Hi Peter,

My last question on this: recently "Replaced the kernel RC4(arc4random) with Chacha20" on 11.0 kernel, should we apply on 10.4 kernel? Please find the corresponding review and fix: https://reviews.freebsd.org/D10048 and https://reviews.freebsd.org/rS317015

Thanks in advance,
Brahma

On Fri, Jan 12, 2018 at 1:11 PM, Peter Jeremy <pe...@rulingia.com> wrote:
> On 2018-Jan-12 12:33:21 +0530, Brahmanand Reddy <brahma....@gmail.com> wrote:
> >TCP uses weak initial sequence numbers
> >https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc
>
> As has been pointed out to you several times in this thread, that SA is
> nearly 20 years old and there is no evidence that TCP on any recent FreeBSD
> uses weak ISNs.
>
> >actually "arc4random()" will take care on
> >https://github.com/freebsd/freebsd/blob/master/sys/netinet/tcp_subr.c#L2374
>
> Without studying the code in detail, that code appears to correctly use
> arc4random() to initialise the ISN - which is as expected.
>
> > I suspecting 10.4 already having fix... but I didn't found on exactly
> >which this problem from https://www.freebsd.org/security/patches/
>
> Well, the original patch is
> https://www.freebsd.org/security/patches/SA-00%3A52/ and was committed
> as what is now https://svnweb.freebsd.org/base?view=revision&revision=66433
> Since that patch is integrated into the FreeBSD codebase, there's no need
> to update the contents of https://www.freebsd.org/security/patches/SA-00%3A52/
> and it is not relevant to the current codebase.
>
> > I would like expecting where is the fix in 10,4 kernel.
>
> That code was re-written in r82122, retaining the use of arc4random() for
> ISN initialisation. As a result, it's no longer possible to point at
> specific code and say "that code fixes weak TCP ISNs".
>
> --
> Peter Jeremy

_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"