Re: FreeBSD Security Survey

2006-05-23 Thread Miroslav Lachman
WITH_OPENSSL=yes', 'OVERWRITE_DB=no', ], } AFTERINSTALL = { 'databases/mysql41-server' => proc { |origin| cmd_enable_rc(origin) + ';' + cmd_restart_rc(ori

Re: Secure shared web hosting using MAC Framework

2007-02-25 Thread Miroslav Lachman
etter security called Suhosin. After installation of this extension you have better control of what you want to disable, or enable. Author of this extension was developer in PHP security team. Miroslav La

Re: Anti-Rootkit app

2008-01-14 Thread Miroslav Lachman
using security/rkhunter from ports. It is really easy to set up and configure. I have some local scripts for periodic reports which I plan to submit in to PR database. Miroslav Lachman

Re: A simple rc.d jail patch to enable priority

2008-06-03 Thread Miroslav Lachman
f the patch on Miroslav Lachman

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd

2010-01-07 Thread Miroslav Lachman
obj/usr/src/usr.sbin/ntp/ntpd/../libparse/libparse.a. Stop Try cd /usr/src/usr.sbin/ntp instead of cd /usr/src/usr.sbin/ntp/ntpd Miroslav Lachman

periodic security run output gives false positives after 1 year

2012-02-16 Thread Miroslav Lachman
Maybe some others, I did just a quick grep -rsn 'date -v-1d' /etc/periodic and I don't know the logic used in other script to get yesterday messages. What do you think about it? Miroslav Lachman

Re: periodic security run output gives false positives after 1 year

2012-02-16 Thread Miroslav Lachman
Glen Barber wrote: On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote: Hi, I see it many times before, but never take a time to post about it. Scripts in /etc/periodic are grepping logs for yesterday date, but without specifying year (because some logs do not have year logged

Re: periodic security run output gives false positives after 1 year

2012-02-17 Thread Miroslav Lachman
I re-add list to CC. Gregory Orange wrote: Hi Miroslav, I don't know if this message really contributes anything to the list, so I'll email you directly. On 17/02/12 01:04, Miroslav Lachman wrote: I see it many times before, but never take a time to post about it. Well, tha

Re: periodic security run output gives false positives after 1 year

2012-02-17 Thread Miroslav Lachman
Sergey Kandaurov wrote: 2012/2/16 Miroslav Lachman: Hi, I see it many times before, but never take a time to post about it. Scripts in /etc/periodic are grepping logs for yesterday date, but without specifying year (because some logs do not have year logged). This resu

Re: periodic security run output gives false positives after 1 year

2012-02-17 Thread Miroslav Lachman
2k problem and dates with YY format instead of - it was fine for many years... But did you notice, that almost everything else is already logging with year in date? Miroslav Lachman

Re: periodic security run output gives false positives after 1 year

2012-02-17 Thread Miroslav Lachman
with gzip, there is no difference, with bzip2 there is only 2KB more. Again - I understand your view, but I still think that using new ISO date format is an improvement. Cheers, Miroslav Lachman

Re: periodic security run output gives false positives after 1 year

2012-02-20 Thread Miroslav Lachman
Gary Palmer wrote: On Thu, Feb 16, 2012 at 02:01:24PM -0500, Glen Barber wrote: On Thu, Feb 16, 2012 at 06:59:54PM +0100, Miroslav Lachman wrote: Glen Barber wrote: On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote: Hi, I see it many times before, but never take a time to


2015-11-10 Thread Miroslav Lachman
to increase verbosity for log files. I didn't know blacklistd. It seems very interesting. It would be nice if somebody will port it to FreeBSD. Miroslav Lachman

Re: FreeBSD - a lesson in poor defaults?

2016-07-13 Thread Miroslav Lachman
on FreeBSD release side and should be fixed. Some things we modified on our installs. Miroslav Lachman

using pkg audit to show base vulnerabilities

2016-08-25 Thread Miroslav Lachman
ts must be trusted to run any checks on them from parent? The last thing - is it possible to have something like this included as a part of ports-mgmt/pkg Miroslav Lachman

Re: using pkg audit to show base vulnerabilities

2016-09-12 Thread Miroslav Lachman
Mark Felder wrote on 09/07/2016 23:25: On Thu, Aug 25, 2016, at 07:49, Miroslav Lachman wrote: I am not sure if this is the right list or not. If not, please redirect me to the right one. I noticed this post from Mark Felder

Re: FreeBSD Security Advisory FreeBSD-SA-16:27.openssl

2016-10-10 Thread Miroslav Lachman
, 11.0-STABLE) 2016-09-26 20:26:19 UTC (releng/11.0, 11.0-RELEASE-p1) CVE Name: CVE-2016-7052 I think it should be Affects:FreeBSD 11.x Or should be other versions listed in "Corrected"? But older FreeBSD versions does not have OpenSSL 1.0.2 in base. Mirosl

VuXML entry for openssh - 10.3 sshd in base vulnerable

2017-01-03 Thread Miroslav Lachman
:// 1 problem(s) in the installed packages found. But there is no advisory on for this problem. Is it false alarm? Or did I missed something? Miroslav Lachman

Re: VuXML entry for openssh - 10.3 sshd in base vulnerable

2017-01-06 Thread Miroslav Lachman
Miroslav Lachman wrote on 2017/01/03 14:11: Security entries for base are in VuXML for some time so we are checking it periodically. Now we have an alert for base sshd in 10.3-p14 and -15 too. # pkg audit FreeBSD-10.3_15 FreeBSD-10.3_15 is vulnerable: openssh -- multiple vulnerabilities CVE

Re: VuXML entry for openssh - 10.3 sshd in base vulnerable

2017-01-10 Thread Miroslav Lachman
Xin Li wrote on 2017/01/10 08:49: On 1/6/17 07:36, Miroslav Lachman wrote: Miroslav Lachman wrote on 2017/01/03 14:11: Security entries for base are in VuXML for some time so we are checking it periodically. Now we have an alert for base sshd in 10.3-p14 and -15 too. # pkg audit FreeBSD

VuXML entry for openssh listed twice

2017-01-12 Thread Miroslav Lachman
: CVE-2016-10009 WWW: Miroslav Lachman

Re: WPA2 vulnerabilities — is FreeBSD-as-AP affected?

2017-10-16 Thread Miroslav Lachman
know, is FreeBSD (our WiFi stack + hostapd / wpa_supplicant) affected? Yes. it is discussed at current@ with patch Miroslav Lachman

Spectre-NG - Multiple new Intel CPU flaws

2018-05-04 Thread Miroslav Lachman
Spectre and Meltdown was patched in FreeBSD 2 months ago and new vulnerabilities in CPU are about to come. Miroslav Lachman

Re: Possible break-in attempt?

2018-07-21 Thread Miroslav Lachman
olled by ssh_config. Miroslav Lachman

Was wpa_supplicant CVE-2018-14526 fixed in 10.4-p11?

2018-08-27 Thread Miroslav Lachman
e? Kind regards Miroslav Lachman

Re: Was wpa_supplicant CVE-2018-14526 fixed in 10.4-p11? / PR 231054

2018-08-31 Thread Miroslav Lachman
Miroslav Lachman wrote on 2018/08/28 00:20: Running pkg audit FreeBSD-10.4_11 gives me one vulnerability: # pkg audit FreeBSD-10.4_11 FreeBSD-10.4_11 is vulnerable: wpa_supplicant -- unauthenticated encrypted EAPOL-Key data CVE: CVE-2018-14526 WWW:

fix for vuln.xml / committer needed

2018-09-05 Thread Miroslav Lachman
Can somebody commit this easy fix, please? It is annoying to get false alarms every day in daily security reports. Kind Regards Miroslav Lachman Miroslav Lachman wrote on 2018/08/31 12:24: Miroslav Lachman wrote on 2018/08/28 00:20

Status of FreeBSD vulnerabilities in VUXML database

2019-07-09 Thread Miroslav Lachman
is FreeBSD's own pet so why new SAs are not added there the same day they are published as SA on It makes base-audit periodic useless. Kind regards Miroslav La

Re: [EXTERNAL] Status of FreeBSD vulnerabilities in VUXML database

2019-07-09 Thread Miroslav Lachman
It makes base-audit periodic useless. Kind regards Miroslav Lachman

Re: Let's Encrypt

2019-09-10 Thread Miroslav Lachman
nly the deployment of the new / renewed key is run as root through sudo. I don't know certbot well, allows to use shell scripts as hooks for actions like deployment so it was really simple to separate cert signing and deployment of new cert. Kind regards Miroslav Lachman

New Linux vulnerability lets attackers hijack VPN connections

2019-12-08 Thread Miroslav Lachman
systems including FreeBSD, OpenBSD, macOS, iOS, and Android. Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and IKEv2/IPSec, but the researchers are still testing their feasibility against Tor. -- Miroslav Lachman

Re: New Linux vulnerability lets attackers hijack VPN connections

2019-12-08 Thread Miroslav Lachman
Eugene Grosbein wrote on 2019/12/08 12:33: 08.12.2019 16:25, Miroslav Lachman wrote: Security researchers found a new vulnerability allowing potential attackers to hijack VPN

Re: @freebsdsecurity Twitter handle?

2020-01-29 Thread Miroslav Lachman
visories. Can somebody convince FreeBSD Security Office to publish Advisories in vuln.xml at the same as on the website? It is FreeBSD's own tool to handle vulnerabilities but they are not there.

Critical PPP Daemon Flaw

2020-03-09 Thread Miroslav Lachman
rs to remotely execute arbitrary code on affected systems and take full control over them. [1] Kind regards Miroslav Lachman

Re: Critical PPP Daemon Flaw

2020-03-09 Thread Miroslav Lachman
Eugene Grosbein wrote on 2020/03/09 18:15: 09.03.2020 20:49, Cy Schubert wrote: On March 9, 2020 4:23:10 AM PDT, Miroslav Lachman wrote: I don't know if FreeBSD is vulnerable or not. There are main Linux distros and NetBSD listed in the article. https://thehac

current SA in vuxml

2020-03-20 Thread Miroslav Lachman
I don't know who is responsible for adding March entries in to vuxml at the same time as published it on the website but I really would like to say THANK YOU. Kind regards Miroslav Lachman

Re: FreeBSD Security Advisory FreeBSD-SA-20:11.openssl

2020-04-22 Thread Miroslav Lachman
VuXML entry or original SA? Kind regards Miroslav Lachman

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-21:01.fsdisclosure

2021-01-31 Thread Miroslav Lachman
fixed in newer patchlevel of FreeBSD 11.4 or it was not present in 11.x at all? Kind regards Miroslav Lachman

Two high-severity vulnerabilities in OpenSSL

2021-03-25 Thread Miroslav Lachman
companies have already started informing their customers about these OpenSSL vulnerabilities. Kind regards Miroslav Lachman

Re: Security leak: Public disclosure of user data without their consent by installing software via pkg

2021-04-06 Thread Miroslav Lachman
em here is that it collects and sends data right at the install time. It is really unexpected to run installed package without user consent. If you install Apache, MySQL or any other package the command / daemon is not run by "pkg install" command. This must be avoided. Kind rega

Re: Security leak: Public disclosure of user data without their consent by installing software via pkg

2021-04-08 Thread Miroslav Lachman
"lolwut" reaction was very far from expected. Trying to neglect the problem, trying to say that FreeBSD is not responsible for how packages behave in install time and nobody should be upset that something sends data on install time... Kind regards Miroslav Lachman 8. Entitlemen

Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm

2021-04-11 Thread Miroslav Lachman
On 11/04/2021 21:21, Gian Piero Carrubba wrote: CCing ports-secteam@ as it seems a more appropriate recipient. Vulnerabilities in base should be handled by core secteam, not ports secteam. Vuxml entries should be published together with Security Advisories. Miroslav Lachman * [Sun, Apr

Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm missing in vuxml

2021-04-12 Thread Miroslav Lachman
On 11/04/2021 21:49, Gian Piero Carrubba wrote: * [Sun, Apr 11, 2021 at 09:36:05PM +0200] Miroslav Lachman: On 11/04/2021 21:21, Gian Piero Carrubba wrote: CCing ports-secteam@ as it seems a more appropriate recipient. Vulnerabilities in base should be handled by core secteam, not ports

Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm missing in vuxml

2021-04-13 Thread Miroslav Lachman
On 13/04/2021 06:03, Gordon Tetlow wrote: On Apr 12, 2021, at 03:21, Miroslav Lachman wrote: On 11/04/2021 21:49, Gian Piero Carrubba wrote: * [Sun, Apr 11, 2021 at 09:36:05PM +0200] Miroslav Lachman: On 11/04/2021 21:21, Gian Piero Carrubba wrote: CCing ports-s

Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl

2021-08-25 Thread Miroslav Lachman
ng patches; it is not equipped to notify users of vulnerabilities that we do not have a patch for. Let me think on how we might support such a thing and discuss with the team. Will it be published (marked as vulnerable) in vuln.xml so users of security/base-audit will be notified? Kind regard

vulnerablities in base unreported in VuXML

2023-05-04 Thread Miroslav Lachman
-FreeBSD.html Kind regards Miroslav Lachman

remote code execution vulnerability

2023-06-09 Thread Miroslav Lachman
vulnerable in VuXML database. Kind regards Miroslav Lachman

Re: vulnerablities in base unreported in VuXML

2023-08-13 Thread Miroslav Lachman
can Security Team add all past vulnerabilities in to VuXML and fix process of publishing future SAs that they will never be missed again? Kind regards Miroslav Lachman On 04/05/2023 19:56, Miroslav Lachman wrote: As was noted on FreeBSD forum [1], there is problem with missing SA entries in

Re: securelevel 1

2023-10-24 Thread Miroslav Lachman
.7 /usr/lib32/ /usr/lib32/ /usr/lib32/ /var/empty Log files are not protected. Kind regards Miroslav Lachman On 24 Oct 2023, at 12:19, void wrote: Hi, I'd like to set append-only on an arm64 system running stable/14-n265566 (so securelevel=1) but how