From owner-freebsd-security@FreeBSD.ORG Fri Sep 13 10:17:36 2013
From: Dag-Erling Smørgrav <des@des.no>
To: Lev Serebryakov
Cc: freebsd-security@FreeBSD.org, Julian Elischer
Subject: Re: FreeBSD Transient Memory problem?
Date: Fri, 13 Sep 2013 12:17:06 +0200
Message-ID: <86k3il58m5.fsf@nine.des.no>
In-Reply-To: <1458963304.20130913091835@serebryakov.spb.ru> (Lev Serebryakov's message of "Fri, 13 Sep 2013 09:18:35 +0400")
References: <5231D461.5050504@freebsd.org> <1458963304.20130913091835@serebryakov.spb.ru>
List-Id: "Security issues [members-only posting]"

Lev Serebryakov writes:
> In my experience, "Security audit" people, who could, for example, do
> PCI/DSS audit, are like this. So, yet, it is their level of
> competence, but you could not pass around them, if you want official
> PCI/DSS certification, for example. Did you see this epic thread on
> stackoverflow (or its devops/sysops counterpart) about "log file with
> every login of each user with password in clear text," for example?

That was the first thing that sprung to my mind as well.

scryptkiddy, you should tell them to read this:

http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants

I've been in a similar situation myself. The JITC audited a customer's
product for IPv6 compliance and failed it because it did not put an ICMP
destination unreachable on the wire when neighbor discovery failed. Note
that the RFC *explicitly states* (but not in a normative section) that
this is not required when the error occurs on the originating node. (The
product in question did not run FreeBSD, but used an old version of the
FreeBSD IPv6 stack.) They had other idiotic requirements that we were
able to work around, and found one genuine but benign bug that had
already been fixed in FreeBSD.

DES

-- 
Dag-Erling Smørgrav - des@des.no