>Date: Wed, 09 Apr 2014 23:28:29 +0100
>From: Joe Holden
>To: freebsd-security@freebsd.org
>Subject: Re: Proposal
>
>The problem here is that a workaround wasn't communicated and I suspect
>a very small number of religious users actually sub to security@
I do read it.
> - also
>bear in mind th
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 4/9/14, 10:28 PM, Ronald F. Guilmette wrote:
>
> My apologies if the following few naive questions are out of place
> or off topic here. I do suppose that there might perhaps be other
> places where such question might perhaps be better put, b
On 04/09/2014 09:51 PM, Ke-li Dong wrote:
help
2014-04-04 20:00 GMT+08:00 :
Send freebsd-security mailing list submissions to
freebsd-security@freebsd.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freebsd.org/mailman/listinfo/freebsd-security
or
My apologies if the following few naive questions are out of place
or off topic here. I do suppose that there might perhaps be other
places where such question might perhaps be better put, but many/most/all
of those other places appear to be filled, at present, with discussions
and comments which
nd efficient response in cases like that.
> > Having a paid Security Officer would not have made any difference.
> >
> > DES
> Agreed.
>
> In this particular case FreeBSD's team responded very quickly once the
> threat was known and a resolution path was made avail
On 9 April 2014 18:28, Dag-Erling Smørgrav wrote:
> Walter Hop writes:
>> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their
>> base about an hour later, FreeBSD base took around 24 hours.
>
> All Bryan had to do to update the port was change the version number in
> the Makefile
The problem here is that a workaround wasn't communicated and I suspect
a very small number of religious users actually sub to security@ - also
bear in mind that the website wasn't updated until a number of hours
after, including rss which I suspect most people use.
I am not trying to undermin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 04/09/14 15:15, Ronald F. Guilmette wrote:
>
> Does this port (linux-f10-openssl) also need to be
> rebuilt/reinstalled?
No, it's too old to be vulnerable to the CVE-2014-0160 ("Heartbleed")
vulnerability; however, it may be affected by certain other
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 04/09/14 15:11, Ronald F. Guilmette wrote:
>
> In message <20140409084809.ga2...@lena.kiev>, l...@lena.kiev.ua
> wrote:
>
>> Port mail/sendmail-sasl (sendmail+tls+sasl2-8.14.8) depends on
>> the openssl port. You need to upgrade the security/ope
Does this port (linux-f10-openssl) also need to be rebuilt/reinstalled?
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
In message <20140409084809.ga2...@lena.kiev>,
l...@lena.kiev.ua wrote:
>Port mail/sendmail-sasl (sendmail+tls+sasl2-8.14.8) depends on the
>openssl port. You need to upgrade the security/openssl port to
>openssl-1.0.1_10 and restart sendmail.
I am running 9.1-RELEASE and Apache _without_ any su
Hi--
On Apr 9, 2014, at 12:44 PM, Nathan Dorfman wrote:
> Is it implausible to suggest that before embarking on the task of
> backporting, reviewing, testing and releasing the actual fix, an
> announcement could have been made immediately with the much simpler
> workaround of adding -DOPENSSL_NO_
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 04/09/14 13:39, Nathan Dorfman wrote:
> Moving on, is it not worth talking about going in and defining
> every -DOPENSSL_NO_* flag that exists and doesn't break the base
> system? On the simple grounds that there appears to be little to be
> gaine
Nathan Dorfman writes:
> Moving on, is it not worth talking about going in and defining every
> -DOPENSSL_NO_* flag that exists and doesn't break the base system? On
> the simple grounds that there appears to be little to be gained from
> this kind of feeping creaturism, and plenty, as it turns ou
On Wed, Apr 9, 2014 at 4:12 PM, Dag-Erling Smørgrav wrote:
> Nathan Dorfman writes:
>> Is it implausible to suggest that before embarking on the task of
>> backporting, reviewing, testing and releasing the actual fix, an
>> announcement could have been made immediately with the much simpler
>> wo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 04/09/14 13:12, Dag-Erling Smørgrav wrote:
> Nathan Dorfman writes:
>> Is it implausible to suggest that before embarking on the task
>> of backporting, reviewing, testing and releasing the actual fix,
>> an announcement could have been made imme
Pawel Biernacki writes:
> Joe User writes:
> > http://seclists.org/oss-sec/2014/q2/22
> Interesting lecture, thank you. But if FreeBSD SO wasn't on the
> mentioned list [...]
We are. By my reckoning, Xin posted on -security that he was aware of
the issue and working on it less than two hours af
Dag-Erling Smørgrav writes:
> If all you wanted to hear was "we're working on it", well, Xin did write
> that almost on -security exactly 48 hours ago.
s/that almost on -security/that on -security almost/
DES
--
Dag-Erling Smørgrav - d...@des.no
Nathan Dorfman writes:
> Is it implausible to suggest that before embarking on the task of
> backporting, reviewing, testing and releasing the actual fix, an
> announcement could have been made immediately with the much simpler
> workaround of adding -DOPENSSL_NO_HEARTBEATS to the OpenSSL compiler
On 09/04/2014 18:28, Dag-Erling Smørgrav wrote:
> RedHat had prior notice since one of the OpenSSL devs is on their
> security team. They had an update ready to roll out before the issue
> was leaked (the builds are dated 2014-04-07 11:34:45 UTC), and were
> basically just waiting for the announce
First, the (unfortunately) necessary disclaimer: this is an honest
question to satisfy my curiosity, nothing more. Absolutely no
criticism of anyone is intended.
Is it implausible to suggest that before embarking on the task of
backporting, reviewing, testing and releasing the actual fix, an
annou
On 09/04/2014 19:53, Dag-Erling Smørgrav wrote:
Pawel Biernacki writes:
>RedHat managed to provide the fix within 21 hours but apparently they
>knew very early about the issue. FreeBSD Security Team didn't? Why?
>You can _see_ the whole process on their bugzilla
>https://bugzilla.redhat.com/sh
On 9 April 2014 18:53, Dag-Erling Smørgrav wrote:
> Pawel Biernacki writes:
>> RedHat managed to provide the fix within 21 hours but apparently they
>> knew very early about the issue. FreeBSD Security Team didn't? Why?
>> You can _see_ the whole process on their bugzilla
>> https://bugzilla.red
Hi Pawel,
On 9 April 2014 10:50, Pawel Biernacki wrote:
> On 9 April 2014 17:28, jungleboogie0 wrote:
>>
>> Please let us not forget that kernel.org was hacked and not detected
>> for 17 days:
>> http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
>
> I don't know why you're
On 9 April 2014 17:08, Joe User wrote:
> On 09.04.2014 17:29, Pawel Biernacki wrote:
>> [snip]
>> We need more transparency here.
>>
>
> Please read this and other related threads and you'll understand that
> the FreeBSD-SecTeam had no real chance to react earlier than they did.
> http://seclists.
On 09.04.2014 19:53, Dag-Erling Smørgrav wrote:
> Pawel Biernacki writes:
>> RedHat managed to provide the fix within 21 hours but apparently they
>> knew very early about the issue. FreeBSD Security Team didn't? Why?
>> You can _see_ the whole process on their bugzilla
>> https://bugzilla.redhat
Pawel Biernacki writes:
> RedHat managed to provide the fix within 21 hours but apparently they
> knew very early about the issue. FreeBSD Security Team didn't? Why?
> You can _see_ the whole process on their bugzilla
> https://bugzilla.redhat.com/show_bug.cgi?id=1084875.
No you can't. That tic
On 9 April 2014 17:28, jungleboogie0 wrote:
>
> Please let us not forget that kernel.org was hacked and not detected
> for 17 days:
> http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
I don't know why you're bringing it up here, because FreeBSD had
similar problem some time a
Walter Hop writes:
> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their
> base about an hour later, FreeBSD base took around 24 hours.
All Bryan had to do to update the port was change the version number in
the Makefile, run "make makesum" and commit. I assume that he did some
On Wed, Apr 9, 2014 at 11:37 AM, Joe Holden wrote:
> 24 hours for a fix that doesn't break ABI and is relatively simple (and
> proven to be fine by other distros) is horrendous for such a critical
> problem. I mentioned this on twitter also, but there wasn't even a heads-up
> from the SO until the
Hi Walter,
On 9 April 2014 08:17, Walter Hop wrote:
>> In my opinion this issue couldn't have been handled any better considering
>> what it takes to do the job properly, congrats to the security team from me.
>>
>> -Kimmo
>
> Please don’t frame this as criticism of the security people, that’s
On 09.04.2014 17:29, Pawel Biernacki wrote:
> [snip]
> We need more transparency here.
>
Please read this and other related threads and you'll understand that
the FreeBSD-SecTeam had no real chance to react earlier than they did.
http://seclists.org/oss-sec/2014/q2/22
In fact, they were really fa
On 09/04/2014 16:17, Walter Hop wrote:
In my opinion this issue couldn't have been handled any better considering what
it takes to do the job properly, congrats to the security team from me.
-Kimmo
Please don’t frame this as criticism of the security people, that’s not fair.
Of course we all
On 9 April 2014 15:32, Kimmo Paasiala wrote:
> Can you name some of those projects that claim to have such quick response
> time? I'll be steering way clear of them knowing that they don't test their
> security patches before releasing them. It's really quite shocking to see
> that such unprofessi
> In my opinion this issue couldn't have been handled any better considering
> what it takes to do the job properly, congrats to the security team from me.
>
> -Kimmo
Please don’t frame this as criticism of the security people, that’s not fair.
Of course we all congratulate them :)
I think we’
> > I understand that this is voluntary role and you have another (real
> > life) responsibilities that’s why I'd like to propose an idea of (at
> > least partially) paid position of Security Officer, because we all
> > need quick and efficient response in cases like that.
>
> Having a paid
On 4/9/2014 9:47 AM, Steven Hartland wrote:
- Original Message - From: "Karl Denninger"
On 4/9/2014 9:21 AM, Zoran Kolic wrote:
Advisory claims 10.0 only to be affected. Patches to
branch 9 are not of importance on the same level?
9 (and before) were only impacted if you loaded th
- Original Message -
From: "Karl Denninger"
On 4/9/2014 9:21 AM, Zoran Kolic wrote:
Advisory claims 10.0 only to be affected. Patches to
branch 9 are not of importance on the same level?
9 (and before) were only impacted if you loaded the newer OpenSSL from
ports. A fair number o
On Wed, Apr 09, 2014 at 04:21:36PM +0200, Zoran Kolic wrote:
> Advisory claims 10.0 only to be affected. Patches to
> branch 9 are not of importance on the same level?
The version of OpenSSL shipped in the base FreeBSD code prior to 10.0
is not vulnerable to the Heartbeat attack, however there is
On Apr 09, 2014, at 03:25 PM, Dag-Erling Smørgrav wrote:
Pawel Biernacki writes:
> I understand that this is voluntary role and you have another (real
> life) responsibilities that’s why I'd like to propose an idea of (at
> least partially) paid position of Security Officer
On 4/9/2014 9:21 AM, Zoran Kolic wrote:
Advisory claims 10.0 only to be affected. Patches to
branch 9 are not of importance on the same level?
Zoran
9 (and before) were only impacted if you loaded the newer OpenSSL from
ports. A fair number of people did, however
Advisory claims 10.0 only to be affected. Patches to
branch 9 are not of importance on the same level?
Zoran
On 4/9/2014 8:25 AM, Dag-Erling Smørgrav wrote:
Pawel Biernacki writes:
I understand that this is voluntary role and you have another (real
life) responsibilities that’s why I'd like to propose an idea of (at
least partially) paid position of Security Officer, because we all
need quick and eff
Pawel Biernacki writes:
> I understand that this is voluntary role and you have another (real
> life) responsibilities that’s why I'd like to propose an idea of (at
> least partially) paid position of Security Officer, because we all
> need quick and efficient response in cases like that.
Having
On 9 April 2014 00:34, FreeBSD Security Advisories
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =
> FreeBSD-SA-14:06.openssl                                    Security Advisory
>
>From l...@lena.kiev.ua Wed Apr 9 10:43:40 2014
>
>Port mail/sendmail-sasl (sendmail+tls+sasl2-8.14.8) depends on the
>openssl port. You need to upgrade the security/openssl port to
>openssl-1.0.1_10 and restart sendmail.
I didn't know about this route of having authenticated
sendmail. It's not m
> >systems that do not use OpenSSL to implement
> >the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> >protocols implementation and do not use the ECDSA implementation from OpenSSL
> >are not vulnerable.
>
> Please help me find out if my systems are vulnerable.
>
> I use
>From owner-freebsd-security-notificati...@freebsd.org Wed Apr 9 00:37:34 2014
>
>IV. Workaround
>
>No workaround is available, but systems that do not use OpenSSL to implement
>the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
>protocols implementation and do not use the