From: Glen Barber
To: Nathan Dorfman
Cc: freebsd-security@freebsd.org
Subject: Re: Cryptographic signatures of installer sets
Date: Mon, 27 Jan 2020 16:42:01 +0000
Message-ID: <20200127164201.GB9584@FreeBSD.org>
In-Reply-To: <20200125200007.GA11@rtfm.net>

On Sat, Jan 25, 2020 at 08:00:07PM +0000, Nathan Dorfman wrote:
> Hello all,
>
> I really hope I'm missing something here, and we can all have a nice
> chuckle at my expense.
>
> But I can't see any way the integrity of the installer sets (base.txz,
> kernel.txz and friends) can be verified cryptographically? There is a
> MANIFEST file containing SHA256 checksums, but it itself does not appear
> to be signed in any way.
>
> The installer images do come with PGP-signed checksums. So, when using
> an image that already contains all the sets, one can be sure they are
> authentic. What happens when one uses a network-only installer, though?
> How can it authenticate the sets it downloads from the user's chosen
> mirror?
>
> A cursory glance at src/usr.sbin/bsdinstall suggests that it does not,
> in fact, do that. Checksums are compared against the MANIFEST (in
> scripts/checksum), but that is itself simply downloaded from the same
> mirror (in scripts/jail), usually over plain FTP, without any
> authentication.
>

No, this last part is not true.  The installer always verifies the
checksums against /usr/freebsd-dist/MANIFEST on the installation medium.
In particular, this was done in r293223, where the LOCAL_DISTRIBUTIONS
variable explicitly contains the MANIFEST.
Glen
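The check Glen describes, verifying a downloaded set against the MANIFEST that shipped on the installation medium rather than against one fetched from the same mirror, as an added example in Python. This is not bsdinstall's own code (which is shell); the tab-separated MANIFEST layout assumed here (set name, SHA-256, file count, short name, description, default flag), the function names and the sample bytes are the example's own assumptions.

```python
"""Verify downloaded FreeBSD distribution sets against a trusted MANIFEST.

Added example, not bsdinstall's code.  Assumed MANIFEST layout (one set per
line, tab-separated):

    <set name>\t<sha256 hex>\t<file count>\t<short name>\t<description>\t<default>

The thread's point: the MANIFEST must come from the installation medium
(e.g. /usr/freebsd-dist/MANIFEST).  A MANIFEST downloaded over the same
unauthenticated channel as the sets would authenticate nothing.
"""
import hashlib
import hmac
from typing import Dict, Tuple


def parse_manifest(text: str) -> Dict[str, str]:
    """Map set file name -> expected SHA-256 hex digest."""
    expected: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            raise ValueError(f"MANIFEST line {lineno}: too few fields")
        name, digest = fields[0], fields[1].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"MANIFEST line {lineno}: bad SHA-256 for {name}")
        expected[name] = digest
    return expected


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_set(name: str, data: bytes, trusted: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason).  A set that is not listed in the trusted MANIFEST
    has no expected digest and is rejected rather than silently accepted."""
    if name not in trusted:
        return False, f"{name}: not listed in trusted MANIFEST"
    actual = sha256_of(data)
    # constant-time comparison; harmless here and a good habit for digests
    if not hmac.compare_digest(actual, trusted[name]):
        return False, f"{name}: checksum mismatch (got {actual[:16]}..., want {trusted[name][:16]}...)"
    return True, f"{name}: ok"


# --- constructed sample data; these are not real release sets ---
GOOD_BASE = b"pretend this is base.txz\n"
GOOD_KERNEL = b"pretend this is kernel.txz\n"


def sample_manifest() -> str:
    """A MANIFEST built from the constructed bytes above so the example is
    self-consistent; a real one is read from the install medium."""
    return "\n".join([
        f"base.txz\t{sha256_of(GOOD_BASE)}\t1\tbase\tBase system (MANDATORY)\ton",
        f"kernel.txz\t{sha256_of(GOOD_KERNEL)}\t1\tkernel\tKernel (MANDATORY)\ton",
    ]) + "\n"


def check_download(name: str, data: bytes) -> bool:
    """Verify one downloaded set against the trusted sample MANIFEST."""
    ok, reason = verify_set(name, data, parse_manifest(sample_manifest()))
    print(reason)
    return ok


if __name__ == "__main__":
    check_download("base.txz", GOOD_BASE)                 # ok
    check_download("base.txz", GOOD_BASE + b"tampered")   # mismatch
    check_download("lib32.txz", b"anything")              # not listed
```

The trust in this scheme comes entirely from where `trusted` was obtained: passing a MANIFEST served by the mirror alongside the sets makes the comparison succeed for any tampered set whose digest was adjusted to match, so the digest check only means something when the MANIFEST arrived by a path the mirror cannot influence.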
From: freneza
To: freebsd-security@freebsd.org
Subject: cjdns
Date: Mon, 27 Jan 2020 18:53:13 +0200
Message-ID: <910b28bb-6f4f-bf44-3a18-5d4e2437ae85@gmail.com>

I am having major trouble getting cjdns working on FreeBSD.

I was capable of running it on Debian and Fedora without any trouble,
but FreeBSD has trouble with getting the network to route properly.
I tried the `pkg install cjdns` and running it from source, but both
don't work for me.

If someone could get cjdns to work, please create a guide. All generic
(usually Linux-targeted) cjdns guides didn't work for me.

I am sure my connectTo configuration (peering) is correct because I
use the same peers on Fedora and Debian without a hitch.
From: freneza
To: freebsd-security@freebsd.org
Subject: Re: cjdns
Date: Tue, 28 Jan 2020 18:21:43 +0200
Message-ID: <3a46f07b-eb3d-c3a4-0888-33436c83c304@gmail.com>
In-Reply-To: <910b28bb-6f4f-bf44-3a18-5d4e2437ae85@gmail.com>

I am replying to myself.. I have fixed this problem by adding a static
route. Turns out cjdns doesn't add a proper route when being run on
FreeBSD. In addition, you have to statically select the interface name,
or else it will just increment whenever you restart cjdns (tun0, tun1,
tun2, etc.).
If anyone ever faces this problem, add this to your `/etc/rc.conf`:

```
ipv6_static_routes="cjdns"
ipv6_route_cjdns="-net fc00::/7 fc4d:b57e:887e:5f2a:33e7:a215:2399:ea72"
cjdns_enable="YES"
```

and add this to the `interface` section of `router`, at the end of the line:

```
"tunDevice": "tun0"
```

It should look like this in the end:

```
        "interface": {
            // The type of interface (only TUNInterface is supported for now)
            "type": "TUNInterface",

            // The type of tunfd (only "android" for now)
            // If "android" here, the tunDevice should be used as the pipe path
            // to transfer the tun file description.
            // "tunfd" : "android"

            // The name of a persistent TUN device to use.
            // This for starting cjdroute as its own user.
            // *MOST USERS DON'T NEED THIS*
            "tunDevice": "tun0"
        },
```

and then restart your FreeBSD machine and cjdns should work!

On 1/27/20 6:53 PM, freneza wrote:
> I am having major trouble getting cjdns working on FreeBSD.
>
> I was capable of running it on Debian and Fedora without any trouble,
> but FreeBSD has trouble with getting the network to route properly.
>
> I tried the `pkg install cjdns` and running it from source, but both
> don't work for me.
>
> If someone could get cjdns to work, please create a guide. All generic
> (usually Linux-targeted) cjdns guides didn't work for me.
>
> I am sure my connectTo configuration (peering) is correct because I
> use the same peers on Fedora and Debian without a hitch.
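A pre-reboot sanity check for the two settings the post above changes (the static fc00::/7 route in rc.conf and a pinned tunDevice in cjdroute.conf), as an added example in Python; it is not part of the post or of cjdns. It assumes only what is visible in the post: rc.conf `key="value"` lines with an `ipv6_route_<name>` entry of the form `-net <prefix> <gateway>`, and a cjdroute.conf whose `router.interface` block carries `tunDevice`. The comment stripping, the function names and the sample files are constructed for the example.

```python
"""Check the cjdns-on-FreeBSD settings from the post before rebooting.

Added example, not cjdns or FreeBSD code.  Assumptions: rc.conf uses
key="value" lines; the route entry has the shape "-net <prefix> <gateway>";
cjdroute.conf is JSON with // line comments (stripped naively here, which
is enough for the fragment in the post but would break on "//" inside a
JSON string).
"""
import ipaddress
import json
import re
from typing import Dict, List

# Every cjdns node address lies in fc00::/8; the route in the post covers fc00::/7.
CJDNS_NODE_PREFIX = ipaddress.ip_network("fc00::/8")
EXPECTED_ROUTE = ipaddress.ip_network("fc00::/7")


def parse_rc_conf(text: str) -> Dict[str, str]:
    """Parse key="value" lines; comments and blank lines are ignored."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r'([A-Za-z_][A-Za-z0-9_]*)="?([^"]*)"?', line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def strip_json_comments(text: str) -> str:
    """Drop // line comments so json.loads can read a cjdroute.conf fragment."""
    return re.sub(r"//[^\n]*", "", text)


def check_cjdns_setup(rc_conf: str, cjdroute_conf: str) -> List[str]:
    """Return a list of problems; an empty list means both files look right."""
    problems: List[str] = []
    rc = parse_rc_conf(rc_conf)
    if rc.get("cjdns_enable", "").upper() != "YES":
        problems.append("cjdns_enable is not YES")

    route_ok = False
    for name in rc.get("ipv6_static_routes", "").split():
        spec = rc.get(f"ipv6_route_{name}", "").split()
        if len(spec) != 3 or spec[0] != "-net":
            problems.append(f"ipv6_route_{name}: expected '-net <prefix> <gateway>'")
            continue
        try:
            net = ipaddress.ip_network(spec[1], strict=False)
            gw = ipaddress.ip_address(spec[2])
        except ValueError as e:
            problems.append(f"ipv6_route_{name}: {e}")
            continue
        # The gateway must itself be a cjdns address, i.e. the node's own.
        if net == EXPECTED_ROUTE and gw in CJDNS_NODE_PREFIX:
            route_ok = True
    if not route_ok:
        problems.append("no static route for fc00::/7 via a cjdns (fc00::/8) address")

    try:
        conf = json.loads(strip_json_comments(cjdroute_conf))
    except ValueError as e:
        problems.append(f"cjdroute.conf: not valid JSON after comment stripping: {e}")
        return problems
    iface = conf.get("router", {}).get("interface", {})
    if not iface.get("tunDevice"):
        problems.append("router.interface.tunDevice is unset; the device name "
                        "will change on every restart")
    return problems


# --- constructed sample files mirroring the post ---
GOOD_RC = '''ipv6_static_routes="cjdns"
ipv6_route_cjdns="-net fc00::/7 fc4d:b57e:887e:5f2a:33e7:a215:2399:ea72"
cjdns_enable="YES"
'''
GOOD_CONF = '''{
    "router": {
        "interface": {
            // The type of interface (only TUNInterface is supported for now)
            "type": "TUNInterface",
            "tunDevice": "tun0"
        }
    }
}
'''
NO_DEVICE_CONF = GOOD_CONF.replace('"tunDevice": "tun0"', '"unrelated": 1')
NO_ROUTE_RC = 'cjdns_enable="YES"\n'

if __name__ == "__main__":
    print(check_cjdns_setup(GOOD_RC, GOOD_CONF))           # []
    print(check_cjdns_setup(NO_ROUTE_RC, GOOD_CONF))       # route missing
    print(check_cjdns_setup(GOOD_RC, NO_DEVICE_CONF))      # tunDevice missing
```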
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:01.libfetch
Reply-To: freebsd-security@freebsd.org
Date: Tue, 28 Jan 2020 20:38:47 +0000 (UTC)
Message-Id: <20200128203847.5CAED1BE7B@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-20:01.libfetch                                   Security Advisory
                                                          The FreeBSD Project

Topic:          libfetch buffer overflow

Category:       core
Module:         libfetch
Announced:      2020-01-28
Credits:        Duncan Overbruck
Affects:        All supported versions of FreeBSD.
Corrected:      2020-01-28 18:40:55 UTC (stable/12, 12.1-STABLE)
                2020-01-28 18:55:25 UTC (releng/12.1, 12.1-RELEASE-p2)
                2020-01-28 18:55:25 UTC (releng/12.0, 12.0-RELEASE-p13)
                2020-01-28 18:42:06 UTC (stable/11, 11.3-STABLE)
                2020-01-28 18:55:25 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name:       CVE-2020-7450

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

libfetch(3) is a multi-protocol file transfer library included with FreeBSD
and used by the fetch(1) command-line tool, pkg(8) package manager, and
others.

II.  Problem Description

A programming error allows an attacker who can specify a URL with a
username and/or password components to overflow libfetch(3) buffers.

III. Impact

An attacker in control of the URL to be fetched (possibly via HTTP
redirect) may cause a heap buffer overflow, resulting in program
misbehavior or malicious code execution.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch
# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch.asc
# gpg --verify libfetch.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r357213
releng/12.1/                                                      r357217
releng/12.0/                                                      r357217
stable/11/                                                        r357214
releng/11.3/                                                      r357217
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:02.ipsec
Reply-To: freebsd-security@freebsd.org
Date: Tue, 28 Jan 2020 20:38:51 +0000 (UTC)
Message-Id: <20200128203851.965D11BFD1@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-20:02.ipsec                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Missing IPsec anti-replay window check

Category:       core
Module:         kernel
Announced:      2020-01-28
Credits:        Jean-Francois HREN
Affects:        FreeBSD 12.0 only
Corrected:      2020-01-28 18:56:46 UTC (releng/12.0, 12.0-RELEASE-p13)
CVE Name:       CVE-2019-5613

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

IPsec is a suite of protocols providing data authentication, integrity,
and confidentiality between two networked hosts.

II.  Problem Description

A missing check means that an attacker can reinject an old packet and it
will be accepted and processed by the IPsec endpoint.

III. Impact

The impact depends on the higher-level protocols in use over IPsec.  For
example, an attacker who can capture and inject packets could cause an
action that was intentionally performed once to be repeated.

IV.  Workaround

No workaround is available.  Systems not using IPsec are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch
# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch.asc
# gpg --verify ipsec.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
releng/12.0/                                                      r357218
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
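The anti-replay window check that the advisory above says was missing, as an added example in Python following the sliding-window algorithm of RFC 4303 Appendix A. This is not FreeBSD's kernel code; the class and function names are the example's own, and the `enforce=False` path models the vulnerable behaviour (every authenticated packet accepted regardless of sequence number) beside the correct one.

```python
"""ESP anti-replay sliding window, RFC 4303 Appendix A style.  Added example,
not FreeBSD kernel code.

Packets are assumed to have already passed integrity (ICV) verification; a
real implementation must only update the window after that check succeeds,
otherwise forged packets could advance the window and drop legitimate ones.
"""
from typing import List


class AntiReplayWindow:
    """Sliding window over ESP sequence numbers.

    Bit i of `bitmap` records whether sequence number (last - i) has been
    accepted.  `enforce=False` reproduces what the advisory describes: no
    replay check at all, so a captured old packet is accepted a second time.
    """

    def __init__(self, size: int = 64, enforce: bool = True) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.enforce = enforce
        self.last = 0          # highest sequence number accepted so far
        self.bitmap = 0        # bit 0 corresponds to self.last
        self.mask = (1 << size) - 1

    def accept(self, seq: int) -> bool:
        """Return True if `seq` is new and inside the window; updates state."""
        if seq == 0:
            return False       # sequence number 0 is never valid in ESP
        if not self.enforce:
            return True        # vulnerable path: replays are not detected
        if seq > self.last:
            # Newer than anything seen: slide the window to the right.
            shift = seq - self.last
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) & self.mask
            else:
                self.bitmap = 0        # jumped past the whole window
            self.bitmap |= 1
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False       # older than the window: drop
        bit = 1 << diff
        if self.bitmap & bit:
            return False       # already accepted: this is a replay
        self.bitmap |= bit
        return True


def process_stream(seqs: List[int], enforce: bool = True, size: int = 64) -> List[bool]:
    """Run a stream of sequence numbers through one window; True == accepted."""
    win = AntiReplayWindow(size=size, enforce=enforce)
    return [win.accept(s) for s in seqs]


# Constructed stream: in-order packets, two replays, a large jump, then one
# packet just inside the 64-wide window and one just outside it.
SAMPLE = [1, 2, 3, 2, 1, 100, 37, 36]

if __name__ == "__main__":
    print("with check   :", process_stream(SAMPLE, enforce=True))
    print("without check:", process_stream(SAMPLE, enforce=False))
```

With the check in place the replayed packets (the second 2 and 1) and the out-of-window packet (36, which is 64 behind 100) are dropped while 37, exactly at the window edge, is still accepted; with the check disabled every packet goes through, which is the condition the advisory describes.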
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:03.thrmisc
Reply-To: freebsd-security@freebsd.org
Date: Tue, 28 Jan 2020 20:38:59 +0000 (UTC)
Message-Id: <20200128203859.BCEDF1C316@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-20:03.thrmisc                                    Security Advisory
                                                          The FreeBSD Project

Topic:          kernel stack data disclosure

Category:       core
Module:         kernel
Announced:      2020-01-28
Credits:        Ilja Van Sprundel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-11-15 16:40:10 UTC (stable/12, 12.1-STABLE)
                2020-01-28 18:57:45 UTC (releng/12.1, 12.1-RELEASE-p2)
                2020-01-28 18:57:45 UTC (releng/12.0, 12.0-RELEASE-p13)
                2019-11-15 16:40:55 UTC (stable/11, 11.3-STABLE)
                2020-01-28 18:57:45 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name:       CVE-2019-15875

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The kernel can create a core dump file when a process crashes that
contains process state, for debugging.

II.  Problem Description

Due to incorrect initialization of a stack data structure, up to 20 bytes
of kernel data previously stored on the stack will be exposed to a
crashing user process.

III. Impact

Sensitive kernel data may be disclosed.

IV.  Workaround

Core dumps may be disabled by setting the kern.coredump sysctl to 0.
See sysctl(8) and sysctl.conf(5).

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch
# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch.asc
# gpg --verify thrmisc.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r354734
releng/12.1/                                                      r357219
releng/12.0/                                                      r357219
stable/11/                                                        r354735
releng/11.3/                                                      r357219
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 486f1J224qz4btF for ; Tue, 28 Jan 2020 20:51:48 +0000 (UTC) (envelope-from royce.williams@gmail.com) Received: by mail-wm1-f42.google.com with SMTP id c84so4079312wme.4 for ; Tue, 28 Jan 2020 12:51:47 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=MW1tznUXTs+6qZtQ3NVwklA3UWC7/qhjrnDiuoOjLXc=; b=YD9wutB06Pal7nICojjWe2OzcW28RyqYF+TDmsAGg0Cd75Pg8Ti19W2y3Y00rt/+/j KZz5+qNjRnfSOFNiy//6NNIqDs0wd0d52is//DFXx/00uH6UDdPe8uHHmNxg2xnPslT7 PRCCEr/+sv1g4n5STbd2bgqPqc58Mqct9EfPhEoMHbyNCCVAQtOU0AiWfEfIcDkxzw3y cijbK4CknyBFS8S2xA9ugBQXVScS2rzTvrvOxf7c4aqP+JSoM+wKCoJjw7QCLIUkKWI5 1BMkSWaBvBjf2Cd2HBSND9Z9kEhIbWcbK93qNdKr4ljwpMNzeMcDFDWVe0ogLs53NEwp 60hg== X-Gm-Message-State: APjAAAWXoYHguTANoQJoZreuP3JDu10hgV5jwt3gFDQAwNnBEzj6C5FL zgqFs/NR7zegIV6NBQCJ/IwI0gSyjIC6Wk7KH4UZw4LxtOQ= X-Google-Smtp-Source: APXvYqzYkl7H8+1PkexmolC1yXHBGvH4VHUTIhaf0Jw0d+xS1HbdLe+uhW+qogBMkyaUOzksvWumairxm1ij4IfPEz0= X-Received: by 2002:a1c:1b4d:: with SMTP id b74mr7140853wmb.33.1580244706113; Tue, 28 Jan 2020 12:51:46 -0800 (PST) MIME-Version: 1.0 From: Royce Williams Date: Tue, 28 Jan 2020 11:51:10 -0900 Message-ID: Subject: @freebsdsecurity Twitter handle? 
To: freebsd-security@freebsd.org X-Rspamd-Queue-Id: 486f1J224qz4btF X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=techsolvency.com (policy=none); spf=pass (mx1.freebsd.org: domain of roycewilliams@gmail.com designates 209.85.128.42 as permitted sender) smtp.mailfrom=roycewilliams@gmail.com X-Spamd-Result: default: False [-1.95 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; DMARC_POLICY_SOFTFAIL(0.10)[techsolvency.com : SPF not aligned (relaxed), No valid DKIM,none]; FROM_NEQ_ENVFROM(0.00)[royce@techsolvency.com,roycewilliams@gmail.com]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_TRACE(0.00)[0:+,1:+,2:~]; RCVD_TLS_ALL(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[42.128.85.209.list.dnswl.org : 127.0.5.0]; IP_SCORE(-1.05)[ip: (-0.37), ipnet: 209.85.128.0/17(-3.05), asn: 15169(-1.78), country: US(-0.05)]; FORGED_SENDER(0.30)[royce@techsolvency.com,roycewilliams@gmail.com]; RWL_MAILSPIKE_POSSIBLE(0.00)[42.128.85.209.rep.mailspike.net : 127.0.0.17]; R_DKIM_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; SUBJECT_ENDS_QUESTION(1.00)[]; TAGGED_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jan 2020 20:51:49 -0000 Is the @freebsdsecurity Twitter handle managed by the security team? (If so, looks like it's been fallow since 2016?) 
If not, is there an equivalent Twitter account that is official? -- Royce From owner-freebsd-security@freebsd.org Wed Jan 29 02:53:10 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7B9791B3F30 for ; Wed, 29 Jan 2020 02:53:10 +0000 (UTC) (envelope-from koobs.freebsd@gmail.com) Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 486p2F4Nw3z40k5 for ; Wed, 29 Jan 2020 02:53:09 +0000 (UTC) (envelope-from koobs.freebsd@gmail.com) Received: by mail-pf1-x42c.google.com with SMTP id s1so7078236pfh.10 for ; Tue, 28 Jan 2020 18:53:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:reply-to:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=UjIv2YXk93Q0AwV9c6WS998qJp0hr41jSNP7WHV/A30=; b=Qx1VtUkz7f4FdwzPhfoVhxR3VY/ETDa0fpakWy1fNgbTXoSBNk4RPbDAlKIzxM6tXa BQ3RW4LQd+1tX7s5NBUxQjDsrm5F2PcB0rjylZjXpSG6lku6JrlH8wPVuYZb/2vO4eW1 a7af9tSNXmHxlUUhpaPP/fKCP0wVsl0ZeJ88Dhzv2kXxzwN2yOX7S+Gf4jYtArapcoK4 jRHbIrAtPz3D2Oapxhr/dMn50uoyL+C1nP+4zqHTVSqy2i2EhnwalZGvGr+bzv0L9Lsw SqlX37JOioqd9C1B+8cjxvNNyaR9OUBK3h/3D9oZltX7006hTrqjId5YP3y4JrV09FLi ZVOQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:reply-to:subject:to:references:from :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=UjIv2YXk93Q0AwV9c6WS998qJp0hr41jSNP7WHV/A30=; 
b=db3OxoKb4ml4zp0zdWnjJ6NAd83lUgABdO6r5hc2m1Xlkk1d/EaAzUOUbKS7uovcpH FPlqKdLAEKOsJ5mErNkxB8oHsvSG8A8mqGv77z8v9kw6+9jc8wkiO79piNrF7M4fPpN6 XyKKmMT8w2qMyxXjbTFo6zxoFW/sHXpRdpazYIbDPLiiQFgGeK2hZvuzH/N5+DphxyCJ P+yAAesL5SPxmgKqibvzRmvKc/l4RXhC67oHbt0aqkYttHTXAbmaFn/OqzTmBzrO8epz OeY8LRfOF8ToMSY7CnFRWgpA6utTx8uFUzqc8snG28WPZn8ec0DGF5YDC0WJsqLBOGEP h2EA== X-Gm-Message-State: APjAAAXqkdLD3EQCfWQQkJMXikwUZEHcockwWm0avAmta/6e4FvXY402 QZhbhwxMSfB7WkmDwkTk6NvcC8KU X-Google-Smtp-Source: APXvYqwMLN4BtOFDKaLVYcVd284d4YyGkE52Y9Hl6ejljVnLgCOmbO9oKqZZHdT3yUEKmvg41QoGHA== X-Received: by 2002:a62:5547:: with SMTP id j68mr7337154pfb.6.1580266387875; Tue, 28 Jan 2020 18:53:07 -0800 (PST) Received: from [192.168.1.110] (180-150-68-130.b49644.syd.nbn.aussiebb.net. [180.150.68.130]) by smtp.gmail.com with ESMTPSA id o19sm3784610pjr.2.2020.01.28.18.53.06 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 28 Jan 2020 18:53:07 -0800 (PST) Sender: Kubilay Kocak Reply-To: koobs@FreeBSD.org Subject: Re: @freebsdsecurity Twitter handle? 
To: Royce Williams , freebsd-security@freebsd.org References: From: Kubilay Kocak Message-ID: <17390aa6-cf0a-6719-f573-9aca6df8a133@FreeBSD.org> Date: Wed, 29 Jan 2020 13:53:03 +1100 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Thunderbird/73.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 486p2F4Nw3z40k5 X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=Qx1VtUkz; dmarc=none; spf=pass (mx1.freebsd.org: domain of koobsfreebsd@gmail.com designates 2607:f8b0:4864:20::42c as permitted sender) smtp.mailfrom=koobsfreebsd@gmail.com X-Spamd-Result: default: False [-3.74 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; HAS_REPLYTO(0.00)[koobs@FreeBSD.org]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; REPLYTO_ADDR_EQ_FROM(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[gmail.com:+]; RCPT_COUNT_TWO(0.00)[2]; FORGED_SENDER(0.30)[koobs@FreeBSD.org,koobsfreebsd@gmail.com]; SUBJECT_ENDS_QUESTION(1.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; FROM_NEQ_ENVFROM(0.00)[koobs@FreeBSD.org,koobsfreebsd@gmail.com]; MID_RHS_MATCH_FROM(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; TAGGED_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[FreeBSD.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[c.2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; IP_SCORE(-2.54)[ip: (-8.84), ipnet: 2607:f8b0::/32(-2.03), asn: 15169(-1.78), country: US(-0.05)]; RCVD_TLS_ALL(0.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: 
"Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jan 2020 02:53:10 -0000

On 29/01/2020 7:51 am, Royce Williams wrote:
> Is the @freebsdsecurity Twitter handle managed by the security team? (If
> so, looks like it's been fallow since 2016?)
>
> If not, is there an equivalent Twitter account that is official?
>

Hi Royce,

I run @FreeBSDHelp, tweet about FreeBSD security related issues and SA's / EN's when announced, and am not aware of an official security-oriented presence on Twitter.

I've reached out to @FreeBSDSecurity on twitter to see if I can get access to the account to facilitate that.

Note: Other official accounts are @freebsd_portmgr and @freebsdcore

I registered @FreeBSDSecteam for potential official tweets by secteam & ports-secteams, but haven't put it to use yet. I'll see if I can't get something started

./koobs

From owner-freebsd-security@freebsd.org Wed Jan 29 09:42:18 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7AF5E1D1612 for ; Wed, 29 Jan 2020 09:42:18 +0000 (UTC) (envelope-from SRS0=9U43=3S=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 486z6K3pwDz4N4h; Wed, 29 Jan 2020 09:42:17 +0000 (UTC) (envelope-from SRS0=9U43=3S=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 4EDF02842F; Wed, 29 Jan 2020 10:42:14 +0100 (CET) Received: from illbsd.quip.test (ip-62-24-92-232.net.upcbroadband.cz [62.24.92.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by
elsa.codelab.cz (Postfix) with ESMTPSA id 0F7082842E; Wed, 29 Jan 2020 10:42:13 +0100 (CET) Subject: Re: @freebsdsecurity Twitter handle? To: koobs@FreeBSD.org, Royce Williams , freebsd-security@freebsd.org References: <17390aa6-cf0a-6719-f573-9aca6df8a133@FreeBSD.org> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: <10370c52-5446-ae64-6d08-572abf76957d@quip.cz> Date: Wed, 29 Jan 2020 10:42:13 +0100 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 MIME-Version: 1.0 In-Reply-To: <17390aa6-cf0a-6719-f573-9aca6df8a133@FreeBSD.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 486z6K3pwDz4N4h X-Spamd-Bar: +++++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of SRS0=9U43=3S=quip.cz=000.fbsd@elsa.codelab.cz has no SPF policy when checking 94.124.105.4) smtp.mailfrom=SRS0=9U43=3S=quip.cz=000.fbsd@elsa.codelab.cz X-Spamd-Result: default: False [5.06 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[]; IP_SCORE(0.86)[ip: (0.35), ipnet: 94.124.104.0/21(0.17), asn: 42000(3.70), country: CZ(0.09)]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[quip.cz]; AUTH_NA(1.00)[]; NEURAL_SPAM_MEDIUM(1.00)[0.999,0]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_SPAM_LONG(1.00)[1.000,0]; RCVD_IN_DNSWL_NONE(0.00)[4.105.124.94.list.dnswl.org : 127.0.10.0]; R_SPF_NA(0.00)[]; FORGED_SENDER(0.30)[000.fbsd@quip.cz,SRS0=9U43=3S=quip.cz=000.fbsd@elsa.codelab.cz]; MIME_TRACE(0.00)[0:+]; R_DKIM_NA(0.00)[]; ASN(0.00)[asn:42000, ipnet:94.124.104.0/21, country:CZ]; SUBJECT_ENDS_QUESTION(1.00)[]; FROM_NEQ_ENVFROM(0.00)[000.fbsd@quip.cz, SRS0=9U43=3S=quip.cz=000.fbsd@elsa.codelab.cz] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues 
\[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jan 2020 09:42:18 -0000

Kubilay Kocak wrote on 2020/01/29 03:53:
> On 29/01/2020 7:51 am, Royce Williams wrote:
>> Is the @freebsdsecurity Twitter handle managed by the security team? (If
>> so, looks like it's been fallow since 2016?)
>>
>> If not, is there an equivalent Twitter account that is official?
>>
>
> Hi Royce,
>
> I run @FreeBSDHelp, tweet about FreeBSD security related issues and SA's
> / EN's when announced, and am not aware of an official security-oriented
> presence on Twitter.
>
> I've reached out to @FreeBSDSecurity on twitter to see if I can access
> to the account to facilitate that.
>
> Note: Other official accounts are @freebsd_portmgr and @freebsdcore
>
> I registered @FreeBSDSecteam for potential official tweets by secteam &
> ports-secteams, but haven't put it to use yet. I'll see if I can't get
> something started

It is always good to have more channels for Security Advisories.
Can somebody convince FreeBSD Security Office to publish Advisories in vuln.xml at the same time as on the website? It is FreeBSD's own tool to handle vulnerabilities but they are not there.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243702 Kind regards Miroslav Lachman From owner-freebsd-security@freebsd.org Wed Jan 29 10:58:56 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 562161D40B8 for ; Wed, 29 Jan 2020 10:58:56 +0000 (UTC) (envelope-from koobs.freebsd@gmail.com) Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4870pl0sGCz4SDD; Wed, 29 Jan 2020 10:58:54 +0000 (UTC) (envelope-from koobs.freebsd@gmail.com) Received: by mail-pf1-x433.google.com with SMTP id n7so8230079pfn.0; Wed, 29 Jan 2020 02:58:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:reply-to:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=3HOHnCWxUOs6nxo/mYrWtsp78zCOKH4TlHzQgxFHZ1k=; b=jd/s4YoB0ONnWLVf+w/VuhHnvmWo8A5SF8pvlC/NKxUpxV+Uz2TS4Sd+tKK7NeGb29 ANO8fpLeeWswW79FRcmAScCqI2gLJIrskutcivAga7i2x/elP4DEMJ+pwuLmaqRgaO7+ TGRQzNjQAZ1ZHHuFnjMaV0usX32Tx0JTl8SgEdKpjbjM7uicSmpSemXgULLIlrb18TQQ ugm2E/BJzvS5rYZLvfkyxiSOetBWVI7UveB7679vcRTVWOKkVHMSYYaf5cZC/N0GJtEU 4llfvCYF3t0iyoq+/O/4gcht+1etyaMnw0c+3ky46WmOy1+EJvB7r1kjqtpCjC1oczwn tlHw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:reply-to:subject:to:references:cc:from :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=3HOHnCWxUOs6nxo/mYrWtsp78zCOKH4TlHzQgxFHZ1k=; 
b=jBV+8ilGltyuUBJbB7wCObgbbABSzxlosMgX0uLul6v8qL2xgJg6gH9T79FWRxE9nO Oh8Iehjx0k8bN1p2tFF8+1OKUrblBe7GvpFmCE8o4h3NtAJlQrTBK88e79l9vsduiCrg E2UfoF5VCex59xk5rDq4fE5otTR5sUdcisEWxcZ3/NlbjRsoFfOEGn9YmyTRqhI3M9/4 YmlFSFG3Jf86A01qw7lzdL+8Sqrv3aTguYziJ5IWop3/okKfxONUqPozwwyC4hxRRNM+ HF8TDDdTwuvmi8/7Fr3qR+4CJLrXyoILKVeiu/LCsFTbLRIiqgSCv3yKRyc1UearXdiU jTVA== X-Gm-Message-State: APjAAAUuzYvtUoHDkpb3N5mZYDTcNGzX/FzcC1vv7CfP/wX5PRnpR3gg nrNsqvwrdFn95LqRrCSLG5JDrPTS X-Google-Smtp-Source: APXvYqw3m2mZvKY6YsK5gww/Bn/zT6RJ+MQcHF6ipXSgwXKPU0b71xBBIorSRVz8b3nqm3ya+dp8pw== X-Received: by 2002:a62:4e05:: with SMTP id c5mr7320064pfb.258.1580295533430; Wed, 29 Jan 2020 02:58:53 -0800 (PST) Received: from [192.168.1.110] (180-150-68-130.b49644.syd.nbn.aussiebb.net. [180.150.68.130]) by smtp.gmail.com with ESMTPSA id y197sm2333033pfc.79.2020.01.29.02.58.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 29 Jan 2020 02:58:52 -0800 (PST) Sender: Kubilay Kocak Reply-To: koobs@FreeBSD.org Subject: Re: @freebsdsecurity Twitter handle? 
To: Miroslav Lachman <000.fbsd@quip.cz>, Royce Williams , freebsd-security@freebsd.org References: <17390aa6-cf0a-6719-f573-9aca6df8a133@FreeBSD.org> <10370c52-5446-ae64-6d08-572abf76957d@quip.cz> Cc: "secteam@freebsd.org" From: Kubilay Kocak Message-ID: <731c6baa-d3e4-89ee-aa77-5aa6e31cdcec@FreeBSD.org> Date: Wed, 29 Jan 2020 21:58:49 +1100 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Thunderbird/73.0 MIME-Version: 1.0 In-Reply-To: <10370c52-5446-ae64-6d08-572abf76957d@quip.cz> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 4870pl0sGCz4SDD X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=jd/s4YoB; dmarc=none; spf=pass (mx1.freebsd.org: domain of koobsfreebsd@gmail.com designates 2607:f8b0:4864:20::433 as permitted sender) smtp.mailfrom=koobsfreebsd@gmail.com X-Spamd-Result: default: False [-3.72 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; HAS_REPLYTO(0.00)[koobs@FreeBSD.org]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; REPLYTO_ADDR_EQ_FROM(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[gmail.com:+]; FORGED_SENDER(0.30)[koobs@FreeBSD.org,koobsfreebsd@gmail.com]; SUBJECT_ENDS_QUESTION(1.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; FROM_NEQ_ENVFROM(0.00)[koobs@FreeBSD.org,koobsfreebsd@gmail.com]; MID_RHS_MATCH_FROM(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-0.996,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; TAGGED_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[FreeBSD.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[3.3.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; IP_SCORE(-2.52)[ip: (-8.74), ipnet: 
2607:f8b0::/32(-2.03), asn: 15169(-1.78), country: US(-0.05)]; RCVD_TLS_ALL(0.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jan 2020 10:58:56 -0000

On 29/01/2020 8:42 pm, Miroslav Lachman wrote:
> Kubilay Kocak wrote on 2020/01/29 03:53:
>> On 29/01/2020 7:51 am, Royce Williams wrote:
>>> Is the @freebsdsecurity Twitter handle managed by the security team? (If
>>> so, looks like it's been fallow since 2016?)
>>>
>>> If not, is there an equivalent Twitter account that is official?
>>>
>>
>> Hi Royce,
>>
>> I run @FreeBSDHelp, tweet about FreeBSD security related issues and
>> SA's / EN's when announced, and am not aware of an official
>> security-oriented presence on Twitter.
>>
>> I've reached out to @FreeBSDSecurity on twitter to see if I can access
>> to the account to facilitate that.
>>
>> Note: Other official accounts are @freebsd_portmgr and @freebsdcore
>>
>> I registered @FreeBSDSecteam for potential official tweets by secteam
>> & ports-secteams, but haven't put it to use yet. I'll see if I can't
>> get something started
>
> It is always good to have more channels for Security Advisories.
> Can somebody convince FreeBSD Security Office to publish Advisories in
> vuln.xml at the same as on the website? It is FreeBSD's own tool to
> handle vulnerabilities but they are not there.
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243702

This (making sure SA's were added) was brought up in the recent past so I imagine today's SA's are/were either planned, or already in flight to land in the VuXML list.
Thank you for creating the issue, it's been assigned to secteam cc ports-secteam

> Kind regards
> Miroslav Lachman

From owner-freebsd-security@freebsd.org Thu Jan 30 12:52:28 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 53F5F23849E for ; Thu, 30 Jan 2020 12:52:28 +0000 (UTC) (envelope-from ndorf@rtfm.net) Received: from iad1-shared-relay2.dreamhost.com (iad1-shared-relay2.dreamhost.com [208.113.157.41]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 487gHH38mHz44f2; Thu, 30 Jan 2020 12:52:27 +0000 (UTC) (envelope-from ndorf@rtfm.net) Received: from iad1-shared-relay1.dreamhost.com (iad1-shared-relay1.dreamhost.com [208.113.157.50]) by iad1-shared-relay2.dreamhost.com (Postfix) with ESMTP id 87B5A4E5C16; Wed, 29 Jan 2020 16:54:46 -0800 (PST) Received: from cloudburst.dreamhost.com (cloudburst.dreamhost.com [66.33.212.129]) by iad1-shared-relay1.dreamhost.com (Postfix) with ESMTP id A520DB40086; Wed, 29 Jan 2020 16:50:07 -0800 (PST) Received: by cloudburst.dreamhost.com (Postfix, from userid 10401829) id 52ED3187C; Wed, 29 Jan 2020 16:50:07 -0800 (PST) Date: Thu, 30 Jan 2020 00:50:06 +0000 From: Nathan Dorfman To: Glen Barber Cc: freebsd-security@freebsd.org Subject: Re: Cryptographic signatures of installer sets Message-ID: <20200130005006.GA13@e398a4ce8009> References: <20200125200007.GA11@rtfm.net> <20200127164201.GB9584@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200127164201.GB9584@FreeBSD.org> X-Rspamd-Queue-Id: 487gHH38mHz44f2 X-Spamd-Bar: ++++++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=fail (mx1.freebsd.org: domain of ndorf@rtfm.net does not designate 208.113.157.41 as permitted sender)
smtp.mailfrom=ndorf@rtfm.net X-Spamd-Result: default: False [6.10 / 15.00]; ARC_NA(0.00)[]; R_SPF_FAIL(1.00)[-all]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[rtfm.net]; NEURAL_SPAM_MEDIUM(0.90)[0.905,0]; RCVD_COUNT_THREE(0.00)[3]; RBL_SENDERSCORE(2.00)[41.157.113.208.bl.score.senderscore.com]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[41.157.113.208.list.dnswl.org : 127.0.5.0]; NEURAL_SPAM_LONG(1.00)[0.998,0]; IP_SCORE(0.80)[ip: (1.79), ipnet: 208.113.128.0/17(1.38), asn: 26347(0.89), country: US(-0.05)]; RWL_MAILSPIKE_POSSIBLE(0.00)[41.157.113.208.rep.mailspike.net : 127.0.0.17]; R_DKIM_NA(0.00)[]; MID_RHS_NOT_FQDN(0.50)[]; ASN(0.00)[asn:26347, ipnet:208.113.128.0/17, country:US]; MIME_TRACE(0.00)[0:+]; GREYLIST(0.00)[pass,body]; FROM_EQ_ENVFROM(0.00)[] X-Spam: Yes X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jan 2020 12:52:28 -0000

On Mon, Jan 27, 2020 at 04:42:01PM +0000, Glen Barber wrote:
> No, this last part is not true. The installer always verifies the
> checksums against /usr/freebsd-dist/MANIFEST on the installation medium.
>
> In particular, this was done in r293223, where the LOCAL_DISTRIBUTIONS
> variable explicitly contains the MANIFEST.

Thank you, Glen. You're correct of course; the installer uses its embedded MANIFEST and doesn't even fetch it from the mirror... during system installation, at least.

However, the first time a jail is set up, using the `bsdinstall jail` command, it does in fact fetch and trust the mirror's MANIFEST. I just tested this with a freshly installed 12.1-RELEASE system and a local mirror with a modified base.txz and manifest. It installs the modified files into the new jail without any complaint.
Simply, after a clean installation /usr/freebsd-dist doesn't exist on the new system, so the jail script creates it and downloads the MANIFEST from the mirror. See lines 60-70, here:

https://svnweb.freebsd.org/base/release/12.1.0/usr.sbin/bsdinstall/scripts/jail?view=markup#l60

After the first jail, this downloaded manifest and package(s) are saved in /usr/freebsd-dist. So you are only at risk the first time, and there will be some evidence of the tampering. Still, I hope you'll agree that this should be fixed. The installer already has a trusted manifest as you point out, why not simply install that one into the target system's /usr/freebsd-dist at setup time?

-nd.

From owner-freebsd-security@freebsd.org Thu Jan 30 13:22:42 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 255F0239A56 for ; Thu, 30 Jan 2020 13:22:42 +0000 (UTC) (envelope-from gjb@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 487gy971v6z46vC; Thu, 30 Jan 2020 13:22:41 +0000 (UTC) (envelope-from gjb@freebsd.org) Received: from FreeBSD.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by freefall.freebsd.org (Postfix) with ESMTPS id 923E31A668; Thu, 30 Jan 2020 13:22:41 +0000 (UTC) (envelope-from gjb@freebsd.org) Date: Thu, 30 Jan 2020 13:22:39 +0000 From: Glen Barber To: Nathan Dorfman Cc: freebsd-security@freebsd.org Subject: Re: Cryptographic signatures of installer sets Message-ID:
<20200130132239.GG9584@FreeBSD.org> References: <20200125200007.GA11@rtfm.net> <20200127164201.GB9584@FreeBSD.org> <20200130005006.GA13@e398a4ce8009> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="Xzd0sUmZITcBHKTf" Content-Disposition: inline In-Reply-To: <20200130005006.GA13@e398a4ce8009> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jan 2020 13:22:42 -0000 --Xzd0sUmZITcBHKTf Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

Hi Nathan,

On Thu, Jan 30, 2020 at 12:50:06AM +0000, Nathan Dorfman wrote:
> On Mon, Jan 27, 2020 at 04:42:01PM +0000, Glen Barber wrote:
> > No, this last part is not true. The installer always verifies the
> > checksums against /usr/freebsd-dist/MANIFEST on the installation medium.
> >
> > In particular, this was done in r293223, where the LOCAL_DISTRIBUTIONS
> > variable explicitly contains the MANIFEST.
>
> Thank you, Glen. You're correct of course; the installer uses its
> embedded MANIFEST and doesn't even fetch it from the mirror... during
> system installation, at least.
>
> However, the first time a jail is set up, using the `bsdinstall jail`
> command, it does in fact fetch and trust the mirror's MANIFEST. I just
> tested this with a freshly installed 12.1-RELEASE system and a local
> mirror with a modified base.txz and manifest. It installs the modified
> files into the new jail without any complaint.
>
> Simply, after a clean installation /usr/freebsd-dist doesn't exist on
> the new system, so the jail script creates it and downloads the MANIFEST
> from the mirror.
> See lines 60-70, here:
>
> https://svnweb.freebsd.org/base/release/12.1.0/usr.sbin/bsdinstall/scripts/jail?view=markup#l60
>
> After the first jail, this downloaded manifest and package(s) are saved
> in /usr/freebsd-dist. So you are only at risk the first time, and there
> will be some evidence of the tampering. Still, I hope you'll agree that
> this should be fixed. The installer already has a trusted manifest as
> you point out, why not simply install that one into the target system's
> /usr/freebsd-dist at setup time?
>

I honestly wasn't aware there was a jail subcommand to bsdinstall.

I think, rather than creating /usr/freebsd-dist on the host system, we should instead check if the misc/freebsd-release-manifests package is installed and bail if it is not. This package contains the MANIFEST files from past releases (and in-progress releases, including BETA and RC builds).

Does that seem like a reasonable solution?

Glen

--Xzd0sUmZITcBHKTf Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEjRJAPC5sqwhs9k2jAxRYpUeP4pMFAl4y2JoACgkQAxRYpUeP
4pNgIw/+L0cnf3PJEak7dm8nXqp8F8em/cNDnTCSoXGqHP14esvjn3w45pOsw0f8
bgBEKauvzRGZ/rurUINUEHtkjCml4VGkXHybbD+Qihg/ZQbyzaioQFAIjGaiO7Sn
++AQjvjsdiecR6cbsRhH7PqqlfvGlAtwWTN9afjuSZzUzy5rFT5rL7+/RKPVN8+w
ugVyL4KwzkdJIABqw+F5pF+K96c42GPTOnMeTtveLkHH+h1tK+6zaVn/8P2XvBUB
X9ejv3CbvsyUU84c2+eBsy7xD96Yyv5oFhnPPwtZ19mBu65CbH5jgtz4Owl6KBHK
L//2JFw93SZQ768BK+Bm0lToaKsk0DP9OWQz9k54TeOL6DN1ZQ/PzJoxx5Mi3XQR
B8+pS8//9ex6RTSX8GrMyl05S+0rfLNODM/Zu1k8D8dai0J3V2hVS4r3brn0g/ZF
Uwjx4oDcI9ez15Ft/e4tFHu3Omw8gKtjmTtbBWNC4g/qg0MVC2vnx7DWE1BCf5iF
fZ+Svt1XENIxDuBDFn0aLzNXNg3lwuGP6KIhbbtKxDNTAdxnvrkCvEzctkOcYStc
wWfmzH4ReXSBZmibZ37pmLMJIPw6IGo72asE9cYDHV2VIHoakc8Du01+vUZ1josk
mWGAxHSAHRqc0Yu98gxZqMPIkSdqUpbSRDkc0b2U5i5aY1FSFdY=
=5WnG
-----END PGP SIGNATURE-----

--Xzd0sUmZITcBHKTf--

From owner-freebsd-security@freebsd.org Sun Jan 26 07:37:04 2020 Return-Path: Delivered-To:
freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C7620233116 for ; Sun, 26 Jan 2020 07:37:04 +0000 (UTC) (envelope-from ndorf@rtfm.net) Received: from iad1-shared-relay2.dreamhost.com (iad1-shared-relay2.dreamhost.com [208.113.157.41]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4854TC5k30z4gDC for ; Sun, 26 Jan 2020 07:37:03 +0000 (UTC) (envelope-from ndorf@rtfm.net) Received: from iad1-shared-relay1.dreamhost.com (iad1-shared-relay1.dreamhost.com [208.113.157.50]) by iad1-shared-relay2.dreamhost.com (Postfix) with ESMTP id 6FB9246DD43 for ; Sat, 25 Jan 2020 11:38:18 -0800 (PST) Received: from cloudburst.dreamhost.com (cloudburst.dreamhost.com [66.33.212.129]) by iad1-shared-relay1.dreamhost.com (Postfix) with ESMTP id E3390B40066 for ; Sat, 25 Jan 2020 11:33:56 -0800 (PST) Received: by cloudburst.dreamhost.com (Postfix, from userid 10401829) id BF00F86E; Sat, 25 Jan 2020 11:33:56 -0800 (PST) Date: Sat, 25 Jan 2020 19:33:55 +0000 From: Nathan Dorfman To: freebsd-security@freebsd.org Subject: Cryptographic signatures of installer sets Message-ID: <20200125193355.GA7@rtfm.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Rspamd-Queue-Id: 4854TC5k30z4gDC X-Spamd-Bar: +++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=fail (mx1.freebsd.org: domain of ndorf@rtfm.net does not designate 208.113.157.41 as permitted sender) smtp.mailfrom=ndorf@rtfm.net X-Spamd-Result: default: False [3.94 / 15.00]; ARC_NA(0.00)[]; R_SPF_FAIL(1.00)[-all]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; NEURAL_SPAM_MEDIUM(0.41)[0.413,0]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_THREE(0.00)[3]; 
RCVD_TLS_LAST(0.00)[]; NEURAL_SPAM_LONG(0.09)[0.092,0]; RCVD_IN_DNSWL_NONE(0.00)[41.157.113.208.list.dnswl.org : 127.0.5.0]; RBL_SENDERSCORE(2.00)[41.157.113.208.bl.score.senderscore.com]; DMARC_NA(0.00)[rtfm.net]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:26347, ipnet:208.113.128.0/17, country:US]; MID_RHS_MATCH_FROM(0.00)[]; IP_SCORE(0.54)[ip: (1.92), asn: 26347(0.83), country: US(-0.05)] X-Mailman-Approved-At: Sat, 01 Feb 2020 22:42:56 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 26 Jan 2020 07:37:04 -0000

Hello all,

I really hope I'm missing something here, and we can all have a nice chuckle at my expense.

But I can't see any way the integrity of the installer sets (base.txz, kernel.txz and friends) can be verified cryptographically? There is a MANIFEST file containing SHA256 checksums, but it itself does not appear to be signed in any way.

The installer images do come with PGP-signed checksums. So, when using an image that already contains all the sets, one can be sure they are authentic. What happens when one uses a network-only installer, though? How can it authenticate the sets it downloads from the user's chosen mirror?

A cursory glance at src/usr.sbin/bsdinstall suggests that it does not, in fact, do that. Checksums are compared against the MANIFEST (in scripts/checksum), but that is itself simply downloaded from the same mirror (in scripts/jail), usually over plain FTP, without any authentication.

Thanks,
-nd.
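The verification chain this message and the thread above describe, as an added example written for this page (it is not bsdinstall's own code, nor the scripts/checksum logic): a verify_dist function that checks a distribution set against its MANIFEST entry, run once against a MANIFEST served by the same mirror as the set and once against a MANIFEST taken from a trusted source (the installation medium's /usr/freebsd-dist). The MANIFEST line layout assumed here (file name, SHA-256, file count, short name, quoted description, default selection, tab-separated) follows the release MANIFEST files; the two sets and both manifests are constructed inline for the demonstration, and the function names are this example's own.

```sh
#!/bin/sh
# Added example for this page, not bsdinstall's own code.  Shows that a
# MANIFEST fetched from the same mirror as the sets cannot authenticate
# them, while a MANIFEST from a trusted source (install medium) can.
set -u

# Portable SHA-256 of a file: sha256(1) on FreeBSD, sha256sum on Linux.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Emit one MANIFEST line for FILE (assumed layout: name, sha256, file
# count, short name, "description", default selection; tab-separated).
manifest_line() {
    file=$1; shortname=$2; desc=$3
    printf '%s\t%s\t%s\t%s\t"%s"\ton\n' \
        "$(basename "$file")" "$(sha256_of "$file")" 1 "$shortname" "$desc"
}

# verify_dist MANIFEST FILE: 0 if FILE's hash matches its MANIFEST entry,
# 1 on mismatch, 2 if MANIFEST has no entry for it.
verify_dist() {
    manifest=$1; file=$2
    expected=$(awk -F'\t' -v f="$(basename "$file")" \
        '$1 == f { print $2; exit }' "$manifest")
    [ -n "$expected" ] || return 2
    [ "$expected" = "$(sha256_of "$file")" ]
}

# Demonstration on constructed data: the medium carries the genuine set and
# its MANIFEST; a compromised mirror serves a modified base.txz together
# with a MANIFEST rewritten to match it.  Prints the outcome of each check.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/medium" "$work/mirror"

    printf 'genuine base set\n' > "$work/medium/base.txz"
    manifest_line "$work/medium/base.txz" base "Base system" > "$work/medium/MANIFEST"

    printf 'backdoored base set\n' > "$work/mirror/base.txz"
    manifest_line "$work/mirror/base.txz" base "Base system" > "$work/mirror/MANIFEST"

    # Check the mirror's set against the mirror's own MANIFEST (what the
    # jail script does when /usr/freebsd-dist is empty) ...
    verify_dist "$work/mirror/MANIFEST" "$work/mirror/base.txz" \
        && r_mirror=pass || r_mirror=fail
    # ... and against the MANIFEST shipped on the installation medium.
    verify_dist "$work/medium/MANIFEST" "$work/mirror/base.txz" \
        && r_medium=pass || r_medium=fail

    rm -rf "$work"
    echo "mirror-manifest:$r_mirror trusted-manifest:$r_medium"
}

demo
```

The mirror's own MANIFEST validates the tampered set, which is the point of the thread: a checksum list fetched over the same unauthenticated channel as the data detects corruption, not substitution. The check only carries weight when the MANIFEST comes from the installation medium's /usr/freebsd-dist or, as Glen suggests in his reply, from the misc/freebsd-release-manifests package, and a fresh system has neither until someone puts it there.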