Re: clang way to patch for Spectre?

2018-01-04 Thread Julian Elischer
On 5/1/18 12:02 am, Lev Serebryakov wrote: Hello Freebsd-security, https://reviews.llvm.org/D41723 not really.. What's to stop an unprivileged user bringing his own compiler? or a precompiled binary?

Re: Crypto overhaul

2017-10-30 Thread Julian Elischer
On 29/10/17 8:36 am, Eric McCorkle wrote: On 10/28/2017 09:15, Poul-Henning Kamp wrote: In message <20171028123132.gf96...@kduck.kaduk.org>, Benjamin Kaduk writes: I would say that the 1.1.x series is less bad, especially on the last count, but don't know how much you've looked at the

Re: [FreeBSD-Announce] FreeBSD 9.3, 10.1 and 10.2 EoL

2017-01-14 Thread Julian Elischer
On 1/01/2017 8:35 AM, Xin LI wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Dear FreeBSD community, As of January 1, 2017, FreeBSD 9.3, 10.1 and 10.2 have reached end-of-life and will no longer be supported by the FreeBSD Security Officers Team. Users of FreeBSD 9.3, 10.1 and 10.2 are s

Re: isn't this the worst possible report??

2016-10-05 Thread Julian Elischer
On 5/10/2016 7:21 AM, Jules Gilbert via freebsd-security wrote: Well maybe worse, that the deal with AT&T for the BSD franchise has fallen apart... Okay, so I have a FreeBSD 10.1 CD-ROM, believed to be a true copy and authentic copy. And I loaded it on a computer. I did this entirely offline.

Re: freebsd-update and portsnap users still at risk of compromise

2016-08-10 Thread Julian Elischer
/ports svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports make index rm -rf /usr/sbin/portsnap /var/db/portsnap/* I'd also be interested in hearing from hardenedbsd users regarding the pros and cons of cutting over to that distribution. Roger On 2016-07-29 09:00, Julian

Re: freebsd-update and portsnap users still at risk of compromise

2016-07-29 Thread Julian Elischer
On 29/07/2016 11:49 AM, Martin Schroeder wrote: On July 18, John Leyden, security editor at The Register, tweeted a link to a libarchive ticket that had been sitting without a response for almost a week. not sure if you've been contacted privately, but I believe the answer is "we're working o

Re: HPN and None options in OpenSSH

2016-01-22 Thread Julian Elischer
On 22/01/2016 10:31 PM, Dag-Erling Smørgrav wrote: The HPN and None cipher patches have been removed from FreeBSD-CURRENT. I intend to remove them from FreeBSD-STABLE this weekend. The HPN patches were of limited usefulness and required a great deal of effort to maintain in our tree. The None c

Re: OpenSSH HPN

2015-11-30 Thread Julian Elischer
On 1/12/2015 3:23 AM, Brooks Davis wrote: On Tue, Nov 24, 2015 at 09:29:44PM +0100, Aaron Zauner wrote: Hi, Please forgive my ignorance but what's the reason FreeBSD ships OpenSSH patched with HPN by default? Besides my passion for security, I've been working in the HPC sector for a while and b

Re: OpenSSH HPN

2015-11-12 Thread Julian Elischer
On 11/12/15 5:32 AM, Bryan Drewery wrote: On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: I would also like to remove the NONE cipher patch, which is also available in the port (off by default, just like in base). Fun fact, it's been broken in the port for several months with no complaints.

Re: OpenSSH HPN

2015-11-12 Thread Julian Elischer
On 11/12/15 3:28 AM, Brooks Davis wrote: On Tue, Nov 10, 2015 at 04:40:42PM -0800, Bryan Drewery wrote: On 11/10/15 1:42 AM, Dag-Erling Smørgrav wrote: Some of you may have noticed that OpenSSH in base is lagging far behind the upstream code. The main reason for this is the burden of maintain

Re: OpenSSH HPN

2015-11-11 Thread Julian Elischer
On 11/11/15 7:56 PM, Dag-Erling Smørgrav wrote: Julian Elischer writes: The inclusion of the HPN patches meant that we could drop a custom unsupported HPN enabled ssh from our build process. It makes ssh actually usable. Define "usable". Does it actually make a measurable diffe

Re: OpenSSH HPN

2015-11-11 Thread Julian Elischer
On 11/10/15 7:16 PM, Dag-Erling Smørgrav wrote: Bob Bishop writes: Is removing HPN going to impact the performance of tunnelled X connexions? yes if your rtt is greater than about 85 mSec I don't know the details but I noticed a big difference. I had thought X wouldn't show much difference but

Re: OpenSSH HPN

2015-11-11 Thread Julian Elischer
On 11/10/15 5:42 PM, Dag-Erling Smørgrav wrote: Some of you may have noticed that OpenSSH in base is lagging far behind the upstream code. The main reason for this is the burden of maintaining the HPN patches. They are extensive, very intrusive, and touch parts of the OpenSSH code that change si

Re: LibreSSL in base?

2015-06-20 Thread Julian Elischer
On 6/19/15 12:02 AM, Piotr Kubaj wrote: Are there any plans to use LibreSSL in base (at least as an experimental feature, available when compiling with e.g. WITH_LIBRESSL in src.conf)? If not, is 11.0-RELEASE going to have OpenSSL 1.0.2? none that I know of. Our current zebra is black with whit

Re: avoiding base openssl when building ports

2015-06-01 Thread Julian Elischer
On 6/2/15 12:25 AM, Kimmo Paasiala wrote: On Mon, Jun 1, 2015 at 7:17 PM, Benjamin Kaduk wrote: On Sun, 31 May 2015, Don Lewis wrote: The big culprit turned out to be ftp/curl. Even though WITH_OPENSSL_PORT=yes caused it to add the openssl port as a build and run dependency, it was silently

Re: SA-14:19 (Denial of Service in TCP packet processing) and jails issue ?

2015-05-04 Thread Julian Elischer
On 5/5/15 5:28 AM, Mike Tancsa wrote: On 4/29/2015 6:07 PM, Mike Tancsa wrote: The IP being scanned is in a jail. If I run the scan to an IP not associated with the jail, the scan does not complain. Its only on the jailed IP that the scan flags as problematic for this vulnerability. If this i

Re: sendmail broken by libssl in current

2015-03-11 Thread Julian Elischer
On 3/11/15 9:15 AM, Gregory Shapiro wrote: First, thank you Philip for jumping on this. Much appreciated. This wonderful change (cough) to include SSL_OP_TLSEXT_PADDING in SSL_OP_ALL was addressed in sendmail 8.15.1, which explicitly removes SSL_OP_TLSEXT_PADDING from the default ClientSSLOpti

Re: sendmail broken by libssl in current

2015-03-11 Thread Julian Elischer
On 3/11/15 7:55 AM, Dan Lukes wrote: Paul Hoffman wrote: Can you say which email servers *other* than unpatched Ironport fail? Cisco has known about this for many months; see Note that Bug CSCuo25276 is considered duplicate of the bug CSCuo253

sendmail broken by libssl in current

2015-03-11 Thread Julian Elischer
libssl has a new "feature" implemented by: crypto/openssl/ssl/t1_lib.c 672 /* Add padding to workaround bugs in F5 terminators. 673 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 674 * 675 * NB: because this code works out the lengt

Re: DRAM Rowhammer exploits

2015-03-11 Thread Julian Elischer
On 3/9/15 12:49 PM, Dmitry Morozovsky wrote: Dear colleagues, any thoughts we're vulnerable to this? http://googleprojectzero.blogspot.ch/2015/03/exploiting-dram-rowhammer-bug-to-gain.html one important part of this exploit is the following part: ---quote--- How can we pick pairs of addresses

Re: sendmail broken by libssl in current

2015-03-11 Thread Julian Elischer
On 3/11/15 12:14 AM, Xin Li wrote: On 3/10/15 23:57, Julian Elischer wrote: [sorry for reposting but the original copy I got back had been truncated] libssl has a new "feature" implemented by: crypto/openssl/ssl/t1_lib.c 672 /* Add padding to workaround bugs in F5 t

sendmail broken by libssl in current

2015-03-10 Thread Julian Elischer
[sorry for reposting but the original copy I got back had been truncated] libssl has a new "feature" implemented by: crypto/openssl/ssl/t1_lib.c 672 /* Add padding to workaround bugs in F5 terminators. 673 * See https://tools.ietf.org/html/draft-agl-tls-padding-03

Re: New OpenSSL SA

2014-06-05 Thread Julian Elischer
On 6/5/14, 8:28 PM, Big Lebowski wrote: https://www.openssl.org/news/secadv_20140605.txt Debian and RHEL already published theirs: Debian advisory: https://lists.debian.org/debian-security-announce/2014/msg00129.html Red Hat 6 advisory: https://rhn.redhat.com/errata/RHSA-2014-0625.html Red Hat

Re: [CFT] ASLR, PIE, and segvguard on 11-current and 10-stable

2014-05-25 Thread Julian Elischer
On 5/26/14, 5:18 AM, David Chisnall wrote: On 25 May 2014, at 21:31, Oliver Pinter wrote: On 5/25/14, Dag-Erling Smørgrav wrote: Oliver Pinter writes: pax_log will be in future a generic pax related logging framework, with ratelimiting and other features. It will log user, IP, binary name

Re: ports requiring OpenSSL not honouring OpenSSL from ports

2014-04-28 Thread Julian Elischer
On 4/28/14, 6:30 PM, Dag-Erling Smørgrav wrote: Leif Pedersen writes: I realized that we don't really need any extravagance from ld at all. Move the files for the base version of openssl to a different location, and replace them with symlinks. ...and break your system. OpenSSL 0.9.x and 1.0.x

Re: URGENT?

2014-03-23 Thread Julian Elischer
On 3/23/14, 7:56 AM, Brett Glass wrote: At 11:33 PM 3/22/2014, Julian Elischer wrote: in ipfw that's up to you.. but I usually put the check-state quite early in my rule sets. I don't, because I want packets to touch as few rules as possible for the sake of efficiency. One "c

Re: ipfw dynamic rules

2014-03-22 Thread Julian Elischer
reposting with a useful subject line and more comments On 3/22/14, 10:33 PM, Julian Elischer wrote: in ipfw that's up to you.. but I usually put the check-state quite early in my rule sets. On 3/22/14, 1:34 AM, Ian Smith wrote: Firstly, that's the one page in the handbook (that

Re: URGENT?

2014-03-22 Thread Julian Elischer
On 3/22/14, 8:11 AM, RW wrote: On Sat, 22 Mar 2014 08:48:40 -0600 Brett Glass wrote: This is correct. And that's awkward, because you might not want all of these checks in one place. Also, if there are many dynamic rules this will slow traffic down quite a bit. in ipfw that's up to you.. but

Re: NTP security hole CVE-2013-5211?

2014-03-21 Thread Julian Elischer
On 3/20/14, 9:20 PM, Brett Glass wrote: At 03:37 PM 3/20/2014, Ronald F. Guilmette wrote: Starting from these lines in my /etc/ntp.conf file: server 0.freebsd.pool.ntp.org iburst server 1.freebsd.pool.ntp.org iburst server 2.freebsd.pool.ntp.org iburst I resolved each of those three host name

Re: NTP security hole CVE-2013-5211?

2014-03-18 Thread Julian Elischer
On 3/18/14, 12:41 AM, Matthew Seaman wrote: On 18/03/2014 03:56, Ronald F. Guilmette wrote: (It was explained to me at the time that NTP operates a bit like DNS... with which I am more familiar... i.e. that all outbound requests originate on high numbered ports, well and truly away from all low

Re: NTP security hole CVE-2013-5211?

2014-03-15 Thread Julian Elischer
On 3/14/14, 8:38 AM, Brett Glass wrote: Everyone: Two months after this vulnerability was announced, we're still seeing attempts to use the NTP "monitor" query to execute and amplify DDoS attacks. Unfortunately, FreeBSD, in its default configuration, will amplify the attacks if not patched an

Re: FreeBSD Transient Memory problem?

2013-09-13 Thread Julian Elischer
On 9/14/13 10:40 AM, Julian Elischer wrote: On 9/14/13 5:03 AM, John Baldwin wrote: On Friday, September 13, 2013 2:23:19 pm Jonathon Wright wrote: Well stated Gary. I need to divulge more information it appears. The reason I'm unable to effectively fight the semantic game, and not pa

Re: FreeBSD Transient Memory problem?

2013-09-13 Thread Julian Elischer
On 9/14/13 5:03 AM, John Baldwin wrote: On Friday, September 13, 2013 2:23:19 pm Jonathon Wright wrote: Well stated Gary. I need to divulge more information it appears. The reason I'm unable to effectively fight the semantic game, and not pay the auditors, etc. etc. is because the auditors are

Re: FreeBSD Transient Memory problem?

2013-09-12 Thread Julian Elischer
I would imagine it points out the relevant code paths. However, it seems your management wants evidence of EAL certification, not evidence from code. Perhaps you can borrow such certification from nCircle or others. Guy > On Thu, Sep 12, 2013 at 8:00 AM, Julian Elischer

Re: FreeBSD Transient Memory problem?

2013-09-12 Thread Julian Elischer
On 9/13/13 1:49 AM, My Email wrote: My apologies, I have been replying to all, I hope that is the correct method. Anyway, that is very interesting information. I'd be extremely interested in information on customizing malloc and jemalloc. Let me know where to start. Thanks! it's hard to kno

Re: FreeBSD Transient Memory problem?

2013-09-12 Thread Julian Elischer
On 9/12/13 8:15 AM, Jonathon Wright wrote: All, I have posted this question (username-scryptkiddy) in the forums: http://forums.freebsd.org/showthread.php?t=41875 but was suggested to bring it here to the mailing list for discussion. Basically, FreeBSD 8.3 (64bit) is what we use in our shop. We

Re: Allowing tmpfs to be mounted in jail?

2013-08-23 Thread Julian Elischer
On 8/23/13 3:15 AM, Xin Li wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi, Do anybody have concerns if I would commit this? I agree to its usefulness even if I haven't looked at the details Index: sys/fs/tmpfs/tmpfs_vfsops.c ==

Re: Escaping from a jail with root privileges on the host

2011-12-28 Thread Julian Elischer
On 12/28/11 12:58 AM, Marin Atanasov Nikolov wrote: Hello, Today I've managed to escape from a jail by accident and ended up with root access to the host's filesystem. Here's what I did: * Using ezjail for managing my jails * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3 * This works only wh

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:05.opie

2010-05-27 Thread Julian Elischer
On 5/26/10 9:53 PM, matt wrote: There's a typo for the fetch link: --http://security.freebsd.org/patches/SA-10-05/opie.patch ++http://security.freebsd.org/patches/SA-10:05/opie.patch -Matt easiest answer is to both fix the notice and make the two names links..

Re: OpenSSL 0.9.8k -> 0.9.8l

2010-04-23 Thread Julian Elischer
On 4/22/10 7:59 PM, Philip M. Gollucci wrote: On 4/21/2010 1:55 AM, Eirik Øverby wrote: It is a misconception to think that one _has to_ run the latest version (as suggested by dumb network scans) in order to remain compliant (PCI DSS or otherwise). What is needed is that the issues found are

Re: online cheksum verification for FreeBSD

2010-03-10 Thread Julian Elischer
Elmar Stellnberger wrote: The only thing that I have found about it is: "DS Compare the system against a "known good" index of the installed release.'" As well as freebsd-update(8), the FreeBSD base system includes mtree(8) - which can be used to generate and check file hashes. Other tools, s

Re: Increase in SSH attacks as of announcement of rtld bug

2009-12-02 Thread Julian Elischer
Poul-Henning Kamp wrote: In message <200912021324.nb2doc58001...@lava.sentex.ca>, Mike Tancsa writes: At 07:51 AM 12/2/2009, Mohd Fazli Azran wrote: The only way to deal with them I found [...] A very efficient measure: Move your sshd to another port number. You can configure the port in

Re: Protecting against kernel NULL-pointer derefs

2009-09-18 Thread Julian Elischer
István wrote: the question is how much percent of the user are using wine and dosbox which are going to break with this setting, i guess 10% or less. So those guys could use _NO_VM_MIN kernel or something while the rest of the world would fly high with secured kernel. The assumption is that the

Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Julian Elischer
Kevin Oberman wrote: Date: Thu, 21 Aug 2008 13:38:38 -0400 From: Mikhail Teterin <[EMAIL PROTECTED]> Sender: [EMAIL PROTECTED] Hello! A machine I manage remotely for a friend comes under a distributed ssh break-in attack every once in a while. Annoyed (and alarmed) by the messages like: Aug

Re: ipfw "bug" - recv any = not recv any

2008-07-29 Thread Julian Elischer
Jeff Kletsky wrote: I hesitate to call this a "bug" as I don't know all the history behind the ipfw2 decisions, so let me toss this out there and see I'm just missing something. Overview The negated operator, "not recv any" was taken to mean "any packet never received by an interfac

Re: A new kind of security needed

2008-07-24 Thread Julian Elischer
Poul-Henning Kamp wrote: In message <[EMAIL PROTECTED]>, Matthew Dillon writes: Doesn't OpenBSD have a syscall filtering mechanic where one can restrict the file paths the program is allowed to access? Yes they do. Really smart (multithreaded) programs modify the strings after t

Re: A new kind of security needed

2008-07-24 Thread Julian Elischer
Robert Watson wrote: On Thu, 24 Jul 2008, Kostik Belousov wrote: Lots of people care a lot about plan9. The problem is that it's a lot like UNIX. UNIX presupposes lots of special-purpose applications doing rather specific and well-defined things, and that is a decreasingly accurate reflect

Re: Reality check: IPFW sees SSH traffic that sshd does not?

2007-03-21 Thread Julian Elischer
David Wolfskill wrote: This note is essentially a request for a reality check. I use IPFW & natd on the box that provides the interface between my home networks and the Internet; the connection is (static) residential DSL. I configured IPFW to accept & log all SSH "setup" requests, and use natd

Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon

2006-10-11 Thread Julian Elischer
Jeremie Le Hen wrote: Hi, On Sun, Oct 01, 2006 at 12:30:22AM -0700, FreeBSD Security Officer wrote: Users of FreeBSD 4.11 systems are also reminded that FreeBSD 4.11 will reach its End of Life at the end of January 2007 and that they should be making plans to upgrade or replace such sys

Re: Port scan from Apache?

2006-07-18 Thread Julian Elischer
Clemens Renner wrote: Hi everyone, today I got an e-mail from a company claiming that my server is doing port scans on their firewall machine. I found that hard to believe so I started checking the box. The company rep told me that the scan was originating at port 80 with destination port

Re: DSD Approved Products

2006-03-14 Thread Julian Elischer
Jason M wrote: Hi, I am considering installing several `servers' in a facility that needs to conform with the products listed at: DSD Approved Products http://www.dsd.gov.au/infosec/evaluation_services/epl/dap.html I like the motto.. no beating around the bush.. "reveal their secrets.. pr

Re: IPsec, VPN and FreeBSD

2006-01-24 Thread Julian Elischer
those users could be on road and using ISPs to connect the internal lab. both sites are labs. I will try the roaming clients<--->freebsd vpn server first. ok google for mpd and pptp --- Julian Elischer <[EMAIL PROTECTED]> wrote: gahn wrote: Hi: We intend to build IPS

Re: IPsec, VPN and FreeBSD

2006-01-24 Thread Julian Elischer
gahn wrote: Hi: We intend to build IPSec based VPN server on FreeBSD platform so that we can access internal network of a lab. The remote side will use VPN client and could be from anywhere of the Internet, or may be from the another site of the company. From the handbook, I saw the sample of s

Re: Brute Force Detection + Advanced Firewall Policy

2005-12-19 Thread Julian Elischer
Arne Woerner wrote: --- Hadi Maleki <[EMAIL PROTECTED]> wrote: Any BFD/AFP softwares available for FreeBSD 4.10? I'm getting flooded with ssh and ftp attempts. What about a "white list"? I mean, three rules that blocks all incoming traffic to those ports (21, 22, the others), and then

Re: Non-executable stack

2005-11-04 Thread Julian Elischer
martinko wrote: Julian Elischer wrote: Dag-Erling Smørgrav wrote: db <[EMAIL PROTECTED]> writes: Memory on ia32 can be writable and readable. When it is readable it is also executable. On other arch's like AMD64 and IA64, I believe memory can be readable, writable and

Re: Non-executable stack

2005-11-03 Thread Julian Elischer
Dag-Erling Smørgrav wrote: db <[EMAIL PROTECTED]> writes: Memory on ia32 can be writable and readable. When it is readable it is also executable. On other arch's like AMD64 and IA64, I believe memory can be readable, writable and executable. Not quite. IA32 can make individual segm