Re: Security leak: Public disclosure of user data without their consent by installing software via pkg

2021-04-08 Thread Chris BeHanna
their responses to you. Gordon in particular wrote that it is NOT acceptable; however, rather than smash down the port's maintainer with the Security Officer sledgehammer, he preferred to give the maintainer some time to address the problem. -- Chris BeHanna ch...@behanna.org

Querying entropy state

2018-05-15 Thread Chris Rees
entropy is always at an acceptable state; the author has suggested disabling this test on FreeBSD. Am I correct that there is no point in checking for entropy any more, and the entropy is unmeasurable? Chris

Re: Intel hardware bug

2018-01-05 Thread Chris H
affected processors? As it stands, they should be practically giving them away. How is it that the burden lies on the OS vendors, and not the manufacturers?! --Chris ___ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listin

Re: Stuff I don't understand, and maybe never will.

2016-06-30 Thread Chris BeHanna
nor should we, nor do we hold the FreeBSD Foundation liable if someone uses FreeBSD to craft a worm or virus, or to commit some other cybercrime. -- Chris BeHanna ch...@behanna.org

Re: Enumerating glibc dependencies

2015-02-02 Thread Chris Nehren
valent (single) command for pkgng? Hey Roger, You'll want `pkg info -r` for this--and note that glib is not glibc! -- Chris Nehren

Re: ntpd vulnerabilities

2014-12-22 Thread Chris Nehren
t version. If you want fast security updates, use ports. Or hire developers to patch software for you. -- Chris Nehren

Re: FreeBSD Security Advisory FreeBSD-SA-14:30.unbound

2014-12-18 Thread chris
This is weird as I now get a thing that "Directory's required to be removed ..." and that directory is "/" will this be fixed as this is kinda scary seeing "Directory couldn't be removed "rmdir /" or something it showed. On Thu, 18 Dec 2014 10:13:07 -0600 zko...@sbb.rs wrote > Th

Re: bash vulnerability

2014-09-25 Thread Chris Nehren
Sandbox each > application into its own user. And its own jail. Jails with ZFS are dirt cheap. -- Chris Nehren

Re: Ports tree insecure because of IGNOREFILES+IGNORE

2014-06-22 Thread Chris Nehren
ler things to cause a problem. The Project doesn't have the resources to audit every single distfile's code. If you're that paranoid, you're welcome to do so yourself. -- Chris Nehren

Re: FreeBSD Security Advisory FreeBSD-SA-14:11.sendmail

2014-06-03 Thread Chris
http://security.FreeBSD.org/patches/SA-14:11/sendmail.patch does not exist. Chris On 6/3/2014 2:34 PM, FreeBSD Security Advisories wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 = FreeBSD-SA-14:11.sendmail

Re: Heartbleed / r264266 / openssl version

2014-04-08 Thread Chris Nehren
oth ~] I can't say this is very useful. Is this only supposed to work for -RELEASE? -- Chris Nehren

FreeBSD's heartbleed response

2014-04-08 Thread Chris Nehren
ixes out more quickly? I and others have hardware and time we'd be glad to donate if it would help resolve these sorts of critical issues more quickly. I'm sorry if I sound impatient. I want to help, but don't know how, so I'm asking here. -- Chris Nehren

Re: FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver

2013-04-30 Thread Chris Rees
atement applies. I agreed with Glen, but when checking the docs it turns out that they say that freebsd-update will detect a kernel in /boot/GENERIC: http://www.freebsd.org/doc/handbook/updating-upgrading-freebsdupdate.html Are the docs wrong, or is this only in new freebsd-update? Chris ___

Re: FreeBSD DDoS protection

2013-02-10 Thread Chris Boyd
break, etc. It makes troubleshooting using traceroute not work. If you don't want to get pinged, then drop echo request/reply. But those are really pretty harmless. --Chris

Re: Recent security announcement and csup/cvsup?

2012-11-18 Thread Chris Rees
On 18 November 2012 18:17, Gary Palmer wrote: > On Sat, Nov 17, 2012 at 03:14:00PM +0000, Chris Rees wrote: >> On 17 Nov 2012 15:06, "Gary Palmer" wrote: >> > >> > Hi, >> > >> > Can someone explain why the cvsup/csup infrastructure is cons

Re: Recent security announcement and csup/cvsup?

2012-11-17 Thread Chris Rees
ng csup/cvsup to wipe and reinstall > their boxes. Unfortunately the wipe option is not possible for me right > now and my backups do go back to before the 19th of September Checks are being made, but CVS makes it slow work. It's incredibly unlikely that there will be a problem, but the

Re: getting the running patch level

2012-08-10 Thread Chris BeHanna
s > making it hard to solve. It should be solved so people can get this > information, personally I just haven't had the time to work on it. Split off a version.ko and update that with each patch? -- Chris BeHanna chris@behanna.org

Re: Replacing BIND with unbound

2012-07-09 Thread Chris Rees
> > > Highly disagree; we use it (ISP) as our resolving nameserver for all of our > customers. As Doug has pointed out, you can always get BIND from a port; not every installation requires a heavyweight resolver. Chris

Re: (Free 7.2) "su -l" didn't prompt password. Is it possible?

2012-06-18 Thread Chris Rees
ystem even with empty password should print "Password:"..and that time it was nothing absolutely. Empty password behaviour is for no prompt, so what you are seeing is normal, and means that you did indeed have an empty password. Check your logs very carefully over the pas

Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

2011-10-01 Thread Chris Rees
is. > Generally users are expected to pay attention to what is updated-- I know this isn't always the easiest task, but blindly following instructions is not something that is generally advocated in FreeBSD. Chris

Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

2011-05-11 Thread Chris Rees
that this should be enforced in kernel, in the jail(8) > command nor anywhere else. UNIX rm(1) is not opening a pop-up window > asking "are you sure?" if you do "rm -rf /". I suggest you test this assertion Chris

Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

2011-05-10 Thread Chris Rees
say /usr > > even though it was apparently 0755 > > I remember that happening! I thought it was like that on FreeBSD too, > but if it was, it isn't any longer! > > I always make mount-points 0111 these days > Why not ? What sense does having -r+x make? Chris

Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

2011-05-09 Thread Chris Rees
2011/5/9 Dag-Erling Smørgrav : > Jason Hellenthal writes: >> Chris Rees writes: >> > I've updated the docs patches (links at [1]), though unfortunately it >> > means it's a little less elegant; I'm reluctant to suggest >> > >> > # ch

Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

2011-05-08 Thread Chris Rees
On 7 May 2011 23:31, Jamie Landeg Jones wrote: >> All the same, I've sent a PR [1] with some doc patches to make people >> more aware of this -- fulfilling my promise of 2+ years ago :S >> >> Thanks! >> >> Chris >> >> [1] http://www.freebsd

Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

2011-05-08 Thread Chris Rees
s to make people >> >> more aware of this -- fulfilling my promise of 2+ years ago :S >> >> >> >> Thanks! >> >> >> >> Chris >> >> >> >> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 >> > >> > Um. Some

Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

2011-05-06 Thread Chris Rees
R [1] with some doc patches to make people more aware of this -- fulfilling my promise of 2+ years ago :S Thanks! Chris [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853

Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

2011-05-06 Thread Chris Rees
On 6 May 2011 17:18, "Mark Felder" wrote: > > On Fri, 06 May 2011 10:13:50 -0500, Daniel Jacobsson < daniel.jacobsson...@gmail.com> wrote: > >> Can someone confirm if this bug/exploit works? > > > It's really not a bug or exploit... it's just the guy being crafty. It only makes sense: the jails a

Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

2011-05-06 Thread Chris Rees
s. Oops, looks like I broke my promise to make a doc entry... Thanks for reminding me! Chris

Re: kernel module for chmod restrictions while in securelevel one or higher

2010-07-31 Thread Chris Walker
's > useless, makes the system unstable and gives a false sense of security. > > Bryan > > On 7/31/2010 10:39 AM, Chris Walker wrote: >> Hi list >> >> #1 Not same exploit referenced in URL. >> #2 Not same bug, although you had the function right, s

Re: kernel module for chmod restrictions while in securelevel one or higher

2010-07-31 Thread Chris Walker
Hi list #1 Not same exploit referenced in URL. #2 Not same bug, although you had the function right, sort of. #3 That kernel module is useless: The exploit in the wild has already changed to bypass such restriction. #4 The bug is already patched, upgrade your kernel. #5 If you intend on introduci

Re: PHK's MD5 might not be slow enough anymore

2010-02-03 Thread Chris Palmer
Dag-Erling Smørgrav writes: > option to store their keys unencrypted, and there is nothing you can do on > the server side do to prevent them? That's even *less* secure than > passwords. Less secure in certain, but not all, attack scenarios. An attacker with code running on the client (i.e. an

Re: PHK's MD5 might not be slow enough anymore

2010-01-28 Thread Chris Palmer
For backwards compatibility, which do people prefer: Creating a new $N$ prefix every time we re-tune the algorithm, or using a new notation to say how many times this password was hashed? For example: $1.1000$, $1.10$, etc.? I prefer the latter. It can work with Blowfish, too, and anything el

Re: PHK's MD5 might not be slow enough anymore

2010-01-28 Thread Chris Palmer
Xin LI writes: > The slowness was useful at the time when the code was written, but I don't > think it would buy us as much nowadays, expect the slowness be halved from > time to time, not to mention the use of distributed techniques to > accelerate the build of dictionaries. The goal is to make

Re: PHK's MD5 might not be slow enough anymore

2010-01-28 Thread Chris Palmer
Bill Moran writes: > I'm sure someone will correct me if I'm wrong, but you can't do this > without establishing this as an entirely new algorithm. The hashes > generated after your patch will not be compatible with existing password > files, thus anyone who applies this will be unable to log in.

PHK's MD5 might not be slow enough anymore

2010-01-28 Thread Chris Palmer
See your copy of /usr/src/lib/libcrypt/crypt-md5.c: /* * and now, just to make sure things don't run too fast * On a 60 Mhz Pentium this takes 34 msec, so you would * need 30 seconds to build a 1000 entry dictionary... */ for(i = 0; i < 1000; i++

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-11 Thread Chris Palmer
Maxim Dounin writes: > While talking about "often" - do you have any stats? Anyway, this is > quite a different from "all client cert-powered apps" you stated in your > previous message. IIS defaults to renegotiation when doing client cert auth, and Apache certainly can (possibly must? I don't

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-10 Thread Chris Palmer
Maxim Dounin writes: > It's not true. Patch (as well as OpenSSL 0.9.8l) breaks only apps that do > not request client certs in initial handshake, but instead do it via > renegotiation. It's not really commonly used feature. The ideal case is not the typical case: http://extendedsubset.com/Rene

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-10 Thread Chris Palmer
Dag-Erling Smørgrav writes: > Do you use client-side certificates? This is probably the original poster's problem. FreeBSD Security Advisory FreeBSD-SA-09:15.ssl made clear that the patch fixes the protocol bug by removing the broken feature (session renegotiation), but stated incorrectly that s

Re: GPU crypto acceleration?

2009-10-09 Thread Chris Palmer
On Oct 9, 2009, at 8:57 PM, remodeler wrote: I'm wondering if there's any core functionality or third-party utilities to off-load cryptographic processing to the GPU or audio chip, instead of using a hardware acceleration expansion card? This is on amd64 build. Check out the Nvidia Tesla,

Re: openssh concerns

2009-10-05 Thread Chris Palmer
Doug Barton writes: > > However, I'm concerned about the suggestion of using an unprivileged > > port > > Please explain your reasoning, and how it's relevant in a world where the > vast majority of Internet users have complete administrative control over > the systems they use. Shared shell ser

Re: FreeBSD bug grants local root access (FreeBSD 6.x)

2009-09-16 Thread Chris Rees
2009/9/16 Xin LI : > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Chris Palmer wrote: >> utis...@googlemail.com writes: >> >>> It appears to only affect 6.x and requires local access. If an >>> attacker has local access to a machine you

Re: FreeBSD bug grants local root access (FreeBSD 6.x)

2009-09-15 Thread Chris Palmer
should *not* be a "you're screwed anyway" scenario. The fundamental security guarantee of a modern operating system is that different principals cannot affect each other's resources (user chris cannot read or write user jane's email -- let alone root's email). This bu

Re: Protecting against kernel NULL-pointer derefs

2009-09-15 Thread Chris Palmer
Pieter's approach to the problem seems reasonable. If it provides some safety without breaking any/too many applications, why not adopt it? I wonder how many of these kinds of issues could also be caught with unit tests/regression tests. See also: the CanSecWest 2009 FreeBSD bugs by Christer Oberg

Re: OPIE considered insecure

2009-03-02 Thread Chris Palmer
Michael Ekstrand writes: > Simple use case: checking e-mail from the library/Internet > cafe/relative's house. With Mutt or Gnus. So we're talking about a case in which we don't want attackers who own the untrustworthy client to know our password, but we are okay with them reading and forging th

Re: OPIE considered insecure

2009-03-01 Thread Chris Palmer
Rich Healey writes: > I'm thinking about implementing OPIE, but after reading this I'm not so > sure. What's consensus on the best approach to one time logins? Why are people logging into their remote servers from assumed-untrustworthy clients at all?

Re: Thoughts on jail privilege (FAQ submission)

2009-01-17 Thread Chris Rees
-- Forwarded message -- From: Chris Rees Date: 2009/1/17 Subject: Re: Thoughts on jail privilege (FAQ submission) To: Jan Demter 2009/1/17 Jan Demter : > On 15.01.2009 at 19:31, Jon Passki wrote: > >> Another thing to think about is user IDs. You could have a u

Thoughts on jail privilege (FAQ submission)

2009-01-15 Thread Chris Rees
f a jail? Regards Chris -- R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. > (sendmail.cf)

Incorrect (?) documentation for setreuid(2) could lead to security issues for user code

2009-01-08 Thread Chris Palmer
According to section 6.4.1 of "Setuid Demystified": http://www.cs.ucdavis.edu/~hchen/paper/usenix02.html FreeBSD 4.4's setreuid(2) man page is wrong. The man page for FBSD 7 says the same thing. Is it still wrong, or was the implementation changed to match the documentation? This person noticed

Re: A new kind of security needed

2008-08-02 Thread Chris Palmer
On Jul 28, 2008, at 7:36 PM, Tim Clewlow wrote: I'd like to offer a possible solution that I believe can be both secure and usable. This will use the AID concept outlined above. What is an AID, and where does it come from? Is it a sequential uid_t assigned at install-time, is it the SHA-256

Re: A new kind of security needed

2008-08-02 Thread Chris Palmer
On Jul 28, 2008, at 12:28 PM, Matt Reimer wrote: My idea was to basically have a secure file picker that grants the app (e.g. Firefox) access to the file, in a way that would be transparent to the user. For example, when Firefox wants to save a PDF it displays the file picker as usual and the fi

Re: A new kind of security needed

2008-07-26 Thread Chris Palmer
On Jul 24, 2008, at 4:20 PM, Matthew Dillon wrote: I think the best way to approach the problem is to work out the desired userland API first... find the easiest and most convenient way to wrap an application, what kind of features are desired, etc, and then implement it. I thi

Re: A new kind of security needed

2008-07-16 Thread Chris Palmer
Matt Reimer wrote: Is anyone else nervous trusting all his programs to have access to all his files? Is there already a reasonable solution to this problem? http://www.cis.upenn.edu/~KeyKOS/Confinement.html http://cr.yp.to/qmail/qmailsec-20071101.pdf Also: CapDesk, Bitfrost, systrace, EROS/C

Re: BIND update?

2008-07-09 Thread Chris Palmer
Jason Stone wrote: So you say, "But I don't send important information over that connection, nor do I trust the information I get back?" Maybe. I think that the AOL data leak fiasco proved that, while people don't generally think of search queries as sensitive, they really kind of are. And

Re: BIND update?

2008-07-09 Thread Chris Palmer
Mark Boolootian writes: > Everyone that uses the Internet depends on the security of DNS. That's too bad, because DNS never made any security guarantees. When you ask to resolve www.google.com, the answer does not mean "www.google.com is on the network at 74.125.19.104." It means "As far as we ca

Re: BIND update?

2008-07-09 Thread Chris Palmer
Wesley Shields writes: > > Malware authors create exploits based on information they gleaned by > > reverse > > (legitimate businesses). I'm also not sure how this applies since the > project is open source - the fix is published at the time of the patch, My implicit (sorry about that) point wa

Re: BIND update?

2008-07-09 Thread Chris Palmer
Okay everybody, take a step back, take a deep breath, and count to ten. :) DNS has never provided any security guarantees, and so a marginal increase or decrease in the difficulty of spoofing responses is not a huge issue in the grand scheme of things. Even if the 16 bits were somehow pure delicio

Re: BIND update?

2008-07-09 Thread Chris Palmer
Wesley Shields writes: > In the security world there is a balance which must be maintained between > providing information to consumers so that they may plan accordingly, and > not providing too much information so that the attackers can write > exploits; this is the sensitive nature of the inform

Re: freebsd-security Digest, Vol 246, Issue 1

2008-04-02 Thread Chris Kesler
Sorry. Please disregard. On Wed, Apr 2, 2008 at 2:11 PM, Chris Kesler <[EMAIL PROTECTED]> wrote: > Here's another project for us. We'll want to upgrade to 6.3-RELEASE in May. > > > > On Wed, Apr 2, 2008 at 7:00 AM, <[EMAIL PROTECTED]> wrote: > > Sen

Re: freebsd-security Digest, Vol 246, Issue 1

2008-04-02 Thread Chris Kesler
Here's another project for us. We'll want to upgrade to 6.3-RELEASE in May. On Wed, Apr 2, 2008 at 7:00 AM, <[EMAIL PROTECTED]> wrote: > Send freebsd-security mailing list submissions to > freebsd-security@freebsd.org > > To subscribe or unsubscribe via the World Wide Web, visit >

Re: RELENG_6_2 EoL Date?

2007-08-23 Thread Chris Marlatt
grade path for those using that release. Regards, Chris

Re: FreeBSD Security Advisory FreeBSD-SA-07:07.bind

2007-08-02 Thread Chris Byrnes
On Wed, 1 Aug 2007, Doug Barton wrote: Chris Byrnes wrote: -I/usr/src/usr.sbin/named/../../lib/bind -U__DATE__ -o named os.o aclconf.o builtin.o client.o config.o control.o controlconf.o interfacemgr.o listenlist.o log.o logconf.o main.o notify.o query.o server.o sortlist.o tkeyconf.o

Re: FreeBSD Security Advisory FreeBSD-SA-07:07.bind

2007-08-01 Thread Chris Byrnes
Anyone receiving the same? Is a fix on the way? Please cc in replies. Thank you so much! Chris On Wed, 1 Aug 2007, FreeBSD Security Advisories wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 = F

Re: Support for 5.x (Was: Re: What about BIND 9.3.4 in FreeBSD in base system ?)

2007-02-06 Thread Chris
On 06/02/07, Remko Lodder <[EMAIL PROTECTED]> wrote: On Tue, Feb 06, 2007 at 01:21:44PM +, Chris wrote: > On 03/02/07, Julian H. Stacey <[EMAIL PROTECTED]> wrote: > think you hit the nail bang on the head, I am one such person who > tried to submit a bug causing crashes

Re: Support for 5.x (Was: Re: What about BIND 9.3.4 in FreeBSD in base system ?)

2007-02-06 Thread Chris
wonder if a paypal slush fund where people who use freebsd can donate to and this slush fund is then used to pay devs who fix pr's oldest first of course would be effective. Chris

Re: What about BIND 9.3.4 in FreeBSD in base system ?

2007-02-02 Thread Chris Marlatt
t burden onto a user base that's done nothing but embraced the products produced by its efforts? Chris

Re: What about BIND 9.3.4 in FreeBSD in base system ?

2007-01-30 Thread Chris Marlatt
Peter Jeremy wrote: On Tue, 2007-Jan-30 14:51:15 -0500, Chris Marlatt wrote: Doug Barton wrote: plan to MFC it after 4 or 5 days. I am actually considering only MFC'ing it to RELENG_6 to help provide some incentive for those on 5.x to upgrade. One would assume that the release wou

Re: What about BIND 9.3.4 in FreeBSD in base system ?

2007-01-30 Thread Chris Marlatt
Doug Barton wrote: plan to MFC it after 4 or 5 days. I am actually considering only MFC'ing it to RELENG_6 to help provide some incentive for those on 5.x to upgrade. One would assume that the release would be supported up until the EOL provided on freebsd.org of May 31, 2008.

RE: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon

2006-10-12 Thread Chris Laco
ersonal experience of (4) 4.x machines and (1) 5.x machine, all on the same hardware, I've had more problems with my 5.x install than I ever did with my 4.x install. I'm afraid to even look to see if 6.0 will run on it. Just another $0.2. -=Chris

Re: SSH scans vs connection ratelimiting

2006-08-20 Thread Chris
As requested, here you go. Please read the README file for further information. http://irchost.no/ssh-4.3p2+timelox+chroot.tgz Chris wrote: > On 20/08/06, Chris <[EMAIL PROTECTED]> wrote: >> I'm maintaining a patch for OpenSSH portable that allows configurable >> bloc

Re: SSH scans vs connection ratelimiting

2006-08-19 Thread Chris
On 20/08/06, Chris <[EMAIL PROTECTED]> wrote: I'm maintaining a patch for OpenSSH portable that allows configurable blocking (firewalling, ipfw, ipf, iptables) of such bruteforce attempts. I will post it if anyone is interested in it. Daniel Gerzo wrote: > Hello Pieter, > >

Re: SSH scans vs connection ratelimiting

2006-08-19 Thread Chris
I'm maintaining a patch for OpenSSH portable that allows configurable blocking (firewalling, ipfw, ipf, iptables) of such bruteforce attempts. I will post it if anyone is interested in it. Daniel Gerzo wrote: > Hello Pieter, > > Saturday, August 19, 2006, 9:48:49 PM, you wrote: > > >> Gang, >>

Re: [fbsd] Integrating ProPolice/SSP into FreeBSD

2006-06-09 Thread Chris
SE. No problems at all really :) Except that I want a knob for gcc to use the protection by default. We discussed this in another email. I'm also using nomad's 5.4 one of my 5.4-p14 with stack gap and random mmap (slight modification was needed to get it working), which for me has the

RE: ipf stopped working on 5.3

2005-10-25 Thread Chris Odell
I had this same problem and found out there is a parameter that needs to be added to the kernel config that was not needed previously. When I get back to my office, I will look it up and send it to you. Chris Odell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED

Re: FreeBSD Security Advisory FreeBSD-SA-05:09.htt [REVISED]

2005-05-14 Thread Chris
I am somewhat confused by applying the patch, does this disable HTT functionality? or does a patched server close the issue and keep HTT enabled? Chris On 5/14/05, Drew B. [Security Expertise/Freelance Security research]. <[EMAIL PROTECTED]> wrote: > The political problem is th

Re: What is this Very Stupid DOS Attack Script?

2005-04-08 Thread Chris