On Thu, Apr 10, 2014 at 6:28 PM, Paul Hoffman wrote:
> I have heard from others, less interested in self-aggrandizement than
> Theo, that OpenSSL's malloc was significantly to blame.
>
OpenSSL's simplistic malloc implementation exacerbated the information
exposure in this case, so you might well
On 4/10/2014 12:03 PM, David Noel wrote:
> I found a few bugs in portsnap and freebsd-update that I'd like to
> bring to the community's attention and hopefully recruit people to
> help fix. I mentioned them to Colin (their author) a few years ago and
> he agreed that they're issues that need to be
On 4/9/2014 5:15 PM, Ronald F. Guilmette wrote:
>
> Does this port (linux-f10-openssl) also need to be rebuilt/reinstalled?
>
No, but I did just update vuxml to reflect older vulnerabilities it does
have.
--
Regards,
Bryan Drewery
On Apr 10, 2014, at 12:36 PM, ari edelkind
wrote:
> On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:
>
>> Quite right. It is reasonable to assume that, given what we now know about
>> the memory allocation scheme in OpenSSL, that other bugs exist and will
>> only be found by exploits. Thus
On Apr 10, 2014, at 12:34 PM, Nathan Dorfman wrote:
> On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:
>> If your reliance on OpenSSL bugs being fixed requires a fix at a rate faster
>> than what the FreeBSD community provides, then you should not rely on the
>> FreeBSD community. Install
On 4/10/2014 22:05, Bryan Drewery wrote:
> On 4/10/2014 1:35 PM, Janne Snabb wrote:
>>
>> I think I have noticed binary package updates only about once a week. Is
>> my observation correct? Why such an infrequent update cycle? If there is
>> some real reason to build package updates so rarely, woul
On 4/10/2014 1:35 PM, Janne Snabb wrote:
> Hi,
>
> I recently started using the new fancy pkgng binary packages on some
> machines that I maintain. I thought I could save a lot of time as I
> would not need to keep compiling ports manually any more.
>
> Unfortunately it seems that it was not such
On 4/10/14, David Noel wrote:
>> I'm not convinced that a rototil of the protocol and all the associated
>> storage duplication is worth the effort.
>
> As far as portsnap is concerned I'm not convinced that ANY amount of
> effort is worth it. That is why I was hoping to start a conversation
> on
> I'm not convinced that a rototil of the protocol and all the associated
> storage duplication is worth the effort.
As far as portsnap is concerned I'm not convinced that ANY amount of
effort is worth it. That is why I was hoping to start a conversation
on the possibility of phasing it out.
> It
On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:
> Quite right. It is reasonable to assume that, given what we now know about
> the memory allocation scheme in OpenSSL, that other bugs exist and will
> only be found by exploits. Thus, it is reasonable to assume that there will
> be future eme
On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:
> If your reliance on OpenSSL bugs being fixed requires a fix at a rate faster
> than what the FreeBSD community provides, then you should not rely on the
> FreeBSD community. Install OpenSSL on your mission-critical systems from
> OpenSSL s
[Trimming the list to -security plus Colin in hopes of reducing the
number of partial conversations. Sending to four lists and an alias is
a list etiquette violation.]
[Also dropping the discussion of replacing portsnap since that is
a mostly unrelated discussion.]
On Thu, Apr 10, 2014 at 12:03:
Hi,
I recently started using the new fancy pkgng binary packages on some
machines that I maintain. I thought I could save a lot of time as I
would not need to keep compiling ports manually any more.
Unfortunately it seems that it was not such a good idea:
# date
Thu Apr 10 21:27:22 EEST 2014
# p
I found a few bugs in portsnap and freebsd-update that I'd like to
bring to the community's attention and hopefully recruit people to
help fix. I mentioned them to Colin (their author) a few years ago and
he agreed that they're issues that need to be addressed, but in the
time since neither he nor
On Thu, Apr 10, 2014 at 01:20:08PM +0200, Dag-Erling Smørgrav wrote:
> Throwing more manpower at the job won't make a difference; in fact, it
> might slow things down due to the need to communicate and coordinate.
You mean 9 women can't make a baby in 1 month?!!
On Wed, Apr 09, 2014 at 03:44:53
On Apr 9, 2014, at 3:46 PM, Pawel Biernacki wrote:
> Since such situations had happened in the past and are still
> happening, something should be done about them.
Quite right. It is reasonable to assume that, given what we now know about the
memory allocation scheme in OpenSSL, that other bugs
On 10.4.2014, at 15.48, Ed Maste wrote:
> On 10 April 2014 06:33, Kimmo Paasiala wrote:
>>
>> Going back to this original report of the vulnerability. Has it been
>> established with certainty that the attacker would first need MITM
>> capability to exploit the vulnerability? I'm asking this
On 10.4.2014 12:00, Ronald F. Guilmette wrote:
Rather, I was asking, albeit indirectly, whether a program or
library, such as OpenSSL, which is primarily a security-focused
tool, and upon which a significant fraction of online humanity
depends for its security, is deserving of a "belt and s
On 10 April 2014 06:33, Kimmo Paasiala wrote:
>
> Going back to this original report of the vulnerability. Has it been
> established with certainty that the attacker would first need MITM capability
> to exploit the vulnerability? I'm asking this because MITM capability is not
> something that
In message <867g6x5u2r@nine.des.no>,
Dag-Erling Smørgrav wrote:
>"Ronald F. Guilmette" writes:
>> Xin Li writes:
>> > For this bug, doing calloc() makes no difference.
>> I would very much like to know how you reached that conclusion.
>
>It's very simple. The exploit re
10/04/2014 12:58 - Cyrus Lopez wrote:
>
>
> >>
> >> SSH is not affected.
> >>
> >
> > SSH is indeed not affected, but I guess you should still consider the
> > secret sshd key on your otherwise affected server as burnt, as it might
> > have been in the memory too while an attacker was inspe
On 8.4.2014, at 17.05, Dirk Engling wrote:
> On 08.04.14 15:45, Mike Tancsa wrote:
>
>> I am trying to understand the implications of this bug in the
>> context of a vulnerable client, connecting to a server that does not
>> have this extension. e.g. a client app linked against 1.xx that's
>
Pawel Biernacki writes:
> Dag-Erling Smørgrav writes:
> > The freebsd-update build is not a normal make buildworld or make
> > release, it's much more complicated than that.
> So you're telling me that nothing can be done about it?
I'm telling you that you're arguing out of ignorance.
Publishin
On 10 April 2014 08:09, Dag-Erling Smørgrav wrote:
> Pawel Biernacki writes:
>> If you want to make an excuse that a build took a long time - it's
>> really a poor one. If the build cluster is too slow then the project needs
>> to acquire a new one.
>
> The freebsd-update build is not a normal make bu
"Ronald F. Guilmette" writes:
> Xin Li writes:
> > For this bug, doing calloc() makes no difference.
> I would very much like to know how you reached that conclusion.
It's very simple. The exploit relies on reading past the end of the
allocated buffer. Clearing the allocated buffer would not
Joe Holden writes:
> IME issues like this need to be patched first, tested later [...]
If we'd done that and screwed up, you'd be on the barricades demanding
our heads.
DES
--
Dag-Erling Smørgrav - d...@des.no
>>
>> SSH is not affected.
>>
>
> SSH is indeed not affected, but I guess you should still consider the secret
> sshd key on your otherwise affected server as burnt, as it might have been in
> the memory too while an attacker was inspecting it via heartbleed. Better
> recreate the secret ss
>
> SSH is not affected.
>
SSH is indeed not affected, but I guess you should still consider the secret
sshd key on your otherwise affected server as burnt, as it might have been in
the memory too while an attacker was inspecting it via heartbleed. Better
recreate the secret ssh key and all o
In message <53463a2e.90...@delphij.net>,
Xin Li wrote:
>On 4/9/14, 10:28 PM, Ronald F. Guilmette wrote:
>> 1) Why does OpenSSL even contain a function called
>> "OPENSSL_malloc"? Does anyone other than me think that it might
>> perhaps have been a better choice to provide only a function calle
On Wed, 9 Apr 2014 19:00:52 +0100, Pawel Biernacki wrote:
> On 9 April 2014 17:08, Joe User wrote:
> > On 09.04.2014 17:29, Pawel Biernacki wrote:
> >> [snip]
> >> We need more transparency here.
> >>
> >
> > Please read this and other related threads and you'll understand that
> > the Fre
Pawel Biernacki writes:
> If you want to make an excuse that a build took a long time - it's
> really a poor one. If the build cluster is too slow then the project needs
> to acquire a new one.
The freebsd-update build is not a normal make buildworld or make
release, it's much more complicated than th