Date: Thu, 22 Jun 2017 12:00:33 +0200 From: Remko Lodder <remko@FreeBSD.org> To: Michelle Sullivan <michelle@sorbs.net> Cc: Ed Maste <emaste@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: Re: The Stack Clash vulnerability Message-ID: <0F042A4B-CB52-47EB-A191-D7617E51789A@FreeBSD.org> In-Reply-To: <a1c45d20-78f9-e7d7-2f3e-d18c1723c5d5@sorbs.net> References: <F9B7242B-ED83-45C5-9196-6FD095AD9497@gvcgroup.com> <CAPyFy2CicxYBZpyy-pHS%2BQ=wTvwhpqi0fOKahEBDqiVe5h084A@mail.gmail.com> <CAPyFy2C4-hKG=hh0=th%2BRDwBzmMUqMqdg4YYZ76WxGS-JLnLBA@mail.gmail.com> <a1c45d20-78f9-e7d7-2f3e-d18c1723c5d5@sorbs.net>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] > On 22 Jun 2017, at 03:10, Michelle Sullivan <michelle@sorbs.net> wrote: > > Ed Maste wrote: >> On 20 June 2017 at 16:22, Ed Maste <emaste@freebsd.org> wrote: >>> On 20 June 2017 at 04:13, Vladimir Terziev <vterziev@gvcgroup.com> wrote: >>>> Hi, >>>> >>>> I assume FreeBSD security team is already aware about the Stack Clash vulnerability, that is stated to affect FreeBSD amongst other Unix-like OS. >>> Yes, the security team is aware of this. Improvements in stack >>> handling are in progress (currently in review). >> I would like to provide some additional background on this issue. >> First I'd like to thank Qualys for their detailed and thorough >> investigation, which is contributing directly to improving FreeBSD. >> >> The FreeBSD security team is aware of and is monitoring this issue, >> but is not directly developing in the changes that are in progress. >> The issue under discussion is a limitation in a vulnerability >> mitigation technique. Changes to improve the way FreeBSD manages stack >> growth, and mitigate the issue demonstrated by Qualys' >> proof-of-concept code, are in progress by FreeBSD developers >> knowledgeable in the VM subsystem. These changes are expected to be >> committed to FreeBSD soon, and from there they will be merged to >> stable branches and into updates for supported releases. > > One would hope considering the nature and potential threat this would be one of those fixes back ported to previous -STABLE trees as well. > Hi Michelle, On a general note: When we fix issues, they go to the supported branches / releases. 7.x for example is no longer supported and is not likely to receive this care and attention unless someone is willing to support such a change to that branch. For supported branches, such a change is likely to be merged to those branches and also to supported releases depending on the determination. E.g. A Security Advisory (SA) or Errata Notice (EN) will be merged to affected -RELEASES as well. If an issue does not get one of those two markers, the issue will not be merged to -RELEASES but can be merged to -STABLE branches. The above is a general note and not specifically pointed towards “The Stack Clash” documents, so this can support potential future questions in the same area as well :-) Cheers Remko > > -- > Michelle Sullivan > http://www.mhix.org/ <http://www.mhix.org/>; > > _______________________________________________ > freebsd-security@freebsd.org <mailto:freebsd-security@freebsd.org> mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security <https://lists.freebsd.org/mailman/listinfo/freebsd-security>; > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org <mailto:freebsd-security-unsubscribe@freebsd.org>" [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJZS5VCAAoJEHE1jtY/d0B5SZwQAJDIs1XR6pOEDJCbaDSPa2xF SZtJlTyje5taJC8M9Llk+HS1Zzy/wxfXTCVb+n6o4LKUv8p3qkQFc0iU0ZSIRL5d jVwo4SCdSJVoNrqqSR3yrU4QFDwiSkUnRq+HJCEnIMqMnvwyMNMxAmiQCmwVsAp2 mP8ViB3rWQmby2PxNGeWoQ0e+YMP3LmmL2PD4IH2jB2qMCxsvdgS6l8xnvxJwFyc iDMKWMbFVsEo9Lm6KL0CxLtk8/GOTE6b5Rxxlar5oHlXxrRsMR2msfHw87nDOscJ XrlaGSDCttS9ccfUv8PyV+5LUQz8mvTxFTcnkCEHOFLDVhE19l5S/7ZFILLqrmdQ PMK6Q+OebI1VElLRaavXpFBJlJ1+C6m0HdrQjagm9KDhw9ev11Q9TIHEu8hgzZ9Q dfpLGLTjh+UIRLSt8HS1E6G+35GMPUTtf3oMGAnU58exaxL6JPq6s2J5wbMSBAWE HkKSXnYVFKmx7yJ5P2nsrX4hF5EOZ6wJ7xmY2NwmZsrOUhPLIr3QMUuAi0kdwxBg r0bJz8GUU+COaeoBkZiIehu0qOYSsbdCCs0nJ4x8LVMbc0753NVAR9gT03GwzSIT CPT+zh9s19UkilEEKnUSTvkFfjlTEw7jyWLnwnIp6Vm4Uan9M18Zw0K6n8W+ZJiK IW/4YAMoG+9Owv39iCSA =Vfz+ -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0F042A4B-CB52-47EB-A191-D7617E51789A>