From owner-freebsd-security@FreeBSD.ORG Fri Dec 26 21:41:24 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 90AAEF82 for ; Fri, 26 Dec 2014 21:41:24 +0000 (UTC) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 525A367626 for ; Fri, 26 Dec 2014 21:41:23 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id A0F2E9F0E; Fri, 26 Dec 2014 21:41:12 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id E9F8252DE; Fri, 26 Dec 2014 22:41:05 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Roger Marquis Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp References: <20141223233310.098C54BB6@nine.des.no> <86h9wln9nw.fsf@nine.des.no> <549A5492.6000503@grosbein.net> <868uhx43i5.fsf@nine.des.no> <20141226200838.DE83DACE@hub.freebsd.org> Date: Fri, 26 Dec 2014 22:41:05 +0100 In-Reply-To: <20141226200838.DE83DACE@hub.freebsd.org> (Roger Marquis's message of "Fri, 26 Dec 2014 12:08:29 -0800 (PST)") Message-ID: <8661cy9jim.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Dec 2014 21:41:24 -0000 Roger Marquis writes: > This is most unfortunate as it creates a high bar for base security > patches at many FreeBSD shops. Sites with a significant number of > production hosts, jails and/or filesystem fingerprinting (integrit, > tripwire) or those with constrained resources are never going to be able > to make/build/installworld for something as simple as a single binary > update. These sites would be better served using freebsd-update to download and apply binary patches. Since freebsd-update is based entirely on http and on package signatures rather than server certificates, you can easily set up a proxy for systems which do not have direct Internet access. If your network is air-gapped, you can set up a few VMs with different FreeBSD versions in a DMZ to run freebsd-update through a proxy, then manually copy the contents of the proxy's cache to an http server in your secure network. > I assume the root cause is insufficient resources within the freebsd > security team. If that's the case would there be a budget estimate > associated with addressing this security advicory situation? I would suggest discussing this with the FreeBSD Foundation. They have already taken an interest in the matter. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no