyqdEJrqsOzBSiYJltvRXIAFWGe/hT8dV7DNdsw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1661903883; a=rsa-sha256; cv=none; b=e+yHnikH++WW5RnLf1bYQmRAIPwn3a5QW2B0j5FAEnVq1pMDU/Q5IB70Hpaf2DX6gCK71I fLEkGWRLvD17ySThvxw7FXjFpVt9yJcYgDjHl3ac7yJ1fwzDJAIcAmnfPeJb1LL1oJgnli UcbxsiiJVoqIfWT6thbJXFmvWVrEf8XnoTE0caJLz1Hz4KaUCrIyq1nfkJ+8RJYvBBnsAF uQmdiSeeHjlx3KBqWUbTf8Kx/Ys9T1YO4E6SKFl0k62AUeEbjWMerCug/wuj7pVP2LYGqK aGOYLOY46tAdJzyRC967cSA93JMrX/a04XhO/vVGt3uobUrl52gUygR/CVnpMg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:13.zlib Security Advisory The FreeBSD Project Topic: zlib heap buffer overflow Category: contrib Module: zlib Announced: 2022-08-30 Credits: Evgeny Legerov of @intevydis Affects: All supported versions of FreeBSD. Corrected: 2022-08-09 14:40:35 UTC (stable/13, 13.1-STABLE) 2022-08-30 23:02:48 UTC (releng/13.1, 13.1-RELEASE-p2) 2022-08-30 22:57:49 UTC (releng/13.0, 13.0-RELEASE-p13) 2022-08-09 14:45:04 UTC (stable/12, 12.3-STABLE) 2022-08-30 23:16:45 UTC (releng/12.3, 12.3-RELEASE-p7) CVE Name: CVE-2022-37434 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background zlib is a software library implementing compression and decompression. It is used in various places in the FreeBSD kernel and userland. II. Problem Description zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. III. Impact Applications that call inflateGetHeader may be vulnerable to a buffer overflow. Note that inflateGetHeader is not used by anything in the FreeBSD base system, but may be used by third party software. IV. Workaround No workaround is available, but applications that do not call inflateGetHeader are not vulnerable. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and restart daemons if necessary. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:13/zlib.patch # fetch https://security.FreeBSD.org/patches/SA-22:13/zlib.patch.asc # gpg --verify zlib.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 10cc2bf5f7a5 stable/13-n252073 releng/13.1/ 289231c9634a releng/13.1-n250156 releng/13.0/ 77cd23716ffb releng/13.0-n244808 stable/12/ r372370 releng/12.3/ r372460 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmMOoG4ACgkQ05eS9J6n 5cIITA//WMND8i3L8agw4QBMZTmL8M6bbbKK+eua7bhH4MNxguruULwcWNoHvhuO +ebgomd4cWlPfY2TJcpd9OCXCjuMGMLvwE6XmPlGzW5DuMdD893wWPdsYJtDK+6p yMSihFyZP+ELWFbLeO3SFedRRKBQiDEmO3X2oOR1Ukj5wjsUOFPv0/dLphyBiq3t 3tn/0O9NfAmyONvHSozoVs34MIFC9Qc/8oxlp5wKjomFn6OifPRwNu4yeWDfVL/c 11IwotsKNTR6QNckdNBwbFC2NwdWfl8Tqv7gbJ3PhXDlzCDC5hOQoIeOol3Nf8et 9+FjCr9y/jTH0tzEHCgevO3U711UZYIu2s+STHTlJRNly/n+2CMG+YOn1XkKtu6A 4x4Pw+YRHl5VesQCNcJOkwVwRiyrirp5yOaaUPhSKo0teykypgV/WS9Z1U0VVfGP xgxJ7ElcT2HoNiz06QUSG374dPyEBKqoZTo/g2tJ0mL17JLW7IAtlUpIHzU475YR 1itARL0z7O3bbUa/h35LxRTCxT2Ojt0qZO9WsS4dIraz2gb8QbHkgUXETnLAx9Ih UwaPrLGkzqpMjkQFASDS+LeacFOZARdxT/tUFwTRCQI27Aujl1OJzy7t0drL5I9f pO529OH4plSsT0x4j89tAUZxIHB2RQet94777vP4T0J5UcBegxc= =y87U -----END PGP SIGNATURE----- From nobody Sun Sep 4 16:42:24 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MLHWC3DbQz4c9Sw for ; Sun, 4 Sep 2022 16:42:31 +0000 (UTC) (envelope-from Axel.Rau@Chaos1.DE) Received: from mailout5.lrau.net (mailout5.lrau.net [IPv6:2a05:bec0:26:5::73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mailout5.lrau.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MLHWB4NGcz3tMT for ; Sun, 4 Sep 2022 16:42:30 +0000 (UTC) (envelope-from Axel.Rau@Chaos1.DE) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=chaos1.de; s=2022; h=To:Date:Message-Id:Subject:Mime-Version:Content-Transfer-Encoding: Content-Type:From:Sender:Reply-To:Cc:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=VRzxJ4elhEMtghhlh+geOj+C/kB3ciAetoxirvK+1Q4=; b=QfEItGScup2UzbzrJeKjb9RgHJ Y46vy20gSG0A54Rs6hd5FMde0+PIO8+pcMfVm4ed1yFX02IRoO0FZTWXhv0no+sywjl02uxuALrlG zaXdfwwNOeG0Pyg0M8tQuOuiiW+57JWZHHM0NUqGgyMA+AQf/PhD4M25yf9ql4mBcQHMZ/ZG+Cql1 sKhTAFAkhwDWAPF8OiPWEJ/vmHDGvSNL8wIjGkVep+0poggN5X6w7JjZqkDItlzv2EXKnNxe6wuCG /wAv8fxYHBx4sRdaS876mddszjxV2UkVIiW1t/PQyzeJ9N6yTbzguPdGJww6fy9kvX5KDyL5HGxiZ DSWcqhXg==; Received: from [2a05:bec0:26:5::74] (helo=imap5.lrau.net) by mailout5.lrau.net with esmtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1oUshW-000HMa-7D for FreeBSD-security@FreeBSD.org; Sun, 04 Sep 2022 16:42:26 +0000 Received: from Axel.Rau@Chaos1.DE by imap5.lrau.net (Archiveopteryx 3.2.0) with esmtpsa id 1662309745-10753-8168/7/2; Sun, 4 Sep 2022 16:42:25 +0000 From: Axel Rau Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 Subject: pkg 1.18.4 refuses local CAcert on 13.1-RELEASE-p2 Message-Id: Date: Sun, 4 Sep 2022 18:42:24 +0200 To: FreeBSD-security@FreeBSD.org X-Mailer: Apple Mail (2.3608.120.23.2.7) X-Rspamd-Queue-Id: 4MLHWB4NGcz3tMT X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=chaos1.de header.s=2022 header.b=QfEItGSc; dmarc=none; spf=none (mx1.freebsd.org: domain of Axel.Rau@Chaos1.DE has no SPF policy when checking 2a05:bec0:26:5::73) smtp.mailfrom=Axel.Rau@Chaos1.DE X-Spamd-Result: default: False [-2.90 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.998]; MV_CASE(0.50)[]; R_DKIM_ALLOW(-0.20)[chaos1.de:s=2022]; MIME_GOOD(-0.10)[text/plain]; RCVD_IN_DNSWL_LOW(-0.10)[2a05:bec0:26:5::73:from]; DWL_DNSWL_NONE(0.00)[chaos1.de:dkim]; R_SPF_NA(0.00)[no SPF record]; MLMMJ_DEST(0.00)[FreeBSD-security@FreeBSD.org]; RCVD_IN_DNSWL_NONE(0.00)[2a05:bec0:26:5::74:received]; FROM_EQ_ENVFROM(0.00)[]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:197071, ipnet:2a05:bec0::/29, country:DE]; TO_MATCH_ENVRCPT_ALL(0.00)[]; ARC_NA(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_NONE(0.00)[]; FROM_HAS_DN(0.00)[]; DKIM_TRACE(0.00)[chaos1.de:+]; DMARC_NA(0.00)[chaos1.de]; MID_RHS_MATCH_FROM(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_VIA_SMTP_AUTH(0.00)[] X-ThisMailContainsUnwantedMimeParts: N While accessing my local poudriere repo I=E2=80=99m getting - - - Bootstrapping pkg from https://some_fqdn/131amd64-default, please wait... Certificate verification failed for some_internal_CA 34391269376:error:1416F086:SSL \ routines:tls_process_server_certificate:certificate \ verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: - - - but openssl verify shows successful verification: - - - # openssl s_client -connect some_fqdn:443 -6 -verify_return_error | grep = verify depth=3D1 some_internal_CA verify return:1 depth=3D0 CN =3D some_fqdn verify return:1 - - - some_fqdn is defined in /etc/hosts only. related repo.conf has: - - - some-repo: { url: "https://some_fqdn/131amd64-default" , mirror_type: "HTTP", enabled: yes, IP_VERSION =3D 6, signature_type: "pubkey", pubkey: /usr/local/etc/ssl/certs/repo.cert priority: 5 } - - - Any help appreciated, Axel =2D-- PGP-Key: CDE74120 =E2=98=80 computing @ chaos claudius From nobody Sun Sep 4 17:37:46 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MLJl75t8yz4cHtG for ; Sun, 4 Sep 2022 17:37:55 +0000 (UTC) (envelope-from ml@netfence.it) Received: from soth.netfence.it (mailserver.netfence.it [78.134.96.152]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mailserver.netfence.it", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MLJl65HsSz41MW for ; Sun, 4 Sep 2022 17:37:54 +0000 (UTC) (envelope-from ml@netfence.it) Received: from [10.1.2.18] (alamar.local.netfence.it [10.1.2.18]) (authenticated bits=0) by soth.netfence.it (8.17.1/8.17.1) with ESMTPSA id 284HbksW040281 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO) for ; Sun, 4 Sep 2022 19:37:46 +0200 (CEST) (envelope-from ml@netfence.it) X-Authentication-Warning: soth.netfence.it: Host alamar.local.netfence.it [10.1.2.18] claimed to be [10.1.2.18] Message-ID: Date: Sun, 4 Sep 2022 19:37:46 +0200 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:91.0) Gecko/20100101 Thunderbird/91.13.0 Subject: Re: pkg 1.18.4 refuses local CAcert on 13.1-RELEASE-p2 Content-Language: en-US To: freebsd-security@freebsd.org References: From: Andrea Venturoli In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 4MLJl65HsSz41MW X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=pass (policy=none) header.from=netfence.it; spf=pass (mx1.freebsd.org: domain of ml@netfence.it designates 78.134.96.152 as permitted sender) smtp.mailfrom=ml@netfence.it X-Spamd-Result: default: False [-3.80 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-1.000]; DMARC_POLICY_ALLOW(-0.50)[netfence.it,none]; R_SPF_ALLOW(-0.20)[+ip4:78.134.96.152]; MIME_GOOD(-0.10)[text/plain]; ASN(0.00)[asn:35612, ipnet:78.134.0.0/17, country:IT]; R_DKIM_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; FROM_HAS_DN(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_MATCH_ENVRCPT_ALL(0.00)[]; HAS_XAW(0.00)[]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N On 9/4/22 18:42, Axel Rau wrote: > While accessing my local poudriere repo I’m getting > - - - > Bootstrapping pkg from https://some_fqdn/131amd64-default, please wait... > Certificate verification failed for some_internal_CA > 34391269376:error:1416F086:SSL \ > routines:tls_process_server_certificate:certificate \ > verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: > - - - > but openssl verify shows successful verification: Can you try getting /usr/local/etc/ssl/cert.pem out of the way? Possibly /etc/ssl/cert.pem too, if you have it. I have the same problem and I solve it by deleting that file. Unfortunately it's recreated every time ca_root_nss is upgraded. bye av. From nobody Sun Sep 4 17:44:48 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MLJv75Xnnz4cJdK for ; Sun, 4 Sep 2022 17:44:51 +0000 (UTC) (envelope-from cmt@burggraben.net) Received: from smtp.burggraben.net (smtp.burggraben.net [IPv6:2a01:4f8:140:510a::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.burggraben.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MLJv70vf1z4308 for ; Sun, 4 Sep 2022 17:44:51 +0000 (UTC) (envelope-from cmt@burggraben.net) Received: from elch.exwg.net (elch.exwg.net [IPv6:2001:470:7120:1:127b:44ff:fe4f:148d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "elch.exwg.net", Issuer "R3" (not verified)) by smtp.burggraben.net (Postfix) with ESMTPS id D5D25C0031A; Sun, 4 Sep 2022 19:44:48 +0200 (CEST) Received: by elch.exwg.net (Postfix, from userid 1000) id 515443AB1D; Sun, 4 Sep 2022 19:44:48 +0200 (CEST) Date: Sun, 4 Sep 2022 19:44:48 +0200 From: Christoph Moench-Tegeder To: Axel Rau Cc: FreeBSD-security@freebsd.org Subject: Re: pkg 1.18.4 refuses local CAcert on 13.1-RELEASE-p2 Message-ID: References: List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/2.2.7 (2022-08-07) X-Rspamd-Queue-Id: 4MLJv70vf1z4308 X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of cmt@burggraben.net designates 2a01:4f8:140:510a::3 as permitted sender) smtp.mailfrom=cmt@burggraben.net X-Spamd-Result: default: False [-3.50 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.998]; RCVD_IN_DNSWL_MED(-0.20)[2a01:4f8:140:510a::3:from]; R_SPF_ALLOW(-0.20)[+ip6:2a01:4f8:140:510a::3]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_TWO(0.00)[2]; MIME_TRACE(0.00)[0:+]; FROM_EQ_ENVFROM(0.00)[]; MLMMJ_DEST(0.00)[FreeBSD-security@freebsd.org]; R_DKIM_NA(0.00)[]; ARC_NA(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; ASN(0.00)[asn:24940, ipnet:2a01:4f8::/32, country:DE]; FREEFALL_USER(0.00)[cmt]; TO_MATCH_ENVRCPT_SOME(0.00)[]; FROM_HAS_DN(0.00)[]; DMARC_NA(0.00)[burggraben.net]; TO_DN_SOME(0.00)[]; RCVD_TLS_LAST(0.00)[] X-ThisMailContainsUnwantedMimeParts: N ## Axel Rau (Axel.Rau@Chaos1.DE): > but openssl verify shows successful verification: > - - - > # openssl s_client -connect some_fqdn:443 -6 -verify_return_error | grep verify > depth=1 some_internal_CA Home-brewed CA? Sure that the extensions have been set correctly? (Most commonly missed/wrong is the CA flag in Basic Constraints). Standard openssl verification is not helpful, you'll need at least "-strict -policy_check". TL;DR: use Let's Encrypt. Regards, Christoph -- Spare Space From nobody Thu Sep 15 13:45:14 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MSz3m0x3Hz4cJ87; Thu, 15 Sep 2022 13:45:24 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [95.217.20.81]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4MSz3l1TVdz3vSq; Thu, 15 Sep 2022 13:45:23 +0000 (UTC) (envelope-from des@des.no) Received: from ltc.des.no (unknown [84.211.31.80]) by smtp.des.no (Postfix) with ESMTPSA id AE3CF25C81; Thu, 15 Sep 2022 13:45:14 +0000 (UTC) Received: by ltc.des.no (Postfix, from userid 1001) id 3763E92A05; Thu, 15 Sep 2022 15:45:14 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: freebsd-hackers@freebsd.org, freebsd-current@freebsd.org, freebsd-security@freebsd.org Subject: Putting OPIE to rest User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (berkeley-unix) Date: Thu, 15 Sep 2022 15:45:14 +0200 Message-ID: <86h718sqdx.fsf@ltc.des.no> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4MSz3l1TVdz3vSq X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of des@des.no designates 95.217.20.81 as permitted sender) smtp.mailfrom=des@des.no X-Spamd-Result: default: False [-2.58 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.999]; R_MIXED_CHARSET(0.71)[subject]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; FROM_EQ_ENVFROM(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; MLMMJ_DEST(0.00)[freebsd-current@freebsd.org,freebsd-hackers@freebsd.org,freebsd-security@freebsd.org]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:95.217.0.0/16, country:DE]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[des]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_NONE(0.00)[]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[des.no]; RCVD_VIA_SMTP_AUTH(0.00)[] X-ThisMailContainsUnwantedMimeParts: N I will be removing OPIE from the main branch within the next few days. It has long outlived its usefulness. Anyone still using it should look into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator). https://reviews.freebsd.org/D36592 DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From nobody Thu Sep 15 13:52:11 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MSzCd6csxz4cK0W for ; Thu, 15 Sep 2022 13:52:13 +0000 (UTC) (envelope-from jhellenthal@dataix.net) Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MSzCd2dpTz40Vm for ; Thu, 15 Sep 2022 13:52:13 +0000 (UTC) (envelope-from jhellenthal@dataix.net) Received: by mail-qk1-x732.google.com with SMTP id o7so9551556qkj.10 for ; Thu, 15 Sep 2022 06:52:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dataix.net; s=net; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date; bh=5LkgE3tDrox8rJYQ3si1VV6Ena9Gl81g/dVaXnMeNxc=; b=TJSKBnQUrPacr8r8siAYq5ODN5cju3U1epxhUClUuLFiic0cx8Iz4wBnJ0Hjp+VsSx Q7nu5L+IO/Od4Yedzs29eR55yR5j5zHQP2OqTYCxSYixXqynffT5vzkJ15D80Q5phqmO yWBPgGP/NnxhLEYGzc6RYlhMcTipCxVMk3Ijg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date; bh=5LkgE3tDrox8rJYQ3si1VV6Ena9Gl81g/dVaXnMeNxc=; b=lU09+PG9E24t12GYqapp+PwekF9WT+HKQzXEIEKxwIRT4RCySVVohCb5xf9NjyHV8/ sm2Tb1jZG2PeeRiDOHf3aPMRnKbfQzXbMrPZpo/ORuT43PZsTqPI3qFH7TpQ/L1ePuJc GFs5DGm2OwToo9pOCFql7ahFVYonMBNxpQJ6eyoiIbl/MnaRM1ZjKjTgm9sq7Wil2saj TKrkndcAB8N8NlvUhFWMM+P5hKUgMwU20wC9ljoCTR7TnydVHBcXKAMj+wMILQRyWTK5 zpZbBW+hwZlk07hgBTeWCysFCgWfkQfAI0HgjLtHolvo5LmP6GnN/u2VkSkjZXPOYEQy e+VA== X-Gm-Message-State: ACrzQf2Xn4KRnX+kVDt0az/ksAX3KGwA0F0cCzOPg3bmW6LGbgtJJCuQ YFGhYVW57R7I+XGSNRVkK3I+ZQ== X-Google-Smtp-Source: AMsMyM659m4X9I7FxKzZvcot+T4pnVR+GYbPh+gseMco51cWmDy+NiiYVGCexjx2/17+UtF1TUN5Ng== X-Received: by 2002:a37:b8e:0:b0:6cb:e112:b9b0 with SMTP id 136-20020a370b8e000000b006cbe112b9b0mr62446qkl.155.1663249932679; Thu, 15 Sep 2022 06:52:12 -0700 (PDT) Received: from smtpclient.apple (2603-6000-ca01-b73e-0c2d-5461-9672-0ab5.res6.spectrum.com. [2603:6000:ca01:b73e:c2d:5461:9672:ab5]) by smtp.gmail.com with ESMTPSA id f11-20020a05620a280b00b006af3f3b385csm4493701qkp.98.2022.09.15.06.52.12 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 15 Sep 2022 06:52:12 -0700 (PDT) Content-Type: text/plain; charset=utf-8 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: REDACTED Subject: Re: Putting OPIE to rest From: "J. Hellenthal" X-Mailer: REDACTED In-Reply-To: <86h718sqdx.fsf@ltc.des.no> Date: Thu, 15 Sep 2022 08:52:11 -0500 Cc: freebsd-hackers@freebsd.org, freebsd-current@freebsd.org, freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: References: <86h718sqdx.fsf@ltc.des.no> To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= X-Rspamd-Queue-Id: 4MSzCd2dpTz40Vm X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=dataix.net header.s=net header.b=TJSKBnQU; dmarc=pass (policy=quarantine) header.from=dataix.net; spf=pass (mx1.freebsd.org: domain of jhellenthal@dataix.net designates 2607:f8b0:4864:20::732 as permitted sender) smtp.mailfrom=jhellenthal@dataix.net X-Spamd-Result: default: False [-3.49 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-1.000]; DMARC_POLICY_ALLOW(-0.50)[dataix.net,quarantine]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; R_DKIM_ALLOW(-0.20)[dataix.net:s=net]; MIME_GOOD(-0.10)[text/plain]; XM_UA_NO_VERSION(0.01)[]; RCVD_TLS_LAST(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::732:from]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[]; DKIM_TRACE(0.00)[dataix.net:+]; RCPT_COUNT_THREE(0.00)[4]; TO_DN_SOME(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MID_RHS_MATCH_FROM(0.00)[] X-ThisMailContainsUnwantedMimeParts: N Condolences to OPIE & his family of devs ! =F0=9F=A5=80=F0=9F=A5=80=F0=9F=A5= =80=F0=9F=A5=80=F0=9F=A5=80=F0=9F=A5=80=F0=9F=A5=80 ;) > On Sep 15, 2022, at 08:45, Dag-Erling Sm=C3=B8rgrav = wrote: >=20 > I will be removing OPIE from the main branch within the next few days. > It has long outlived its usefulness. Anyone still using it should = look > into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator). >=20 > https://reviews.freebsd.org/D36592 >=20 > DES > --=20 > Dag-Erling Sm=C3=B8rgrav - des@des.no >=20 --=20 J. Hellenthal The fact that there's a highway to Hell but only a stairway to Heaven = says a lot about anticipated traffic volume. From nobody Thu Sep 15 23:00:32 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MTCNP1Y1Dz4ccTf; Thu, 15 Sep 2022 23:00:37 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MTCNN3ZZTz3xhp; Thu, 15 Sep 2022 23:00:36 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-pl1-x62c.google.com with SMTP id l10so19750158plb.10; Thu, 15 Sep 2022 16:00:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:from:to:cc:subject:date; bh=gLruk2nidha8R62TkgaOHg0e26WXRaBz3m5BXBrVhoo=; b=G+LD/RKdVCweubJZ8OqPVD+lS6expHB+ecnO/BJYeuw1CGsYfypoUTSLCu5p0UGdSj /8Zh9YitukTG5y8qeXte+gQbtQ4UlRkpToPMyWpwQoXZnQ2QHJNb0/+CnqAy88p1R8OW ntzh64FVYfb96OBZ8qmjBesnMJoaRHVZ3bikZfPXd1h5dIl4iGdgYfnpTV3mYA6+Fuad mcuTbnwslkmD1otpOYjEztQzxCADTQ2eb60tVMEFFL/MeZ5RqVVnE9t+Ms5WfuBgYixB jve7uxIeAmz8qXhtzdUfzdyaFgA/DNWcCi0gs9GgBw5FHIeu607FGewANv9TQ2IlCkN2 V/kg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:x-gm-message-state:from:to:cc :subject:date; bh=gLruk2nidha8R62TkgaOHg0e26WXRaBz3m5BXBrVhoo=; b=FkXk7AVzIla3AqmrszoSxQZX/Zt5cNq0wL/bxeaWnhULmT6LbNi2hSTQpV0zfnBXRW v4xFfaIl1kkEmD/ae6rmRHPpiqkUyZrmb0VbdSWyjZQHUYGeR8ZEHCnOdJRf+cfwQy28 RGi8+oT0PLShmfSsNur5Fq+PD4jDZAtbKTHEmRgIWGeoWkemsh7I1i3xeE7hc/DD4T8I O+XDSJN92FYP+eVTtbsyRxRq5CWoQBkvveIdOkLIqjpiTKZXZU5ORQeitVMb7r8sqKmT MH2ljlbsPtX3lneLNKSfHl2DxYyot8GuHMOvvBMBnYHomrBvwb5s7x9l/wAqgLB/3W2N Tetw== X-Gm-Message-State: ACrzQf1FTWdJLyyvk3VB5Ohxd5hYSn6W4YJEHUaOXIzsE8Lz6XQbWFcc I1vxD5CQbcOP5FbMtzRZMCJKXlbgKOM6psDdjcunVmcT/Zen1c3Sj38= X-Google-Smtp-Source: AMsMyM4N7Vm064HzmmxQ4iU4V/a5hF2nVDIZRdQ0fmLAB/FPeclm+1E6rswlQ0njFisCA9FdkU2OVv/sDs4XODDRYPE= X-Received: by 2002:a17:902:f682:b0:178:3ede:a12f with SMTP id l2-20020a170902f68200b001783edea12fmr1857064plg.26.1663282833258; Thu, 15 Sep 2022 16:00:33 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a17:902:ccc9:b0:175:41cd:2693 with HTTP; Thu, 15 Sep 2022 16:00:32 -0700 (PDT) In-Reply-To: <86h718sqdx.fsf@ltc.des.no> References: <86h718sqdx.fsf@ltc.des.no> From: grarpamp Date: Thu, 15 Sep 2022 19:00:32 -0400 Message-ID: Subject: Re: Putting OPIE to rest To: freebsd-security@freebsd.org Cc: freebsd-hackers@freebsd.org, freebsd-current@freebsd.org, des@des.no Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4MTCNN3ZZTz3xhp X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b="G+LD/RKd"; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::62c as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-2.53 / 15.00]; NEURAL_HAM_MEDIUM(-0.86)[-0.857]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; NEURAL_HAM_LONG(-0.48)[-0.475]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; NEURAL_HAM_SHORT(-0.20)[-0.199]; MIME_GOOD(-0.10)[text/plain]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org,freebsd-hackers@freebsd.org,freebsd-current@freebsd.org]; FREEMAIL_ENVFROM(0.00)[gmail.com]; FROM_EQ_ENVFROM(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::62c:from]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MIME_TRACE(0.00)[0:+]; ARC_NA(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; FROM_HAS_DN(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; FREEMAIL_FROM(0.00)[gmail.com]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_NONE(0.00)[]; RCVD_TLS_LAST(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-ThisMailContainsUnwantedMimeParts: N On 9/15/22, Dag-Erling Sm=C3=B8rgrav wrote: > I will be removing OPIE from the main branch within the next few days. > It has long outlived its usefulness. Anyone still using it should look > into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator). > https://reviews.freebsd.org/D36592 At least so long as PAM remains available, OPIE should be maintained as a PAM option, and be updated. OPIE is the only PAM that allows printing out the future secure tokens. Old school, secure, it just works. HOTP requires hardware, TOTP requires time, neither are printable, both of those require some other [hackable] hw/sw device that costs $$$ money, and those devices all have different threat/failure/admin models than simple paper. If people don't like... - The hash algo, a volunteer committer can update it to sha256. - The list of words, a volunteer committer can update it to read from a list of admin supplied words in: /etc/opie_words.txt - The number of words, a volunteer committer can add an option to the config for that. - The writeable state breaking in a read-only root, a volunteer committer can add a config option to point that elsewhere. - The randomness, a volunteer committer can update it to modern randomness. And if people still don't like it, then commit those simple updates, and push it out to ports, instead of killing users use of it. From nobody Thu Sep 15 23:38:35 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MTDDS5yNsz4cjNY; Thu, 15 Sep 2022 23:38:48 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [IPv6:2a01:4f9:c011:3eaf::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4MTDDQ4L09z46Rd; Thu, 15 Sep 2022 23:38:46 +0000 (UTC) (envelope-from des@des.no) Received: from ltc.des.no (unknown [84.211.31.80]) by smtp.des.no (Postfix) with ESMTPSA id A302D26161; Thu, 15 Sep 2022 23:38:35 +0000 (UTC) Received: by ltc.des.no (Postfix, from userid 1001) id 435B4924D4; Fri, 16 Sep 2022 01:38:35 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: grarpamp Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org, freebsd-current@freebsd.org Subject: Re: Putting OPIE to rest In-Reply-To: (grarpamp@gmail.com's message of "Thu, 15 Sep 2022 19:00:32 -0400") References: <86h718sqdx.fsf@ltc.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (berkeley-unix) Date: Fri, 16 Sep 2022 01:38:35 +0200 Message-ID: <86czbwryx0.fsf@ltc.des.no> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4MTDDQ4L09z46Rd X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of des@des.no designates 2a01:4f9:c011:3eaf::2 as permitted sender) smtp.mailfrom=des@des.no X-Spamd-Result: default: False [-2.67 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-0.999]; NEURAL_HAM_LONG(-1.00)[-0.999]; NEURAL_HAM_SHORT(-1.00)[-0.999]; R_MIXED_CHARSET(0.62)[subject]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; FREEMAIL_TO(0.00)[gmail.com]; ASN(0.00)[asn:24940, ipnet:2a01:4f9::/32, country:DE]; MIME_TRACE(0.00)[0:+]; MLMMJ_DEST(0.00)[freebsd-current@freebsd.org,freebsd-hackers@freebsd.org,freebsd-security@freebsd.org]; R_DKIM_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; FREEFALL_USER(0.00)[des]; ARC_NA(0.00)[]; RCVD_TLS_LAST(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; DMARC_NA(0.00)[des.no]; RCVD_VIA_SMTP_AUTH(0.00)[] X-ThisMailContainsUnwantedMimeParts: N grarpamp writes: > OPIE is the only PAM that allows printing out the future > secure tokens. Old school, secure, it just works. > > HOTP requires hardware, TOTP requires time, > neither are printable, both of those require some other > [hackable] hw/sw device that costs $$$ money, and > those devices all have different threat/failure/admin models > than simple paper. Neither HOTP nor TOTP require dedicated devices. HOTP codes are sequential and can be pre-generated and printed if that's what you prefer. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From nobody Sun Oct 16 17:51:37 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Mr73c0VYFz4fjSs; Sun, 16 Oct 2022 17:51:40 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-vs1-xe2d.google.com (mail-vs1-xe2d.google.com [IPv6:2607:f8b0:4864:20::e2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Mr73b0kqbz3rGF; Sun, 16 Oct 2022 17:51:39 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-vs1-xe2d.google.com with SMTP id k6so9525060vsc.8; Sun, 16 Oct 2022 10:51:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=sxK6oqqPu5Ol/+0lvQQb486TkPrbd/nR/j3PEc89wpc=; b=ZvDB0N1uFEBI+FXd6sTcml7XKWx05YWd1QUthGf647nBWAw31EpdUn5TTNsR2mfVkz 8GL032D9ObegT8kgwNe/QFGsie9iXzoqgIMlUZGyF7by+zJj0IXaaRgJdrJ6pykaFNsk /6beaZjP9hZzRocJ64GM/tHzN9Cov8n6mkBYKzlhjL7HgUvHPty+2uAg3OO0pkTDI2Sh 7K7bRCuHZN6DqoZ2xtSoeDyDEl2kkaJziUP5BjE31vmh9GHKvX8tJzbYgLNxjkmbWwBE LkYtFmMeMo/vOas4XSZ7iyydcqGDN2YqQxG4nlD7Q+TR5W+BXyGfiDuqVYahKJlQVfDj I45g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=sxK6oqqPu5Ol/+0lvQQb486TkPrbd/nR/j3PEc89wpc=; b=Frmukbhot5iY95kQxoxHBZ7gmsXipc3ijH5yJsZ5nt6mtv4XH764xfO8T3yqTQELJ8 GpkaBssurU1pW6tOUryxW8FjsLAOJrCm8ystv4n3WHQ/LOCGFpu4B4zeV3IDiahgmc2l gRygL9vKlKdbNu3Vq1M/CtyPVpTt4a29jeXyilwe7T9WY5loslX5ycAxuQFf9HfGv75S Ns37KlkLFAEZBJGz2qI3Q6xqGfdCuuwxzSSh4cpALcsfkPcGiTRccE4gXYkcdj7ZB2jv 85VNY+QNojHoQTL07Ekvf5ler/X5cK1vOJZKwmC66Xk/WKJ9bYAdE2LawQ4igWN5n4y+ T9fQ== X-Gm-Message-State: ACrzQf38opa/zn4yesMTHk7kFOuBCFKNcC/s7+uELyPdKknq43TszZ3Z shBefVMsyfY/NLa5zh4fm4ShAc+e18Wa7eFPhrTwzXyHHkyxH9lu X-Google-Smtp-Source: AMsMyM7rGNZVK6c6m3A/OtlWqEaMQ+L0yi0iNVkbGmt1/neZ5YDA1Oa+Rr+HMlyhGYkCN65emFoBW35C5WnkPrSVHEw= X-Received: by 2002:a67:b74a:0:b0:399:4161:9f94 with SMTP id l10-20020a67b74a000000b0039941619f94mr2494132vsh.1.1665942698019; Sun, 16 Oct 2022 10:51:38 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a59:8cd1:0:b0:319:151e:7726 with HTTP; Sun, 16 Oct 2022 10:51:37 -0700 (PDT) In-Reply-To: <86czbwryx0.fsf@ltc.des.no> References: <86h718sqdx.fsf@ltc.des.no> <86czbwryx0.fsf@ltc.des.no> From: grarpamp Date: Sun, 16 Oct 2022 13:51:37 -0400 Message-ID: Subject: Re: Putting OPIE to rest To: freebsd-security@freebsd.org Cc: freebsd-hackers@freebsd.org, freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-questions@freebsd.org, des@des.no Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4Mr73b0kqbz3rGF X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=ZvDB0N1u; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::e2d as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-3.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.998]; NEURAL_HAM_LONG(-0.99)[-0.993]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MIME_GOOD(-0.10)[text/plain]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::e2d:from]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org,freebsd-hackers@freebsd.org,freebsd-current@freebsd.org,freebsd-stable@freebsd.org,freebsd-questions@freebsd.org]; FREEMAIL_ENVFROM(0.00)[gmail.com]; FROM_EQ_ENVFROM(0.00)[]; ARC_NA(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; RCPT_COUNT_FIVE(0.00)[6]; RCVD_TLS_LAST(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-ThisMailContainsUnwantedMimeParts: N On 9/15/22, Dag-Erling Sm=C3=B8rgrav wrote: > Neither HOTP nor TOTP require dedicated devices. > HOTP codes are sequential and can be pre-generated... Those aren't really their intended or advertised usage models, nor do common implementations support those modes. Is FreeBSD contributing and supplying ones that do? OPIE's model already intends for and supports no-device and printout. To emphasize and extend... https://lists.freebsd.org/archives/freebsd-current/2022-September/002573.ht= ml It should also be noted that the affected scope here is not just 'FreeBSD u= sers logging into FreeBSD shell', there are also applications out there that com= pile against and use FreeBSD's libopie, some of which are in ports some are not. OPIE does not exist as a port+package, thus re POLA for users, it should not be removed until such time as one is provided. Where is discussion on these. And why isn't every other 'old, outlived, non-hipster' pam authentication plugin being arbitrarily removed and non-portified, such as say tacacs, radius, krb, rhosts, etc. And if those pam are there, why then are hip OAUTH HOTP TOTP etc type thing= s not added, lib-ified, etc. From nobody Tue Nov 8 14:56:05 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4N6B4S18fYz4XNgV; Tue, 8 Nov 2022 14:56:08 +0000 (UTC) (envelope-from rb@gid.co.uk) Received: from mx0.gid.co.uk (mx0.gid.co.uk [194.32.164.250]) by mx1.freebsd.org (Postfix) with ESMTP id 4N6B4R0jJgz3j1M; Tue, 8 Nov 2022 14:56:07 +0000 (UTC) (envelope-from rb@gid.co.uk) Authentication-Results: mx1.freebsd.org; dkim=none; spf=pass (mx1.freebsd.org: domain of rb@gid.co.uk designates 194.32.164.250 as permitted sender) smtp.mailfrom=rb@gid.co.uk; dmarc=none Received: from smtpclient.apple (gw.br-thn-01.caladan.net.uk [80.71.4.65] (may be forged)) by mx0.gid.co.uk (8.14.2/8.14.2) with ESMTP id 2A8Eu5Gn091971; Tue, 8 Nov 2022 14:56:05 GMT (envelope-from rb@gid.co.uk) Content-Type: text/plain; charset=us-ascii List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\)) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:13.zlib From: Bob Bishop In-Reply-To: <620a28b1-4c54-3eb5-2869-f8ecc86345aa@m5p.com> Date: Tue, 8 Nov 2022 14:56:05 +0000 Cc: "freebsd-security@freebsd.org" , FreeBSD Hackers Content-Transfer-Encoding: quoted-printable Message-Id: <28957C58-7FD0-42DE-9395-13C02BB59240@gid.co.uk> References: <20220830235803.BEF1110B7E@freefall.freebsd.org> <620a28b1-4c54-3eb5-2869-f8ecc86345aa@m5p.com> To: George Mitchell X-Mailer: Apple Mail (2.3696.120.41.1.1) X-Spamd-Bar: -- X-Spamd-Result: default: False [-2.70 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-0.999]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+mx:c]; MIME_GOOD(-0.10)[text/plain]; RCVD_NO_TLS_LAST(0.10)[]; MLMMJ_DEST(0.00)[freebsd-hackers@FreeBSD.org,freebsd-security@FreeBSD.org]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:42831, ipnet:194.32.164.0/24, country:GB]; FROM_EQ_ENVFROM(0.00)[]; ARC_NA(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; FROM_HAS_DN(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; DMARC_NA(0.00)[gid.co.uk]; TAGGED_RCPT(0.00)[freebsd]; MID_RHS_MATCH_FROM(0.00)[] X-Rspamd-Queue-Id: 4N6B4R0jJgz3j1M X-ThisMailContainsUnwantedMimeParts: N Hi, > On 8 Nov 2022, at 14:42, George Mitchell = wrote: >=20 > On 8/30/22 19:58, FreeBSD Security Advisories wrote: >=20 > > [four extremely delayed security notifications] >=20 > It appears they all got hung up in mail queues on the machine named > mlmmj.nyi.freebsd.org, arriving on that machine on August 9 in three > cases and August 30 in the fourth. Fortunately, notifications from > the daily security run on my machine alerted me, though I was quite > puzzled at the time to not see corresponding messages from the mailing > list. Their delayed arrival now makes me suspect that this was not > an intentional policy decision. Does anyone know what's up? > -- George Similarly several hundred messages from bugzilla-noreply@FreeBSD.org = that hit my inbox this morning. -- Bob Bishop rb@gid.co.uk From nobody Tue Nov 8 16:01:45 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4N6CXD27xVz4YM2Q; Tue, 8 Nov 2022 16:01:48 +0000 (UTC) (envelope-from bapt@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4N6CXD1P7Qz3qdw; Tue, 8 Nov 2022 16:01:48 +0000 (UTC) (envelope-from bapt@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1667923308; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=QRradMcfGu5vSbVxcVitjZpfHvX//vniZuvBso2CU0U=; b=Kd0DfWU96wgZ5VdmxU9k58bSHfA5a5+05x7z9D0n4Q4pm+sYAGu/GexNVk+tvJ021Ye/F8 PxnYEsEy3+HG10nAJVB5gch1xzo0oSxX2a6KwFr9MIxtKcjzljqVbOhpZNBxz2ngL/kT7z KJR3P/r3f1jOp6k92x6BBQtteb2uysvd9/L+zcnNMXrd3n3TZKzzqVT7DiVrjj94oI0BmJ x0RqoWLazM8VmUWK/O82bPQhsvNpvtfUpZgNBa+U+AGWVHTedQ6NYB/4HKt1a02G8p5vng ZZ+If6zmIHydCRgDi6OUticLzN/muwCgIKoWXr7hDNontGtuOxi/vuu/zgEH2g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1667923308; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=QRradMcfGu5vSbVxcVitjZpfHvX//vniZuvBso2CU0U=; b=wDvaxEl70LYSSP4G+JOlidVzUns10tMyY/Fn3Oymdro4bkp4apQ4hbMIAidwKGd4rxtu38 mAyqfoJOHBSjHHK4rH7/TaEyWblujZAheoo24VW+VjXlyH9vcnsWo1ruOpFFfAuBC0ORFq w3lyn+Hw3gNQ1dCAFKMC8JdmM2DzxzrA/OX0RTHBDkb5AupLbH6FNLbJ0HLBgDXiZBW4+l /966XduFOVdgp3EZCvxHV+DMUR2AxS/r6bVPj9lCOhhN9CA0VrnKxk+3lGtopMgnXHnjL3 d4fwkSVqPbF+4DhhjpMEoS/P/0v/uD/SmeVzBSTztCTw0vCIrABGnvTtya1w2w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1667923308; a=rsa-sha256; cv=none; b=jn4ffRHezXPCwYO81eUplsSdYx1n64wNjdmC1SK7ovwU6C5ft3+0FNwJyy0wIUp//Uw8ww /3U/cDKlD7O0MpCbNAOzCH1ZAc9+jSwPC9BGKlhQX+olAlIqkX3GG/04Nrwiph+MAXIpHo Y266szc57KNbN5J++FyMzX1BaJLR7DApdlxZVXSQzePBLGFlZDhLjpilmxzBQ1DuxQzlK+ ZvQfAmu5Rr36GylTr2M1yiTq4hE6XYSMZNu7l+Jlzc//3FfDIE2+BjkT0lmo8u150HKfxn AzA3heHHw1EG14aUT1LfdYRJBcNOzg1KvOg62wR/GEiIDQp/KuDUJL9YtghGJQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from aniel.nours.eu (nours.eu [IPv6:2001:41d0:8:3a4d::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: bapt) by smtp.freebsd.org (Postfix) with ESMTPSA id 4N6CXC6r7Fz111f; Tue, 8 Nov 2022 16:01:47 +0000 (UTC) (envelope-from bapt@FreeBSD.org) Received: by aniel.nours.eu (Postfix, from userid 1001) id BA8741B4747; Tue, 8 Nov 2022 17:01:45 +0100 (CET) Date: Tue, 8 Nov 2022 17:01:45 +0100 From: Baptiste Daroussin To: Bob Bishop Cc: George Mitchell , "freebsd-security@freebsd.org" , FreeBSD Hackers Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:13.zlib Message-ID: <20221108160145.xcoacbo7ohdxyyc3@aniel.nours.eu> References: <20220830235803.BEF1110B7E@freefall.freebsd.org> <620a28b1-4c54-3eb5-2869-f8ecc86345aa@m5p.com> <28957C58-7FD0-42DE-9395-13C02BB59240@gid.co.uk> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <28957C58-7FD0-42DE-9395-13C02BB59240@gid.co.uk> X-ThisMailContainsUnwantedMimeParts: N On Tue, Nov 08, 2022 at 02:56:05PM +0000, Bob Bishop wrote: > Hi, > > > On 8 Nov 2022, at 14:42, George Mitchell wrote: > > > > On 8/30/22 19:58, FreeBSD Security Advisories wrote: > > > > > [four extremely delayed security notifications] > > > > It appears they all got hung up in mail queues on the machine named > > mlmmj.nyi.freebsd.org, arriving on that machine on August 9 in three > > cases and August 30 in the fourth. Fortunately, notifications from > > the daily security run on my machine alerted me, though I was quite > > puzzled at the time to not see corresponding messages from the mailing > > list. Their delayed arrival now makes me suspect that this was not > > an intentional policy decision. Does anyone know what's up? > > -- George > > Similarly several hundred messages from bugzilla-noreply@FreeBSD.org that hit my inbox this morning. We were hit by a bug fixed in https://www.postfix.org/announcements/postfix-3.7.3.html Mails which have been piling have been flushed today. Best regards, Bapt From nobody Tue Nov 15 08:03:30 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NBJbB1VBJz4hGQ5; Tue, 15 Nov 2022 08:03:34 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-vs1-xe29.google.com (mail-vs1-xe29.google.com [IPv6:2607:f8b0:4864:20::e29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NBJb92LWcz3rKM; Tue, 15 Nov 2022 08:03:33 +0000 (UTC) (envelope-from grarpamp@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=MUfwuStu; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::e29 as permitted sender) smtp.mailfrom=grarpamp@gmail.com; dmarc=pass (policy=none) header.from=gmail.com Received: by mail-vs1-xe29.google.com with SMTP id t14so13905818vsr.9; Tue, 15 Nov 2022 00:03:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=VQa2CzeALC4pUXujsTEoWTLIvhgvNQGmv+0pWHtj3Tw=; b=MUfwuStu4E0TGj0nWrhhsC0bh9R+F5NiwF9Sj2a9Kl3rc9mkbRoJrkISzxBeEqkdnt dIfFbX8q80UWsUyvwtKs3dlSJ+GMgGc9Hlg8Kq1clJejJ1yWnmDhSoxdGK9d5eYBqD8O 4NjEeSBmCF3jkz9i2Dg1A+hXDeaiOwmsiCUj7gVwKxF7lZqa4Uelg1kSZqgK5jZduSXu mmjl5yZfPpeIyZbGt5EbnRpmUdB0VVoKIU+/gLmfnZvw+u72VcuPo70BTG2hTL8z4s6s TWMwoOKmaQbycCSeeFCrC9g4NaYGfkhYJbefsAnMXELYNtg7k5cJyW6PTzWCZkGrRcIz pOIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=VQa2CzeALC4pUXujsTEoWTLIvhgvNQGmv+0pWHtj3Tw=; b=Jvzx7k/hyKZhuNuWY4OugbNjR6pLe3yLCRKvcw3yzqp4b9CG2FGoBidnywXp8MpSj4 8EIb0rDn2f9Y4QLvpm7vlZB+DQKGh9iacHuh0TLVJ6H8Cfp4BCBK/Wk0lWrN6TpKYt6q yq9gD8PQftwMstd0fF+CS5ILTaTPJNHrvzjd51NmtBLjXsqTAlDzgKldtQsN/IgRy7Lx ouFwHoDAOYgTrLLCQX4RNoxGWW+7EPIPZG/ueAkwXqWAznioelU15XojbQ4tjTPY1ap4 lwJehYO1Z/AgLIDSNFNJnhcK3EAc9KbptI9HqqFdvs6+aGNj0+MkCeOqVy6RNuA4FrEw MODA== X-Gm-Message-State: ANoB5pnsnQgH83PnJQY1KeLNq/qJfff01Fpt40MAmHaYmMnJftrkn2Jl 6XQHv3r/QN+2dP0iDebLWj5RPpa8VWXd4t/9w9fJY+GdW82WeItDL7o= X-Google-Smtp-Source: AA0mqf5v8J8N7+bD4HOHlhtUy4ony0JMHYsNqpiB4EkQfdi0vvfA0qJkFzkLcNecV9U5/ClSyYCKCodlqjE1CkEjtnw= X-Received: by 2002:a67:ec86:0:b0:3ad:451e:936 with SMTP id h6-20020a67ec86000000b003ad451e0936mr8360616vsp.84.1668499410984; Tue, 15 Nov 2022 00:03:30 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a59:1504:0:b0:32a:c833:f266 with HTTP; Tue, 15 Nov 2022 00:03:30 -0800 (PST) From: grarpamp Date: Tue, 15 Nov 2022 03:03:30 -0500 Message-ID: Subject: Black Box Executes Assembly ABI, Yet Which Masters Loom To: freebsd-questions@freebsd.org Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spamd-Result: default: False [-2.00 / 15.00]; NEURAL_HAM_SHORT(-1.00)[-0.998]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; MIME_GOOD(-0.10)[text/plain]; MLMMJ_DEST(0.00)[freebsd-questions@freebsd.org,freebsd-security@freebsd.org]; FROM_EQ_ENVFROM(0.00)[]; ARC_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::e29:from]; DKIM_TRACE(0.00)[gmail.com:+]; RCVD_TLS_LAST(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_NONE(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-Rspamd-Queue-Id: 4NBJb92LWcz3rKM X-Spamd-Bar: - X-ThisMailContainsUnwantedMimeParts: N > gives ... sense of ultimate control ... we are still the masters of the c= omputer. Tens of billions of gates on modern CPU's NIC's GPU's HDD's, every single one of them a closed source hw black box, same for thousands upon thousands of lines of firmware, hundreds of undocumented opcodes some now found with fuzzers, "bugs", exploits, off by one "oops" in that ancient commit, "Will Not Fix "Errata"". A world full of agents spies moles and crypto-corrupting GovCorps, phones remotely controllable via baseband, package interception mitm, etc. The average kernel bigger than Encyclopedia= . No, it's entirely plausible that what you think is "your" black box to play master level of Tetris on, is actually someone else's just waiting for that magic packet or execution pattern, always on, backed up to the connected cloud, auto updated, AI enhanced, datamined, and oh my those alluring honeytraps... Cortana Alexa and Ring. " Communication in a world of pervasive surveillance Sources and methods: Counter-strategies against pervasive surveillance architecture ISBN: 978-90-386-5471-3 March 2022 The Adversary 4.4 - Standardization of cryptographic sabotage p.81 4.6 - ANT Catalog p.92 " Demand and participate in the creation, startup, and purchase of... #OpenFabs , #OpenHW , #OpenAudit , #FormalVerification , #CryptoCrowdFunding , #OpenTrust , #GuerrillaNets , ... Your Freedom may well depend on it. "Wer die Wahrheit nicht wei=C3=9F, der ist blo=C3=9F ein Dummkopf. Aber wer= sie wei=C3=9F und sie eine L=C3=BCge nennt, der ist ein Verbrecher." 1 -- Bertold Brecht, Das Leben des Galilei, Seite 71 From nobody Wed Nov 16 03:17:46 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NBpBy6h3zz4hMRx for ; Wed, 16 Nov 2022 03:17:46 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NBpBy68QSz47bQ; Wed, 16 Nov 2022 03:17:46 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1668568666; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=wzo2GBiDzNBsBElCWRQ2b8Psk/jCRpqJ3KvsJI4PKjk=; b=bw1mDTic5jBWomHKwvEFZktjTcZszUPBqYPwma/oGwxft0B0a1FmI3jkFP3kA5GILUYPwF tkUWlJoK/M5sDfOW64KLx7mkvMdhp2eTL7E1AUAdUxdcLQ4y1UW3CaTcJ0AxC2qSRX9MEZ htMrwgkTpnfZNgs4Xxd4a/gdFKP3AYklW4xyM/CybKTjVV/SlLRXbA9fFc7Q2gCWOrIBsz qQBbJODajRpOZg7cgh2ponTJ+g/K1IO2+CumgIYYb/n4hItAqdCiYYNZ/UMzninNs26CZP +I0SvVI5YIWNkOcerRwJlb0Ly4+kCH3vqE6CCf3EBRQa+gPQ8Vj1qRJMe2BDjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1668568666; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=wzo2GBiDzNBsBElCWRQ2b8Psk/jCRpqJ3KvsJI4PKjk=; b=FTbiK4YwOxNwQN/a+B3rjw/x9dPU0uSKghdV/h0R64Bdsf8MF5KU8yfxBCYyhJ+VbSrTud O53y5//lveY07MAtH/Ee3aVhUQE3MX5hWOZ+iOZc0Wd6NsMJSblk2sSupFCiJCjIxqTRJr PstF1zFchol748wZCFi9hMxbK8bU+PiJy60BlMBeeZoUDL518mwFtImmiD9P6UjJlu5goe yLF9JWMR2ON8QLbzdNj/qUBxJHnnevgvS6zsiQAAX9IB3Mfmib89B88AZruG8fBDozMoI2 RslGtPgsHOD4kZLU4EAPjnxLpJFl95TLYTVCT1P7HyivbwOU4lSwgkaVuv6i6A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1668568666; a=rsa-sha256; cv=none; b=LZfREM3GvnccIc6dLH9YR8XPQPaxNxHpOL42RzT5ekNh42bT/+0XGGcIyUQqutV17XDUkL qskPBLyqYsegWvcbqbwILTH+XdyylRsLV7MG78+S6X3xA5H3sr+HD2E5/vttAzGgRUbYEn 2aRv2zcEEkoX289qMt8ex+B3nxOrCOdLLAYbfPcfoSTTuD4nbauhoKco4Fc2yuVo0Fx3qO EZRS5cGzkGwsJLWNXfPTqVMncb9CTf7W88Gk4LvxChMrPqVXbBywWLt4C/Rd8y6lqf1NkX 0cZ9vnggSQ6WEZfs4HYF9Zti0KpMgoXHOuNZ1Nio1ylxDcRQBpwmLea9NGGGcQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id BC20920B23; Wed, 16 Nov 2022 03:17:46 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:14.heimdal Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20221116031746.BC20920B23@freefall.freebsd.org> Date: Wed, 16 Nov 2022 03:17:46 +0000 (UTC) X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:14.heimdal Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in Heimdal Category: contrib Module: heimdal Announced: 2022-11-15 Affects: All supported versions of FreeBSD. Corrected: 2022-11-15 21:15:35 UTC (stable/13, 13.1-STABLE) 2022-11-16 01:50:27 UTC (releng/13.1, 13.1-RELEASE-p4) 2022-11-15 21:16:56 UTC (stable/12, 12.4-STABLE) 2022-11-16 01:47:57 UTC (releng/12.4, 12.4-RC2-p1) 2022-11-16 01:40:21 UTC (releng/12.3, 12.3-RELEASE-p9) CVE Name: CVE-2019-14870, CVE-2022-3437, CVE-2022-42898, CVE-2022-44640, CVE-2021-44758 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Heimdal implements the Kerberos 5 network authentication protocols. A Key Distribution Center (KDC) is trusted by all principals registered in that administrative "realm" to store a secret key in confidence, of which, the proof of knowledge is used to verify the authenticity of a principal. II. Problem Description Multiple security vulnerabilities have been discovered in the Heimdal implementation of the Kerberos 5 network authentication protocols and KDC. - - CVE-2022-42898 PAC parse integer overflows - - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour - - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors - - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec - - CVE-2019-14870 Validate client attributes in protocol-transition - - CVE-2019-14870 Apply forwardable policy in protocol-transition - - CVE-2019-14870 Always lookup impersonate client in DB III. Impact A malicious actor with control of the network between a client and a service using Kerberos for authentication can impersonate either the client or the service, enabling a man-in-the-middle (MITM) attack circumventing mutual authentication. Note that, while CVE-2022-44640 is a severe vulnerability, possibly enabling remote code execution on other platforms, the version of Heimdal included with the FreeBSD base system cannot be exploited in this way on FreeBSD. IV. Workaround No workaround is available, but only systems using Kerberos are affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. A reboot is recommended. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install A reboot is recommended. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:14/heimdal.patch # fetch https://security.FreeBSD.org/patches/SA-22:14/heimdal.patch.asc # gpg --verify heimdal.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the Kerberos, or reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ d0b6550173d2 stable/13-n253097 releng/13.1/ a1e014e89282 releng/13.1-n250170 stable/12/ r372752 releng/12.4/ r372755 releng/12.3/ r372753 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmN0Ud0ACgkQ05eS9J6n 5cKIKA//bRccdsoilKJvyQw9RazwJ0HENGbPF1RdjyG1nmMsp5wG+rqAdnN0LF8p SgEqfZjCx+KXNJBkzblKzduFK9VQ211dbjouwd/BVCbMYemUIs1DqobF6uvYnMbn vhQ2lUtZ46WbgvjXOcfsHakmCV2V2kCzBFsCKCQFPcYSch5n9gGW+I4cfewF8+fB +sjvhz7MDyLaCVB3UpxPUIMc3w/G18zzyhHdhuJOaCrCjf00Mt4Er40ICr+IkRy5 PpwdX60yvwk3uxzzMyIC5zcS3CD6qFUOaSIXfEuGWGl7Wo7MjoCXECE1sbwLVat8 K1FJtNIADZJkURzkgjvp9rHQHwZFkLMawrkyik4apHgGsY2pXktZGhcw/qN2BNNn uo3HILrjbYK5eU5zLU17FS9X5qTurIcqdVJCIklvjNqW7DAuN3K1I9ryat4w5sST ToW5LpLtP9DoI9M9Bh3Mqba629iuXRmQ6LZ6p9EGSFr2i7e3VDEcvMxkGO6Sh8M3 w67FpqWzeQ1RT2q2YL013emKq6C+oYDjMDDejAqH2Wwwae/7yQiNnXBqvokIXmi4 KLupHptt0CPFPOFBLloxXBPenYu/49SRWeUoxBqspQuvCY708j1mUntaVtAFm/ax QElUUEEmcuJhsBzTzBnS82oe7IRwv3NQm55zkOn+DQZ2HjV/GaY= =jmOK -----END PGP SIGNATURE----- From nobody Thu Nov 17 18:38:47 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NCpbN5txJz4hypg for ; Thu, 17 Nov 2022 18:38:56 +0000 (UTC) (envelope-from wollman@hergotha.csail.mit.edu) Received: from hergotha.csail.mit.edu (tunnel82308-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:ccb::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "garrett.wollman.name", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NCpbM6RBwz46PD for ; Thu, 17 Nov 2022 18:38:55 +0000 (UTC) (envelope-from wollman@hergotha.csail.mit.edu) Authentication-Results: mx1.freebsd.org; dkim=none; spf=pass (mx1.freebsd.org: domain of wollman@hergotha.csail.mit.edu designates 2001:470:1f06:ccb::2 as permitted sender) smtp.mailfrom=wollman@hergotha.csail.mit.edu; dmarc=none Received: from hergotha.csail.mit.edu (localhost [127.0.0.1]) by hergotha.csail.mit.edu (8.16.1/8.16.1) with ESMTPS id 2AHIcllD072996 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO) for ; Thu, 17 Nov 2022 13:38:47 -0500 (EST) (envelope-from wollman@hergotha.csail.mit.edu) Received: (from wollman@localhost) by hergotha.csail.mit.edu (8.16.1/8.16.1/Submit) id 2AHIclc8072995; Thu, 17 Nov 2022 13:38:47 -0500 (EST) (envelope-from wollman) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <25462.32695.665376.679464@hergotha.csail.mit.edu> Date: Thu, 17 Nov 2022 13:38:47 -0500 From: Garrett Wollman To: freebsd-security@freebsd.org Subject: vuxml entry error for krb5 X-Mailer: VM 8.2.0b under 28.1 (amd64-portbld-freebsd12.3) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.4 (hergotha.csail.mit.edu [0.0.0.0]); Thu, 17 Nov 2022 13:38:47 -0500 (EST) X-Spam-Status: No, score=-0.8 required=5.0 tests=ALL_TRUSTED, HEADER_FROM_DIFFERENT_DOMAINS,T_SCC_BODY_TEXT_LINE autolearn=disabled version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on hergotha.csail.mit.edu X-Spamd-Result: default: False [-1.69 / 15.00]; NEURAL_HAM_SHORT(-0.99)[-0.987]; NEURAL_HAM_LONG(-0.98)[-0.982]; FORGED_SENDER(0.30)[wollman@freebsd.org,wollman@hergotha.csail.mit.edu]; NEURAL_SPAM_MEDIUM(0.28)[0.279]; R_SPF_ALLOW(-0.20)[+ip6:2001:470:1f06:ccb::2]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[freebsd.org]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; R_DKIM_NA(0.00)[]; ASN(0.00)[asn:6939, ipnet:2001:470::/32, country:US]; RCVD_COUNT_THREE(0.00)[3]; RCPT_COUNT_ONE(0.00)[1]; TO_DN_NONE(0.00)[]; FREEFALL_USER(0.00)[wollman]; ARC_NA(0.00)[]; FROM_NEQ_ENVFROM(0.00)[wollman@freebsd.org,wollman@hergotha.csail.mit.edu]; FROM_HAS_DN(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DOM_EQ_FROM_DOM(0.00)[] X-Rspamd-Queue-Id: 4NCpbM6RBwz46PD X-Spamd-Bar: - X-ThisMailContainsUnwantedMimeParts: N Not sure who to address this to, so hopefully someone more knowledgeable about vuxml can explain what needs to be fixed here. https://vuxml.freebsd.org/freebsd/094e4a5b-6511-11ed-8c5e-206a8a720317.html gives incorrect "affected packages" for the main `krb5` package: it claims that all versions < 1.20_1 are affected, but in fact the vulnerable versions are 1.20 < x < 1.20_1 OR 1.19 < x < 1.19.3_1 OR x < 1.19. This means that if you have KRB5_VERSION=119 set in make.conf, you will get packages that are *not* vulnerable, but `pkg audit` will claim that they are. -GAWollman From nobody Thu Nov 17 19:10:55 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NCqJL4hstz4j3ZZ for ; Thu, 17 Nov 2022 19:10:58 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from omta002.cacentral1.a.cloudfilter.net (omta002.cacentral1.a.cloudfilter.net [3.97.99.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NCqJL2MJ0z4Dd0; Thu, 17 Nov 2022 19:10:58 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Authentication-Results: mx1.freebsd.org; none Received: from shw-obgw-4004a.ext.cloudfilter.net ([10.228.9.227]) by cmsmtp with ESMTP id veWQoqYK2yQ9evkHpoQcau; Thu, 17 Nov 2022 19:10:57 +0000 Received: from spqr.komquats.com ([70.66.148.124]) by cmsmtp with ESMTPA id vkHoo9dVHCRu9vkHpocGoE; Thu, 17 Nov 2022 19:10:57 +0000 X-Authority-Analysis: v=2.4 cv=QIh7+yHL c=1 sm=1 tr=0 ts=63768741 a=Cwc3rblV8FOMdVN/wOAqyQ==:117 a=Cwc3rblV8FOMdVN/wOAqyQ==:17 a=kj9zAlcOel0A:10 a=9xFQ1JgjjksA:10 a=6I5d2MoRAAAA:8 a=YxBL1-UpAAAA:8 a=EkcXrb_YAAAA:8 a=zfMmPGIKi98dKCotuq8A:9 a=CjuIK1q_8ugA:10 a=SGtfeGh8WZUA:10 a=IjZwj45LgO3ly-622nXo:22 a=Ia-lj3WSrqcvXOmTRaiG:22 a=LK5xJRSDVpKd5WXXoEvA:22 Received: from slippy.cwsent.com (slippy [10.1.1.91]) by spqr.komquats.com (Postfix) with ESMTP id B401D734; Thu, 17 Nov 2022 11:10:55 -0800 (PST) Received: by slippy.cwsent.com (Postfix, from userid 1000) id 6AB41243; Thu, 17 Nov 2022 11:10:55 -0800 (PST) X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.7+dev Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: Garrett Wollman cc: freebsd-security@freebsd.org Subject: Re: vuxml entry error for krb5 In-reply-to: <25462.32695.665376.679464@hergotha.csail.mit.edu> References: <25462.32695.665376.679464@hergotha.csail.mit.edu> Comments: In-reply-to Garrett Wollman message dated "Thu, 17 Nov 2022 13:38:47 -0500." List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 17 Nov 2022 11:10:55 -0800 Message-Id: <20221117191055.6AB41243@slippy.cwsent.com> X-CMAE-Envelope: MS4xfN6Grgkd54akCZMOgkUrk5u83cbZu5QbhEIauVeLV0Xu370Ley7v8q1vlJIYHMJgW+pM5xMQJwnCRfFP5BSDHca8K+tmLI6aYV3iOxRjal09qwOxLMUH CU/iiYhMoO4bnXPCGmdyOz4ssUy9k6QYhFNqOvxZCXNpyjgdQ4NxqGdvIMLTFiN1bmiZsXAEVor7jvKv0ul6LYUYUxfPhsZbl0WgtnWBjHr4mDh5Lz+5Cfy7 tTsT3Ydrr4KZhLUX812e2g== X-Rspamd-Queue-Id: 4NCqJL2MJ0z4Dd0 X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N In message <25462.32695.665376.679464@hergotha.csail.mit.edu>, Garrett Wollman writes: > Not sure who to address this to, so hopefully someone more > knowledgeable about vuxml can explain what needs to be fixed here. > > https://vuxml.freebsd.org/freebsd/094e4a5b-6511-11ed-8c5e-206a8a720317.html > gives incorrect "affected packages" for the main `krb5` package: it > claims that all versions < 1.20_1 are affected, but in fact the > vulnerable versions are 1.20 < x < 1.20_1 OR 1.19 < x < 1.19.3_1 OR > x < 1.19. All versions < 1.20.1 and 1.19.4 are vulnerable. If you've put 119 in your make.conf and rebuilt krb5-1.19.3_1 or 1.19.4 you will be fine. I had to do a bit of digging around but looking at an example from two y ears ago the vuxml syntax seems to support multiple ranges for a single port. > > This means that if you have KRB5_VERSION=119 set in make.conf, you > will get packages that are *not* vulnerable, but `pkg audit` will > claim that they are. This is correct. MIT released patches for 1.20 and 1.19 and within half an hour they released 1.20.1 and 1.19.4. The krb5-120 and krb5-119 branches are fully supported by MIT. vuxml has been fixed. To answer another question not asked here but I'm sure someone will: I typically keep krb5 N-2 -- in this case krb5-118 -- in the tree for a year after N is released for those needing extra time to bring their krb5 up to level. But since 1.18 is no longer supported by MIT and is also vulnerable its expiry date has been accelerated to the end of this month. MIT supports only N and N-1. I'm currently considering reducing this from a year to six months when 1.21 is released. > > -GAWollman > > -- Cheers, Cy Schubert FreeBSD UNIX: Web: https://FreeBSD.org NTP: Web: https://nwtime.org e^(i*pi)+1=0 From nobody Wed Nov 30 00:46:00 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NML9P12jJz4j2R7 for ; Wed, 30 Nov 2022 00:46:01 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NML9P0YsLz47QL; Wed, 30 Nov 2022 00:46:01 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1669769161; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=w6KDHn3E2A8Xa2AQiCUv1Hl/I3U/ccaaMRsMejP6CLo=; b=DyW4EvR0d+96yuEpafWCU/Zi9d9dtVF9AcL70tnci9tDyGhPAqgsvwPD/uyfXoKS8+1d00 xdAzJUGNGblJU5P+M+E4I/y270qP7fb/A7WzkgHXKd5kt7xCefv1qDnZDycGMed18nO7KD iPVuf2noiIbbwxbd1pVQQHb/SD9IJ0YovysJdNsvR45QWM3IHT7slVWR/cHw2I7ow0AUuw kyjt3Xs3UBZAwEVfvey1EYcpnooX7TDBpWEb5oZxlBrakp9sLYZ0aWPuzKUY2Awg+NSaLa rG44LliEgAxUA2nkTuyJNXVxgQrARkE1kS80jT2sKUxo04q5KQgUxTPFiw66Fg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1669769161; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=w6KDHn3E2A8Xa2AQiCUv1Hl/I3U/ccaaMRsMejP6CLo=; b=QNwYL+NLAgzsW6XNfRJkGOfuhsiX9K3DDP82pKZL9ZqFTKa0GHbIwug/phIdFmd9lFyAAi FMvHGL7jlOJRtdLW8chiTdUmK/oGx3f3oUSyYHs7bVeq+FF6R3qYsip9toN/NQTGA5R2RH v13GPhxuGcTHbLSdyHdPbML+6MrmGDpQDegyxAOmj1aPNVZ2sUkNdW+9lpghUs2h98jio6 3j4+EO3AJ+RkOPcFPdc6zZ1V8rdlyAIm5+fLSVEABqK/A5kNWcshfS1159I6J0XAYB6hfe nvdsNyFohTA4m5jhfVNk/AdyFKxU6Urh9yMW0yGIEuOqy1Lpq4FGEFHDmO1u7w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1669769161; a=rsa-sha256; cv=none; b=Bteo0dukTQd8D13BfsIs1fGR6B4J/KHiGYglXdnFeINWyDSTJ1KYlUEAT7cAOJbAe4WGJS wzKOoWmJ9atb6WQkypc6Y2+UI7D1uWK7RvYS5hl6ftREZCrfznBwWWnKMbtBDEjXFQzGYG lPfEWspXE2umAwKto78aIkbSam7jC/hYY7eNVYq9zwkS5vSACpe2AC6J7VAgxdPTiiwa4t 7eGGic1a7YHKBfhMueRfNay+WzzhDikPeHctoq/nX5Q4kvl6ausSRzGV6sUvctja4nunS7 q5eGiYKs3Ivgx1f5RjpoaiIRgi9ZQ8Y8QDDC2QtEuO7qRCkuSkQ+dzSLc2tnkg== Received: by freefall.freebsd.org (Postfix, from userid 945) id EFDFF1C46E; Wed, 30 Nov 2022 00:46:00 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:15.ping Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20221130004600.EFDFF1C46E@freefall.freebsd.org> Date: Wed, 30 Nov 2022 00:46:00 +0000 (UTC) X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:15.ping Security Advisory The FreeBSD Project Topic: Stack overflow in ping(8) Category: core Module: ping Announced: 2022-11-29 Credits: Tom Jones Affects: All supported versions of FreeBSD. Corrected: 2022-11-29 22:56:33 UTC (stable/13, 13.1-STABLE) 2022-11-29 23:00:43 UTC (releng/13.1, 13.1-RELEASE-p5) 2022-11-29 22:57:16 UTC (stable/12, 12.4-STABLE) 2022-11-29 23:19:09 UTC (releng/12.4, 12.4-RC2-p2) 2022-11-29 23:16:17 UTC (releng/12.3, 12.3-RELEASE-p10) CVE Name: CVE-2022-23093 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background ping(8) is a program that can be used to test reachability of a remote host using ICMP messages. To send and receive ICMP messages, ping makes use of raw sockets and therefore requires elevated privileges. To make ping's functionality available to unprivileged users, it is installed with the setuid bit set. When ping runs, it creates the raw socket needed to do its work, and then revokes its elevated privileges. II. Problem Description ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a "quoted packet," which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header. The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes. III. Impact The memory safety bugs described above can be triggered by a remote host, causing the ping program to crash. It may be possible for a malicious host to trigger remote code execution in ping. The ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrainted in how it can interact with the rest of the system at the point where the bug can occur. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch # fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch.asc # gpg --verify ping.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 186f495d4be1 stable/13-n253187 releng/13.1/ 66c7b53d9516 releng/13.1-n250172 stable/12/ r372774 releng/12.4/ r372778 releng/12.3/ r372775 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlvgACgkQ05eS9J6n 5cIQGw//ZiF50YbtOc7oYgVcJTGlBEAbKWV6OteTDpXWb/OlwkznGxwzrG0DPvWN wHyItOPSAmdxqC4xZUsZh9HNxlim80r5TR1y4BE22Lsg2vL5Ir0h3tcqOKKpHYLS KzNgishF1+J56JeU3TpTjOe5QbXK3EZiw092lH8uSXTp3PqcHxBfFuW9Cjc1Rq/u ewjHWI7zNCMOpGh3w/v14ZxGl3aFusL1jmrcyi5kZub2Pr0N3bUKgS3/3wXfWF6o hcFhl1ChmAwpT/1313LNE7SHPl4HCC5XK4r3w+wniLjOJUhnioOBjay29QLt5O53 0rYaINNvo7ooBSpcPO9ixta+7dqah+uuW3vnFewuahqNCaAGLhMDSPqyZW7KfYgU F7TIDoBRHPHASFb3FOiAAcCNMCvmGl7vFyVoWe0xJ1ion2jqO83R8XOGgnHsPL/l cTYTPdECPMIDMvmfIH9UAbNCzKEYdNjWsXUjFJKkxCBtwUcBRsn1TEu24zU2j9mS hRlY1DAYVy8raYUnQp/f6Llroim5DKyUYpJpeB3j//Fk6KACRnZKsqsSIj9U3OYf KD6zfJ35RrolPHePMPmy6vGPDYFocDo+YQSm1eauwfSeDGnsjBmIdzxahkgEav4Z 5agsPd2naEntMiJkGGgeuYCifEvkCttJbuTn2s+7VkuTap0uTuA= =rown -----END PGP SIGNATURE----- From nobody Wed Nov 30 00:46:58 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NMLBV4Yxgz4j2tS for ; Wed, 30 Nov 2022 00:46:58 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NMLBV3Lwcz4DVk; Wed, 30 Nov 2022 00:46:58 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1669769218; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=PE8+p24Wl+W9Dx5WmU6DGNoC2h5QED7uRNVEV01acIE=; b=B7l4aP0FkSJrg9mGmTHQaiB5DiY/ieA/JFDh0zeuqD6WmzzmbDZKVtHMFwyxVPbGoEPgnj 0j5YxhDFTviUw+aglEa0gIm+Zui930oWVHjUdSaBLwvVg/A5rVVaWL0TzLQeQs2E4m5fOx N5b2tLIIhAtK7MyDY/hQVV3LFOK4b3ruj3Cz02/FBqNaVekf0qHj7+7/w1XQMWifv8qJs1 JsxSBpY19tM3IIfb7Fjl/nmQOURnoOQQuF1SlgUiIL55tWwUUVl2WuDkLvUfW7fgB1r463 3B4Ex0XE3KWU1jC0YfMKflKGU0jRpYFKexHW8N6DTT4ibybIueUmGo2N2ruykQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1669769218; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=PE8+p24Wl+W9Dx5WmU6DGNoC2h5QED7uRNVEV01acIE=; b=k1ncP0y0XBv0ROM3X18Sc2CqBsBYnGdDhekvNWrqEcG2p+367xg2cE4+E0EWLTDJ77E8HX amVVHPQ+676TN4qrARN2E489QB68fnY4zaoxQDqeRTVUVHbNR1n3TjgD3s8wd3Te2ibbt2 fjl6lG2WqrOH7hC+PiuDeyNHLJ6Je+naSWxKJGB4Zgf6EEd5MrI23uihbX6/wZj0bcpUju 2kESuWGFxdRGpKxU85GrWRCUhQRaE0VtH7lxxHYkgdJ9H4+wX8vKFkbSayfLTgLBilaStK Pf2a8W6xU4wScqDzbV8xsRC35evGcVEfAehzvLbvb+0F06fFPg1qexAX4ksEoQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1669769218; a=rsa-sha256; cv=none; b=YYrV0CxAc3OeFIutebDSI9eR32DutqWTOEoPAZyj9mBLIyaortwSgTDLORXgN0ZRdwaT5K p35o+BZhG3/C4XJklspGyNugpvMaH40GsMNDoZj3T5wG5Y/FxznskzMwaUAlfs5W3k5WCT Ny0hYkKUnu/i2+tHf8alBFaG9Rh0XH/akC7ZmOPwjMKDpA1eASUWUqELt0MIP8dCAgvirN +1AZXefZjdGekur1CgqGe5kLuxUVSsxIZgRip7kizRTgzWQN5RfJaZkBrQhmi2k6lsmHD8 2sBekw5CNEmm86DWM9KgLUQfO0ajNQvHnsPa+cmC/AxW83oQ9eETxxfDJPA6ag== Received: by freefall.freebsd.org (Postfix, from userid 945) id 454791C472; Wed, 30 Nov 2022 00:46:58 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:14.heimdal [REVISED] Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20221130004658.454791C472@freefall.freebsd.org> Date: Wed, 30 Nov 2022 00:46:58 +0000 (UTC) X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-22:14.heimdal Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in Heimdal [REVISED] Category: contrib Module: heimdal Announced: 2022-11-15 Revised: 2022-11-29 Affects: All supported versions of FreeBSD. Corrected: 2022-11-15 21:15:35 UTC (stable/13, 13.1-STABLE) 2022-11-16 01:50:27 UTC (releng/13.1, 13.1-RELEASE-p4) 2022-11-15 21:16:56 UTC (stable/12, 12.4-STABLE) 2022-11-16 01:47:57 UTC (releng/12.4, 12.4-RC2-p1) 2022-11-16 01:40:21 UTC (releng/12.3, 12.3-RELEASE-p9) CVE Name: CVE-2019-14870, CVE-2022-3437, CVE-2022-42898, CVE-2022-44640, CVE-2021-44758 0. Revision history v1.0 2022-11-15 Initial release. v1.1 2022-11-29 Updated with reference to FreeBSD-EN-22:28.heimdal. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Heimdal implements the Kerberos 5 network authentication protocols. A Key Distribution Center (KDC) is trusted by all principals registered in that administrative "realm" to store a secret key in confidence, of which, the proof of knowledge is used to verify the authenticity of a principal. II. Problem Description Multiple security vulnerabilities have been discovered in the Heimdal implementation of the Kerberos 5 network authentication protocols and KDC. - - CVE-2022-42898 PAC parse integer overflows - - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour - - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors - - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec - - CVE-2019-14870 Validate client attributes in protocol-transition - - CVE-2019-14870 Apply forwardable policy in protocol-transition - - CVE-2019-14870 Always lookup impersonate client in DB III. Impact A malicious actor with control of the network between a client and a service using Kerberos for authentication can impersonate either the client or the service, enabling a man-in-the-middle (MITM) attack circumventing mutual authentication. Note that, while CVE-2022-44640 is a severe vulnerability, possibly enabling remote code execution on other platforms, the version of Heimdal included with the FreeBSD base system cannot be exploited in this way on FreeBSD. IV. Workaround No workaround is available, but only systems using Kerberos are affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. A reboot is recommended. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install A reboot is recommended. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-22:14/heimdal.patch # fetch https://security.FreeBSD.org/patches/SA-22:14/heimdal.patch.asc # gpg --verify heimdal.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) The original revision of this advisory included a patch which renders the KDC inoperative. This was corrected in FreeBSD-EN-22:28.heimdal. Systems using the KDC must download and verify an additional patch: # fetch https://security.FreeBSD.org/patches/EN-22:28/heimdal.patch # fetch https://security.FreeBSD.org/patches/EN-22:28/heimdal.patch.asc # gpg --verify heimdal.patch.asc d) Apply the additional patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch e) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the Kerberos, or reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ d0b6550173d2 stable/13-n253097 releng/13.1/ a1e014e89282 releng/13.1-n250170 stable/12/ r372752 releng/12.4/ r372755 releng/12.3/ r372753 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlpAACgkQ05eS9J6n 5cJFGQ//TbsJox2faNwQaBoQy/gFSP6TgauZTZJR5A5Y6bRMcvkNJyl3KIM2XlWD W+lJlxL7kERjv9zD6iI8rns4+FOO2p9f4ICZsWy88ABQrmpuz2N22MSd8NyXeRv0 30HyftaUMZdAPHVk5Piu7l3U6S4tPiO1BZEoMucG8cby1eWlPMtuH3K/0/CLZmPc F8U+oRDwB5KnZgP39JmvejvGoXik1lhCrvaLZ5fG1QEmyb1xtjHfT+QSkh9FWLxz jrHfwgpZFERprpMzqZAicbinV/LjZMfEbckJygzGNzSTTPD+uqT/jDmY+iHnkdF1 Lw9R8pJoJIpvckRrPLQIOZZuz/Xd4FRB7Gc/q4/x4HTP/8y/x1uKZmcbrh86W9xu 9jCLMgpqETEjHhqADX7Z4+7oxhCPmgSJP8dX5o0HvORs4bqqxbkLqkCsp8QXdcES vftJGgpt1IPO8MBcr4pG6+cEcZQuk7qX0/D3PArxLkwU2coimP2MmjxyeWBX5GrI zgdF2HiUYvuZXyt1FMgve+8JkS1RYEE+yPWeOJ5RnIuHnIaNTD81o1gIYuFL3ECb UAREi6FYskzeJQ/W2ZRMwQPGMPDQI901+msfStjxgx92rKhxLW+rDsg0EUsApoOv DzIaeCtOGCZMG/mLvVhOLYbqmFrHDbWy8cMoSti/lnx7OdLpnn4= =L299 -----END PGP SIGNATURE----- From nobody Wed Nov 30 13:01:47 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NMfVX19ytz4fwhB for ; Wed, 30 Nov 2022 13:01:56 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smarthost1.sentex.ca", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NMfVW6JM4z3Pc5 for ; Wed, 30 Nov 2022 13:01:55 +0000 (UTC) (envelope-from mike@sentex.net) Authentication-Results: mx1.freebsd.org; none Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [199.212.134.19]) by smarthost1.sentex.ca (8.16.1/8.16.1) with ESMTPS id 2AUD1mJc012884 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=FAIL) for ; Wed, 30 Nov 2022 08:01:48 -0500 (EST) (envelope-from mike@sentex.net) Received: from [IPV6:2607:f3e0:0:4:245f:fc1c:f100:a232] ([IPv6:2607:f3e0:0:4:245f:fc1c:f100:a232]) by pyroxene2a.sentex.ca (8.16.1/8.15.2) with ESMTPS id 2AUD1lRD086339 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO) for ; Wed, 30 Nov 2022 08:01:48 -0500 (EST) (envelope-from mike@sentex.net) Content-Type: multipart/alternative; boundary="------------r88lAbUYkRp0y8Naqc6QqThD" Message-ID: <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> Date: Wed, 30 Nov 2022 08:01:47 -0500 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0 Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping Content-Language: en-US To: freebsd-security@freebsd.org References: <20221130004601.043CE1C623@freefall.freebsd.org> From: mike tancsa In-Reply-To: <20221130004601.043CE1C623@freefall.freebsd.org> X-Scanned-By: MIMEDefang 2.84 X-Rspamd-Queue-Id: 4NMfVW6JM4z3Pc5 X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N This is a multi-part message in MIME format. --------------r88lAbUYkRp0y8Naqc6QqThD Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit How likely is this bug exploited ?  I am guessing Man-in-the-middle makes this a little more of an issue potentially     ---Mike On 11/29/2022 7:46 PM, FreeBSD Security Advisories wrote: > ============================================================================= > FreeBSD-SA-22:15.ping Security Advisory >                                                           The FreeBSD > Project > > Topic:          Stack overflow in ping(8) > > Category:       core > Module:         ping > Announced:      2022-11-29 > Credits:        Tom Jones > Affects:        All supported versions of FreeBSD. > Corrected:      2022-11-29 22:56:33 UTC (stable/13, 13.1-STABLE) >                 2022-11-29 23:00:43 UTC (releng/13.1, 13.1-RELEASE-p5) >                 2022-11-29 22:57:16 UTC (stable/12, 12.4-STABLE) >                 2022-11-29 23:19:09 UTC (releng/12.4, 12.4-RC2-p2) >                 2022-11-29 23:16:17 UTC (releng/12.3, 12.3-RELEASE-p10) > CVE Name:       CVE-2022-23093 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I.   Background > > ping(8) is a program that can be used to test reachability of a remote > host using ICMP messages.  To send and receive ICMP messages, ping makes > use of raw sockets and therefore requires elevated privileges.  To make > ping's functionality available to unprivileged users, it is installed > with the setuid bit set.  When ping runs, it creates the raw socket > needed to do its work, and then revokes its elevated privileges. > > II.  Problem Description > > ping reads raw IP packets from the network to process responses in the > pr_pack() function.  As part of processing a response ping has to > reconstruct the IP header, the ICMP header and if present a "quoted > packet," which represents the packet that generated an ICMP error.  The > quoted packet again has an IP header and an ICMP header. > > The pr_pack() copies received IP and ICMP headers into stack buffers > for further processing.  In so doing, it fails to take into account the > possible presence of IP option headers following the IP header in > either the response or the quoted packet.  When IP options are present, > pr_pack() overflows the destination buffer by up to 40 bytes. > > III. Impact > > The memory safety bugs described above can be triggered by a remote > host, causing the ping program to crash.  It may be possible for a > malicious host to trigger remote code execution in ping. > > The ping process runs in a capability mode sandbox on all affected > versions of FreeBSD and is thus very constrainted in how it can interact > with the rest of the system at the point where the bug can occur. > > IV.  Workaround > > No workaround is available. > > V.   Solution > > Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > Perform one of the following: > > 1) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the amd64, i386, or > (on FreeBSD 13 and later) arm64 platforms can be updated via the > freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch > # fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch.asc > # gpg --verify ping.patch.asc > > b) Apply the patch.  Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile the operating system using buildworld and installworld as > described in . > > VI.  Correction details > > This issue is corrected by the corresponding Git commit hash or Subversion > revision number in the following stable and release branches: > > Branch/path                             Hash Revision > ------------------------------------------------------------------------- > stable/13/                              186f495d4be1 stable/13-n253187 > releng/13.1/                            66c7b53d9516 releng/13.1-n250172 > stable/12/ r372774 > releng/12.4/ r372778 > releng/12.3/ r372775 > ------------------------------------------------------------------------- > > For FreeBSD 13 and later: > > Run the following command to see which files were modified by a > particular commit: > > # git show --stat > > Or visit the following URL, replacing NNNNNN with the hash: > > > > To determine the commit count in a working tree (for comparison against > nNNNNNN in the table above), run: > > # git rev-list --count --first-parent HEAD > > For FreeBSD 12 and earlier: > > Run the following command to see which files were modified by a particular > revision, replacing NNNNNN with the revision number: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > > > VII. References > > > > The latest revision of this advisory is available at > > --------------r88lAbUYkRp0y8Naqc6QqThD Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit

How likely is this bug exploited ?  I am guessing Man-in-the-middle makes this a little more of an issue potentially

    ---Mike



On 11/29/2022 7:46 PM, FreeBSD Security Advisories wrote:
=============================================================================
FreeBSD-SA-22:15.ping                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Stack overflow in ping(8)

Category:       core
Module:         ping
Announced:      2022-11-29
Credits:        Tom Jones
Affects:        All supported versions of FreeBSD.
Corrected:      2022-11-29 22:56:33 UTC (stable/13, 13.1-STABLE)
                2022-11-29 23:00:43 UTC (releng/13.1, 13.1-RELEASE-p5)
                2022-11-29 22:57:16 UTC (stable/12, 12.4-STABLE)
                2022-11-29 23:19:09 UTC (releng/12.4, 12.4-RC2-p2)
                2022-11-29 23:16:17 UTC (releng/12.3, 12.3-RELEASE-p10)
CVE Name:       CVE-2022-23093

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

ping(8) is a program that can be used to test reachability of a remote
host using ICMP messages.  To send and receive ICMP messages, ping makes
use of raw sockets and therefore requires elevated privileges.  To make
ping's functionality available to unprivileged users, it is installed
with the setuid bit set.  When ping runs, it creates the raw socket
needed to do its work, and then revokes its elevated privileges.

II.  Problem Description

ping reads raw IP packets from the network to process responses in the
pr_pack() function.  As part of processing a response ping has to
reconstruct the IP header, the ICMP header and if present a "quoted
packet," which represents the packet that generated an ICMP error.  The
quoted packet again has an IP header and an ICMP header.

The pr_pack() copies received IP and ICMP headers into stack buffers
for further processing.  In so doing, it fails to take into account the
possible presence of IP option headers following the IP header in
either the response or the quoted packet.  When IP options are present,
pr_pack() overflows the destination buffer by up to 40 bytes.

III. Impact

The memory safety bugs described above can be triggered by a remote
host, causing the ping program to crash.  It may be possible for a
malicious host to trigger remote code execution in ping.

The ping process runs in a capability mode sandbox on all affected
versions of FreeBSD and is thus very constrainted in how it can interact
with the rest of the system at the point where the bug can occur.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch
# fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch.asc
# gpg --verify ping.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              186f495d4be1    stable/13-n253187
releng/13.1/                            66c7b53d9516  releng/13.1-n250172
stable/12/                                                        r372774
releng/12.4/                                                      r372778
releng/12.3/                                                      r372775
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23093>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:15.ping.asc>
>
--------------r88lAbUYkRp0y8Naqc6QqThD-- From nobody Wed Nov 30 21:58:09 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NMtPN5QfGz4j6wF for ; Wed, 30 Nov 2022 21:58:16 +0000 (UTC) (envelope-from devnull@apt322.org) Received: from gateway20.websitewelcome.com (gateway20.websitewelcome.com [192.185.58.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4NMtPN2V30z3vbH for ; Wed, 30 Nov 2022 21:58:16 +0000 (UTC) (envelope-from devnull@apt322.org) Authentication-Results: mx1.freebsd.org; none Received: from atl1wswcm02.websitewelcome.com (unknown [50.6.129.163]) by atl1wswob01.websitewelcome.com (Postfix) with ESMTP id 256934013A40B for ; Wed, 30 Nov 2022 21:58:15 +0000 (UTC) Received: from br366.hostgator.com.br ([108.167.188.48]) by cmsmtp with ESMTP id 0V5rpXYl84ZGb0V5rpCfHI; Wed, 30 Nov 2022 21:58:15 +0000 X-Authority-Reason: nr=8 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=apt322.org; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:Subject:From: References:To:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=q+ZknU4KpE/pylzU/CYB0r0KaNwLZ5fgPTH952g0zjI=; b=Y4dw0xEsW0EWmUxy7NUJn9kTiP lvQnaQhiklnqtf2nA8kuCy2hLuFJRtG3FrlyWazMYNuwXuaJzwvatF71OY5yBL+zQw96GLyXWMp4A ZUVhdMaQM7r7l/mA/DV7abDIK/Jt6y2R/julME70uBSSMKOflFFy7hEoEp7aAFD/mQcNF3tFdwRsJ MkGzhYZJMEe9cYikwBhEvnubxZAVkWxBwABUwyyieecRs+t/PBo4nrN9KGcslxHsr1DTgsmJ6MRt2 6mD0Bd1iFBY12JCCnb+HdQR2Nte7MeZDkEWA4LufNuyBqRqtP1IOUJ8AyG/9Xe9RRGTNBcNqvBhoO XnNJ0GcQ==; Received: from [45.238.229.20] (port=14606 helo=[192.168.0.100]) by br366.hostgator.com.br with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.95) (envelope-from ) id 1p0V5q-001UPr-QL; Wed, 30 Nov 2022 18:58:14 -0300 Message-ID: Date: Wed, 30 Nov 2022 18:58:09 -0300 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.5.0 To: mike tancsa , freebsd-security@freebsd.org References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> Content-Language: en-US From: Dev Null Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping In-Reply-To: <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - br366.hostgator.com.br X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - apt322.org X-BWhitelist: no X-Source-IP: 45.238.229.20 X-Source-L: No X-Exim-ID: 1p0V5q-001UPr-QL X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: ([192.168.0.100]) [45.238.229.20]:14606 X-Source-Auth: devnull@apt322.org X-Email-Count: 1 X-Source-Cap: bXVuZG9zODg7bXVuZG9zODg7YnIzNjYuaG9zdGdhdG9yLmNvbS5icg== X-Local-Domain: yes X-CMAE-Envelope: MS4xfO36zBrfjrD9nnijsEx5S50EEb2Az9gXxr5kcy4mTsWdV5/RLrfnLXCgPS612qu9QucdONiMn1Y96xi/1ExaYi83LtjNXfSnEm1/GteEupWZxhP6nDcP nMcwhDyVNpOQu+8pRwmiOwVxubuOcTVM7JNlmeHlDXwvSavcFBW2R8111D+CbDjPC1DhEZJv9DZ4soAtr7/1qHfwpJgXvnYWSw0= X-Rspamd-Queue-Id: 4NMtPN2V30z3vbH X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:19871, ipnet:192.185.58.0/23, country:US] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N Easily to exploit in a test environment, but difficult to be exploited in the wild, since the flaw only can be exploited in the ICMP reply, so the vulnerable machine NEEDS to make an ICMP request first. The attacker in this case, send a short reader in ICMP reply. -- Rafael Grether On 30/11/22 10:01, mike tancsa wrote: > > How likely is this bug exploited ?  I am guessing Man-in-the-middle > makes this a little more of an issue potentially > >     ---Mike > From nobody Wed Nov 30 22:03:10 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NMtWH68x3z4j7V5 for ; Wed, 30 Nov 2022 22:03:23 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smarthost1.sentex.ca", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NMtWH497gz3xwR for ; Wed, 30 Nov 2022 22:03:23 +0000 (UTC) (envelope-from mike@sentex.net) Authentication-Results: mx1.freebsd.org; none Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [199.212.134.19]) by smarthost1.sentex.ca (8.16.1/8.16.1) with ESMTPS id 2AUM395Z018525 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=FAIL); Wed, 30 Nov 2022 17:03:09 -0500 (EST) (envelope-from mike@sentex.net) Received: from [IPV6:2607:f3e0:0:4:245f:fc1c:f100:a232] ([IPv6:2607:f3e0:0:4:245f:fc1c:f100:a232]) by pyroxene2a.sentex.ca (8.16.1/8.15.2) with ESMTPS id 2AUM39X3060228 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Wed, 30 Nov 2022 17:03:09 -0500 (EST) (envelope-from mike@sentex.net) Message-ID: <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net> Date: Wed, 30 Nov 2022 17:03:10 -0500 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0 Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping Content-Language: en-US To: Dev Null , freebsd-security@freebsd.org References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> From: mike tancsa In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.84 X-Rspamd-Queue-Id: 4NMtWH497gz3xwR X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N On 11/30/2022 4:58 PM, Dev Null wrote: > > Easily to exploit in a test environment, but difficult to be exploited > in the wild, since the flaw only can be exploited in the ICMP reply, > so the vulnerable machine NEEDS to make an ICMP request first. > > The attacker in this case, send a short reader in ICMP reply. > Lets say you know that some device regularly pings, say 8.8.8.8 as part of some connectivity check. If there is no stateful firewall, can the attacker not just forge the reply on the chance their attack packet could get there first ?  Or if its the case of "evil ISP" in the middle, it becomes even easier. At that point, how easy is it to actually do some sort of remote code execution. The SA implies there are mitigating techniques on the OS and in the app.  I guess its that last part I am mostly unclear of, how difficult is the RCE if given the first requirement as a given.     ---Mike From nobody Wed Nov 30 22:38:55 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NMvJR0HXZz4jDHP for ; Wed, 30 Nov 2022 22:39:03 +0000 (UTC) (envelope-from brooks@spindle.one-eyed-alien.net) Received: from spindle.one-eyed-alien.net (spindle.one-eyed-alien.net [199.48.129.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4NMvJQ56dNz4FSG for ; Wed, 30 Nov 2022 22:39:02 +0000 (UTC) (envelope-from brooks@spindle.one-eyed-alien.net) Authentication-Results: mx1.freebsd.org; none Received: by spindle.one-eyed-alien.net (Postfix, from userid 3001) id 491A03C0199; Wed, 30 Nov 2022 22:38:55 +0000 (UTC) Date: Wed, 30 Nov 2022 22:38:55 +0000 From: Brooks Davis To: mike tancsa Cc: Dev Null , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping Message-ID: <20221130223855.GA89753@spindle.one-eyed-alien.net> References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="pWyiEgJYm5f9v55/" Content-Disposition: inline In-Reply-To: <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net> User-Agent: Mutt/1.9.4 (2018-02-28) X-Rspamd-Queue-Id: 4NMvJQ56dNz4FSG X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:36236, ipnet:199.48.128.0/22, country:US] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N --pWyiEgJYm5f9v55/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote: > On 11/30/2022 4:58 PM, Dev Null wrote: > > > > Easily to exploit in a test environment, but difficult to be exploited= =20 > > in the wild, since the flaw only can be exploited in the ICMP reply,=20 > > so the vulnerable machine NEEDS to make an ICMP request first. > > > > The attacker in this case, send a short reader in ICMP reply. > > > Lets say you know that some device regularly pings, say 8.8.8.8 as part= =20 > of some connectivity check. If there is no stateful firewall, can the=20 > attacker not just forge the reply on the chance their attack packet=20 > could get there first ??? Or if its the case of "evil ISP" in the middle,= =20 > it becomes even easier. At that point, how easy is it to actually do=20 > some sort of remote code execution. The SA implies there are mitigating= =20 > techniques on the OS and in the app.?? I guess its that last part I am=20 > mostly unclear of, how difficult is the RCE if given the first=20 > requirement as a given. It's probably also worth considering it as a local privilege escalation attack. The attacker will need to control a ping server, but it's often the case that enough ICMP traffic is allowed out for that to work and in that case they have unlimited tries to defeat any statistical mitigations (unless the admin spots all the ping crashes). -- Brooks --pWyiEgJYm5f9v55/ Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJjh9t+AAoJEKzQXbSebgfASvIH/jNVfXbAcuK9GcxBn+EaJIxk 3bVFou5EfndYTtLjl+6zIOAnFs3qFcy1IuQoz7WW14m0a8XhLDUd18eF/spVSTOc bJ1Rfqc65rwpYD0/f/R3qH4k//eF1lrb0t0JEAbCUwNTZ5ciklhBlANtPYuzCyJy M6kIl5v8My8IV3ZlioGJs7aNOXI5SJc8cP76DxsqfUzmeP4EFk/Nwaf2wlAEBaH9 YgZocCRoY+xlUOi4SZc3kdPDvUh1F3kGr98tqZJtwLn0uyvmaWmZcsvwwRkel++Z 9PzbgwYKUAl3F7x9iMVef1VOVmGP1PennSNNVSF8Tya31495H8szELrLTgnI8do= =ewxW -----END PGP SIGNATURE----- --pWyiEgJYm5f9v55/-- From nobody Wed Nov 30 22:47:05 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NMvTv4Fczz4jFQ5 for ; Wed, 30 Nov 2022 22:47:15 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [209.237.23.5]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA512 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NMvTt212Wz4JWQ for ; Wed, 30 Nov 2022 22:47:14 +0000 (UTC) (envelope-from marquis@roble.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=roble.com header.s=rs060402 header.b=iJuOo+6Q; spf=pass (mx1.freebsd.org: domain of marquis@roble.com designates 209.237.23.5 as permitted sender) smtp.mailfrom=marquis@roble.com; dmarc=pass (policy=none) header.from=roble.com Received: from roble.com (roble.com [209.237.23.50]) by mx5.roble.com (Postfix) with ESMTP id 642DBE004 for ; Wed, 30 Nov 2022 14:47:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=roble.com; s=rs060402; t=1669848425; bh=sqbDQoSOTiNdQPopkPilQPX6qxTFmK4OgdFB3MW1FDA=; h=Date:From:To:Subject:In-Reply-To:References; b=iJuOo+6QNEyJA0pLHw0iZI68N/+KQtgSVFHzllxkW0x+imm3EZWvkDRcfZ48YMip+ eW7BnZS0O9LrzZ9Urk96ToFdQMzugkmsiTZMNI9WczpI0kPLGRmDytKfNGMul+sK6s yfJCBUd8XdNIVtbDLtm4JlbFQe1wjUIWWfKNM/SY= Date: Wed, 30 Nov 2022 14:47:05 -0800 (PST) From: Roger Marquis To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping In-Reply-To: <20221130223855.GA89753@spindle.one-eyed-alien.net> Message-ID: <9n9n775o-2rp4-5q7q-3500-61q18235qs5q@mx.roble.com> References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net> <20221130223855.GA89753@spindle.one-eyed-alien.net> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=US-ASCII X-Spamd-Result: default: False [-4.00 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.999]; DMARC_POLICY_ALLOW(-0.50)[roble.com,none]; R_SPF_ALLOW(-0.20)[+ip4:209.237.23.0/24]; R_DKIM_ALLOW(-0.20)[roble.com:s=rs060402]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; FROM_EQ_ENVFROM(0.00)[]; DKIM_TRACE(0.00)[roble.com:+]; ARC_NA(0.00)[]; ASN(0.00)[asn:17403, ipnet:209.237.0.0/18, country:US]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; TO_DN_NONE(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-Rspamd-Queue-Id: 4NMvTt212Wz4JWQ X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N Also note that the update can be as easy as: gitup src cd /usr/src make buildworld cd sbin/ping make install ls -l /sbin/ping /sbin/ping ... Roger Marquis > On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote: >> On 11/30/2022 4:58 PM, Dev Null wrote: >>> >>> Easily to exploit in a test environment, but difficult to be exploited >>> in the wild, since the flaw only can be exploited in the ICMP reply, >>> so the vulnerable machine NEEDS to make an ICMP request first. >>> >>> The attacker in this case, send a short reader in ICMP reply. >>> >> Lets say you know that some device regularly pings, say 8.8.8.8 as part >> of some connectivity check. If there is no stateful firewall, can the >> attacker not just forge the reply on the chance their attack packet >> could get there first ??? Or if its the case of "evil ISP" in the middle, >> it becomes even easier. At that point, how easy is it to actually do >> some sort of remote code execution. The SA implies there are mitigating >> techniques on the OS and in the app.?? I guess its that last part I am >> mostly unclear of, how difficult is the RCE if given the first >> requirement as a given. > > It's probably also worth considering it as a local privilege escalation > attack. The attacker will need to control a ping server, but it's often > the case that enough ICMP traffic is allowed out for that to work and in > that case they have unlimited tries to defeat any statistical mitigations > (unless the admin spots all the ping crashes). > > -- Brooks > From nobody Thu Dec 1 06:06:08 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NN5DM2yQvz4jPJZ for ; Thu, 1 Dec 2022 06:06:11 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-ua1-x933.google.com (mail-ua1-x933.google.com [IPv6:2607:f8b0:4864:20::933]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NN5DL5BxSz41ZB for ; Thu, 1 Dec 2022 06:06:10 +0000 (UTC) (envelope-from grarpamp@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=fZSEKd1h; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::933 as permitted sender) smtp.mailfrom=grarpamp@gmail.com; dmarc=pass (policy=none) header.from=gmail.com Received: by mail-ua1-x933.google.com with SMTP id n9so236529uao.13 for ; Wed, 30 Nov 2022 22:06:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:references:in-reply-to:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=3dgYqagFa6QRa+UEb1L43IWR8USdyFYEUoQ6jaG2e5k=; b=fZSEKd1hrFhvFLQ3AQveppcffrTQq4T/qfbB+cKWUFJBBPSb4Li3YyRQ3dUPr8VXd7 Zt3xR21TFkrRhOn/sgWGLCA/1pvrBN8ajA/cdiZS6e0VYKnK9Tf3X/yI3f1Ed0ICQV6j iPNSjM1Ir6K9wNgSkTOiKeUE7bg9X79pkb0EHneDu+1SaAq+5ik0I+WB3EBeGndfCB1A w1+7L6EHo8ovxbFAF6aMbN6YKKt349sgN8kqdb0HCuOekz6a0+pxKgbmqbzxxmYTIw51 ZdHWGUe9wnJdnuaxcdkSLoVzgjDHANMFK93AJkdaRyfoKapkujlUrvkSYwAH9CRfNBYA fl1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:references:in-reply-to:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=3dgYqagFa6QRa+UEb1L43IWR8USdyFYEUoQ6jaG2e5k=; b=g9xrFLhYaRUShFK9zYRNRrMLx34N+S6un6tPldef5qnZPULwQBo+W9GkQ8MUpMSGIU qkrG93Xo6aB40Mfj6SWpm83PuZ3ZQRQSy5kgSEwiWKYkMlpJ9I7rWH+B0EAm5OvQgVXK ciu8TzxrGH17hvWy+0R6NMxLey0n1pKtfBnkSASChlagpM5z3H8CUjbu09ZsXCbAqDH7 UsfCkKvqwuGylszOzE5yLqMxChCUh3x3arqKE6XFJ6g8Go4EpX9xUKBuQzi5p6aaBJMW MZCapK5j103lNPl+GM6vlHorNyh4Nzw1ALaVB4vKGMybL8CVqOzpn6MP4HQN/33z4i1R ivJw== X-Gm-Message-State: ANoB5pkMhxrlvzx9yKSO5JzTnlfibIXEe+sKDz6JSfTGN3mp3EWnAv53 pu0/KguiZxAL/ZWlX5WbvlFWOzabxVcfnCsBkfBpvr/ahVtkw3voS0s= X-Google-Smtp-Source: AA0mqf7NaQz4YL/tjfVyrM0PtQ/phIJ8z1r7Gxw1KeVbwrn7pjafN5FiV6hSxkSLPqv4P6TDyNnB6nkfBqBNyDhMGeg= X-Received: by 2002:ab0:6ce6:0:b0:419:2207:3472 with SMTP id l6-20020ab06ce6000000b0041922073472mr11204150uai.42.1669874769592; Wed, 30 Nov 2022 22:06:09 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a59:acc2:0:b0:32b:33ff:fbc3 with HTTP; Wed, 30 Nov 2022 22:06:08 -0800 (PST) In-Reply-To: <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> From: grarpamp Date: Thu, 1 Dec 2022 01:06:08 -0500 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping To: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [-3.89 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-0.999]; NEURAL_HAM_SHORT(-0.89)[-0.895]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; MIME_GOOD(-0.10)[text/plain]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::933:from]; ARC_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; FREEMAIL_ENVFROM(0.00)[gmail.com]; DKIM_TRACE(0.00)[gmail.com:+]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-Rspamd-Queue-Id: 4NN5DL5BxSz41ZB X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N Generally, that ping has no end-to-end security (neither does TLS if relying solely on the silly CA model), and that TLA's [and Tier-n ISP's, VPN's, Tor's, WiFi's, etc] can all MITM at will, and that everyone is a target of some one/entity these days... then this is bad. Which if it applies to Micro$haft Crapple Phones would be even more a convenient gift to various actors. Perhaps the real question is... Why is ping, repeatedly over history, like sendwhale, still being written such that it remains exploitable... From nobody Thu Dec 1 15:27:44 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NNKhj29pmz4jV2K for ; Thu, 1 Dec 2022 15:28:05 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smarthost1.sentex.ca", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NNKhj05NYz46Zy; Thu, 1 Dec 2022 15:28:04 +0000 (UTC) (envelope-from mike@sentex.net) Authentication-Results: mx1.freebsd.org; none Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [199.212.134.19]) by smarthost1.sentex.ca (8.16.1/8.16.1) with ESMTPS id 2B1FRi8Q012690 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=FAIL); Thu, 1 Dec 2022 10:27:44 -0500 (EST) (envelope-from mike@sentex.net) Received: from [IPV6:2607:f3e0:0:4:f844:467d:3d45:5f70] ([IPv6:2607:f3e0:0:4:f844:467d:3d45:5f70]) by pyroxene2a.sentex.ca (8.16.1/8.15.2) with ESMTPS id 2B1FRio3013987 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Thu, 1 Dec 2022 10:27:44 -0500 (EST) (envelope-from mike@sentex.net) Message-ID: <4ce47f73-c48f-22f6-e0c0-0bd03452bcda@sentex.net> Date: Thu, 1 Dec 2022 10:27:44 -0500 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0 Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping Content-Language: en-US To: Brooks Davis Cc: Dev Null , freebsd-security@freebsd.org References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net> <20221130223855.GA89753@spindle.one-eyed-alien.net> From: mike tancsa In-Reply-To: <20221130223855.GA89753@spindle.one-eyed-alien.net> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.84 X-Rspamd-Queue-Id: 4NNKhj05NYz46Zy X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N On 11/30/2022 5:38 PM, Brooks Davis wrote: > It's probably also worth considering it as a local privilege escalation > attack. The attacker will need to control a ping server, but it's often > the case that enough ICMP traffic is allowed out for that to work and in > that case they have unlimited tries to defeat any statistical mitigations > (unless the admin spots all the ping crashes). My concern is the "evil server in the middle" ... Things like route highjacking are not that uncommon. I have a number of IoT devices out there I will need to patch, some still based on RELENG_11.  The patch doesnt apply cleanly, but looking at the source code, there are a bunch of spots where #ifdef IP_OPTIONS If I put on the top of sbin/ping.c undef IP_OPTIONS will the code that is problematic get compiled out and avoid the issue ? ping.c:#ifdef IP_OPTIONS ping.c:#ifdef IP_OPTIONS ping.c:         if (setsockopt(ssend, IPPROTO_IP, IP_OPTIONS, rspace, ping.c:                 err(EX_OSERR, "setsockopt IP_OPTIONS"); ping.c:#endif /* IP_OPTIONS */ For now, I would rather push a patched ping which I can do quickly to a few hundred devices     ---Mike From nobody Sun Dec 4 01:26:16 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NPpt40KPYz4k0F1; Sun, 4 Dec 2022 01:26:20 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NPpt26mnVz3qkC; Sun, 4 Dec 2022 01:26:18 +0000 (UTC) (envelope-from grarpamp@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=j6Nj0hpw; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::e2e as permitted sender) smtp.mailfrom=grarpamp@gmail.com; dmarc=pass (policy=none) header.from=gmail.com Received: by mail-vs1-xe2e.google.com with SMTP id b189so2159839vsc.10; Sat, 03 Dec 2022 17:26:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=686NIf1KIBcl9er/S5vKPY7QqZKJCo2i9rFrcKo6W6c=; b=j6Nj0hpwLA5tI7O8V/AZy//pv7jCZ9Nn5xWpTpeFuwjnlk+z4+pUfLNazRNn+oR/nT 2l1jYCwQw41fsRSySzbAu1dscw7mvvtoQRZilTkp3FbXlxGNG+z19v55sNhadH9EDYml W00QT7nbs85Id4ggxK7m7YnMdHQAgv5kICsRiuFBrk3GJphPe9hggWJKddDIBXkhK3d2 z9mW2Ag6QTJpmiLRFC5hUWrTCjHSj3Np81rimbflr2ITjCo7rprPag2Qh0h79/g79my5 MuMOWLYZ7JNP5cz6k0kbGjfKqKm7XBaZpYgzcjsZmp/glwPnTCHwXrlh1Y9vxRKMES0h /Lnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=686NIf1KIBcl9er/S5vKPY7QqZKJCo2i9rFrcKo6W6c=; b=qCp9Dme7PgKn1s1f95tB0T2FttAkSYYv9rD2cmL1sPrLWcd+Nrfd0aNaYvBSvhN/U8 zvTYgDiVy8TSLouaKsXDs5UbU5AGCFi7+IKbTf+1ouUkazq5nIDr9jakwz6LqVNB8Vvy 1vWuhn4QOx6Is92On5JBCR+saOqkZP/grP0P1Srifl7xOzjrYtDtl/ZzySvg0icAj4Iz yE4rR3iz6PcClrBlPlGt+s9yuqShICvsbrtZ9hkauvwQaF3u/pqmHsg7Pi14A0mQ6vmH Nt3z3umxQrWJD5LirvVMQKKVVx/eD24z0fDI8irMEsy+2p0g9Z1dAxzFVqxFv1YnX+bQ 3/Bw== X-Gm-Message-State: ANoB5pmEKPZmxFtZgKN5oUZeRwJk3gx4JGe0w2/0rW1bC9zlUAn+MwGr K6EwlPqtYJFHij5oXEt70+VZ7BiNgURQyFFveJDa5a3qvZzO1ZgAUDY= X-Google-Smtp-Source: AA0mqf4obSX09BCQpTbBN5nwz/5dDkzqpUNmZYTgL0N2t67hzWDHbeUEA3IO4i68GU2SEJKvm30y0Fb7BWVPbNUyWSw= X-Received: by 2002:a05:6102:502:b0:3b0:df43:87af with SMTP id l2-20020a056102050200b003b0df4387afmr8751071vsa.1.1670117177359; Sat, 03 Dec 2022 17:26:17 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a59:acc2:0:b0:32b:33ff:fbc3 with HTTP; Sat, 3 Dec 2022 17:26:16 -0800 (PST) In-Reply-To: References: From: grarpamp Date: Sat, 3 Dec 2022 20:26:16 -0500 Message-ID: Subject: Re: CA's TLS Certificate Bundle in base = BAD To: freebsd-security@freebsd.org Cc: freebsd-questions@freebsd.org, freebsd-hackers@freebsd.org, freebsd-current@freebsd.org, freebsd-pkg@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spamd-Result: default: False [-3.97 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.986]; NEURAL_HAM_MEDIUM(-0.98)[-0.984]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MIME_GOOD(-0.10)[text/plain]; FROM_EQ_ENVFROM(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::e2e:from]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; FREEMAIL_ENVFROM(0.00)[gmail.com]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org,freebsd-questions@freebsd.org,freebsd-hackers@freebsd.org,freebsd-current@freebsd.org,freebsd-pkg@freebsd.org]; ARC_NA(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCVD_TLS_LAST(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCPT_COUNT_FIVE(0.00)[5]; TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-Rspamd-Queue-Id: 4NPpt26mnVz3qkC X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N Again, FreeBSD should not be including the bundle in base, if users choose to, they can get it from ports or packages or wherever else. Including such bundles exposes users worldwide to massive risks. You need to do more gpg attestation, pubkey pinning [1], tofu, and cert management starting from empty file... and quit trusting bundles of hundreds of random CA's, all of which are entities who have zero duty or care to the user, and often exist/corrupt/break to present evil [2] ... [1] https://github.com/curl/curl/blob/master/docs/cmdline-opts/pinnedpubkey.d https://github.com/curl/curl/blob/master/docs/libcurl/opts/CURLOPT_PINNEDPU= BLICKEY.3 FreeBSD pkg(8) (aka, and: fetch(3)) don't even support this simple option, thus they're incapable of securely fetching packages, iso's, etc from servers in re [2]. Nor does FreeBSD even post sigs over its servers pubkeys for users to get, verify, and pin out of band. Even pubkeys were swapped ou= t on FreeBSD servers without announcing for users if any exploit or loss occu= rred there or for some other reason. That's all bad news :( But can be fixed :) [2] https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addr= esses-government-connections https://www.msn.com/en-us/news/technology/mysterious-company-with-governmen= t-ties-plays-key-internet-role/ar-AA13RwPh https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4= /m/etbBho-VBQAJ Major Web Browsers Drop Mysterious Authentication Company After Ties To US Military Contractor Exposed TrustCor Systems vouches for the legitimacy of websites. But its physical address is a UPS Store in Toronto. Mysterious company with government ties plays key internet role An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews. Google=E2=80=99s Chrome, Apple=E2=80=99s Safari, nonprofit Firefox and othe= rs allow the company, TrustCor Systems, to act as what=E2=80=99s known as a root certificate authority, a powerful spot in the internet=E2=80=99s infrastructure that guarantees websites are not fake, guiding users to them seamlessly. The company=E2=80=99s Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade. One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics. Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it. The Pentagon did not respond to a request for comment on TrustCor. TrustCor also did not respond to a request for comment. [Minutes before Trump left office, millions of the Pentagon=E2=80=99s dorma= nt IP addresses sprang to life] TrustCor=E2=80=99s products include an email service that claims to be end-to-end encrypted, though experts consulted by The Washington Post said they found evidence to undermine that claim. A test version of the email service also included spyware developed by a Panamanian company related to Packet Forensics, researchers said. Google later banned all software containing that spyware code from its app store. A person familiar with Packet Forensics=E2=80=99 work confirmed that it had used TrustCor=E2=80=99s certificate process and its email service, MsgSafe,= to intercept communications and help the U.S. government catch suspected terrorists. =E2=80=9CYes, Packet Forensics does that,=E2=80=9D the person said, speakin= g on the condition of anonymity to discuss confidential practices. Packet Forensics counsel Kathryn Temel said the company has no business relationship with TrustCor. She declined to say whether it had had one previously. The latest discovery shows how the technological and business complexities of the internet=E2=80=99s inner workings can be leveraged to a= n extent that is rarely revealed. Concerns about root certificate authorities, though, have come up before. In 2019, a security company controlled by the government of the United Arab Emirates that had been known as DarkMatter applied to be upgraded to top-level root authority from intermediate authority with less independence. That followed revelations about DarkMatter hacking dissidents and even some Americans; Mozilla denied it root power. In 2015, Google withdrew the root authority of the China Internet Network Information Center (CNNIC) after it allowed an intermediate authority to issue fake certificates for Google sites. With Packet Forensics, a paper trail led to it being identified by researchers twice this year. Mostly known for selling interception devices and tracking services to authorities, the company is four months into a $4.6 million Pentagon contract for =E2=80=9Cdata processing, hosting and related services.=E2=80=9D In the earlier spyware matter, researchers Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley found that a Panamanian company, Measurement Systems, had been paying developers to include code in a variety of innocuous apps to record and transmit users=E2=80=99 phone numbers, email addresses and exact locations. They estimated that those apps were downloaded more than 60 million times, including 10 million downloads of Muslim prayer apps. Measurement Systems=E2=80=99 website was registered by Vostrom Holdings, according to historic domain name records. Vostrom filed papers in 2007 to do business as Packet Forensics, according to Virginia state records. Measurement Systems was registered in Virginia by Saulino, according to another state filing. After the researchers shared their findings, Google booted all apps with the spy code out of its Play app store. Tremel said that =E2=80=9Ca company previously associated with Packet Forensics was a customer of Measurement Systems at one time=E2=80=9D but th= at there was no ownership stake. When Reardon and Egelman looked deeper at Vostrom, they found it had registered the domain name TrustCor.co, which directed visitors to the main TrustCor site. TrustCor has the same president, agents and holding-company partners listed in Panamanian records as Measurement Systems. A firm with the same name as one of the holding companies behind both TrustCor and Measurement Systems, Frigate Bay Holdings, filed papers to dissolve this March with the secretary of state in Wyoming, where it was formed. The papers were signed by Saulino, who listed his title as manager. He could not be reached for comment. TrustCor has issued more than 10,0000 certificates, many of them for sites hosted with a dynamic domain name service provider called No-IP, the researchers said. That service allows websites to be hosted with constantly changing Internet Protocol addresses. Because root authority is so powerful, TrustCor can also give others the right to issue certificates. Certificates for websites are publicly viewable so that bad ones should be exposed sooner or later. There have been no reports so far that the TrustCor certificates have been used inappropriately, for example by vouching for impostor websites. The researchers speculated that the system is only used against high-value targets within short windows of time. The person familiar with Packet Forensics=E2=80=99 operati= ons agreed said that was in fact how it has been used. =E2=80=9CThey have this position of ultimate trust, where they can issue encryption keys for any arbitrary website and any email address,=E2=80=9D Egelman said. =E2=80=9CIt=E2=80=99s scary this is being done by some shady = private company.=E2=80=9D The leadership page of the TrustCor=E2=80=99s website lists just two men, identified as co-founders. Though that page does not say so, one of them died months ago, and the other=E2=80=99s LinkedIn profile says he left= as chief technology officer in 2019. That man declined to comment. The website site lists a contact phone number in Panama, which has been disconnected, and one in Toronto, where a message had not been returned after more than a week. The email contact form on the site doesn=E2=80=99t work. The physical address in Toronto given in its auditor= =E2=80=99s report, 371 Front St. West, houses a UPS Store mail drop. TrustCor adds another layer of mystery with its outside auditing firm. Instead of using a major accounting firm that rates the safety of internet infrastructure companies, TrustCor selected one called Princeton Audit Group, which gives its address as a residential townhouse in Princeton, N.J. In addition to TrustCor=E2=80=99s certificate power, the firm offers what purports to be end-to-end encrypted email, MsgSafe.io. But researchers said the email is not encrypted and can be read by the company, which has pitched it to a variety of groups worried about surveillance. MsgSafe has touted its security to a variety of potential customers, including Trump supporters upset that Parler had been dropped by app stores in January 2021, and to users of encrypted mail service Tutanota who were blocked from signing on to Microsoft services. =E2=80=9CCreate your free end-to-end encrypted email today with over 40 domains to choose from and are guaranteed to work with Microsoft Teams,=E2=80=9D the company tweeted in August. Reardon sent test messages over MsgSafe that appeared unencrypted in transmission, meaning MsgSafe could read them at will. Egelman ran the same test with the same result. Jon Callas, a cryptography expert at the Electronic Frontier Foundation, also tested the system at The Post=E2=80=99s request and said t= hat MsgSafe generated and kept the private key for his account, so that it could decrypt anything he sent. =E2=80=9CThe private key has to be under the person=E2=80=99s control to be end-to-end,=E2=80=9D Callas explained. Packet Forensics first drew attention from privacy advocates a dozen years = ago. In 2010, researcher Chris Soghoian attended an invite-only industry conference nicknamed the Wiretapper=E2=80=99s Ball and obtained a Packet Forensics brochure aimed at law enforcement and intelligence agency customers. The brochure was for a piece of hardware to help buyers read web traffic that parties thought was secure. But it wasn=E2=80=99t. =E2=80=9CIP communication dictates the need to examine encrypted traffic at will,=E2=80=9D the brochure read, according to a report in Wired that quote= d Saulino as a Packet Forensics spokesman. =E2=80=9CYour investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption,=E2=80=9D the brochure added. The brochure told customers they could use a decryption key provided by a court order or a =E2=80=9Clook-alike key.=E2=80=9D Researchers thought at the time that the most likely way the box was being used was with a certificate issued by an authority for money or under a court order that would guarantee the authenticity of an impostor communications site. They did not conclude that an entire certificate authority itself might be compromised. Obtaining trusted root certificate authority takes time and money for the infrastructure and for the audit that browsers require, experts say. Each browser has slightly different requirements. At Mozilla=E2=80=99s Firefox, the process takes two years and includes crowdsourced and direct vetting as well as an audit. But all of that typically focuses on formal statements of technological steps, rather than mysteries of ownership and intent. The person familiar with Packet Forensics said the big tech companies probably were unwitting participants in the TrustCor play: =E2=80=9CMost people aren=E2=80=99t paying attention.=E2=80=9D =E2=80=9CWith enough money, you or I could become a trusted root certificat= e authority,=E2=80=9D said Daniel Schwalbe, vice president of technology at w= eb data tracker DomainTools. Mozilla currently recognizes 169 root certificate authorities, including three from TrustCor. The case gives new focus to problems with that system, in which critical tech companies outsource their trust to third parties with their own agendas. =E2=80=9CYou can=E2=80=99t bootstrap trust, it has to come from somewhere,= =E2=80=9D Reardon said. =E2=80=9CRoot certificate authorities are the kernel of trust from wh= ich it is all built on. And it will always be shaky, because it will always involve humans, committees and decision-making.=E2=80=9D Reardon and Egelman alerted Google, Mozilla and Apple to their research on TrustCor in April. They said they have heard little back. Google did not respond to a request for comment. Mozilla said it would say more after reviewing details from the researchers= . Major Web Browsers Drop Mysterious Authentication Company After Ties To US Military Contractor Exposed This week several major web browsers quickly severed ties with a mysterious software company used to certify the security of websites, three weeks after the Washington Post exposed its connections to a US military contractor, the Post reports. TrustCor Systems provided 'certificates' to browsers to Mozilla Firefox and Microsoft Edge, which vouched for the legitimacy of said websites. "Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware," said Mozilla's Kathleen Wilson in an email to browser security experts. "Trustcor=E2=80=99s responses via their Vice President of= CA operations further substantiates the factual basis for Mozilla=E2=80=99s concerns." According to TrustCor's Panamanian (!?) registration records, the company has the same slate of officers, agents and officers as Arizona-based Packet Forensics, which has sold communication interception services to the U.S. government for over a decade. One of those contracts listed the =E2=80=9Cplace of performance=E2=80= =9D as Fort Meade, Md., the home of the National Security Agency and the Pentagon=E2=80=99s Cyber Command. The case has put a new spotlight on the obscure systems of trust and checks that allow people to rely on the internet for most purposes. Browsers typically have more than a hundred authorities approved by default, including government-owned ones and small companies, to seamlessly attest that secure websites are what they purport to be. -WaPo Also of concern, TrustCor's small staff in Canada lists its place of operation at a UPS Store mail drop, according to company executive Rachel McPherson, who says she told their Canadian staffers to work remotely. She also acknowledged that the company has 'infrastructure' in Arizona as well. McPherson says that ownership in TrustCor was transferred to employees despite the fact that some of the same holding companies had invested in both TrustCor and Packet Forensics. Various technologists in the email discussion said they found TrustCor to be evasive when it came to basic facts such as legal domicile and ownership - which they said was not appropriate for a company responsible for root certificate authority that verifies a secure 'https' website is not an imposter. The Post report built on the work of two researchers who had first located the company=E2=80=99s corporate records, Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley. Those two and others also ran experiments on a secure email offering from TrustCor named MsgSafe.io. They found that contrary to MsgSafe=E2=80=99s public claims, emails sent through its system were not end-to-end encrypted and could be read by the company. McPherson said the various technology experts had not used the right version or had not configured it properly. -WaPo In a previous case which illustrates the importance of trusting root-level authorities - a security company controlled by the United Arab Emirates, DarkMatter, applied in 2019 to have top-level root authority from their status as an intermediate authority with less independence. The request followed revelations that DarkMatter had hacked dissidents and even some Americans - after which Mozilla denied it root power. "Received email from DDNS no-IP, they offering free TrustCor Standard DV SSL certificate." "Free, comes complete with spyveillance and exploit, lol." "Imagine that even the most trusted CA's are actually rogue!" From nobody Sun Dec 4 02:44:55 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NPrcp6WsWz4hwrC; Sun, 4 Dec 2022 02:44:58 +0000 (UTC) (envelope-from grahamperrin@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NPrcp6437z43hM; Sun, 4 Dec 2022 02:44:58 +0000 (UTC) (envelope-from grahamperrin@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1670121898; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=J/kYN5WtcAGBw19XPuaAnc6JHiAz2NH644md2dTU80I=; b=Ge0UdghnZpRay7eOWRxgjG4h+n5lT/RzghDCVZw8BdjOAPKquXNjoGBCDciJfJO/9ayKli eYt5Lv0+By4cclQTO/at0toM3oya12yabkBosatez4MXyK97Bc15hOJ07cSrd4yKVj+q0v wVIZhVbI5G3YWqDR5Nk6f2pxZ9b82SLZsMEqwXbrOP7u5XTi0idpfEslbx0VekaBiEeWHF c12t4D1IzItiwDZnOb+BMGM82K4Ecy1k6ZekuXOv+zJajvZKocIGrUOo0BfIS97pd5lQ6o WP9fQmv41VD2AE6AtMYjTQ9WiSSLY741r+ph8PqH8+G/KnEehrqFODYJ9l7Dfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1670121898; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=J/kYN5WtcAGBw19XPuaAnc6JHiAz2NH644md2dTU80I=; b=QHHM78h/W2+pkeqzu5ysxeAxmvZEiN73Npy+8QYrWooa2uQyJ/VBrO+Xb/0RNCE+wbNG9o piCsgwIoP8Pfzt0hv37J+J8iuXbGtVN+K7efZKjUbUVcfahhUK2kHSSeTYa69rBv0tZjUe QoiJcuSqYL4aNurOsy7tq57aIhLvmKPshF2Ue31SEBYe4MX/fUbf88uRZ2Wxpef8hj1HZW fO78QEXYVBpOaKbeFHjoAAIIGzLPZitm+Tbpz8yV8cO6VeXwuB3tjyd/mFtb7NLpdqLQU7 ESpCEUYjPb7G7fjvT71IAIgLe9z7j5y8xWe/SFAmZaaz6qjqf75l5CjFgXV1LA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1670121898; a=rsa-sha256; cv=none; b=xwskyS9EgQne2qcEYCaYtHxkmPYtyu9osR24WkG5ixcHI0oNjNAIj2V0p8c73cb/elK4xe Wa4+z8rwSF51q6cDtkCfUtZeQQxApGKa5VjgBhjb2sGCP+GzXdpPEHdQ2NHOofYOmJ0yCl YtuHE3wwjEWwkpwqxdU48fcxmX3HggNBjllEH+JfUZ576HKJNu/chlCCIVs7SRd0NrSUcn vcG/MtJMBojargGXD2ANfpZT3/lwxJGRiVmqav5mon3AD48D1BpC9ZTCJiOcd+8t5585e1 yJUgGonr15Zth4QG5oFsEG7EtXNaNc1F6FHPHXAW4d9Vlx3uwkIgNb6d9RtDDg== Received: from [IPV6:2001:470:1f1c:a0::2] (tunnel642390-pt.tunnel.tserv1.lon2.ipv6.he.net [IPv6:2001:470:1f1c:a0::2]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: grahamperrin) by smtp.freebsd.org (Postfix) with ESMTPSA id 4NPrcn6ktRzLLF; Sun, 4 Dec 2022 02:44:57 +0000 (UTC) (envelope-from grahamperrin@freebsd.org) Message-ID: <1a9c360a-195a-14f2-7c22-6fdd668aa5cc@freebsd.org> Date: Sun, 4 Dec 2022 02:44:55 +0000 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0 Subject: Re: CA's TLS Certificate Bundle in base = BAD To: grarpamp Cc: freebsd-questions@freebsd.org, freebsd-hackers@freebsd.org, freebsd-current@freebsd.org, freebsd-pkg@freebsd.org, freebsd-security@freebsd.org References: Content-Language: en-GB From: Graham Perrin Organization: FreeBSD In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------DZ1HHh8wOH3EbeKhDixHtHhU" X-ThisMailContainsUnwantedMimeParts: N This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------DZ1HHh8wOH3EbeKhDixHtHhU Content-Type: multipart/mixed; boundary="------------c1EQBIrLvyNIvY0maI9pzRMI"; protected-headers="v1" From: Graham Perrin To: grarpamp Cc: freebsd-questions@freebsd.org, freebsd-hackers@freebsd.org, freebsd-current@freebsd.org, freebsd-pkg@freebsd.org, freebsd-security@freebsd.org Message-ID: <1a9c360a-195a-14f2-7c22-6fdd668aa5cc@freebsd.org> Subject: Re: CA's TLS Certificate Bundle in base = BAD References: In-Reply-To: --------------c1EQBIrLvyNIvY0maI9pzRMI Content-Type: multipart/alternative; boundary="------------1Ig5uKkPBzAjJHbGvg3OjSV7" --------------1Ig5uKkPBzAjJHbGvg3OjSV7 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64 Z3JhcnBhbXAsIHBsZWFzZSByZWZyYWluIGZyb20gYWRkcmVzc2luZyBzbyBtYW55IGxpc3Rz Lg0KDQpTbyBtYW55IGlzOg0KDQoqIGdlbmVyYWxseSBwb29yIG5ldGlxdWV0dGUNCiogY29u dHJhcnkgdG8gcnVsZXMgb2YgdGhlIHJvYWQgaW4gdGhlIEZyZWVCU0QgSGFuZGJvb2suDQoN CjxodHRwczovL2RvY3MuZnJlZWJzZC5vcmcvZW4vYm9va3MvaGFuZGJvb2svYm9vay8jZXJl c291cmNlcy1jaGFydGVycz4NCg== --------------1Ig5uKkPBzAjJHbGvg3OjSV7 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
grarpamp, please refrain from addressing so many lists.

So many is:

* generally poor netiquette
* contrary to rules of the road in the= FreeBSD Handbook.

<https://docs.freebsd.org/en/books/handbook/book/#eresources-charter= s>
--------------1Ig5uKkPBzAjJHbGvg3OjSV7-- --------------c1EQBIrLvyNIvY0maI9pzRMI-- --------------DZ1HHh8wOH3EbeKhDixHtHhU Content-Type: application/pgp-signature; name="OpenPGP_signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="OpenPGP_signature" -----BEGIN PGP SIGNATURE----- wsF5BAABCAAjFiEEWT/lssMHB+28ly8Kt2dIb0oY1AsFAmOMCacFAwAAAAAACgkQt2dIb0oY1Asu bBAAjFHnzRhKyZP5BdgDlM+iDPBKAr9ZnBwryBrklZMXUwJ8XllvqRztUpD9adT5BZmvyqdKmu7X ElXHbkjlpzxtJ8CgE9BTzgjz8KtpCnJw6b+h1XdEs3VoU9zJecqxLnIn4wDBuf4EYqeBk6ZzB/e/ 1F34TyFBg8YHM2qVPp+/f4PyFwNFHsAhganeM6tyIGafw82CnKXnGAgO+z54ov0oEcMIgdXumdQX 1oKTlz958j/SqMJAgDkznDP9990s5lsQCp7dU1T217efI7dIgbQP7J4kKMawclCy3eoPhy8j0T2x 0hCF3HogTZ4mvcjyonboxbF93saONviEUEkLX/SYItZ0hkxEqJYS0hdLFS75BKP0ltsQ6HbeHRLF idsDwIgLb7T5X410EZZGljZ14NplWbbqM0CnJwXnGMNbq1aJV8vxneRaS4HxI6zTcqcSauE67b8p Jset3DvwoTQSn9Cgrr2qlUxukvusw40dVOy5kq5/7aZPnqVmwtOX7MYI3vgaKhqkPPWRwzzwaL74 3yLCdaJ0Oh/z7vTK38rtXdEjTyDtrdkJOBWRJ19xoZOjbwt72oGt+KJWnBUJRfnmESkBg0YjfSPv qKXIfFIGsTFz+ej+UZWM4LjIRn8ALkotzn0TznbTPNb88SWC3uTk+w88Py0Ac0PqeEqVWxvRn8Se 5K0= =LO7a -----END PGP SIGNATURE----- --------------DZ1HHh8wOH3EbeKhDixHtHhU-- From nobody Sun Dec 4 06:16:45 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NPxKT10Srz4jTJt for ; Sun, 4 Dec 2022 06:17:01 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: from mr85p00im-ztdg06021201.me.com (mr85p00im-ztdg06021201.me.com [17.58.23.189]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4NPxKS4jFZz4Wmt for ; Sun, 4 Dec 2022 06:17:00 +0000 (UTC) (envelope-from gordon@tetlows.org) Authentication-Results: mx1.freebsd.org; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tetlows.org; s=sig1; t=1670134619; bh=wVaLjZc+H7aC5nF+TF4Y+bffPGR0jwjMsHIppMvSeho=; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:To; b=qqIicwSEkmH2HqLBB69h+CcOgIZUJorpc0DsawV3ezBdaMtAyGw4w/azWzztNBJUS 0ryvA1UYRgdPPJtmEwBik1/hciCGNOCcwkOS+kmql9hU8ZYm52GTzTQi4K1HtXtNZ4 fxTmwrg4bhWdjzgtcIi40NsDHrmPIRfnbaaoW0Lhu5D+xnMuLvwSUpGxp6CDkpj6NZ PmzjvXR2NcjdD3A4GCd2zglolyhv1lhI3mArJBe1f9FtuO9xsrL/NWxMX2uf7Velsc acSg9bdhyAg+e6fgh+dSEqmLpHdZ9+UMktAawPE5ip/iqPWMT7lubBQ18Rwj6DizpP Wp8ETyJLRnpRQ== Received: from smtpclient.apple (mr38p00im-dlb-asmtp-mailmevip.me.com [17.57.152.18]) by mr85p00im-ztdg06021201.me.com (Postfix) with ESMTPSA id 7B33D320795; Sun, 4 Dec 2022 06:16:58 +0000 (UTC) From: Gordon Tetlow Message-Id: <3FD4E3F3-EAAB-41E9-9381-D98971A9B928@tetlows.org> Content-Type: multipart/alternative; boundary="Apple-Mail=_FDFA50E6-4E04-4D5A-B496-04FE5C561A0F" List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\)) Subject: Re: CA's TLS Certificate Bundle in base = BAD Date: Sat, 3 Dec 2022 22:16:45 -0800 In-Reply-To: Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org, freebsd-hackers@freebsd.org, freebsd-current@freebsd.org, freebsd-pkg@freebsd.org To: grarpamp References: X-Mailer: Apple Mail (2.3731.200.110.1.12) X-Proofpoint-GUID: JdfdEwSXJIZROAN6ZP9MzHqHobNhHuNt X-Proofpoint-ORIG-GUID: JdfdEwSXJIZROAN6ZP9MzHqHobNhHuNt X-Proofpoint-Virus-Version: =?UTF-8?Q?vendor=3Dfsecure_engine=3D1.1.170-22c6f66c430a71ce266a39bfe25bc?= =?UTF-8?Q?2903e8d5c8f:6.0.138,18.0.816,17.11.62.513.0000000_definitions?= =?UTF-8?Q?=3D2022-01-18=5F01:2020-02-14=5F02,2022-01-18=5F01,2021-12-02?= =?UTF-8?Q?=5F01_signatures=3D0?= X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 mlxscore=0 adultscore=0 clxscore=1030 phishscore=0 malwarescore=0 spamscore=0 mlxlogscore=385 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2209130000 definitions=main-2212040058 X-Rspamd-Queue-Id: 4NPxKS4jFZz4Wmt X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:714, ipnet:17.58.16.0/20, country:US] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N --Apple-Mail=_FDFA50E6-4E04-4D5A-B496-04FE5C561A0F Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii On Dec 3, 2022, at 5:26 PM, grarpamp wrote: >=20 > Again, FreeBSD should not be including the bundle in base, if users > choose to, they can get it from ports or packages or wherever else. > Including such bundles exposes users worldwide to massive risks. > You need to do more gpg attestation, pubkey pinning [1], tofu, and > cert management starting from empty file... and quit trusting bundles = of > hundreds of random CA's, all of which are entities who have zero duty > or care to the user, and often exist/corrupt/break to present evil [2] = ... >=20 > [1] > = https://github.com/curl/curl/blob/master/docs/cmdline-opts/pinnedpubkey.d > = https://github.com/curl/curl/blob/master/docs/libcurl/opts/CURLOPT_PINNEDP= UBLICKEY.3 >=20 > FreeBSD pkg(8) (aka, and: fetch(3)) don't even support this simple = option, > thus they're incapable of securely fetching packages, iso's, etc from > servers in re [2]. Nor does FreeBSD even post sigs over its servers = pubkeys > for users to get, verify, and pin out of band. Even pubkeys were = swapped out > on FreeBSD servers without announcing for users if any exploit or loss = occurred > there or for some other reason. That's all bad news :( But can be = fixed :) Key pinning is a bad idea that 100% will cause outages. As a thought experiment, let's suppose I (as the Security Officer) use = the system you propose and require users to pin specific keys on our = publicly available servers. Now let's further suppose that the project = is compromised such that we believe those certificates might be in the = hands of the attacker, but we aren't sure. I'm now stuck between a rock = and hard place. Should I rotate the pinned certificate? In your proposed = system, rotating that pinned certificate will cause massive downstream = failures for all users. Since we aren't sure, maybe I'll leave the = existing certificate in place, because I don't want to cause those = outages since I'm not sure it's a problem. In the publicly trusted CA system, I can easily rotate the certificate = even if I don't believe it was compromised. It incentivizes better = behavior. Also, please don't lecture me on the problems with the = publicly trusted CA system: I'm very familiar with them. That said, it's = the system we have and I have no interest in trying to tilt at that = particular windmill. In any event, nothing is preventing you from doing this on your own as = the system ships with the tools to do so. Recognize the project has a = need for cryptographic agility and ability to change certificates = whenever we need to. Running our own root CA infrastructure necessary to = provide a similar level of assurance to a professionally run CA is = non-trivial and I don't believe we as a project are in a position (or = interested) in taking on such a burden. Gordon= --Apple-Mail=_FDFA50E6-4E04-4D5A-B496-04FE5C561A0F Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii On Dec 3, = 2022, at 5:26 PM, grarpamp <grarpamp@gmail.com> = wrote:

Again, = FreeBSD should not be including the bundle in base, if users
choose to, they can get it from ports or = packages or wherever else.
Including such bundles exposes users worldwide to massive = risks.
You need to do more gpg = attestation, pubkey pinning [1], tofu, and
cert = management starting from empty file... and quit trusting bundles = of
hundreds of random CA's, = all of which are entities who have zero duty
or care to the user, and often = exist/corrupt/break to present evil [2] ...

[1]
https://github.com/curl/curl/blob/master/docs/cmdline-opts/pinnedpub= key.d
https://github.com/curl/curl/blob/master/docs/libcurl/opts/CURLOPT_P= INNEDPUBLICKEY.3

FreeBSD pkg(8) (aka, = and: fetch(3)) don't even support this simple option,
thus they're incapable of securely fetching = packages, iso's, etc from
servers = in re [2]. Nor does FreeBSD even post sigs over its servers = pubkeys
for users to get, = verify, and pin out of band. Even pubkeys were swapped out
on FreeBSD servers without announcing for = users if any exploit or loss occurred
there = or for some other reason. That's all bad news :( But can be fixed = :)

Key pinning is a bad idea = that 100% will cause outages.

As a thought = experiment, let's suppose I (as the Security Officer) use the system you = propose and require users to pin specific keys on our publicly available = servers. Now let's further suppose that the project is compromised such = that we believe those certificates might be in the hands of the = attacker, but we aren't sure. I'm now stuck between a rock and hard = place. Should I rotate the pinned certificate? In your proposed system, = rotating that pinned certificate will cause massive downstream failures = for all users. Since we aren't sure, maybe I'll leave the existing = certificate in place, because I don't want to cause those outages since = I'm not sure it's a problem.

In the publicly = trusted CA system, I can easily rotate the certificate even if I don't = believe it was compromised. It incentivizes better behavior. Also, = please don't lecture me on the problems with the publicly trusted CA = system: I'm very familiar with them. That said, it's the system we have = and I have no interest in trying to tilt at that particular = windmill.

In any event, nothing is preventing = you from doing this on your own as the system ships with the tools to do = so. Recognize the project has a need for cryptographic agility and = ability to change certificates whenever we need to. Running our own root = CA infrastructure necessary to provide a similar level of assurance to a = professionally run CA is non-trivial and I don't believe we as a project = are in a position (or interested) in taking on such a = burden.

Gordon
= --Apple-Mail=_FDFA50E6-4E04-4D5A-B496-04FE5C561A0F-- From nobody Tue Dec 6 22:36:49 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NRZz80z83z4k6mN; Tue, 6 Dec 2022 22:36:52 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-vk1-xa2f.google.com (mail-vk1-xa2f.google.com [IPv6:2607:f8b0:4864:20::a2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NRZz72FFJz3KDy; Tue, 6 Dec 2022 22:36:51 +0000 (UTC) (envelope-from grarpamp@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b="HN/icL32"; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::a2f as permitted sender) smtp.mailfrom=grarpamp@gmail.com; dmarc=pass (policy=none) header.from=gmail.com Received: by mail-vk1-xa2f.google.com with SMTP id l17so2322837vkk.3; Tue, 06 Dec 2022 14:36:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Y0KieX0vs/awEVLTg3SpdLfcwwMini+bi41hP4Was8A=; b=HN/icL32n9he4YFawBuV4Ia4jmEeqijFeerVwvD1vv6TUBy+mDb0i5HX34IJrPHPhJ kTSI7kbqaZiO9dOVE7uJMUgk9sKcbbLJHbcohbm30R0ZR5PCP2rgeFfbmOLtRzMsacPg vsVBiT297Y1yKzm3cakc6kgJymgK+YrZhvcT82pFFo/eJrIEwOhek1nrE3pF5yWiZ58p lRXKMl5F6O1p7712TsgEBHpcJ1LDVPy2Wwo03ww5UXLHVWl3doM/dsPECgiXtAN7sDDE k2VvlY/DLZ5x+30poxan8a197JxJXT47WjfpWwGMKr+PNqE+mEPxuTNISV779O3ytK47 zE7g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Y0KieX0vs/awEVLTg3SpdLfcwwMini+bi41hP4Was8A=; b=qEeVWzK3CcNv1yQBD26m9vVwU55oTNRRnUTkBLag+Le04mWG7cXHmsBlj6uSuUZneG F77x/6YQYPTvATJtEIGQj00HQHWSg2rF43/vcB9P7Owx7BTSt/RehkalRc4r9/PMSdIZ 4d68WlmW1IdUWbTqcBK+45AAVeGq4Td2/Oug+1kPj6fWZ+rshDlN8QYlAwqFFsdLvlVR mvM3wdynOceB5K7v6NbRKP6yCk3uygh6nyw60UDRPY3Rxd7+4o628zPQzAAsJJk73PcT K4n1ypxMesHyTI8Ih+zebBaTNcJ8FgV0EMY1Rn2mZ+7uKmH71yLPzINngGnuZtG4y4jg d3Iw== X-Gm-Message-State: ANoB5pn1Zpb3VM7zRrc9PvSqOwh5ix1tYbTw7jK+SRbDrg/UW8Bg3HnU PWMHvub2TpKUHPojhypI9Zq2mvr0Ie8WeD7Mi9HxfJyPMfp074CeF6k= X-Google-Smtp-Source: AA0mqf6c9KdwqQ6v9cur5hbMLaJFOaGGJ5UQBPghF3HGFZ+jXmBjEa+ZdO0ADzkgC2MumHZRcjQYjFCRckwldUUCpWA= X-Received: by 2002:a1f:bfd2:0:b0:3bc:99b5:21b with SMTP id p201-20020a1fbfd2000000b003bc99b5021bmr13448280vkf.24.1670366210107; Tue, 06 Dec 2022 14:36:50 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a59:acc2:0:b0:32b:33ff:fbc3 with HTTP; Tue, 6 Dec 2022 14:36:49 -0800 (PST) In-Reply-To: <6d973f68-7904-5c23-6c6b-73a76e0a4ef5@gmail.com> References: <6d973f68-7904-5c23-6c6b-73a76e0a4ef5@gmail.com> From: grarpamp Date: Tue, 6 Dec 2022 17:36:49 -0500 Message-ID: Subject: Re: Add BLAKE3 hash to ISO checksums To: freebsd-hackers@freebsd.org Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [-3.83 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-0.998]; NEURAL_HAM_SHORT(-0.83)[-0.827]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; MIME_GOOD(-0.10)[text/plain]; MLMMJ_DEST(0.00)[freebsd-hackers@freebsd.org,freebsd-security@freebsd.org]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; FREEMAIL_ENVFROM(0.00)[gmail.com]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::a2f:from]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_NONE(0.00)[]; RCVD_TLS_LAST(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-Rspamd-Queue-Id: 4NRZz72FFJz3KDy X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N > On first run, BLAKE3 runs at the same speed as SHA-512. > On my system, the second run is 17x faster. > for hash in b3sum sha256sum sha512sum > Executed in 5.05 secs > Executed in 7.46 secs > Executed in 4.84 secs > for hash in b3sum sha256sum sha512sum > Executed in 280.16 millis > Executed in 7.39 secs > Executed in 4.84 secs Any given hash function will take the same time for the same data. Something in the system or test setup is likely returning any "17x" difference or lack thereof... ie caching. Until that outlier difference is investigated and identified, any speed differences between hash functions wouldn't necessarily be reason to add or drop any of them. Use ramdisk on dedicated or non-busy testbeds, specify exact cpu model if testing cpu features or desiring others to scale results to their own cpu's, average results across multiple runs, don't publish outliers unless exploring degenerate edge cases, etc. > I recommend using https://crates.io/crates/b3sum The actual reference implementation source code is here... https://github.com/BLAKE3-team/BLAKE3 > Can we please add BLAKE3 hashes to > https://www.freebsd.org/releases/13.1R/signatures ? Two well chosen hash functions should be enough to cover a break in one, and a third seems a bit overkill. FreeBSD doesn't really use or embed them much and it can swap out broken algos faster than entities in the world that may have hardcoded them in non-modular things. https://en.wikipedia.org/wiki/Cryptographic_hash_function https://en.wikipedia.org/wiki/Cryptography If choosing crypto algos, the obvious will be one that are recognized by crypto standards bodies, competitions, and communities worldwide, and are in wide growing adopted use as a result of those processes. Some of them may be listed starting from the above links. Then whatever alternative competitors based on reviewed security estimates, speed, family isolation by both authorship and algorithm approach, cross platform, multi-thread, simplicity, programmability, arbitrage of threat model/actor/geopolitic, Post-Quantum, etc chosen from among the different algos. FreeBSD's current choice of sha-256 and sha-512 do fail some of those differentiators, thus it is probably reasonable to consider swapping one of them out. More of the leading competitors reference crypto implementations could be added to FreeBSD ports and packages for people to play with. There are also some dedicated all-in-one multi-hashing apps that volunteers could also make ports of. Tools like 'openssl dgst' already do include some, and there are crypto libraries for Python, etc. From nobody Wed Dec 7 21:06:06 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NS8w56nH7z4jqhw for ; Wed, 7 Dec 2022 21:06:13 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [209.237.23.5]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA512 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NS8w51ql9z3q5W for ; Wed, 7 Dec 2022 21:06:13 +0000 (UTC) (envelope-from marquis@roble.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=roble.com header.s=rs060402 header.b=IOWphMAs; spf=pass (mx1.freebsd.org: domain of marquis@roble.com designates 209.237.23.5 as permitted sender) smtp.mailfrom=marquis@roble.com; dmarc=pass (policy=none) header.from=roble.com Received: from roble.com (roble.com [209.237.23.50]) by mx5.roble.com (Postfix) with ESMTP id 5067F72C62 for ; Wed, 7 Dec 2022 13:06:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=roble.com; s=rs060402; t=1670447166; bh=qG1drqybmLO1QyZ5KWapvW61zQCjxK2NYFW16h/8aCA=; h=Date:From:To:Subject; b=IOWphMAsG4BtJqz2nlWrRa9mtstMvS+T6Oaall+IL6KHyy9qzzEqksb3p0F7522Dv Jx5Wh2yLhw0uYmdtzAEGjbnabQ2AuKGU/acDM2i2CkOMw/m1FXK796mr6XIcaUtw2W Wjs32HYrcDn1cIekJAAWu1Ex9+6BLbJBx80/wgys= Date: Wed, 7 Dec 2022 13:06:06 -0800 (PST) From: Roger Marquis To: freebsd-security@freebsd.org Subject: Re: CA's TLS Certificate Bundle in base = BAD Message-ID: <4n4804p0-n4nr-1q6s-5842-69qr287rqrq5@mx.roble.com> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=US-ASCII X-Spamd-Result: default: False [-2.99 / 15.00]; FAKE_REPLY(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.985]; DMARC_POLICY_ALLOW(-0.50)[roble.com,none]; R_SPF_ALLOW(-0.20)[+ip4:209.237.23.0/24]; R_DKIM_ALLOW(-0.20)[roble.com:s=rs060402]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; DKIM_TRACE(0.00)[roble.com:+]; RCPT_COUNT_ONE(0.00)[1]; ASN(0.00)[asn:17403, ipnet:209.237.0.0/18, country:US]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-Rspamd-Queue-Id: 4NS8w51ql9z3q5W X-Spamd-Bar: -- X-ThisMailContainsUnwantedMimeParts: N After running a 12.4 installworld found TrustCor certs had been reinstalled. Out of curiosity, were these known bad certificates intentionally left in RELEASE? If so it does appear we could use a ports-based solution. At this point all the port would need to do is periodically "rm /usr/share/certs/trusted/TrustCor*" but there's sure to be room for options to better harden PKI. Roger Marquis From nobody Thu Dec 8 16:38:07 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NSfwM43hyz4jtVg for ; Thu, 8 Dec 2022 16:38:11 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from omta001.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NSfwL5wPhz42JV; Thu, 8 Dec 2022 16:38:10 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Authentication-Results: mx1.freebsd.org; dkim=none; spf=none (mx1.freebsd.org: domain of cy.schubert@cschubert.com has no SPF policy when checking 3.97.99.32) smtp.mailfrom=cy.schubert@cschubert.com; dmarc=none Received: from shw-obgw-4001a.ext.cloudfilter.net ([10.228.9.142]) by cmsmtp with ESMTP id 3HctpgCI6MsxD3JuUpC6NE; Thu, 08 Dec 2022 16:38:10 +0000 Received: from spqr.komquats.com ([70.66.148.124]) by cmsmtp with ESMTPA id 3JuSpooItibmA3JuTpEI3A; Thu, 08 Dec 2022 16:38:10 +0000 X-Authority-Analysis: v=2.4 cv=YPCMdDKx c=1 sm=1 tr=0 ts=639212f2 a=Cwc3rblV8FOMdVN/wOAqyQ==:117 a=Cwc3rblV8FOMdVN/wOAqyQ==:17 a=kj9zAlcOel0A:10 a=sHyYjHe8cH0A:10 a=y3olD_i8AAAA:8 a=YxBL1-UpAAAA:8 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8 a=le4KEiomOWmtCBGRa-AA:9 a=CjuIK1q_8ugA:10 a=2GdgqtpztZvaxdPX1XqS:22 a=Ia-lj3WSrqcvXOmTRaiG:22 a=IjZwj45LgO3ly-622nXo:22 a=LK5xJRSDVpKd5WXXoEvA:22 Received: from slippy.cwsent.com (slippy [10.1.1.91]) by spqr.komquats.com (Postfix) with ESMTP id 3674D194; Thu, 8 Dec 2022 08:38:08 -0800 (PST) Received: by slippy.cwsent.com (Postfix, from userid 1000) id EE91F7C; Thu, 8 Dec 2022 08:38:07 -0800 (PST) X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.7+dev Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: Brooks Davis cc: mike tancsa , Dev Null , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping In-reply-to: <20221130223855.GA89753@spindle.one-eyed-alien.net> References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net> <20221130223855.GA89753@spindle.one-eyed-alien.net> Comments: In-reply-to Brooks Davis message dated "Wed, 30 Nov 2022 22:38:55 +0000." List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 08 Dec 2022 08:38:07 -0800 Message-Id: <20221208163807.EE91F7C@slippy.cwsent.com> X-CMAE-Envelope: MS4xfLv0QEEnGV48GfpudXqvnurDY9Kkh9f6lGIXOLSrnU9ZITid1XUyRJ0YLIf3c/VYu7j38OJGFE99cDnOQ9paBOJcDjZDO5ZqPQZTtNIxXlQ/X1daJyf0 GHaXKb2ag8KNOXGkAqIZuJyAvF0mzkalPU7BNSgv0bm/RJ5U2XEKJwYlme/TihHMJ+ufgo+NMATW5KAEnQxCYTgHfko9dE5NcePdenocnzosBchPjtknhoGZ EOkLHr6CXUXTpV8XCu+LoyjU2PErD3F955f1kZBXXoqM3SSe754j0dGZ9m6mo0J+ X-Spamd-Result: default: False [-1.69 / 15.00]; AUTH_NA(1.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.992]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_IN_DNSWL_LOW(-0.10)[3.97.99.32:from]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]; R_SPF_NA(0.00)[no SPF record]; MIME_TRACE(0.00)[0:+]; R_DKIM_NA(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_SOME(0.00)[]; ARC_NA(0.00)[]; RCVD_COUNT_FIVE(0.00)[5]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCVD_TLS_LAST(0.00)[]; REPLYTO_EQ_FROM(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; FROM_HAS_DN(0.00)[]; DMARC_NA(0.00)[cschubert.com: no valid DMARC record]; HAS_REPLYTO(0.00)[Cy.Schubert@cschubert.com] X-Rspamd-Queue-Id: 4NSfwL5wPhz42JV X-Spamd-Bar: - X-ThisMailContainsUnwantedMimeParts: N In message <20221130223855.GA89753@spindle.one-eyed-alien.net>, Brooks Davis wr ites: > > --pWyiEgJYm5f9v55/ > Content-Type: text/plain; charset=us-ascii > Content-Disposition: inline > Content-Transfer-Encoding: quoted-printable > > On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote: > > On 11/30/2022 4:58 PM, Dev Null wrote: > > > > > > Easily to exploit in a test environment, but difficult to be exploited= > =20 > > > in the wild, since the flaw only can be exploited in the ICMP reply,=20 > > > so the vulnerable machine NEEDS to make an ICMP request first. > > > > > > The attacker in this case, send a short reader in ICMP reply. > > > > > Lets say you know that some device regularly pings, say 8.8.8.8 as part= > =20 > > of some connectivity check. If there is no stateful firewall, can the=20 > > attacker not just forge the reply on the chance their attack packet=20 > > could get there first ??? Or if its the case of "evil ISP" in the middle,= > =20 > > it becomes even easier. At that point, how easy is it to actually do=20 > > some sort of remote code execution. The SA implies there are mitigating= > =20 > > techniques on the OS and in the app.?? I guess its that last part I am=20 > > mostly unclear of, how difficult is the RCE if given the first=20 > > requirement as a given. > > It's probably also worth considering it as a local privilege escalation > attack. The attacker will need to control a ping server, but it's often > the case that enough ICMP traffic is allowed out for that to work and in > that case they have unlimited tries to defeat any statistical mitigations > (unless the admin spots all the ping crashes). Local privilege escalations are significant threats. I recall one site about 25-30 years ago, one of their OSF/1 machines had crashed and never recovered. It turned out that some intruder managed to break a CGI script which gave them a shell. They attempted a ping exploit which hung the machine hard. After a little digging around I discovered a ping exploit for Tru64. The exploit should have coughed up a root shell but in my client's case they lucked out with a crashed machine instead. That same site had atrocious practices. They gave their CEO an account on the OSF/1 machine with the account name of ceo and a password of, you guessed it, ceo. The CEO never logged in once -- as if the CEO would log into some random UNIX box on the raised floor. I was surprised they didn't get broken into more often than the number of times they did. -- Cheers, Cy Schubert FreeBSD UNIX: Web: https://FreeBSD.org NTP: Web: https://nwtime.org e^(i*pi)+1=0 From nobody Mon Dec 12 19:53:48 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NWC4T4R3jz4Y0T1 for ; Mon, 12 Dec 2022 19:54:01 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NWC4S6Jz0z42Lt for ; Mon, 12 Dec 2022 19:54:00 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=none; spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates 209.85.216.51 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com; dmarc=none Received: by mail-pj1-f51.google.com with SMTP id n65-20020a17090a2cc700b0021bc5ef7a14so1150467pjd.0 for ; Mon, 12 Dec 2022 11:54:00 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YEDESPhNYryjLNpJ/YYbbVrP8Mh5u2tPkZZuRQbH8mQ=; b=w/bvr4SsZKhbNIbXyy0ORQ7pzPQIeLpcm4QBSv9KBsYXOk2h2Y0/xLHaWB9D6FUV6X pcPx/NQ5R9D8z/bgOoTiZx5zg98HU2iUT80dJztlwIbQXrNWveozbKi8yPkvEw/gGBoL dsrQvxIF7ISAAa+kK8gyy+Dcvwo8Al1X0T7znQbYh+TTU+8HxAUjS9YE0mLr3n+f6i3i KaLqnVZDsghwyrX0Wef9Ag80bPd9VDQ4j4kvHic8FSw/1YNasEsjHJLF9i5oCgXwGA/R oDmi9Feik+F3oCGmh64S8MLgj098IrJwqECyN4TF4PM0T48QH3bsxVQ/YB7JS17FKxCb ALig== X-Gm-Message-State: ANoB5pkrYPC2CvC632x9XsOI0ZhNV3wQ0SzPqFmK7vXYDcEawWBc9sAf aFZgz7+9cUbGtxegG+ZlKBce27CaD2ZFJ0JYcXA= X-Google-Smtp-Source: AA0mqf4TbjCfAVYzJr7Z6p/rW3azc0QiwuxfPJVe2WRQ7GcCI7GKD8J74sjuuydjwyxFvjWDjq5yx5IxTykLAKzF2i4= X-Received: by 2002:a17:90b:818:b0:221:5315:1bf4 with SMTP id bk24-20020a17090b081800b0022153151bf4mr22176pjb.240.1670874839656; Mon, 12 Dec 2022 11:53:59 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net> <20221130223855.GA89753@spindle.one-eyed-alien.net> <4ce47f73-c48f-22f6-e0c0-0bd03452bcda@sentex.net> In-Reply-To: <4ce47f73-c48f-22f6-e0c0-0bd03452bcda@sentex.net> From: Ed Maste Date: Mon, 12 Dec 2022 14:53:48 -0500 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping To: mike tancsa Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [-3.06 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.96)[-0.960]; FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c]; RWL_MAILSPIKE_GOOD(-0.10)[209.85.216.51:from]; MIME_GOOD(-0.10)[text/plain]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; RCVD_IN_DNSWL_NONE(0.00)[209.85.216.51:from]; ARC_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; R_DKIM_NA(0.00)[]; FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; RCPT_COUNT_TWO(0.00)[2]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; FROM_HAS_DN(0.00)[]; FREEFALL_USER(0.00)[carpeddiem]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_SOME(0.00)[]; DMARC_NA(0.00)[freebsd.org]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCVD_COUNT_TWO(0.00)[2] X-Rspamd-Queue-Id: 4NWC4S6Jz0z42Lt X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N On Thu, 1 Dec 2022 at 10:28, mike tancsa wrote: > > My concern is the "evil server in the middle" ... Things like route > highjacking are not that uncommon. I have a number of IoT devices out > there I will need to patch, some still based on RELENG_11. The bug was introduced after releng/11, so those ones won't be affected. From nobody Mon Dec 12 19:56:45 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NWC7w1gf2z4Y0dP for ; Mon, 12 Dec 2022 19:57:00 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NWC7t71wSz43qN for ; Mon, 12 Dec 2022 19:56:58 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=none; spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates 209.85.210.170 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com; dmarc=none Received: by mail-pf1-f170.google.com with SMTP id n3so657270pfq.10 for ; Mon, 12 Dec 2022 11:56:58 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=azKvFzFXsjoJs6xaFsn4ZiUEJ2DST/fCuL/gUMCwhJM=; b=iNDsH2hH8xca2FHfOmxm1Wj8pl/L//mu5935OCNt6+42biuJPN4U0EKCkSRqOc4u/P iQmqH4mp/RJfuZL7rq+0ea7U5djJPVGAh//DIGt771L5xzgGJXgHRQTbtTv2A/iSHSpS F7ylO71AsJdDgXOY+tborTZq/rasdvd2JUE72ZCmlhdREUY2USFHw7c00g0S1qmn2CBp CvoqARJ/kIlJnNnrUR5rlvu65E7Vg4TZVA1RcdzbojBLe5oGzdHDG5rw4jWi3sSfOsCx jcsE5IB7prJFkh/mcxwzrBDcj9W5U69xSY2J6gPv4BipmZcdeB4AZpr4PIXMQXLiepCB vfzw== X-Gm-Message-State: ANoB5pna+BDESFOfdVpBBzVl3ZuTzq4wHkCangJbT/JcirnroxL7F+cg Qwfq6wS0NpFxHFi9B+cd0007rflJcCSrctj5tvQ3KSGL X-Google-Smtp-Source: AA0mqf6x0hc4TEG7yU1CQt0T4DC+9YaKsZoQSvJgSzYDsgtqQY5bUk87AH8Z1oGtXtUClcL017NpEivXhcTbK91W7Co= X-Received: by 2002:a63:e547:0:b0:473:e2bb:7fc7 with SMTP id z7-20020a63e547000000b00473e2bb7fc7mr68239349pgj.40.1670875017084; Mon, 12 Dec 2022 11:56:57 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 References: In-Reply-To: From: Ed Maste Date: Mon, 12 Dec 2022 14:56:45 -0500 Message-ID: Subject: Clarification on FreeBSD-SA-22:15.ping / CVE-2022-23093 ping(8) stack overflow To: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [-3.01 / 15.00]; NEURAL_HAM_LONG(-1.00)[-0.999]; NEURAL_HAM_SHORT(-0.96)[-0.965]; NEURAL_HAM_MEDIUM(-0.95)[-0.948]; FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c]; RWL_MAILSPIKE_GOOD(-0.10)[209.85.210.170:from]; MIME_GOOD(-0.10)[text/plain]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[freebsd.org]; R_DKIM_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; RCVD_IN_DNSWL_NONE(0.00)[209.85.210.170:from]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com]; ARC_NA(0.00)[]; RCVD_TLS_LAST(0.00)[]; FROM_HAS_DN(0.00)[]; FREEFALL_USER(0.00)[carpeddiem]; RCVD_COUNT_TWO(0.00)[2]; MIME_TRACE(0.00)[0:+]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; TO_DOM_EQ_FROM_DOM(0.00)[] X-Rspamd-Queue-Id: 4NWC7t71wSz43qN X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N We've seen many blog posts and news articles about this issue and unfortunately most of them get the details wrong. So, to clarify: - This issue affects only /sbin/ping, not kernel ICMP handling. - The issue relies on receipt of malicious packet(s) while the ping utility is running (i.e., while pinging a host). - ping(8) is setuid root, but drops privilege (to that of the user executing it) after opening sockets but before sending or receiving data. - ping(8) runs in a Capsicum capability sandbox, such that even in the event of a compromise the attacker is quite limited (has no access to global namespaces, such as the filesystem). - It is believed that exploitation is not possible due to the stack layout on affected platforms. From nobody Tue Dec 13 08:35:36 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NWWzP5pJKz4kX4w for ; Tue, 13 Dec 2022 08:35:45 +0000 (UTC) (envelope-from ted@io-tx.com) Received: from io-tx.com (io-tx.com [205.166.246.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "*.io-tx.com", Issuer "AlphaSSL CA - SHA256 - G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NWWzP3HFJz4RxJ; Tue, 13 Dec 2022 08:35:45 +0000 (UTC) (envelope-from ted@io-tx.com) Authentication-Results: mx1.freebsd.org; none Received: from io-tx.com (io-tx.com [205.166.246.111]) (authenticated bits=0) by io-tx.com (8.17.1/8.16.1) with ESMTPSA id 2BD8Za8k099511 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Tue, 13 Dec 2022 02:35:36 -0600 (CST) (envelope-from ted@io-tx.com) Date: Tue, 13 Dec 2022 02:35:36 -0600 (CST) From: Ted Hatfield To: Ed Maste cc: freebsd-security@freebsd.org Subject: Re: Clarification on FreeBSD-SA-22:15.ping / CVE-2022-23093 ping(8) stack overflow In-Reply-To: Message-ID: <3fe5bf2-768-fe18-e8c7-a4135c37a87c@io-tx.com> References: List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed X-Spam-Status: No, score=-0.9 required=5.0 tests=ALL_TRUSTED,AWL, KAM_DMARC_STATUS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on io-tx.com X-Rspamd-Queue-Id: 4NWWzP3HFJz4RxJ X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:55103, ipnet:205.166.246.0/24, country:US] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N On Mon, 12 Dec 2022, Ed Maste wrote: > We've seen many blog posts and news articles about this issue and > unfortunately most of them get the details wrong. So, to clarify: > > - This issue affects only /sbin/ping, not kernel ICMP handling. > - The issue relies on receipt of malicious packet(s) while the ping > utility is running (i.e., while pinging a host). > - ping(8) is setuid root, but drops privilege (to that of the user > executing it) after opening sockets but before sending or receiving > data. > - ping(8) runs in a Capsicum capability sandbox, such that even in the > event of a compromise the attacker is quite limited (has no access to > global namespaces, such as the filesystem). > - It is believed that exploitation is not possible due to the stack > layout on affected platforms. > > Thanks for the detailed summation. Ted From nobody Thu Dec 29 01:23:03 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Nj9cp4RRjz2knQk for ; Thu, 29 Dec 2022 01:23:06 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-vk1-xa43.google.com (mail-vk1-xa43.google.com [IPv6:2607:f8b0:4864:20::a43]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Nj9cn5ftPz3tTc for ; Thu, 29 Dec 2022 01:23:05 +0000 (UTC) (envelope-from grarpamp@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=cPh8puBZ; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::a43 as permitted sender) smtp.mailfrom=grarpamp@gmail.com; dmarc=pass (policy=none) header.from=gmail.com Received: by mail-vk1-xa43.google.com with SMTP id j5so8192950vkp.10 for ; Wed, 28 Dec 2022 17:23:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=CV9nENH3cbZJ6iGvNC5lSTOT89mFbtrCdBUG+GzKtlY=; b=cPh8puBZ24EmtVakCjZORhUBkPvB3QZDiUnfNnYMMug3NzWsOfHZ0Q4fRi2btLJaYc Gzls/0yAdHQERC9CKEmj9ePMaVXkhxzuSSzJmDE9HDiRIKaTed5EAoaDshcyft/DAxf2 XduwWfaJig5YVbR/tqKBvHcYJTi3DmgmO02qtYNCGIpArFxU4Bu/xWz4v/V1U+0WzqFN XzU55+wKrMFLoYrDWfx8im2cYRiX8+XblAgWC7OXO2xGgrvi8qCm11l1fNomTOqhkkCU 2BeYK8VgxzlMy6GkT9VbSDmNDfPiVu6o8XuGgtjFBiSgYIipw8ebLkVuAA6SaLA4djSN vYDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=CV9nENH3cbZJ6iGvNC5lSTOT89mFbtrCdBUG+GzKtlY=; b=EGhAcYebUB0hNWjUCR7Eti51/3QhG8BO/V1+rHtYPwx4LdAvmds+W+JNWAXtME5qyn Kn3a2Wz74QOAMPWb+w5Xia6HTSZ6AD5+Jans3bEM40vlu6TyelHvRdmumKguZyANbB04 DxDCzBteHEkeaET1ZAR40OBDLJ9kOfz4ZaZWVOEZMGXz/SJ9kPmpMuZ28XJYURIpG+vn XQZtvtj7Ee+Fb46xKe7G1o6Yc+q+8BpQdxKkwngXHKrQ8ZJq6ytLBdg/iOL18yFG1j1t +Nli6EkYuBnaSeBZKoSye3miYoVKuchhf+8j+Htl+0ZqcxAO2whNS9eo5dTwLsyKuHdP Nn5Q== X-Gm-Message-State: AFqh2krb9Ijc5jZCg2wcflXGlbKHvis2n/PX6EyZOLQJmu9uA8UIePh8 MSbRpQsoTnIcFui0BeEcEt/6OS9Z2W6hjTWjnEwhYX5X2ViDA2mPkUL3qQ== X-Google-Smtp-Source: AMrXdXsPpp7Y+fnZe22ow1FEgLZhPSkB2EylUUnm0S908/etKZl5Pj4YpdMByChjxMXDczspv2epvYbnM0sfAzq7XzQ= X-Received: by 2002:ac5:c94e:0:b0:3d5:7054:8ac4 with SMTP id s14-20020ac5c94e000000b003d570548ac4mr842537vkm.37.1672276984490; Wed, 28 Dec 2022 17:23:04 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a05:612c:1190:b0:374:fe0f:8b62 with HTTP; Wed, 28 Dec 2022 17:23:03 -0800 (PST) From: grarpamp Date: Wed, 28 Dec 2022 20:23:03 -0500 Message-ID: Subject: 12.4R Image Sigs Missing To: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [-3.85 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.93)[-0.935]; NEURAL_HAM_MEDIUM(-0.92)[-0.918]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; MIME_GOOD(-0.10)[text/plain]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::a43:from]; ARC_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; FREEMAIL_ENVFROM(0.00)[gmail.com]; DKIM_TRACE(0.00)[gmail.com:+]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-Rspamd-Queue-Id: 4Nj9cn5ftPz3tTc X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N https://www.freebsd.org/releases/12.4R/announce/ " PGP-signed checksums for the release images are also available at: https://www.FreeBSD.org/releases/12.4R/signatures/ A PGP-signed version of this announcement is available at: https://www.FreeBSD.org/releases/12.4R/announce.asc " However the image sigs were forgotten to be put in 1st link above, or are not in the release checklist for people to follow, or were deemed redundant but theiir link blurb was not dropped from announce.asc, etc... From nobody Thu Dec 29 07:34:29 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NjKsW2w0gz2cJgC for ; Thu, 29 Dec 2022 07:34:39 +0000 (UTC) (envelope-from herbert@gojira.at) Received: from mail.bsd4all.net (mail.bsd4all.net [IPv6:2a01:4f8:13b:240c::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail.bsd4all.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NjKsS5SNcz4XmV for ; Thu, 29 Dec 2022 07:34:36 +0000 (UTC) (envelope-from herbert@gojira.at) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gojira.at header.s=mail202005 header.b=yPL+U2gu; spf=pass (mx1.freebsd.org: domain of herbert@gojira.at designates 2a01:4f8:13b:240c::25 as permitted sender) smtp.mailfrom=herbert@gojira.at; dmarc=none Date: Thu, 29 Dec 2022 08:34:29 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gojira.at; s=mail202005; t=1672299269; bh=KuPn3eJJSO/mj5OlzEhVHtealym9rKWGnOPhuBuKqOE=; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type; b=yPL+U2guX0LthoYiItcdKxil79iHhrIJzXJjOaFx2bSTbe/yEflwNfIQejdvPtiTD QdRiBD+ic+g7W5csS0mXAIQh0zSkfxhqfX1oPaoRkZk34FcnhZ3A82deJqkTu9K36c 8PrGQ2tzImjd7TjkG/kPEqyDT7VTFdsuYdmcQ83NYvFEesfFbJwNuAXeuqI1JMQ5+k CxbVS5vhD+t1vhL/Z3pPUoTxhDwo9rKeR71FXGeSpnZ1kRRWjx02ezuo8EhYjJU2ZW j+maJj3qui26Eq2He87bz7A7XJBHZjPxkK8IfmwzNoi8B024Bu7GW67EVDUBS4BHCF nWBqtSBN6l9ug== From: "Herbert J. Skuhra" To: freebsd-security@freebsd.org Subject: Re: 12.4R Image Sigs Missing Message-ID: References: List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spamd-Result: default: False [-3.48 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.98)[-0.981]; R_SPF_ALLOW(-0.20)[+ip6:2a01:4f8:13b:240c::25]; R_DKIM_ALLOW(-0.20)[gojira.at:s=mail202005]; MIME_GOOD(-0.10)[text/plain]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; DKIM_TRACE(0.00)[gojira.at:+]; ARC_NA(0.00)[]; DMARC_NA(0.00)[gojira.at]; MIME_TRACE(0.00)[0:+]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; ASN(0.00)[asn:24940, ipnet:2a01:4f8::/32, country:DE] X-Rspamd-Queue-Id: 4NjKsS5SNcz4XmV X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N On Wed, Dec 28, 2022 at 08:23:03PM -0500, grarpamp wrote: > https://www.freebsd.org/releases/12.4R/announce/ > " > PGP-signed checksums for the release images are also available at: > https://www.FreeBSD.org/releases/12.4R/signatures/ > > A PGP-signed version of this announcement is available at: > https://www.FreeBSD.org/releases/12.4R/announce.asc > " > > However the image sigs were forgotten to be put in 1st link above, > or are not in the release checklist for people to follow, or were deemed > redundant but theiir link blurb was not dropped from announce.asc, etc... The links were not updated for 12.4-RELEASE (Last modified on: November 11, 2022): https://www.freebsd.org/releases/12.4R/checksums/CHECKSUM.SHA512-FreeBSD-12.4-RC2-amd64.asc ^^^ The below URL works: https://www.freebsd.org/releases/12.4R/checksums/CHECKSUM.SHA512-FreeBSD-12.4-RELEASE-amd64.asc -- Herbert From nobody Thu Dec 29 07:57:25 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NjLMx6ZbVz2kXcx for ; Thu, 29 Dec 2022 07:57:33 +0000 (UTC) (envelope-from herbert@gojira.at) Received: from mail.bsd4all.net (mail.bsd4all.net [94.130.200.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail.bsd4all.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NjLMw4BLkz4bCR; Thu, 29 Dec 2022 07:57:32 +0000 (UTC) (envelope-from herbert@gojira.at) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gojira.at header.s=mail202005 header.b=wFAfoJ1I; spf=pass (mx1.freebsd.org: domain of herbert@gojira.at designates 94.130.200.20 as permitted sender) smtp.mailfrom=herbert@gojira.at; dmarc=none Date: Thu, 29 Dec 2022 08:57:25 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gojira.at; s=mail202005; t=1672300645; bh=nGeOkJbjVgYroHtpUK+nBXgjjrVZKWjM4zpL4LKZ+EU=; h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type; b=wFAfoJ1I9EFHcGWEck/B7sJTxoCc5DszTSPp5CBT/yrPY9hyS6O8S2yrjo14aKRAc rVJ0ozFdik5WhoiqjLr5Oj8D7ElOK8MTKkXRtCDJuRELIGJSNBMEkIIOYjXY+OCB0l ZvRNLwyaff3bgxeGdLIyb3L8PmvKiSi0Q+qoF67VjRn/CHhmZDye5WezUlk+rXu0b3 F7TNKmV5VfCMVVB74sV7qvx5jhIe1ywvTh9favyU1zvGVMiw8N0bC8mi/NquCnCu3F Ycx9gpWCesF5zDMnX88ezTHB2Dkt3/4WQhqyYHXHFfUf9BE1rx0qoNxgdbjmJhXkfc xutNo595h2LmQ== From: "Herbert J. Skuhra" To: freebsd-security@freebsd.org Cc: gjb@freebsd.org Subject: Re: 12.4R Image Sigs Missing Message-ID: References: List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spamd-Result: default: False [-3.47 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.97)[-0.971]; R_SPF_ALLOW(-0.20)[+ip4:94.130.200.20]; R_DKIM_ALLOW(-0.20)[gojira.at:s=mail202005]; MIME_GOOD(-0.10)[text/plain]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; ARC_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; RCVD_COUNT_ZERO(0.00)[0]; RCPT_COUNT_TWO(0.00)[2]; DMARC_NA(0.00)[gojira.at]; MIME_TRACE(0.00)[0:+]; FROM_HAS_DN(0.00)[]; DKIM_TRACE(0.00)[gojira.at:+]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; ASN(0.00)[asn:24940, ipnet:94.130.0.0/16, country:DE] X-Rspamd-Queue-Id: 4NjLMw4BLkz4bCR X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N On Thu, Dec 29, 2022 at 08:34:29AM +0100, Herbert J. Skuhra wrote: > On Wed, Dec 28, 2022 at 08:23:03PM -0500, grarpamp wrote: > > https://www.freebsd.org/releases/12.4R/announce/ > > " > > PGP-signed checksums for the release images are also available at: > > https://www.FreeBSD.org/releases/12.4R/signatures/ > > > > A PGP-signed version of this announcement is available at: > > https://www.FreeBSD.org/releases/12.4R/announce.asc > > " > > > > However the image sigs were forgotten to be put in 1st link above, > > or are not in the release checklist for people to follow, or were deemed > > redundant but theiir link blurb was not dropped from announce.asc, etc... > > The links were not updated for 12.4-RELEASE (Last modified on: November > 11, 2022): > > https://www.freebsd.org/releases/12.4R/checksums/CHECKSUM.SHA512-FreeBSD-12.4-RC2-amd64.asc > ^^^ > The below URL works: > > https://www.freebsd.org/releases/12.4R/checksums/CHECKSUM.SHA512-FreeBSD-12.4-RELEASE-amd64.asc I guess the following file was missed: diff --git a/website/content/en/releases/12.4R/signatures.adoc b/website/content/en/releases/12.4R/signatures.adoc index 0af5ca044c..d769d37a92 100644 --- a/website/content/en/releases/12.4R/signatures.adoc +++ b/website/content/en/releases/12.4R/signatures.adoc @@ -4,11 +4,11 @@ sidenav: download --- :localRel: 12.4 -:localBranchName: RC2 +:localBranchName: RELEASE :localBranchStable: stable/12 :localBranchReleng: releng/12.4 -:localRelSha256: ../checksums/CHECKSUM.SHA256-FreeBSD-12.4-RC2 -:localRelSha512: ../checksums/CHECKSUM.SHA512-FreeBSD-12.4-RC2 +:localRelSha256: ../checksums/CHECKSUM.SHA256-FreeBSD-12.4-RELEASE +:localRelSha512: ../checksums/CHECKSUM.SHA512-FreeBSD-12.4-RELEASE = FreeBSD {localRel} Release Checksum Signatures -- Herbert From nobody Thu Jan 5 02:59:32 2023 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NnWQv6qd2z2p106; Thu, 5 Jan 2023 02:59:35 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-ua1-x92b.google.com (mail-ua1-x92b.google.com [IPv6:2607:f8b0:4864:20::92b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NnWQt330qz43L9; Thu, 5 Jan 2023 02:59:34 +0000 (UTC) (envelope-from grarpamp@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=Azg6RHQj; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::92b as permitted sender) smtp.mailfrom=grarpamp@gmail.com; dmarc=pass (policy=none) header.from=gmail.com Received: by mail-ua1-x92b.google.com with SMTP id j14so765039ual.10; Wed, 04 Jan 2023 18:59:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+huZeC8RyRLKcJCpfVjxpNuaohqbt541afXmnOzISR0=; b=Azg6RHQj5ENGlZ0iT31eWZeVdwG+hGSX1b8dJNvzpYs7PeW+mVj3rYvQr/BYggOoZV 0xvStndv9YPj/Wjt6fjV+K59SjhCNIfIBovPYDuW4RpksDzezqkfzvXLYRB5jIpcrE4a xlzH36vsnISQuxsx3LHDkX3oIIQgwiK+LhGicFquVSid//ahmit4asWAZOfzEM+7RR6S QJzmoKiXHQiyNSET4CwjKu/s6tB4c++/3Ws7saX92j1oXn3I/zQoUVsOdb7xkE8WWUaT upRbLc7s7jDlis7pf3RCRSbl6Zh+LfMjG8V8LxVDn3Oo29pKCB9xFiY7pDEU3O0HC7TH a2iA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+huZeC8RyRLKcJCpfVjxpNuaohqbt541afXmnOzISR0=; b=v5P1GD9INZWVmUox0AJ8Ft96ppjfkw0cOkFVctbPj50kbhJh1bqwXbLXl4peZTmiT+ aUvbl0/tn73NqrxbZlI90PaGJ+2YRoiwDBKbR+AdxX5cmOzOFDzzuyuypLC8w74RxXM8 g3Sm2dUmn0Mbby66HXo6jnWXkEiIgs9EqCDpBxYDlxfunCrwRWna7Dmyj3KX5yW6F/xm OawIxAcGBG9ZZHlH+dK9nvxsgfePE59L7R+LwZ48ZxzNc3mrWbXvFUOy+sxSYhs+txQN Sa7lw7uzExKE725pgGKCQBvwsw4DmTaOihNKgJYmErdEnOLDNRP1w6djIZvvKy5Ge8Aj z2Yg== X-Gm-Message-State: AFqh2krYzhBl956Fyxef0Tn2B7Pit42QpexhpPD7SApsfe/O1qBwLX/A B5etFSWD+kE4yxdG8RPzrOw+1m1QVm3o+AQq3h5zhFk7DRnZB3uwSbs= X-Google-Smtp-Source: AMrXdXu8xTH9L7XvFaPeosmvllbjL4V83zxoBfdJZuehNXm1ZQ0GZiRIREMTCvzZdziNvHbcEZRo9navaKDYe79x/h4= X-Received: by 2002:ab0:6544:0:b0:553:bde4:42f5 with SMTP id x4-20020ab06544000000b00553bde442f5mr1837345uap.67.1672887572959; Wed, 04 Jan 2023 18:59:32 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a05:612c:1190:b0:374:fe0f:8b62 with HTTP; Wed, 4 Jan 2023 18:59:32 -0800 (PST) In-Reply-To: References: From: grarpamp Date: Wed, 4 Jan 2023 21:59:32 -0500 Message-ID: Subject: Re: cant login after make installworld: pam_opie.so.6 not found To: freebsd-current@freebsd.org Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [-2.39 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.98)[-0.976]; NEURAL_SPAM_MEDIUM(0.59)[0.588]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; MIME_GOOD(-0.10)[text/plain]; MLMMJ_DEST(0.00)[freebsd-current@freebsd.org,freebsd-security@freebsd.org]; ARC_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::92b:from]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_NONE(0.00)[]; RCVD_TLS_LAST(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-Rspamd-Queue-Id: 4NnWQt330qz43L9 X-Spamd-Bar: -- X-ThisMailContainsUnwantedMimeParts: N >> looks like the "make delete-old-libs" has deleted that lib pam_opie.so.6 >> and now I cannot pass the login prompt >> says the error "pam_opie.so: not found >> how can I get it back? I tried everything and nothing brought it back > commit 0aa2700123e22c2b0a977375e087dc2759b8e980 > Differential Revision: https://reviews.freebsd.org/D36592 This appeared as perhaps an arbitrary deletion change for some unknown non-discussed reason. Someone else posted the problems, user features, and alternatives that would preserve and update use of OPIE options for FreeBSD users, but again, no one discussed. So now users are getting locked out and have one less security option available to them in FreeBSD. https://lists.freebsd.org/archives/freebsd-security/2022-September/ https://lists.freebsd.org/archives/freebsd-security/2022-October/ There is still good opportunity therein to restore some implementation of it for FreeBSD. Welcome to 2023 :) From nobody Fri Jan 6 03:49:40 2023 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Np8VH4LqHz2pPWt for ; Fri, 6 Jan 2023 03:49:43 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-vs1-xe2d.google.com (mail-vs1-xe2d.google.com [IPv6:2607:f8b0:4864:20::e2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Np8VG6mkCz4HyQ for ; Fri, 6 Jan 2023 03:49:42 +0000 (UTC) (envelope-from grarpamp@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=K++kXLlf; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::e2d as permitted sender) smtp.mailfrom=grarpamp@gmail.com; dmarc=pass (policy=none) header.from=gmail.com Received: by mail-vs1-xe2d.google.com with SMTP id s127so413014vsb.5 for ; Thu, 05 Jan 2023 19:49:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=i1EpVsONavu6cMlcPhJsrBT0V7CIsc3rXZercKZOSRk=; b=K++kXLlfJY6FKD1uX2U+IwUBtV0KH3ZGoCGQWWscap+VBMdwJ22KGbEBCpidG1HxLC lp2VsF5vLqhcIfyK4qdXFMwOiogHTMqovM1xwNfFp75VW+2aQ+VVZlROSkK+KrtCLNk/ KFNBpsYN67PZ3lXfWbfDhMlgUh+vQcfLzse7QiiZRO2PHhQ4HPfDxg4gdfGyMZ1kA9wG 9vCWYPi/Pi31ZT4NlHk5eOi3+oFHkL2zizHFH+DhPri6899HxRTRnWWPXyCZi2KOGDMD APJ5INtKNIUTveb6FgkM9qszcUed38M2sSuqxSr+t4z7qTz6vqZtCe0hBiLX9kfFNs1e kF0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=i1EpVsONavu6cMlcPhJsrBT0V7CIsc3rXZercKZOSRk=; b=dnJ1fXRy8/EacopmzZDovH0Ss7b0zI38sWkcVgyztL4zymFYIJXOFLrMKfGmukhKGU AONlnp7UUYayhql9veQ0BiuBpnZbkngQk6Ozf15oZSfGdHSYfTRNpvxVKL2E+9Tb64ZP lFXhkEvanj/Gy0F+ETrxiWSu2oqEfB6rdONs5CmVww960vTaFQoshPa+sfRWr0VQJWpJ kCOisNBgVx13COWde0+W0zPrMvNCDXWCl8t11QVuVF14dNbc9pxdh2wsSMVjedTk2gyT Ed2da+FQ67f8966wOwLqQrKrM2WNq3A6ySjRnX66MJjQ3GPyQHCogbbEyJnlMPdW1kna aKWQ== X-Gm-Message-State: AFqh2kqs6FQ7RmfWkrMPHHs3xwvy/pHwkz0zCgcqV46SazV2DlGJTx+S vCp1Ro2VEwuWHu970SHb/wE4MYPPOgwu47pMw/qp/cs6SlWGlTl7oT0= X-Google-Smtp-Source: AMrXdXvWbveg6rX1UtTXAiA3ofPS10oI616VNxNFRCrRjaAdNswfbVll4/44i1zQmaWxxRUuI4E8lp4lPu+8++26d78= X-Received: by 2002:a67:fb5a:0:b0:3c7:9cb5:5980 with SMTP id e26-20020a67fb5a000000b003c79cb55980mr4654527vsr.44.1672976981411; Thu, 05 Jan 2023 19:49:41 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a05:612c:1190:b0:374:fe0f:8b62 with HTTP; Thu, 5 Jan 2023 19:49:40 -0800 (PST) In-Reply-To: <6373b14e-5fbc-7b09-e385-c7286ac9d3d8@freebsd.org> References: <6373b14e-5fbc-7b09-e385-c7286ac9d3d8@freebsd.org> From: grarpamp Date: Thu, 5 Jan 2023 22:49:40 -0500 Message-ID: Subject: Re: Putting OPIE to rest (was: Re: cant login after make installworld: pam_opie.so.6 not found) To: freebsd-current@freebsd.org Cc: freebsd-ports@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [-3.99 / 15.00]; NEURAL_HAM_LONG(-1.00)[-0.999]; NEURAL_HAM_MEDIUM(-1.00)[-0.998]; NEURAL_HAM_SHORT(-1.00)[-0.995]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; MIME_GOOD(-0.10)[text/plain]; FROM_EQ_ENVFROM(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; ARC_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::e2d:from]; DKIM_TRACE(0.00)[gmail.com:+]; RCVD_TLS_LAST(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; TO_DN_NONE(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-Rspamd-Queue-Id: 4Np8VG6mkCz4HyQ X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N On 1/5/23, Graham Perrin wrote: > I recall the original email Orthagonal as it, and some notes since neither consider any potential gap issue or/of any perhaps whimful removal process, nor moves forward on any of potential better alternatives to that which were hint (port) a bit in posts even before the removal was taken. Opie is not some hi-maint lo-api-compat legacy driver holding back kernel dev, it's a tiny stable user app plugin that just works for decades. Now users are posting locked out, punted to deploy non-replacements, and can't even compile it back because code gone from trees in use. There was hardly reason to remove it (lots of other things could be considered "outlived usefulness" but don't get removed), and even if so (as perhaps part of say some larger discuss on pam), there was zero reason for the removal team not to portify it given FreeBSD has already set good example of moving even large/complex user apps from base to ports. That should have, and still should be done, with opie. Consider on that process for future, rather than whatever is thought of some app. Cheers. Cc: ports, as the lo-maint hi-api-compat opie could also be used to +1 their competitive 35k count :) See also compat{M}x-{arch} packages. > https://lists.freebsd.org/archives/freebsd-current/2022-September/002565.html > https://lists.freebsd.org/archives/freebsd-hackers/2022-September/001479.html > https://lists.freebsd.org/archives/freebsd-security/2022-September/000081.html From nobody Fri Jan 6 06:57:45 2023 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NpDgQ3xMCz2r4tZ; Fri, 6 Jan 2023 06:57:54 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from anubis.delphij.net (anubis.delphij.net [64.62.153.212]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "anubis.delphij.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NpDgP21xcz3KxD; Fri, 6 Jan 2023 06:57:53 +0000 (UTC) (envelope-from delphij@delphij.net) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=delphij.net header.s=m7e2 header.b=esl2CHK9; spf=pass (mx1.freebsd.org: domain of delphij@delphij.net designates 64.62.153.212 as permitted sender) smtp.mailfrom=delphij@delphij.net; dmarc=pass (policy=reject) header.from=delphij.net Received: from odin.corp.delphij.net (c-141-193-140-184.rev.sailinternet.net [141.193.140.184]) by anubis.delphij.net (Postfix) with ESMTPSA id AC38F3B41A; Thu, 5 Jan 2023 22:57:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=m7e2; t=1672988265; x=1673002665; bh=L9D4PF4c8ykSXWDxi56gFia95kyFNk+j+g5eAbPHAMI=; h=Date:Reply-To:To:Cc:References:From:Subject:In-Reply-To; b=esl2CHK9Zg3UJnl9qrDjaaX3MZmP65Dd2ElrkYnZI2Pr/lAdSi2O/c+tOyJhw2qCu dPwu24meMdqT7rRZSbsYC0Ap9bayTwk8mM6W6OquLm/27tTBl3+WuydMM4RTI5wALB iYb77sJXLqIqKS5JOJLNeU5zbss86QMa2N9qNJdQ2TDMIgx/CenXiivJxRHkRnIl9J 9AThPbd5l7lhhm2ysBjNezfw8uXVsrudoBdFz4MUEX79dkMmaBWND0sbwhP+0wSxnd iSkmEF9bOXi2dTPVKsfwxCJQnkca52jW0ArWktYMiMT+sFvIx6rYKUTKlSgf3Px5Nh b34og+a3kkVMw== Message-ID: <44346488-85be-825c-4a42-1de3f701c3f4@delphij.net> Date: Thu, 5 Jan 2023 22:57:45 -0800 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 User-Agent: Thunderbird Reply-To: d@delphij.net To: grarpamp , freebsd-current@freebsd.org Cc: freebsd-security@freebsd.org References: Content-Language: en-US From: Xin Li Subject: Re: cant login after make installworld: pam_opie.so.6 not found In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Result: default: False [-3.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.999]; DMARC_POLICY_ALLOW(-0.50)[delphij.net,reject]; R_SPF_ALLOW(-0.20)[+mx]; R_DKIM_ALLOW(-0.20)[delphij.net:s=m7e2]; MIME_GOOD(-0.10)[text/plain]; XM_UA_NO_VERSION(0.01)[]; FROM_HAS_DN(0.00)[]; FREEFALL_USER(0.00)[delphij]; RCPT_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; REPLYTO_DOM_EQ_FROM_DOM(0.00)[]; MLMMJ_DEST(0.00)[freebsd-current@freebsd.org,freebsd-security@freebsd.org]; HAS_REPLYTO(0.00)[d@delphij.net]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[delphij.net:+]; TO_DN_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; FREEMAIL_TO(0.00)[gmail.com,freebsd.org]; MIME_TRACE(0.00)[0:+]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:6939, ipnet:64.62.128.0/18, country:US]; RCVD_TLS_ALL(0.00)[] X-Rspamd-Queue-Id: 4NpDgP21xcz3KxD X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N On 2023-01-04 6:59 PM, grarpamp wrote: >>> looks like the "make delete-old-libs" has deleted that lib pam_opie.so.6 >>> and now I cannot pass the login prompt >>> says the error "pam_opie.so: not found > >>> how can I get it back? I tried everything and nothing brought it back > >> commit 0aa2700123e22c2b0a977375e087dc2759b8e980 >> Differential Revision: https://reviews.freebsd.org/D36592 > > This appeared as perhaps an arbitrary deletion change for some > unknown non-discussed reason. Someone else posted the problems, > user features, and alternatives that would preserve and update use of > OPIE options for FreeBSD users, but again, no one discussed. Security team has discussed this a decade ago. See https://www.miknet.net/security/skey-dungeon-attack/ for technical details. And this could have been avoided if user have followed source upgrade instructions by performing mergemaster or etcupdate *before* make delete-old{-libs}, which is well documented in /usr/src/UPDATING and I quote it here: To upgrade in-place from stable to current ---------------------------------------------- make buildworld [9] make buildkernel KERNCONF=YOUR_KERNEL_HERE [8] make installkernel KERNCONF=YOUR_KERNEL_HERE [1] [3] etcupdate -p [5] make installworld etcupdate -B [4] make delete-old [6] The order here is very important. Cheers, From nobody Fri Jan 6 10:36:02 2023 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NpKW93FWpz2pKqZ; Fri, 6 Jan 2023 10:36:05 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NpKW841L1z45NQ; Fri, 6 Jan 2023 10:36:04 +0000 (UTC) (envelope-from grarpamp@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=fzERyNDB; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::e2a as permitted sender) smtp.mailfrom=grarpamp@gmail.com; dmarc=pass (policy=none) header.from=gmail.com Received: by mail-vs1-xe2a.google.com with SMTP id 3so1065509vsq.7; Fri, 06 Jan 2023 02:36:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qgM5CNO2fp3bcmZD9soYiAaVuYStM98JbVZUP2mvwSA=; b=fzERyNDBxnLTlnc5hOYoZIOAs7wa2ggQXkXVzDLeN++X/S10RDhyOHjYL2PIs/yN5i UvwxtGAnlLMdWVBqPaiLDUlNWkSWXZoUe3EnQtmMcPlsv9hg+hNLp119Gh6maWLAmbQa trVDjve24dvjW+iBh2f8WSIugrvMDaVGzt7T2IFWQ3ST9ufFGOeaMevJBIugR5ls1Mv0 uFzIV1EzlkCcfFfSPpFDRej/NWepCvcZ899g5RBLy3bj2zvLg8gzrw4ADuZJ0MpFOfyZ /y1hDpuabc0Fs84l7gTL8gUvrXfm/Zy3TTrilT9RxOy+c+RK7gNaBFTJI8ClZxhsusRj 5B2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qgM5CNO2fp3bcmZD9soYiAaVuYStM98JbVZUP2mvwSA=; b=KpwY6Jao9LcgOYBxprCbMmB7a6V2u/v25Ed3QCr8Wp1hgHENZTlsBHl84I4uvlCz+A U/t4nxGnfpOUzQ7T0m0YTPC0B02PXrjeCNIfGdJHmtEoMZp6g+BNHR9CB+PWWs/lAzSO cnohBhuWuyGjTezyrXfVXTpcknoaSdArTNVhF/UkC0xwZXMkBkVsfvgR8aRpUbKIHwNK A9TV82zoXiiVrgXOqk7zXJsx8Ye8uGbo3OpQjcr+4igIbXHi0jRYgTALWDq3wcDEI6ct 4Nue7wT234mE04RgMmqPQ4GsLBpLtekj/oxEbAEtoUytXW+i9S0tBiC3P4pyWCkbBXIS PfqQ== X-Gm-Message-State: AFqh2kpuzbIItMPA0no/wpflopMusdjhdrTm6XvFm7Jichyz0LXSvNSF L1uJfU24dY2Wwd1ucR3LrERoMI6apnkS+jHEoAa1tSCC4pEbHISrxno= X-Google-Smtp-Source: AMrXdXsL8ojQxGty9QU+7vMpDpPbgtwdwDmF2x5x4kjz0WtBi60NUfMfoCvyLqM6QY7hPAIh0uZfuV92sa6xH0iWW6Q= X-Received: by 2002:a05:6102:2757:b0:3b3:5fe5:e22 with SMTP id p23-20020a056102275700b003b35fe50e22mr6211076vsu.55.1673001363360; Fri, 06 Jan 2023 02:36:03 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Received: by 2002:a05:612c:1190:b0:374:fe0f:8b62 with HTTP; Fri, 6 Jan 2023 02:36:02 -0800 (PST) In-Reply-To: <44346488-85be-825c-4a42-1de3f701c3f4@delphij.net> References: <44346488-85be-825c-4a42-1de3f701c3f4@delphij.net> From: grarpamp Date: Fri, 6 Jan 2023 05:36:02 -0500 Message-ID: Subject: Re: cant login after make installworld: pam_opie.so.6 not found To: freebsd-security@freebsd.org Cc: freebsd-current@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [-3.39 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-0.999]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; NEURAL_HAM_SHORT(-0.39)[-0.387]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MIME_GOOD(-0.10)[text/plain]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org,freebsd-current@freebsd.org]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; FREEMAIL_ENVFROM(0.00)[gmail.com]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::e2a:from]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_NONE(0.00)[]; RCVD_TLS_LAST(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-Rspamd-Queue-Id: 4NpKW841L1z45NQ X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N On 1/6/23, Xin Li wrote: > Security team has discussed this a decade ago. See > https://www.miknet.net/security/skey-dungeon-attack/ > for technical details. That would mean that FreeBSD knowingly left users exploitable without doing even the "easy fix" in that article to the opie code for over a decade. And further left opie vulnerable and present since the commit in all RELENG, STABLE, and handbook. And did not issue a SA on it since the commit, nor ever since the article. If attempting to claim security as reason to delete, then FreeBSD might appear to be faulty of this. Which would present good opportunity to consider any potential improvements to that process too. > And this could have been avoided if user have followed source upgrade Lockout avoided... yes maybe if users wanted to quit their opie forever at that moment, but if not, then opie code module hasn't yet been moved to ports for anyone to use and or update as they wish. The nature of port security in every unix OS is 3rd-party and un-dedicated, so that wouldn't be reason not to port such things either. Onward :)