From: Martin Schroeder <mschroeder@vfemail.net>
To: freebsd-security@freebsd.org
Date: Sat, 30 Jul 2016 05:00:23 +0000
Subject: Re: freebsd-update and portsnap users still at risk of compromise

On 2016-07-29 09:00, Julian Elischer wrote:
> not sure if you've been contacted privately, but I believe the answer
> is "we're working on it"

My concerns are as follows:

1. This is already out there, and FreeBSD users haven't been alerted that
they should avoid running freebsd-update/portsnap until the problems are
fixed.

2. There was no mention in the bspatch advisory that running
freebsd-update to "fix" bspatch would expose systems to MITM attackers
who are apparently already in operation.

3. Strangely, the "fix" in the advisory is incomplete and still permits
heap corruption, even though a more complete fix is available. That's
what prompted my post. If FreeBSD learned of the problem from the same
source document we all did, which seems likely given the coincidental
timing of an advisory for a little-known utility a week or two after
that source document appeared, then surely FreeBSD had the complete fix
available.