Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh

2016-11-03 Thread Kimmo Paasiala
Both 10.1 and 10.2 are going to be unsupported by the end of this year, that's probably the reason the fix was not included in them. https://www.freebsd.org/security/#sup -Kimmo On Wed, Nov 2, 2016 at 3:57 PM, Martin Simmons wrote: >> On Wed, 2 Nov 2016 07:55:33 + (UTC), FreeBSD Securi

Re: scope of private libraries

2015-06-02 Thread Kimmo Paasiala
On Tue, Jun 2, 2015 at 5:43 PM, Franco Fichtner wrote: > Hi, > > the general lack of responses is probably why we have the > OpenSSL base issues and maybe they won’t go away anytime > soon, even though there are no downsides to modularisation. > > Yes, anyone can submit patches, but how can potent

Re: avoiding base openssl when building ports

2015-06-01 Thread Kimmo Paasiala
On Mon, Jun 1, 2015 at 7:17 PM, Benjamin Kaduk wrote: > On Sun, 31 May 2015, Don Lewis wrote: > >> The big culprit turned out to be ftp/curl. Even though >> WITH_OPENSSL_PORT=yes caused it to add the openssl port as a build and >> run dependency, it was silently getting linked to openssl from bas
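The silent-linking problem described in the message above (a port built with WITH_OPENSSL_PORT=yes that still resolves libssl/libcrypto from the base system) is easiest to catch by reading ldd(1) output for the installed binary. The following is an added example, not code from the thread or from the FreeBSD ports framework: it classifies the libssl/libcrypto entries in ldd output as coming from base (/lib, /usr/lib) or from ports (/usr/local/lib). The ldd transcripts embedded in it are constructed to look like FreeBSD 10-era output; the library version numbers and load addresses are illustrative, not recorded from a real system.

```python
"""Check which OpenSSL an installed binary actually links against.

Added example. Parses ldd(1)-style output and reports whether libssl and
libcrypto were resolved from the base system or from the ports tree.
Sample ldd transcripts below are constructed, not captured from a real host.
"""
import re
import subprocess
import sys

# FreeBSD library locations (assumption: stock layout, no custom LOCALBASE).
BASE_LIBDIRS = ("/lib/", "/usr/lib/")
PORTS_LIBDIRS = ("/usr/local/lib/",)
SSL_LIBS = ("libssl", "libcrypto")

# One resolved dependency per line: "<soname> => <path> (<load address>)".
LDD_LINE = re.compile(r"^\s*(?P<soname>\S+)\s*=>\s*(?P<path>\S+)")


def classify_ssl_linkage(ldd_output):
    """Return {"libssl": (origin, path), "libcrypto": (origin, path)}.

    origin is "base", "ports" or "other"; a library that is not linked at
    all is simply absent from the result.
    """
    result = {}
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if not m:
            continue  # binary header line, or an unresolved "not found" entry
        soname, path = m.group("soname"), m.group("path")
        for lib in SSL_LIBS:
            if soname.startswith(lib + ".so"):
                if path.startswith(PORTS_LIBDIRS):
                    origin = "ports"
                elif path.startswith(BASE_LIBDIRS):
                    origin = "base"
                else:
                    origin = "other"
                result[lib] = (origin, path)
    return result


def linked_against_base_openssl(ldd_output):
    """True if either libssl or libcrypto came from base.

    A mixed result (libssl from ports, libcrypto from base) is flagged too:
    the two halves of OpenSSL must come from the same build.
    """
    return any(origin == "base" for origin, _ in classify_ssl_linkage(ldd_output).values())


# Constructed transcripts resembling `ldd /usr/local/bin/curl` on FreeBSD 10.
CURL_BASE = """/usr/local/bin/curl:
\tlibcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800a00000)
\tlibssl.so.7 => /usr/lib/libssl.so.7 (0x800c00000)
\tlibcrypto.so.7 => /lib/libcrypto.so.7 (0x800e00000)
\tlibz.so.6 => /lib/libz.so.6 (0x801000000)
\tlibc.so.7 => /lib/libc.so.7 (0x801200000)
"""

CURL_PORTS = """/usr/local/bin/curl:
\tlibcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800a00000)
\tlibssl.so.8 => /usr/local/lib/libssl.so.8 (0x800c00000)
\tlibcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800e00000)
\tlibz.so.6 => /lib/libz.so.6 (0x801000000)
\tlibc.so.7 => /lib/libc.so.7 (0x801200000)
"""

CURL_MIXED = """/usr/local/bin/curl:
\tlibcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800a00000)
\tlibssl.so.8 => /usr/local/lib/libssl.so.8 (0x800c00000)
\tlibcrypto.so.7 => /lib/libcrypto.so.7 (0x800e00000)
\tlibc.so.7 => /lib/libc.so.7 (0x801200000)
"""


if __name__ == "__main__":
    # Usage: python check_ssl_linkage.py /usr/local/bin/curl [...]
    for binary in sys.argv[1:] or []:
        out = subprocess.run(["ldd", binary], capture_output=True, text=True).stdout
        print(binary, classify_ssl_linkage(out),
              "BASE OPENSSL" if linked_against_base_openssl(out) else "ok")
```

Run it over every binary a port installs (the pkg-plist is the list) after a rebuild; a "base" or mixed result means the dependency recorded by the port did not reach the linker, which is exactly the curl case the thread describes.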

Re: Forums.FreeBSD.org - SSL Issue?

2015-05-16 Thread Kimmo Paasiala
On Fri, May 15, 2015 at 9:34 PM, Roger Marquis wrote: > Mark Felder wrote: >>> >>> Another option is a second openssl port, one that overwrites base and >>> guarantees compatibility with RELEASE. Then we could at least have all >>> versions of openssl in vuln.xml (not that that's been a reliable

Re: Failure on 10.0? Re: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED]

2015-03-20 Thread Kimmo Paasiala
On Fri, Mar 20, 2015 at 5:21 PM, Paul Hoffman wrote: > # sudo freebsd-update fetch > Looking up update.FreeBSD.org mirrors... 5 mirrors found. > Fetching metadata signature for 10.0-RELEASE from update6.freebsd.org... done. > Fetching metadata index... done. > Inspecting system... done. > Preparin

Re: FreeBSD Security Advisory FreeBSD-SA-14:14.openssl

2014-06-09 Thread Kimmo Paasiala
On 8.6.2014, at 16.14, Jilles Tjoelker wrote: > On Fri, Jun 06, 2014 at 02:33:59PM +1000, John Marshall wrote: >> On Thu, 05 Jun 2014, 13:16 +, FreeBSD Security Advisories wrote: > >>> Corrected: > >>>2014-06-05 12:33:23 UTC (releng/9.2, 9.2-RELEASE-p8) > >>> VI. Correcti

Re: FreeBSD-SA-14:08.tcp has nothing to do with tcp fragments!

2014-05-07 Thread Kimmo Paasiala
On 5.5.2014, at 11.57, Thomas Steen Rasmussen wrote: > Signed PGP part > Hello all, > > I've been following the thread on FreeBSD-SA-14:08.tcp [1] and I > am concerned that people seem to have entirely misunderstood the > issue entirely - or perhaps it is me :) > > I'll take the liberty of pas

Re: am I NOT hacked?

2014-04-26 Thread Kimmo Paasiala
On 26.4.2014, at 21.17, Joe Parsons wrote: > Sorry, one paragraph of my last reply appears to be screwed up on the web > archive. You can ignore that reply and just read the following. I'm sorry > for the confusion. > > > Ok, thanks a lot for all your kind help. I learned the pwd_mkdb

Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

2014-04-25 Thread Kimmo Paasiala
On 25.4.2014, at 17.15, Ben Laurie wrote: > On 25 April 2014 13:24, Dag-Erling Smørgrav wrote: >> Chad Perrin writes: >>> Obviously, human judgment is an important part of the process of finding >>> and fixing bugs. If it wasn't, the last program we'd ever have to debug >>> would be the one t

Re: De Raadt + FBSD + OpenSSH + hole?

2014-04-21 Thread Kimmo Paasiala
On 21.4.2014, at 6.06, Jamie Landeg-Jones wrote: > "hcoin" wrote: > >> local variables) harms performance. It's also true doing both of these >> things would not fix the flaw that 'opened the window' onto these data. >> However it is true that doing so would make the exploit valueless as

Re: CVE-2014-0160?

2014-04-11 Thread Kimmo Paasiala
On 11.4.2014, at 15.53, sbre...@hotmail.com wrote: > ext 65281 (renegotiation info, length=1) > ext 00011 (EC point formats, length=4) > ext 00035 (session ticket, length=0) > ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is > possible when linking against OpenSSL 1.0.1

Re: http://heartbleed.com/

2014-04-10 Thread Kimmo Paasiala
On 10.4.2014, at 15.48, Ed Maste wrote: > On 10 April 2014 06:33, Kimmo Paasiala wrote: >> >> Going back to this original report of the vulnerability. Has it been >> established with certainty that the attacker would first need MITM >> capability to exploit th

Re: http://heartbleed.com/

2014-04-10 Thread Kimmo Paasiala
On 8.4.2014, at 17.05, Dirk Engling wrote: > On 08.04.14 15:45, Mike Tancsa wrote: > >>I am trying to understand the implications of this bug in the >> context of a vulnerable client, connecting to a server that does not >> have this extension. e.g. a client app linked against 1.xx thats >

Re: Proposal

2014-04-09 Thread Kimmo Paasiala
On Apr 09, 2014, at 03:25 PM, Dag-Erling Smørgrav wrote: Pawel Biernacki writes: > I understand that this is voluntary role and you have another (real > life) responsibilities that’s why I'd like to propose an idea of (at > least partially) paid position of Security Officer

Re: NTP security hole CVE-2013-5211? (Gary Palmer)

2014-03-25 Thread Kimmo Paasiala
On 25.3.2014, at 15.48, Olafur Gudmundsson wrote: > > On Mar 25, 2014, at 8:00 AM, freebsd-security-requ...@freebsd.org wrote: > >> >> Message: 1 >> Date: Mon, 24 Mar 2014 11:02:08 -0400 >> From: Gary Palmer >> To: Brett Glass >> Cc: "freebsd-security@freebsd.org" , >> Remko Lodder , "

Re: FreeBSD Transient Memory problem?

2013-09-12 Thread Kimmo Paasiala
On Fri, Sep 13, 2013 at 3:47 AM, Jonathon Wright wrote: > Thanks Brett, > > That item just made it to the top of the argument list I'm formulating > right now from everyone's input. =) > That makes a very strong argument for the OS as "approved". > > > On Thu, Sep 12, 2013 at 2:39 PM, Brett Glass

Re: bind9 and CVE-2013-4854

2013-07-28 Thread Kimmo Paasiala
A question related to this: What is it that prevents BIND from being removed from the base when there are very well working ports of BIND already that are far easier to update when vulnerabilities are found. Is it the dig(1), host(1) and nslookup(1) utilities? -Kimmo

Re: Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-19 Thread Kimmo Paasiala
On Thu, Jun 20, 2013 at 3:04 AM, Michael Holmes wrote: > On Thu, Jun 20, 2013 at 12:57 AM, Sergio Tam wrote: >> >> Hello Hunger >> >> I am new can you clarify a question? >> I have not installed nmap. Its FreeBSD insecure? >> Can you do the same? >> can you exploit freebsd without nmap? >> >> Rega