Date: Fri, 5 Jul 2019 12:22:43 -0500
From: "J. Hellenthal" <jhellenthal@dataix.net>
To: Walter Cramer <wfc@mintsol.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Minor Security Issue - DNS, /etc/hosts, freebsd-update, pkg
Message-ID: <20190705172243.D0A7B4C710E0@DataIX.net>
In-Reply-To: <20190704093847.U44480@mulder.mintsol.com>
References: <20190703004928.525251A7DC@freefall.freebsd.org> <20190704093847.U44480@mulder.mintsol.com>
And what revision, besides an administrator's local modifications, suggests that those were ever a part of the source tree? For reference ...

https://svnweb.freebsd.org/base/stable/11/etc/hosts?view=log

Quite frankly the FreeBSD source committers are much more knowledgeable than your insight suggests... Facts plz ...

On Thu, Jul 04, 2019 at 10:18:16AM -0400, Walter Cramer wrote:
> Suspected severity: Low. Systems with inattentive administrators may not
> receive the latest updates, and no obvious error messages will point out the
> problem.
>
> Situation discovered in: A few older 11.2-RELEASE FreeBSD systems, with
> /etc/hosts entries like this:
>
> 96.47.72.72 ftp.freebsd.org
> 96.47.72.71 pkg.freebsd.org
>
> (Those are now obsolete. Originally, they were added to simplify firewall
> rules and rule-loading, and as a DNS hijack defense.)
>
> Resulting problem: `freebsd-update fetch` sometimes "sees" the latest
> (11.2-RELEASE-p11) version of 11.2. Other times, it "sees" the older
> 11.2-RELEASE-p10. So, if a sysadmin relied on `freebsd-update` to tell him
> when systems needed updating, he could be unaware of un-patched, vulnerable
> systems.
>
> NOT verified: Whether the obsolete /etc/hosts entry for pkg.freebsd.org
> actually causes any problems. (Or if `pkg` is aware of the problem, and
> silently doing all the right things.)
>
> Suggested Fixes...
> - Have `freebsd-update`, `pkg`, and similar utilities double-check for DNS
> information that is obsolete or conflicting, and warn the user.
> - Have any obsolete - but still-active - pkg or update servers advertise
> their obsolete status, and `freebsd-update` and `pkg` notice that, and warn
> the user.
-- 
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
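The cross-check Walter's first suggested fix describes, as an added example that is not part of this thread and not code from freebsd-update or pkg: parse an /etc/hosts file, look up each pinned hostname in DNS, and warn when the pinned address is no longer among the addresses DNS publishes. The hosts text below is constructed from the entries in the report; the resolver is a pluggable callable so the check can run against a live resolver on a real system or against a constructed mapping offline. The 203.0.113.x addresses and the LOCAL_NAMES set are assumptions made for the example.

```python
"""Audit /etc/hosts for pinned entries that no longer agree with DNS.

Added example, not part of the original thread or of freebsd-update/pkg.
Assumptions: a hosts file in the standard "address hostname [aliases]"
format, and a resolver callable returning the set of addresses DNS
currently publishes for a name (the default uses socket.getaddrinfo;
an offline run can inject a constructed mapping instead).
"""
import socket
from typing import Callable, Dict, List, Set

# Constructed sample modelled on the entries in the report (not a real file).
SAMPLE_HOSTS = """\
::1            localhost localhost.my.domain
127.0.0.1      localhost localhost.my.domain
# pinned mirror addresses added for firewall rules
96.47.72.72    ftp.freebsd.org
96.47.72.71    pkg.freebsd.org
"""

# Names that are always local and need no DNS cross-check (assumed list).
LOCAL_NAMES = {"localhost", "localhost.my.domain"}


def parse_hosts(text: str) -> Dict[str, Set[str]]:
    """Return {hostname: {addresses}} from hosts-file text, ignoring comments."""
    entries: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            entries.setdefault(name, set()).add(addr)
    return entries


def dns_resolver(name: str) -> Set[str]:
    """Live resolver: every A/AAAA address the system resolver returns for name."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    # sockaddr is (addr, port) for IPv4 and (addr, port, flow, scope) for IPv6
    return {info[4][0] for info in infos}


def find_conflicts(hosts_text: str, resolve: Callable[[str], Set[str]]) -> List[str]:
    """Return one warning line per pinned name whose address DNS no longer publishes.

    An empty list means /etc/hosts and DNS agree for every non-local name.
    """
    warnings: List[str] = []
    for name, pinned in sorted(parse_hosts(hosts_text).items()):
        if name in LOCAL_NAMES:
            continue
        live = resolve(name)
        if not live:
            warnings.append(f"{name}: pinned to {sorted(pinned)} but DNS returns no answer")
            continue
        stale = pinned - live
        if stale:
            warnings.append(
                f"{name}: /etc/hosts pins {sorted(stale)} but DNS currently "
                f"publishes {sorted(live)}; updates may be fetched from a stale mirror"
            )
    return warnings


if __name__ == "__main__":
    # Real run: compare the live hosts file against the system resolver.
    with open("/etc/hosts") as fh:
        for warning in find_conflicts(fh.read(), dns_resolver):
            print("WARNING:", warning)
```

Run as a script it audits the local /etc/hosts against the system resolver; a pinned address that still appears in the DNS answer set produces no warning, so a deliberately pinned mirror that is still current is left alone, while an entry like the ftp.freebsd.org line in the report is flagged as soon as the mirror's published address changes. A name that DNS cannot resolve at all is reported separately, since that is the case where a stale pin would otherwise go unnoticed for longest.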