under the src/ tree (or sort of), causing
every "make buildworld" with some symbol defined to cover upgrades
of them, but also permitting portaudit to check vulnerabilities on
these packages.
Of course this scheme would be complex to implement, so just my 0.02 RMB :-)
Cheers,
--
Xin LI http://www.delphij.net/
See complete headers for GPG key and other information.
Hi folks,
I think we need to update compat5x binary to fix FreeBSD-SA-05:21.openssl,
but will the binaries built by ``make universe'' be identical with actual
build on Alpha, Sparc64, etc? (Yes, I'm volunteering to do the work iff
they are identical ;-)
Cheers,
--
ruction found in the revised advisory. The
patch procedure in the first advisory was not quite correct...
Cheers,
--
Xin LI <[EMAIL PROTECTED]> http://www.delphij.net
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/li
over versions that we are
known not to be vulnerable, for instance, the user might be running
1.1.4 or 1.1.5 with their local patched versions and does not want to
upgrade, making false positives would actually hurt the credibility of
vuxml.
Cheers,
--
Xin LI <[EMAIL PROTECTED]>
Hi, Eygene,
Eygene Ryabinkin wrote:
> Xin,
>
> Wed, Nov 19, 2008 at 03:46:07PM -0800, Xin LI wrote:
>>> Thanks for handling this. But I have a question: what is the general
>>> policy about versions that are to be d
fore
> the beginning of the 'outfile', so it will be buffer underflow in any
> case (unless I am terribly mistaken and missing some obvious point).
>
> I'd change the above code to warn and return if snprintf will discard
> some trailing characters, the patch is at
Hi,
Xin LI wrote:
> Eygene Ryabinkin wrote:
>> Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
>>> I run Freebsd 7.2 and gzip doesn't handle correctly long suffix name
>>> with the -S option.
>>>> g
here as well. My revised patch would
make the memcpy into a fatal errx, and reduce the allowed suffix length
to 30 to match GNU behavior.
Please let me know if this version looks better; I'll propose it to re@
and commit it if they approve.
Cheers,
--
Xin LI http://www.delphij.ne
beginning I just matched GNU gzip's behavior, but they cover when
the -S is specified when decompressing, which we don't care about, so it
might be reasonable for us to explicitly say it's too long.
Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
Eygene Ryabinkin wrote:
> Xin,
>
> Thu, Jul 30, 2009 at 10:43:07PM -0700, Xin LI wrote:
>> After talking with Matthew Green (the author of NetBSD) it seems that it
>> would be more reasonable to fix the bug itself than breaking u
ith some remote vulnerability on
applications that allow the attacker to inject their own code.
We cannot release further details about the problem at this time,
though, but I think we will likely publish the advisory and
correction patch this patch Wednesday.
Cheers,
--
Xin LI http://www.delphij.net
remote vulnerability (i.e. some popular remote admin tool that
allows you to upload and run something on web server's context, etc).
We are still working on this one; it looks like we would need to
patch some other problems altogether.
Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD
's resources
> (user chris cannot read or write user jane's email -- let alone root's
> email). This bug breaks that guarantee, and is definitely not a ho-hum bug.
Exactly. This type of vulnerability could turn into a serious threat if
used together with some other vulnerabil
you have a stale version of the port...
Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
by the end of 2008.
It's time to switch to some better algorithm, maybe something like
Skein, etc...
[1] http://www.kb.cert.org/vuls/id/836068
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
On 2010/01/28 12:11, Chris Palmer wrote:
> Xin LI writes:
>
>> The slowness was useful at the time when the code was written, but I don't
>> think it would buy us as much nowadays, expect the slowness be halved from
>>
r example: $1.1000$, $1.10$,
> et c.?
I'd vote for $1.$; as a good side effect it would be tunable by
administrators who want to fine-tune the round number as needed.
Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
m PIDs. ¿1000, 1, 10?
It's a modulus number. The kernel will adjust it for you if you specify
too large a number, e.g. 100k.
> Thanks in advance for clarifications.
>
> PD. I've read this old post
> http://marc.info/?l=freebsd-security&m=99495048923300&w=2. Inter
ead instead?
Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
reference to OpenSSL bug tracking system, a CVE number,
etc. so we will be able to handle it more quickly.
We did patch RELENG_8_0 before 8.0-RELEASE for a few SSL protocol
flaws: http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc
Hope this helps.
Cheers,
--
Xin LI
PAM opie implementation was careful enough not to trigger this issue. So
no, programs using solely PAM, configured or not configured with OPIE, are
not affected. Programs that link directly to OPIE may be affected,
depending on their usage.
On May 27, 2010 3:30 AM, "Dag-Erling Smørgrav" wrote:
ation.
Logging remotely to a dedicated and secured central logging server
could be a better alternative (as long as you have control of your
internal network), since the attacker has to take down two systems,
rather than one, in order to erase their footprints.
Cheers,
--
Xin LI http://www.de
On 2010/08/24 12:57, free...@johnea.net wrote:
[...]
> A simpler question that I've been unable to resolve: Does the openssl of
> 8.1-RELEASE enable the TLS extensions, including SNI, by default? If I
Yes.
Cheers,
--
Xin
ee(3) is not guaranteed to give the memory back to the
kernel, which in turn WILL zero the page before handing it to another
process.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
least some of these
> into base. My question is: which ones?
LDAP? (We do currently have some work on LDAP integration but are not
sure if the community would be interested -- this would need an import
of a stripped-down OpenLDAP) and modifying OpenSSH to support public keys
in an LDAP directory.
Che
On 09/16/11 10:39, Mark Felder wrote:
> On Fri, 16 Sep 2011 12:29:56 -0500, Xin LI wrote:
>
>> LDAP? (We do currently have some work on LDAP integration but not
>> sure if the community would be interested -- this would ne
"base-integrated" port -- I wouldn't object if that would ever happen
but I bet it's a much bigger one than LDAP integration :) It may take
me a day or two to get our patchset cleaned up and updated to
-HEAD and latest OpenLDAP -stable and universe it, plus test on amd64,
but i
On 09/18/11 11:03, Dag-Erling Smørgrav wrote:
> Xin LI writes:
>> LDAP? (We do currently have some work on LDAP integration but
>> not sure if the community would be interested -- this would need
>> an import of stripp
mark of the OpenLDAP Foundation.
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
California, USA. All Rights Reserved. Permission to copy and
distribute verbatim copies of this document is granted.
===
Cheers,
--
Xin LI https://www.delphij.net/
Free
tem plus these
modules can be upgraded or updated with existing binary update mechanisms.
The proposed approach would not be a whole OpenLDAP import (selected
client libraries only), nor would it replace the port, by the way.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
On 09/20/11 14:19, Dag-Erling Smørgrav wrote:
> Xin LI writes:
>> The main concern I have is that users might want to stay on an
>> older FreeBSD release, while wanting features of a new OpenLDAP.
>> That's why I would pr
On 09/21/11 10:10, Jason Hellenthal wrote:
>
>
> On Wed, Sep 21, 2011 at 08:42:48AM -0500, Brooks Davis wrote:
>> On Tue, Sep 20, 2011 at 05:21:03PM -0700, Xin LI wrote:
On 09/22/11 19:19, Benjamin Kaduk wrote:
> On Tue, 20 Sep 2011, Xin LI wrote:
>
>> On 09/20/11 15:51, Kostik Belousov wrote: [...]
>>> Yes, the question of ma
pdate, etc.
At this time it's advisable that users use the BIND version from
ports, or use an alternative (e.g. dns/unbound), if resolving DNS
server functionality is desired; it seems that authoritative-only DNS
servers are NOT affected by the problem as far as we know.
Cheers,
--
Xin LI
ects only configurations, where
> /etc/ftpchroot exists or anonymous user is allowed to create files
> inside etc and lib dirs.
This doesn't seem to be a typical configuration, no?
Will the attached patch fix the problem?
(I think libc should just refuse /etc/nsswitch.conf and libr
On 11/30/11 17:01, Mike Tancsa wrote:
> On 11/30/2011 7:01 PM, Xin LI wrote:
>>
>>> BTW. This vulnerability affects only configurations, where
>>> /etc/ftpchroot exists or anonymous user is allowed to create
>
On 12/05/11 11:44, Mike Tancsa wrote:
> On 11/30/2011 8:16 PM, Xin LI wrote:
>> On 11/30/11 17:01, Mike Tancsa wrote:
>>> On 11/30/2011 7:01 PM, Xin LI wrote:
>>>>
>>>>> BTW. This vulnerability affects onl
Hi, Mike,
On 12/05/11 12:34, Mike Tancsa wrote:
> On 12/5/2011 2:48 PM, Xin Li wrote:
>>
>> Currently no (I thought you were in the cc list in my discussion
>> with kib@?). My initial plan was simply rejecting .so's with
&
On 12/08/11 13:52, Mike Tancsa wrote:
> On 11/30/2011 8:37 PM, Mike Tancsa wrote:
>> On 11/30/2011 8:16 PM, Xin LI wrote:
>>>
>>> Sorry I patched at the wrong place, this one should do.
>>>
>>> Note howe
s that should be sufficient workaround.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
ed kib@ to Cc list.
It doesn't seem to me that this proposed change has anything to do
with security? Personally I think the change is reasonable (but we
may want printf to be replaced with _rtld_error in rtld.c and use
LD_UTRACE there?)
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - T
Hi, Doug,
On Sat, Dec 24, 2011 at 1:29 PM, Doug Barton wrote:
> On 12/24/2011 12:46, Xin LI wrote:
>> Won't work because the binary might be run by privileged but chroot
>> user. Again, this is the first proposal that we have considered.
>
> Now that the cat is ou
exposure?
>
> (I note that 8.2S uses gcc version 4.2.2 20070831 prerelease
> [FreeBSD] 9.0S has gcc 4.2.1)
This has nothing to do with gcc as far as I can tell. It does
require changes to your individual applications if they do chroot into
an untrusted environment.
Cheers,
--
ause this batch does not change the kernel (the last batch did change the
kernel, but I guess you already patched?)
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
On Thu, Dec 29, 2011 at 11:00 AM, John Baldwin wrote:
> On Thursday, December 29, 2011 1:44:01 pm Xin Li wrote:
>> On 12/29/11 10:43, John Baldwin wrote:
>> > On Thursday, December 29, 2011 1:26:17 pm Xin Li wrote:
>> >> On 12/29/11 06:39, John Baldwin wrote:
>>
On 12/29/11 10:36, Andrey Chernov wrote:
> On Thu, Dec 29, 2011 at 10:26:17AM -0800, Xin Li wrote:
>> On 12/29/11 06:39, John Baldwin wrote:
>>> Can you give so
't
> possibly affect helper programs ability to use dlopen() from within
> libc).
Sure. That's because nsdispatch(3) would reload /etc/nsswitch.conf if
it notices a change. After chroot() the file is considered as
"chang"ed and thus it reloads the file as well as designated shar
On 12/29/11 10:43, John Baldwin wrote:
> On Thursday, December 29, 2011 1:26:17 pm Xin Li wrote:
>> On 12/29/11 06:39, John Baldwin wrote:
>>> Can you give some more details on why ftpd is triggering a
>>> dlopen inside of t
On 12/29/11 11:42, Andrey Chernov wrote:
> On Thu, Dec 29, 2011 at 11:15:44AM -0800, Xin Li wrote:
>> Would you please elaborate how this would be less ugly (e.g. with
>> a patch)?
>
> Why doing a patch if you apparently don&
On 12/29/11 11:35, John Baldwin wrote:
> On Thursday, December 29, 2011 2:10:37 pm Xin LI wrote:
>> On Thu, Dec 29, 2011 at 11:00 AM, John Baldwin
>> wrote:
>>> On Thursday, December 29, 2011 1:44:01 pm Xin Li wrote:
>
rriden because
> known program
No, it doesn't run external programs.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
:passwd_format=md5:\ +
>> :passwd_format=sha512:\ :copyright=/etc/COPYRIGHT:\
>> :welcome=/etc/motd:\
>> :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
>>
>> DES
>
>
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to S
graphs a little confusing. Is the
> correct interpretation that FreeBSD/amd64 running on Intel CPUs is
> the vulnerable combination?
Correct.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
Hi, Dag-Erling,
Here is a patch from OpenBSD which makes ssh-keyscan fetch ECDSA
keys by default, to match the default hostkey algorithm.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
The proposed change has been committed as r237567 (for the vendor branch)
and r237568 (merged to -HEAD with a 1 week settle). Thanks!
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
cutables are used for administrative usage, and thus should be kept
if OPIE functionality is desirable (or be made as ports).
However, the built-in components in telnet and ftp servers, in my
opinion, could be removed in favor of the PAM implementation.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBS
On 8/21/12 6:37 AM, Dag-Erling Smørgrav wrote:
> I'm looking for *rekeyable* TOTP (RFC 6238) tokens - preferably,
> but not necessarily OATH-certified. Does anyone know where I can
> find something like that?
>
> Alternatively, does anyone know of
Hi,
I've been playing around with GELI a little bit and came up with an idea,
have a prototype and wonder if this would be useful.
The scenario is that a system administrator wants a system to be started
with only network access. In the current startup orde
ink you could use sysctl -n to remove the variable names (which is
a good thing). I'm a little bit concerned with the fact that most of
the characters here are numbers; would it be a good idea to filter it
with e.g. gzip (my $.02), by the way, before feeding it into /dev/random?
Cheers,
--
Xin L
bits.
It's not clear to me whether we really need to have 32768 bits worth
of entropy at all, or if 20480 bits would be "good enough", but the
fact of feeding fewer bytes to the device makes me a little bit
concerned, though not very much.
Cheers,
--
Xin LI https://www.delphij.net/
F
file to fill-up the
>> remaining 4k.
>
> Or fill-up the 4k buffers with high-quality entropy, and add in
> the low-grade stuff if there is room.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
On 09/11/12 14:17, David O'Brien wrote:
> On Tue, Sep 11, 2012 at 02:04:42PM -0700, Xin Li wrote:
>> So if I was to implement the low grade part I'd remove the
>> variable names from the sysctl output at minimum.
>
>
On 09/11/12 14:27, RW wrote:
> On Tue, 11 Sep 2012 13:54:41 -0700 Xin Li wrote:
>
>> On 09/11/12 12:53, RW wrote:
>>> On Tue, 11 Sep 2012 13:28:5
nistic (header, etc.) so I
chose to skip the first 16 bytes.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
On 09/11/12 14:52, David O'Brien wrote:
> On Tue, Sep 11, 2012 at 02:22:15PM -0700, Xin Li wrote:
>> On 09/11/12 14:17, David O'Brien wrote:
>>> On Tue, Sep 11, 2012 at 02:04:42PM -0700, Xin Li wrote:
>>>> So
On 09/11/12 15:48, Arthur Mesh wrote:
> On Tue, Sep 11, 2012 at 03:37:09PM -0700, Xin Li wrote:
>> Using gzip is better than not using it though, since 4k worth of
>> compressed data is better than 4k worth of plain text becaus
On 09/11/12 16:01, David O'Brien wrote:
> On Tue, Sep 11, 2012 at 03:37:09PM -0700, Xin Li wrote:
>> On 09/11/12 14:52, David O'Brien wrote:
>>> On Tue, Sep 11, 2012 at 02:22:15PM -0700, Xin Li wrote:
>>>>
On 09/11/12 17:07, David O'Brien wrote:
> On Tue, Sep 11, 2012 at 04:22:24PM -0700, Xin Li wrote:
>> Please consider using sha512...
>
> What is the performance (boot time) impact on low-end MIPS and ARM
> systems?
>
On 9/14/12 7:18 PM, Samuel Ports wrote:
> Omg cant an freebsd-entropy be created as mailing list already
Nothing prevents you from unsubscribing from this mailing list.
> Sent from my iPhone
>
> On Sep 14, 2012, at 8:09 PM, RW
> wrote:
>
>> On Fri, 1
On 10/1/12 3:31 AM, Erik Cederstrand wrote:
> I'm looking through the clang analyzer reports and found this one:
> http://scan.freebsd.your.org/freebsd-head/sbin.ping/2012-09-30-amd64/report-R9ZgC6.html#EndPath
>
>
>
It's complaining that, if setui
c me on the PR as I'll commit if no one else
> objects.
It doesn't seem to hurt in general, but if you are going to commit it
please also change the other instances in the base system.
I personally don't think this is useful either -- the case does not
apply to FreeBSD and it seems t
t the new OpenSSL version has introduced a
regression, by the way:
http://www.mail-archive.com/openssl-dev@openssl.org/msg32009.html
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
's agenda and have set a deadline on that
day, also noted on my own calendar as well as the agenda.
If we have received no objections by Apr 18, I assume the responsibility
of approving this proposed change and consider this as a formal approval
for committing.
Cheers,
--
Xin LI https://www.d
On 4/29/13 3:26 PM, Winston wrote:
> For the purpose of the NFS vulnerability in 9.0-RELEASE, does it
> make any difference whether one has used /etc/exports and an
> explicitly started nfsd, or exported the files using "zfs set
> sharenfs={options}"
(working copy)
@@ -420,4 +420,4 @@ struct vfsops tmpfs_vfsops = {
.vfs_statfs = tmpfs_statfs,
.vfs_fhtovp = tmpfs_fhtovp,
};
- -VFS_SET(tmpfs_vfsops, tmpfs, 0);
+VFS_SET(tmpfs_vfsops, tmpfs, VFCF_JAIL);
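Review bot: the removed line appears as `- -VFS_SET(tmpfs_vfsops, tmpfs, 0);` because the PGP-signed message dash-escapes lines that begin with `-`; anyone applying this hunk has to un-escape it to a single leading `-` first or patch(1) will reject it. Beyond that, the whole functional change is the flags argument going from 0 to VFCF_JAIL, which marks tmpfs as mountable from inside a jail, and nothing in the hunk says which jail permission (the jail's allow.mount settings) gates that; the commit message should state it, since letting a jail mount an in-memory filesystem is a resource and policy decision for the host administrator.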
Cheers,
--
Xin LI https
On 11/19/13, 3:52 AM, Cstdenis wrote:
> I think the file in workaround should actually be
> /etc/ssh/sshd_config unless I am mistaken.
Ah you are right, that's my fault.
Cheers,
On 11/20/13, 7:09 AM, Paul Hoffman wrote:
> I was wondering about that, but figured it might have moved in
> FreeBSD 10. Good to hear that it is not moving.
No, it's not moving. We try our best to keep POLA even with .0
releases whenever possible.
On 11/29/13, 1:14 PM, Rob wrote:
> Hi,
>
> Why isn't this bug being fixed in 9.1?
FreeBSD 9.x is not affected because the earlier FreeBSD releases do
not ship with an OpenSSL that supports AES-GCM; therefore, OpenSSH would
not support it and thus not
exit 0
+fi
+
case ${entropy_dir} in
[Nn][Oo])
exit 0
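Review bot: the hunk is quoted without its `@@` header and opening lines, so the `if` that the added `fi` closes and the condition it tests are not visible; as posted, the fragment only shows an early `exit 0` being wrapped in a new conditional ahead of the `case ${entropy_dir} in` test, and it cannot be reviewed or applied without the missing lines. Please repost the complete hunk.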
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
On 12/24/13 14:36, Paul Hoffman wrote:
> On Dec 24, 2013, at 12:44 PM, Xin Li wrote:
>
>> I think we shouldn't save entropy inside jails, as the data is
>> not going to be used by rc script (pjd@126744). If there is no
On 12/24/13 15:26, Paul Hoffman wrote:
> On Dec 24, 2013, at 2:53 PM, Xin Li wrote:
>
>> On 12/24/13 14:36, Paul Hoffman wrote:
>>> On Dec 24, 2013, at 12:44 P
On 1/9/14, 7:14 PM, Garrett Wollman wrote:
> < said:
>
>> Other than updating ntpd, you can filter out requests to
>> 'monlist' command with 'restrict ... noquery' option that
>> disables some queries for the internal ntpd status, including
>> 'mon
On 1/9/14, 6:12 AM, Palle Girgensohn wrote:
>
> 9 jan 2014 kl. 15:08 skrev Eugene Grosbein :
>
>> On 09.01.2014 19:38, Palle Girgensohn wrote:
>>> They recommend at least 4.2.7. Any thoughts about this?
>>
>> Other than updating ntpd, you can filt
On 01/13/14 02:08, Cristiano Deana wrote:
> On Fri, Jan 10, 2014 at 6:18 AM, Xin Li wrote:
>
> Hi,
>
> We will have an advisory next week. If a NTP server is properly
>> configured, it's likely that they are not affected
>>
>
> I had this problem in nove
On 1/16/14, 12:41 PM, Jeremie Le Hen wrote:
> Hi,
>
> On Tue, Jan 14, 2014 at 08:11:08PM +, FreeBSD Security
> Advisories wrote:
>>
>> II. Problem Description
>>
>> The bsnmpd(8) daemon is prone to a stack-based buffer-overflow
>> when it has
d be to change your configuration such that:
1) Do not give shell access to jail users unless they are also host
system administrators.
2) Do not make the host's sshd listen on all addresses; instead, only
listen on the designated host IP address. This is not a security
measure but avoids con
both close() can be omitted. If
this makes sense I'll submit a new patch.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
n additional step for ntp prior to 4.2.7).
[1]
http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc ;
patch at http://security.freebsd.org/patches/SA-14:02/ntpd.patch
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
On 3/14/14, 8:43 PM, Brett Glass wrote:
> At 07:39 PM 3/14/2014, Xin Li wrote:
>
>> FreeBSD 10.0-RELEASE ships with new default NTP settings; are
>> you talking about an earlier RC (before RC4 as r259975), or are you
>> saying 1
On 3/15/14, 2:30 AM, Brett Glass wrote:
> At 11:34 PM 3/14/2014, Xin Li wrote:
>
>> I can't reproduce with a fresh install. How did you test it (or
>> what is missing in the default ntp.conf)? Can you elaborate?
>
>
On 03/17/14 02:26, Pawel Jakub Dawidek wrote:
> On Thu, Mar 13, 2014 at 02:08:36PM -0700, Xin Li wrote:
>> Hi, Pawel,
>>
>> I have noticed that casperd
ld
take some time.
Attached is the minimal fix (extracted from upstream git repository)
we are intending to use in the advisory for those who want to apply a
fix now, please DO NOT use any new certificates before applying fixes.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power t
On 4/7/14, 7:27 PM, Mike Tancsa wrote:
> On 4/7/2014 5:02 PM, Xin Li wrote:
>> Hi, Thomas,
>>
>> On 04/07/14 13:49, Thomas Steen Rasmussen wrote:
>>
ater time. (Note though, even
without this the user or an application can still use
freebsd-version(1) on FreeBSD 10.0-RELEASE and up to find out the
patchlevel for userland).
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
On 04/08/14 15:58, Chris Nehren wrote:
> On Tue, Apr 08, 2014 at 15:47:29 -0700, Xin Li wrote:
>> What would be the preferable way of representing the patchlevel?
>> We can do it as part of a EN batch at later time. (Note though,
which later was revised because another unrelated CVE), and the
workaround also requires recompile. Moreover, the patch would provide
better protection because it changes the code so NO_CLEAN= won't skip
it in an incremental build, while with -DOPENSSL_NO_HEARTBEATS it's
possible t
binary is absolutely
needed). This will make it easier to make sure that the system is
clean of outdated OpenSSL bits when updating the libraries.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
pd and
see if there is /usr/local/lib/libcrypto.so.8), then you are affected.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die