On Thursday, September 29, 2016, Shawn Webb <shawn.w...@hardenedbsd.org> wrote:
> On Wed, Sep 14, 2016 at 09:15:01PM +0000, Martin Matuska wrote:
> > Author: mm
> > Date: Wed Sep 14 21:15:01 2016
> > New Revision: 305819
> > URL: https://svnweb.freebsd.org/changeset/base/305819
> >
> > Log:
> > MFV r305816:
> > Sync libarchive with vendor including important security fixes.
> >
> > Issues fixed (FreeBSD):
> > PR #778: ACL error handling
> > Issue #745: Symlink check prefix optimization is too aggressive
> > Issue #746: Hard links with data can evade sandboxing restrictions
> >
> > This update fixes the vulnerability #3 and vulnerability #4 as reported in
> > "non-cryptanalytic attacks against FreeBSD update components".
> > https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f
> >
> > Fix for vulnerability #2 has already been merged in r304989.
> >
> > MFC after: 1 week
> > Security: http://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f
>
> Hey Martin,
>
> Any plans to release a security announcement?

I expect that at the same time as 11.0-RELEASE is announced. It would be logical.

> Thanks,
>
> --
> Shawn Webb
> Cofounder and Security Engineer
> HardenedBSD
>
> GPG Key ID: 0x6A84658F52456EEE
> GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE