Date:      Thu, 11 Aug 2016 22:13:21 +1000
From:      Joe Shevland <jshevland@calm-horizons.net>
To:        freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: freebsd-update and portsnap users still at risk of compromise
Message-ID:  <aadba3e2-b7fc-a7ce-110a-fad68da8e2f2@calm-horizons.net>
In-Reply-To: <d34bf03a-c3d7-7f3e-48da-cd62bbdad119@unsane.co.uk>
References:  <6bd80e384e443e5de73fb951e973b221@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> <CABgom6ca0Rh-H_uQPbO9=EMCEZk3Q78AXQGbCSFae_qMKJggdQ@mail.gmail.com> <1470849104.192073030@f370.i.mail.ru> <e45a1d5e-1bc2-6602-2cf2-f0b24aff153b@freebsd.org> <d34bf03a-c3d7-7f3e-48da-cd62bbdad119@unsane.co.uk>

The HN discussion:

https://news.ycombinator.com/item?id=12261347



On 11/08/2016 7:59 PM, Vincent Hoffman-Kazlauskas wrote:
> For those not on freebsd-announce (or reddit or anywhere else it got posted)
>
> "FreeBSD Core statement on recent freebsd-update and related
> vulnerabilities"
> https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html
>
>
>
> Vince
>
> On 11/08/2016 05:22, Julian Elischer wrote:
>> On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote:
>>>
>>> sorry but this is blabla and does not come even near to answering the
>>> real problem:
>>>
>>> It appears that freebsd and the US-government is more connected than
>>> some of us might like:
>>>
>>> Not publishing security issues concerning update mechanisms - we all
>>> can think WHY freebsd is not eager on this one.
>>>
>>> Just my thoughts...
>> this has been in discussion a lot in private circles within FreeBSD.
>> It's not being ignored and a "correct" patch is being developed.
>>
>> from one email I will quote just a small part..
>> =======
>>
>> As of yet, [the] patches for the libarchive vulnerabilities have not
>> been released
>> upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has
>> created
>> patches for some of the libarchive vulnerabilities, the first[3] is being
>> considered for inclusion in FreeBSD, at least until a complete fix is
>> committed upstream, however the second[4] is considered too brute-force and
>> will not be committed as-is. Once the patches are in FreeBSD and updated
>> binaries are available, a Security Advisory will be issued.
>>
>> =======
>> so expect something soon.
>> I will go on to say that the threat does need to come from an advanced
>> MITM actor,
>> though that does not make it a non threat..
>>
>>>
>>>> Tuesday, August  9, 2016 8:21 PM UTC from Matthew Donovan
>>>> <kitche@kitchetech.com>:
>>>>
>>>> You mean operating system as distribution is a Linux term. There's
>>>> not much
>>>> different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
>>>> vulnerabilities and has an excellent ASLR system compared to the
>>>> proposed
>>>> one for FreeBSD.
>>>>
>>>> On Aug 9, 2016 3:10 PM, "Roger Marquis" < marquis@roble.com > wrote:
>>>>
>>>>> Timely update via Hackernews:
>>>>>
>>>>>    <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>
>>>>>
>>>>> Note in particular:
>>>>>
>>>>>    "FreeBSD is still vulnerable to the portsnap, freebsd-update,
>>>>> bspatch,
>>>>>    and libarchive vulnerabilities."
>>>>>
>>>>> Not sure why the portsec team has not commented or published an
>>>>> advisory
>>>>> (possibly because the freebsd list spam filters are so bad that
>>>>> subscriptions are being blocked) but from where I sit it seems that
>>>>> those exposed should consider:
>>>>>
>>>>>    cd /usr/ports
>>>>>    svn{lite} co  https://svn.FreeBSD.org/ports/head /usr/ports
>>>>>    make index
>>>>>    rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>>>>
>>>>> I'd also be interested in hearing from hardenedbsd users regarding the
>>>>> pros and cons of cutting over to that distribution.
>>>>>
>>>>> Roger
>>>>>
>>>>>
>>>>>
>>>>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>>>>> not sure if you've been contacted privately, but  I believe the
>>>>>>> answer is
>>>>>>> "we're working on it"
>>>>>>>
>>>>>> My concerns are as follows:
>>>>>>
>>>>>> 1. This is already out there, and FreeBSD users haven't been
>>>>>> alerted that
>>>>>> they should avoid running freebsd-update/portsnap until the
>>>>>> problems are
>>>>>> fixed.
>>>>>>
>>>>>> 2. There was no mention in the bspatch advisory that running
>>>>>> freebsd-update to "fix" bspatch would expose systems to MITM
>>>>>> attackers who
>>>>>> are apparently already in operation.
>>>>>>
>>>>>> 3. Strangely, the "fix" in the advisory is incomplete and still
>>>>>> permits
>>>>>> heap corruption, even though a more complete fix is available. That's
>>>>>> what prompted my post. If FreeBSD learned of the problem from the same
>>>>>> source document we all did, which seems likely given the coincidental
>>>>>> timing of an advisory for a little-known utility a week or two
>>>>>> after that
>>>>>> source document appeared, then surely FreeBSD had the complete fix
>>>>>> available.
>>>>>>
>>>>>> _______________________________________________
>>>>>    freebsd-ports@freebsd.org mailing list
>>>>>    https://lists.freebsd.org/mailman/listinfo/freebsd-ports
>>>>> To unsubscribe, send any mail to "
>>>>> freebsd-ports-unsubscribe@freebsd.org "
>>>>>
>>>> _______________________________________________
>>>> freebsd-security@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>>>> To unsubscribe, send any mail to "
>>>> freebsd-security-unsubscribe@freebsd.org "
>>> Best regards,
>>> Mail Lists
>>> mlists@mail.ru
>>> _______________________________________________
>>> freebsd-security@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to
>>> "freebsd-security-unsubscribe@freebsd.org"
>>>
>> _______________________________________________
>> freebsd-ports@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
>> To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
>>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?aadba3e2-b7fc-a7ce-110a-fad68da8e2f2>