From owner-freebsd-security@freebsd.org Thu Aug 11 04:22:22 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 48435BB4A5A; Thu, 11 Aug 2016 04:22:22 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 2716C19AD; Thu, 11 Aug 2016 04:22:21 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from Julian-MBP3.local (ppp121-45-226-8.lns20.per1.internode.on.net [121.45.226.8]) (authenticated bits=0) by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id u7B4M9th034703 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 10 Aug 2016 21:22:12 -0700 (PDT) (envelope-from julian@freebsd.org) Subject: Re: freebsd-update and portsnap users still at risk of compromise To: Mail Lists , Matthew Donovan References: <6bd80e384e443e5de73fb951e973b221@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> <1470849104.192073030@f370.i.mail.ru> Cc: freebsd-security , Roger Marquis , freebsd-ports , Martin Schroeder From: Julian Elischer Message-ID: Date: Thu, 11 Aug 2016 12:22:04 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: <1470849104.192073030@f370.i.mail.ru> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Aug 2016 04:22:22 -0000 On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote: > > > sorry but this is blabla and does not come even near to answering the real problem: > > It appears that freebsd and the US-government is more connected that some of us might like: > > Not publishing security issues concerning update mechanisms - we all can think WHY freebsd is not eager on this one. > > Just my thoughts... this has been in discussion a lot in private circles within FreeBSD. It's not being ignored and a "correct" patch is being developed. from one email I will quote just a small part.. ======= As of yet, [the] patches for the libarchive vulnerabilities have not been released upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has created patches for some of the libarchive vulnerabilities, the first[3] is being considered for inclusion in FreeBSD, at least until a complete fix is committed upstream, however the second[4] is considered too brute-force and will not be committed as-is. Once the patches are in FreeBSD and updated binaries are available, a Security Advisory will be issued. ======= so expect something soon. I will go on to say that the threat does need to come from an advanced MITM actor, though that does not make it a non threat.. > > >> Tuesday, August 9, 2016 8:21 PM UTC from Matthew Donovan : >> >> You mean operating system as distribution is a Linux term. There's not much >> different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes >> vulnerabilities and has a an excellent ASLR system compared to the proposed >> one for FreeBSD. >> >> On Aug 9, 2016 3:10 PM, "Roger Marquis" < marquis@roble.com > wrote: >> >>> Timely update via Hackernews: >>> >>> >> y-update-libarchive> >>> >>> Note in particular: >>> >>> "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch, >>> and libarchive vulnerabilities." >>> >>> Not sure why the portsec team has not commented or published an advisory >>> (possibly because the freebsd list spam filters are so bad that >>> subscriptions are being blocked) but from where I sit it seems that >>> those exposed should consider: >>> >>> cd /usr/ports >>> svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports >>> make index >>> rm -rf /usr/sbin/portsnap /var/db/portsnap/* >>> >>> I'd also be interested in hearing from hardenedbsd users regarding the >>> pros and cons of cutting over to that distribution. >>> >>> Roger >>> >>> >>> >>> On 2016-07-29 09:00, Julian Elischer wrote: >>>>> not sure if you've been contacted privately, but I believe the answer is >>>>> "we're working on it" >>>>> >>>> My concerns are as follows: >>>> >>>> 1. This is already out there, and FreeBSD users haven't been alerted that >>>> they should avoid running freebsd-update/portsnap until the problems are >>>> fixed. >>>> >>>> 2. There was no mention in the bspatch advisory that running >>>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who >>>> are apparently already in operation. >>>> >>>> 3. Strangely, the "fix" in the advisory is incomplete and still permits >>>> heap corruption, even though a more complete fix is available. That's >>>> what prompted my post. If FreeBSD learned of the problem from the same >>>> source document we all did, which seems likely given the coincidental >>>> timing of an advisory for a little-known utility a week or two after that >>>> source document appeared, then surely FreeBSD had the complete fix >>>> available. >>>> >>>> _______________________________________________ >>> freebsd-ports@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/freebsd-ports >>> To unsubscribe, send any mail to " freebsd-ports-unsubscribe@freebsd.org " >>> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to " freebsd-security-unsubscribe@freebsd.org " > > Best regards, > Mail Lists > mlists@mail.ru > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >