From: Hubert Tournier
Date: Tue, 4 Apr 2023 12:31:25 +0200
Subject: Re: 45 vulnerable ports unreported in VuXML
To: FreeBSD-security@freebsd.org, Hubert Tournier

I'm OK to do the OSV tool.

Best regards,

On Tue, 4 Apr 2023 at 11:58, void <void@f-m.fm> wrote:
> On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
> >Hello,
> >
> >While working on pipinfo <https://github.com/HubTou/pipinfo>, an
> >alternative Python package management tool, I noticed that some Python
> >packages installed as FreeBSD ports were marked as vulnerable by the Python
> >Packaging Authority
> ><https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
> >but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
> >security database.
> >
> >So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
> >check the 4,000+ FreeBSD ports for Python packages and found 45 of them
> >vulnerable and unreported
> ><https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
> >
> >I started producing new VuXML entries
> ><https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
> >these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
> >
> >In order to verify if these vulnerable ports were also marked as
> >vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
> >carried away writing a whole utility, vuxml
> ><https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
> >general interest to some of you?
> >
> >Best regards,
> >
> >PS: this approach could be extended to Rust crates, Ruby gems and so on
> >with the vulnerabilities described in the OSV <https://osv.dev/>...
>
> +1 ^^^ really good idea
>
> Probably best to ask in freebsd-hackers@ as devs are likely to
> read this there
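An added example (not code from pysec2vuxml, vuxml or the FreeBSD project) of the cross-check the thread describes: it reads the `vulnerabilities` list of a PyPI JSON response and the `<affects>` ranges of a VuXML document, both constructed samples with placeholder identifiers, and lists advisories that still affect the installed version but have no VuXML entry for the port. It assumes a dotted-numeric version comparison rather than full PEP 440 or FreeBSD port versioning.

```python
# Added example, not pysec2vuxml's own code; all inputs are constructed samples.
import json
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/apps/vuxml-1}"  # VuXML namespace
# Constructed PyPI-style JSON (package at 1.2.0); withdrawn advisories must be skipped.
PYPI_JSON = json.dumps({"info": {"name": "examplepkg", "version": "1.2.0"},
    "vulnerabilities": [
        {"id": "PYSEC-0000-0001", "aliases": ["CVE-0000-00001"], "fixed_in": ["1.3.0"], "withdrawn": None},
        {"id": "PYSEC-0000-0002", "aliases": ["CVE-0000-00002"], "fixed_in": ["1.2.1"], "withdrawn": None},
        {"id": "PYSEC-0000-0003", "aliases": [], "fixed_in": ["1.2.1"], "withdrawn": "2023-01-01T00:00:00Z"}]})
# Constructed VuXML fragment that already covers only the first CVE.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="00000000-0000-0000-0000-000000000001"><topic>examplepkg -- placeholder</topic>
  <affects><package><name>py39-examplepkg</name><range><lt>1.3.0</lt></range></package></affects>
  <references><cvename>CVE-0000-00001</cvename></references></vuln></vuxml>"""

def vkey(v):
    """Simplified version key: dotted integers only, no PEP 440 suffixes."""
    return tuple(int(p) for p in v.split("."))

def pypi_open_vulns(doc, version):
    """Non-withdrawn PyPI advisories still affecting 'version', by CVE alias or id."""
    out = []
    for v in json.loads(doc)["vulnerabilities"]:
        if v.get("withdrawn"):
            continue
        fixed = [vkey(f) for f in v.get("fixed_in", [])]
        if not fixed or vkey(version) < max(fixed):  # conservative on multi-branch fixes
            out.append(v["aliases"][0] if v.get("aliases") else v["id"])
    return out

def vuxml_cves_for(xml_doc, port, version):
    """CVE names VuXML already reports for 'port' at 'version' (ge/lt bounds only)."""
    cves = set()
    for vuln in ET.fromstring(xml_doc).iter(NS + "vuln"):
        for pkg in vuln.iter(NS + "package"):
            if pkg.findtext(NS + "name") != port:
                continue
            for rng in pkg.iter(NS + "range"):
                lt, ge = rng.findtext(NS + "lt"), rng.findtext(NS + "ge")
                if (lt is None or vkey(version) < vkey(lt)) and \
                   (ge is None or vkey(version) >= vkey(ge)):
                    cves.update(c.text for c in vuln.iter(NS + "cvename"))
    return cves

def unreported(pypi_doc, xml_doc, port):  # open on PyPI, absent from VuXML
    version = json.loads(pypi_doc)["info"]["version"]
    return sorted(set(pypi_open_vulns(pypi_doc, version)) - vuxml_cves_for(xml_doc, port, version))
```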
From: infoomatic
Date: Wed, 19 Apr 2023 11:47:47 +0200
Subject: geli key derivation function
To: freebsd-security@FreeBSD.org

Hi,

After reading [1] I would like to approach the developers to improve
geli's KDF. Currently PKCS#5 is used (RFC 2898 from the year 2000); it
would be great if some developers agree that this could be improved and
hopefully they have time to implement this.

What is the best way to make this kind of feature request?

Regards,
Robert

[1] https://mjg59.dreamwidth.org/66429.html