Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl

On Sat, Dec 12, 2020 at 04:57:08PM -0800, John-Mark Gurney wrote: > > If FreeBSD is going to continue to use OpenSSL, better testing needs to > be done to figure out such breakage earliers, and how to not have them > go undetected for so long. I don't think anyone would argue against increasing te

Re: Kerberos: base or port? [Was: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl]

On Sat, Dec 12, 2020 at 11:21:14AM +0100, Andrea Venturoli wrote: > On 12/11/20 9:23 PM, Benjamin Kaduk wrote: > > > It would be useful to give more specifics on the failures, as there's a few > > classes of things that can go wrong. > > I thought this would be OT in

Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl

On Fri, Dec 11, 2020 at 02:35:42PM -0800, John-Mark Gurney wrote: > Benjamin Kaduk wrote this message on Fri, Dec 11, 2020 at 12:38 -0800: > > On Thu, Dec 10, 2020 at 10:46:28PM -0800, John-Mark Gurney wrote: > > > FreeBSD Security Advisories wrote this message on Wed, Dec 09, 20

Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl

On Sat, Dec 12, 2020 at 05:11:07AM +0200, Konstantin Belousov wrote: > On Fri, Dec 11, 2020 at 06:42:13PM -0800, Gordon Tetlow via freebsd-security > wrote: > > On Fri, Dec 11, 2020 at 02:35:42PM -0800, John-Mark Gurney wrote: > > > Benjamin Kaduk wrote this message on Fri,

Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl

Hi John-Mark, On Thu, Dec 10, 2020 at 10:46:28PM -0800, John-Mark Gurney wrote: > FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 > +: > > versions included in FreeBSD 12.x. This vulnerability is also known to > > affect OpenSSL versions included in FreeBSD 11.4.

Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl

On Fri, Dec 11, 2020 at 11:11:54AM +0100, Andrea Venturoli wrote: > On 12/10/20 12:03 AM, FreeBSD Security Advisories wrote: > > > Note: The OpenSSL project has published publicly available patches for > > versions included in FreeBSD 12.x. This vulnerability is also known to > > affect OpenSSL v

Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl

Hi Franco, On Fri, Dec 11, 2020 at 01:28:43PM +0100, Franco Fichtner wrote: > > > On 11. Dec 2020, at 13:20, Martin Simmons wrote: > > > > > > I'm talking about the binary packages from pkg.FreeBSD.org. Don't they > > always > > use the base OpenSSL at the moment? > > Yes, and if it would b

Re: Status of OpenSSL 1.1.1

On Fri, Aug 03, 2018 at 07:02:18AM -0400, Eric McCorkle wrote: > On 08/03/2018 04:44, Warner Losh wrote: > > > > > > On Thu, Aug 2, 2018 at 5:45 PM, Benjamin Kaduk > <mailto:ka...@mit.edu>> wrote: > > > > On Wed, Aug 01, 2018 at 10:05:28AM -

Re: Status of OpenSSL 1.1.1

On Wed, Aug 01, 2018 at 10:05:28AM -0400, Eric McCorkle wrote: > On 08/01/2018 09:02, Warner Losh wrote: > > > > > > On Wed, Aug 1, 2018, 12:31 PM Eric McCorkle > > wrote: > > > > Hi folks, > > > > I'm wondering what's the status of OpenSSL 1.1.1 integratio

Re: TLSv1.3 support in freeBSD 11.X

Hi Dewayne, (Full disclosure: I am currently the IETF Area Director responsible for the TLS working group, and as such the TLS 1.3 spec itself; I am also an OpenSSL committer.) On Sun, Jul 29, 2018 at 09:59:29AM +1000, Dewayne Geraghty wrote: > > On 26/07/2018 9:45 PM, PRAKASH RAI (prakrai) via

Re: TLSv1.3 support in freeBSD 11.X

On Thu, Jul 26, 2018 at 11:45:22AM +, PRAKASH RAI (prakrai) via freebsd-security wrote: > Hi All, > > I was going through the https://wiki.freebsd.org/OpenSSL and found that > openssl 1.1.1 support is planned for freeBSD 12. > As TLSv1.3 is based on openssl 1.1.1, does it mean that freeBSD 1

Re: Default password hash, redux

On Wed, May 23, 2018 at 05:50:04PM -0400, Yonas Yanfa wrote: > I recommend adding support for Argon2. > > https://en.wikipedia.org/wiki/Argon2 Yes, Argon2 seems like a no-brainer at this point. -Ben ___ freebsd-security@freebsd.org mailing list https:/

Re: Crypto overhaul

On Sat, Oct 28, 2017 at 08:36:01PM -0400, Eric McCorkle wrote: > On 10/28/2017 09:15, Poul-Henning Kamp wrote: > > > > In message <20171028123132.gf96...@kduck.kaduk.org>, Benjamin Kaduk writes: > > > >> I would say that the 1.1.x series is less bad

Re: Crypto overhaul

On Sat, Oct 28, 2017 at 08:03:32AM +, Poul-Henning Kamp wrote: > > In message <20171028022557.ge96...@kduck.kaduk.org>, Benjamin Kaduk writes: > > >But I think the main issue with OpenSSL in base that was leading to > >thoughts about replacing it is t

Re: Crypto overhaul

On Fri, Oct 27, 2017 at 09:20:13PM +0100, Ben Laurie wrote: > On 27 October 2017 at 20:24, Poul-Henning Kamp wrote: > > > > In message > > > > , Ben Laurie writes: > > > >>OpenSSL includes (and is used for) lots of crypto that is not used in > >>SSL - since BearSSL targets SSL/TLS only,

Re: WPA2 bugz - One Man's Quick & Dirty Response

On Thu, Oct 19, 2017 at 03:07:57PM +0200, WhiteWinterWolf (Simon) wrote: > Hi Benjamin, > > Le 19/10/2017 à 00:43, Benjamin Kaduk a écrit : > >> NFS has no built-in encryption, it may be possible to tunnel it but this > >> is out-of-scope here (using a VPN and tunnel

Re: WPA2 bugz - One Man's Quick & Dirty Response

I fear I must wade into this thread, despite it being thick with FUD. On Wed, Oct 18, 2017 at 07:27:42PM +0200, WhiteWinterWolf (Simon) wrote: > Hi Ronald, > > Le 18/10/2017 à 06:00, Ronald F. Guilmette a écrit : > > > > In message <49252eda-3d48-f7bc-95e7-db716db4e...@whitewinterwolf.com>, >

Re: Plan for OpenSSL in stable/10?

/timeline/openssl/ > > (3 missing symbols needs to be fixed, and we need to verify if the result > is still compatible; the usage of these missing symbols should be quite > rare, though). > > On Thu, Jan 26, 2017 at 1:48 PM, Oliver Pinter < > oliver.pin...@hardenedbsd.or

Re: Plan for OpenSSL in stable/10?

On Thu, Jan 12, 2017 at 10:57:20PM +0100, Dimitry Andric wrote: > On 12 Jan 2017, at 19:02, Eric van Gyzen wrote: > > > > Has anyone had time to discuss and form a plan for OpenSSL in stable/10, > > now that 1.0.1 is end-of-life? I don't recall seeing any public > > discussion or announcement; f

Re: Heimdal in base

On Wed, 14 Sep 2016, Garrett Wollman wrote: > < > said: > > > Well, it's definitely too late for 11, now. > > > But, Debian is preparing to remove their heimdal package entirely, > > imminently: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728 > [...] > > Since 11.0 hasn't been released y

Heimdal in base

(was Re: OpenSSH HPN) [See https://lists.freebsd.org/pipermail/freebsd-security/2015-November/008747.html for the bits that Dag-Erling skipped] On Fri, 13 Nov 2015, Dag-Erling Smørgrav wrote: > Benjamin Kaduk writes: > > Things seem to have slowed down a lot since the lead Heimdal

Re: Trying to think out a hack for NSS and pw(8)

On Fri, 9 Sep 2016, Garrett Wollman wrote: > Presently, we have a bunch of machines under configuration management > (using Puppet, but that's not really relevant here). I'm hoping to > implement LDAP via nsswitch on these machines, but I've run into an > issue: the standard getpw*(3) mechanisms

Re: Batching errata & advisories in heaps degrades security.

On Thu, 5 May 2016, Julian H. Stacey wrote: > Benjamin Kaduk wrote: > > > As a member of the security team for two projects (not FreeBSD's, though), > > I can say that it is a lot of behind-the-scenes work to put out > > advisories, > > Of course. > > >

Re: Batching errata & advisories in heaps degrades security.

On Thu, 5 May 2016, Julian H. Stacey wrote: > Another bunch of Security alerts, degrades FreeBSD by being clumped together: > > I guess many recipients get tired of recent indigestable batches of > multiple FreeBSD Errata & think approx: I cannot recall whether you were participating in the discu

Re: Signal 11 dumps in telnetd (freebsd 10.3 release)

On Mon, 25 Apr 2016, Tim Zingelman wrote: > See if the attached patch helps. > > It applies cleanly to ports/security/krb5-appl, but may need adjustment for > the base system telnetd. [Obligatory note that krb5-appl is unmaintained upstream, due to insecure crypto, among other things.] -Ben

Re: OpenSSH HPN

On Thu, 12 Nov 2015, Dewayne Geraghty wrote: > Heimdal is (and has been for some time) undergoing constant development. > For reasons unknown, they do not perform releases. I am aware of updates > from heimdal that are being applied to the samba project (in fact some of > the samba developers are

kereros telnet/rlogin/etc. (was Re: OpenSSH HPN)

On Wed, 11 Nov 2015, Daniel Kalchev wrote: > > Perhaps similar level of security could be achieved by “the old tools” > if they were by default compiled with Kerberos. Although, this still > requires building additional infrastructure. The kerberized versions of the old tools are basically unsupp

Re: Is there a policy to delay & batch errata security alerts ?

On Sat, 29 Aug 2015, Julian H. Stacey wrote: > Presumably there's no delays eg for PR, giving longer quiet periods before > a release, slipping out bad news immediately after good. That seems highly unlikely. > What else might be causing batch flooding of alerts ? It's an awful lot of work to a

Re: scope of private libraries

On Mon, 1 Jun 2015, Franco Fichtner wrote: > As a side note, does pkgng really have to depend on base > OpenSSL; does it have to depend on a full-blown SSL library? Yes. -Ben (From IRC:) efnet / #bsddev / bjk 13:17 () In particular, Franco asked "does pkg really need to depend on o

scope of private libraries

(was Re: avoiding base openssl when building ports) On Mon, 1 Jun 2015, Kimmo Paasiala wrote: > This leads to another question. Where is the line going to be drawn > which libraries in the base system should be private? There are > certainly some of them that have to be public like libc and the >

Re: avoiding base openssl when building ports

On Mon, 1 Jun 2015, Roger Marquis wrote: > Kimmo Paasiala: > > Rumour is that something like that is going to happen with all of the > > problematic libraries by making them private. If someone with inside > > knowledge could confirm these rumours? ;) > > Curious why this is a rumor? Open source

Re: avoiding base openssl when building ports

On Sun, 31 May 2015, Don Lewis wrote: > The big culprit turned out to be ftp/curl. Even though > WITH_OPENSSL_PORT=yes caused it to add the openssl port as a build and > run dependency, it was silently getting linked to openssl from base. The > cause of that problem is that the default GSSAPI_BAS

Re: Missind #defines in /usr/include/gssapi/gssapi.h?

On Thu, 5 Mar 2015, Benjamin Kaduk wrote: > My understanding was that python-gssapi was intended to support both > Heimdal and MIT implementations, so given that MIT (correctly) does not > provide a GSS_C_AF_INET6 symbol, I am somewhat surprised that > python-gssapi cannot cope with

Re: Missind #defines in /usr/include/gssapi/gssapi.h?

On Thu, 5 Mar 2015, Erik Cederstrand wrote: > Hello list, > > Currently, installing the Python gssapi module (sudo pip install > python-gssapi) fails (on FreeBSD 10.1, at least) because a lot of #defines > are missing from /usr/include/gssapi/gssapi.h (installed from > /usr/src/include/gssapi/g

Re: Securing SSH

The author also appears to not understand the difference between single-DES and triple-DES, so I would expect the value of that posting to be only as a brainstormed list of ideas to consider for further analysis. -Ben On Sun, 11 Jan 2015, Jonathan Anderson wrote: > Hi, > > I can't comment much o

Re: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl

On Tue, 9 Sep 2014, Zoran Kolic wrote: > I used freebsd-update way on 9.3 amd64. > It took 14 patches and 1 second to do the job. Now, > I cannot see any difference. Only using fetch again, > it says "No updates needed to update system to > 9.3-RELEASE-p1". > How could I see that p1? I did not rec

Re: Speed and security of /dev/urandom

On Sat, 19 Jul 2014, Steven Chamberlain wrote: Or if we're worried about draining entropy too quickly from the CSPRNG, a non-privileged user could do that anyway from /dev/urandom, or it may happen when a server doing crypto work is under stress? Can we please disabuse ourselves of the notion

Re: Speed and security of /dev/urandom

On Sat, 19 Jul 2014, Mateusz Guzik wrote: I believe the idea here is to have reliable source for reseeding after fork. I don't think that's quite right; there are issues in reliably detecting that fork has occurred and a reseed performed. Always getting random bits from the kernel avoids the

Re: Speed and security of /dev/urandom

On Sat, 19 Jul 2014, Konstantin Belousov wrote: On Sat, Jul 19, 2014 at 09:47:12PM +0100, Steven Chamberlain wrote: On 19/07/14 20:26, Konstantin Belousov wrote: I think that using sysctl for non-management functionality is wrong. If this feature is for the libraries and applications, and not

Re: Speed and security of /dev/urandom

On Fri, 18 Jul 2014, Andrey Chernov wrote: On 18.07.2014 3:41, Steven Chamberlain wrote: Is there a good reason arc4random_buf() can't take bytes directly from /dev/urandom or sysctl KERN_ARND? Therefore no longer needing to seed first, periodically reseed, or use any stream cipher? One of t

Re: HEADS UP: OpenSSH with DNSSEC support in 10

On Wed, 11 Sep 2013, Ian Lepore wrote: On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote: OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you disable LDNS in src.conf. If DNSSEC is enabled, the default setting for VerifyHostKeyDNS is "yes". This means that OpenSSH wi

Re: Escaping from a jail with root privileges on the host

[minus -stable] On Wed, 28 Dec 2011, Marin Atanasov Nikolov wrote: Hello, Today I've managed to escape from a jail by accident and ended up with root access to the host's filesystem. Here's what I did: * Using ezjail for managing my jails * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3 * This wo

Re: PAM modules -> LDAP!

On Sat, 24 Sep 2011, Ryan Steinmetz wrote: I think an interesting concept would be something that gave us the ability to (easily) tie certain ports into software from the base system. Something that would allow the software to be more easily kept current. Perhaps this could be done via some sor

Re: PAM modules

On Tue, 20 Sep 2011, Xin LI wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 09/20/11 15:51, Kostik Belousov wrote: [...] Yes, the question of maintanence of the OpenLDAP code in the base is not trivial by any means. I remember that openldap once broke the ABI on its stable-like branc