Date: Thu, 11 Aug 2016 12:22:04 +0800 From: Julian Elischer <julian@freebsd.org> To: Mail Lists <mlists@mail.ru>, Matthew Donovan <kitche@kitchetech.com> Cc: freebsd-security <freebsd-security@freebsd.org>, Roger Marquis <marquis@roble.com>, freebsd-ports <freebsd-ports@freebsd.org>, Martin Schroeder <mschroeder@vfemail.net> Subject: Re: freebsd-update and portsnap users still at risk of compromise Message-ID: <e45a1d5e-1bc2-6602-2cf2-f0b24aff153b@freebsd.org> In-Reply-To: <1470849104.192073030@f370.i.mail.ru> References: <6bd80e384e443e5de73fb951e973b221@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> <CABgom6ca0Rh-H_uQPbO9=EMCEZk3Q78AXQGbCSFae_qMKJggdQ@mail.gmail.com> <1470849104.192073030@f370.i.mail.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote:
>
>
> sorry but this is blabla and does not come even near to answering the real problem:
>
> It appears that freebsd and the US-government is more connected that some of us might like:
>
> Not publishing security issues concerning update mechanisms - we all can think WHY freebsd is not eager on this one.
>
> Just my thoughts...
this has been in discussion a lot in private circles within FreeBSD.
It's not being ignored and a "correct" patch is being developed.
from one email I will quote just a small part..
=======
As of yet, [the] patches for the libarchive vulnerabilities have not been released
upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has created
patches for some of the libarchive vulnerabilities, the first[3] is being
considered for inclusion in FreeBSD, at least until a complete fix is
committed upstream, however the second[4] is considered too brute-force and
will not be committed as-is. Once the patches are in FreeBSD and updated
binaries are available, a Security Advisory will be issued.
=======
so expect something soon.
I will go on to say that the threat does need to come from an advanced
MITM actor,
though that does not make it a non threat..
>
>
>> Tuesday, August 9, 2016 8:21 PM UTC from Matthew Donovan <kitche@kitchetech.com>:
>>
>> You mean operating system as distribution is a Linux term. There's not much
>> different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
>> vulnerabilities and has a an excellent ASLR system compared to the proposed
>> one for FreeBSD.
>>
>> On Aug 9, 2016 3:10 PM, "Roger Marquis" < marquis@roble.com > wrote:
>>
>>> Timely update via Hackernews:
>>>
>>> <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerabilit
>>> y-update-libarchive>
>>>
>>> Note in particular:
>>>
>>> "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>>> and libarchive vulnerabilities."
>>>
>>> Not sure why the portsec team has not commented or published an advisory
>>> (possibly because the freebsd list spam filters are so bad that
>>> subscriptions are being blocked) but from where I sit it seems that
>>> those exposed should consider:
>>>
>>> cd /usr/ports
>>> svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
>>> make index
>>> rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>>
>>> I'd also be interested in hearing from hardenedbsd users regarding the
>>> pros and cons of cutting over to that distribution.
>>>
>>> Roger
>>>
>>>
>>>
>>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>>> not sure if you've been contacted privately, but I believe the answer is
>>>>> "we're working on it"
>>>>>
>>>> My concerns are as follows:
>>>>
>>>> 1. This is already out there, and FreeBSD users haven't been alerted that
>>>> they should avoid running freebsd-update/portsnap until the problems are
>>>> fixed.
>>>>
>>>> 2. There was no mention in the bspatch advisory that running
>>>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
>>>> are apparently already in operation.
>>>>
>>>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>>>> heap corruption, even though a more complete fix is available. That's
>>>> what prompted my post. If FreeBSD learned of the problem from the same
>>>> source document we all did, which seems likely given the coincidental
>>>> timing of an advisory for a little-known utility a week or two after that
>>>> source document appeared, then surely FreeBSD had the complete fix
>>>> available.
>>>>
>>>> _______________________________________________
>>> freebsd-ports@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
>>> To unsubscribe, send any mail to " freebsd-ports-unsubscribe@freebsd.org "
>>>
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to " freebsd-security-unsubscribe@freebsd.org "
>
> Best regards,
> Mail Lists
> mlists@mail.ru
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?e45a1d5e-1bc2-6602-2cf2-f0b24aff153b>