From owner-freebsd-security@freebsd.org Tue Jan 10 07:49:34 2017
From: Xin Li
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd security
Cc: d@delphij.net
Subject: Re: VuXML entry for openssh - 10.3 sshd in base vulnerable
Date: Mon, 9 Jan 2017 23:49:21 -0800
In-Reply-To: <586FB98F.2050500@quip.cz>
References: <586BA308.8060402@quip.cz> <586FB98F.2050500@quip.cz>

On 1/6/17 07:36, Miroslav Lachman wrote:
> Miroslav Lachman wrote on 2017/01/03 14:11:
>> Security entries for base have been in VuXML for some time, so we are
>> checking it periodically. Now we have an alert for base sshd in 10.3-p14
>> and -15 too.
>>
>> # pkg audit FreeBSD-10.3_15
>> FreeBSD-10.3_15 is vulnerable:
>> openssh -- multiple vulnerabilities
>> CVE: CVE-2016-10010
>> CVE: CVE-2016-10009
>> WWW: https://vuxml.FreeBSD.org/freebsd/2aedd15f-ca8b-11e6-a9a5-b499baebfeaf.html
>>
>> 1 problem(s) in the installed packages found.
>>
>> But there is no advisory on
>> https://www.freebsd.org/security/advisories.html for this problem.
>>
>> Is it a false alarm? Or did I miss something?
>
> 3 days without reply...
>
> Please, can somebody from the FreeBSD team clarify if sshd in base is
> vulnerable or not?

The default configuration is not affected by CVE-2016-10010 because
privilege separation is enabled by default.

Exploiting CVE-2016-10009 requires non-trivial control over both an SSH
server and the ability to write files on the system running ssh-agent(1).

We plan to issue an advisory soon, but most users do not need to be
worried about the vulnerabilities, as the sshd(8) vulnerability requires
deliberately weakening the configuration, and it's hard to exploit the
ssh-agent(1) vulnerability (if an attacker is able to exploit it, they
already have substantial control and there would be much easier attacks
than doing it over ssh-agent).

Hope this helps.

Cheers,

From owner-freebsd-security@freebsd.org Tue Jan 10 10:04:21 2017
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Xin Li, freebsd security
Cc: d@delphij.net
Subject: Re: VuXML entry for openssh - 10.3 sshd in base vulnerable
Message-ID: <5874B1A0.6060403@quip.cz>
Date: Tue, 10 Jan 2017 11:04:16 +0100

Xin Li wrote on 2017/01/10 08:49:
> The default configuration is not affected by CVE-2016-10010 because
> privilege separation is enabled by default.
>
> Exploiting CVE-2016-10009 requires non-trivial control over both an SSH
> server and the ability to write files on the system running ssh-agent(1).
>
> We plan to issue an advisory soon, but most users do not need to be
> worried about the vulnerabilities, as the sshd(8) vulnerability requires
> deliberately weakening the configuration, and it's hard to exploit the
> ssh-agent(1) vulnerability (if an attacker is able to exploit it, they
> already have substantial control and there would be much easier attacks
> than doing it over ssh-agent).
>
> Hope this helps.

Thank you for this clarification.

Miroslav Lachman

From owner-freebsd-security@freebsd.org Wed Jan 11 06:27:38 2017
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-17:01.openssh
Reply-To: freebsd-security@freebsd.org
Message-Id: <20170111062737.974DE579@freefall.freebsd.org>
Date: Wed, 11 Jan 2017 06:27:37 +0000 (UTC)

=============================================================================
FreeBSD-SA-17:01.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH multiple vulnerabilities

Category:       contrib
Module:         OpenSSH
Announced:      2017-01-11
Affects:        All supported versions of FreeBSD.
Corrected:      2017-01-11 05:56:40 UTC (stable/11, 11.0-STABLE)
                2017-01-11 06:01:23 UTC (releng/11.0, 11.0-RELEASE-p7)
                2017-01-11 05:56:40 UTC (stable/10, 10.3-STABLE)
                2017-01-11 06:01:23 UTC (releng/10.3, 10.3-RELEASE-p16)
CVE Name:       CVE-2016-10009, CVE-2016-10010

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access. OpenSSH supports accessing keys provided
by a PKCS#11 token.

II.  Problem Description

The ssh-agent(1) agent supports loading a PKCS#11 module from outside a
trusted whitelist. An attacker can request loading of a PKCS#11 module
across a forwarded agent socket. [CVE-2016-10009]

When privilege separation is disabled, forwarded Unix domain sockets
would be created by sshd(8) with the privileges of 'root' instead of the
authenticated user. [CVE-2016-10010]

III. Impact

A remote attacker who has control of a forwarded agent socket on a remote
system and has the ability to write files on the system running the
ssh-agent(1) agent can run arbitrary code under the same user credential.
Because the attacker must already have some control on both systems, it
is relatively hard to exploit this vulnerability in a practical attack.
[CVE-2016-10009]

When privilege separation is disabled (on FreeBSD, privilege separation
is enabled by default and has to be explicitly disabled), an
authenticated attacker can potentially gain root privileges on systems
running OpenSSH server. [CVE-2016-10010]

IV.  Workaround

Systems not running ssh-agent(1) and sshd(8) services are not affected.

System administrators may remove ssh-agent(1) to mitigate CVE-2016-10009.

System administrators should enable privilege separation when running
OpenSSH server, which is the FreeBSD default, to mitigate CVE-2016-10010.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Kill all running ssh-agent(1) processes and restart the sshd(8) service.
A reboot is recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Kill all running ssh-agent(1) processes and restart the sshd(8) service.
A reboot is recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Kill all running ssh-agent(1) processes and restart the sshd(8) service.
A reboot is recommended but not required.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r311915
releng/10.3/                                                      r311916
stable/11/                                                        r311915
releng/11.0/                                                      r311916
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
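An exposure check built from the advisory's own criteria, added here as an example; it is not part of the advisory or of FreeBSD's tooling. It takes the userland patch level, the `sshd -T` output and the number of running ssh-agent(1) processes as strings so it can be run against captured output; the fixed patch levels are the ones from the Corrected field above, the sample inputs are constructed, and `freebsd-version -u` and `sshd -T` are assumed to be run as root on the host being checked.

```shell
#!/bin/sh
# Exposure check for FreeBSD-SA-17:01.openssh (CVE-2016-10009, CVE-2016-10010).
# Added example, not part of the advisory or of FreeBSD's tooling. It reduces
# the advisory to three facts: the userland patch level (freebsd-version -u),
# whether sshd(8) runs with privilege separation (sshd -T) and whether any
# ssh-agent(1) is running. Inputs are plain strings so the same logic can be
# applied to output captured from another host.

# Patch level at which each supported release is corrected (section "Corrected").
fixed_patch_level() {
    case "$1" in
        10.3-RELEASE) echo 16 ;;
        11.0-RELEASE) echo 7 ;;
        *) echo "" ;;              # -STABLE branches: compare by date instead
    esac
}

# userland_patched "<freebsd-version -u output>" -> yes | no | unknown
userland_patched() {
    rel=${1%-p*}                   # 10.3-RELEASE-p15 -> 10.3-RELEASE
    case "$1" in
        *-p*) level=${1##*-p} ;;   # 10.3-RELEASE-p15 -> 15
        *)    level=0 ;;           # a bare RELEASE has no patches applied
    esac
    need=$(fixed_patch_level "$rel")
    if [ -z "$need" ]; then
        echo unknown
    elif [ "$level" -ge "$need" ]; then
        echo yes
    else
        echo no
    fi
}

# privsep_enabled "<sshd -T output>" -> yes | no | unknown
# sshd -T prints the effective value; both "yes" and "sandbox" mean the
# pre-authentication code runs unprivileged, which keeps CVE-2016-10010 out
# of reach.
privsep_enabled() {
    case "$1" in
        *"useprivilegeseparation yes"*|*"useprivilegeseparation sandbox"*) echo yes ;;
        *"useprivilegeseparation no"*) echo no ;;
        *) echo unknown ;;
    esac
}

# cve_2016_10010_status <patched> <privsep> -> fixed | mitigated | exposed | unknown
cve_2016_10010_status() {
    if [ "$1" = yes ]; then echo fixed
    elif [ "$2" = yes ]; then echo mitigated    # the FreeBSD default
    elif [ "$2" = no ]; then echo exposed       # forwarded sockets created as root
    else echo unknown
    fi
}

# cve_2016_10009_status <patched> <running ssh-agent count> -> fixed | not-running | exposed
cve_2016_10009_status() {
    if [ "$1" = yes ]; then echo fixed
    elif [ "${2:-0}" -eq 0 ]; then echo not-running   # no agent to load a module into
    else echo exposed
    fi
}

# report <freebsd-version -u> <sshd -T output> <agent count>: one line per finding
report() {
    patched=$(userland_patched "$1")
    privsep=$(privsep_enabled "$2")
    printf 'userland %s, fix applied: %s\n' "$1" "$patched"
    printf 'sshd privilege separation: %s\n' "$privsep"
    printf 'CVE-2016-10010 (sshd): %s\n' "$(cve_2016_10010_status "$patched" "$privsep")"
    printf 'CVE-2016-10009 (ssh-agent, %s running): %s\n' "$3" \
        "$(cve_2016_10009_status "$patched" "$3")"
}

# Constructed sample inputs (not captured from a real host): a 10.3 system one
# patch level short of the fix that has disabled privilege separation.
SAMPLE_VERSION='10.3-RELEASE-p15'
SAMPLE_SSHD_T='port 22
useprivilegeseparation no
usepam yes'
SAMPLE_AGENTS=2

report "$SAMPLE_VERSION" "$SAMPLE_SSHD_T" "$SAMPLE_AGENTS"

# On a FreeBSD host, run as root against live data instead:
#   report "$(freebsd-version -u)" "$(sshd -T)" "$(pgrep -x ssh-agent | wc -l | tr -d ' ')"
```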
From owner-freebsd-security@freebsd.org Thu Jan 12 10:08:49 2017
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd security
Subject: VuXML entry for openssh listed twice
Message-ID: <587755A6.70508@quip.cz>
Date: Thu, 12 Jan 2017 11:08:38 +0100

There are two entries for the same problem. Is it intentional? I think it
would be better to update the original entry and add the FreeBSD SA
reference. The newer one has the wrong CVE names. The original was added
2016-12-25.

Database fetched: Wed Jan 11 23:57:12 CET 2017
0 problem(s) in the installed packages found.
FreeBSD-10.3_15 is vulnerable:
FreeBSD -- OpenSSH multiple vulnerabilities
CVE: CVE-2016-1001
CVE: CVE-2016-1000
WWW: https://vuxml.FreeBSD.org/freebsd/2c948527-d823-11e6-9171-14dae9d210b8.html

FreeBSD-10.3_15 is vulnerable:
openssh -- multiple vulnerabilities
CVE: CVE-2016-10010
CVE: CVE-2016-10009
WWW: https://vuxml.FreeBSD.org/freebsd/2aedd15f-ca8b-11e6-a9a5-b499baebfeaf.html

Miroslav Lachman

From owner-freebsd-security@freebsd.org Thu Jan 12 18:02:33 2017
From: Eric van Gyzen
To: freebsd-security@FreeBSD.org
Subject: Plan for OpenSSL in stable/10?
Message-ID: <0a30a1c7-e9d9-7d86-ee17-267e9fb47595@FreeBSD.org>
Date: Thu, 12 Jan 2017 12:02:24 -0600

Has anyone had time to discuss and form a plan for OpenSSL in stable/10,
now that 1.0.1 is end-of-life? I don't recall seeing any public
discussion or announcement; forgive me if I missed it.

Thanks,

Eric

From owner-freebsd-security@freebsd.org Thu Jan 12 21:57:33 2017
From: Dimitry Andric
To: Eric van Gyzen
Cc: freebsd-security@FreeBSD.org
Subject: Re: Plan for OpenSSL in stable/10?
Message-Id: <71C413FC-2417-453E-A075-49860F105A08@FreeBSD.org>
In-Reply-To: <0a30a1c7-e9d9-7d86-ee17-267e9fb47595@FreeBSD.org>
Date: Thu, 12 Jan 2017 22:57:20 +0100

On 12 Jan 2017, at 19:02, Eric van Gyzen wrote:
>
> Has anyone had time to discuss and form a plan for OpenSSL in stable/10,
> now that 1.0.1 is end-of-life? I don't recall seeing any public
> discussion or announcement; forgive me if I missed it.

Would updating to 1.0.2 change the API and/or ABI?

-Dimitry

From owner-freebsd-security@freebsd.org Fri Jan 13 04:21:02 2017
From: Benjamin Kaduk
To: Dimitry Andric
Cc: Eric van Gyzen, freebsd-security@FreeBSD.org
Subject: Re: Plan for OpenSSL in stable/10?
Message-ID: <20170113041545.GS8460@kduck.kaduk.org>
In-Reply-To: <71C413FC-2417-453E-A075-49860F105A08@FreeBSD.org>
Date: Thu, 12 Jan 2017 22:15:45 -0600

On Thu, Jan 12, 2017 at 10:57:20PM +0100, Dimitry Andric wrote:
> On 12 Jan 2017, at 19:02, Eric van Gyzen wrote:
> >
> > Has anyone had time to discuss and form a plan for OpenSSL in stable/10,
> > now that 1.0.1 is end-of-life? I don't recall seeing any public
> > discussion or announcement; forgive me if I missed it.
>
> Would updating to 1.0.2 change the API and/or ABI?

IIRC upstream claims that it is ABI and API compatible, but they were
less good about enforcing that rigorously back then than they are now,
so maybe some things slipped through the cracks.

-Ben

From owner-freebsd-security@freebsd.org Sat Jan 14 17:14:49 2017
From: Julian Elischer
To: freebsd-security@freebsd.org, re
Subject: Re: [FreeBSD-Announce] FreeBSD 9.3, 10.1 and 10.2 EoL
In-Reply-To: <20170101003519.3DA8C5681@freefall.freebsd.org>
Date: Sun, 15 Jan 2017 01:14:38 +0800

On 1/01/2017 8:35 AM, Xin LI wrote:
> Dear FreeBSD community,
>
> As of January 1, 2017, FreeBSD 9.3, 10.1 and 10.2 have reached end-of-life
> and will no longer be supported by the FreeBSD Security Officers Team.
> Users of FreeBSD 9.3, 10.1 and 10.2 are strongly encouraged to upgrade to
> a newer release as soon as possible.
>
> The currently supported branches and releases and their expected
> end-of-life dates are:
>
> +--------------------------------------------------------------------------+
> | Branch    | Release    | Type   | Release Date   | Estimated EoL         |
> +-----------+------------+--------+----------------+-----------------------+
> |stable/10  |n/a         |n/a     |n/a             |last release + 2 years |

which brings up the question of a 10.4 (personally I hope there will be ..
but not a 10.5)

releng-10 is still very active and 10 is being used in a lot of products.
For us the factor is the fact that we are not ready to jump to clang/LLVM
yet, so 11 is "still a way off". We already see errors when doing
buildworld with gcc under 10.3 due to assumptions of clang usage, both in
base and ports. 11 would be many times worse and none of our code has
ever been compiled under clang yet.. (We expect to try for that after we
finish getting onto 10.3++.)

> +-----------+------------+--------+----------------+-----------------------+
> |releng/10.3|10.3-RELEASE|Extended|April 4, 2016   |April 30, 2018         |
> +--------------------------------------------------------------------------+
> |stable/11  |n/a         |n/a     |n/a             |last release + 2 years |
> +-----------+------------+--------+----------------+-----------------------+
> |releng/11.0|11.0-RELEASE|Standard|October 10, 2016|11.1-RELEASE + 3 months|
> +--------------------------------------------------+-----------------------+
>
> Please refer to https://security.freebsd.org/ for an up-to-date list of
> supported releases and the latest security advisories.