From owner-freebsd-security@FreeBSD.ORG Tue Apr 2 18:03:51 2013
Date: Tue, 2 Apr 2013 18:03:51 GMT
Message-Id: <201304021803.r32I3pMp045959@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-13:03.openssl

=============================================================================
FreeBSD-SA-13:03.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2013-04-02
Affects:        All supported versions of FreeBSD.
Corrected:      2013-03-08 17:28:40 UTC (stable/8, 8.3-STABLE)
                2013-04-02 17:34:42 UTC (releng/8.3, 8.3-RELEASE-p7)
                2013-03-14 17:48:07 UTC (stable/9, 9.1-STABLE)
                2013-04-02 17:34:42 UTC (releng/9.0, 9.0-RELEASE-p7)
                2013-04-02 17:34:42 UTC (releng/9.1, 9.1-RELEASE-p2)
CVE Name:       CVE-2013-0166, CVE-2013-0169

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

A flaw in the OpenSSL handling of OCSP response verification could be exploited
to cause a denial of service attack. [CVE-2013-0166]

OpenSSL has a weakness in the handling of CBC ciphersuites in SSL, TLS and
DTLS.  The weakness could reveal plaintext in a timing attack. [CVE-2013-0169]

III. Impact

The Denial of Service could be caused in the OpenSSL server application by
using an invalid key. [CVE-2013-0166]

A remote attacker could recover sensitive information by conducting
an attack via statistical analysis of timing data with crafted packets.
[CVE-2013-0169]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 8.3 and 9.0]
# fetch http://security.FreeBSD.org/patches/SA-13:03/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-13:03/openssl.patch.asc
# gpg --verify openssl.patch.asc

[FreeBSD 9.1]
# fetch http://security.FreeBSD.org/patches/SA-13:03/openssl-9.1.patch
# fetch http://security.FreeBSD.org/patches/SA-13:03/openssl-9.1.patch.asc
# gpg --verify openssl-9.1.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r248057
releng/8.3/                                                       r249029
stable/9/                                                         r248272
releng/9.0/                                                       r249029
releng/9.1/                                                       r249029
-------------------------------------------------------------------------

VII. References

CVE Name:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-13:03.openssl.asc

From owner-freebsd-security@FreeBSD.ORG Tue Apr 2 18:04:12 2013
Date: Tue, 2 Apr 2013 18:04:12 GMT
Message-Id: <201304021804.r32I4CAc046022@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-13:04.bind

=============================================================================
FreeBSD-SA-13:04.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service

Category:       contrib
Module:         bind
Announced:      2013-04-02
Credits:        Matthew Horsfall of Dyn, Inc.
Affects:        FreeBSD 8.4-BETA1 and FreeBSD 9.x
Corrected:      2013-03-28 05:35:46 UTC (stable/8, 8.4-BETA1)
                2013-03-28 05:39:45 UTC (stable/9, 9.1-STABLE)
                2013-04-02 17:34:42 UTC (releng/9.0, 9.0-RELEASE-p7)
                2013-04-02 17:34:42 UTC (releng/9.1, 9.1-RELEASE-p2)
CVE Name:       CVE-2013-2266

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.  The libdns
library is a library of DNS protocol support functions.

II.  Problem Description

A flaw in a library used by BIND allows an attacker to deliberately
cause excessive memory consumption by the named(8) process.  This
affects both recursive and authoritative servers.

III. Impact

A remote attacker can cause the named(8) daemon to consume all available
memory and crash, resulting in a denial of service.  Applications linked
with the libdns library, for instance dig(1), may also be affected.

IV.  Workaround

No workaround is available, but systems not running named(8) service
and not using base system DNS utilities are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:04/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-13:04/bind.patch.asc
# gpg --verify bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in .

Restart the named daemon, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r248807
stable/9/                                                         r248808
releng/9.0/                                                       r249029
releng/9.1/                                                       r249029
-------------------------------------------------------------------------

VII. References

https://kb.isc.org/article/AA-00871

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-13:04.bind.asc

From owner-freebsd-security@FreeBSD.ORG Wed Apr 3 09:57:38 2013
Message-ID: <515BFAF8.4010205@metu.edu.tr>
Date: Wed, 03 Apr 2013 12:48:40 +0300
From: Husnu Demir
Organization: METU Computer Center Network Group
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-13:04.bind
In-Reply-To: <201304021804.r32I4CAc046022@freefall.freebsd.org>

Merve,

Could you make sure the places where we use Bind get updated?

hdemir.

On 02-04-2013 21:04, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-13:04.bind                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          BIND remote denial of service
>
> Category:       contrib
> Module:         bind
> Announced:      2013-04-02
> Credits:        Matthew Horsfall of Dyn, Inc.
> Affects:        FreeBSD 8.4-BETA1 and FreeBSD 9.x
> Corrected:      2013-03-28 05:35:46 UTC (stable/8, 8.4-BETA1)
>                 2013-03-28 05:39:45 UTC (stable/9, 9.1-STABLE)
>                 2013-04-02 17:34:42 UTC (releng/9.0, 9.0-RELEASE-p7)
>                 2013-04-02 17:34:42 UTC (releng/9.1, 9.1-RELEASE-p2)
> CVE Name:       CVE-2013-2266
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> The named(8) daemon is an Internet Domain Name Server.  The libdns
> library is a library of DNS protocol support functions.
>
> II.  Problem Description
>
> A flaw in a library used by BIND allows an attacker to deliberately
> cause excessive memory consumption by the named(8) process.  This
> affects both recursive and authoritative servers.
>
> III. Impact
>
> A remote attacker can cause the named(8) daemon to consume all available
> memory and crash, resulting in a denial of service.  Applications linked
> with the libdns library, for instance dig(1), may also be affected.
>
> IV.  Workaround
>
> No workaround is available, but systems not running named(8) service
> and not using base system DNS utilities are not affected.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-13:04/bind.patch
> # fetch http://security.FreeBSD.org/patches/SA-13:04/bind.patch.asc
> # gpg --verify bind.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> Recompile the operating system using buildworld and installworld as
> described in .
>
> Restart the named daemon, or reboot the system.
>
> 3) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch/path                                                      Revision
> -------------------------------------------------------------------------
> stable/8/                                                         r248807
> stable/9/                                                         r248808
> releng/9.0/                                                       r249029
> releng/9.1/                                                       r249029
> -------------------------------------------------------------------------
>
> VII. References
>
> https://kb.isc.org/article/AA-00871
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-13:04.bind.asc
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@FreeBSD.ORG Wed Apr 3 10:01:57 2013
Message-ID: <515BFE13.9040000@metu.edu.tr>
Date: Wed, 03 Apr 2013 13:01:55 +0300
From: Husnu Demir
Organization: METU Computer Center Network Group
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-13:04.bind
In-Reply-To: <515BFAF8.4010205@metu.edu.tr>

Sorry, my mistake.

hdemir.

On 03-04-2013 12:48, Husnu Demir wrote:
> Merve,
>
> Could you make sure the places where we use Bind get updated?
>
> hdemir.
>
>
> On 02-04-2013 21:04, FreeBSD Security Advisories wrote:
>> =============================================================================
>> FreeBSD-SA-13:04.bind                                       Security Advisory
>>                                                           The FreeBSD Project
>>
>> Topic:          BIND remote denial of service
>>
>> Category:       contrib
>> Module:         bind
>> Announced:      2013-04-02
>> Credits:        Matthew Horsfall of Dyn, Inc.
>> Affects:        FreeBSD 8.4-BETA1 and FreeBSD 9.x
>> Corrected:      2013-03-28 05:35:46 UTC (stable/8, 8.4-BETA1)
>>                 2013-03-28 05:39:45 UTC (stable/9, 9.1-STABLE)
>>                 2013-04-02 17:34:42 UTC (releng/9.0, 9.0-RELEASE-p7)
>>                 2013-04-02 17:34:42 UTC (releng/9.1, 9.1-RELEASE-p2)
>> CVE Name:       CVE-2013-2266
>>
>> For general information regarding FreeBSD Security Advisories,
>> including descriptions of the fields above, security branches, and the
>> following sections, please visit .
>>
>> I.   Background
>>
>> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
>> The named(8) daemon is an Internet Domain Name Server.  The libdns
>> library is a library of DNS protocol support functions.
>>
>> II.  Problem Description
>>
>> A flaw in a library used by BIND allows an attacker to deliberately
>> cause excessive memory consumption by the named(8) process.  This
>> affects both recursive and authoritative servers.
>>
>> III. Impact
>>
>> A remote attacker can cause the named(8) daemon to consume all available
>> memory and crash, resulting in a denial of service.  Applications linked
>> with the libdns library, for instance dig(1), may also be affected.
>>
>> IV.  Workaround
>>
>> No workaround is available, but systems not running named(8) service
>> and not using base system DNS utilities are not affected.
>>
>> V.   Solution
>>
>> Perform one of the following:
>>
>> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
>> release / security branch (releng) dated after the correction date.
>>
>> 2) To update your vulnerable system via a source code patch:
>>
>> The following patches have been verified to apply to the applicable
>> FreeBSD release branches.
>>
>> a) Download the relevant patch from the location below, and verify the
>> detached PGP signature using your PGP utility.
>>
>> # fetch http://security.FreeBSD.org/patches/SA-13:04/bind.patch
>> # fetch http://security.FreeBSD.org/patches/SA-13:04/bind.patch.asc
>> # gpg --verify bind.patch.asc
>>
>> b) Execute the following commands as root:
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>>
>> Recompile the operating system using buildworld and installworld as
>> described in .
>>
>> Restart the named daemon, or reboot the system.
>>
>> 3) To update your vulnerable system via a binary patch:
>>
>> Systems running a RELEASE version of FreeBSD on the i386 or amd64
>> platforms can be updated via the freebsd-update(8) utility:
>>
>> # freebsd-update fetch
>> # freebsd-update install
>>
>> VI.  Correction details
>>
>> The following list contains the revision numbers of each file that was
>> corrected in FreeBSD.
>>
>> Branch/path                                                      Revision
>> -------------------------------------------------------------------------
>> stable/8/                                                         r248807
>> stable/9/                                                         r248808
>> releng/9.0/                                                       r249029
>> releng/9.1/                                                       r249029
>> -------------------------------------------------------------------------
>>
>> VII. References
>>
>> https://kb.isc.org/article/AA-00871
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266
>>
>> The latest revision of this advisory is available at
>> http://security.FreeBSD.org/advisories/FreeBSD-SA-13:04.bind.asc
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
>

From owner-freebsd-security@FreeBSD.ORG Wed Apr 3 22:16:08 2013
Date: Wed, 3 Apr 2013 23:16:07 +0100
Subject: Portaudit build currently broken
From: "Simon L. B. Nielsen"
To: freebsd-ops-announce@FreeBSD.org
Cc: freebsd-security@FreeBSD.org

Hey,

Just wanted to let people know that the portaudit build is currently
broken resulting in changes to VuXML not getting propagated to
portaudit (and pkg audit).

I hope to get this fixed within a couple of days, and will follow up
once it's working again.

PS. this is a fallout of turning off ports SVN -> CVS export. It was
previously missed that this (yet another automated system we run)
needed to be updated as well.

-- 
Simon L. B. Nielsen
Hat: FreeBSD.org clusteradm team / FreeBSD Security Team

From owner-freebsd-security@FreeBSD.ORG Wed Apr 3 22:20:21 2013
To: "Simon L. B. Nielsen"
From: Mark Andrews
Cc: freebsd-security@FreeBSD.org, freebsd-ops-announce@FreeBSD.org
Subject: Re: Portaudit build currently broken
Date: Thu, 04 Apr 2013 09:20:08 +1100
Message-Id: <20130403222008.BC20D31DF5F0@drugs.dv.isc.org>

In message , "Simon L. B. Nielsen" writes:
> Hey,
>
> Just wanted to let people know that the portaudit build is currently
> broken resulting in changes to VuXML not getting propagated to
> portaudit (and pkg audit).
>
> I hope to get this fixed within a couple of days, and will follow up
> once it's working again.
>
> PS. this is a fallout of turning off ports SVN -> CVS export. It was
> previously missed that this (yet another automated system we run)
> needed to be updated as well.

What's more critical turning off SVN -> CVS or timely security
alerts?  Turn SVN -> CVS back on, fix portaudit, then try turning
SVN -> CVS back off.

> -- 
> Simon L. B. Nielsen
> Hat: FreeBSD.org clusteradm team / FreeBSD Security Team
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

From owner-freebsd-security@FreeBSD.ORG Thu Apr 4 14:29:19 2013
Subject: Re: Portaudit build currently broken
From: Remko Lodder
To: Mark Andrews
Cc: freebsd-security@FreeBSD.org, "Simon L. B. Nielsen", freebsd-ops-announce@FreeBSD.org
Date: Thu, 4 Apr 2013 16:29:06 +0200
Message-Id: <446FF96C-696D-46D7-A6E6-DFAA21369128@FreeBSD.org>
In-Reply-To: <20130403222008.BC20D31DF5F0@drugs.dv.isc.org>
References: <20130403222008.BC20D31DF5F0@drugs.dv.isc.org>

On Apr 4, 2013, at 12:20 AM, Mark Andrews wrote:

>
> In message
> , "Simon L. B. Nielsen" writes:
>> Hey,
>>
>> Just wanted to let people know that the portaudit build is currently
>> broken resulting in changes to VuXML not getting propagated to
>> portaudit (and pkg audit).
>>
>> I hope to get this fixed within a couple of days, and will follow up
>> once it's working again.
>>
>> PS. This is a fallout of turning off ports SVN -> CVS export. It was
>> previously missed that this (yet another automated system we run)
>> needed to be updated as well.
>
> What's more critical turning off SVN -> CVS or timely security
> alerts? Turn SVN -> CVS back on, fix portaudit, then try turning
> SVN -> CVS back off.
>

If we need to do something with the services anyway we can as well
better do it the proper way right away instead of turning on unsupported services

Thanks,
Remko

--
/"\ With kind regards, | remko@elvandar.org
\ / Remko Lodder | remko@FreeBSD.org
X FreeBSD | http://www.evilcoder.org
/ \ The Power to Serve | Quis custodiet ipsos custodes

From owner-freebsd-security@FreeBSD.ORG Thu Apr 4 21:29:24 2013
Message-ID: <515DF0B4.6020000@delphij.net>
Date: Thu, 04 Apr 2013 14:29:24 -0700
From: Xin Li
Organization: The FreeBSD Project
To: Andrey Chernov
Cc: Xin LI, d@delphij.net, "freebsd-security@freebsd.org"
Reply-To: d@delphij.net
Subject: Kernel arc4 one-shot reseed upon /dev/random unblock
References: <201304022341.r32NfL8L096954@svn.freebsd.org> <20130403165736.F819@besplex.bde.org> <515BDADF.8060303@freebsd.org> <515D0E70.8050701@delphij.net> <515D295A.3020407@freebsd.org>
In-Reply-To: <515D295A.3020407@freebsd.org>

(Moved to freebsd-security@)

On 04/04/13 00:18, Andrey Chernov wrote:
> Ok, patches are attached, one with atomic, and another one - without.
> They try to reseed arc4 immediately after we have enough of entropy.
> Only one of them is needed, not both. Atomic version works 100% right
> and non-atomic may cause chained arc4 reseed in edge case, which does not
> harm arc4 itself, just takes time.

The atomic version of the patch (attached) looks reasonable to me, but I'd like to give this more exposure first so please hold until Apr 18, 2013.

I have put this on secteam@'s agenda and have set a deadline on that day, also noted on my own calendar as well as the agenda. If we have received no objections by Apr 18, I assume the responsibility of approving this proposed change and consider this as a formal approval for committing.

Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die

Content-Disposition: attachment; filename="atomic.patch.txt"

--- sys/libkern.h.old 2012-01-16 07:15:12.000000000 +0400 +++ sys/libkern.h 2012-01-28 08:49:19.000000000 +0400 @@ -70,6 +70,11 @@ static __inline int abs(int a) { return=20 static __inline long labs(long a) { return (a < 0 ? -a : a); } static __inline quad_t qabs(quad_t a) { return (a < 0 ? -a : a); } =20 +#define ARC4_ENTR_NONE 0 /* Don't have entropy yet. */ +#define ARC4_ENTR_HAVE 1 /* Have entropy. */ +#define ARC4_ENTR_SEED 2 /* Reseeding. */ +extern int arc4rand_iniseed_state; + /* Prototypes for non-quad routines. */ struct malloc_type; uint32_t arc4random(void); --- dev/random/randomdev_soft.c.old 2011-03-02 01:42:19.000000000 +0300 +++ dev/random/randomdev_soft.c 2012-01-28 08:48:22.000000000 +0400 @@ -366,6 +366,8 @@ random_yarrow_unblock(void) selwakeuppri(&random_systat.rsel, PUSER); wakeup(&random_systat); } + (void)atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_NONE, + ARC4_ENTR_HAVE); } =20 static int --- libkern/arc4random.c.old 2008-08-08 01:51:09.000000000 +0400 +++ libkern/arc4random.c 2012-01-28 08:51:12.000000000 +0400 @@ -24,6 +24,8 @@ __FBSDID("$FreeBSD: src/sys/libkern/arc4 #define ARC4_RESEED_SECONDS 300 #define ARC4_KEYBYTES (256 / 8) =20 +int arc4rand_iniseed_state =3D ARC4_ENTR_NONE; + static u_int8_t arc4_i, arc4_j; static int arc4_numruns =3D 0; static u_int8_t arc4_sbox[256]; 
@@ -130,7 +132,8 @@ arc4rand(void *ptr, u_int len, int resee struct timeval tv; =20 getmicrouptime(&tv); - if (reseed ||=20 + if (atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE, + ARC4_ENTR_SEED) || reseed || (arc4_numruns > ARC4_RESEED_BYTES) || (tv.tv_sec > arc4_t_reseed)) arc4_randomstir(); 

From owner-freebsd-security@FreeBSD.ORG Fri Apr 5 10:37:10 2013
Date: Fri, 5 Apr 2013 14:36:53 +0400
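
Review bot: in the random_yarrow_unblock() hunk (dev/random/randomdev_soft.c) of atomic.patch.txt, the added atomic_cmpset_int() sits after the closing brace of the wakeup block, so it runs on every call to the function rather than only on the first unblock, and nothing in the hunk says that this is intended. It is safe only because the compare against ARC4_ENTR_NONE fails once the state has moved on; a one-line comment stating that the NONE -> HAVE transition is one-shot and that later calls are deliberate no-ops would keep a later cleanup from replacing it with a plain store of ARC4_ENTR_HAVE, which would re-arm the reseed on every unblock. The visible hunks add no #include to this file, so it is also worth confirming that it already sees the ARC4_ENTR_* definitions and the extern from sys/libkern.h.
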
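
Review bot: in the arc4rand() hunk (libkern/arc4random.c) of atomic.patch.txt, atomic_cmpset_int() is now the first operand of the || chain, so every arc4rand() call performs an atomic read-modify-write on arc4rand_iniseed_state for as long as the system runs, although the exchange can succeed only once. Consider guarding it with a plain read, for example "arc4rand_iniseed_state == ARC4_ENTR_HAVE && atomic_cmpset_int(...)", and add a comment that the test has to stay ahead of "reseed": if it were moved behind it, a caller passing reseed would leave the state at ARC4_ENTR_HAVE and the next call would stir a second time. The state also becomes ARC4_ENTR_SEED before arc4_randomstir() has run and no visible line ever moves it on, so the "Reseeding." comment in sys/libkern.h labels what is in effect a terminal state; wording it as such would make the three-state machine easier to follow.
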
From: Eygene Ryabinkin
To: Remko Lodder
Cc: freebsd-security@FreeBSD.org, "Simon L. B. Nielsen", freebsd-ops-announce@FreeBSD.org
Subject: Re: Portaudit build currently broken
References: <20130403222008.BC20D31DF5F0@drugs.dv.isc.org> <446FF96C-696D-46D7-A6E6-DFAA21369128@FreeBSD.org>
In-Reply-To: <446FF96C-696D-46D7-A6E6-DFAA21369128@FreeBSD.org>
Sender: rea@codelabs.ru

Thu, Apr 04, 2013 at 04:29:06PM +0200, Remko Lodder wrote:
> On Apr 4, 2013, at 12:20 AM, Mark Andrews wrote:
> > In message
> > , "Simon L. B. Nielsen" writes:
> >> Just wanted to let people know that the portaudit build is currently
> >> broken resulting in changes to VuXML not getting propagated to
> >> portaudit (and pkg audit).

Spotted that too today, when I was checking PostgreSQL stuff.

> > What's more critical turning off SVN -> CVS or timely security
> > alerts? Turn SVN -> CVS back on, fix portaudit, then try turning
> > SVN -> CVS back off.
>
> If we need to do something with the services anyway we can as well
> better do it the proper way right away instead of turning on
> unsupported services

I had produced a patch for putting the needed bits for Subversion into packaudit:
http://codelabs.ru/fbsd/ports/portaudit-db/packaudit-use-subversion.diff
Already posted it to secteam@. Wider testing is welcome!

PS: yes, the patch misses PORTVERSION bump :(
--
Eygene Ryabinkin ,,,^..^,,,
[ Life's unfair - but root password helps! | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC 4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]

From owner-freebsd-security@FreeBSD.ORG Sat Apr 6 16:03:56 2013
Date: Sat, 6 Apr 2013 16:03:49 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Eygene Ryabinkin
Cc: freebsd-security@FreeBSD.org, Remko Lodder, "Simon L. B. Nielsen"
Subject: Re: Portaudit build currently broken
References: <20130403222008.BC20D31DF5F0@drugs.dv.isc.org> <446FF96C-696D-46D7-A6E6-DFAA21369128@FreeBSD.org>

On Fri, 5 Apr 2013, Eygene Ryabinkin wrote:

> Thu, Apr 04, 2013 at 04:29:06PM +0200, Remko Lodder wrote:
>> On Apr 4, 2013, at 12:20 AM, Mark Andrews wrote:
>>> In message
>>> , "Simon L. B. Nielsen" writes:
>>>> Just wanted to let people know that the portaudit build is currently
>>>> broken resulting in changes to VuXML not getting propagated to
>>>> portaudit (and pkg audit).
>
> Spotted that too today, when I was checking PostgreSQL stuff.
>
>>> What's more critical turning off SVN -> CVS or timely security
>>> alerts? Turn SVN -> CVS back on, fix portaudit, then try turning
>>> SVN -> CVS back off.
>>
>> If we need to do something with the services anyway we can as well
>> better do it the proper way right away instead of turning on
>> unsupported services
>
> I had produced a patch for putting the needed bits for Subversion
> into packaudit:
> http://codelabs.ru/fbsd/ports/portaudit-db/packaudit-use-subversion.diff
> Already posted it to secteam@. Wider testing is welcome!
>
> PS: yes, the patch misses PORTVERSION bump :(

The port is not yet fixed but with the helpful comments from Simon, things should be updating again now. Please test and only report back if it's not yet working for you.

/bz

--
Bjoern A. Zeeb
Charles Haddon Spurgeon: "Friendship is one of the sweetest joys of life. Many might have failed beneath the bitterness of their trial had they not found a friend."