Re: CA's TLS Certificate Bundle in base = BAD

2022-12-07 Thread Roger Marquis
share/certs/trusted/TrustCor*" but there's sure to be room for options to better harden PKI. Roger Marquis

Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping

2022-11-30 Thread Roger Marquis
Also note that the update can be as easy as: gitup src cd /usr/src make buildworld cd sbin/ping make install ls -l /sbin/ping /sbin/ping ... Roger Marquis On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote: On 11/30/2022 4:58 PM, Dev Null wrote: Easily to exploit in

Re: sysrc bug

2021-05-31 Thread Roger Marquis
easons are, particularly considering /usr/sbin/sysrc starts with "#!/bin/sh" (as does and should every system shell script). Roger Marquis ___ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To u

Re: Security leak: Public disclosure of user data without their consent by installing software via pkg

2021-04-08 Thread Roger Marquis
Whatever the fix I hope we all agree that a policy is needed allowing or requiring the ports and security teams to reject ports and patches which exfiltrate (i.e, upload) _any_ local information without an explicit, detailed and robust opt-in. Roger Marquis On 08/04/2021 18:24, Shawn Webb

Re: Buffer overruns, license violations, and bad code: FreeBSD 13's close call

2021-03-26 Thread Roger Marquis
03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/3/> The only downside, no idea how it got by Ars' editors, is an irrelevant side-thread on 'Macy's record as a landlord. That aside the article is a must-read for anyone concerned w

Re: Moinmoin

2020-11-30 Thread Roger Marquis
28/11/2020 12:55 pm, Roger Marquis wrote: Anyone know if www/moinmoin is abandonware? The maintainer is listed as pyt...@freebsd.org and the version in ports has had an unpatched vulnerability for the last couple of weeks. Hi Roger, I don't believe so, but development is slow Can you p

Moinmoin

2020-11-27 Thread Roger Marquis
Anyone know if www/moinmoin is abandonware? The maintainer is listed as pyt...@freebsd.org and the version in ports has had an unpatched vulnerability for the last couple of weeks. Roger Marquis

Re: A question about Security Advisories

2020-09-03 Thread Roger Marquis
and Annual reports occasionally mention them but only in passing. How do we get someone on the Board/Foundation who is willing and able to prioritize these important issues? Roger Marquis Hi, Last years all Security Advisories regarding base system in the "update your vulnerable system

Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd

2020-02-14 Thread Roger Marquis
the reason why it is no longer bundled. Roger Marquis Upstream OpenSSH-portable removed libwrap support in version 6.7, released in October 2014. We've maintained a patch in our tree to restore it, but it causes friction on each OpenSSH update and may introduce security vulnerabilit

Re: Review of FreeBSD Security Advisory Process: Incl Heads Up, Dates, Etc [cont: 5599 SACK}

2019-07-07 Thread Roger Marquis
dmills but wouldn't it be better to at least try beefing-up security support and creating a sustainable SECURITY BUDGET? If it grew the user-base by only a few percent that would at the very least make everyone's contribution more valuable. IMO, Roger Marquis

Re: Untrusted terminals: OPIE vs security/pam_google_authenticator

2019-06-18 Thread Roger Marquis
should be kept somewhere accessible for security-conscious end-users. To eliminate it would only benefit those with commercial interests in proprietary and hosted (vendor lock-in) MFA solutions. IMO, Roger Marquis

Re: SQLite vulnerability

2018-12-17 Thread Roger Marquis
rt on December 4th. Roger Marquis

Re: SQLite vulnerability

2018-12-17 Thread Roger Marquis
that opposition viewpoints are simply Linux advocates. Roger Marquis

Re: SQLite vulnerability

2018-12-16 Thread Roger Marquis
mply a means of keeping end-users safe and making everyone's contribution to the project more effective. Roger Marquis

SQLite vulnerability

2018-12-16 Thread Roger Marquis
cteam is not able to properly maintain the vulnerability database? If the latter perhaps someone from the security team could let us know how such a significant vulnerability could go unflagged for so long and, more importantly, what might be done to address the gap in reporting? Roger Ma

Re: Interim support guarantee for FreeBSD 12

2018-11-30 Thread Roger Marquis
FYI re potential cuts to STABLE long-term support. Does this affect the RELEASE branch as well? Anyone know where this is being discussed? The announcement mentions community feedback but that seems unlikely given there has been no mention of it on the freebsd-security list. Roger Marquis

Jailing {open,}ntpd

2018-06-26 Thread Roger Marquis
Has anyone configured {open,}ntpd to run in a FreeBSD jail or Linux container? Can it be done in such a way that a breached daemon would not have access to the host? Roger Marquis

Re: FreeBSD Security Advisory FreeBSD-SA-18:02.ntp

2018-03-07 Thread Roger Marquis
could have been saved by migrating ntpd to ports and openntpd to base. One too many cases exactly like this are why OpenBSD and HardenedBSD forked of course, but it is still not at all clear why openntpd and other tested and proven security changes haven't been pulled in to Fre

Re: Fwd: [tor-relays] FreeBSD 11.1 ZFS Tor Image

2018-02-27 Thread Roger Marquis
tion I received is that the ports-secteam is a volunteer effort and nobody really expects 'pkg audit' to be timely anyhow. Such easily fixable problems. Even the FreeBSD Foundation for all the projects it funds, and could fund with +$2.5M in the bank, doesn'

Re: Malicious URL ? https://[::]/

2018-01-24 Thread Roger Marquis
Dag-Erling Smørgrav wrote: Hang on a sec ? localhost should be [::1], not [::], which is the equivalent of 0.0.0.0. My guess is a software bug. Jails look a little weird from the inside unless you use a fully virtualized network stack. The proxy probably doesn't have sufficient error checking a

Malicious URL ? https://[::]/

2018-01-22 Thread Roger Marquis
else has seen this? Roger Marquis

Re: http subversion URLs should be discontinued in favor of https URLs

2017-12-11 Thread Roger Marquis
ternative signature presharing mechanism would be more secure (than the CA maintained by EFF/LetsEncrypt at least). IMO, Roger Marquis

New pkg audit FNs

2017-10-09 Thread Roger Marquis
ver, so concern regarding the validity of FreeBSD's vulnerability database is larger than this CVE. We are concerned about update processes and procedures, especially considering how this topic has come up in the past (for different apps). Roger Marquis

Re: pkg audit false negatives

2017-08-14 Thread Roger Marquis
That leaves just unpackaged base as FreeBSD's remaining audit weakness. Hi, I am happy that I can reduce your worry factor a bit ;-) Can you share what the audit weakness is? freebsd-update cron checks whether or not an update is available and then emails you. If you run -RELEASE, then that mea

Re: pkg audit false negatives

2017-08-13 Thread Roger Marquis
I do not think that holds: 17521 php -- multiple vulnerabilities 17522 17523 17524 php55 17525 5.5.38 17526 This is an entry from svnweb, for php55, which was added in 2016(07-26). So this entry is there. Thus it did not disappear from VuXML a

Re: pkg audit false negatives

2017-08-11 Thread Roger Marquis
ng of installed but deprecated ports OTOH, seems to have fallen through the cracks. Even the FreeBSD Foundation and the ports-security teams appear to be ignoring this issue. Roger Marquis

Re: pkg audit false negatives

2017-08-11 Thread Roger Marquis
It had been resolved for dovecot (it will now match both variants, since people might still have the old variant of the port installed) and there is a new paragraph added to the porters handbook which tells that we need to have a look at the vuxml entries. Thanks Remko. Hope this solves your

pkg audit false negatives

2017-08-10 Thread Roger Marquis
In the past pkg-audit and even pkg-version have not been reliable tools where installed ports or packages have been subsequently discontinued or renamed. Today, however, I notice that dovecot2 is still showing up in the output of pkg-version despite the port having been renamed to dovecot (withou

Re: fbsd11 & sshv1

2017-02-01 Thread Roger Marquis
I believe FreeBSD should just have a slave port with OpenSSH 7.4, used only for SSHv1. People using such port should know the consequences of it. This could be a good candidate for a new ports category, /usr/ports/legacy If implemented there is a lot of code, in both ports and base, that sho

Re: /tmp/ecp.* created during kernel build?

2016-12-27 Thread Roger Marquis
Found a couple of ecp binaries in /tmp, apparently created concurrent with an 11.0 x86_64 kernel build. Anyone else seen this? Could they be related to a "make buildkernel"? Confirmed 'make buildkernel' does create these files, apparently via /usr/src/contrib/elftoolchain/elfcopy/main.c (thank

/tmp/ecp.* created during kernel build?

2016-12-27 Thread Roger Marquis
Found a couple of ecp binaries in /tmp, apparently created concurrent with an 11.0 x86_64 kernel build. Anyone else seen this? Could they be related to a "make buildkernel"? # ls -l /tmp/ecp* -rw-r--r-- 1 root wheel 4229 Dec 27 06:21 ecp.Aak1ruL8 -rw-r--r-- 1 root wheel 2371 Dec 27 06

Re: ftpd leaks info which might be useful to an attacker

2016-09-14 Thread Roger Marquis
Matthew Seaman wrote: FTP as a protocol is archaic and needs to die. A good step towards that would be the deprecation of ftpd in base. As well as the rest of the legacy daemons under /usr/libexec(/*d, other than tcpd). Roger ___ freebsd-security@f

Re: ftpd leaks info which might be useful to an attacker

2016-09-14 Thread Roger Marquis
Matthew Seaman wrote: FTP as a protocol is archaic and needs to die. A good step towards that would be the deprecation of ftpd in base. IMO, Roger ___ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-securi

Re: Ports EOL vuxml entry

2016-08-23 Thread Roger Marquis
Is an outdated (EOL) port a vulnerability? I don't think so. It's a possible vulnerability, but not a real one. Exactly. The meta-discussion we're having is regarding the word 'audit' (in 'pkg audit'). When you or I audit a server or a site the client always wants to know about potential vulne

Re: Ports EOL vuxml entry

2016-08-22 Thread Roger Marquis
today there was a new entry added to the vuxml file including all outdated ports. Where is the value in this entry? This is good news for many of us Gerhard, who depend on the output of 'pkg audit' for vulnerability information. In this file there should only be real vulnerabilities and not maybe v

pkg audit false negatives (was: Perl upgrade - 5.20.x vulnerable)

2016-08-16 Thread Roger Marquis
there is no released patch'. This is particularly problematic as there are usually mitigations that do not require patches. Roger Marquis

Re: freebsd-update and portsnap users still at risk of compromise

2016-08-09 Thread Roger Marquis
Timely update via Hackernews: Note in particular: "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch, and libarchive vulnerabilities." Not sure why the portsec team has not commented or published an advisory (possibly because the freebsd list spam filters are so bad that

Re: freebsd-update and portsnap users still at risk of compromise

2016-07-31 Thread Roger Marquis
Question is does this warrant moving from portsnap to svn? Also have to wonder why the security team hasn't issued a vulnerability announcement. Roger On July 18, John Leyden, security editor at The Register, tweeted a link to a libarchive ticket that had been sitting without a response for

Re: [SECURITY][CORRECTION] CVE-2016-3092 Apache Tomcat Denial of Service

2016-06-22 Thread Roger Marquis
These vulnerabilities seem to be missing from the current vuln.xml, FYI. Roger Date: Wed, 22 Jun 2016 11:02:59 +0100 From: Mark Thomas Reply-To: annou...@tomcat.apache.org To: "us...@tomcat.apache.org" Cc: "d...@tomcat.apache.org" , "annou...@tomcat.apache.org" , annou...@apache.org Su

Re: Batching errata & advisories in heaps degrades security.

2016-05-05 Thread Roger Marquis
Totally the opposite, it means one rollout instead of X rollouts making it simpler not harder. I don't know, isn't that the logic behind Microsoft's failed patch-Tuesdays? It's important not to confound security with usability. Any delay to a security advisory is an invitation to hackers. I d

Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp

2016-04-30 Thread Roger Marquis
Large builds over NFS filesystems, particularly secure NFS (i.e., Kerberos), are one of the best tests of time synchronization. Clients with bad clocks can further exercise this not uncommon infrastructure. The reason you don't typically see build errors even here, IME, is because the timehosts tend

Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp

2016-04-29 Thread Roger Marquis
Who needs millisecond accuracy anyway? Cell phones, cell phone towers, computers handling financial transactions, etc. I manage security for several dozen FreeBSD computers handling financial transactions and they all run openntpd in client-only mode. It was the only way we could avoid an abs

RE: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp

2016-04-29 Thread Roger Marquis
What are the reasons FreeBSD has not deprecated ntpd in favor of openntpd? While I cannot speak for anyone other than myself, the two simply aren't equivalent. As a conscious design choice, OpenNTPD trades off accuracy for code simplicity. IIRC openntpd is accurate down to ~100ms. Ntpd does

Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp

2016-04-29 Thread Roger Marquis
Despite the risk of beating a dead horse (apologies to non-native English speakers for the idiom), as I cannot recall discussion of migrating base, and since replacing ntpd with openntpd has been standard practice in security-oriented environments for a few years now, perhaps someone on the sec

Re: verify FreeBSD installation

2016-02-24 Thread Roger Marquis
Hi. Is there any reliable way to verify checksums of all local files for some FreeBSD installation? E.g. I'm using a hoster which provides pre-deployed FreeBSD instances, how can I be sure there are no any patches\changes in a kernel\services etc? At the filesystem-level there's security/integ

PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

2016-02-19 Thread Roger Marquis
that goal I'm wondering if FreeBSD base has ever been analyzed for patterns of suspicious commits[4]? Roger Marquis Refs. [1] http://www.viva64.com/en/b/0377/ [2] http://tech.slashdot.org/story/16/02/19/001202/pvs-studio-analyzer-spots-40-bugs-in-the-freebsd-kernel [3] http://www.apple.co

Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

2015-12-18 Thread Roger Marquis
rhi wrote: Until now, I have avoided installing the OpenSSL port because the base OpenSSL gets security updates via freebsd-update and so it's one thing less to care about... also, I don't like the idea of having two different versions of the same thing on the system A fair number of sites have

Re: OpenSSH HPN

2015-11-11 Thread Roger Marquis
It is little used, has been the source of multiple vulnerabilities, but still exists in GENERIC. Since both of these security issues can be easily compiled around I only wonder why FreeBSD doesn't default to the more secure defaults. Roger Marquis

Re: OpenSSH HPN

2015-11-11 Thread Roger Marquis
reason inetd is not more widely used today is that many sysadmins aren't familiar with it. Roger Marquis

vuln.xml to oval script?

2015-09-24 Thread Roger Marquis
it be to write a translation script? Roger Marquis

Re: HTTPS on freebsd.org, git, reproducible builds

2015-09-18 Thread Roger Marquis
re good and timely subjects given recently published details of NSA/5 eyes methodologies as well as the issues freebsd security teams were having as recently as a few months ago. Roger Marquis Refs. https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-

Re: OpenSSH max auth tries issue

2015-07-21 Thread Roger Marquis
Brett Glass wrote: Because a potential intruder can establish multiple or "tag-teamed" TCP sessions (possibly from different IPs) to the SSH server, a per-session limit is barely useful and will not slow a determined attacker. A global limit might, but would enable DoS attacks. If you run ssh

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-06-08 Thread Roger Marquis
> On Fri, May 29, 2015 at 5:15 PM, Robert Simmons wrote: > Crickets. > > May I ask again: > > How do we find out who the members of the Ports Secteam are? > > How do we join the team? Anyone? >> On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery >> wrote: >>> I think the VUXML database needs

Re: avoiding base openssl when building ports

2015-06-01 Thread Roger Marquis
ystem use full set of its own libraries for everything either. I'd be happy just to 'make buildworld -DWITHOUT_OPENSSL'. Roger Marquis

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Roger Marquis
Walter Parker wrote: > What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that > their systems are secure? An audit trail of CVE issues fixed, while a > good start. is hardly a strong assurance that the system is secure. An important point and thank you for making it Walter. There

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
t a couple of years ago which calls for an > equally major heads-up to be sent to those running FreeBSD servers and > looking to the freebsd.org website for help securing their systems. > > The significance of these 7 bullets should not be overlooked or > understated. They call in to qu

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
>> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and >> OpenBSD server operators) have no assurance that their systems are >> secure. > > Slow down here for a second. Where's the command-line tool on RedHat or > Debian that lists only the known vulnerable packages? In R

New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Roger Marquis
FYI regarding these new and significant failures of FreeBSD security policy and procedures. PHP55 vulnerabilities announced over a week ago ) have still not been ported to lang/php55. You can, however, edit the Makefile, increment the POR

Re: pkg audit / vuln.xml failures

2015-05-18 Thread Roger Marquis
I would like to contribute on that level as well. Still interested in the team's policies and procedures, if those are online somewhere. Roger Marquis

Re: Forums.FreeBSD.org - SSL Issue?

2015-05-17 Thread Roger Marquis
Mark Felder wrote: Sure, when you must change the ABI you also have to rebuild linked libs and bins, but how many openssl 0.9 updates have required ABI changes? This entire discussion has been about doing MAJOR updates to OpenSSL in base. I agree that this discussion has been about updates to

Re: Forums.FreeBSD.org - SSL Issue?

2015-05-17 Thread Roger Marquis
Mark Felder wrote: Considering the time to write and test patches is the same in either case it is still an open question. Again, this is not possible. You can't just "replace" the base OpenSSL. That port or package would also have to replace every binary and library in the base system linked

pkg audit / vuln.xml failures

2015-05-17 Thread Roger Marquis
email to the security team). Is there a URL outlining the policies and procedures of vuln.xml maintenance? Roger Marquis

Re: Forums.FreeBSD.org - SSL Issue?

2015-05-17 Thread Roger Marquis
You're not understanding the situation: the vulnerability isn't in OpenSSL; it's a design flaw / weakness in the protocol. This is why everyone is running like mad from SSL 3.0 and TLS 1.0. Right, there are two issues being discussed that should be separated. The thread was originally about SSL

Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Roger Marquis
Mark Felder wrote: Another option is a second openssl port, one that overwrites base and guarantees compatibility with RELEASE. Then we could at least have all versions of openssl in vuln.xml (not that that's been a reliable indicator of security of late). This will never work. You can't guar

Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Roger Marquis
, one that overwrites base and guarantees compatibility with RELEASE. Then we could at least have all versions of openssl in vuln.xml (not that that's been a reliable indicator of security of late). Roger Marquis

Re: Enumerating glibc dependencies

2015-02-02 Thread Roger Marquis
Is FreeBSD glib always linked to libc (vs glibc)? Apparently it is, at least on the systems I've tested where there were no glibc dependencies at all. Another item added to the list of BSD (security) advantages. Roger

Re: Enumerating glibc dependencies

2015-02-02 Thread Roger Marquis
Please note that the glibc has nothing to do with glib. Is FreeBSD glib always linked to libc (vs glibc)? # ldd /usr/local/lib/libglib* 2>/dev/null| grep libc | sort -u libc.so.7 => /lib/libc.so.7 (0x800648000) Roger

Enumerating glibc dependencies

2015-02-02 Thread Roger Marquis
Before pkgng it was easy to list a system's port dependencies by (starting with): grep glib /var/db/pkg/*/* Is there an equivalent (single) command for pkgng? Roger

Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem

2015-01-28 Thread Roger Marquis
>> >> If SCTP is NOT compiled in the kernel, are you still vulnerable ? >> > >> > No -- we should have mentioned that too. For GENERIC kernel however >> > SCTP is compiled in. >> >> Should probably fix that too, in GENERIC, considering how little used this >> protocol is. > > It is not used much b

Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem

2015-01-28 Thread Roger Marquis
>> If SCTP is NOT compiled in the kernel, are you still vulnerable ? > > No -- we should have mentioned that too. For GENERIC kernel however > SCTP is compiled in. Should probably fix that too, in GENERIC, considering how little used this protocol is.

Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

2015-01-06 Thread Roger Marquis
> DES wrote: > I do it all the time: > $ sudo env UNAME_r=X.Y-RELEASE freebsd-update fetch install Not sure if using a jail to test is relevant but this never updates (my) binaries to the specified RELEASE/RELENG, only to the current kernel's patch level. Then there's the issue of specifying -REL

Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

2014-12-31 Thread Roger Marquis
Dag-Erling Smørgrav wrote: Roger Marquis writes: ... or those with constrained resources are never going to be able to make/build/installworld for something as simple as a single binary update. These sites would be better served using freebsd-update to download and apply binary patches

Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

2014-12-26 Thread Roger Marquis
ere be a budget estimate associated with addressing this security advisory situation? Since quick publication of advisories is critical this also raises the question of what might be an effective way to subsequently publish more granular update instructions. Roger Marquis

Re: ntpd vulnerabilities

2014-12-23 Thread Roger Marquis
feature missing from openntpd that we could use is a way to set the egress interface. Openntpd's "listen on" directive only defines the ingress tcp address, outgoing queries still use the server's primary ip. Roger Marquis

Re: getting the running patch level

2012-08-21 Thread Roger Marquis
ted by appending a simple "-modified" to whatever uname prints for the userland version. Attempting to do more than that, IMO, would have a negative ROI. IMO, Roger Marquis

Re: periodic security run output gives false positives after 1 year

2012-02-20 Thread Roger Marquis
The correct format is "2012-02-20T01:23:45.6789+01:00" You guys are aware that RFC 5424 is a proposed standard I trust? By being "proposed" it is not a standard, at least not yet. Perhaps the differences in human-readability of the proposed timestamp, or the fact that it has variable field typ

Re: periodic security run output gives false positives after 1 year

2012-02-17 Thread Roger Marquis
still my favorite OS in large part because it is not like POSIX' Austin group in those respects. Roger Marquis

Re: periodic security run output gives false positives after 1 year

2012-02-17 Thread Roger Marquis
The current syslog syntax timestamp has been reliable now for what, 25+ years? I don't personally see any measurable ROI from changing it. YMMV of course. It is similar to y2k problem and dates with YY format instead of - it was fine for many years... Is it? If I recall Y2K had more to

Re: periodic security run output gives false positives after 1 year

2012-02-17 Thread Roger Marquis
ftware, some of which is hardcoded and difficult to change without breaking more than it fixes. The current syslog syntax timestamp has been reliable now for what, 25+ years? I don't personally see any measurable ROI from changing it. YMMV of co

Re: periodic security run output gives false positives after 1 year

2012-02-17 Thread Roger Marquis
noptimized aspect of nearly all Unix and Linux default installs but SA's don't have to restrict their systems to those defaults. Roger Marquis

Re: Rooting FreeBSD , Privilege Escalation using Jails

2011-05-11 Thread Roger Marquis
hat I would not be surprised if someone employed by Redhat, Canonical or the FSF was behind paid to astroturf. The tactic may have worked for Gnome, KDE, and a large number of apps but FreeBSD coders are generally more experienced than that. Roger Ma

Re: online checksum verification for FreeBSD

2010-03-11 Thread Roger Marquis
://www.elstel.com/checkroot/) for openSUSE. This is often the only way to spot an intrusion. Unlike SuSE and Solaris, FreeBSD is most often compiled on the local host. Wouldn't that make global checksums relatively useless? Roger Marquis

DNS probe sources

2009-07-30 Thread Roger Marquis
These source addresses are likely spoofed, but am still curious whether other FreeBSD admins saw a preponderance of DNS probes originating from Microsoft corp subnets ahead of the recent ISC bind vulnerability announcement? Roger Marquis Jul 28 16:51:23 PDT named[...]: client 94.245.67.253

Re: ports/128749: [vuxml] VBA parser vulnerability in ClamAV

2008-11-11 Thread Roger Marquis
om a patch, assuming it would be trivial to create such a patch. Roger Marquis

Re: BIND update?

2008-07-09 Thread Roger Marquis
al time for FreeBSD. If we can't keep up, response-time-wise, patch-wise, finance-wise, or otherwise, our OS won't last long. The competition has gotten too good. Question is, OT but very relevant, how can FreeBSD get some decent corporate sponsorship? Roger Marquis

Re: openssldoesn't -overwrite-base again (was: FreeBSD-SA-08:05.openssh)

2008-04-22 Thread Roger Marquis
libraries. Roger Marquis

openssldoesn't -overwrite-base again (was: FreeBSD-SA-08:05.openssh)

2008-04-17 Thread Roger Marquis
ver A) which version of openssl a new port or upgrade (i.e., openssh) will use, and B) how to update systems with openssl-overwrite-base installed. Is there a best practice/recommendation for updating openssl-overwrite-base without having to maintain multiple versions? Roger Marquis Roble Sy

Re: MD5 Collisions...

2007-12-04 Thread Roger Marquis
ry packages and tarballs. At the very least define the specific scenarios under which MD5 can be broken and drop the "its security is in some doubt" claim. Vague statements about crypto are worse than none at all. -- Roger Marquis

Re: I cannot upgrade openssl-stablr

2006-10-13 Thread Roger Marquis
'make *world' cannot parse OPENSSL_OVERWRITE_BASE and requires NO_OPENSSL instead? -- Roger Marquis Roble Systems Consulting http://www.roble.com/

Re: FreeBSD Security Survey

2006-05-23 Thread Roger Marquis
's ports are still the reference implementation, head-and-shoulders better than up2date, yum, rpm, apt-get, or anything else out there. -- Roger Marquis Roble Systems Consulting http://www.roble.com/

Re: Need urgent help regarding security

2005-11-23 Thread Roger Marquis
IDS alerts that's a different problem. -- Roger Marquis Roble Systems Consulting http://www.roble.com/

Re: Need urgent help regarding security

2005-11-22 Thread Roger Marquis
h its own source address. But this does bring up a good point i.e, that no IDS should be operated without a well thought-out whitelist. -- Roger Marquis Roble Systems Consulting http://www.roble.com/

Re: Need urgent help regarding security

2005-11-22 Thread Roger Marquis
protection thanks to the fact that ~3 failed passwords will cause the account to be locked. Bruce Schneier looks at more areas on where security by obscurity works and where it doesn't in the May 2002 CRYPTO-GRAM <http://archives.neohapsis.com/archives/crypto/2002-

Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

2005-10-13 Thread Roger Marquis
test machine around for every arch and OS version under support. -- Roger Marquis Roble Systems Consulting http://www.roble.com/