port of OpenSSH 7.8 available for FreeBSD 11-STABLE
from the ports collection? If not, shouldn't it be?
--Brett Glass
Brahmanand Reddy writes:
> regarding the CVE-2018-15473, didn't find an official patch from the openssh
> on freebsd OS base.
CVE-2018-15473 is a user existence
At 10:13 AM 5/13/2019, you wrote:
On Mon 2019-05-13 (09:51), Brett Glass wrote:
> Is the FreeBSD port of OpenSSH 7.8 available for FreeBSD 11-STABLE
> from the ports collection and as a binary package? If not, shouldn't it be?
Yes, you can use the original at /usr/ports/secur
Intel Atom processors are also not susceptible. Only one of them does any
out-of-order execution, and that one appears to do it in a way that is not
susceptible to Meltdown or Spectre.
--Brett Glass
At 02:56 PM 3/20/2018, Christian Weisgerber wrote:
On 2018-03-19, Ed Maste wrote:
> Ther
ly on
all of them. This would be a big help to those of us who would
otherwise have to recompile the kernel and/or set a special tunable.
--Brett Glass
___
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-s
some
very limited exposure due to out-of-order execution, but may also
not be vulnerable because the OOE is not speculative) to avoid
unnecessary performance impacts?
--Brett Glass
At 05:14 AM 1/12/2018, Oliver Pinter wrote:
The test patch is here: https://reviews.freebsd.
segmentation faults - remember
segments? - revealed bugs in their code. I, personally, liked segmentation
because I was a perfectionist; I wanted my code to crash dramatically if
there was an error so I could fix it.)
--Brett Glass
ry are not revealed
directly to the program. So, how does it deduce the contents of physical
memory merely from the fact that there's a cache miss on its address?
--Brett Glass
hey will not be slowed by patches intended for CPUs that actually need
them.)
--Brett Glass
At 06:56 PM 1/2/2018, Joey Kelly wrote:
On Tuesday, January 02, 2018 08:52:27 PM Mike Tancsa wrote:
> I am guessing this will impact FreeBSD as well ?
>
> http://www.theregister.co.uk/2018/01/02/in
a darned sight safer than devolving to
Telnet. Just as it's useful to have a way of accessing devices that
use SSLv3 (we maintain browsers specifically for that purpose), it
pays to have a way to get at an embedded device that will never
support versions of SSH b
iding them... in
plain sight. Without getting into a flame war about that, I would
simply like the option of compiling it in or not.
--Brett Glass
that ASLR provides.
--Brett Glass
At 07:05 AM 3/9/2016, Piotr Kubaj wrote:
Shawn Webb has recently announced that ASLR is complete on HardenedBSD.
There are patches ready for FreeBSD to use and it's ready to be shipped
in FreeBSD. However,
ting up a perfect scenario for an MITM attack that could
substitute an infected file AND a forged checksum for the originals. If
an HTTPS download site were available, I would absolutely prefer it to
an HTTP one. Just my $0.02 USD.
--Brett Glass
Because a potential intruder can establish multiple or "tag-teamed"
TCP sessions (possibly from different IPs) to the SSH server, a
per-session limit is barely useful and will not slow a determined
attacker. A global limit might, but would enable DoS attacks.
--Brett Glass
At 01:
probably become
practical... IF one can trust the hardware not to have security
holes or backdoors. Which is, of course, a big "if."
--Brett Glass
I'd like to propose that FreeBSD move to OpenNTPD, which appears to
have none of the
fixed or unfixed (!) vulnerabilities that are present in ntpd.
There's already a port.
--Brett Glass
At 03:25 AM 12/22/2014, Steve Clement wrote:
Chances are good it is vulnerab
POLA.
I am working on a new rc.firewall that is much more efficient.
The trouble is that the script to make it do what I want is a bit
more complicated.
I'll put it out for discussion later. Maybe tonight.
Would like to see it!
--Brett Glass
e OSes appear to use randomized high ports for
queries.
--Brett Glass
D and I'm unsure why it was changed.) This makes
stateful firewalling less necessary and improves its performance if it is done.
--Brett Glass
At 10:38 PM 3/20/2014, Micheas Herman wrote:
>While true, that does mean that amplification attacks are limited to being
>able to attack those ten machines.
The amplifier/relay is also a victim, and can be completely disabled by the
attack
if its link to the Net becomes saturated.
know
that the above addresses are the defaults for any FreeBSD machine and can
take advantage of these "holes" in your firewall.
--Brett Glass
y compiled to use source port 123.
(Back in the days of FreeBSD 5.x and 6.x, it used ephemeral source ports,
but not now.)
--Brett Glass
due to the lack of a 3-way handshake) that they need
to be protected in every way possible.
--Brett Glass
o queries. I've implemented this in the IPFW rules
of all of my servers.
--Brett Glass
eries with rejection packets of the same size as the attack
packets. If the source addresses of the attack packets are spoofed, the
attack is relayed.
--Brett Glass
ttacks, since
this makes them more difficult to block. We have several patched servers
which malicious parties are attempting to use as relays even though they
cannot use them to amplify the volume of data sent. Once we altered
ntp.conf, we were able to put a
tion of the advisory but add the command "disable monitor" and
add the "kod" option (which may quell queries from some exploited systems).
--Brett Glass
from a botnet.
I'd recommend that the lines above be included in the default
/etc/ntp.conf in all future releases, and that all systems that use
the default ntp.conf without modification be patched automatically
via freebsd-update.
--Brett Glass
dit of FreeBSD 9.1-R-p2 compiled without
>if_re module is not applicable to FreeBSD 9.1-R-p3 compiled with if_re
>module nor to FreeBSD 9.1-R-p3 compiled without if_re module
True, but the details of memory allocation and scrubbing are unlikely
-ccevs.org/CCEVS_Products/pcl.cfm?tech_name=Router
There may be other products which have "FreeBSD inside" on their
list as well.
--Brett Glass
cure OS so that their
systems can be spied upon and their security compromised.
--Brett Glass
P.S. -- For more on NIAP, see www.niap-ccevs.org. Note that this site will
deposit multiple tracking cookies in your browser which you may want to
delete after v
FreeBSD has a "transient memory problem?" Not so far as I remember. But
maybe I have a transient memory problem. ;-)
--Brett Glass
;t contain NFS,
and I didn't build any loadable NFS modules, so I actually didn't need a
rebuild.)
--Brett Glass
ty fix to apply.
--Brett Glass
ernel. It's built
without modules, so
it's the only file in the directory /boot/kernel.
The configuration file is at /sys/amd64/conf/GATEWAY.
The identification string within the kernel is GATEWAY.
I am not sure what you're driving at here, though, so please exp
tor that a new build might be needed.
--Brett Glass
At 10:26 AM 4/30/2013, Chris Rees wrote:
I agreed with Glen, but when checking the docs it turns out that they say
that freebsd-update will detect a kernel in /boot/GENERIC:
http://www.freebsd.org/doc/handbook/updating-upgrading-freebsdupdate
the
next reboot. If there's a power failure, the system may
well not come up.
--Brett Glass
ustom kernels will
want or expect. (I would have hoped that the GENERIC kernel, its modules, and
the
kernel sources would be updated and that I'd be reminded to rebuild my custom
kernel
if necessary.)
--Brett Glass
At 02:55 PM 4/29/2013, FreeBSD Security Advisories wrote:
) and becomes a bottleneck.
--Brett Glass
of
9.1-RELEASE, which I'd hoped to install on servers during Thanksgiving!
--Brett Glass
How much will the current security issue delay 9.1-RELEASE? I do
want to see the integrity of the code protected, but must plan
server updates, which I'd hoped to do over US Thanksgiving.
(9.0-RELEASE is now within a couple of months of EOL unless it's extended.)
--B
tall binary packages.
Until and unless there's a convenient menu-based installer for binary
packages, would it be possible to fix this glitch?
--Brett Glass
At 09:43 AM 8/9/2012, Henrik Andersen wrote:
>Hi all,
>
>You can find the current patch level in /usr/src/sys/conf/newvers.sh ex:
Will port also be MFCed to 9-RELENG and 9.1-RELEASE? Do not want to
have to go to -CURRENT to get latest OpenSSL.
--Brett Glass
le pain as possible.
--Brett Glass
e the option of installing dnscache, with the
so-called "Jumbo" patch, as the default resolver. I believe that the
code has been released into the public domain.
--Brett Glass
e-computed dictionary to
break accounts with weak or commonly used passwords. The larger the "salt,"
the more impractical it becomes to prepare or store such a dictionary.
This can matter more than the strength or computational burden of the
hashing algorithm.
--Brett Glass
At 06:51 AM 6/8/2012,
What ports, etc. must one recompile after applying this patch? It
appears to modify libc.
--Brett Glass
which tag?
--Brett Glass
port scan.) And it would have the
advantage that it could be integrated directly into SSH daemons and clients.
--Brett Glass
At 12:09 PM 12/1/2009, Mike Tancsa wrote:
http://isc.sans.org/trends.html
and
http://isc.sans.org/port.html
Do not seem to show any increase.
Do those stats account for the fact that the attackers may first be
fingerprinting servers to see if they're running FreeBSD?
--Brett
SH client that integrates a single packet authentication
system -- e.g. fwknop? I'm already seeking sources and a toolchain
so that I can try my hand at doing this for TeraTerm.)
--Brett Glass
At 06:20 PM 11/30/2009, FreeBSD Security Officer wrote:
A short time ago a "local root" exploit was posted to the full-disclosure
mailing list; as the name suggests, this allows a local user to execute
arbitrary code as root.
Yargh. Thank you for catching this.
--Brett
lback for
administrators, to allow them to keep their systems running while a
bug was diagnosed and fixed.
--Brett Glass
At 12:39 PM 9/27/2009, Robert Watson wrote:
FYI, changes are now going into head to implement this policy,
although by slightly different mechanisms. I expect to se
ort blocks off, or naive users will fall prey to
security holes in Microsoft products. But if BIND doesn't know to
work around them, lookups will occasionally (and infuriatingly!)
fail.
--Brett Glass
At 06:06 PM 7/10/2008, Doug Barton wrote:
>First off, to those who were kind enou
do this doesn't constitute a
"fork" and is of enough value to warrant a bit of developer time
(though obviously different developers will take different amounts
of interest in maintaining "classic" releases).
--Brett Glass
. The expense and difficulty of hacking them all simultaneously would
go up exponentially with the number of "team mates."
--Brett Glass
At 05:05 PM 10/2/2005, Kevin Day wrote:
>This is pretty common, I'm afraid. SSH scanning with brute force
>password guessing has gone through the roof in the last 9-12 months,
>but it's been going on for years.
>
>We announce a /19 worth of space, and see several hundred ssh
>connects per se
At 04:44 PM 10/2/2005, Marcin Jessa wrote:
>B.T.W, did you also notice they harvest email addresses and send you
>useless information about products you don't need?
Was the above intended to be self-referential? ;-)
--Brett
At 04:12 PM 10/2/2005, Daniel Gerzo wrote:
>very nice is to use AllowUsers in form of [EMAIL PROTECTED]
If you can get away with it, absolutely. Same with the RSA keys.
Of course, the problem is that if you need to get access in an
emergency from who-knows-where, you're pretty much stuck with
pas
other ways!). Therefore, it's strongly recommended that, where
practical, everyone limit SSH logins to the minimum possible number
of users via the "AllowUsers" directive. We also have a log monitor
that watches the logs (/var/log/auth.log in particular) and
blackh
ity fixes, why not just
>install 4.11 and then apply the security fixes?
That's fine for awhile, but there will soon be enough
that this will be painful. And it may be a good idea to
produce a release containing other code that's been backported
from
At 07:42 PM 4/17/2005, Colin Percival wrote:
>FreeBSD 4.11 will be supported until at least January 2007.
Any chance of a 4.12, incorporating some of the last bits
that have been brought into 4-STABLE... especially the
security fixes? (Since this is the -security list, it seems
like a good plac
11, favoring fast single
CPUs over multiprocessor systems, for production machines -- and then
jump to 6.0 when it's released. Will security fixes be available long
enough for me to do this if need be?
--Brett Glass