npm doesn't check package signatures, should www/npm print security alert?

2015-03-16 Thread Yuri
www/npm downloads and installs packages without having signature 
checking in place.
There is a discussion about package security at 
https://github.com/node-forward/discussions/issues/29 , but actual 
checking isn't currently done.


Additionally, npm allows direct downloads of GitHub projects without any 
authenticity checking or maintainer review; see the documentation at 
https://docs.npmjs.com/cli/install . Non-explicit syntax 'npm install 
githubname/reponame' can also be easily confused with the official 
package name. Random GitHub projects can contain code without any 
guarantees.


I think there is the risk that some malicious JavaScript code can be 
injected through the MITM attack, and server side JavaScript is a fully 
functional language.


Shouldn't www/npm at least print a security alert about this? It 
probably shouldn't be used on production systems until package 
authentication is in place.


Yuri
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
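An added example, not code from npm, the www/npm port or anyone in this thread, that makes the point of the message above checkable on a real package.json: it classifies `npm install` specifiers by where the code actually comes from, so that a bare `owner/repo` value (GitHub shorthand, no registry metadata and no maintainer review) is not mistaken for a registry package name, including the case where the manifest key reads like the official package but the value is a fork. The specifier forms (name, `@scope/name`, `owner/repo`, `github:`/`gist:`/`bitbucket:`/`gitlab:` prefixes, `git+` and `http(s)` URLs, local paths) follow the npm install documentation linked above; the function names, the `Source` record and the sample dependency object are hypothetical and constructed for the demo.

```python
"""Classify npm install specifiers and flag dependencies that bypass the registry.

Added illustration (hypothetical helper names, not npm's own code). Only the
registry kind carries published metadata; every other kind is whatever the
remote repository, URL or directory serves at install time.
"""
import re
from dataclasses import dataclass

HOSTED_PREFIXES = ("github:", "gist:", "bitbucket:", "gitlab:")
LOCAL_PREFIXES = ("./", "../", "/", "~/", "file:")
TARBALL_SUFFIXES = (".tgz", ".tar.gz")

# A registry package name: optional @scope/, then a lowercase name.
REGISTRY_RE = re.compile(r"^(@[a-z0-9][\w.-]*/)?[a-z0-9][\w.-]*$")
# Bare owner/repo with optional #ref: the GitHub shorthand that looks like a name.
SHORTHAND_RE = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")


@dataclass
class Source:
    spec: str
    kind: str            # registry | github-shorthand | hosted-git | git-url | tarball-url | local | unknown
    from_registry: bool  # True only for packages resolved under their published registry name


def split_version(spec):
    """'@scope/name@^1' -> ('@scope/name', '^1'); 'name' -> ('name', None)."""
    at = spec.find("@", 1)  # index 0 may be the '@' of a scope, skip it
    return (spec, None) if at < 0 else (spec[:at], spec[at + 1:])


def classify(spec):
    """Classify one argument as it would be given to `npm install`."""
    s = spec.strip()
    if s.startswith(HOSTED_PREFIXES):
        return Source(s, "hosted-git", False)
    if s.startswith(("git+", "git://")):
        return Source(s, "git-url", False)
    if s.startswith(("http://", "https://")):
        return Source(s, "tarball-url", False)
    if s.startswith(LOCAL_PREFIXES) or s.endswith(TARBALL_SUFFIXES):
        return Source(s, "local", False)
    name, version = split_version(s)
    # Defensive: a 'version' part that itself names a remote source.
    if version and version.startswith(HOSTED_PREFIXES):
        return Source(s, "hosted-git", False)
    if version and "://" in version:
        return Source(s, "git-url", False)
    if REGISTRY_RE.match(name):
        return Source(s, "registry", True)
    if SHORTHAND_RE.match(s):
        return Source(s, "github-shorthand", False)
    return Source(s, "unknown", False)


def is_range_or_tag(value):
    """A package.json value that is a semver range or dist-tag, not a source."""
    return ("/" not in value and ":" not in value
            and not value.startswith(("./", "../"))
            and not value.endswith(TARBALL_SUFFIXES))


def classify_manifest_entry(dep_name, value):
    """Classify one key/value pair of a package.json 'dependencies' object."""
    v = value.strip()
    if is_range_or_tag(v):
        return Source(f"{dep_name}@{v or '*'}", "registry", True)
    return classify(v)


def audit_dependencies(deps):
    """Return (dep_name, Source) for every entry that is not served by the registry.

    The entry {"lodash": "someone/lodash"} is the case the thread warns about:
    the manifest reads as the official package, the installed code is a fork.
    """
    return [(name, src) for name, spec in deps.items()
            if not (src := classify_manifest_entry(name, spec)).from_registry]


SAMPLE_DEPS = {  # constructed package.json 'dependencies' object for the demo
    "express": "^4.12.0",
    "lodash": "someone/lodash",
    "request": "github:request/request#v2.55.0",
    "my-util": "../my-util",
    "debug": "latest",
}

if __name__ == "__main__":
    for name, src in audit_dependencies(SAMPLE_DEPS):
        print(f"{name}: {src.kind} <- {src.spec}")
```

Run it against the `dependencies` object of a real manifest instead of `SAMPLE_DEPS`; anything it flags was installed without the registry's package metadata and, per the message above, without any maintainer review.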


Re: npm doesn't check package signatures, should www/npm print security alert?

2015-03-16 Thread Mark Felder


On Mon, Mar 16, 2015, at 14:57, Yuri wrote:
> www/npm downloads and installs packages without having signature 
> checking in place.
> There is a discussion about package security at 
> https://github.com/node-forward/discussions/issues/29 , but actual 
> checking isn't currently done.
> 
> Additionally, npm allows direct downloads of GitHub projects without any 
> authenticity checking or maintainer review; see the documentation at 
> https://docs.npmjs.com/cli/install . Non-explicit syntax 'npm install 
> githubname/reponame' can also be easily confused with the official 
> package name. Random GitHub projects can contain code without any 
> guarantees.
> 
> I think there is the risk that some malicious JavaScript code can be 
> injected through the MITM attack, and server side JavaScript is a fully 
> functional language.
> 
> Shouldn't www/npm at least print a security alert about this? It 
> probably shouldn't be used on production systems until package 
> authentication is in place.
> 
> Yuri
>

This would require FreeBSD to modify npm code to inject this message,
correct? Or do you just want a post-install message when the package is
installed to remind FreeBSD users about it?

It seems to me a scary warning patch should be sent upstream.


Re: npm doesn't check package signatures, should www/npm print security alert?

2015-03-16 Thread Yuri

On 03/16/2015 13:05, Mark Felder wrote:
> This would require FreeBSD to modify npm code to inject this message,
> correct? Or do you just want a post-install message when the package is
> installed to remind FreeBSD users about it?
> 
> It seems to me a scary warning patch should be sent upstream.


I meant post-install message.
pkg and ports nicely check package signatures or fingerprints, but then 
npm defeats this outright, if installed.


Yuri
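An added example, not code from npm, pkg or this thread: the kind of content-hash check the messages above say npm does not perform on what it downloads, written so it can be dropped in front of an install. It accepts the two digest forms the npm registry has published in a package's `dist` metadata, a hex SHA-1 `shasum` and a Subresource Integrity string (`sha512-<base64>`, possibly several space-separated options, of which the strongest is used), rejects malformed or wrong-length digests instead of silently passing, and compares in constant time. Function names and the sample tarball bytes are hypothetical and constructed for the demo; a fingerprint-style check like this is still not a signature, it only ties the bytes to a digest you obtained separately.

```python
"""Verify a downloaded package tarball against a published digest.

Added illustration (hypothetical helper names, not npm's or pkg's own code).
`expected` is either a 40-hex SHA-1 (npm's legacy 'shasum') or an SRI string
such as 'sha512-<base64>'; several SRI options may be given space-separated.
"""
import base64
import hashlib
import hmac

STRENGTH = {"sha1": 1, "sha256": 2, "sha384": 3, "sha512": 4}


def make_integrity(data, algo="sha512"):
    """Produce the SRI string a publisher would record for `data`."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(sri):
    """Return (algo, raw_digest) for the strongest usable option in `sri`.

    Options with an unknown algorithm, invalid base64 or a digest of the wrong
    length are skipped; if nothing usable remains, raise rather than pass.
    """
    best = None
    for token in sri.split():
        algo, sep, b64 = token.partition("-")
        if not sep or algo not in STRENGTH:
            continue
        b64 = b64.split("?", 1)[0]  # SRI permits '?option' suffixes; ignore them
        try:
            raw = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if len(raw) != hashlib.new(algo).digest_size:
            continue
        if best is None or STRENGTH[algo] > STRENGTH[best[0]]:
            best = (algo, raw)
    if best is None:
        raise ValueError("no usable digest in integrity string")
    return best


def verify_integrity(data, expected):
    """True iff `data` hashes to `expected` (SRI string or hex SHA-1 shasum)."""
    e = expected.strip()
    if len(e) == 40 and all(c in "0123456789abcdef" for c in e.lower()):
        algo, raw = "sha1", bytes.fromhex(e)
    else:
        algo, raw = parse_integrity(e)
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, raw)  # constant-time comparison


# Constructed stand-in for a fetched tarball and the digest recorded for it.
CONSTRUCTED_TARBALL = b"\x1f\x8b" + b"constructed tarball payload for the demo"
PUBLISHED_INTEGRITY = make_integrity(CONSTRUCTED_TARBALL, "sha512")

if __name__ == "__main__":
    print("intact:", verify_integrity(CONSTRUCTED_TARBALL, PUBLISHED_INTEGRITY))
    print("tampered:", verify_integrity(CONSTRUCTED_TARBALL + b"\x00", PUBLISHED_INTEGRITY))
```

The digest must come from somewhere other than the download itself (registry metadata fetched over a separately verified channel, or a lockfile you reviewed); checking a tarball against a hash served alongside it by the same man-in-the-middle proves nothing.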


Re: sendmail broken by libssl in current

2015-03-16 Thread Gregory Shapiro
I've made the change in HEAD to turn off SSL padding (see attached mail 
message).  Julian, can you test to see if it addresses the issue before I MFC?

--- Begin Message ---
Author: gshapiro
Date: Mon Mar 16 20:24:37 2015
New Revision: 280155
URL: https://svnweb.freebsd.org/changeset/base/280155

Log:
  Default to turning off OpenSSL SSL_OP_TLSEXT_PADDING as it breaks
  compatibility with some sites
  
  This change comes from 8.15 but is being backported to FreeBSD releases
  not yet using 8.15.
  
  MFC after:3 days
  Noted by: julian@

Modified:
  head/contrib/sendmail/src/readcf.c

Modified: head/contrib/sendmail/src/readcf.c
==
--- head/contrib/sendmail/src/readcf.c  Mon Mar 16 20:13:25 2015
(r280154)
+++ head/contrib/sendmail/src/readcf.c  Mon Mar 16 20:24:37 2015
(r280155)
@@ -124,6 +124,11 @@ readcf(cfname, safe, e)
| SSL_OP_NO_TICKET
 #endif
;
+# ifdef SSL_OP_TLSEXT_PADDING
+   /* SSL_OP_TLSEXT_PADDING breaks compatibility with some sites */
+   Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
+   Clt_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
+# endif /* SSL_OP_TLSEXT_PADDING */
 #endif /* STARTTLS */
if (DontLockReadFiles)
sff |= SFF_NOLOCK;
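Review bot: the comment on the added block, `/* SSL_OP_TLSEXT_PADDING breaks compatibility with some sites */`, does not say what breaks or which side of the trade-off is being chosen, and the block clears the bit from both Srv_SSL_Options and Clt_SSL_Options unconditionally, so a reader of readcf() cannot tell whether it is ever set again. Since this sits in the defaults block (the masks follow the `;` that ends the default option initialization), state in the comment that this changes only the default and that the option can be re-enabled by name through the ssl_options table, and point at the 8.15 change the log says this is backported from, so the next person does not simply delete the mask.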
@@ -2406,6 +2411,9 @@ static struct ssl_options
 #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
{ "SSL_OP_CRYPTOPRO_TLSEXT_BUG",SSL_OP_CRYPTOPRO_TLSEXT_BUG 
},
 #endif
+#ifdef SSL_OP_TLSEXT_PADDING
+   { "SSL_OP_TLSEXT_PADDING",  SSL_OP_TLSEXT_PADDING   },
+#endif
{ NULL, 0   }
 };
 #endif /* STARTTLS && _FFR_TLS_1 */
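Review bot: this new table entry lives under `#endif /* STARTTLS && _FFR_TLS_1 */`, while the masking in the first hunk is under `#endif /* STARTTLS */` alone. On a build with STARTTLS but without _FFR_TLS_1 the option is therefore cleared by default with no name available to turn it back on. Either guard the default change the same way, or say in the log message that default-off is unconditional and that re-enabling SSL_OP_TLSEXT_PADDING from the configuration requires _FFR_TLS_1.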

--- End Message ---