Re: Intel/AMD Downfall/Inception Vulnerabilities

2023-08-21 Thread Matthew Seaman
On 21/08/2023 09:06, Christos Chatzaras wrote: I am aware that work is currently being done for upcoming FreeBSD 14 release and there may not be available human resources, but is there anyone working on this? The FreeBSD project doesn't have the capability to fix this independently of the CPU

Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh

2016-11-03 Thread Matthew Seaman
On 2016/11/03 09:41, Kimmo Paasiala wrote: > Both 10.1 and 10.2 are going to be unsupported by the end of this > year, that's probably the reason the fix was not included in them. > > https://www.freebsd.org/security/#sup > Yes, but 10.1 and 10.2 are still supported for the next two months. That

Re: Two Dumb Questions

2016-09-26 Thread Matthew Seaman
On 26/09/2016 08:42, Ronald F. Guilmette wrote: > > Sorry folks. I'm almost entirely ignorant about everything crypto, > and these questions would probably be better asked elsewhere, but > you all on this list are nicer than folks elsewhere, and probably > will have the kindness not to poke too m

Re: ftpd leaks info which might be useful to an attacker

2016-09-14 Thread Matthew Seaman
On 13/09/2016 22:07, Ronald F. Guilmette wrote: > One set of such decisions has to do with the following files: > > ~ftp/etc/group > ~ftp/etc/pwd.db > > Thinking about how the contents of these files affects the behavior of > the ftp DIR command caused me to realize that I actually would

Re: FreeBSD Security Advisory FreeBSD-SA-16:17.openssl

2016-05-05 Thread Matthew Seaman
On 05/05/16 05:56, ga...@zahemszky.hu wrote: > On 2016-05-05 04:32, Mel Pilgrim wrote: >> On 5/4/2016 3:55 PM, FreeBSD Security Advisories wrote: >>> FreeBSD-SA-16:17.openssl Security Advisory >>>

Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

2015-12-18 Thread Matthew Seaman
On 2015/12/18 15:47, rhi wrote: > Matthew Seaman freebsd.org> writes: > >> Is that the ports or the base version of openssl? I can recreate your >> results with the base openssl, but everything works as expected with the >> ports version: > > Yes, it&#x

Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

2015-12-18 Thread Matthew Seaman
On 12/18/15 11:41, rhi wrote: > Is there any reason why /etc/ssl/cert.pem is not honoured by default? Can I > get OpenSSL to use it by default? Is that the ports or the base version of openssl? I can recreate your results with the base openssl, but everything works as expected with the ports vers

Re: segfault in ntpd

2015-11-02 Thread Matthew Seaman
On 10/30/15 17:21, Matthew Seaman wrote: > On 2015/10/30 10:32, Dag-Erling Smørgrav wrote: >> Can those of you who are experiencing this bug on 10 please try to build >> and run a kernel from head@287591 or newer (with your 10 userland) and >> report back? >> >> #

Re: segfault in ntpd

2015-10-30 Thread Matthew Seaman
On 2015/10/30 10:32, Dag-Erling Smørgrav wrote: > Can those of you who are experiencing this bug on 10 please try to build > and run a kernel from head@287591 or newer (with your 10 userland) and > report back? > > # svnlite co svn://svn.freebsd.org/base/head@287591 /tmp/head > # cd /tmp/head > #

Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp

2015-10-28 Thread Matthew Seaman
On 10/27/15 22:51, Robert Sargent via freebsd-security wrote: > there is a simple workaround if you don't want to or can't reboot your > machines: install the ntp pkg > > pkg install ntp > > and add the following line to /etc/rc.conf > > ntpd_program="/usr/local/sbin/ntpd" > > then kill the

Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp

2015-10-26 Thread Matthew Seaman
On 2015/10/26 16:13, Derek Schrock wrote: > On Mon, Oct 26, 2015 at 11:59:15AM EDT, Gary Palmer wrote: >> >> Hi, >> >> Anyone else done the update on FreeBSD 9.3? After rebuilding the world >> I'm getting an error when running ntpdc or ntpq >> >> % ntpdc -np >> /usr/src/usr.sbin/ntp/libntp/../../.

Re: FreeBSD Security Advisory FreeBSD-SA-15:10.openssl

2015-06-14 Thread Matthew Seaman
On 13/06/2015 22:28, rollingbits (Lucas) wrote: > On Fri, Jun 12, 2015 at 07:43:30AM +, FreeBSD Security Advisories wrote: >> 1) Upgrade your vulnerable system to a supported FreeBSD stable or >> release / security branch (releng) dated after the correction date. > > Do I need rebuild my packa

Re: LogJam exploit can force TLS down to 512 bytes, does it affect us? ?

2015-05-21 Thread Matthew Seaman
On 05/20/15 23:48, Xin Li wrote: > The document at https://weakdh.org/sysadmin.html gives additional > information for individual daemons, including Apache (mod_ssl), nginx, > lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy. The part of that https://weakdh.org/ site that concerns me most

Re: ports requiring OpenSSL not honouring OpenSSL from ports

2014-05-01 Thread Matthew Seaman
On 01/05/2014 00:38, Darren Pilgrim wrote: > On 4/30/2014 12:48 PM, Michael Grimm wrote: >> On 28.04.2014, at 00:50, Jamie Landeg-Jones >> wrote: >>> Scot Hetzel wrote: >>> Here's a list of some that link against /lib/libcrypto.so.7 and/or >>> /lib/libssl.so.7 >>> ports-mgmt/pkg pkg is a speci

Re: FreeBSD Security Advisory FreeBSD-SA-14:07.devfs

2014-04-30 Thread Matthew Seaman
On 30/04/2014 19:58, Xin Li wrote: > On 04/30/14 11:51, Corey Smith wrote: >>> It would be interesting to find out if we could teach net-snmpd >>> to use alternative methods to access data it needs > >> It is not necessary if you build net-mgmt/net-snmp with the >> UNPRIVILEGED knob set. > > Will

Re: FreeBSD Security Advisory FreeBSD-SA-14:07.devfs

2014-04-30 Thread Matthew Seaman
On 04/30/14 05:35, FreeBSD Security Advisories wrote: > Then apply the default ruleset for jails on a devfs mount using: > > devfs -m ${devfs_mountpoint} rule -s 4 applyset > > Or, alternatively, the following command will apply the ruleset over all devfs > mountpoints except the host one: > >

Re: CVE-2014-0160?

2014-04-11 Thread Matthew Seaman
On 11/04/2014 15:34, Erik Trulsson wrote: > Quoting sbre...@hotmail.com: > >> I receive daily email from the host which normally shows port audits >> and vulnerabilities. However, I did not spot anything related to >> CVE-2014-0160 in this email. I expected the same info comes in this >> email ab

Re: Proposal

2014-04-09 Thread Matthew Seaman
On 09/04/2014 18:28, Dag-Erling Smørgrav wrote: > RedHat had prior notice since one of the OpenSSL devs is on their > security team. They had an update ready to roll out before the issue > was leaked (the builds are dated 2014-04-07 11:34:45 UTC), and were > basically just waiting for the announce

Re: NTP security hole CVE-2013-5211?

2014-03-18 Thread Matthew Seaman
On 18/03/2014 03:56, Ronald F. Guilmette wrote: > (It was explained to me at the time that NTP operates a bit like DNS... > with which I am more familiar... i.e. that all outbound requests originate > on high numbered ports, well and truly away from all low numbered ports, > including, in particula

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

2012-11-21 Thread Matthew Seaman
On 21/11/2012 03:37, Mark Andrews wrote: >> The certificates are self-signed. Whilst the hashes are published on >> > the FreeBSD website, that site is only available via HTTP so there's >> > still a bootstrap issue - which I don't have a general solution for. > See DANE, RFC 6698. Which means g

Re: Recent security announcement and csup/cvsup?

2012-11-20 Thread Matthew Seaman
On 20/11/2012 10:01, Ollivier Robert wrote: > According to Gary Palmer on Sun, Nov 18, 2012 at 01:04:21PM -0500: >> > In other words: while signed updates via freebsd-update and portsnap >> > are great for a good chunk of users, they don't address everyones needs. > Hopefully, with the move toward

Re: getting the running patch level

2012-08-10 Thread Matthew Seaman
On 09/08/2012 23:13, Glen Barber wrote: > On Thu, Aug 09, 2012 at 03:31:25PM -0600, Brett Glass wrote: >> > I realize that sysinstall is deprecated in favor of the new installer, but >> > the new installer doesn't have the ability to install binary packages. >> > Until and unless there's a convenie

Re: HSM in FreeBSD

2012-05-13 Thread Matthew Seaman
On 13/05/2012 06:58, mahdieh salamat wrote: > Hi all. I want to use a HSM pc card for security in my system. Can I use it > in FreeBSD? Does FreeBSD support these cards? I take it you mean a 'Hardware Security Module' and not 'Hierarchical Storage Management'? You'd have to tell us the make and model

Re: Latest bind advisory

2011-11-17 Thread Matthew Seaman
On 18/11/2011 04:22, sys Admin wrote: > On Thursday, November 17, 2011, Mike Tancsa wrote: >> On 11/17/2011 9:29 PM, sys Admin wrote: >>> Hi >>> Any plans to apply these patches to the bind version shipped with > FreeBSD ? >>> >>> http://www.isc.org/software/bind/advisories/cve-2011-tbd >> >> Hi,

Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix [REVISED]

2011-10-04 Thread Matthew Seaman
On 04/10/2011 21:38, Mark Duller wrote: > On 10/04/11 20:15, FreeBSD Security Advisories wrote: >> > = >> > >> > > FreeBSD-SA-11:05.unix Security > Advisory >> > The FreeBSD Project >>

Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

2011-10-02 Thread Matthew Seaman
On 02/10/2011 05:53, Brett Glass wrote: > Another question. Suppose one has built a custom kernel (as I always > do). Does FreeBSD-update update the kernel sources such that I can do a > simple "make buildkernel installkernel"? Or do I also have to csup my > kernel sources to some specific tag and

Re: SSL is broken on FreeBSD

2011-04-02 Thread Matthew Seaman
On 02/04/2011 00:30, Chad Perrin wrote: > I don't think that either of the two options currently under discussion > (quietly provide a "trusted" CA list or quietly failing to provide one) > is optimal. In the best-case scenario, I guess there would be some > self-evident system for letting the use

Re: portaudit

2010-07-25 Thread Matthew Seaman
On 25/07/2010 19:06:30, ajtiM wrote: > Hi! > portaudit -a shows: > > Affected package: mDNSResponder-214 > Type of problem: mDNSResponder -- corrupted stack crash when parsing bad > resolv.conf. > Reference: > > > Affecte

Re: OpenSSL 0.9.8k -> 0.9.8l

2010-04-17 Thread Matthew Seaman
On 17/04/2010 17:01:13, Tim Gustafson wrote: >> This isn't an answer to your question, but you could >> always use OpenSSL from the ports tree. > > I'm hesitant to do so because in the past I've had problem when I've > used the ports to upgrade base O

Re: pf rules

2010-01-22 Thread Matthew Seaman
kalin m wrote: hi all... doing testing with pf... how is it possible that if i have these rules below in pf.conf if i do: telnet that.host.org 25 i get: Trying xx.xx.xx.xx... Connected to that.host.org. Escape character is '^]'. ... etc ... pf.conf contents: tcp_in = "{ www, h

Re: Openssl TLS Reneg "Bug"

2009-11-17 Thread Matthew Seaman
Daniel wrote: Dear List, new here so sorry if I am missing any important points. I was wondering: Does anyone know of the status of the "amended" openssl packages for FreeBSD. I'd like to try running our site with "reneg off", but I can't seem to find any notion of this on freebsd sites ? Any

Re: FreeBSD Security Advisory FreeBSD-SA-09:02.openssl

2009-01-07 Thread Matthew Seaman
FreeBSD Security Advisories wrote: I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Se

Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

2008-11-25 Thread Matthew Seaman
Jason Stone wrote: If people really would like to see these kind of notifications (i.e., security-related PRs for ports) in mailing-list format, I think that a separate mailing list would be appropriate (e.g., freebsd-security-ports@). There's already a freebsd-vuxml@ list which hasn't seen an

Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]

2008-07-11 Thread Matthew Seaman
Alan Clegg wrote: Jeremy Chadwick wrote: On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote: Is there a way to restrict the ports which BIND selects -- perhaps at the expense of a small amount of entropy -- such that it doesn't try to use UDP ports which are administratively blocked

Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

2008-04-17 Thread Matthew Seaman
Ian Smith wrote: > On Thu, 17 Apr 2008, Peter Pentchev wrote: > > On Thu, Apr 17, 2008 at 04:07:56PM +1000, Ian Smith wrote: > > > On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote: > > > > > > > IV. Workaround > > > > > > > > Dis

Re: IPsec, VPN and FreeBSD

2006-01-24 Thread Matthew Seaman
Drew Tomlinson wrote: > I've been very pleased with OpenVPN for my needs. Biggest downside is > that each potential connection requires a separate OpenVPN instance as I > understand it. However if your client base is small, you might give it > a look. That used to be the case, but since OpenVPN