Date: Tue, 29 Jun 2004 11:42:25 -0700
From: Colin Percival
To: Kevin Lyons
cc: freebsd-chat@freebsd.org
Subject: Re: "TrustedBSD" addons
Message-id: <6.1.0.6.1.20040629112919.03bcffc8@popserver.sfu.ca>
In-reply-to: <40E1A6C0.2040406@ofdengineering.com>

At 10:28 29/06/2004, Kevin Lyons wrote:
>I was reading with some surprise that some of the MAC and other "addons" from trusted bsd are to be incorporated.
>
>I can already see the security advisories for these things like we've had for tcpwrapper, kerberos, heimdal, jail, openssl, etcetera ad infinitum.

It's worth noting that some of these advisories are rather esoteric. For example, FreeBSD-SA-04:09.kadmind doesn't affect any binary installations of FreeBSD, since it requires that both Kerberos 4 and Kerberos 5 are built. Meanwhile, despite having two security issues with jails (issues which weakened jails, but did not allow any privilege beyond that of an un-jailed user), there was one advisory (FreeBSD-SA-04:06.ipv6) for which jails (in their default configuration) were a specific workaround.

Colin Percival