On Fri, 15 May 2015 07:51:34 -0500, Mark Felder wrote:
> On Fri, May 15, 2015, at 03:07, Ian Smith wrote:
> > On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote:
> > > Hello
> > >
> > > >> But I don't think disable TLS 1.0 is ok.
> > > >>
> > > >
> > > > TLS 1.0 is dead and is eve
On 18 May 2015, at 09:05, Ian Smith wrote:
>>
>> Actually, that might be the reason -- Google search results. Perhaps
>> Google is also logging what protocols/ciphers your HTTPS has and is
>> using that in search rankings.
>
> You're seriously suggesting that the FreeBSD project should set secu
On Mon, May 18, 2015 at 09:43:24AM +0200, pat...@patpro.net wrote:
> On 18 May 2015, at 09:05, Ian Smith wrote:
>
> >>
> >> Actually, that might be the reason -- Google search results. Perhaps
> >> Google is also logging what protocols/ciphers your HTTPS has and is
> >> using that in search ran
On Mon, May 18, 2015, at 02:05, Ian Smith wrote:
>
> > The danger is decryption. Your username/password could be stolen if
> > someone captures your traffic after successfully initiating a downgrade
> > attack.
>
> So the danger is only to myself, from some MITM, and not to the server?
> A
On Sun, May 17, 2015, at 18:06, Dan Lukes wrote:
> On 05/18/15 00:00, Mark Felder:
> >> If TLS 1.0 is considered a severe security issue AND system utilities are
> >> using it, why is there no Security Advisory describing this system
> >> vulnerability?
> >>
> >
> > It's not a vulnerability in sof
On Mon, May 18, 2015 at 08:42:54AM -0500, Mark Felder wrote:
> >
> > > Actually, that might be the reason -- Google search results. Perhaps
> > > Google is also logging what protocols/ciphers your HTTPS has and is
> > > using that in search rankings.
> >
> > You're seriously suggesting that t
On 5/17/2015 4:02 PM, Roger Marquis wrote:
> Does anyone know what's going on with vuln.xml updates? Over the last
> few weeks and months CVEs and application mailing lists have announced
> vulnerabilities for several ports that in some cases only showed up in
> vuln.xml after several days and in
ports-secteam@ owns this file, not secteam@.
Thanks for the pointer Bryan. I would hope that port vulnerability
emails are forwarded from secteam@ to ports-secteam@, by policy, as the
freebsd.org website is not clear on this. Either way at least I/we now
know the right address/es.
The team n
On 05/18/15 15:52, Mark Felder:
I mean, should we have an SA because our libc supports strcpy and people
can use that and create severe vulnerabilities?
No, but we should have an SA whenever another system component is using
strcpy() in a way that may affect system security.
System utility 'fetch'
On Mon, May 18, 2015, at 12:34, Dan Lukes wrote:
> On 05/18/15 15:52, Mark Felder:
> > I mean, should we have an SA because our libc supports strcpy and people
> > can use that and create severe vulnerabilities?
>
> No, but we should have an SA whenever another system component is using
> strcpy() t
On Sun, May 17, 2015, at 16:02, Roger Marquis wrote:
> Does anyone know what's going on with vuln.xml updates? Over the last
> few weeks and months CVEs and application mailing lists have announced
> vulnerabilities for several ports that in some cases only showed up in
> vuln.xml after several
On 18 May 2015 at 19:06, Mark Felder wrote:
>
>
> On Sun, May 17, 2015, at 16:02, Roger Marquis wrote:
>> Does anyone know what's going on with vuln.xml updates? Over the last
>> few weeks and months CVEs and application mailing lists have announced
>> vulnerabilities for several ports that in so
On Mon, May 18, 2015, at 14:01, Sevan / Venture37 wrote:
> On 18 May 2015 at 19:06, Mark Felder wrote:
> >
> >
> > On Sun, May 17, 2015, at 16:02, Roger Marquis wrote:
> >> Does anyone know what's going on with vuln.xml updates? Over the last
> >> few weeks and months CVEs and application maili
On 05/18/15 20:04, Mark Felder:
Fetch also doesn't have a certificate trust store out of the box.
fetch (nor SSL protocol itself) claim there is one here
FYI, you can set SSL_NO_SSL3 and SSL_NO_TLS1 in your env to stop this
behavior in fetch. If you add this to your base system image you can
On 18 May 2015 at 20:26, Mark Felder wrote:
> I was just thinking it might be nice when you're committing a change to
> a port to fix a CVE if there was a tag you can drop in the commit log to
> tell ports-security if there is a need for an entry to vuln.xml. At
> least those without experience ed
On Mon, May 18, 2015, at 13:55, Dan Lukes wrote:
>
> I have my own source repository with custom system patches, so I'm not tied
> to "official" decisions. No offense to the FreeBSD team in any way! I'm just
> not an average user. ;-)
>
>
Do not be discouraged about submitting them. It's quite easy to