From owner-freebsd-security@freebsd.org Tue Aug 9 20:21:24 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D0329BB49CF for ; Tue, 9 Aug 2016 20:21:24 +0000 (UTC) (envelope-from kitche@kitchetech.com) Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 96BFD1355 for ; Tue, 9 Aug 2016 20:21:24 +0000 (UTC) (envelope-from kitche@kitchetech.com) Received: by mail-it0-x22d.google.com with SMTP id f6so25327766ith.0 for ; Tue, 09 Aug 2016 13:21:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kitchetech-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xUuryufY1W5Oh8HFFeJhFVsUFV2bQyO++M5ScHz7RZs=; b=V1nqsNH8fHcGvpvFWgfUGTyeJCxZr8HvdBfe6PnZVA4voy29UnfqrMmM9Su/dlHgEU BF/sce3pkGaIazdH/hewVVYm40W2VFkE9r6WMZ0TBM3iT/oaIuSlsjps/wdPdMTKDCff nrF1ECajvBAf+tF4KuR2M1VoXqyWV5cUsdufBjwhszCZyfJniaRsSJLTdTtirpN3nR8h 0JWLTpvsFa9D3FDQ42ceC7K8h/C8AP84iFBPKEJM8C5SyfQ0DSyeNWqapTKZEti6M+3u ckpybEpxefm03Wwmq8yBl4fhsIoKM7bP3QRzkR8RU7CwBcTF1hfE9ol1GgLKbW5Bv2yo X0Rw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xUuryufY1W5Oh8HFFeJhFVsUFV2bQyO++M5ScHz7RZs=; b=i98HxX9z+TGhKOVB6dx4fyeKG+Xv2QujIeI3/Mui0Fp7yoZ9tjWfOKQxVeJA9l9Vh4 DqniLQQwSBeAusGGTk+mWvMYnAiyYp/aXCkzwCGsz0Oz/BLI7KciD68xVKH6Fa5TreBp yOYuhtoMYCr9ZofP6Iwoc37iNj7jYV6fEAgXPI8vL+j+T0TemCIbO0duCqD6qouQMVEY +Fm6/qJHw68V0CNvfOkr9rvBAu0rWEAy8LZj9t055xJ6Qhs2GfvfRHQ/lypNbHWTgsSN wcu2PogNb/gNEtyxy1Eq6IYJnrgMHLb8fSeDHz6A0EgbWcckmxn8SdKdMz51ohGwvPTk XEjA== X-Gm-Message-State: AEkooutBKpOewWPu/NO9DelWpBV02/mg1LVLYZlpv29ZkoxTAvok26ZB8Ra5VPeRIRNuJmDyDQ2lpkkEpTWtPQ== X-Received: by 10.36.133.213 with SMTP id r204mr1164451itd.50.1470774084020; Tue, 09 Aug 2016 13:21:24 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.19.13 with HTTP; Tue, 9 Aug 2016 13:21:23 -0700 (PDT) Received: by 10.107.19.13 with HTTP; Tue, 9 Aug 2016 13:21:23 -0700 (PDT) In-Reply-To: <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> References: <6bd80e384e443e5de73fb951e973b221@vfemail.net> <8d52c11892db36d5041f7fa638e46681@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> From: Matthew Donovan Date: Tue, 9 Aug 2016 15:21:23 -0500 Message-ID: Subject: Re: freebsd-update and portsnap users still at risk of compromise To: Roger Marquis Cc: freebsd-ports , freebsd-security , Martin Schroeder X-Mailman-Approved-At: Tue, 09 Aug 2016 20:49:38 +0000 Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.22 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Aug 2016 20:21:24 -0000 You mean operating system as distribution is a Linux term. There's not much different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes vulnerabilities and has a an excellent ASLR system compared to the proposed one for FreeBSD. On Aug 9, 2016 3:10 PM, "Roger Marquis" wrote: > Timely update via Hackernews: > > y-update-libarchive> > > Note in particular: > > "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch, > and libarchive vulnerabilities." > > Not sure why the portsec team has not commented or published an advisory > (possibly because the freebsd list spam filters are so bad that > subscriptions are being blocked) but from where I sit it seems that > those exposed should consider: > > cd /usr/ports > svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports > make index > rm -rf /usr/sbin/portsnap /var/db/portsnap/* > > I'd also be interested in hearing from hardenedbsd users regarding the > pros and cons of cutting over to that distribution. > > Roger > > > > On 2016-07-29 09:00, Julian Elischer wrote: >> >>> >>> not sure if you've been contacted privately, but I believe the answer is >>> "we're working on it" >>> >> >> My concerns are as follows: >> >> 1. This is already out there, and FreeBSD users haven't been alerted that >> they should avoid running freebsd-update/portsnap until the problems are >> fixed. >> >> 2. There was no mention in the bspatch advisory that running >> freebsd-update to "fix" bspatch would expose systems to MITM attackers who >> are apparently already in operation. >> >> 3. Strangely, the "fix" in the advisory is incomplete and still permits >> heap corruption, even though a more complete fix is available. That's >> what prompted my post. If FreeBSD learned of the problem from the same >> source document we all did, which seems likely given the coincidental >> timing of an advisory for a little-known utility a week or two after that >> source document appeared, then surely FreeBSD had the complete fix >> available. >> >> _______________________________________________ > freebsd-ports@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-ports > To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org" >