From: Dave Duchscher
Subject: Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:03.pkg
Date: Sun, 15 Jun 2014 07:12:21 -0500
To: freebsd-stable@freebsd.org
In-Reply-To: <201405140000.s4E002sO029919@freefall.freebsd.org>

I have had a few surprises with FreeBSD over the years, and the new ports system has provided quite a few of them, but this update takes the cake. We have our own package repository with custom options. We liked and adopted pkgng early. We also have a lot of automation.
With this update, all of a sudden, we have a new repository configured on our system (/etc/FreeBSD.conf). Let's say I was very surprised. It is true that mistakes happen. Maybe it's ours for not fully understanding what was being done. In any event, this definitely caused lots of issues for us and has wasted a lot of my time.

Dave

On May 13, 2014, at 7:00 PM, FreeBSD Errata Notices wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-EN-14:03.pkg                                            Errata Notice
>                                                           The FreeBSD Project
>
> Topic:          pkg bootstrapping, configuration and public keys
>
> Category:       core, packages
> Module:         pkg
> Announced:      2014-05-13
> Credits:        Baptiste Daroussin, Bryan Drewery
> Affects:        All versions of FreeBSD prior to 10.0-RELEASE
> Corrected:      2014-04-15 23:40:47 UTC (stable/8, 8.4-STABLE)
>                 2014-05-13 23:24:32 UTC (releng/8.4, 8.4-RELEASE-p10)
>                 2014-03-11 14:48:44 UTC (stable/9, 9.2-STABLE)
>                 2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6)
>                 2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13)
>
> For general information regarding FreeBSD Errata Notices and Security
> Advisories, including descriptions of the fields above, security
> branches, and the following sections, please visit .
>
> I.   Background
>
> The pkg(7) utility is the new package management tool for FreeBSD. The
> FreeBSD project has provided official pkg(7) packages since October 2013
> and signed packages since the pkg-1.2 release in November 2013. The
> signature checking requires known public keys to be installed locally.
> The repository configuration must be installed as well.
>
> The base system also includes a pkg(7) bootstrap tool that installs the
> latest real pkg(7) package.
> The bootstrap tool knows where to find the
> official pkg(7) package, but once that is installed the real pkg(7) will
> not know where to find official packages, nor have the known public key
> for signature checking.
>
> The bootstrap tool was also improved in 10.0-RELEASE to check the
> signature on the pkg(7) package it is installing.
>
> II.  Problem Description
>
> Only FreeBSD 10.0 has been released with the official repository
> configuration, known public keys, and a bootstrap tool that checks the
> signature of the pkg(7) package it is installing.
>
> To allow packages to be used on a system, the configuration must be
> manually set up and keys securely fetched and installed to the proper
> location.
>
> III. Impact
>
> Releases before 10.0 require manual configuration. Manually configuring the
> pkg(7) signatures could result in insecurely installing the keys or leaving
> the signature checking disabled.
>
> The bootstrap tool is not secure on releases prior to 10.0 due to not checking
> the signature and could result in having an unofficial pkg(7) installed due to
> MITM attacks.
>
> IV.  Workaround
>
> To securely install pkg(7) on releases prior to 10.0, install it from ports
> obtained from a secure portsnap checkout:
>
> # portsnap fetch extract
> # echo "WITH_PKGNG=yes" >> /etc/make.conf
> # make -C /usr/ports/ports-mgmt/pkg install clean
>
> If this is an existing system it may be converted to pkg(7) as well by running:
>
> # pkg2ng
>
> After this is done /usr/ports may be removed if no longer required.
>
> To work around the configuration and keys being missed, apply the solution in
> this Errata.
>
> V.   Solution
>
> No solution is provided for pkg(7) bootstrap signature checking on releases prior
> to 10.0. Upgrading to 10.0 or stable/9 after r263038 will suffice.
>
> To install the configuration and public key in a secure means, perform one of
> the following:
>
> 1) Upgrade your system to a supported FreeBSD stable or release / security
> branch (releng) dated after the correction date.
>
> 2) To update your present system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 9.2]
> # fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.2.patch
> # fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.2.patch.asc
> # gpg --verify pkg-en-releng-9.2.patch.asc
>
> [FreeBSD 9.1]
> # fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.1.patch
> # fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.1.patch.asc
> # gpg --verify pkg-en-releng-9.1.patch.asc
>
> [FreeBSD 8.4]
> # fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch
> # fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch.asc
> # gpg --verify pkg-en-releng-8.4.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/etc/pkg
> # mkdir -p /etc/pkg /usr/share/keys/pkg/trusted /usr/share/keys/pkg/revoked
> # make install
> # cd /usr/src/share/keys/pkg
> # make install
>
> 3) To update your system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch/path                                                      Revision
> -------------------------------------------------------------------------
> stable/8/                                                         r264519
> releng/8.4/                                                       r265989
> stable/9/                                                         r263937 (*)
> releng/9.1/                                                       r265988
> releng/9.2/                                                       r265988
> -------------------------------------------------------------------------
>
> (*) The actual required changeset consists of a series of changes, including
> r263023, r258550, r263050, r263053 and r263937.
>
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
>
>
> VII. References
>
> The latest revision of this Errata Notice is available at
> http://security.FreeBSD.org/advisories/FreeBSD-EN-14:03.pkg.asc
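The reply describes the default repository file appearing on a host that runs its own repository, and the errata warns about signature checking being left disabled; the script below is an added example (not code from the errata notice or from the reply) that audits a set of pkg repository files for exactly those two conditions. It assumes pkg's documented read order (/etc/pkg/*.conf first, then /usr/local/etc/pkg/repos/*.conf, with a later block for the same name overriding an earlier one) and uses constructed sample files with the hypothetical repository names `site` and `legacy`; the `FreeBSD: { enabled: no }` override is the documented way to switch the default repository off.

```shell
#!/bin/sh
# Added example, not from the errata or the reply.  pkg(8) reads /etc/pkg/*.conf,
# then /usr/local/etc/pkg/repos/*.conf; a later block with the same name overrides
# an earlier one.  Merge the files in that order and flag enabled repositories
# that are unsigned or not on the site's allowlist.  All config files are samples.
# audit_pkg_repos "<allowlist>" file...  -> one "NAME enabled= sig= status=" line per repo
audit_pkg_repos() {
    allow="$1"; shift
    awk -v allow=" $allow " '
    {
        sub(/#.*/, "")                           # drop comments
        gsub(/\$\{[^}]*\}/, "VAR")               # ${ABI} must not look like a brace
        gsub(/[{}]/, " & "); gsub(/[",]/, " ")   # tokenise braces, drop quotes/commas
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:$/ && $(i + 1) == "{") {  # "Name: {" opens a repository block
                name = substr($i, 1, length($i) - 1); seen[name] = 1; i++
                if (!(name in en))  en[name]  = "yes"   # pkg default: enabled
                if (!(name in sig)) sig[name] = "none"  # pkg default: no signature check
            } else if ($i == "}") {
                name = ""
            } else if (name != "" && $i ~ /:$/) { # "key: value" inside a block
                key = substr($i, 1, length($i) - 1); val = $(++i)
                if (key == "enabled")        en[name]  = val
                if (key == "signature_type") sig[name] = val
            }
        }
    }
    END {
        for (n in seen) {
            st = "OK"
            if (en[n] == "yes" || en[n] == "true") {
                if (sig[n] != "fingerprints")          st = "WARN:unsigned"
                else if (index(allow, " " n " ") == 0) st = "WARN:unexpected"
            }
            printf "%s enabled=%s sig=%s status=%s\n", n, en[n], sig[n], st
        }
    }' "$@"
}

# Constructed sample tree; "$1" stands in for the root directory.
make_sample_conf() {
    mkdir -p "$1/etc/pkg" "$1/usr/local/etc/pkg/repos"
    printf 'FreeBSD: {\n  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",\n  mirror_type: "srv",\n  signature_type: "fingerprints",\n  fingerprints: "/usr/share/keys/pkg",\n  enabled: yes\n}\n' > "$1/etc/pkg/FreeBSD.conf"
    printf 'site: { url: "http://pkg.example.internal/${ABI}", signature_type: "fingerprints", fingerprints: "/usr/local/etc/pkg/keys" }\nlegacy: { url: "http://pkg.example.internal/old", signature_type: "none" }\n' > "$1/usr/local/etc/pkg/repos/site.conf"
    printf 'FreeBSD: { enabled: no }\n' > "$1/usr/local/etc/pkg/repos/FreeBSD.conf"   # turns the default repo off
}

d=$(mktemp -d); make_sample_conf "$d"
echo "== default repo file present, no override:"; audit_pkg_repos "site legacy" "$d/etc/pkg/FreeBSD.conf" "$d/usr/local/etc/pkg/repos/site.conf"
echo "== with FreeBSD: { enabled: no } in repos/:"; audit_pkg_repos "site legacy" "$d/etc/pkg/FreeBSD.conf" "$d"/usr/local/etc/pkg/repos/*.conf
rm -r "$d"
```

Without the override the default `FreeBSD` repository is reported as enabled but unexpected, and `legacy` is reported as unsigned; with the override file in place `FreeBSD` is disabled and only the unsigned repository remains flagged.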