The HN discussion:

https://news.ycombinator.com/item?id=12261347



On 11/08/2016 7:59 PM, Vincent Hoffman-Kazlauskas wrote:
For those not on freebsd-announce (or reddit or anywhere else it got posted)

"FreeBSD Core statement on recent freebsd-update and related
vulnerabilities"
https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html



Vince

On 11/08/2016 05:22, Julian Elischer wrote:
On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote:

sorry but this is blabla and does not come even near to answering the
real problem:

It appears that FreeBSD and the US government are more connected than
some of us might like:

Not publishing security issues concerning update mechanisms - we all
can think WHY freebsd is not eager on this one.

Just my thoughts...
this has been in discussion a lot in private circles within FreeBSD.
It's not being ignored and a "correct" patch is being developed.

from one email I will quote just a small part..
=======

As of yet, [the] patches for the libarchive vulnerabilities have not been released upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has created patches for some of the libarchive vulnerabilities; the first[3] is being considered for inclusion in FreeBSD, at least until a complete fix is committed upstream. However, the second[4] is considered too brute-force and will not be committed as-is. Once the patches are in FreeBSD and updated binaries are available, a Security Advisory will be issued.

=======
so expect something soon.
I will go on to say that the threat does need to come from an advanced MITM actor, though that does not make it a non-threat.


Tuesday, August  9, 2016 8:21 PM UTC from Matthew Donovan
<kit...@kitchetech.com>:

You mean operating system, as distribution is a Linux term. There's not much difference between HardenedBSD and FreeBSD besides that HardenedBSD fixes vulnerabilities and has an excellent ASLR system compared to the proposed one for FreeBSD.

On Aug 9, 2016 3:10 PM, "Roger Marquis" <marq...@roble.com> wrote:

Timely update via Hackernews:

   <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>

Note in particular:

   "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
   and libarchive vulnerabilities."

Not sure why the portsec team has not commented or published an advisory
(possibly because the freebsd list spam filters are so bad that
subscriptions are being blocked) but from where I sit it seems that
those exposed should consider:

   cd /usr/ports
   svn{lite} co  https://svn.FreeBSD.org/ports/head /usr/ports
   make index
   rm -rf /usr/sbin/portsnap /var/db/portsnap/*

I'd also be interested in hearing from hardenedbsd users regarding the
pros and cons of cutting over to that distribution.

Roger
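The cutover Roger sketches above, written out as a script with the checks an operator would want before running it on a live box. This is an added example, not a script from the thread or from the FreeBSD project: it picks `svn` or `svnlite` (whichever is installed), moves an existing portsnap-managed `/usr/ports` aside instead of checking out on top of it, updates rather than re-checks-out if the tree is already a Subversion working copy, and disables portsnap by moving its state directory aside rather than `rm -rf`-ing it. `PORTS_DIR`, `PORTS_URL` and `PORTSNAP_DB` are assumed defaults that can be overridden from the environment; the checkout URL is the one from Roger's message.

```shell
#!/bin/sh
# Added example: migrate a FreeBSD ports tree from portsnap to a Subversion
# checkout, with guard rails. Not part of the original thread.
set -eu

# Assumed defaults (override via the environment).
PORTS_DIR="${PORTS_DIR:-/usr/ports}"
PORTS_URL="${PORTS_URL:-https://svn.FreeBSD.org/ports/head}"
PORTSNAP_DB="${PORTSNAP_DB:-/var/db/portsnap}"

# Print the first of the given commands that exists on PATH; fail if none do.
first_available() {
    for cmd in "$@"; do
        if command -v "$cmd" >/dev/null 2>&1; then
            printf '%s\n' "$cmd"
            return 0
        fi
    done
    return 1
}

# A directory is treated as a Subversion working copy if it has a .svn dir.
is_svn_checkout() {
    [ -d "$1/.svn" ]
}

# Make sure the target exists and is either empty or already an svn checkout.
# A populated non-svn tree (typically portsnap's) is moved aside, not deleted,
# so the operator can inspect or restore it.
prepare_ports_dir() {
    dir="$1"
    if [ -d "$dir" ] && ! is_svn_checkout "$dir"; then
        if [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
            mv "$dir" "$dir.portsnap-$(date +%Y%m%d%H%M%S)"
        fi
    fi
    mkdir -p "$dir"
}

main() {
    svn=$(first_available svn svnlite) || {
        echo "neither svn nor svnlite is installed" >&2
        exit 1
    }
    prepare_ports_dir "$PORTS_DIR"
    if is_svn_checkout "$PORTS_DIR"; then
        "$svn" update "$PORTS_DIR"
    else
        "$svn" checkout "$PORTS_URL" "$PORTS_DIR"
    fi
    (cd "$PORTS_DIR" && make index)
    # Retire portsnap's state by renaming it; nothing is destroyed.
    if [ -d "$PORTSNAP_DB" ]; then
        mv "$PORTSNAP_DB" "$PORTSNAP_DB.disabled"
    fi
}

# Only act when explicitly asked, so the functions can be sourced and tested.
case "${1:-}" in
    run) main ;;
esac
```

Run it as `sh migrate-ports.sh run` as root; sourcing the file without the `run` argument only defines the functions. The script deliberately leaves the `portsnap` binary in place: removing a base-system binary by hand is undone by the next base upgrade, whereas a missing state directory makes `portsnap fetch` fail loudly, which is the behaviour you want until the advisories are out.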



On 2016-07-29 09:00, Julian Elischer wrote:
not sure if you've been contacted privately, but I believe the answer is
"we're working on it"

My concerns are as follows:

1. This is already out there, and FreeBSD users haven't been alerted that
they should avoid running freebsd-update/portsnap until the problems are
fixed.

2. There was no mention in the bspatch advisory that running
freebsd-update to "fix" bspatch would expose systems to MITM attackers who
are apparently already in operation.

3. Strangely, the "fix" in the advisory is incomplete and still permits
heap corruption, even though a more complete fix is available. That's
what prompted my post. If FreeBSD learned of the problem from the same
source document we all did, which seems likely given the coincidental
timing of an advisory for a little-known utility a week or two after that
source document appeared, then surely FreeBSD had the complete fix
available.

_______________________________________________
freebsd-po...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Best regards,
Mail Lists
mli...@mail.ru


