Re: BlueBorne

On Mon, 18 Sep 2017 16:23:31 +0200, Remko Lodder wrote: > > On 18 Sep 2017, at 15:06, Ian Smith wrote: > > > > Hi, > > > > I suppose Those Who Need To Know would be onto this, but apart from this > > newspaper article the other day, I've come acros

BlueBorne

Hi, I suppose Those Who Need To Know would be onto this, but apart from this newspaper article the other day, I've come across no other mention. "Bluetooth flaw allows airborne viruses silently to attack internet-enabled devices"

Re: DefCon lecture BSD Kern Vulns

On Tue, 8 Aug 2017, Dewayne Geraghty wrote: > > Indeed, there are times when it's best to say nothing :) ___ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "free

Re: fbsd11 & sshv1

On Fri, 3 Feb 2017 00:53:31 +, heasley wrote: > Wed, Feb 01, 2017 at 11:15:10AM +0100, Dag-Erling Smørgrav: > > > i'm suggesting a port with a v1 client; that is built with all the other > > > binary ports for abi changes and whatever else is reasonable. yes, i > > > can build my own, but

Re: Fw: isn't this the worst possible report?? -- i went back and put a copy on a memstick; see attachment

On Thu, 6 Oct 2016 02:12:25 +, Jules Gilbert via freebsd-security wrote: > But please help me.  These attacks are limiting my work efforts. A lot of people make the mistake of using cheap aluminium foil. You have to use real tin. HTH, Ian ___ fre

Census: How the Government says the website meltdown unfolded

Perhaps of interest to some: http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964 cheers, Ian ___ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send

Re: FreeBSD-EN-16:06

On Sat, 7 May 2016 00:56:34 +1000, Ian Smith wrote: > On Fri, 6 May 2016 09:58:06 -0400, Robert Ames wrote: > > > This directory seems to be empty. > > > > https://security.FreeBSD.org/patches/EN-16:06 > > >

Re: FreeBSD-EN-16:06

On Fri, 6 May 2016 09:58:06 -0400, Robert Ames wrote: > This directory seems to be empty. > > https://security.FreeBSD.org/patches/EN-16:06 > Like that, yes. >From the (redirected?) parent directory it works here: http://www.freebsd.org/security/p

Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp

On Sat, 30 Apr 2016 14:27:17 +, Poul-Henning Kamp wrote: [..] > The best explanation of all this is John R. Vig's Quartz Tutorial > which is freely available on the web - highly recommended: > > http://www.am1.us/Local_Papers/U11625%20VIG-TUTORIAL.pdf This is one of the best scient

Re: FreeBSD Security Advisory FreeBSD-SA-15:11.bind

On Wed, 8 Jul 2015 12:49:12 -0500, Mark Felder wrote: > "No workaround is available, but only systems that are manually > configured to enable DNSSEC validation are affected." would be a > reasonable statement. Agreed. DNSSEC may become mandatory, and while surely 'best practice', it's not y

Re: Forums.FreeBSD.org - SSL Issue?

On Fri, 15 May 2015 07:51:34 -0500, Mark Felder wrote: > On Fri, May 15, 2015, at 03:07, Ian Smith wrote: > > On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote: > > > Hello > > > > > > >> But I don't think disable TLS 1.0 is ok. > &

Re: Forums.FreeBSD.org - SSL Issue?

On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote: > Hello > > >> But I don't think disable TLS 1.0 is ok. > >> > > > > TLS 1.0 is dead and is even now banned in new installations according to > > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported > > by *any* HTTP

Re: Forums.FreeBSD.org - SSL Issue?

On Thu, 14 May 2015 12:19:55 +0200, Adam Major wrote: > Hello > > I checked now by sslLabs.com: > https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org > > and score is A+ Ah, so it is now .. it was still B only half an hour ago :) > But I don't think disable TLS 1.0 is ok.

Re: Forums.FreeBSD.org - SSL Issue?

On Thu, 14 May 2015 10:28:27 +0200, Patrick Proniewski wrote: > On 13 mai 2015, at 23:18, Anders Gulden Olstad wrote: > > > Qualys report chain issues > > that's pretty odd, because I've checked too just after sending my > reply to the list (message id > a2d58ccb-8b0a-40ff-9ed1-89b698a83

Re: has my 10.1-RELEASE system been compromised

On Wed, 25 Feb 2015 20:55:43 +, Christopher Schulte wrote: > > On Feb 25, 2015, at 2:34 PM, Philip Jocks wrote: > > > > it felt pretty scammy to me, googling for the "worm" got me to > rkcheck.org which was registered a few days ago and looks like a > tampered version of chkrootkit. I

Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem

On Wed, 28 Jan 2015 17:01:50 -0800, jungle Boogie wrote: > Hi Nick, > On Jan 28, 2015 4:56 PM, "Nick Frampton" wrote: > > > > On 29/01/15 08:46, Joe Holden wrote: > >> > >> Really, how many SCTP users are there om the wild... maybe one? > >> > >> It shouldn't be in GENERIC at the very leas

Re: Security SSH

On Tue, 13 Jan 2015 14:20:20 -0600, Greg Rivers wrote: > On Tue, 13 Jan 2015, Paul Hoffman wrote: > > ...and I'm glad we're not discussing the uninformed crypto FUD that started > > this thread... > > > Agreed, we can all move on now. I only asked about this because I honestly > wanted to k

Re: NEVERMIND!

On Mon, 26 May 2014 19:46:14 -0700, Ronald F. Guilmette wrote: > Ian Smith wrote: > > >... might syslog trigger adhoc rotations by > >newsyslog - of a particular log, not all - after learning how to measure > >'stress', perhaps by rates of delta f

Re: NEVERMIND!

On Mon, 26 May 2014 16:11:52 +0200, Dag-Erling Smørgrav wrote: > > "Ronald F. Guilmette" writes: >> I forgot that newsyslog(8) should limit the size of /var/log/messages, and >> that as long as you limit the size of that to a reasnable value, and as >> long as you have newsyslog(8) only keeping a

Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp

On Sat, 3 May 2014 01:25:40 -0400, Garrett Wollman wrote: > < > said: > > > I've always allowed frags, as per the example rulesets in rc.firewall. > > I only recall seeing them on DNS responses from zen.spamhaus.org, where > > I see plenty of these after a resetlog before the logging lim

Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp

On Fri, 2 May 2014 13:05:04 -0700, Xin Li wrote: > On 05/02/14 12:42, Ronald F. Guilmette wrote: > > OK, so how would one block all incoming *TCP* fragments... you > > know... > > There is no such TCP fragments thing. > > > in order to render this specific security issue a non-issue? (I

Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]

On Sun, 13 Apr 2014 10:33:53 -0400, Lowell Gilbert wrote: > David Noel writes: > > > My main point was that if you don't trust Subversion it makes no sense > > to say you trust portsnap. Portsnap pulls the ports tree from > > Subversion. Using Subversion! The portsnap system relies on the tr

Re: Proposal

On Wed, 9 Apr 2014 19:00:52 +0100, Pawel Biernacki wrote: > On 9 April 2014 17:08, Joe User wrote: > > On 09.04.2014 17:29, Pawel Biernacki wrote: > >> [snip] > >> We need more transparency here. > >> > > > > Please read this and other related threads and you'll understand that > > the Fre

Re: ipfw dynamic rules

ule sets. > > > On 3/22/14, 1:34 AM, Ian Smith wrote: > > Firstly, that's the one page in the handbook (that I know of) that needs > > completely nuking. It contains many factual errors as well as weird > > notions, and will only tend to mislead you; co

Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)

On Fri, 21 Mar 2014 13:01:25 -0700, Ronald F. Guilmette wrote: > In message <20140322000445.c31...@sola.nimnet.asn.au>, > Ian Smith wrote: > > >As assorted experts have suggested, you need a stateful rule. It's > >really not that hard; if you _on

Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)

On Thu, 20 Mar 2014 13:41:06 -0700, Ronald F. Guilmette wrote: [..] > I dearly hope that someone on this list who does in fact have commit privs > will jump on this Right Away. I'm not persuaded that running a perfectly > configured ipfw... statefully, no less... should be an absolute prerequsi

Anything in this story of concern?

Ian ___ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to

Re: FreeBSD DDoS protection

On Wed, 13 Feb 2013 09:28:00 +0100, Dag-Erling Smørgrav wrote: > Ian Smith writes: > > Dag-Erling Smørgrav writes: > > > Slight correction: dropping *all* ICMP is a bad idea. You can get by > > > with just unreach. Add timex, echoreq and echorep for troubl

Re: FreeBSD DDoS protection

On Wed, 13 Feb 2013 01:52:29 +0100, Dag-Erling Smørgrav wrote: > Mark Felder writes: > > Dropping ICMP is not a security method. Please stop doing this! > Slight correction: dropping *all* ICMP is a bad idea. You can get by > with just unreach. Add timex, echoreq and echorep for troublesho

Re: Merry Christmas from the FreeBSD Security Team

On Fri, 23 Dec 2011 09:34:45 -0800, Colin Percival wrote: > On 12/23/11 09:08, Tim Zingelman wrote: > > On Fri, 23 Dec 2011, FreeBSD Security Officer wrote: > >> Unfortunately my hand was forced: One of the issues > >> (FreeBSD-SA-11:08.telnetd) > >> is a remote root vulnerability which is be

Re: openssh concerns

On Fri, 2 Oct 2009, johnea wrote: > Garrett Wollman wrote: [..] > > > tcp4 0 0 atom.60448 host154.advance.com.ar.auth > > > TIME_WAIT > > > > "auth" is the port number used by the IDENT protocol. > > > > -GAWollman > > Thank You to everyone who responded! > > I

Re: emacs installs a lot of 777 directories

On Thu, 19 Mar 2009, Giorgos Keramidas wrote: > On Mon, 16 Mar 2009 20:31:21 +0100, Eirik Øverby wrote: > > On 16. mars. 2009, at 00.50, freebsd...@pc.jgr.de wrote: > >> Dear Giorgos, > >> thank you for coming back to the emacs issue. I deinstalled > >> emacs by means of pkg_delete -v -d, del

Re: OT - Heartland Payment Systems

On Wed, 4 Feb 2009, Janos Dohanics wrote: > I came across this today: > > http://information-security-resources.com/2009/01/29/did-heartland-ceo-make-insider-trades/ > > The article discusses some questions about the security breach which > occurred > at Heartland Payment Systems. Among

Re: Dropping syn+fin replies, but not really?

On Mon, 24 Nov 2008, Eirik Øverby wrote: > On Nov 24, 2008, at 23:12, Pieter de Boer wrote: [..] > > > Results for port 8585: > > > IP (tos 0x0, ttl 59, id 44156, offset 0, flags [DF], proto: TCP (6), > > > length: 64) alge.anart.no.1839 > 213.225.74.230.8585: S, cksum 0xf765 > > > (correct),

Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

On Mon, 24 Nov 2008, David F. Severski wrote: > On Mon, Nov 24, 2008 at 11:06:56PM +0100, William Palfreman wrote: > > That's nice. I am sure it is very useful on the ports mailinglist > > where it belongs. I also greatly enjoy the frequent interesting and > > informed discussion on the secur

Re: FreeBSD Security Advisory FreeBSD-SA-08:10.nd6

On Thu, 2 Oct 2008, Bjoern A. Zeeb wrote: > On Thu, 2 Oct 2008, Ian Smith wrote: > > > > http://www.kb.cert.org/vuls/id/472363 > > > > This link doesn't work, and neither does searching for '472363' there? > > > > Or at least, not fro

Re: FreeBSD Security Advisory FreeBSD-SA-08:10.nd6

On Thu, 2 Oct 2008, FreeBSD Security Advisories wrote: [..] > VII. References > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2476 While this link works, the first link on that page, 'Learn more at National Vulnerability Database (NVD)' to http://nvd.nist.gov/nvd.cfm?cvename=C

Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]

On Sat, 12 Jul 2008, Ian Smith wrote: > Doug responded with a new option My apologies, it was Alan. Second cup of tea hadn't kicked in .. Ian ___ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-

Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]

On Sat, 12 Jul 2008, Mark Andrews wrote: > > > Is there a way to restrict the ports which BIND selects -- perhaps > > at the expense of a small amount of entropy -- such that it doesn't > > try to use UDP ports which are administratively blocked (e.g. ports > > used by worms, or insecure Micr

Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

On Thu, 17 Apr 2008, Peter Pentchev wrote: > On Thu, Apr 17, 2008 at 04:07:56PM +1000, Ian Smith wrote: > > On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote: > > > > > IV. Workaround > > > > > > Disable support for IPv6 i

Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote: > IV. Workaround > > Disable support for IPv6 in the sshd(8) daemon by setting the option > "AddressFamily inet" in /etc/ssh/sshd_config. > > Disable support for X11 forwarding in the sshd(8) daemon by setting > the option "X11Forwa

Re: denyhosts-like app for MySQLd?

On Mon, 21 Jan 2008, Dan Lukes wrote: > Ian Smith napsal/wrote, On 01/21/08 12:55: > > No problem; IPFW has tables too, and sets, with which you could > > enable/disable or > > It interests me: > > > swap your script-constructed tables atomically. >

Re: denyhosts-like app for MySQLd?

On Mon, 21 Jan 2008, Jordi Espasa Clofent wrote: > > There is a functionality in pf, that allows you to have an application to > > update a list of hosts, that is used in a rule. You could have a script > > harvest the addresses from your log files, and then update the table in > > pf. I >

Re: IPFW: Blocking me out. How to debug?

On Fri, 21 Dec 2007, W. D. wrote: > At 05:45 12/20/2007, Ian Smith, wrote: > > Thanks for your reply Ian. This is the kind of > information I am looking for. > > >Firstly, this really belongs over on freebsd-net@ if not > >freebsd-questions@, but anyway ..

Re: IPFW: Blocking me out. How to debug?

Firstly, this really belongs over on freebsd-net@ if not freebsd-questions@, but anyway .. On Thu, 20 Dec 2007, W. D. wrote: > At 03:49 12/17/2007, Tuomo Latto wrote: > >W. D. wrote: > >> How do I tell which rule is blocking me out? SSH *is* working, > >> but others are not. > > > >It all