Re: Retbleed, another speculative execution attack

2022-07-13 Thread Ronald F. Guilmette
In message , grarpamp wrote: >On 7/12/22, mike tancsa wrote: >>> Just wondering how this might impact FreeBSD ? >> >> https://news.ycombinator.com/item?id=32071949 >> >> https://comsec.ethz.ch/research/microarch/retbleed/ > >FreeBSD should keep a wiki table of all these >HW attacks with at lea

Re: Intel CPU CVE Issue: CVE-2022-21166/CVE-2022-21125/CVE-2022-21123

2022-06-17 Thread Ronald F. Guilmette
In message <90e55cbc-a0f7-7220-3759-e05dee2da...@inbox.lv>, John Long wrote: >1st of all, my comment was because of your post but was not directed at >you. Sorry if that was unclear. > >2nd of all, great that they give advice. Not so great that people have >to actually do the work. This costs

TCP Reflection Attacks

2021-08-16 Thread Ronald F. Guilmette
Am I the only one who finds this terrifying? https://twitter.com/DistributedDave/status/1426216380077117441

Re: Old Stuff

2019-07-24 Thread Ronald F. Guilmette
In message Robert Simmons wrote: >I am and am not. Ubuntu has made this choice recently. I doubt I am alone >in my thinking. I fully expected instant pushback on both suggestions. Ubuntu removed telnet and ftp?? Somebody alert the media. Regards, rfg

Re: FreeBSD Security Advisory FreeBSD-SA-19:11.cd_ioctl

2019-07-02 Thread Ronald F. Guilmette
In message <20190703004928.576ca1a...@freefall.freebsd.org>, freebsd-security@freebsd.org wrote: >Topic: Privilege escalation in cd(4) driver >... >devfs.conf(5) and devfs.rules(5) can be used to remove read permissions from >cd(4) devices. Would it be accurate to say that another possi

Re: ZombieLoad Attack: Intel Exploits You... Again!

2019-05-15 Thread Ronald F. Guilmette
In message Fernando Apesteguía wrote: >So, a big applause is in order for the quick response. +1 Thanks to everyone involved who has labored to try to keep us all safe.

Re: SQLite vulnerability

2018-12-17 Thread Ronald F. Guilmette
I just wanted to say that I'm sorry to see there being a somewhat, testy exchange here on this list with regards to the SQLite issue, but at least it gives me an opportunity to crack a rather lame joke that I just made up by accident. I'll be talking with another security professional by phone l

Re: Spectre-NG - Multiple new Intel CPU flaws

2018-05-04 Thread Ronald F. Guilmette
In message <6e279745-bfe5-fad1-a1aa-3b4d0356d...@quip.cz>, Miroslav Lachman <000.f...@quip.cz> wrote: >Spectre and Meltdown was patched in FreeBSD 2 months ago and new >vulnerabilities in CPU are about to come. > >https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws

Re: Response to Meltdown and Spectre

2018-01-31 Thread Ronald F. Guilmette
In message , "Zahrir, Abderrahmane" wrote: >Hi Guys, > >I understand that you have not been notified early enough about the Meltdown >and spectre security {flaws}... Apparently, it wasn't just the FreeBSD security crew that was inappropriately kept in the dark about this gaggle of hardware secu

Re: Re "Intel responds to security research findings"

2018-01-07 Thread Ronald F. Guilmette
In message <8ad62a54-cfc4-6d97-4045-303e6ee78...@erdgeist.org>, Dirk Engling wrote: >On 03.01.18 22:14, Ed Maste wrote: > >> The FreeBSD Security Team recently learned of the details of these >> issues that affect certain CPUs. > >Can you say, at what day you were informed? Yes. What did the

Re: Intel hardware bug

2018-01-05 Thread Ronald F. Guilmette
In message , Andrew Duane wrote: >I wouldn't think Javascript would have the accurate timing required to leverage >this attack, but I don't really know enough about the language. This brings up something I have been wondering about, although my guess is that much greater minds than mine have

Re: Intel hardware bug

2018-01-05 Thread Ronald F. Guilmette
In message <736a2b77-d4a0-b03f-8a6b-6a717f574...@metricspace.net>, Eric McCorkle wrote: >The attack looks like this: > >1) Fetch kernel/other process memory, which eventually faults >2) Do a bit-shift/mask operation to pluck out one bit of the fetched >value. This gets executed speculatively o

Re: Intel hardware bug

2018-01-03 Thread Ronald F. Guilmette
In message <0bb7ffc6-fa51-98db-9dc1-1bd49e1c7...@metricspace.net>, Eric McCorkle wrote: >Given enough skill, resources, and motivation, it's likely that an >attacker could craft a javascript-based version of the attack, then >every javascript website (aka all of them) is a potential attack vect

Re: Intel hardware bug

2018-01-03 Thread Ronald F. Guilmette
In message <2347560.AJVtGcUuTT@elisha.atlnet>, Joey Kelly wrote: >... >No, I mean their lame excuses, dances around the truth, claiming many other >platforms AND OPERATING SYSTEMS do it too. 'Tain't so. This is hardware, INTEL >hardware, and not an OS problem... While it is clearly true, eve

Re: Intel hardware bug

2018-01-03 Thread Ronald F. Guilmette
In message <02563ce4-437c-ab96-54bb-a8b591900...@freebsd.org>, Eric van Gyzen wrote: >Wait until Tuesday before you explode. Intel are now saying that it's >not a "bug" in Intel CPUs. Right. "That's not a bug! That's a feature!" I say again: Shshhh! Just within the last three

Re: Intel hardware bug

2018-01-03 Thread Ronald F. Guilmette
In message <477ab39d-286d-d9a2-d31e-fd5f7f167...@sentex.net>, Mike Tancsa wrote: >I am guessing this will impact FreeBSD as well ? > >http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/ Swell. Just swell. Why couldn't this have been announced the week -before- I bought an Intel pr

Re: WPA2 bugz - One Man's Quick & Dirty Response

2017-10-17 Thread Ronald F. Guilmette
In message <49252eda-3d48-f7bc-95e7-db716db4e...@whitewinterwolf.com>, "WhiteWinterWolf (Simon)" wrote: >Ideally, you would use a specific protection for each of these layers, >so that a vulnerability affecting one layer would be compensated by >other layers. A good point. Right about now,

Re: WPA2 bugz - One Man's Quick & Dirty Response

2017-10-16 Thread Ronald F. Guilmette
In message , Karl Denninger wrote: >Please understand that if you can get an AP to hand you a zero'd key >(with an intentionally "weak" client) THEN THAT PERSON JUST BECAME ABLE >TO ATTACH TO YOUR NETWORK AS AN AUTHORIZED USER. > >Your network is thus exactly as "secure" as one that has an open

Re: WPA2 bugz - One Man's Quick & Dirty Response

2017-10-16 Thread Ronald F. Guilmette
In message <20171016230525.ga94...@funkthat.com>, John-Mark Gurney wrote: >> In light of the recent WPA2 disclosures, it has occurred to me that >> as of today it may be a Bad Idea for me to be exporting all of this >> stuff, read/write, to all of 192.168.1.0/24. > >Doesn't matter, if your netwo

WPA2 bugz - One Man's Quick & Dirty Response

2017-10-16 Thread Ronald F. Guilmette
Just like everybody else on this list, I guess, I'm rather less than happy about the WPA2 story that has emerged within the past 24 hours. Due to the announcement that WPA2 is, apparently, badly broken, I'm trying now to figure out how to lock down my home network a little better... as, I suspect

Re: Two Dumb Questions

2016-09-26 Thread Ronald F. Guilmette
Thanks to everybody who replied, and sorry for being s off topic. In message <74ed7019-cb87-c55a-fb6d-1c016bf04...@freebsd.org>, Matthew Seaman wrote: >> https://www.wired.com/2010/03/packet-forensics/ >>... >The article doesn't make it entirely clear, but they are talking about >encr

Two Dumb Questions

2016-09-25 Thread Ronald F. Guilmette
Sorry folks. I'm almost entirely ignorant about everything crypto, and these questions would probably be better asked elsewhere, but you all on this list are nicer than folks elsewhere, and probably will have the kindness not to poke too much fun at my ignorance. So, here goes... First question:

ftpd leaks info which might be useful to an attacker

2016-09-13 Thread Ronald F. Guilmette
I've been moving all of my stuff over to a shiny new VM that I've purchased, and in the process I am having to revisit various configuration decisions I made 10 years ago or more. One set of such decisions has to do with the following files: ~ftp/etc/group ~ftp/etc/pwd.db Thinking about

Disinfecting attachments (?)

2016-09-10 Thread Ronald F. Guilmette
Maybe an ignorant question, but hopefully not an outright stupid one... The story: As I was interacting with my new VM provider, there was a problem. And I had to send the provider a captured screenshot of the browser window where something had gone ugly wrong. I managed to get the screenshot a

Re: Stuff I don't understand, and maybe never will.

2016-06-30 Thread Ronald F. Guilmette
In message <20160630203013.1038690d@max-BSD>, maxnix wrote: >And, talking about Windows, this document came in mind: >https://www.over-yonder.net/~fullermd/rants/winstupid/1 This is excellent! Thanks for sharing! >I hope that, in a world where telecommunication devices are more and >more perv

Stuff I don't understand, and maybe never will.

2016-06-28 Thread Ronald F. Guilmette
Please forgive the following outburst/rant. Sometimes, I just see something that makes me want to scream "I can't take it anymore!" I've just seen a link to the following in my twitter feed: http://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html Short

Re: Logging TCP anomalies

2015-04-27 Thread Ronald F. Guilmette
In message , Charles Swiger wrote: >On Apr 27, 2015, at 3:12 PM, Ronald F. Guilmette >wrote: >> As I understand it, (verbatim) duplicate packets can sometimes arrive at >> an endpoint due simply to network anomalies. However as I understand it, >> those will typicall

Re: Logging TCP anomalies

2015-04-27 Thread Ronald F. Guilmette
In message , Charles Swiger wrote: >On Apr 27, 2015, at 11:37 AM, Ronald F. Guilmette wrote: ... >> and/or whether FreeBSD provides any options which, >> for example, might automagically trigger a close of the relevant TCP >> connection when and if such an event i

Re: Logging TCP anomalies

2015-04-27 Thread Ronald F. Guilmette
In message <44a8xte4i0@lowell-desk.lan>, Lowell Gilbert wrote: >"Ronald F. Guilmette" writes: > >> I am prompted to ask here whether or not FreeBSD performs any sort of >> logging of instances when "duplicate TCP packets but with different >

Logging TCP anomalies

2015-04-27 Thread Ronald F. Guilmette
I just now read the following TheRegister news article about detection of "Quantum Insert" funny business: http://www.theregister.co.uk/2015/04/23/detecting_nsa_style_hacking_tool_unsheathed/ I am prompted to ask here whether or not FreeBSD performs any sort of logging of instances when "duplica

Re: has my 10.1-RELEASE system been compromised

2015-02-25 Thread Ronald F. Guilmette
Note: 95.215.44.195 == rkcheck.org The web site certainly smells like a total scam... no indication whatsoever of who might be behind this allegedly helpful project. But they'd like me to just trust them and download their checker tool. Yea. Right. No thanks. But I give them an `E' for effor

Re: NEVERMIND!

2014-05-27 Thread Ronald F. Guilmette
In message <201405271120.s4rbkihp096...@catnip.dyslexicfish.net>, Jamie Landeg-Jones wrote: >I've not actually used it, but I notice this in ports: > >/usr/ports/sysutils/socklog: > > | svlogd has a built in log file rotation based on file size, so there is no > | need for any cron jobs or simi

Re: NEVERMIND!

2014-05-27 Thread Ronald F. Guilmette
In message <867g57bq9o@nine.des.no>, Dag-Erling Smørgrav wrote: >"Ronald F. Guilmette" writes: >> So should I file a PR on this, or what? > >*shrug* > >I think this falls under the same heading as a fork bomb - Ah! But unlike unl

Re: NEVERMIND!

2014-05-26 Thread Ronald F. Guilmette
In message <20140527004708.u5...@sola.nimnet.asn.au>, Ian Smith wrote: >... might syslog trigger adhoc rotations by >newsyslog - of a particular log, not all - after learning how to measure >'stress', perhaps by rates of delta filesize, diskspace consumption etc? (Not that anyone has any rea

Re: NEVERMIND!

2014-05-26 Thread Ronald F. Guilmette
In message <86r43gr5nb@nine.des.no>, Dag-Erling Smørgrav wrote: >"Ronald F. Guilmette" writes: >> I forgot that newsyslog(8) should limit the size of /var/log/messages, >and >> that as long as you limit the size of that to a reasnable

NEVERMIND! (was: Local Denial of Service: logger(1))

2014-05-25 Thread Ronald F. Guilmette
In message <2091.1401074...@server1.tristatelogic.com>, I wrote: >== >#!/bin/sh > >while (1) >dd if=/dev/random bs=15 count=1 | od -c | xargs logger >end >==

Local Denial of Service: logger(1)

2014-05-25 Thread Ronald F. Guilmette
I can't have been the first person to have thought of this... can I? == #!/bin/sh while (1) dd if=/dev/random bs=15 count=1 | od -c | xargs logger end =

Re: Ruxcon 2014 Call For Papers Ruxcon 2014 Call For Papers Ruxcon 2014 Call For Papers Ruxcon 2014 Call For Papers Ruxcon 2014 Call For Papers Ruxcon 2014 Call For Papers Ruxcon 2014 Call For Papers

2014-05-05 Thread Ronald F. Guilmette
In message <20140505101703.c38bee...@ruxcon.org.au>, c...@ruxcon.org.au wrote: >Ruxcon 2014 Call For Presentations >Melbourne, Australia, October 11th-12th >http://www.ruxcon.org.au >... I think I'll submit a paper on the proper use of e-mail headers... :-) Subject: Ruxcon 2014 Call For Papers

Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp

2014-05-02 Thread Ronald F. Guilmette
In message , "David DeSimone" wrote: >Are you perhaps confusing IP Fragment Reassembly with the similar but >unrelated TCP Segment Reassembly? That's entirely possible. I have near zero experience with or understanding of either of these types of packet fragmentation. >My understanding is tha

Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp

2014-05-01 Thread Ronald F. Guilmette
In message <53629582.9010...@delphij.net>, Xin Li wrote: >On 05/01/14 07:19, Karl Pielorz wrote: >> >> >> --On 30 April 2014 04:35:10 + FreeBSD Security Advisories >> wrote: >> >>> II. Problem Description >>> >>> FreeBSD may add a reassemble queue entry on the stack into the >>> segmen

Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

2014-04-25 Thread Ronald F. Guilmette
In message Ben Laurie wrote: >But that would then hide the error condition of it being not set to a >new value after initialisation. The (modified/quieted) code example under discussion is as follows: variable = value0; /* initialization */ if (condition) variable = value1;

Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

2014-04-25 Thread Ronald F. Guilmette
In message <20140424000744.ge15...@in-addr.com>, Gary Palmer wrote: >Compiler warnings and static code analysis are a small part of a secure >programming mentality/methodology, and in and of themselves are fairly >useless. I doubt either would have caught Heartbleed. I just wanted to say that

Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

2014-04-25 Thread Ronald F. Guilmette
In message <86zjj9mivi@nine.des.no>, Dag-Erling Smørgrav wrote: >Ben Laurie writes: >> Dag-Erling Smørgrav writes: >> > https://en.wikipedia.org/wiki/Halting_problem >> Curious what the halting problem can tell us about finding/fixing bugs? > >Some participants in th

Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

2014-04-24 Thread Ronald F. Guilmette
In message , Erik Cederstrand wrote: >As others have pointed out, 'too hard' can also mean 'too hard' to get >someone with commit access to actually commit the patch and accept the >risk of introducing new bugs. Case in point: I contributed this >one-liner patch for ZFS found by Clang Analyz

Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

2014-04-24 Thread Ronald F. Guilmette
In message <546ce3a8-fc87-472f-8a63-0497d0d28...@cederstrand.dk>, Erik Cederstrand wrote: >I don't disagree with you, but rewriting 1000 if-else cases in single-threaded >userland programs just so the analyzer understands them is 1) tedious and 2) >bound to accidentally introduce at least 50 n

Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

2014-04-24 Thread Ronald F. Guilmette
In message <50ca7e78-bb5e-4872-a272-b7374627e...@cederstrand.dk>, Erik Cederstrand wrote: >Have a look at the ~10.000 reports at >http://scan.freebsd.your.org/freebsd-head/ Whatever that is supposed to be, or to show, it appears to be down at the moment. :-( Regards, rfg

Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

2014-04-24 Thread Ronald F. Guilmette
In message <50ca7e78-bb5e-4872-a272-b7374627e...@cederstrand.dk>, Erik Cederstrand wrote: >Silly things are reported like missing return at the end of main() In the post that you are replying to, I took issue with two prior assertions made by Mark Andrews, specifically (1) that some clang stat

Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

2014-04-24 Thread Ronald F. Guilmette
In message Ben Laurie wrote: >So where are your patches to fix these issues? Moi? Sorry. I'm confused. Was there something (anything) in or amongst the comments I made that could have been construed or interpreted to indicate that I personally was able to devote time to bugfixing on these s

Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

2014-04-22 Thread Ronald F. Guilmette
In message <20140423010054.2891e143d...@rock.dv.isc.org>, Mark Andrews wrote: >As for the number of CLANG analysis warnings. Clang has false >positives Please define your terms. I do imagine that the truth or falsehood of your assertion may depend quite substantially on what one does or does

Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

2014-04-22 Thread Ronald F. Guilmette
In message , Charles Swiger wrote: >On Apr 21, 2014, at 6:38 PM, Ronald F. Guilmette wrote: >> In the aftermath of this whole OpenSSL brouhaha... which none other than >> Bruce Schneier publicly pronounced to be a 12, on a scale from 1 to 10, >> in terms of awf

Re: freebsd-security Digest, Vol 484, Issue 2

2014-04-22 Thread Ronald F. Guilmette
In message <1398169014.53411.yahoomail...@web28902.mail.ir2.yahoo.com>, Alfred Hegemeier wrote: >What a load of nonsense here: no, I don't think we should further extend the >boundaries of mathematical logic in order to avoid such bugs, and I don't >think we should now change our programmin

Re: De Raadt + FBSD + OpenSSH + hole?

2014-04-22 Thread Ronald F. Guilmette
In message <5355d9f7.2010...@quietfountain.com>, "hcoin" wrote: >Perhaps we should consider adding a variable attribute like 'secure' >much like 'volatile' was added, to cause the compiler to generate code >wiping such variables when they go out of scope, force initialize them >to a known bi

Re: De Raadt + FBSD + OpenSSH + hole?

2014-04-21 Thread Ronald F. Guilmette
In message <53558f1e.1010...@quietfountain.com>, "hcoin" wrote: > >On 04/21/2014 03:39 PM, Ronald F. Guilmette wrote: >> >> In message <53546795.9050...@quietfountain.com>, >> "hcoin" wrote: >> >>> ... It is for the c

Re: De Raadt + FBSD + OpenSSH + hole?

2014-04-21 Thread Ronald F. Guilmette
In message , Christian Kratzer wrote: >On Mon, 21 Apr 2014, Ronald F. Guilmette wrote: >> >> In message <53546795.9050...@quietfountain.com>, >> "hcoin" wrote: >> >>> ... It is for the community to decide whether it is 'worth it'

Re: De Raadt + FBSD + OpenSSH + hole?

2014-04-21 Thread Ronald F. Guilmette
In message <53546795.9050...@quietfountain.com>, "hcoin" wrote: >... It is for the community to decide whether it is 'worth it' >on a case by case basis given there is no way to prove a program >'correct' from a security perspective. I guess that I was sick that day in software school. Did

Re: Heartbleed, a few naive questions

2014-04-10 Thread Ronald F. Guilmette
In message <867g6x5u2r@nine.des.no>, Dag-Erling Smørgrav wrote: >"Ronald F. Guilmette" writes: >> Xin Li writes: >> > For this bug, doing calloc() makes no difference. >> I would very much like to know how you reached that conclu

Re: Heartbleed, a few naive questions

2014-04-10 Thread Ronald F. Guilmette
In message <53463a2e.90...@delphij.net>, Xin Li wrote: >On 4/9/14, 10:28 PM, Ronald F. Guilmette wrote: >> 1) Why does OpenSSL even contain a function called >> "OPENSSL_malloc"? Does anyone other than me think that it might >> perhaps have been a bet

Heartbleed, a few naive questions

2014-04-09 Thread Ronald F. Guilmette
My apologies if the following few naive questions are out of place or off topic here. I do suppose that there might perhaps be other places where such questions might perhaps be better put, but many/most/all of those other places appear to be filled, at present, with discussions and comments which

linux-f10-openssl

2014-04-09 Thread Ronald F. Guilmette
Does this port (linux-f10-openssl) also need to be rebuilt/reinstalled?

Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl

2014-04-09 Thread Ronald F. Guilmette
In message <20140409084809.ga2...@lena.kiev>, l...@lena.kiev.ua wrote: >Port mail/sendmail-sasl (sendmail+tls+sasl2-8.14.8) depends on the >openssl port. You need to upgrade the security/openssl port to >openssl-1.0.1_10 and restart sendmail. I am running 9.1-RELEASE and Apache _without_ any su

Re: NTP security hole CVE-2013-5211?

2014-03-21 Thread Ronald F. Guilmette
In message <532cc8cf.4030...@elischer.org>, Julian Elischer wrote: >>> 50.116.38.157 >>> 69.50.219.51 >>> 69.55.54.17 >>> 69.167.160.102 >>> 108.61.73.244 >>> 129.250.35.251 >>> 149.20.68.17 >>> 169.229.70.183 >>> 192.241.167.38 >>> 199.7.177.206 >>> 209.114.111.1 >>> 209.118.204.201 > >You can

Re: NTP security hole CVE-2013-5211?

2014-03-21 Thread Ronald F. Guilmette
In message <8f3083f1-3a20-4fec-9969-f9968d875...@freebsd.org>, Remko Lodder wrote: >Rest assured that you are already doing a great step in at >least filtering your machines and as you demonstrate you are active on >the internet to get the information you need to do it properly. Well, one trie

Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)

2014-03-21 Thread Ronald F. Guilmette
In message <20140322000445.c31...@sola.nimnet.asn.au>, Ian Smith wrote: >As assorted experts have suggested, you need a stateful rule. It's >really not that hard; if you _only_ needed to protect ntp on udp: > > kldload ipfw && add 65000 allow ip from any to any# load null fw > ipfw add al

Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)

2014-03-21 Thread Ronald F. Guilmette
In message <20140321122701.ac6d411a9...@rock.dv.isc.org>, Mark Andrews wrote: >In message <45158.1395348...@server1.tristatelogic.com>, "Ronald F. Guilmette" >writes: >> I'm no expert, but I'll go out on a limb here anyway and say that the choic

Re: NTP security hole CVE-2013-5211?

2014-03-21 Thread Ronald F. Guilmette
In message , Remko Lodder wrote: >Reading the mails from this thread leads me to believe that there is no >stateful firewall concept in place? I am not the poster to whom you were responding (i...@rit.lt), however speaking only for myself I will confess that yes, in my case at least, although

Re: NTP security hole CVE-2013-5211?

2014-03-20 Thread Ronald F. Guilmette
In message <742a1a10-15bf-433a-8693-ca2dd1de0...@mac.com>, Charles Swiger wrote: >If you don't want to provide NTP service to the outside world, leave your >existing >deny rule in place but add permit rules to allow UDP traffic to and from the >NTP servers which you want to sync time from. I

URGENT? (was: Re: NTP security hole CVE-2013-5211?)

2014-03-20 Thread Ronald F. Guilmette
In message <201403202028.oaa01...@mail.lariat.net>, Brett Glass wrote: >... >And the need to do so is becoming more urgent. Just over the past 24 hours, >I am seeing attempted attacks on our servers in which the forged packets >have source port 123. Obviously, they're counting on users having "

Re: NTP security hole CVE-2013-5211?

2014-03-20 Thread Ronald F. Guilmette
In message <742a1a10-15bf-433a-8693-ca2dd1de0...@mac.com>, Charles Swiger wrote: >> Of course, if this *is* messed up, then I guess that I'll have to remove >> my firewall rule, and diddle my /etc/ntp.conf file at the same time, in >> order to make sure that the Evil Ones don't come back and us

Re: NTP security hole CVE-2013-5211?

2014-03-20 Thread Ronald F. Guilmette
In message <201403201719.laa29...@mail.lariat.net>, Brett Glass wrote: >At 09:56 PM 3/17/2014, Ronald F. Guilmette wrote: > >>(It was explained to me at the time that NTP operates a bit like DNS... >>with which I am more familiar... i.e. that all outbound requests orig

Re: NTP security hole CVE-2013-5211?

2014-03-17 Thread Ronald F. Guilmette
In message <5323c244.8050...@freebsd.org>, Julian Elischer wrote: >the best solution is to add a firewall stateful rule so that the ONLY >port 123 udp packet that gets in is one that is a response to one you >sent out first. Point of order Mr. Chairman... Two or three weeks ago, I woke up on