From owner-freebsd-security@FreeBSD.ORG Sun Nov 3 21:31:16 2013
From: Andriy Gapon <avg@FreeBSD.org>
To: gecko@FreeBSD.org
Cc: freebsd-security@FreeBSD.org
Subject: security/ca_root_nss: ETCSYMLINK and openssl from ports
Date: Sun, 03 Nov 2013 23:30:07 +0200
Message-ID: <5276C05F.5020007@FreeBSD.org>

I would like to suggest either extending the ETCSYMLINK config option or adding a new option to support using security/ca_root_nss with openssl from ports. The latter looks at /usr/local/openssl/cert.pem as its default CAfile.

-- 
Andriy Gapon

From owner-freebsd-security@FreeBSD.ORG Tue Nov 5 01:55:00 2013
From: "Julian H. Stacey" <jhs@berklix.com>
Organization: http://berklix.com BSD Linux Unix Consultancy, Munich Germany
To: freebsd-security@freebsd.org
Subject: NSA papers published on Tor strengths, Firefox ID tracing etc.
Date: Tue, 05 Nov 2013 02:54:39 +0100
Message-Id: <201311050154.rA51sdD3088586@fire.js.berklix.net>

Hi freebsd-security@freebsd.org people,

Papers from the USA NSA were published today. Includes analysis of TOR, Firefox build IDs, OS R/O CDROM for secure booting etc. See bottom of
http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded

An ancient FreeBSD + firefox even plays the Guardian audio & video clips
http://berklix.eu/jhs/blog/2013_10_30#decoded
(a surprise for me, as I don't chase flash patch of the week solutions ;-)

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
Reply below not above, like a play script. Indent old text with "> ".
Send plain text. No quoted-printable, HTML, base64, multipart/alternative.
Extradite NSA spy chief Alexander. http://berklix.eu/jhs/blog/2013_10_30

From owner-freebsd-security@FreeBSD.ORG Tue Nov 5 16:17:40 2013
From: Tom Evans <tevans.uk@googlemail.com>
To: Dimitry Andric
Cc: freebsd-security@freebsd.org, Karl Pielorz
Subject: Re: ntpd 4.2.4p8 - up to date?
Date: Tue, 5 Nov 2013 16:17:37 +0000
References: <7403C046ABF387E5061BC441@Mail-PC.tdx.co.uk>

On Sat, Nov 2, 2013 at 12:18 AM, Dimitry Andric wrote:
> On 01 Nov 2013, at 17:31, Tom Evans wrote:
>> On Fri, Nov 1, 2013 at 4:05 PM, Karl Pielorz wrote:
>>>
>>> Hi,
>>>
>>> A friend who uses linux a lot happened to notice on a FreeBSD box I
>>> installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8.
>>>
>>> They reckon that's had a lot of issues (e.g. CVE reports) against it - and
>>> it should be newer.
>>>
>>> I'm sure the one it has been 'updated' with is secure - and just reports
>>> that version, but if someone can confirm that'd be great,
>>>
>> Don't take anything I say as confirmation, but I would have thought,
>> looking at this page [1], that he is wrong. All the CVEs listed there
>> say they apply to "before 4.2.4p8" or a lower version.
>>
>> Cheers
>>
>> Tom
>>
>> [1] http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html
>
> That page lists a bunch of CVEs, and the relevant ones have already had FreeBSD security advisories:
>
> CVE-2009-3563 http://www.freebsd.org/security/advisories/FreeBSD-SA-10:02.ntpd.asc
> CVE-2009-1252 http://www.freebsd.org/security/advisories/FreeBSD-SA-09:11.ntpd.asc
> CVE-2009-0159 not relevant, NTP before 4.2.4p7-RC2
> CVE-2009-0021 not relevant, NTP before 4.2.4p5
> CVE-2004-0657 not relevant, NTP before 4.0
>
> -Dimitry
>

Which is what I said? FreeBSD is currently at 4.2.4p8, all those CVEs apply to "before 4.2.4p8".

Cheers

Tom

From owner-freebsd-security@FreeBSD.ORG Fri Nov 8 13:14:24 2013
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: freebsd-security@freebsd.org
Subject: openssh gcmrekey
Date: Fri, 8 Nov 2013 17:17:27 +0400
Message-ID: <20131108131727.GA38453@zxy.spb.ru>

http://www.openssh.com/txt/gcmrekey.adv

2. Affected configurations

OpenSSH 6.2 and OpenSSH 6.3 when built against an OpenSSL that supports AES-GCM.

=====

FreeBSD affected?

From owner-freebsd-security@FreeBSD.ORG Sat Nov 9 16:24:54 2013
From: naddy@mips.inka.de (Christian Weisgerber)
To: freebsd-security@freebsd.org
Subject: Re: openssh gcmrekey
Date: Sat, 9 Nov 2013 15:12:38 +0000 (UTC)
References: <20131108131727.GA38453@zxy.spb.ru>

Slawa Olhovchenkov wrote:

> 2. Affected configurations
> OpenSSH 6.2 and OpenSSH 6.3 when built against an OpenSSL
> that supports AES-GCM.
>
> =====
>
> FreeBSD affected?

FreeBSD 9 is not affected, because the OpenSSL there is too old and doesn't support AES-GCM (cf. PR #179619). FreeBSD 10+ is affected.

-- 
Christian "naddy" Weisgerber naddy@mips.inka.de
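Added example, not code from any of the posters, the FreeBSD project or OpenSSH, serving two questions in this digest: whether an ntpd version such as 4.2.4p8 falls below the "before X" thresholds Dimitry quoted, and whether an OpenSSH build matches the gcmrekey advisory's affected configurations (6.2/6.3 built against an OpenSSL with AES-GCM, as Christian applied to FreeBSD 9 versus 10). It assumes the `ssh -V` banner format shown in the docstring, constructed sshd_config text, that OpenSSL gained AES-GCM in 1.0.1, and that the 6.2/6.3 default cipher list includes the two GCM ciphers; the CVE table holds only the thresholds quoted in the thread.

```python
import re
from typing import List, Tuple

# Versions of the "4.2.4p8", "4.2.4p7-RC2", "6.2p2" or "4.0" form, shared by ntpd and
# OpenSSH, parsed into a sortable tuple. An RC sorts before the final release at the
# same patch level; "4.0" means 4.0.0p0.
def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?(?:-RC(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, micro, patch, rc = (int(g) if g else 0 for g in m.groups())
    return (major, minor, micro, patch, rc if rc else 10**6)  # final release > any RC

# "before X" thresholds exactly as quoted in the ntpd thread; the two CVEs that have
# FreeBSD advisories are left out because the thread quotes no threshold for them.
NTP_CVE_BEFORE = {
    "CVE-2009-0159": "4.2.4p7-RC2",
    "CVE-2009-0021": "4.2.4p5",
    "CVE-2004-0657": "4.0",
}

def affected_ntp_cves(version: str) -> List[str]:
    """CVEs whose 'before' threshold the given ntpd version is below. Caveat: a
    version string says nothing about backported fixes; on FreeBSD the security
    advisories, not the reported version, are the authoritative record."""
    v = parse_version(version)
    return sorted(c for c, before in NTP_CVE_BEFORE.items() if v < parse_version(before))

GCM_CIPHERS = ("aes128-gcm@openssh.com", "aes256-gcm@openssh.com")

def gcm_enabled(sshd_config: str) -> bool:
    """True if sshd would offer an AES-GCM cipher: either no Ciphers directive (the
    6.2/6.3 default list includes both GCM ciphers) or one that names a GCM cipher."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0].lower() == "ciphers":  # sshd honours the first occurrence
            value = parts[1] if len(parts) > 1 else ""
            return any(c in GCM_CIPHERS for c in value.split(","))
    return True

def gcmrekey_exposed(ssh_version_banner: str, sshd_config: str) -> bool:
    """Apply the advisory's 'affected configurations' to an `ssh -V` banner such as
    'OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013' plus the text of sshd_config."""
    ssh = re.search(r"OpenSSH_(\d+\.\d+(?:p\d+)?)", ssh_version_banner)
    ssl = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)", ssh_version_banner)
    if not ssh or not ssl:
        raise ValueError(f"unrecognised banner: {ssh_version_banner!r}")
    affected_release = parse_version("6.2") <= parse_version(ssh.group(1)) < parse_version("6.4")
    openssl_has_gcm = tuple(int(x) for x in ssl.groups()) >= (1, 0, 1)  # AES-GCM arrived in 1.0.1
    return affected_release and openssl_has_gcm and gcm_enabled(sshd_config)
```

A Ciphers line that omits both GCM ciphers makes `gcmrekey_exposed` return False, which is the configuration workaround the advisory describes for hosts that cannot update.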