On Wed, Feb 12, 2020 at 03:22:21PM +, Glen Barber wrote:
> > Have you considered the possibility of simply publishing a detached
> > signature with every MANIFEST, in a similar manner to what is done for
> > the installer images?
> >
>
> I have not, as a change to the misc/freebsd-release-man
Sorry for my delayed response.
On Mon, Feb 03, 2020 at 01:57:10PM +, Glen Barber wrote:
> First, if one installs from a snapshot, the MANIFEST file would only be
> valid until the next snapshot build.
>
> The second and third problems are somewhat related: the various
> distribution sets (bas
On Thu, Jan 30, 2020 at 01:22:39PM +, Glen Barber wrote:
> I honestly wasn't aware there was a jail subcommand to bsdinstall.
> I think, rather than creating /usr/freebsd-dist on the host system, we
> should instead check if the misc/freebsd-release-manifests package is
> installed and bail if
Hello all,
I really hope I'm missing something here, and we can all have a nice
chuckle at my expense.
But I can't see any way the integrity of the installer sets (base.txz,
kernel.txz and friends) can be verified cryptographically? There is a
MANIFEST file containing SHA256 checksums, but it its
On Mon, Jan 27, 2020 at 04:42:01PM +, Glen Barber wrote:
> No, this last part is not true. The installer always verifies the
> checksums against /usr/freebsd-dist/MANIFEST on the installation medium.
>
> In particular, this was done in r293223, where the LOCAL_DISTRIBUTIONS
> variable explici
On Fri, Sep 18, 2015 at 04:05:39PM +0200, Dag-Erling Smørgrav wrote:
> Then again, if you have the means to mount a MITM attack you probably
> have the means to get a valid certificate.
If you're that paranoid, there's a nice Firefox extension called CertPatrol
that will alert you to any changes i
On Fri, Sep 18, 2015 at 07:45:29AM -0400, Daniel Feenberg wrote:
> Is there a reason to encrypt something that is completely public?
> Perhaps to allow the visitor to conceal the fact that they are
> interested in FreeBSD? That won't work, since the IP address of the
> server can't be encrypted. I
On Fri, Sep 26, 2014 at 12:29 PM, Robert Joosten wrote:
> What about /bin/sh ?
/bin/sh isn't bash on FreeBSD and doesn't have this problem.
-nd.
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To
On Sun, Apr 20, 2014 at 2:31 PM, Jamie Landeg-Jones wrote:
> Once memory has been freed, I thought any attempt by a user process to
> access it would cause a SIGSEGV.
>
> I thought the issue was with programs that inadvertently expose (either
> to read or write) other parts of their active memory.
On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:
> If your reliance on OpenSSL bugs being fixed requires a fix at a rate faster
> than what the FreeBSD community provides, then you should not rely on the
> FreeBSD community. Install OpenSSL on your mission-critical systems from
> OpenSSL s
On Wed, Apr 9, 2014 at 4:12 PM, Dag-Erling Smørgrav wrote:
> Nathan Dorfman writes:
>> Is it implausible to suggest that before embarking on the task of
>> backporting, reviewing, testing and releasing the actual fix, an
>> announcement could have been made immediately
First, the (unfortunately) necessary disclaimer: this is an honest
question to satisfy my curiosity, nothing more. Absolutely no
criticism of anyone is intended.
Is it implausible to suggest that before embarking on the task of
backporting, reviewing, testing and releasing the actual fix, an
annou
Uh, an excuse for what exactly? You must be talking about installing
1.0.1 from the ports. That was fixed yesterday by updating the version
in ports to 1.0.1g:
http://svnweb.freebsd.org/ports?view=revision&revision=350548
-nd.
On Tue, Apr 8, 2014 at 2:54 PM, Niklaus Schiess wrote:
> Plenty of F
herefore FreeBSD base isn't vulnerable and the only
> problem is people who installed a newer OpenSSL from ports.
>
> Cheers,
> Merijn
>
>
> - Reply message -
> From: "Nathan Dorfman"
> To: "Mike Tancsa"
> Cc:
> Subject: FreeB
Someone please correct me if I'm wrong, but I think simply adding
-DOPENSSL_NO_HEARTBEATS to crypto/openssl/Makefile (and recompiling!) is
sufficient to remove the vulnerability from the base system.
-nd.