From owner-freebsd-security@FreeBSD.ORG Sun Jun 7 13:18:58 2015
Date: Sun, 7 Jun 2015 09:18:57 -0400
Subject: Re: IPsec-Tools 0-Day Denial of Service
From: Jason Unovitch
To: "Daniel DP. Plominski"
Cc: freebsd-net@freebsd.org, freebsd-security@freebsd.org

On Sat, Jun 6, 2015 at 3:48 PM, Daniel DP. Plominski wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> https://www.altsci.com/ipsec/ipsec-tools-sa.html
>
> security/ipsec-tools build with gssapi: CRASHED
>
> (FreeBSD 10.1 + ipsec-tools 0.8.2_1)
>
> best regards
> Daniel
> -----BEGIN PGP SIGNATURE-----

See https://bugs.freebsd.org/200334. The issue was documented as being
fixed here https://svnweb.freebsd.org/ports?view=revision&revision=386793
and documented in VuXML here
http://www.vuxml.org/freebsd/35431f79-fe3e-11e4-ba63-000c292ee6b8.html.

It seems highly unlikely someone was waiting for you to install
ipsec-tools and start sending packets to cause a DoS. Are you sure
this isn't just a run time issue? Perhaps with the off by default
GSSAPI option? The correct avenue to report that would be via
https://bugs.freebsd.org/bugzilla/ vice the mailing list.

Jason

From owner-freebsd-security@FreeBSD.ORG Mon Jun 8 21:00:01 2015
Date: Mon, 8 Jun 2015 13:55:45 -0700
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
From: "Roger Marquis"
To: freebsd-security@freebsd.org
Cc: freebsd-ports@freebsd.org, des@freebsd.org

> On Fri, May 29, 2015 at 5:15 PM, Robert Simmons wrote:
> Crickets.....
>
> May I ask again:
>
> How do we find out who the members of the Ports Secteam are?
>
> How do we join the team?

Anyone?

>> On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery
>> wrote:
>>> I think the VUXML database needs to be simpler to contribute to. Only a
>>> handful of committers feel comfortable touching the file. We have also
>>> had the wrong pervasive mentality by committers and users that the vuxml
>>> database should only have an entry if there is a committed fix. This is
>>> totally wrong. These CVE are _already public_ in all of these cases.
>>> Users deserve to know that there is a known issue with a package they
>>> have installed. I can understand how the mentality grew to what it is
>>> with some people, but the fact that there is not an update doesn't
>>> change that the user's system is insecure and needs to be dealt with. If
>>> the tool can't reliably report issues then it is not worth trusting.
>>> TL;DR; the file needs to be simpler. I know there is an effort to use
>>> CPE but I'm not too familiar with where it is going.
>>>
>>> As for maintainers tracking upstream mailing lists, this is hard. I'm
>>> subscribed to a lot of lists and can't keep up with all of the traffic.
>>>
>>> The RedHat security team and reporting is very impressive. Don't forget
>>> that they are a funded company though. Perhaps the FreeBSD Foundation
>>> needs to fund a fulltime security officer that is devoted to both Ports
>>> and Src. Just the Ports piece is easily a fulltime job.
>>
>> It seems from this thread that we have a group of people who are
>> passionate enough about fixing this problem.
>>
>> How do we find out who the members of the Ports Secteam are? Once we
>> know that, I'd say that at least some of the people on this thread are
>> willing to join the Ports Secteam (myself included). How do we join
>> the team?
>>
>> Once the team has new and energized members, I would envision the team
>> then working through the problems that have been outlined in this
>> thread and putting together a plan for fixing them.

From owner-freebsd-security@FreeBSD.ORG Mon Jun 8 21:37:51 2015
Date: Mon, 8 Jun 2015 17:37:50 -0400
Subject: Ports Secteam
From: Robert Simmons
To: freebsd-security@freebsd.org

I'm sure that the reason these questions have not been answered is
simply because they may have gotten lost in the volume of traffic on
freebsd-ports. In the following thread, there are a number of folks
with enough passion to volunteer time to help with the Ports Secteam,
but we're having difficulty getting a few basic questions answered.
https://lists.freebsd.org/pipermail/freebsd-ports/2015-May/099268.html

Here are the basic questions:

Who are the members of the Ports Secteam?

How does one join the Ports Secteam?

From owner-freebsd-security@FreeBSD.ORG Mon Jun 8 23:31:23 2015
Date: Mon, 08 Jun 2015 16:31:22 -0700
From: Xin Li
Reply-To: d@delphij.net
Organization: The FreeBSD Project
To: Robert Simmons , freebsd-security@freebsd.org
Subject: Re: Ports Secteam

On 06/08/15 14:37, Robert Simmons wrote:
> I'm sure that the reason these questions have not been answered is
> simply because they may have gotten lost in the volume of traffic
> on freebsd-ports. In the following thread, there are a number of
> folks with enough passion to volunteer time to help with the Ports
> Secteam, but we're having difficulty getting a few basic questions
> answered.
> https://lists.freebsd.org/pipermail/freebsd-ports/2015-May/099268.html
>
> Here are the basic questions:
>
> Who are the members of the Ports Secteam?

Current members include the current security officers (who act as a
fallback when needed and a contact for liaison for sensitive and
embargoed information) and:

Eitan Adler (eadler@);
Jason Helfman (jgh@);
Martin Wilke (miwi@);
Eygene Ryabinkin (rea@);
Sofian Brabez (sbz@);
Simon L. B. Nielsen (simon@, clusteradm@ liaison);
Steve Wills (swills@);
Wesley Shields (wxs@);
Ryan Steinmetz (zi@);

> How does one join the Ports Secteam?

Per previous discussion with portmgr@, members are volunteers selected
by the Security Officer from active ports committers who have made
commits in the ports tree in the last 90 days.

Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die

From owner-freebsd-security@FreeBSD.ORG Mon Jun 8 23:59:47 2015
Date: Mon, 8 Jun 2015 19:59:46 -0400
Subject: Re: Ports Secteam
From: Robert Simmons
To: freebsd-security@freebsd.org

On Mon, Jun 8, 2015 at 7:31 PM, Xin Li wrote:
> On 06/08/15 14:37, Robert Simmons wrote:
>> I'm sure that the reason these questions have not been answered is
>> simply because they may have gotten lost in the volume of traffic
>> on freebsd-ports. In the following thread, there are a number of
>> folks with enough passion to volunteer time to help with the Ports
>> Secteam, but we're having difficulty getting a few basic questions
>> answered.
>> https://lists.freebsd.org/pipermail/freebsd-ports/2015-May/099268.html
>>
>> Here are the basic questions:
>>
>> Who are the members of the Ports Secteam?
>
> Current members include the current security officers (who act as a
> fallback when needed and a contact for liaison for sensitive and
> embargoed information) and:
>
> Eitan Adler (eadler@);
> Jason Helfman (jgh@);
> Martin Wilke (miwi@);
> Eygene Ryabinkin (rea@);
> Sofian Brabez (sbz@);
> Simon L. B. Nielsen (simon@, clusteradm@ liaison);
> Steve Wills (swills@);
> Wesley Shields (wxs@);
> Ryan Steinmetz (zi@);
>
>> How does one join the Ports Secteam?
>
> Per previous discussion with portmgr@, members are volunteers selected
> by the Security Officer from active ports committers who have made
> commits in the ports tree in the last 90 days.

Excellent. Thanks for the quick reply!

So, if membership requires committership, what is the next best way to
help the team?

From owner-freebsd-security@FreeBSD.ORG Tue Jun 9 03:34:44 2015
From: Mark Felder
To: Roger Marquis , freebsd-security@freebsd.org
Cc: des@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
Date: Mon, 08 Jun 2015 22:34:41 -0500

On Mon, Jun 8, 2015, at 15:55, Roger Marquis wrote:
> > On Fri, May 29, 2015 at 5:15 PM, Robert Simmons wrote:
> > Crickets.....
> >
> > May I ask again:
> >
> > How do we find out who the members of the Ports Secteam are?
> >
> > How do we join the team?
>
> Anyone?
>

I really hope this can be resolved face-to-face at BSDCan...

From owner-freebsd-security@FreeBSD.ORG Tue Jun 9 09:55:40 2015
Date: Tue, 9 Jun 2015 11:56:08 +0200 (CEST)
From: Remko Lodder
To: freebsd-security , Robert Simmons
Subject: Re: Ports Secteam

Hi,

>
> On June 9, 2015 at 1:59 AM Robert Simmons wrote:
>
>
> On Mon, Jun 8, 2015 at 7:31 PM, Xin Li wrote:
> > On 06/08/15 14:37, Robert Simmons wrote:
> >> I'm sure that the reason these questions have not been answered is
> >> simply because they may have gotten lost in the volume of traffic
> >> on freebsd-ports. In the following thread, there are a number of
> >> folks with enough passion to volunteer time to help with the Ports
> >> Secteam, but we're having difficulty getting a few basic questions
> >> answered.
> >> https://lists.freebsd.org/pipermail/freebsd-ports/2015-May/099268.html
> >>
> >> Here are the basic questions:
> >>
> >> Who are the members of the Ports Secteam?
> >
> > Current members include the current security officers (who act as a
> > fallback when needed and a contact for liaison for sensitive and
> > embargoed information) and:
> >
> > Eitan Adler (eadler@);
> > Jason Helfman (jgh@);
> > Martin Wilke (miwi@);
> > Eygene Ryabinkin (rea@);
> > Sofian Brabez (sbz@);
> > Simon L. B. Nielsen (simon@, clusteradm@ liaison);
> > Steve Wills (swills@);
> > Wesley Shields (wxs@);
> > Ryan Steinmetz (zi@);
> >
> >> How does one join the Ports Secteam?
> >
> > Per previous discussion with portmgr@, members are volunteers selected
> > by the Security Officer from active ports committers who have made
> > commits in the ports tree in the last 90 days.
>
> Excellent. Thanks for the quick reply!
>
> So, if membership requires committership, what is the next best way to
> help the team?
>

I think that actively sending patches would help in getting in
information sooner. A PR with the patch would greatly assist in that.

Cheers
Remko

From owner-freebsd-security@FreeBSD.ORG Wed Jun 10 05:30:33 2015
From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: Ports Secteam
Date: Wed, 10 Jun 2015 00:30:24 -0500

On Mon, Jun 8, 2015, at 18:31, Xin Li wrote:
>
> On 06/08/15 14:37, Robert Simmons wrote:
> > I'm sure that the reason these questions have not been answered is
> > simply because they may have gotten lost in the volume of traffic
> > on freebsd-ports. In the following thread, there are a number of
> > folks with enough passion to volunteer time to help with the Ports
> > Secteam, but we're having difficulty getting a few basic questions
> > answered.
> > https://lists.freebsd.org/pipermail/freebsd-ports/2015-May/099268.html
> >
> > Here are the basic questions:
> >
> > Who are the members of the Ports Secteam?
>
> Current members include the current security officers (who act as a
> fallback when needed and a contact for liaison for sensitive and
> embargoed information) and:
>
> Eitan Adler (eadler@);
> Jason Helfman (jgh@);
> Martin Wilke (miwi@);
> Eygene Ryabinkin (rea@);
> Sofian Brabez (sbz@);
> Simon L. B. Nielsen (simon@, clusteradm@ liaison);
> Steve Wills (swills@);
> Wesley Shields (wxs@);
> Ryan Steinmetz (zi@);
>
> > How does one join the Ports Secteam?
>
> Per previous discussion with portmgr@, members are volunteers selected
> by the Security Officer from active ports committers who have made
> commits in the ports tree in the last 90 days.
>

miwi stepped down 7 months ago. His name on this list is a huge red
flag that there is a lack of care and feeding for this team.

As long as my script isn't broken, here are the number of commits from
March 1st through June 1st by each committer in that list:

eadler: 6
jgh: 49
miwi: 0
rea: 5
sbz: 2
simon: 0
swills: 117
wxs: 1
zi: 64

There's an obvious lack of activity in that list and I would expect
participation in ports-secteam duties to be closely monitored and have
members rotated out if they take time away.

My participation in the ports tree has been rather sporadic lately, but
the script I used indicates I've 85 commits in that time period.
However, I'm not sure "number of commits" is necessarily a valuable
metric when considering candidates...

How do we make the ports-secteam effective again? Team members?
Infrastructure? New documentation and procedures?

From owner-freebsd-security@FreeBSD.ORG Wed Jun 10 07:07:45 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 801F6925 for ; Wed, 10 Jun 2015 07:07:45 +0000 (UTC) (envelope-from lists@eitanadler.com) Received: from mail-wg0-x22f.google.com (mail-wg0-x22f.google.com [IPv6:2a00:1450:400c:c00::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1615E10E2 for ; Wed, 10 Jun 2015 07:07:45 +0000 (UTC) (envelope-from lists@eitanadler.com) Received: by wgv5 with SMTP id 5so28337807wgv.1 for ; Wed, 10 Jun 2015 00:07:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=eitanadler.com; s=0xdeadbeef; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=G1EPSctP7wbmPbZEXphTZ5Z+CeaS3KcgE6RZlk8gfxo=; b=ZxoA788/BUXKCtRuIjSU3xJbaXdP9odWO9jlQMaZkID0LuMSl8pdLD4yml8S90lfy9 LderyounvWZBN5iQ/iUphMTYNrgK7xMt8eH+EB5mhzPwG6tVoAKx7Wo7XAIBi7tP6avb 2Hxb2apxPvvIKALOfejFhrMUpezf7IS+qZmGk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=G1EPSctP7wbmPbZEXphTZ5Z+CeaS3KcgE6RZlk8gfxo=; b=WSJsqM8AulIlYGal+/8QJb1dTMN5V/vqrcq47zSX1YqezW7js7GAoqwUyDZYajTz4r Q5APTRz7xhIe7deRN152HuK4lIdxA6zjf5CRVq7JfcRz0uTjkcBF33zFo5bYS3md8W9R BRI3NKfVLWad4NytEHEssA3CY4Nt1EUDEK3onouc+JQ9Xlcl9UeKw31mJaAMHpyhHeq8 pJ1thlOA3QxfUheA8DmsY+VXcSvN0kdsyTr4WSKJt7UjUQnEkyxjIBQM5NRkyayUozyO /VJYuLV+GD0mzRy4tdVEzNusYTTy0aiX6pW0SRvOurNUrcuqriJs+jD7344B+jVmOM0W jEtg== X-Gm-Message-State: ALoCoQkDeKY7dmWskjuVp5SuA3LRgSvFC77XeN8lqJJeRdaSDP39LzdfG/XnvJ6mRqeAke9Zz3Mk X-Received: by 
10.181.13.172 with SMTP id ez12mr5181695wid.91.1433920063255; Wed, 10 Jun 2015 00:07:43 -0700 (PDT) MIME-Version: 1.0 Received: by 10.28.65.85 with HTTP; Wed, 10 Jun 2015 00:07:12 -0700 (PDT) In-Reply-To: <1433914224.244626.291502609.0C780DD0@webmail.messagingengine.com> References: <557625CA.8030206@delphij.net> <1433914224.244626.291502609.0C780DD0@webmail.messagingengine.com> From: Eitan Adler Date: Wed, 10 Jun 2015 00:07:12 -0700 Message-ID: Subject: Re: Ports Secteam To: Mark Felder Cc: "freebsd-security@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jun 2015 07:07:45 -0000 On 9 June 2015 at 22:30, Mark Felder wrote: > > How do we make the ports-secteam effective again? Team members? > Infrastructure? New documentation and procedures? ports-secteam's scope has grown since it was created. The team needs new, active, members to be able to deal with the VuXML and quarterly branch portion of its work. We also need to creating tooling to make this easier: for instance it would be really awesome to automatically create VuXML entries from CVE/CPE data. > However, I'm not sure > "number of commits" is necessarily a valuable metric when considering > candidates... I agree. I *am* active as a ports-security member: I monitor relevent open & closed security lists for concerns that may affect FreeBSD. In addition I watch pkgng development for new security concerns. That said, I havn't committed to the ports tree very much lately. 
--
Eitan Adler

From owner-freebsd-security@FreeBSD.ORG Wed Jun 10 14:49:37 2015
From: Wesley Shields
Date: Wed, 10 Jun 2015 10:42:32 -0400
Subject: Re: Ports Secteam
To: d@delphij.net
Cc: Robert Simmons, freebsd-security@freebsd.org
In-Reply-To: <557625CA.8030206@delphij.net>
References: <557625CA.8030206@delphij.net>

As I've been unable to contribute to this team or to ports much lately I
hereby request that I be removed from this team. I'd rather someone else
who is more actively engaged take my spot.
--
WXS

> On Jun 8, 2015, at 7:31 PM, Xin Li wrote:
>
> Signed PGP part
> On 06/08/15 14:37, Robert Simmons wrote:
> > I'm sure that the reason these questions have not been answered is
> > simply because they may have gotten lost in the volume of traffic
> > on freebsd-ports. In the following thread, there are a number of
> > folks with enough passion to volunteer time to help with the Ports
> > Secteam, but we're having difficulty getting a few basic questions
> > answered.
> > https://lists.freebsd.org/pipermail/freebsd-ports/2015-May/099268.html
> >
> > Here are the basic questions:
> >
> > Who are the members of the Ports Secteam?
>
> Current members include the current security officers (who act as a
> fallback when needed and a contact for liaison for sensitive and
> embargoed information) and:
>
> Eitan Adler (eadler@);
> Jason Helfman (jgh@);
> Martin Wilke (miwi@);
> Eygene Ryabinkin (rea@);
> Sofian Brabez (sbz@);
> Simon L. B. Nielsen (simon@, clusteradm@ liaison);
> Steve Wills (swills@);
> Wesley Shields (wxs@);
> Ryan Steinmetz (zi@);
>
> > How does one join the Ports Secteam?
>
> Per previous discussion with portmgr@, members are volunteers selected
> by the Security Officer from active ports committers who have made
> commits in the ports tree in the last 90 days.
>
> Cheers,
> --
> Xin LI https://www.delphij.net/
> FreeBSD - The Power to Serve! Live free or die
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Fri Jun 12 00:48:22 2015
Message-ID: <557A2C4C.8080006@delphij.net>
Date: Thu, 11 Jun 2015 17:48:12 -0700
From: Xin Li
Reply-To: d@delphij.net
Organization: The FreeBSD Project
To: Michelle Sullivan, marquis@roble.com
CC: secteam@FreeBSD.org, freebsd-ports@freebsd.org, "freebsd-security@freebsd.org"
Subject: Re: OpenSSL Security Advisory [11 Jun 2015]
References: <20150611183848.2D328F4C@hub.freebsd.org> <557A1B16.3060606@sorbs.net>
In-Reply-To: <557A1B16.3060606@sorbs.net>

On 06/11/15 16:34, Michelle Sullivan wrote:
> Roger Marquis wrote:
>> The ports-secteam knows about this but posting here in case
>> someone wants to update ahead of the port, from this morning's
>> Hackernews:
>>
>>
>>
>
> *wonders how this will affect 8.x & 9.x* (seems to be no fix for
> 0.9.8 which 8.4 and 9.3 has 0.9.8zd in base - i expect 8.4 to get
> ignored as it EoLs on Jun 30, 2015, but 9.3 EoLs on Dec 31, 2016)

Well, by "supported" we mean supported at least up until the EoL date
and they will never be dropped before that date.

Actually we are working on the update right now (first round of tests
done, patches going to build and writing advisories, etc.) so it would
be out sometime today or tomorrow. Additionally we are considering
issuing another EN for all supported releases at a later time to do a
full upgrade after the current batch of -STABLE OpenSSL upgrades gets
enough exposure.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die

From owner-freebsd-security@FreeBSD.ORG Fri Jun 12 07:43:30 2015
Date: Fri, 12 Jun 2015 07:43:30 GMT
Message-Id: <201506120743.t5C7hUdu035884@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:10.openssl
Reply-To: freebsd-security@freebsd.org

=============================================================================
FreeBSD-SA-15:10.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple OpenSSL vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2015-06-12
Affects:        All supported versions of FreeBSD.
Corrected:      2015-06-11 19:07:45 UTC (stable/10, 10.1-STABLE)
                2015-06-12 07:23:55 UTC (releng/10.1, 10.1-RELEASE-p12)
                2015-06-11 19:39:27 UTC (stable/9, 9.3-STABLE)
                2015-06-12 07:23:55 UTC (releng/9.3, 9.3-RELEASE-p16)
                2015-06-11 19:39:27 UTC (stable/8, 8.4-STABLE)
                2015-06-12 07:23:55 UTC (releng/8.4, 8.4-RELEASE-p30)
CVE Name:       CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791
                CVE-2015-1792, CVE-2015-4000

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II.  Problem Description

A vulnerability in the TLS protocol would allow a man-in-the-middle
attacker to downgrade vulnerable TLS connections using ephemeral
Diffie-Hellman key exchange to 512-bit export-grade cryptography. This
vulnerability is also known as Logjam [CVE-2015-4000].

When processing an ECParameters structure OpenSSL enters an infinite loop
if the curve specified is over a specially malformed binary polynomial
field. [CVE-2015-1788]

X509_cmp_time does not properly check the length of the ASN1_TIME string
and can read a few bytes out of bounds. In addition, X509_cmp_time accepts
an arbitrary number of fractional seconds in the time string.
[CVE-2015-1789]

The PKCS#7 parsing code does not handle missing inner EncryptedContent
correctly. [CVE-2015-1790]

When verifying a signedData message the CMS code can enter an infinite
loop if presented with an unknown hash function OID. [CVE-2015-1792]

If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur,
potentially leading to a double free of the ticket data. [CVE-2015-1791]

The OpenSSL advisory also describes a problem that is identified as
CVE-2014-8176, which is already fixed by an earlier FreeBSD Errata
Notice, FreeBSD-EN-15:02.openssl.

III. Impact

A man-in-the-middle attacker may be able to downgrade vulnerable TLS
connections using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography. [CVE-2015-4000]. On FreeBSD 10.1, the patch
contains a countermeasure for clients by rejecting handshakes with DH
parameters shorter than 768 bits.

An attacker who is able to use a certificate to authenticate with a
remote system can perform denial of service against any system which
processes public keys, certificate requests or certificates.
[CVE-2015-1788]. This affects FreeBSD 10.1 only, as the problem has not
existed in the OpenSSL 0.9.8 series since July 2012.
An attacker can use the CVE-2015-1789 issue by using specifically crafted
certificates and CRLs of various sizes and potentially cause a
segmentation fault, resulting in a DoS on applications that verify
certificates or CRLs.

An attacker can create specifically crafted malformed ASN.1-encoded
PKCS#7 blobs with missing content and trigger a NULL pointer dereference
on parsing. [CVE-2015-1790]. Applications that decrypt PKCS#7 data or
otherwise parse PKCS#7 structures from untrusted sources are affected.
OpenSSL clients and servers are not affected.

An attacker can perform denial of service against any system which
verifies signedData messages using the CMS code. [CVE-2015-1792]

An attacker may be able to crash multi-threaded applications that
support resumed TLS handshakes. [CVE-2015-1791]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:10/openssl-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:10/openssl-10.1.patch.asc
# gpg --verify openssl-10.1.patch.asc

[FreeBSD 9.3 and 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:10/openssl-8.4.patch
# fetch https://security.FreeBSD.org/patches/SA-15:10/openssl-8.4.patch.asc
# gpg --verify openssl-8.4.patch.asc

b) Apply the patch.
Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons using the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r284286
releng/8.4/                                                       r284295
stable/9/                                                         r284286
releng/9.3/                                                       r284295
stable/10/                                                        r284285
releng/10.1/                                                      r284295
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@FreeBSD.ORG Fri Jun 12 16:14:04 2015
Message-ID: <557B051F.5070806@sentex.net>
Date: Fri, 12 Jun 2015 12:13:19 -0400
From: Mike Tancsa
Organization: Sentex Communications
To: Dirk Meyer, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:10.openssl
References: <201506120743.t5C7hUdu035884@freefall.freebsd.org>

On 6/12/2015 7:06 AM, Dirk Meyer wrote:
> FreeBSD Security Advisories wrote:
>
>> Topic: Multiple OpenSSL vulnerabilities
>> Module: openssl
>> Announced: 2015-06-12
>> CVE Name: CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791
>> CVE-2015-1792, CVE-2015-4000
>
> I see a regression in the port for OpenSSL 1.0.2b:

There is also an ssh issue it seems?

http://marc.info/?l=openssh-unix-dev&m=143412504002151&w=2

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Sat Jun 13 03:26:49 2015
Date: Sat, 13 Jun 2015 05:13:07 +0200
From: Zoran Kolic
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:10.openssl
Message-ID: <20150613031307.GA30499@knossos>

Do I read this advisory correctly: it does not affect 9.3?

Zoran

From owner-freebsd-security@FreeBSD.ORG Sat Jun 13 09:09:29 2015
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:10.openssl
From: Dimitry Andric
In-Reply-To: <20150613031307.GA30499@knossos>
Date: Sat, 13 Jun 2015 11:09:15 +0200
Cc: freebsd-security@freebsd.org
Message-Id: <44F32106-F54A-40F6-9360-5F0904EF6C8B@FreeBSD.org>
References: <20150613031307.GA30499@knossos>
To: Zoran Kolic

On 13 Jun 2015, at 05:13, Zoran Kolic wrote:
>
> Do I read this advisory correctly: it does not affect 9.3?

It *does* affect 9.3:

> Category: contrib
> Module: openssl
> Announced: 2015-06-12
> Affects: All supported versions of FreeBSD.
> Corrected: 2015-06-11 19:07:45 UTC (stable/10, 10.1-STABLE)
> 2015-06-12 07:23:55 UTC (releng/10.1, 10.1-RELEASE-p12)
> 2015-06-11 19:39:27 UTC (stable/9, 9.3-STABLE)
> 2015-06-12 07:23:55 UTC (releng/9.3, 9.3-RELEASE-p16)
> 2015-06-11 19:39:27 UTC (stable/8, 8.4-STABLE)
> 2015-06-12 07:23:55 UTC (releng/8.4, 8.4-RELEASE-p30)
> CVE Name: CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791
> CVE-2015-1792, CVE-2015-4000

You need 9.3-RELEASE-p16 to fix it.
-Dimitry

From owner-freebsd-security@FreeBSD.ORG Sat Jun 13 14:00:14 2015
Date: Sat, 13 Jun 2015 16:00:13 +0200
From: Zoran Kolic
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:10.openssl
Message-ID: <20150613140013.GB689@faust.sbb.rs>

My bad. Posted prior to reading everything carefully.
Thanks all for correcting me.

Zoran
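
The 9.3 question in this thread is settled by comparing a host's version string with the "Corrected" lines and the "Correction details" revisions of FreeBSD-SA-15:10.openssl. The sh function below is an added example, not part of the advisory or of any message above; the name sa1510_status, its result words and the optional revision argument are assumptions, and the numbers are copied from the advisory.

```shell
#!/bin/sh
# Added example: classify a FreeBSD version string against the patch levels
# and SVN revisions that FreeBSD-SA-15:10.openssl lists as corrected.
# sa1510_status is a hypothetical helper name.
#
# usage: sa1510_status VERSION [REVISION]
#   VERSION   e.g. 9.3-RELEASE-p16, 10.1-RELEASE, 9.3-STABLE
#   REVISION  SVN revision of the source tree (r284286 or 284286); only
#             consulted for non-RELEASE branches, which carry no -pN level
# prints one of: fixed, vulnerable, need-revision, not-listed, malformed
sa1510_status() {
    ver=$1
    rev=${2:-}
    rev=${rev#r}

    # A usable string has at least "release-branch".
    case $ver in
        *-*) ;;
        *) echo malformed; return 0 ;;
    esac

    # Split "10.1-RELEASE-p12" into release=10.1 branch=RELEASE patch=12.
    release=${ver%%-*}
    rest=${ver#*-}
    case $rest in
        *-p*) branch=${rest%%-p*}; patch=${rest##*-p} ;;
        *)    branch=$rest;        patch=0 ;;   # no suffix means patch level 0
    esac
    case $patch in
        ''|*[!0-9]*) echo malformed; return 0 ;;
    esac

    if [ "$branch" != RELEASE ]; then
        # stable/N: the advisory identifies the fix by revision, not by -pN.
        case $release in
            10.*) need=284285 ;;
            9.*)  need=284286 ;;
            8.*)  need=284286 ;;
            *)    echo not-listed; return 0 ;;
        esac
        case $rev in
            '')       echo need-revision ;;
            *[!0-9]*) echo malformed ;;
            *)  if [ "$rev" -ge "$need" ]; then echo fixed; else echo vulnerable; fi ;;
        esac
        return 0
    fi

    # releng/N.M: first corrected patch level per supported release.
    case $release in
        10.1) need=12 ;;
        9.3)  need=16 ;;
        8.4)  need=30 ;;
        *)    echo not-listed; return 0 ;;
    esac
    if [ "$patch" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}
```

OpenSSL lives in the base userland, so pass the userland version; `uname -r` reports the running kernel, which an update that touches only userland leaves unchanged.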