From owner-freebsd-security@freebsd.org Thu Aug 11 12:17:23 2016
Subject: Re: freebsd-update and portsnap users still at risk of compromise
References: <6bd80e384e443e5de73fb951e973b221@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> <1470849104.192073030@f370.i.mail.ru>
To: freebsd-security
From: Joe Shevland
Date: Thu, 11 Aug 2016 22:13:21 +1000
The HN discussion: https://news.ycombinator.com/item?id=12261347

On 11/08/2016 7:59 PM, Vincent Hoffman-Kazlauskas wrote:
> For those not on freebsd-announce (or reddit or anywhere else it got posted)
>
> "FreeBSD Core statement on recent freebsd-update and related
> vulnerabilities"
> https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html
>
> Vince
>
> On 11/08/2016 05:22, Julian Elischer wrote:
>> On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote:
>>>
>>> sorry but this is blabla and does not come even near to answering the
>>> real problem:
>>>
>>> It appears that freebsd and the US-government is more connected than
>>> some of us might like:
>>>
>>> Not publishing security issues concerning update mechanisms - we all
>>> can think WHY freebsd is not eager on this one.
>>>
>>> Just my thoughts...
>> this has been in discussion a lot in private circles within FreeBSD.
>> It's not being ignored and a "correct" patch is being developed.
>>
>> from one email I will quote just a small part..
>> =======
>>
>> As of yet, [the] patches for the libarchive vulnerabilities have not
>> been released upstream to be pulled into FreeBSD. In the meantime,
>> HardenedBSD has created patches for some of the libarchive
>> vulnerabilities; the first[3] is being considered for inclusion in
>> FreeBSD, at least until a complete fix is committed upstream, however
>> the second[4] is considered too brute-force and will not be committed
>> as-is. Once the patches are in FreeBSD and updated binaries are
>> available, a Security Advisory will be issued.
>>
>> =======
>> so expect something soon.
>> I will go on to say that the threat does need to come from an advanced
>> MITM actor, though that does not make it a non-threat..
>>
>>>
>>>> Tuesday, August 9, 2016 8:21 PM UTC from Matthew Donovan:
>>>>
>>>> You mean operating system as distribution is a Linux term. There's
>>>> not much different between HARDENEDBSD and FreeBSD besides that
>>>> HardenedBSD fixes vulnerabilities and has an excellent ASLR system
>>>> compared to the proposed one for FreeBSD.
>>>>
>>>> On Aug 9, 2016 3:10 PM, "Roger Marquis" <marquis@roble.com> wrote:
>>>>
>>>>> Timely update via Hackernews:
>>>>>
>>>>> y-update-libarchive>
>>>>>
>>>>> Note in particular:
>>>>>
>>>>> "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>>>>> and libarchive vulnerabilities."
>>>>>
>>>>> Not sure why the portsec team has not commented or published an
>>>>> advisory (possibly because the freebsd list spam filters are so bad
>>>>> that subscriptions are being blocked) but from where I sit it seems
>>>>> that those exposed should consider:
>>>>>
>>>>>   cd /usr/ports
>>>>>   svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
>>>>>   make index
>>>>>   rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>>>>
>>>>> I'd also be interested in hearing from hardenedbsd users regarding the
>>>>> pros and cons of cutting over to that distribution.
>>>>>
>>>>> Roger
>>>>>
>>>>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>>>>> not sure if you've been contacted privately, but I believe the
>>>>>>> answer is "we're working on it"
>>>>>>>
>>>>>> My concerns are as follows:
>>>>>>
>>>>>> 1. This is already out there, and FreeBSD users haven't been alerted
>>>>>> that they should avoid running freebsd-update/portsnap until the
>>>>>> problems are fixed.
>>>>>>
>>>>>> 2. There was no mention in the bspatch advisory that running
>>>>>> freebsd-update to "fix" bspatch would expose systems to MITM
>>>>>> attackers who are apparently already in operation.
>>>>>>
>>>>>> 3. Strangely, the "fix" in the advisory is incomplete and still
>>>>>> permits heap corruption, even though a more complete fix is
>>>>>> available. That's what prompted my post. If FreeBSD learned of the
>>>>>> problem from the same source document we all did, which seems likely
>>>>>> given the coincidental timing of an advisory for a little-known
>>>>>> utility a week or two after that source document appeared, then
>>>>>> surely FreeBSD had the complete fix available.
>>>>>>
>>>>>> _______________________________________________
>>>>> freebsd-ports@freebsd.org mailing list
>>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
>>>>> To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
>>>>>
>>>> _______________________________________________
>>>> freebsd-security@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>>>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>>> Best regards,
>>> Mail Lists
>>> mlists@mail.ru
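Roger's quoted suggestion above is to stop relying on portsnap and take the ports tree from an svn/svnlite checkout instead. Before (or after) doing that on a fleet, an admin wants to know which hosts still depend on portsnap. The following POSIX sh check is an added example written for this page, not code from the thread or from the FreeBSD project; it looks only at the paths the thread itself names (/usr/ports, /var/db/portsnap) plus the `.svn` directory that any svn checkout carries, and takes an optional root prefix so it can be run against a jail root or a test directory instead of the live system.

```shell
#!/bin/sh
# Added example: report how a host's ports tree is being maintained.
# Prints one of: svn, portsnap, both, none.
#   svn      - /usr/ports is an svn/svnlite working copy (has .svn)
#   portsnap - /var/db/portsnap holds state, i.e. portsnap is in use
#   both     - an svn checkout coexists with leftover portsnap state
#   none     - neither marker found
# $1 is an optional root prefix (hypothetical parameter); "" means "/".

ports_source() {
    root="${1:-}"
    ports_dir="$root/usr/ports"
    snap_db="$root/var/db/portsnap"

    svn_managed=0
    snap_managed=0

    # An svn or svnlite checkout keeps its metadata in a top-level .svn dir.
    if [ -d "$ports_dir/.svn" ]; then
        svn_managed=1
    fi

    # portsnap writes its snapshot state under /var/db/portsnap. The mere
    # presence of the binary proves nothing; a non-empty state dir does.
    if [ -d "$snap_db" ] && [ -n "$(ls -A "$snap_db" 2>/dev/null)" ]; then
        snap_managed=1
    fi

    case "$svn_managed$snap_managed" in
        10) echo svn ;;
        01) echo portsnap ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Stand-alone use: ./ports_source.sh            (live system)
#                  ./ports_source.sh /jails/www  (jail root)
ports_source "$@"
```

A host reporting `both` has done the svn checkout but not the `rm -rf /var/db/portsnap/*` step from Roger's list, so a later `portsnap fetch update` could silently overwrite the checkout; that is the state worth flagging in an inventory.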