Date:      Wed, 10 Aug 2016 20:11:44 +0300
From:      Mail Lists <mlists@mail.ru>
To:        Matthew Donovan <kitche@kitchetech.com>
Cc:        freebsd-security <freebsd-security@freebsd.org>, freebsd-ports <freebsd-ports@freebsd.org>, Martin Schroeder <mschroeder@vfemail.net>, Roger Marquis <marquis@roble.com>
Subject:   Re[2]: freebsd-update and portsnap users still at risk of compromise
Message-ID:  <1470849104.192073030@f370.i.mail.ru>
In-Reply-To: <CABgom6ca0Rh-H_uQPbO9=EMCEZk3Q78AXQGbCSFae_qMKJggdQ@mail.gmail.com>
References:  <6bd80e384e443e5de73fb951e973b221@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> <CABgom6ca0Rh-H_uQPbO9=EMCEZk3Q78AXQGbCSFae_qMKJggdQ@mail.gmail.com>





Sorry, but this is blabla and does not come even near to answering the real problem:

It appears that FreeBSD and the US government are more connected than some of us might like:

Not publishing security issues concerning update mechanisms - we all can think WHY FreeBSD is not eager on this one.

Just my thoughts...



>Tuesday, August  9, 2016 8:21 PM UTC from Matthew Donovan <kitche@kitchetech.com>:
>
>You mean operating system, as distribution is a Linux term. There's not much
>difference between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
>vulnerabilities and has an excellent ASLR system compared to the proposed
>one for FreeBSD.
>
>On Aug 9, 2016 3:10 PM, "Roger Marquis" < marquis@roble.com > wrote:
>
>> Timely update via Hackernews:
>>
>>  <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>
>>
>> Note in particular:
>>
>>  "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>>  and libarchive vulnerabilities."
>>
>> Not sure why the portsec team has not commented or published an advisory
>> (possibly because the freebsd list spam filters are so bad that
>> subscriptions are being blocked) but from where I sit it seems that
>> those exposed should consider:
>>
>>  cd /usr/ports
>>  svn{lite} co  https://svn.FreeBSD.org/ports/head /usr/ports
>>  make index
>>  rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>
>> I'd also be interested in hearing from hardenedbsd users regarding the
>> pros and cons of cutting over to that distribution.
>>
>> Roger
>>
>>
>>
>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>
>>>>
>>>> not sure if you've been contacted privately, but  I believe the answer is
>>>> "we're working on it"
>>>>
>>>
>>> My concerns are as follows:
>>>
>>> 1. This is already out there, and FreeBSD users haven't been alerted that
>>> they should avoid running freebsd-update/portsnap until the problems are
>>> fixed.
>>>
>>> 2. There was no mention in the bspatch advisory that running
>>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
>>> are apparently already in operation.
>>>
>>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>>> heap corruption, even though a more complete fix is available. That's
>>> what prompted my post. If FreeBSD learned of the problem from the same
>>> source document we all did, which seems likely given the coincidental
>>> timing of an advisory for a little-known utility a week or two after that
>>> source document appeared, then surely FreeBSD had the complete fix
>>> available.
>>>


Best regards,
Mail Lists
mlists@mail.ru


Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1470849104.192073030>