From: Paul Hoffman <paul.hoffman@vpnc.org>
To: freebsd-security@freebsd.org
Subject: pkg repositories out of alignment (was: Re: bash velnerability)
Date: Fri, 26 Sep 2014 08:25:12 -0700
In-Reply-To: <20140926123803.GA30925@zxy.spb.ru>
References: <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <20140925193555.GB28430@satori.lan> <20140926123803.GA30925@zxy.spb.ru>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

Just a note that the pkg repo for 10 seems to be far advanced over that for 9.3. That is, the bash fix appeared in the 10 repo yesterday (or earlier), but it is still not in the 9.3 repo. Here's what I'm seeing on a 9.3 box right now:

# sudo pkg update
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
# sudo pkg audit
bash-4.3.24 is vulnerable:
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: http://portaudit.FreeBSD.org/71ad81da-4414-11e4-a33e-3c970e169bc2.html

1 problem(s) in the installed packages found.
# sudo pkg upgrade bash
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
Your packages are up to date.

I appreciate the speed that folks update the packages; I'm a bit distressed that 9.3 seems to be a second-class citizen for security fixes. (And I totally admit that I could be misreading the situation.)

--Paul Hoffman
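The situation in the post (pkg audit flags an installed package, pkg upgrade reports nothing newer because the catalogue for that branch still carries the same build) is worth turning into an explicit check rather than reading two command outputs by eye. The script below is an added example and is not part of Paul Hoffman's message or of pkg itself: it parses `pkg audit` output into structured findings, parses `pkg rquery '%n %v'` output for the same package names, and reports for each finding whether the catalogue offers a newer build or is still at the vulnerable version. The sample texts are constructed (the audit block is the one quoted in the post; the "updated catalogue" version 4.3.25 is hypothetical), and the version ordering is a simplification of pkg's own rules, which `pkg version -t` implements properly.

```python
import re
import shutil
import subprocess

# Constructed sample: the pkg audit output quoted in the post.
AUDIT_SAMPLE = """\
bash-4.3.24 is vulnerable:
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: http://portaudit.FreeBSD.org/71ad81da-4414-11e4-a33e-3c970e169bc2.html

1 problem(s) in the installed packages found.
"""

# Constructed samples of `pkg rquery '%n %v' bash` output: a catalogue that
# still ships the vulnerable build (the 9.3 case) and one with a newer build
# (4.3.25 is a hypothetical version, not taken from the post).
RQUERY_LAGGING = "bash 4.3.24\n"
RQUERY_UPDATED = "bash 4.3.25\n"

# "<name>-<version> is vulnerable:"; the version is everything after the last dash.
HEADER_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-\s]+) is vulnerable:$")


def parse_audit(text):
    """Turn `pkg audit` output into a list of findings (name, version, summary, cves, www)."""
    findings = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m["name"], "version": m["version"],
                       "summary": None, "cves": [], "www": None}
            findings.append(current)
        elif current is None:
            continue  # nothing before the first finding is interesting
        elif line.startswith("CVE: "):
            current["cves"].append(line[5:].strip())
        elif line.startswith("WWW: "):
            current["www"] = line[5:].strip()
        elif current["summary"] is None and line.strip():
            current["summary"] = line.strip()  # first free-text line is the title
    return findings


def parse_rquery(text):
    """Turn `pkg rquery '%n %v'` output into {package name: catalogue version}."""
    repo = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            repo[parts[0]] = parts[1]
    return repo


def version_key(version):
    """Sort key for FreeBSD-style versions: epoch (",N"), dotted parts, PORTREVISION ("_N").

    Assumption: a simplified ordering; pkg's real comparison is `pkg version -t`.
    """
    epoch = 0
    if "," in version:
        version, e = version.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in version:
        version, r = version.split("_", 1)
        revision = int(r)
    parts = tuple(
        tuple((0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|\D+", p))
        for p in version.split(".")
    )
    return (epoch, parts, revision)


def fix_status(findings, repo):
    """For each audit finding, say whether the catalogue has a newer build to offer."""
    report = []
    for f in findings:
        catalogue = repo.get(f["name"])
        if catalogue is None:
            status = "not in catalogue"
        elif version_key(catalogue) > version_key(f["version"]):
            status = "fix candidate available: " + catalogue
        else:
            status = "catalogue still at " + catalogue + " (repo lags; pkg upgrade cannot help yet)"
        report.append((f["name"], f["version"], status))
    return report


def live_report():
    """On a FreeBSD host, run the real commands; pkg audit exits non-zero when it finds problems."""
    audit = subprocess.run(["pkg", "audit"], capture_output=True, text=True).stdout
    findings = parse_audit(audit)
    names = [f["name"] for f in findings]
    rq = subprocess.run(["pkg", "rquery", "%n %v"] + names, capture_output=True, text=True).stdout
    return fix_status(findings, parse_rquery(rq))


if __name__ == "__main__":
    if shutil.which("pkg"):
        rows = live_report()
    else:  # offline demonstration on the constructed samples
        rows = fix_status(parse_audit(AUDIT_SAMPLE), parse_rquery(RQUERY_LAGGING))
    for name, installed, status in rows:
        print(f"{name}-{installed}: {status}")
```

A newer catalogue build is only a candidate: the definitive check is to ask pkg whether that exact version is still listed in the vulnerability database, e.g. `pkg audit bash-4.3.25`, before concluding the branch is covered.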