From: ari edelkind
Sender: edelkind@episec.com
Date: Wed, 9 Apr 2014 11:54:28 -0400
Subject: Re: Proposal
To: freebsd-security@freebsd.org
In-Reply-To: <53456946.9030200@rewt.org.uk>
References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <53456946.9030200@rewt.org.uk>
List-Id: "Security issues [members-only posting]"
X-Mailman-Approved-At: Wed, 09 Apr 2014 16:42:05 +0000

On Wed, Apr 9, 2014 at 11:37 AM, Joe Holden wrote:
> 24 hours for a fix that doesn't break ABI and is relatively simple (and
> proven to be fine by other distros) is horrendous for such a critical
> problem. I mentioned this on Twitter also, but there wasn't even a heads-up
> from the SO until the patch went live.

To give this some additional perspective, it took me approximately 30 minutes to write a working exploit. Everyone makes a big deal out of private keys (which, admittedly, are a big deal), but I was able to collect usernames, passwords, session credentials, back-end single-sign-on credentials (e.g. client tokens), database passwords, and more from affected hosts -- all quite easily.

ari