Date: Sat, 30 Jul 2016 05:00:23 +0000
From: Martin Schroeder <mschroeder@vfemail.net>
To: freebsd-security@freebsd.org
Subject: Re: freebsd-update and portsnap users still at risk of compromise
Message-ID: <8d52c11892db36d5041f7fa638e46681@vfemail.net>
In-Reply-To: <c59340ad-38d8-5b76-6cce-d4a1d540f90c@freebsd.org>
References: <6bd80e384e443e5de73fb951e973b221@vfemail.net> <c59340ad-38d8-5b76-6cce-d4a1d540f90c@freebsd.org>
On 2016-07-29 09:00, Julian Elischer wrote:

> not sure if you've been contacted privately, but I believe the answer is
> "we're working on it"

My concerns are as follows:

1. This is already out there, and FreeBSD users haven't been alerted that they should avoid running freebsd-update/portsnap until the problems are fixed.

2. There was no mention in the bspatch advisory that running freebsd-update to "fix" bspatch would expose systems to MITM attackers who are apparently already in operation.

3. Strangely, the "fix" in the advisory is incomplete and still permits heap corruption, even though a more complete fix is available. That's what prompted my post. If FreeBSD learned of the problem from the same source document we all did, which seems likely given the coincidental timing of an advisory for a little-known utility a week or two after that source document appeared, then surely FreeBSD had the complete fix available.