Date: Thu, 10 Apr 2014 09:24:22 +0800
From: Ke-li Dong <dong.keli@gmail.com>
To: freebsd-security@freebsd.org
Subject: Re: freebsd-security Digest, Vol 482, Issue 4
Message-ID: <CAE17K-wp18CngjEgYCFop26SZ6hzAEKmeHwx+8Tp13k1ShYXkw@mail.gmail.com>
In-Reply-To: <mailman.170.1397074858.1239.freebsd-security@freebsd.org>
References: <mailman.170.1397074858.1239.freebsd-security@freebsd.org>
2014-04-10 4:20 GMT+08:00 <freebsd-security-request@freebsd.org>:
> Send freebsd-security mailing list submissions to
>         freebsd-security@freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
>         freebsd-security-request@freebsd.org
>
> You can reach the person managing the list at
>         freebsd-security-owner@freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
>
>
> Today's Topics:
>
>    1. Proposal (Was: Re: FreeBSD Security Advisory
>       FreeBSD-SA-14:06.openssl) (Pawel Biernacki)
>    2. Re: Proposal (Dag-Erling Smørgrav)
>    3. Re: Proposal (Karl Denninger)
>    4. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>       (Zoran Kolic)
>    5. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>       (Karl Denninger)
>    6. Re: Proposal (Kimmo Paasiala)
>    7. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>       (Gary Palmer)
>    8. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>       (Steven Hartland)
>    9. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>       (Karl Denninger)
>   10. Re: Proposal (Was: Re: FreeBSD Security Advisory
>       FreeBSD-SA-14:06.openssl) (Big Lebowski)
>   11. Re: Proposal (Walter Hop)
>   12. Re: Proposal (Pawel Biernacki)
>   13. Re: Proposal (Joe Holden)
>   14. Re: Proposal (Joe User)
>   15. Re: Proposal (jungleboogie0)
>   16. Re: Proposal (ari edelkind)
>   17. Re: Proposal (Dag-Erling Smørgrav)
>   18. Re: Proposal (Pawel Biernacki)
>   19. Re: Proposal (Dag-Erling Smørgrav)
>   20. Re: Proposal (Joe User)
>   21. Re: Proposal (Pawel Biernacki)
>   22. Re: Proposal (jungleboogie0)
>   23. Re: Proposal (Pawel Biernacki)
>   24. Re: Proposal (leon@tuco)
>   25. Re: Proposal (Nathan Dorfman)
>   26. Re: Proposal (Matthew Seaman)
>   27. Re: Proposal (Dag-Erling Smørgrav)
>   28. Re: Proposal (Dag-Erling Smørgrav)
>   29. Re: Proposal (Xin Li)
>   30. Re: Proposal (Dag-Erling Smørgrav)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 9 Apr 2014 13:36:48 +0100
> From: Pawel Biernacki <pawel.biernacki@gmail.com>
> To: freebsd-security@freebsd.org
> Subject: Proposal (Was: Re: FreeBSD Security Advisory
>         FreeBSD-SA-14:06.openssl)
> Message-ID: <CAA3htvtb+yZRApEqJ41ue+6jB5Y_Une96SYyJRwQXBmQfRZbtQ@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On 9 April 2014 00:34, FreeBSD Security Advisories
> <security-advisories@freebsd.org> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > =============================================================================
> > FreeBSD-SA-14:06.openssl                                    Security Advisory
> >                                                           The FreeBSD Project
> >
> > Topic:          OpenSSL multiple vulnerabilities
> >
> > Category:       contrib
> > Module:         openssl
> > Announced:      2014-04-08
> > Affects:        All supported versions of FreeBSD.
> > Corrected:      2014-04-08 18:27:39 UTC (stable/10, 10.0-STABLE)
> >                 2014-04-08 18:27:46 UTC (releng/10.0, 10.0-RELEASE-p1)
> >                 2014-04-08 23:16:19 UTC (stable/9, 9.2-STABLE)
> >                 2014-04-08 23:16:05 UTC (releng/9.2, 9.2-RELEASE-p4)
> >                 2014-04-08 23:16:05 UTC (releng/9.1, 9.1-RELEASE-p11)
> >                 2014-04-08 23:16:19 UTC (stable/8, 8.4-STABLE)
> >                 2014-04-08 23:16:05 UTC (releng/8.4, 8.4-RELEASE-p8)
> >                 2014-04-08 23:16:05 UTC (releng/8.3, 8.3-RELEASE-p15)
> > CVE Name:       CVE-2014-0076, CVE-2014-0160
> >
>
> Thank you for finally patching that vulnerability. Many of us, FreeBSD
> users, are deeply concerned about security. Yesterday we had a very
> busy day on #FreeBSD on freenode with many people asking why there is
> no SA and how to mitigate the threat or patch it on their own.
>
> I understand that this is a voluntary role and you have other (real
> life) responsibilities; that's why I'd like to propose an idea of (at
> least partially) paid position of Security Officer, because we all
> need quick and efficient response in cases like that.
>
> FreeBSD Community has a good history of paying for work, many of us
> supported phk@ in 2004, and recently FreeBSD Foundation hired several
> people to work for all of us. Because I've no idea how Foundation had
> planned a budget for this year, I don't know if there is any money
> that can be allocated for that position. If not, maybe Foundation can
> conduct additional public fundraising for that purpose?
>
>
> --
> One of God's own prototypes. A high-powered mutant of some kind never
> even considered for mass production. Too weird to live, and too rare to
> die.
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 09 Apr 2014 15:25:04 +0200
> From: Dag-Erling Smørgrav <des@des.no>
> To: Pawel Biernacki <pawel.biernacki@gmail.com>
> Cc: freebsd-security@freebsd.org
> Subject: Re: Proposal
> Message-ID: <86fvlm7hzj.fsf@nine.des.no>
> Content-Type: text/plain; charset=utf-8
>
> Pawel Biernacki <pawel.biernacki@gmail.com> writes:
> > I understand that this is a voluntary role and you have other (real
> > life) responsibilities; that's why I'd like to propose an idea of (at
> > least partially) paid position of Security Officer, because we all
> > need quick and efficient response in cases like that.
>
> Having a paid Security Officer would not have made any difference.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 09 Apr 2014 08:57:28 -0500
> From: Karl Denninger <karl@denninger.net>
> To: freebsd-security@freebsd.org
> Subject: Re: Proposal
> Message-ID: <534551C8.6030004@denninger.net>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
>
> On 4/9/2014 8:25 AM, Dag-Erling Smørgrav wrote:
> > Pawel Biernacki <pawel.biernacki@gmail.com> writes:
> >> I understand that this is a voluntary role and you have other (real
> >> life) responsibilities; that's why I'd like to propose an idea of (at
> >> least partially) paid position of Security Officer, because we all
> >> need quick and efficient response in cases like that.
> > Having a paid Security Officer would not have made any difference.
> >
> > DES
> Agreed.
>
> In this particular case FreeBSD's team responded very quickly once the
> threat was known and a resolution path was made available in a very
> expeditious fashion.
>
> The real problem here is the depth of damage and the amount of work to
> rectify it, particularly for those who have certificates issued by
> someone else where **they** may have been compromised. But this has
> nothing to do with FreeBSD.
>
> --
> -- Karl
> karl@denninger.net
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 9 Apr 2014 16:21:36 +0200
> From: Zoran Kolic <zkolic@sbb.rs>
> To: freebsd-security@freebsd.org
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <20140409142136.GA871@faust.sbb.rs>
> Content-Type: text/plain; charset=us-ascii
>
> Advisory claims 10.0 only to be affected. Patches to
> branch 9 are not of importance on the same level?
>
> Zoran
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 09 Apr 2014 09:25:59 -0500
> From: Karl Denninger <karl@denninger.net>
> To: freebsd-security@freebsd.org
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <53455877.5020006@denninger.net>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
>
> On 4/9/2014 9:21 AM, Zoran Kolic wrote:
> > Advisory claims 10.0 only to be affected. Patches to
> > branch 9 are not of importance on the same level?
> >
> > Zoran
> >
> 9 (and before) were only impacted if you loaded the newer OpenSSL from
> ports. A fair number of people did, however, as a means of preventing
> BEAST attack vectors.
>
> If you did, then you need to update that and have all your private keys
> re-issued. If you did not then you never had the buggy code in the
> first place.
>
> --
> -- Karl
> karl@denninger.net
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 09 Apr 2014 13:36:28 +0000 (GMT)
> From: Kimmo Paasiala <kpaasial@icloud.com>
> To: Pawel Biernacki <pawel.biernacki@gmail.com>
> Cc: "Dag-Erling Smørgrav" <des@des.no>, freebsd-security@freebsd.org
> Subject: Re: Proposal
> Message-ID: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On Apr 09, 2014, at 03:25 PM, Dag-Erling Smørgrav <des@des.no> wrote:
>
> > Pawel Biernacki <pawel.biernacki@gmail.com> writes:
> > > I understand that this is a voluntary role and you have other (real
> > > life) responsibilities; that's why I'd like to propose an idea of (at
> > > least partially) paid position of Security Officer, because we all
> > > need quick and efficient response in cases like that.
> >
> > Having a paid Security Officer would not have made any difference.
> >
> > DES
> > --
> > Dag-Erling Smørgrav - des@des.no
>
> Could everyone just please stop panicking and take an objective look at
> this issue. It took only one full DAY to come up with a fix and issue the
> security advisory. That's damn fast if you look at some of the commercial
> entities that face the exact same kind of issues and often struggle to even
> acknowledge that there is a problem they need to address and take sometimes
> weeks to release hotfixes.
>
> In my opinion this issue couldn't have been handled any better considering
> what it takes to do the job properly, congrats to the security team from me.
>
> -Kimmo
>
> ------------------------------
>
> Message: 7
> Date: Wed, 9 Apr 2014 10:39:40 -0400
> From: Gary Palmer <gpalmer@freebsd.org>
> To: Zoran Kolic <zkolic@sbb.rs>
> Cc: freebsd-security@freebsd.org
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <20140409143940.GA15884@in-addr.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Apr 09, 2014 at 04:21:36PM +0200, Zoran Kolic wrote:
> > Advisory claims 10.0 only to be affected. Patches to
> > branch 9 are not of importance on the same level?
>
> The version of OpenSSL shipped in the base FreeBSD code prior to 10.0
> is not vulnerable to the Heartbeat attack, however there is a different
> vulnerability which *is* in 8.x and 9.x and was documented in the advisory
> as [CVE-2014-0076]
>
> You should update 8.x and 9.x systems also, even though the vulnerability
> there is probably not as easy to exploit as the Heartbeat attack.
>
> Regards,
>
> Gary
>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 9 Apr 2014 15:47:25 +0100
> From: "Steven Hartland" <killing@multiplay.co.uk>
> To: "Karl Denninger" <karl@denninger.net>,
>         <freebsd-security@freebsd.org>
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <8A7E8A9A8B034A3498601347FFFF088C@multiplay.co.uk>
> Content-Type: text/plain; format=flowed; charset="Windows-1252";
>         reply-type=response
>
> ----- Original Message -----
> From: "Karl Denninger" <karl@denninger.net>
>
> > On 4/9/2014 9:21 AM, Zoran Kolic wrote:
> >> Advisory claims 10.0 only to be affected. Patches to
> >> branch 9 are not of importance on the same level?
> >>
> >>
> > 9 (and before) were only impacted if you loaded the newer OpenSSL from
> > ports. A fair number of people did, however, as a means of preventing
> > BEAST attack vectors.
> >
> > If you did, then you need to update that and have all your private keys
> > re-issued. If you did not then you never had the buggy code in the
> > first place.
>
> Actually they are vulnerable without any ports install, just not to
> CVE-2014-0160, only CVE-2014-0076, both of which were fixed by
> SA-14:06.openssl
>
> Regards
> Steve
>
>
> ------------------------------
>
> Message: 9
> Date: Wed, 09 Apr 2014 09:50:25 -0500
> From: Karl Denninger <karl@denninger.net>
> To: Steven Hartland <killing@multiplay.co.uk>,
>         freebsd-security@freebsd.org
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <53455E31.90100@denninger.net>
> Content-Type: text/plain; charset="windows-1252"; Format="flowed"
>
>
> On 4/9/2014 9:47 AM, Steven Hartland wrote:
> > ----- Original Message ----- From: "Karl Denninger" <karl@denninger.net>
> >
> >
> >> On 4/9/2014 9:21 AM, Zoran Kolic wrote:
> >>> Advisory claims 10.0 only to be affected. Patches to
> >>> branch 9 are not of importance on the same level?
> >>>
> >>>
> >> 9 (and before) were only impacted if you loaded the newer OpenSSL
> >> from ports. A fair number of people did, however, as a means of
> >> preventing BEAST attack vectors.
> >>
> >> If you did, then you need to update that and have all your private
> >> keys re-issued. If you did not then you never had the buggy code in
> >> the first place.
> >
> > Actually they are vulnerable without any ports install, just not to
> > CVE-2014-0160, only CVE-2014-0076, both of which were fixed by
> > SA-14:06.openssl
> >
> > Regards
> > Steve
> Good point -- there is that other advisory in there so "base" 8.x and
> 9.x users should update as well.
>
> However, the other problem does not involve the same sort of
> vulnerability to remote "grabs" of data, including authentication
> credentials (and worse, private key data.)
>
> --
> -- Karl
> karl@denninger.net
>
>
> ------------------------------
>
> Message: 10
> Date: Wed, 9 Apr 2014 15:57:09 +0200
> From: Big Lebowski <spankthespam@gmail.com>
> To: freebsd-security@freebsd.org
> Subject: Re: Proposal (Was: Re: FreeBSD Security Advisory
>         FreeBSD-SA-14:06.openssl)
> Message-ID: <CAHcXP+dnKwJJrarzjTA4_y9BOFCf5trPe9MAuM7KtCxhEQSU_w@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> > > I understand that this is a voluntary role and you have other (real
> > > life) responsibilities; that's why I'd like to propose an idea of (at
> > > least partially) paid position of Security Officer, because we all
> > > need quick and efficient response in cases like that.
> >
> > Having a paid Security Officer would not have made any difference.
>
> Do you care to elaborate on why it would not have made any difference? And,
> if possible, also on what one could do, if you have any ideas about
> that?
>
> I have to say that I agree with Paweł fully, I would love to see such
> things being handled way faster and better communicated if
> they're 'on the way', and I also believe having a paid Security Officer
> could help - but I am happy to get to know why I might be under the wrong
> impression.
>
> I also don't know if there's any chance of directing any money from
> this year's budget towards improving that situation, but I also like
> the idea of 'targeted' funding, where people get a chance to say
> where they want the money to be used, some sort of money democracy, I
> would say.
>
>
> Regards,
>
> Bl
>
>
> ------------------------------
>
> Message: 11
> Date: Wed, 9 Apr 2014 17:17:37 +0200
> From: Walter Hop <freebsd@spam.lifeforms.nl>
> To: Kimmo Paasiala <kpaasial@icloud.com>
> Cc: freebsd-security@freebsd.org, Dag-Erling Smørgrav <des@des.no>,
>         Pawel Biernacki <pawel.biernacki@gmail.com>
> Subject: Re: Proposal
> Message-ID: <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl>
> Content-Type: text/plain; charset=windows-1252
>
> > In my opinion this issue couldn't have been handled any better
> > considering what it takes to do the job properly, congrats to the security
> > team from me.
> >
> > -Kimmo
>
> Please don't frame this as criticism of the security people, that's not
> fair. Of course we all congratulate them :)
>
> I think we're just interested in discussing what could be improved to
> improve response time and also make their lives better.
>
> Do we need moar Jenkins? Extra build boxes? More cash to keep people on
> retainer? Resources for training new people? Liaisons with other projects
> to improve prior notification channels? Etc.
>
> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their base
> about an hour later, FreeBSD base took around 24 hours.
> Not super bad, but
> I think it's safe to expect much more scrutiny of security-critical code in
> the coming years, so it looks like a good time to try to streamline if
> possible at all.
>
> The public attention for this and similar events may also provide a unique
> window of opportunity for soliciting extra resources from professional
> users (e.g. via a Foundation campaign).
>
> --
> Walter Hop | PGP key: https://lifeforms.nl/pgp
>
>
>
> ------------------------------
>
> Message: 12
> Date: Wed, 9 Apr 2014 16:29:13 +0100
> From: Pawel Biernacki <pawel.biernacki@gmail.com>
> To: freebsd-security@freebsd.org
> Subject: Re: Proposal
> Message-ID: <CAA3htvve4NNvmN0QOf6v4RwbT8PmGrSCFzNCbivfaEMN7J26Ow@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On 9 April 2014 15:32, Kimmo Paasiala <kpaasial@icloud.com> wrote:
> > Can you name some of those projects that claim to have such quick response
> > time? I'll be steering way clear of them knowing that they don't test their
> > security patches before releasing them. It's really quite shocking to see
> > that such unprofessional working attitude has taken so firm hold in the open
> > source world. What a pity.
>
> RedHat managed to provide the fix within 21 hours but apparently they
> knew very early about the issue. FreeBSD Security Team didn't? Why?
> You can _see_ the whole process on their bugzilla
> https://bugzilla.redhat.com/show_bug.cgi?id=1084875.
>
> On the other hand Xin Li acknowledged the issue answering a mail
> to freebsd-security@ on Monday at 21:02 UTC and then after 21 hours of
> _silence_ the fix was committed. They managed to release the fix 15
> hours before FreeBSD and I assume they test things before release
> because besides Fedora and CentOS they also have paying customers.
>
> Debian acknowledged the problem at the same time as FreeBSD according
> to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883 but they
> released the fix very very quickly.
>
> Ports got the fix very quickly as well.
>
> Maybe it'll surprise you but there are still people using FreeBSD.
> What are we supposed to do when so@ is silent while scripts exploiting
> the issue are in the wild?
> We need more transparency here.
>
> --
> One of God's own prototypes. A high-powered mutant of some kind never
> even considered for mass production. Too weird to live, and too rare to
> die.
>
>
> ------------------------------
>
> Message: 13
> Date: Wed, 09 Apr 2014 16:37:42 +0100
> From: Joe Holden <lists@rewt.org.uk>
> To: freebsd-security@freebsd.org
> Subject: Re: Proposal
> Message-ID: <53456946.9030200@rewt.org.uk>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> On 09/04/2014 16:17, Walter Hop wrote:
> >> In my opinion this issue couldn't have been handled any better
> >> considering what it takes to do the job properly, congrats to the security
> >> team from me.
> >>
> >> -Kimmo
> >
> > Please don't frame this as criticism of the security people, that's not
> > fair. Of course we all congratulate them :)
> >
> > I think we're just interested in discussing what could be improved to
> > improve response time and also make their lives better.
> >
> > Do we need moar Jenkins? Extra build boxes? More cash to keep people on
> > retainer? Resources for training new people? Liaisons with other projects
> > to improve prior notification channels? Etc.
> >
> > FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their
> > base about an hour later, FreeBSD base took around 24 hours. Not super bad,
> > but I think it's safe to expect much more scrutiny of security-critical
> > code in the coming years, so it looks like a good time to try to streamline
> > if possible at all.
> >
> > The public attention for this and similar events may also provide a
> > unique window of opportunity for soliciting extra resources from
> > professional users (e.g. via a Foundation campaign).
> >
> 24 hours for a fix that doesn't break ABI and is relatively simple (and
> proven to be fine by other distros) is horrendous for such a critical
> problem. I mentioned this on twitter also, but there wasn't even a
> headsup from the SO until the patch went live.
>
>
> ------------------------------
>
> Message: 14
> Date: Wed, 09 Apr 2014 18:08:31 +0200
> From: Joe User <mailinglists@rootservice.org>
> To: freebsd-security@freebsd.org
> Subject: Re: Proposal
> Message-ID: <3g3r546WVbz62Xv@devnoip.rootservice.org>
> Content-Type: text/plain; charset=UTF-8
>
> On 09.04.2014 17:29, Pawel Biernacki wrote:
> > [snip]
> > We need more transparency here.
> >
>
> Please read this and other related threads and you'll understand that
> the FreeBSD-SecTeam had no real chance to react earlier than they did.
> http://seclists.org/oss-sec/2014/q2/22
>
> In fact, they were really fast, thanks therefore.
>
> Regards,
> Joe User
>
>
> ------------------------------
>
> Message: 15
> Date: Wed, 9 Apr 2014 09:28:46 -0700
> From: jungleboogie0 <jungleboogie0@gmail.com>
> To: Walter Hop <freebsd@spam.lifeforms.nl>
> Cc: freebsd-security@freebsd.org, Pawel Biernacki
>         <pawel.biernacki@gmail.com>, Kimmo Paasiala <kpaasial@icloud.com>,
>         Dag-Erling Smørgrav <des@des.no>
> Subject: Re: Proposal
> Message-ID: <CAKE2PDuR9Av2HeYzQPbE+P2=eB1obY=aOSRrWtrjGLWynQSXCg@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Walter,
>
>
> On 9 April 2014 08:17, Walter Hop <freebsd@spam.lifeforms.nl> wrote:
> >> In my opinion this issue couldn't have been handled any better
> >> considering what it takes to do the job properly, congrats to the security
> >> team from me.
> >>
> >> -Kimmo
> >
> > Please don't frame this as criticism of the security people, that's not
> > fair. Of course we all congratulate them :)
> >
> > I think we're just interested in discussing what could be improved to
> > improve response time and also make their lives better.
> >
> > Do we need moar Jenkins?
> > Extra build boxes? More cash to keep people on
> > retainer? Resources for training new people? Liaisons with other projects
> > to improve prior notification channels? Etc.
> >
> > FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their
> > base about an hour later, FreeBSD base took around 24 hours. Not super bad,
> > but I think it's safe to expect much more scrutiny of security-critical
> > code in the coming years, so it looks like a good time to try to streamline
> > if possible at all.
> >
>
> Please let us not forget that kernel.org was hacked and not detected
> for 17 days:
> http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
>
>
> I would rather wait 24 hours for a fix that's been verified and
> reviewed over having to re-update the system. It looks like many linux
> distros had this updated before
> FreeBSD but it's a matter of hours we're talking about.
>
>
> > The public attention for this and similar events may also provide a
> > unique window of opportunity for soliciting extra resources from
> > professional users (e.g. via a Foundation campaign).
> >
> > --
> > Walter Hop | PGP key: https://lifeforms.nl/pgp
> >
>
>
> --
> -------
> inum: 883510009902611
> sip: jungleboogie@sip2sip.info
> xmpp: jungle-boogie@jit.si
>
>
> ------------------------------
>
> Message: 16
> Date: Wed, 9 Apr 2014 11:54:28 -0400
> From: ari edelkind <edelkind-list-freebsd-security@episec.com>
> To: freebsd-security@freebsd.org
> Subject: Re: Proposal
> Message-ID: <CAPxErSUkfJjS_kZcYb3gUbKZbcYwoGwC2O0gjRZmxNPpMPZ3TA@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Wed, Apr 9, 2014 at 11:37 AM, Joe Holden wrote:
>
> > 24 hours for a fix that doesn't break ABI and is relatively simple (and
> > proven to be fine by other distros) is horrendous for such a critical
> > problem. I mentioned this on twitter also, but there wasn't even a headsup
> > from the SO until the patch went live.
>
> To give this some additional perspective, it took me approximately 30
> minutes to write a working exploit.
>
> Everyone makes a big deal out of private keys (which, admittedly, are a big
> deal), but I was able to collect usernames, passwords, session credentials,
> back-end single-sign-on credentials (e.g. client tokens), database
> passwords, and more from affected hosts -- all quite easily.
>
> ari
>
>
> ------------------------------
>
> Message: 17
> Date: Wed, 09 Apr 2014 19:28:53 +0200
> From: Dag-Erling Smørgrav <des@des.no>
> To: Walter Hop <freebsd@spam.lifeforms.nl>
> Cc: freebsd-security@freebsd.org, Kimmo Paasiala
>         <kpaasial@icloud.com>, Pawel Biernacki <pawel.biernacki@gmail.com>
> Subject: Re: Proposal
> Message-ID: <867g6y1kfe.fsf@nine.des.no>
> Content-Type: text/plain; charset=utf-8
>
> Walter Hop <freebsd@spam.lifeforms.nl> writes:
> > FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their
> > base about an hour later, FreeBSD base took around 24 hours.
>
> All Bryan had to do to update the port was change the version number in
> the Makefile, run "make makesum" and commit. I assume that he did some
> testing as well, but apart from that, he probably spent more time
> writing the commit message than actually updating the port.
>
> Ubuntu is much the same, since they distribute OpenSSL as a package
> rather than part of the base system - they don't even _have_ a base
> system.
>
> RedHat had prior notice since one of the OpenSSL devs is on their
> security team. They had an update ready to roll out before the issue
> was leaked (the builds are dated 2014-04-07 11:34:45 UTC), and were
> basically just waiting for the announcement, which was originally
> planned for today.
>
> To update OpenSSL in the FreeBSD base system, Xin first had to verify
> which FreeBSD releases were vulnerable and which weren't. He then had
> to obtain, verify, apply and test a patch for head, stable/10 and
> releng/10.0. Next, he had to upload the patch to the freebsd-update
> build servers and start the builds, which take several hours. Once the
> builds were done, he had to sign them and move them to the master
> server, from which they propagated to the mirrors, and then sign the
> release.
>
> Once the builds were ready to go, he moved into a phase where everything
> had to happen more or less simultaneously: commit the patches, finalize
> the advisory (which contains revision numbers and timestamps), sign it,
> then commit the advisory and the patch to the doc tree, update the
> relevant portions of the web site, wait for them to propagate (or grab a
> passing member of clusteradm@ and have them push it through manually),
> and finally mail out the advisory.
>
> Bonus points for updating vuln.xml and liaising with MITRE / CMU CERT /
> NVD / what have you.
>
> And yes, he has a whole team, but apart from writing the advisory (which
> is a lot more work than you'd think), this process is pretty much
> single-threaded. The best you can hope for is to have someone relieve
> you while you eat and sleep.
>
> And while everybody is running around yelling OMG THE INTERNET IS ON
> FIRE and calling this an unprecedented event, I'm sitting here with a
> strong sense of déjà vu, because this sort of thing actually happens
> quite often. Off the top of my head, I can think of two advisories last
> year - out of 14 - that were more or less rushed out in a panic.
> > DES (so@ on sabbatical) > -- > Dag-Erling Sm?rgrav - des@des.no > > > ------------------------------ > > Message: 18 > Date: Wed, 9 Apr 2014 18:50:33 +0100 > From: Pawel Biernacki <pawel.biernacki@gmail.com> > To: jungleboogie0 <jungleboogie0@gmail.com> > Cc: freebsd-security@freebsd.org, Kimmo Paasiala > <kpaasial@icloud.com>, Walter Hop <freebsd@spam.lifeforms.nl>, > Dag-Erling Sm?rgrav <des@des.no> > Subject: Re: Proposal > Message-ID: > <CAA3htvss= > 2UkiEYF+V2+nUY2iacBJwbJVEp66cvLbh4nX_vgZQ@mail.gmail.com> > Content-Type: text/plain; charset=UTF-8 > > On 9 April 2014 17:28, jungleboogie0 <jungleboogie0@gmail.com> wrote: > > > > Please let us not forget that kernel.org was hacked and not detected > > for 17 days: > http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/ > > I don't know why you're bringing it up here, because FreeBSD had > similar problem some time ago > (http://www.freebsd.org/news/2012-compromise.html) and I think that we > had learnt a lot from it. > > > I would rather was 24 hours for a fix that's been verified and > > reviewed over having to re-update the system. It looks like many linux > > distros had this updated before > > freeBSD but its a matter of hours we're talking about. > > > > -- > One of God's own prototypes. A high-powered mutant of some kind never > even considered for mass production. Too weird to live, and too rare to > die. > > > ------------------------------ > > Message: 19 > Date: Wed, 09 Apr 2014 19:53:10 +0200 > From: Dag-Erling Sm?rgrav <des@des.no> > To: Pawel Biernacki <pawel.biernacki@gmail.com> > Cc: freebsd-security@freebsd.org > Subject: Re: Proposal > Message-ID: <86txa2z8xl.fsf@nine.des.no> > Content-Type: text/plain; charset=utf-8 > > Pawel Biernacki <pawel.biernacki@gmail.com> writes: > > RedHat managed to provide the fix within 21 hours but aparently they > > knew very eraly about the issue. FreeBSD Security Team didn't? Why? 
> > You can _see_ the whole process on their bugzilla > > https://bugzilla.redhat.com/show_bug.cgi?id=1084875. > > No you can't. That ticket is just window dressing. By the time it was > created, RedHat had known about the issue for at least a week, and > probably more. > > DES > -- > Dag-Erling Sm?rgrav - des@des.no > > > ------------------------------ > > Message: 20 > Date: Wed, 09 Apr 2014 20:00:01 +0200 > From: Joe User <mailinglists@rootservice.org> > To: freebsd-security@freebsd.org > Subject: Re: Proposal > Message-ID: <3g3tYW2jPgz62Y0@devnoip.rootservice.org> > Content-Type: text/plain; charset=UTF-8 > > On 09.04.2014 19:53, Dag-Erling Sm?rgrav wrote: > > Pawel Biernacki <pawel.biernacki@gmail.com> writes: > >> RedHat managed to provide the fix within 21 hours but aparently they > >> knew very eraly about the issue. FreeBSD Security Team didn't? Why? > >> You can _see_ the whole process on their bugzilla > >> https://bugzilla.redhat.com/show_bug.cgi?id=1084875. > > > > No you can't. That ticket is just window dressing. By the time it was > > created, RedHat had known about the issue for at least a week, and > > probably more. > > > > DES > > > > According to Kurts Post on oss-sec RedHat didn't know it before others. > > Regards, > Joe User > > > ------------------------------ > > Message: 21 > Date: Wed, 9 Apr 2014 19:00:52 +0100 > From: Pawel Biernacki <pawel.biernacki@gmail.com> > To: joeuser@rootservice.org > Cc: freebsd-security@freebsd.org > Subject: Re: Proposal > Message-ID: > < > CAA3htvtSOGdfUQY9SiAQu5SUzgRxs6izyLjjMPWtKao8HjJo+w@mail.gmail.com> > Content-Type: text/plain; charset=UTF-8 > > On 9 April 2014 17:08, Joe User <mailinglists@rootservice.org> wrote: > > On 09.04.2014 17:29, Pawel Biernacki wrote: > >> [snip] > >> We need more transparency here. > >> > > > > Please read this and other related threads and you'll understand that > > the FreeBSD-SecTeam had no real chance to react earlier than they did. 
> > http://seclists.org/oss-sec/2014/q2/22
> >
> > In fact, they were really fast, thanks for that.
>
> Interesting lecture, thank you. But if FreeBSD SO wasn't on the
> mentioned list it's an argument for a payable position because that can
> help developing a more efficient social network in the future ;-).
>
> --
> One of God's own prototypes. A high-powered mutant of some kind never
> even considered for mass production. Too weird to live, and too rare to
> die.
>
>
> ------------------------------
>
> Message: 22
> Date: Wed, 9 Apr 2014 11:04:23 -0700
> From: jungleboogie0 <jungleboogie0@gmail.com>
> To: Pawel Biernacki <pawel.biernacki@gmail.com>
> Cc: freebsd-security@freebsd.org, Kimmo Paasiala <kpaasial@icloud.com>, Walter Hop <freebsd@spam.lifeforms.nl>, Dag-Erling Smørgrav <des@des.no>
> Subject: Re: Proposal
> Message-ID: <CAKE2PDsRa15+=qZNLJPkdTaDJNJn6hkmgVLg+5T9dFdHAh53ew@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Pawel,
>
> On 9 April 2014 10:50, Pawel Biernacki <pawel.biernacki@gmail.com> wrote:
> > On 9 April 2014 17:28, jungleboogie0 <jungleboogie0@gmail.com> wrote:
> >>
> >> Please let us not forget that kernel.org was hacked and not detected
> >> for 17 days: http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
> >
> > I don't know why you're bringing it up here, because FreeBSD had a
> > similar problem some time ago
> > (http://www.freebsd.org/news/2012-compromise.html) and I think that we
> > had learnt a lot from it.
> >
>
> Interesting, I didn't know these were identical in nature. Thanks!
>
> >> I would rather wait 24 hours for a fix that's been verified and
> >> reviewed over having to re-update the system. It looks like many Linux
> >> distros had this updated before
> >> FreeBSD but it's a matter of hours we're talking about.
> >>
> >
> > --
> > One of God's own prototypes. A high-powered mutant of some kind never
> > even considered for mass production.
> > Too weird to live, and too rare to
> > die.
> >
>
> --
> -------
> inum: 883510009902611
> sip: jungleboogie@sip2sip.info
> xmpp: jungle-boogie@jit.si
>
>
> ------------------------------
>
> Message: 23
> Date: Wed, 9 Apr 2014 19:15:46 +0100
> From: Pawel Biernacki <pawel.biernacki@gmail.com>
> To: Dag-Erling Smørgrav <des@des.no>
> Cc: freebsd-security@freebsd.org
> Subject: Re: Proposal
> Message-ID: <CAA3htvtKGXhvoJ_k6VvqeeuhN40QF+guZfGNhakXrqqiT=iPFQ@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On 9 April 2014 18:53, Dag-Erling Smørgrav <des@des.no> wrote:
> > Pawel Biernacki <pawel.biernacki@gmail.com> writes:
> >> RedHat managed to provide the fix within 21 hours but apparently they
> >> knew very early about the issue. FreeBSD Security Team didn't? Why?
> >> You can _see_ the whole process on their bugzilla
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1084875.
> >
> > No you can't. That ticket is just window dressing. By the time it was
> > created, RedHat had known about the issue for at least a week, and
> > probably more.
> >
>
> According to http://seclists.org/oss-sec/2014/q2/36 RedHat learnt
> about it 7th March and after that the bugzilla entry was created. I
> assume that it was marked as private and inaccessible to other users
> for a few hours until release of SA but at least we have some trace of
> what was done.
>
>
> --
> One of God's own prototypes. A high-powered mutant of some kind never
> even considered for mass production. Too weird to live, and too rare to
> die.
>
>
> ------------------------------
>
> Message: 24
> Date: Wed, 09 Apr 2014 20:02:55 +0200
> From: "leon@tuco" <leon@tucoinfo.fr>
> To: Dag-Erling Smørgrav <des@des.no>, Pawel Biernacki <pawel.biernacki@gmail.com>
> Cc: freebsd-security@freebsd.org
> Subject: Re: Proposal
> Message-ID: <53458B4F.5070908@tucoinfo.fr>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 09/04/2014 19:53, Dag-Erling Smørgrav wrote:
> > Pawel Biernacki <pawel.biernacki@gmail.com> writes:
> >> RedHat managed to provide the fix within 21 hours but apparently they
> >> knew very early about the issue. FreeBSD Security Team didn't? Why?
> >> You can _see_ the whole process on their bugzilla
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1084875.
> > No you can't. That ticket is just window dressing. By the time it was
> > created, RedHat had known about the issue for at least a week, and
> > probably more.
> Who cares, nobody found it in 2 years and we are squabbling about a few
> hours or days!
>
> I am much more worried about the late-coming journalists who are
> starting to freak out any Internet credit card user. That is really bad
> for e-commerce - in addition to these depressing last years of financial
> crisis.
>
> Thank you for your efforts and I will definitely continue using FreeBSD.
>
>
> ------------------------------
>
> Message: 25
> Date: Wed, 9 Apr 2014 15:44:53 -0400
> From: Nathan Dorfman <na@rtfm.net>
> To: Dag-Erling Smørgrav <des@des.no>
> Cc: freebsd-security@freebsd.org, Kimmo Paasiala <kpaasial@icloud.com>, Walter Hop <freebsd@spam.lifeforms.nl>, Pawel Biernacki <pawel.biernacki@gmail.com>
> Subject: Re: Proposal
> Message-ID: <CADgEyUstkxO1i_B9Qsw=K9qT=nrh9evhv8VekMdNKauOQFN6dg@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> First, the (unfortunately) necessary disclaimer: this is an honest
> question to satisfy my curiosity, nothing more. Absolutely no
> criticism of anyone is intended.
>
> Is it implausible to suggest that before embarking on the task of
> backporting, reviewing, testing and releasing the actual fix, an
> announcement could have been made immediately with the much simpler
> workaround of adding -DOPENSSL_NO_HEARTBEATS to the OpenSSL compiler
> flags?
>
> Given the severity of the issue, it doesn't seem that an immediate
> advisory stating "here's an immediate workaround, a full fix will be
> coming in the next day or two" would be terribly inappropriate.
> Perhaps this workaround would have required more testing than I
> imagine, but surely it'd be a tiny fraction of the time required to
> release the full fix?
>
> While I'm out here drawing fire, I might as well also ask if I'm crazy
> to think that it might be a good idea for the base system OpenSSL (and
> other third party imports) to just disable any and all non-essential
> functionality that can be disabled at compile time? Non-essential
> meaning everything not required for the base system to function --
> there's always the ports version if anyone needs more.
>
> Thanks for your thoughts, and of course, your ongoing efforts. They
> are much appreciated.
>
> -nd.
>
>
> ------------------------------
>
> Message: 26
> Date: Wed, 09 Apr 2014 20:38:39 +0100
> From: Matthew Seaman <matthew@FreeBSD.org>
> To: freebsd-security@freebsd.org
> Subject: Re: Proposal
> Message-ID: <5345A1BF.2030809@FreeBSD.org>
> Content-Type: text/plain; charset="utf-8"
>
> On 09/04/2014 18:28, Dag-Erling Smørgrav wrote:
> > RedHat had prior notice since one of the OpenSSL devs is on their
> > security team. They had an update ready to roll out before the issue
> > was leaked (the builds are dated 2014-04-07 11:34:45 UTC), and were
> > basically just waiting for the announcement, which was originally
> > planned for today.
>
> Didn't we (FreeBSD) have any advanced knowledge? There is at least one
> FreeBSD committer who is also an OpenSSL developer...
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey
>
>
> ------------------------------
>
> Message: 27
> Date: Wed, 09 Apr 2014 22:12:29 +0200
> From: Dag-Erling Smørgrav <des@des.no>
> To: Nathan Dorfman <na@rtfm.net>
> Cc: freebsd-security@freebsd.org, Kimmo Paasiala <kpaasial@icloud.com>, Walter Hop <freebsd@spam.lifeforms.nl>, Pawel Biernacki <pawel.biernacki@gmail.com>
> Subject: Re: Proposal
> Message-ID: <86d2gqz2he.fsf@nine.des.no>
> Content-Type: text/plain; charset=utf-8
>
> Nathan Dorfman <na@rtfm.net> writes:
> > Is it implausible to suggest that before embarking on the task of
> > backporting, reviewing, testing and releasing the actual fix, an
> > announcement could have been made immediately with the much simpler
> > workaround of adding -DOPENSSL_NO_HEARTBEATS to the OpenSSL compiler
> > flags?
>
> No, that's not implausible, although I don't know whether that
> workaround was known at the time. It seems obvious in retrospect, but
> may not have been that obvious under pressure. Was it mentioned in the
> OpenSSL advisory?
>
> If all you wanted to hear was "we're working on it", well, Xin did write
> that almost on -security exactly 48 hours ago.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
>
>
> ------------------------------
>
> Message: 28
> Date: Wed, 09 Apr 2014 22:13:23 +0200
> From: Dag-Erling Smørgrav <des@des.no>
> To: Nathan Dorfman <na@rtfm.net>
> Cc: freebsd-security@freebsd.org, Walter Hop <freebsd@spam.lifeforms.nl>, Kimmo Paasiala <kpaasial@icloud.com>, Pawel Biernacki <pawel.biernacki@gmail.com>
> Subject: Re: Proposal
> Message-ID: <868urez2fw.fsf@nine.des.no>
> Content-Type: text/plain; charset=utf-8
>
> Dag-Erling Smørgrav <des@des.no> writes:
> > If all you wanted to hear was "we're working on it", well, Xin did write
> > that almost on -security exactly 48 hours ago.
>
> s/that almost on -security/that on -security almost/
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
>
>
> ------------------------------
>
> Message: 29
> Date: Wed, 09 Apr 2014 13:20:42 -0700
> From: Xin Li <delphij@delphij.net>
> To: Dag-Erling Smørgrav <des@des.no>, Nathan Dorfman <na@rtfm.net>
> Cc: freebsd-security@freebsd.org, Walter Hop <freebsd@spam.lifeforms.nl>, Kimmo Paasiala <kpaasial@icloud.com>, Pawel Biernacki <pawel.biernacki@gmail.com>
> Subject: Re: Proposal
> Message-ID: <5345AB9A.8040001@delphij.net>
> Content-Type: text/plain; charset=UTF-8
>
> On 04/09/14 13:12, Dag-Erling Smørgrav wrote:
> > Nathan Dorfman <na@rtfm.net> writes:
> >> Is it implausible to suggest that before embarking on the task
> >> of backporting, reviewing, testing and releasing the actual fix,
> >> an announcement could have been made immediately with the much
> >> simpler workaround of adding -DOPENSSL_NO_HEARTBEATS to the
> >> OpenSSL compiler flags?
> >
> > No, that's not implausible, although I don't know whether that
> > workaround was known at the time. It seems obvious in retrospect,
> > but may not have been that obvious under pressure. Was it
> > mentioned in the OpenSSL advisory?
>
> The OpenSSL advisory did mention it.
>
> I didn't mention the workaround because I had posted our patch (ported
> and committed to secteam repo pending review at about 13:00 PDT I
> think, which later was revised because of another unrelated CVE), and the
> workaround also requires a recompile. Moreover, the patch would provide
> better protection because it changes the code so NO_CLEAN= won't skip
> it in an incremental build, while with -DOPENSSL_NO_HEARTBEATS it's
> possible that the user can mistakenly miss the fix.
>
> Cheers,
> --
> Xin LI <delphij@delphij.net> https://www.delphij.net/
> FreeBSD - The Power to Serve! Live free or die
>
>
> ------------------------------
>
> Message: 30
> Date: Wed, 09 Apr 2014 22:20:55 +0200
> From: Dag-Erling Smørgrav <des@des.no>
> To: Pawel Biernacki <pawel.biernacki@gmail.com>
> Cc: freebsd-security@freebsd.org, joeuser@rootservice.org
> Subject: Re: Proposal
> Message-ID: <8638hmz23c.fsf@nine.des.no>
> Content-Type: text/plain; charset=utf-8
>
> Pawel Biernacki <pawel.biernacki@gmail.com> writes:
> > Joe User <mailinglists@rootservice.org> writes:
> > > http://seclists.org/oss-sec/2014/q2/22
> > Interesting
> > lecture, thank you. But if FreeBSD SO wasn't on the
> > mentioned list [...]
>
> We are. By my reckoning, Xin posted on -security that he was aware of
> the issue and working on it less than two hours after that announcement.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> ------------------------------
>
> End of freebsd-security Digest, Vol 482, Issue 4
> ************************************************
>
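The incremental-build pitfall Xin Li describes in message 29 (a CFLAGS-only workaround such as -DOPENSSL_NO_HEARTBEATS being skipped by a NO_CLEAN build, whereas a source patch is always recompiled), reproduced here as an added example that is not code from the thread or from FreeBSD. It assumes only make(1) and a POSIX shell; the compile step is a mock rule and t1_lib.c is a constructed stand-in, not OpenSSL's file.

```shell
#!/bin/sh
# Added example, not from the thread. A workaround carried only in CFLAGS
# changes no source file, so an incremental build (NO_CLEAN=yes on FreeBSD)
# sees every object as up to date and never recompiles it. A source patch
# changes the file's mtime and is always rebuilt. Assumptions: make(1) is
# installed; the "compiler" is a mock rule; t1_lib.c is a constructed stand-in.
set -eu

# Create a throwaway tree and do the initial full build without the flag.
setup_tree() {
    printf 'int placeholder;\n' > t1_lib.c
    # Mock compile rule: the "object" records CFLAGS plus the source text.
    printf 'CFLAGS =\nt1_lib.o: t1_lib.c\n\t{ echo "CFLAGS=[$(CFLAGS)]"; cat t1_lib.c; } > $@\n' > Makefile
    make -s t1_lib.o >/dev/null
}

# Report whether the built object carries either fix marker: "fixed" or "stale".
object_state() {
    if grep -Eq 'OPENSSL_NO_HEARTBEATS|HEARTBEAT_FIX_APPLIED' t1_lib.o; then
        echo fixed
    else
        echo stale
    fi
}

# Scenario 1: flag-only workaround, incremental build -> object left stale.
workaround_via_cflags_incremental() (
    cd "$(mktemp -d)" && setup_tree
    make -s t1_lib.o CFLAGS=-DOPENSSL_NO_HEARTBEATS >/dev/null
    object_state
)

# Scenario 2: same flag after removing the old object (a clean build) -> fixed.
# This is the step a user relying on the flag alone must not skip.
workaround_via_cflags_clean() (
    cd "$(mktemp -d)" && setup_tree
    rm -f t1_lib.o
    make -s t1_lib.o CFLAGS=-DOPENSSL_NO_HEARTBEATS >/dev/null
    object_state
)

# Scenario 3: the fix is in the source (as FreeBSD's patch was), so even an
# incremental build with unchanged CFLAGS recompiles it.
fix_via_source_patch_incremental() (
    cd "$(mktemp -d)" && setup_tree
    sleep 1    # make compares mtimes; be safe on filesystems with 1s resolution
    printf '/* HEARTBEAT_FIX_APPLIED: constructed marker for the patched code */\n' >> t1_lib.c
    make -s t1_lib.o >/dev/null
    object_state
)

# Stand-alone run prints one line per scenario.
echo "cflags, incremental build:   $(workaround_via_cflags_incremental)"   # stale
echo "cflags, clean build:         $(workaround_via_cflags_clean)"         # fixed
echo "source patch, incremental:   $(fix_via_source_patch_incremental)"    # fixed
```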