From: "J. Hellenthal" <jhellenthal@DataIX.net>
Date: Fri, 5 Jul 2019 12:22:43 -0500
To: Walter Cramer
Cc: freebsd-security@freebsd.org
Subject: Re: Minor Security Issue - DNS, /etc/hosts, freebsd-update, pkg
In-Reply-To: <20190704093847.U44480@mulder.mintsol.com>
References: <20190703004928.525251A7DC@freefall.freebsd.org> <20190704093847.U44480@mulder.mintsol.com>
Message-Id: <20190705172243.D0A7B4C710E0@DataIX.net>
List-Id: "Security issues [members-only posting]"

And in what revision, besides an administrator's local modifications, does anything suggest that those were ever a part of the source tree?

For reference ...

https://svnweb.freebsd.org/base/stable/11/etc/hosts?view=log

Quite frankly, the FreeBSD source committers are much more knowledgeable than your insight suggests...

Facts plz ...

On Thu, Jul 04, 2019 at 10:18:16AM -0400, Walter Cramer wrote:
> Suspected severity: Low. Systems with inattentive administrators may not
> receive the latest updates, and no obvious error messages will point out the
> problem.
>
> Situation discovered in: A few older 11.2-RELEASE FreeBSD systems, with
> /etc/hosts entries like this:
>
> 96.47.72.72 ftp.freebsd.org
> 96.47.72.71 pkg.freebsd.org
>
> (Those are now obsolete. Originally, they were added to simplify firewall
> rules and rule-loading, and as a DNS hijack defense.)
>
> Resulting problem: `freebsd-update fetch` sometimes "sees" the latest
> (11.2-RELEASE-p11) version of 11.2. Other times, it "sees" the older
> 11.2-RELEASE-p10. So, if a sysadmin relied on `freebsd-update` to tell him
> when systems needed updating, he could be unaware of un-patched, vulnerable
> systems.
>
> NOT verified: Whether the obsolete /etc/hosts entry for pkg.freebsd.org
> actually causes any problems. (Or if `pkg` is aware of the problem, and
> silently doing all the right things.)
>
> Suggested Fixes...
> - Have `freebsd-update`, `pkg`, and similar utilities double-check for DNS
> information that is obsolete or conflicting, and warn the user.
> - Have any obsolete - but still-active - pkg or update servers advertise
> their obsolete status, and `freebsd-update` and `pkg` notice that, and warn
> the user.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
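The first "suggested fix" in the quoted report, a check for /etc/hosts entries that pin a mirror hostname to an address DNS no longer returns, can be done by an administrator without waiting on freebsd-update or pkg. The script below is an added example written for this page; it is not code from either poster, from freebsd-update, or from pkg. It parses the hosts file the way the resolver does (first field address, remaining fields names, `#` comments), asks DNS directly for the same names, and reports any pinned address that is absent from the live answer. Because getaddrinfo(3) consults /etc/hosts first, the live lookup must bypass nsswitch; the default resolver shells out to drill(1) from FreeBSD base and assumes that `drill -Q` prints one answer RDATA per line (an assumption about its output format, not something the thread states). The sample hosts content is constructed from the two entries quoted above, and the constructed DNS answers in the usage note use documentation addresses (203.0.113.0/24), not real FreeBSD mirrors.

```python
"""Warn about /etc/hosts pins whose addresses DNS no longer returns.

Added example for the freebsd-security thread on stale ftp/pkg pins.
Not part of freebsd-update(8) or pkg(8).
"""
from __future__ import annotations

import ipaddress
import subprocess
from typing import Callable

# Constructed sample modelled on the entries quoted in the thread.
SAMPLE_HOSTS = """\
# /etc/hosts -- constructed sample, not a real system's file
::1         localhost localhost.my.domain
127.0.0.1   localhost localhost.my.domain
96.47.72.72 ftp.freebsd.org      # added years ago for firewall rules
96.47.72.71 PKG.FreeBSD.org
"""

# Names the quoted report pinned; callers may pass their own list.
DEFAULT_NAMES = ("ftp.freebsd.org", "pkg.freebsd.org")

Resolver = Callable[[str], set[str]]


def parse_hosts(text: str) -> dict[str, set[str]]:
    """Map each hostname (lower-cased, no trailing dot) to the addresses
    /etc/hosts assigns it. Comments and malformed address fields are skipped."""
    pins: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            addr = str(ipaddress.ip_address(addr))  # normalise ::1 vs 0:0:...:1
        except ValueError:
            continue  # not an address field; ignore the line
        for name in names:
            pins.setdefault(name.lower().rstrip("."), set()).add(addr)
    return pins


def resolve_with_drill(name: str) -> set[str]:
    """Query DNS directly with drill(1), bypassing nsswitch and /etc/hosts.
    Assumption: 'drill -Q NAME TYPE' prints only answer RDATA, one per line."""
    answers: set[str] = set()
    for rrtype in ("A", "AAAA"):
        proc = subprocess.run(["drill", "-Q", name, rrtype],
                              capture_output=True, text=True, check=False)
        for token in proc.stdout.split():
            try:
                answers.add(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # CNAME targets or noise; only addresses matter here
    return answers


def find_stale_pins(hosts_text: str, names: tuple[str, ...],
                    resolve: Resolver) -> dict[str, tuple[set[str], set[str]]]:
    """Return {name: (pinned, live)} for every name in `names` that /etc/hosts
    pins to at least one address DNS does not currently return. An empty DNS
    answer counts as stale too: a pin that cannot be confirmed is reported,
    not silently trusted."""
    pins = parse_hosts(hosts_text)
    stale: dict[str, tuple[set[str], set[str]]] = {}
    for name in names:
        key = name.lower().rstrip(".")
        pinned = pins.get(key, set())
        if not pinned:
            continue  # nothing overrides DNS for this name
        live = resolve(key)
        if not pinned <= live:
            stale[name] = (pinned, live)
    return stale


def main(path: str = "/etc/hosts") -> int:
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    stale = find_stale_pins(text, DEFAULT_NAMES, resolve_with_drill)
    for name, (pinned, live) in sorted(stale.items()):
        print(f"WARNING: {path} pins {name} to {sorted(pinned)}; "
              f"DNS currently returns {sorted(live) or 'nothing'}")
    return 1 if stale else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as root or any user that can read /etc/hosts; a non-zero exit means at least one pin disagrees with DNS and should be removed or refreshed before trusting what `freebsd-update fetch` reports. The resolver is a plain callable so the comparison logic can be exercised offline with constructed answers, for example a resolver that returns {"96.47.72.72", "203.0.113.10"} for ftp.freebsd.org and {"203.0.113.20"} for pkg.freebsd.org flags only the pkg pin.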