From: Walter Cramer <wfc@mintsol.com>
To: freebsd-security@freebsd.org
Date: Thu, 4 Jul 2019 10:18:16 -0400 (EDT)
Subject: ?Minor Security Issue - DNS, /etc/hosts, freebsd-update, ?pkg
Message-ID: <20190704093847.U44480@mulder.mintsol.com>
In-Reply-To: <20190703004928.525251A7DC@freefall.freebsd.org>
References: <20190703004928.525251A7DC@freefall.freebsd.org>

Suspected severity: Low. Systems with inattentive administrators may not receive the latest updates, and no obvious error messages will point out the problem.

Situation discovered in: A few older 11.2-RELEASE FreeBSD systems, with /etc/hosts entries like this:

    96.47.72.72 ftp.freebsd.org
    96.47.72.71 pkg.freebsd.org

(Those are now obsolete. Originally, they were added to simplify firewall rules and rule-loading, and as a DNS hijack defense.)

Resulting problem: `freebsd-update fetch` sometimes "sees" the latest (11.2-RELEASE-p11) version of 11.2. Other times, it "sees" the older 11.2-RELEASE-p10. So, if a sysadmin relied on `freebsd-update` to tell him when systems needed updating, he could be unaware of un-patched, vulnerable systems.

NOT verified: Whether the obsolete /etc/hosts entry for pkg.freebsd.org actually causes any problems. (Or if `pkg` is aware of the problem, and silently doing all the right things.)

Suggested Fixes...

- Have `freebsd-update`, `pkg`, and similar utilities double-check for DNS information that is obsolete or conflicting, and warn the user.
- Have any obsolete - but still-active - pkg or update servers advertise their obsolete status, and `freebsd-update` and `pkg` notice that, and warn the user.
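The first suggested fix above (a utility double-checking /etc/hosts against live DNS and warning on conflicts) can be approximated today with a small audit script. The script below is an added example, not code from the poster or from the FreeBSD project. It parses a hosts(5) file, looks up each pinned name in DNS, and reports names whose pinned address is no longer among the answers, so an administrator finds a stale pin before it silently steers `freebsd-update` or `pkg` to an old mirror. It assumes `drill` is available (it ships in the FreeBSD base system) and that `resolve_host` may be redefined to use another resolver; the host names and addresses in the comments are constructed examples.

```shell
#!/bin/sh
# Added example: audit /etc/hosts pins against what DNS currently returns.
# Assumption: `drill` (FreeBSD base) is on PATH. Redefine resolve_host to
# use `host`, `dig`, or a stub for offline testing.

# resolve_host NAME -> A records DNS currently returns, one per line.
resolve_host() {
    drill -Q "$1" A 2>/dev/null | sort -u
}

# hosts_entries FILE -> "IP NAME" pairs from a hosts(5) file, one per
# alias, skipping comments, blank lines, loopback and IPv6 link-local.
hosts_entries() {
    sed -e 's/#.*//' "$1" | awk '
        NF >= 2 && $1 !~ /^(127\.|::1$|fe80:)/ {
            for (i = 2; i <= NF; i++) print $1, $i
        }'
}

# check_hosts FILE -> one line per finding:
#   CONFLICT   NAME pinned=IP dns=IP1,IP2   (pin no longer in DNS answers)
#   UNRESOLVED NAME pinned=IP ...           (no DNS answer; cannot verify)
# Entries whose pinned address is still among the DNS answers are silent.
check_hosts() {
    hosts_entries "$1" | while read -r ip name; do
        dns=$(resolve_host "$name")
        if [ -z "$dns" ]; then
            echo "UNRESOLVED $name pinned=$ip (no DNS answer; cannot verify)"
            continue
        fi
        # -F: treat the dotted address literally; -x: whole-line match.
        if echo "$dns" | grep -qxF "$ip"; then
            continue
        fi
        joined=$(echo "$dns" | tr '\n' ',' | sed 's/,$//')
        echo "CONFLICT $name pinned=$ip dns=$joined"
    done
}

# hosts_conflict_count FILE -> number of CONFLICT findings (0 when clean).
hosts_conflict_count() {
    check_hosts "$1" | awk '/^CONFLICT /{n++} END{print n+0}'
}

# Typical use on a live system (constructed invocation):
#   check_hosts /etc/hosts
# A non-zero hosts_conflict_count is a reason to remove or refresh the pin
# before trusting the version `freebsd-update fetch` reports.
```

Run it from a periodic(8) script or by hand after upgrades; an UNRESOLVED line is worth a look too, since a pin for a name that no longer exists in DNS is exactly the kind of entry that was forgotten.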