Date: Wed, 10 Aug 2016 07:41:13 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Big Lebowski <spankthespam@gmail.com>
Cc: Matthew Donovan <kitche@kitchetech.com>, freebsd-security <freebsd-security@freebsd.org>, Roger Marquis <marquis@roble.com>, freebsd-ports <freebsd-ports@freebsd.org>, Martin Schroeder <mschroeder@vfemail.net>
Subject: Re: freebsd-update and portsnap users still at risk of compromise
Message-ID: <20160810114113.GG81651@mutt-hardenedbsd>
In-Reply-To: <CAHcXP%2BfkOjBZOZyscOhya41Z0t8uhTyNoYwmxi=tpD0Zt-N%2BHA@mail.gmail.com>
References: <6bd80e384e443e5de73fb951e973b221@vfemail.net> <c59340ad-38d8-5b76-6cce-d4a1d540f90c@freebsd.org> <8d52c11892db36d5041f7fa638e46681@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> <CABgom6ca0Rh-H_uQPbO9=EMCEZk3Q78AXQGbCSFae_qMKJggdQ@mail.gmail.com> <CAHcXP%2BfkOjBZOZyscOhya41Z0t8uhTyNoYwmxi=tpD0Zt-N%2BHA@mail.gmail.com>
On Wed, Aug 10, 2016 at 09:50:37AM +0100, Big Lebowski wrote:
> On Tue, Aug 9, 2016 at 9:21 PM, Matthew Donovan <kitche@kitchetech.com> wrote:
>
> > You mean operating system, as distribution is a Linux term. There's not much different between HardenedBSD and FreeBSD besides that HardenedBSD fixes vulnerabilities and has an excellent ASLR system compared to the proposed one for FreeBSD.
>
> And what are your sources on which you're formulating this statement? What is the HBSD authors' security, or even general coding, track record? How well are they known for their code, whitepapers, implementations? I'd say, not at all. You can have the example of their 'ASLR' code quality in the FreeBSD reviews system, where known and respected coders point out very basic and critical code mistakes, where well known and respected system designers point out flaws in their lack of design, so on and so forth. The only thing that's excellent about them is how they spread this opinion about their code to other people, including you ;)
>
> I'd much rather take my bet with kib's implementation knowing who he is and how long and how well he does what he does (that is, quality code for FreeBSD) than untested, un-designed, self-proclaimed code from a relatively young, inexperienced and unknown person that's not willing to take advice on fixing their code, when given so.
>
> With all due respect :)

Hey there,

ASLR shouldn't be part of the discussion revolving around the freebsd-update, portsnap, libarchive, and bspatch vulnerabilities. ASLR won't even help with these vulnerabilities in particular, as they are logic vulnerabilities. ASLR helps make more difficult the successful exploitation of buffer overflows, format string vulnerabilities, etc.
In HardenedBSD, we've fixed the two libarchive vulnerabilities that FreeBSD is vulnerable to. But the fixes are only band-aids until FreeBSD publishes their fixes, which they are planning to do before 11.0-RELEASE goes out the door.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE