From owner-freebsd-security@FreeBSD.ORG Tue Oct 10 10:40:24 2006
Date: Tue, 10 Oct 2006 13:40:11 +0300 (EEST)
From: Dmitry Pryanishnikov
To: Jose Alonso Cardenas Marquez
Cc: freebsd-security@freebsd.org
In-Reply-To: <200610070149.k971nX1A027408@repoman.freebsd.org>
Message-ID: <20061010133106.Y13139@atlantis.atlantis.dp.ua>
References: <200610070149.k971nX1A027408@repoman.freebsd.org>
Subject: Re: cvs commit: ports/multimedia/win32-codecs Makefile distinfo pkg-plist
X-BeenThere: freebsd-security@freebsd.org
List-Id: "Security issues [members-only posting]"

Hello!

On Sat, 7 Oct 2006, Jose Alonso Cardenas Marquez wrote:
> Modified files:
>   multimedia/win32-codecs Makefile distinfo pkg-plist
> Log:
> - Add the REALPLAYER and QUICKTIME(off) OPTIONS. If QUICKTIME OPTION is off,
>   this port could install without problem of vulnerabilities.
> - Bump PORTREVISION
> - Other few modifications

Thanks, that's great, however portaudit's vulnerabilities database still
lists the port as vulnerable:

http://www.FreeBSD.org/ports/portaudit/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html

Affects:
  * win32-codecs >0

I wonder whether it's possible to list the port there conditionally (e.g.
only if QUICKTIME option is 'off').

Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE

From owner-freebsd-security@FreeBSD.ORG Tue Oct 10 14:31:33 2006
Date: Tue, 10 Oct 2006 16:31:20 +0200
From: Borja Marcos
To: freebsd-security@freebsd.org
Message-Id: <588E5B66-F621-4639-9F56-A65A2DFC471A@SARENET.ES>
Subject: Proposal: MAC_BIBA and real-world usage

Hello,

Are there many people actually using the MAC subsystem in the real world?
I have been working to set up a shared hosting webserver and I've stumbled
against some limitations with the BIBA policy. In short, it's an excellent
model, and can be used successfully if applications are aware of its
existence, but I find it incompatible with the real-world needs in Unix,
and, worse, when none of the applications we are using are prepared to
take advantage of it. So it should be as transparent as possible.

I started the project with some goals:

1) Users are kept isolated. This isn't so obvious, as by design Apache
should run as an unprivileged user. The mac_bsdextended policy can
implement an additional layer of security. In my case, hosting users are
given uids belonging to an interval, and there is a ugidfw rule that
states that subjects with a uid within that range can only access objects
belonging to the same user in case their uid is within the interval as
well. I didn't use MAC compartments because there is a limit on the
number of compartments.

Users are allowed to run CGIs and PHP scripts, and PHP is run as CGI, so
that each process will have the uid of its owner. Launching PHP as a CGI
hurts performance, but this is a server for relatively low-volume sites,
and security is much more important.

2) OS Integrity. Apache is launched with biba/low(low-low) credentials.

3) Defacements should be prevented. At least processes spawned from Apache
should not be able to modify any files in the system, except at designated
directories in case PHP scripts or CGI programs need to write something to
the disk. This is naturally done with MAC_BIBA. We launch Apache with
biba/low(low-low) credentials.

4) FTP access for site maintenance. We assign each user an account, which
will be used to update their files. The ftp accounts have a low integrity
credential assigned, but anyway higher than biba/low so that files
uploaded by users are safe from being modified by Apache.
However, this has a problem: Files created/modified from PHP and/or CGIs
will be labelled biba/low. And the ftp process, with, say, biba/100, will
be unable to read them. We could create two user accounts per user but
it's just too confusing and error prone.

What about adding a discretionary mechanism to MAC_BIBA? It would be
useful to have the possibility of implementing half of the BIBA
protection, preventing high integrity objects from being modified by low
integrity subjects, but allowing high integrity subjects to read
low-integrity objects. Of course it weakens the BIBA model, but used
wisely it could really help.

Instead of a global sysctl flag, which would disable one of the great BIBA
features, it could be done selectively for some processes (in my case, ftp
accounts) specifying a negative value. So, a subject with biba/-N would be:

- unable to modify objects with a higher than N integrity level
- able to read objects with a lower than N integrity level, instead of
  being limited to objects with an integrity level equal to N.

What do you think? Any ideas?

Borja.
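A small model of the checks the proposal above is about, added here as an illustration (it is not FreeBSD's mac_biba code and not part of the post): it parses the labels used in the thread and replays the Apache/ftp scenario under the stock Biba rules and under the proposed biba/-N subject. It assumes compartments and the parenthesised label range can be ignored, and that a biba/-N subject is simply exempt from the no-read-down check while the no-write-up check at level N stays in force.

```python
"""Toy model of the mac_biba(4) checks the post relies on, plus the proposed
"biba/-N" subject label (added illustration, not FreeBSD code).

Assumptions, since the post leaves them open: a label is 'biba/low',
'biba/high' or 'biba/<grade>' with an optional '(range)' suffix that is
ignored; compartments are ignored (the post does not use them); a subject
labelled 'biba/-N' keeps the no-write-up rule at level N but is exempt from
the no-read-down rule.
"""
from dataclasses import dataclass
import re

GRADE_MAX = 65535                        # mac_biba grades are 0..65535
LOW_RANK, HIGH_RANK = -1, GRADE_MAX + 1  # 'low' < every grade < 'high'

_LABEL_RE = re.compile(r"^biba/(?:(low|high)|(-?)(\d+))(?:\([^)]*\))?$")


@dataclass(frozen=True)
class BibaLabel:
    rank: int                 # integrity level, comparable across labels
    read_down: bool = False   # proposed extension; only meaningful on subjects


def parse_label(text: str) -> BibaLabel:
    """Parse 'biba/low(low-low)', 'biba/100', 'biba/high' or the proposed
    'biba/-100'. Anything else (e.g. 'biba/-low', grade > 65535) is rejected."""
    m = _LABEL_RE.match(text.strip())
    if m is None:
        raise ValueError(f"malformed biba label: {text!r}")
    word, minus, digits = m.groups()
    if word == "low":
        return BibaLabel(LOW_RANK)
    if word == "high":
        return BibaLabel(HIGH_RANK)
    grade = int(digits)
    if grade > GRADE_MAX:
        raise ValueError(f"grade out of range: {text!r}")
    return BibaLabel(grade, read_down=bool(minus))


def may_read(subject: BibaLabel, obj: BibaLabel) -> bool:
    """Simple integrity rule, "no read down": the object must dominate the
    subject. A 'biba/-N' subject is exempt, which is the whole proposal."""
    return subject.read_down or obj.rank >= subject.rank


def may_write(subject: BibaLabel, obj: BibaLabel) -> bool:
    """Integrity *-property, "no write up": the subject must dominate the
    object. The proposal leaves this rule untouched."""
    return subject.rank >= obj.rank


def label_for_new_object(creator: BibaLabel) -> BibaLabel:
    """A file created by a process gets the process's integrity level, which
    is why PHP/CGI output under a biba/low Apache comes out as biba/low."""
    return BibaLabel(creator.rank)


def hosting_scenario() -> dict:
    """Replay the shared-hosting setup from the post; returns each check's result."""
    apache = parse_label("biba/low(low-low)")   # as launched in the post
    ftp = parse_label("biba/100")               # today's ftp credential
    ftp_relaxed = parse_label("biba/-100")      # the proposed one
    site_file = parse_label("biba/100")         # uploaded by the customer via ftp
    system_file = parse_label("biba/high")      # constructed: some OS file
    php_output = label_for_new_object(apache)   # written by a PHP script / CGI
    return {
        # goals 2 and 3: a compromised Apache cannot touch site or system files
        "apache_writes_site_file": may_write(apache, site_file),
        "apache_writes_system_file": may_write(apache, system_file),
        # but it can still read (serve) them: reading up is always allowed
        "apache_reads_site_file": may_read(apache, site_file),
        "php_output_is_low": php_output.rank == LOW_RANK,
        # the problem in the post: ftp at biba/100 cannot read biba/low output
        "ftp_reads_php_output": may_read(ftp, php_output),
        # with biba/-100: reading down works, writing down still works...
        "ftp_relaxed_reads_php_output": may_read(ftp_relaxed, php_output),
        "ftp_relaxed_writes_php_output": may_write(ftp_relaxed, php_output),
        # ...and writing up to high-integrity objects is still refused
        "ftp_relaxed_writes_system_file": may_write(ftp_relaxed, system_file),
    }


if __name__ == "__main__":
    for check, allowed in hosting_scenario().items():
        print(f"{check:32s} {'allowed' if allowed else 'denied'}")
```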
From owner-freebsd-security@FreeBSD.ORG Tue Oct 10 23:00:54 2006
Date: Tue, 10 Oct 2006 15:58:42 -0700
From: Colin Percival
To: Bill Moran
Cc: freebsd security, questions@freebsd.org
In-reply-to: <20061010185141.ce3e7134.wmoran@collaborativefusion.com>
Message-id: <452C25A2.6080809@freebsd.org>
References: <20061010185141.ce3e7134.wmoran@collaborativefusion.com>
Subject: Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability

Bill Moran wrote:
> This report seems pretty vague. I'm unsure as to whether the alleged
> "bug" gives the user any more permissions than he'd already have? Anyone
> know any details?

This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
and RELENG_6. There is no opportunity for either remote denial of service
or any privilege escalation.

> VI. VENDOR RESPONSE
>
> "The policy of the FreeBSD Security Team is that local denial of service
> bugs not be treated as security issues; it is possible that this problem
> will be corrected in a future Erratum."

If there was any potential for
(a) privilege escalation,
(b) disclosure of potentially sensitive information, or
(c) denial of service by a non-authenticated attacker,
we would have issued a security advisory.
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 04:48:49 2006
Date: Tue, 10 Oct 2006 21:47:33 -0700
From: Colin Percival
To: Bill Moran
Cc: freebsd security, questions@freebsd.org
In-reply-to: <20061010201630.aabaf1a4.wmoran@collaborativefusion.com>
Message-id: <452C7765.5080403@freebsd.org>
References: <20061010185141.ce3e7134.wmoran@collaborativefusion.com>
 <452C25A2.6080809@freebsd.org>
 <20061010201630.aabaf1a4.wmoran@collaborativefusion.com>
Subject: Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability

Bill Moran wrote:
> Colin Percival wrote:
>> This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> That was what I expected. Section III seems to hint that it could be
> used by an unprivilidged user to crash or lock a system.

Yes. An unprivileged user who is able to execute code on an affected system
can cause a kernel panic. There are a variety of reasons for not treating
bugs like this as security issues; the strongest reason imho is that if one
of your users is making a system crash, you can disable his account and call
the police.

> BTW, are you going to be at NYCBSDCon?

No -- I only go to conferences if I have a paper to present.
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 10:20:11 2006
Date: Wed, 11 Oct 2006 12:21:06 +0200
From: Jeremie Le Hen
To: security-officer@freebsd.org
Cc: freebsd security, FreeBSD Stable
Message-ID: <20061011102106.GY1594@obiwan.tataz.chchile.org>
In-Reply-To: <451F6E8E.8020301@freebsd.org>
References: <451F6E8E.8020301@freebsd.org>
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon

Hi,

On Sun, Oct 01, 2006 at 12:30:22AM -0700, FreeBSD Security Officer wrote:
> Users of FreeBSD 4.11 systems are also reminded that FreeBSD 4.11
> will reach its End of Life at the end of January 2007 and that they
> should be making plans to upgrade or replace such systems.

Though I admit RELENG_4 is getting dusty, it is not rusty. I believe it
is still used in many places because of its stability and performance.

For instance, according to Julian Elischer's posts, it seems he is still
working on it.

Is it envisageable to extend the RELENG_4's and RELENG_4_11's EoL once
more ?

Thank you.
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 00:16:33 2006
Date: Tue, 10 Oct 2006 20:16:30 -0400
From: Bill Moran
To: Colin Percival
Cc: freebsd security, questions@freebsd.org
Message-Id: <20061010201630.aabaf1a4.wmoran@collaborativefusion.com>
In-Reply-To: <452C25A2.6080809@freebsd.org>
References: <20061010185141.ce3e7134.wmoran@collaborativefusion.com>
 <452C25A2.6080809@freebsd.org>
Organization: Collaborative Fusion
X-Mailman-Approved-At: Wed, 11 Oct 2006 12:24:38 +0000
Subject: Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability
Colin Percival wrote:
> Bill Moran wrote:
> > This report seems pretty vague. I'm unsure as to whether the alleged
> > "bug" gives the user any more permissions than he'd already have? Anyone
> > know any details?
>
> This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
> and RELENG_6. There is no opportunity for either remote denial of service
> or any privilege escalation.
>
> > VI. VENDOR RESPONSE
> >
> > "The policy of the FreeBSD Security Team is that local denial of service
> > bugs not be treated as security issues; it is possible that this problem
> > will be corrected in a future Erratum."
>
> If there was any potential for
> (a) privilege escalation,
> (b) disclosure of potentially sensitive information, or
> (c) denial of service by a non-authenticated attacker,
> we would have issued a security advisory.

That was what I expected. Section III seems to hint that it could be
used by an unprivilidged user to crash or lock a system. I suspect they
used it as root to crash/lock the OS. But I don't need any bugs to do
that as root, so it doesn't really count as a security issue.

BTW, are you going to be at NYCBSDCon? If so, seek me out -- I owe you a
beer at the least.

As always, thanks for the quick response.

--
Bill Moran

That seem right to you?
        Jubal Early

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 11:41:11 2006
Date: Wed, 11 Oct 2006 06:41:10 -0500
From: linimon@lonesome.com (Mark Linimon)
To: Jeremie Le Hen
Cc: freebsd security, security-officer@freebsd.org, FreeBSD Stable
Message-ID: <20061011114110.GA23653@soaustin.net>
In-Reply-To: <20061011102106.GY1594@obiwan.tataz.chchile.org>
References: <451F6E8E.8020301@freebsd.org>
 <20061011102106.GY1594@obiwan.tataz.chchile.org>
X-Mailman-Approved-At: Wed, 11 Oct 2006 12:24:59 +0000
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon

On Wed, Oct 11, 2006 at 12:21:06PM +0200, Jeremie Le Hen wrote:
> Is it envisageable to extend the RELENG_4's and RELENG_4_11's EoL once
> more ?

From a ports standpoint: absolutely not. We are currently trying to
support 4 major CVS branches.
Although we still have some dedicated committers who are trying to keep
the Ports Collection running on 4.X, they are falling further and further
behind, especially as the rate of new ports being added continues to
accelerate.

mcl

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 12:29:54 2006
Date: Wed, 11 Oct 2006 15:25:55 +0300 (EEST)
From: Dmitry Pryanishnikov
To: Jeremie Le Hen
Cc: freebsd security, security-officer@freebsd.org, FreeBSD Stable
In-Reply-To: <20061011102106.GY1594@obiwan.tataz.chchile.org>
Message-ID: <20061011151458.L97038@atlantis.atlantis.dp.ua>
References: <451F6E8E.8020301@freebsd.org>
 <20061011102106.GY1594@obiwan.tataz.chchile.org>
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon

Hello!
On Wed, 11 Oct 2006, Jeremie Le Hen wrote:
> Though I admit RELENG_4 is getting dusty, it is not rusty. I believe it
> is still used in many places because of its stability and performance.
>
> For instance, according to Julian Elischer's posts, it seems he is still
> working on it.
>
> Is it envisageable to extend the RELENG_4's and RELENG_4_11's EoL once
> more ?

Yes, I'm also voting for it. This support may be limited to
remote-exploitable vulnerabilities only, but I'm sure there are many old
slow routers for which the RELENG_4 -> 6 transition still hurts the
performance. RELENG_4 is the last stable pre-SMPng branch, and (see my
spring letters, Subject: RELENG_4 -> 5 -> 6: significant performance
regression) the _very_ significant UP performance loss (which occurred in
the RELENG_4 -> 5 transition) still isn't reclaimed. So I think it would
be wise to extend { RELENG_4 / RELENG_4_11 / both } [may be limited]
support.

Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 12:39:53 2006
Date: Wed, 11 Oct 2006 08:39:29 -0400
From: Bill Moran
To: Colin Percival
Cc: freebsd security, questions@freebsd.org
Message-Id: <20061011083929.fbb9d226.wmoran@collaborativefusion.com>
In-Reply-To: <452C7765.5080403@freebsd.org>
References: <20061010185141.ce3e7134.wmoran@collaborativefusion.com>
 <452C25A2.6080809@freebsd.org>
 <20061010201630.aabaf1a4.wmoran@collaborativefusion.com>
 <452C7765.5080403@freebsd.org>
Organization: Collaborative Fusion
Subject: Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability

In response to Colin Percival:
> Bill Moran wrote:
> > Colin Percival wrote:
> >> This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
>              ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > That was what I expected. Section III seems to hint that it could be
> > used by an unprivileged user to crash or lock a system.
>
> Yes. An unprivileged user who is able to execute code on an affected system
> can cause a kernel panic. There are a variety of reasons for not treating
> bugs like this as security issues; the strongest reason imho is that if one
> of your users is making a system crash, you can disable his account and call
> the police.

Thanks for the clarification.

From my standpoint, this qualifies as a "privilege escalation" and
warrants action. I see that it's already fixed in RELENG_6_1. Am I
correct that there is no intention to MFC this back to RELENG_6_0?
And, yes, I can't spell "unprivileged" to save my life, and the spell
checker was turned off on my other computer ...

--
Bill Moran
Collaborative Fusion Inc.

****************************************************************
IMPORTANT: This message contains confidential information and is intended
only for the individual named. If the reader of this message is not an
intended recipient (or the individual responsible for the delivery of this
message to an intended recipient), please be advised that any re-use,
dissemination, distribution or copying of this message is prohibited.
Please notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system. E-mail
transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive late
or incomplete, or contain viruses. The sender therefore does not accept
liability for any errors or omissions in the contents of this message,
which arise as a result of e-mail transmission.
****************************************************************

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 12:44:49 2006
Date: Wed, 11 Oct 2006 14:43:14 +0200
From: em.conti@tin.it
To: freebsd-security@freebsd.org
Message-ID: <20061011144314.3e680c9f@localhost>
Subject: I cannot upgrade openssl-stablr

Hi all,

this is the first time I post to this list. If I am wrong, sorry.

I have been trying for three weeks to update openssl-stable, but I cannot
because of this message:

===> Cleaning for openssl-stable-0.9.7k
#
# this ports conflicts with your base system
# please undefine OPENSSL_OVERWRITE_PORT
# and use WITH_OPENSSL_BASE=yes instead.
#
*** Error code 1

I do not know how to act.
Bye
Emilio

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 14:08:04 2006
Date: Wed, 11 Oct 2006 10:07:51 -0400
From: "Martin Leach"
Organization: Not Much
Message-ID: <001c01c6ed3e$a47c4280$2801a8c0@doomie>
In-reply-to: <20061011144314.3e680c9f@localhost>
Subject: RE: I cannot upgrade openssl-stablr

owner-freebsd-security@freebsd.org wrote on Wednesday, October 11, 2006 8:43 AM:
> ===> Cleaning for openssl-stable-0.9.7k
> #
> # this ports conflicts with your base system
> # please undefine OPENSSL_OVERWRITE_PORT
> # and use WITH_OPENSSL_BASE=yes instead.
> #
> *** Error code 1

Also first post..

Try adding OPENSSL_OVERWRITE_BASE=yes into your /etc/make.conf file, and
try again. You can also define that variable at build time, but having it
in make.conf keeps it there for future reference.
Regards,
Martin

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 13:32:25 2006
Date: Wed, 11 Oct 2006 10:31:49 -0300
From: Hugo Koji Kobayashi
To: Jeremie Le Hen
Cc: freebsd security, security-officer@freebsd.org, FreeBSD Stable
Message-ID: <20061011133149.GC77710@registro.br>
In-Reply-To: <20061011102106.GY1594@obiwan.tataz.chchile.org>
References: <451F6E8E.8020301@freebsd.org>
 <20061011102106.GY1594@obiwan.tataz.chchile.org>
X-Organization: Registro.br
X-URL: http://registro.br/
X-Mailman-Approved-At: Wed, 11 Oct 2006 14:28:45 +0000
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon

Hi,

On Wed, Oct 11, 2006 at 12:21:06PM +0200, Jeremie Le Hen wrote:
> Hi,
>
> On Sun, Oct 01, 2006 at 12:30:22AM -0700, FreeBSD Security Officer wrote:
> > Users of FreeBSD 4.11 systems are also reminded that FreeBSD 4.11
> > will reach its End of Life at the end of January 2007 and that they
> > should be making plans to upgrade or replace such systems.
> > Though I admit RELENG_4 is getting dusty, it is not rusty. I believe it > is still used in many places because of its stability and > performance. You bet ! > > For instance, according to Julian Elischer's posts, it seems he is still > working on it. > > Is it envisageable to extend the RELENG_4's and RELENG_4_11's EoL once > more ? Until we can't get at least 90% of the UDP performance of the 4.11 on the 6.x or upcoming releases, high performance DNS servers need it and we should keep supporting 4.11. If we don't do that people will move to something else. On UP servers 4.11 is still head to head to Linux 2.6 (actually, Linux got to be head to head to 4.11 only in 2.6). On SMP servers Linux outperform 4.11 by 10%. 6.x don't get even close to 50% of 4.11 performance on UP and is still worse on SMP. This is extensively tested, documented and is reproducible [1]. For the good of the FreeBSD we should urge the security team to extend 4_11 EoL. Regards, Hugo [1] http://lists.freebsd.org/pipermail/freebsd-net/2006-September/011748.html http://lists.freebsd.org/pipermail/freebsd-net/2006-September/011846.html From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 15:39:42 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C2F316A417; Wed, 11 Oct 2006 15:39:42 +0000 (UTC) (envelope-from dan@obluda.cz) Received: from smtp1.kolej.mff.cuni.cz (smtp1.kolej.mff.cuni.cz [195.113.24.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3A3B743D5F; Wed, 11 Oct 2006 15:39:33 +0000 (GMT) (envelope-from dan@obluda.cz) X-Envelope-From: dan@obluda.cz Received: from [IPv6:2001:718:1e03:a01::7] (dan.kolej.mff.cuni.cz [IPv6:2001:718:1e03:a01::7]) by smtp1.kolej.mff.cuni.cz (8.13.1/8.13.1) with ESMTP id k9BFfY4k090504; Wed, 11 Oct 2006 17:41:35 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <452D1033.8050003@obluda.cz> Date: 
Wed, 11 Oct 2006 17:39:31 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.12) Gecko/20060105 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Mark Linimon References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011114110.GA23653@soaustin.net> In-Reply-To: <20061011114110.GA23653@soaustin.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd security , security-officer@freebsd.org, Jeremie Le Hen , FreeBSD Stable Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Oct 2006 15:39:42 -0000 Mark Linimon wrote: >>From a ports standpoint: absolutely not. > > We are currently trying to support 4 major CVS branches. Although we still > have some dedicated committers who are trying to keep the Ports Collection > running on 4.X, they are falling further and further behind, especially as > the rate of new ports being added continues to accelerate. The network infrastructure servers (DNS servers, routers, firewalls) is traditional role of BSD UNIXes. FreeBSD 4.11 is very well tested and has good performance. Those servers need not new ports so much nor new version of installed aplications - unless a security problem revealed. Even if no new ports will be compilable on 4.x, even if the old ports will not be updated with exception of update caused by security bug, I vote for delaying EOL of 4.11 Dan BTW, if you encounter problem with port on 4.x, the "tips for dummies" are: 1. update perl from ports 2. install openssl from ports 3. install and use gcc 3.4 for compiling Many of problematic ports become compilable again. 
From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 15:42:20 2006
Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CE0A516A47C for ; Wed, 11 Oct 2006 15:42:20 +0000 (UTC) (envelope-from freebsd-security@dfmm.org) Received: from dfmm.org (treehorn.dfmm.org [66.180.195.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id D0EE043D7B for ; Wed, 11 Oct 2006 15:42:18 +0000 (GMT) (envelope-from freebsd-security@dfmm.org) Received: (qmail 2747 invoked by uid 1000); 11 Oct 2006 15:42:15 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Oct 2006 15:42:15 -0000 Date: Wed, 11 Oct 2006 08:42:15 -0700 (PDT) From: Jason Stone X-X-Sender: jason@treehorn.dfmm.org To: freebsd security In-Reply-To: <20061011151458.L97038@atlantis.atlantis.dp.ua> Message-ID: <20061011083021.C2780@treehorn.dfmm.org> References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: security-officer@freebsd.org, FreeBSD Stable Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Oct 2006 15:42:20 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> Though I admit RELENG_4 is getting dusty, it is not rusty. I believe it
>> is still used in many places because of its stability and performance.
>> [...]
>> Is it envisageable to extend the RELENG_4's and RELENG_4_11's EoL once
>> more ?

> Yes, I'm also voting for it.

I realize that resources to keep chasing this stuff are in limited supply, but if you solicit the opinion of the community, I'd bet that more people would rather see 4.x support continue than 5.x support.

I know that it would be a violation of the stated policy, but I think that supporting 4.x and 6.x over the next year would benefit way more people than the current plan of supporting 5.x and 6.x and eol'ing 4.x.

just a thought...

-Jason

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQFFLRDXswXMWWtptckRApQ/AJ9ocwgBjCKGG8E9/Uml4T9Da/wFlwCeLfiS
kzo7WphIVjOVDg+fh5tbuP4=
=ezVj
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 16:20:40 2006
Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EF2E116A56A for ; Wed, 11 Oct 2006 16:20:40 +0000 (UTC) (envelope-from sthaug@nethelp.no) Received: from bizet.nethelp.no (bizet.nethelp.no [195.1.209.33]) by mx1.FreeBSD.org (Postfix) with SMTP id 0CE6843D88 for ; Wed, 11 Oct 2006 16:20:19 +0000 (GMT) (envelope-from sthaug@nethelp.no) Received: (qmail 84916 invoked from network); 11 Oct 2006 16:20:18 -0000 Received: from bizet.nethelp.no (HELO localhost) (195.1.209.33) by bizet.nethelp.no with SMTP; 11 Oct 2006 16:20:18 -0000 Date: Wed, 11 Oct 2006 18:20:18 +0200 (CEST) Message-Id: <20061011.182018.41709122.sthaug@nethelp.no> To: freebsd-security@dfmm.org From: sthaug@nethelp.no In-Reply-To: <20061011083021.C2780@treehorn.dfmm.org> References: <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Wed, 11 Oct 2006 16:33:04 +0000 Cc: freebsd-security@freebsd.org, security-officer@freebsd.org, freebsd-stable@freebsd.org Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Oct 2006 16:20:41 -0000

> I realize that resources to keep chasing this stuff are in limited supply,
> but if you solicit the opinion of the community, I'd bet that more people
> would rather see 4.x support continue than 5.x support.
>
> I know that it would be a violation of the stated policy, but I think that
> supporting 4.x and 6.x over the next year would benefit way more people
> than the current plan of supporting 5.x and 6.x and eol'ing 4.x.

Yes, fully agreed. I'd much rather have longer support for 4.x than 5.x. We still have lots of machines running 4.11 here.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 17:06:31 2006
Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DDFDE16A47C for ; Wed, 11 Oct 2006 17:06:30 +0000 (UTC) (envelope-from nullpt@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.170]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0625643E4E for ; Wed, 11 Oct 2006 16:59:33 +0000 (GMT) (envelope-from nullpt@gmail.com) Received: by ug-out-1314.google.com with SMTP id m2so136097uge for ; Wed, 11 Oct 2006 09:59:29 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=PrQK5qgShPm6Rn8Q07dIBEDs4Vdge4DK8iYkb26GZM+D2oAXjAIguBx8ZSxo+s1V8CeRNmDSW2mnwJS5fm7FrRcwXT2q3XHqg1iDhC/PaACoHnbn1o8Ntq3dOfKMl6HPbmqpSPqtT+fIq+LSFZ/ZnWv32rEATf2bIru8sDznVww= Received: by 10.67.101.8 with SMTP id d8mr1335734ugm; Wed, 11 Oct 2006 09:59:29 -0700 (PDT) Received: by 10.66.237.14 with HTTP; Wed, 11 Oct 2006 09:59:28 -0700 (PDT) Message-ID: <755cb9fc0610110959g713a7e02rda3037ca88341707@mail.gmail.com> Date: Wed, 11 Oct 2006 17:59:28 +0100 From: "Alexandre Vieira" To: "sthaug@nethelp.no" In-Reply-To: <20061011.182018.41709122.sthaug@nethelp.no> MIME-Version: 1.0 References: <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> <20061011.182018.41709122.sthaug@nethelp.no> X-Mailman-Approved-At: Wed, 11 Oct 2006 17:33:35 +0000 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@dfmm.org, security-officer@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Oct 2006 17:06:31 -0000

On 10/11/06, sthaug@nethelp.no wrote:
>
> > I realize that resources to keep chasing this stuff are in limited supply,
> > but if you solicit the opinion of the community, I'd bet that more people
> > would rather see 4.x support continue than 5.x support.
> >
> > I know that it would be a violation of the stated policy, but I think that
> > supporting 4.x and 6.x over the next year would benefit way more people
> > than the current plan of supporting 5.x and 6.x and eol'ing 4.x.
>
> Yes, fully agreed. I'd much rather have longer support for 4.x than 5.x.
>
> We still have lots of machines running 4.11 here.
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>

I fully agree with the delay in the 4.x EOL. I know many people (including myself) who still run 4.x on dead-end hardware for home firewalls/gateways and several other services that run on low, low end hardware.

4.x still has reasons to live for quite a while :)

Best regards
--
Alexandre Vieira - nullpt@gmail.com

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 19:39:56 2006
Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CE27E16A416; Wed, 11 Oct 2006 19:39:56 +0000 (UTC) (envelope-from drosih@rpi.edu) Received: from smtp8.server.rpi.edu (smtp8.server.rpi.edu [128.113.2.228]) by mx1.FreeBSD.org (Postfix) with ESMTP id A912143D69; Wed, 11 Oct 2006 19:39:55 +0000 (GMT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.netel.rpi.edu [128.113.24.47]) by smtp8.server.rpi.edu (8.13.1/8.13.1) with ESMTP id k9BJXQ1V020876; Wed, 11 Oct 2006 15:33:29 -0400 Mime-Version: 1.0 Message-Id: In-Reply-To: <20061011083021.C2780@treehorn.dfmm.org> References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> Date: Wed, 11 Oct 2006 15:33:26 -0400 To: Jason Stone , freebsd security From: Garance A Drosihn Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-CanItPRO-Stream: default X-RPI-SA-Score: undef - spam-scanning disabled X-Scanned-By: CanIt (www . canit . ca) Cc: security-officer@freebsd.org, FreeBSD Stable Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Oct 2006 19:39:57 -0000

At 8:42 AM -0700 10/11/06, Jason Stone wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>>>Though I admit RELENG_4 is getting dusty, it is not rusty. I believe it
>>>is still used in many places because of its stability and performance.
>>>[...]
>>>Is it envisageable to extend the RELENG_4's and RELENG_4_11's EoL
>>>once more ?
>
>> Yes, I'm also voting for it.
>
>I realize that resources to keep chasing this stuff are in limited
>supply, but if you solicit the opinion of the community, I'd bet
>that more people would rather see 4.x support continue than 5.x
>support.

While this is an interesting idea, please realize that if we are supporting 6.x (and we are!), then it is much less work to also support 5.x than it is to support 4.x instead of 5.x. The effort for one is not the same as the effort for the other. But I do agree that this is an interesting idea.

In a different message, Dan Lukes wrote:
> Even if no new ports will be compilable on 4.x, even if the
>old ports will not be updated with exception of update caused by
>security bug, I vote for delaying EOL of 4.11

That's easy to say. But then that security bug will be in an old version of openssh, and to fix it you'll need to update *both* openssh and openssl, and to compile openssl you'll need a newer version of, oh, some compiler. Or the latest libtool. Or it will assume a variety of changes have been made to base-system include files under /usr/include/**.h. (Note that I face this very issue with a variety of old Solaris and IRIX machines here at work. It's one thing to say "Oh, I'll just apply one little security fix", and it's another when you figure out it's going to take you two weeks of solid work to successfully do that)

More to the point, we might not even know there *is* a security exposure in the system you are running. Maybe someone stumbles upon a new exploit in an ancient version of , but everyone running 5.x and 6.x and 7.x is already running the newer version. Thus, we won't even know that 4.x users have a serious security issue which needs to be fixed.

You can't just keep voting to say "support me forever", and have it cost nothing. Someone, somewhere, has to put up the time and effort to actually do that support. And realistically, that someone has to be the people who are actively running 4.x. Me, I have no desire to run 4.x. I have become too accustomed to a variety of nice features which are in 6.x. I'm also in the process of replacing two of my PCs (because they are having hardware trouble), and once I do that I only have one PC which will even boot up in 4.x -- and that is a 10-year-old PC which I hope to replace before the end of the year.

(of course, I'm only one freebsd developer, and I do not claim to be speaking for security@freebsd or re@freebsd. I'm just saying, more and more FreeBSD developers are actively running on newer hardware, and thus that is where their expertise is...)

--
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 19:54:56 2006
Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6068816A403 for ; Wed, 11 Oct 2006 19:54:56 +0000 (UTC) (envelope-from quetzal@zone3000.net) Received: from mx1.sitevalley.com (sitevalley.com [209.67.60.43]) by mx1.FreeBSD.org (Postfix) with SMTP id ACE6043F43 for ; Wed, 11 Oct 2006 19:50:47 +0000 (GMT) (envelope-from quetzal@zone3000.net) Received: from unknown (HELO localhost) (217.144.69.37) by 209.67.61.254 with SMTP; 11 Oct 2006 19:50:46 -0000 Date: Wed, 11 Oct 2006 22:50:18 +0300 From: Nikolay Pavlov To: Dirk Meyer Message-ID: <20061011195018.GA15554@zone3000.net> Mail-Followup-To: Nikolay Pavlov , Dirk Meyer , freebsd-security@freebsd.org References: <451F6E8E.8020301@freebsd.org> <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <+2VE7LPdEU@dmeyer.dinoex.sub.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <+2VE7LPdEU@dmeyer.dinoex.sub.org> User-Agent: Mutt/1.4.2.1i X-Operating-System: FreeBSD 6.1-RELEASE-p10 Cc: freebsd-security@freebsd.org Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Oct 2006 19:54:56 -0000

On Wednesday, 11 October 2006 at 18:08:02 +0200, Dirk Meyer wrote:
> Jeremie Le Hen schrieb:,
>
> > Though I admit RELENG_4 is getting dusty, it is not rusty. I believe it
> > is still used in many places because of its stability and performance.
>
> agreed.
>
> > Is it envisageable to extend the RELENG_4's and RELENG_4_11's EoL once
> > more ?
>
> I second this.
>
> I know a half dozen installations that must run RELENG_4_11,
> because FreeBSD 5.x and 6.x simply don't boot on those servers any more.
> There is a lot of hardware where an update doesn't run.
>
> kind regards Dirk
>

I don't want to bother anybody, but it would be really cool if we could use RELENG_4 with security update support for the next year. FreeBSD-4.11 is the best choice for old hardware like our PentiumII 400Mhz router. It just works. That's all.

In any case, thanks to all the security officers for their work.

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 19:31:41 2006
Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6793216A407; Wed, 11 Oct 2006 19:31:41 +0000 (UTC) (envelope-from prvs=julian=4328b7b2f@elischer.org) Received: from a50.ironport.com (a50.ironport.com [63.251.108.112]) by mx1.FreeBSD.org (Postfix) with ESMTP id 522C543D91; Wed, 11 Oct 2006 19:31:32 +0000 (GMT) (envelope-from prvs=julian=4328b7b2f@elischer.org) Received: from unknown (HELO [10.251.18.229]) ([10.251.18.229]) by a50.ironport.com with ESMTP; 11 Oct 2006 12:31:32 -0700 Message-ID: <452D4693.6010606@elischer.org> Date: Wed, 11 Oct 2006 12:31:31 -0700 From: Julian Elischer User-Agent: Thunderbird 1.5.0.7 (Macintosh/20060909) MIME-Version: 1.0 To: Jeremie Le Hen References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> In-Reply-To: <20061011102106.GY1594@obiwan.tataz.chchile.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Wed, 11 Oct 2006 20:51:11 +0000 Cc: freebsd security , security-officer@freebsd.org, FreeBSD Stable Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Oct 2006 19:31:41 -0000

Jeremie Le Hen wrote:
> Hi,
>
> On Sun, Oct 01, 2006 at 12:30:22AM -0700, FreeBSD Security Officer wrote:
>
>> Users of FreeBSD 4.11 systems are also reminded that FreeBSD 4.11
>> will reach its End of Life at the end of January 2007 and that they
>> should be making plans to upgrade or replace such systems.
>>
>
> Though I admit RELENG_4 is getting dusty, it is not rusty. I believe it
> is still used in many places because of its stability and performance.
>
> For instance, according to Julian Elischer's posts, it seems he is still
> working on it.
>

Weeeeeeellllll, we (Ironport) just moved to 6.1 but my previous employer (Vicor) is still using it.

> Is it envisageable to extend the RELENG_4's and RELENG_4_11's EoL once
> more ?
>
> Thank you.
> Regards,
>

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 21:45:05 2006
Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8022C16A416; Wed, 11 Oct 2006 21:45:05 +0000 (UTC) (envelope-from bde@zeta.org.au) Received: from mailout2.pacific.net.au (mailout2-3.pacific.net.au [61.8.2.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id 99FFB43D78; Wed, 11 Oct 2006 21:45:01 +0000 (GMT) (envelope-from bde@zeta.org.au) Received: from mailproxy2.pacific.net.au (mailproxy2.pacific.net.au [61.8.2.163]) by mailout2.pacific.net.au (Postfix) with ESMTP id E4257309347; Thu, 12 Oct 2006 07:44:59 +1000 (EST) Received: from epsplex.bde.org (katana.zip.com.au [61.8.7.246]) by mailproxy2.pacific.net.au (Postfix) with ESMTP id CDC0A27416; Thu, 12 Oct 2006 07:44:58 +1000 (EST) Date: Thu, 12 Oct 2006 07:44:58 +1000 (EST) From: Bruce Evans X-X-Sender: bde@epsplex.bde.org To: Dmitry Pryanishnikov In-Reply-To: <20061011151458.L97038@atlantis.atlantis.dp.ua> Message-ID: <20061012052709.P897@epsplex.bde.org> References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd security , security-officer@FreeBSD.org, Jeremie Le Hen , FreeBSD Stable Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Oct 2006 21:45:05 -0000

On Wed, 11 Oct 2006, Dmitry Pryanishnikov wrote:

> On Wed, 11 Oct 2006, Jeremie Le Hen wrote:
>> ...
>> Is it envisageable to extend the RELENG_4's and RELENG_4_11's EoL once
>> more ?
>
> Yes, I'm also voting for it. This support may be limited to
> remote-exploitable vulnerabilities only, but I'm sure there are many old
> slow routers for which RELENG_4 -> 6 transition still hurts the performance.
> RELENG_4 is the last stable pre-SMPng branch, and (see my spring letters,
> Subject: RELENG_4 -> 5 -> 6: significant performance regression)
> _very_ significant UP performance loss (which has occurred in RELENG_4 -> 5
> transition) still isn't reclaimed. So I think it would be wise to extend
> { RELENG_4 / RELENG_4_11 / both } [may be limited] support.

I hesitate to do anything to kill RELENG_4, but recently spent a few days figuring out why the performance for building kernels over nfs dropped by much more than for building of kernels on local disks between RELENG_4 and -current. The most interesting loss (one not very specific to kernels) is that changes on 6 or 7 Dec 2004 resulted in open/close of an nfs file generating twice as much network traffic (2 instead of 1 Access RPCs per open) and thus being almost twice as slow for files that are otherwise locally cached. This combined with not very low network latency gives amazingly large losses of performance for things like "make depend" and cvs checkouts where 1 RPC per open already made things very slow.
Bruce

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 22:05:06 2006
Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED59D16A40F for ; Wed, 11 Oct 2006 22:05:05 +0000 (UTC) (envelope-from eol1@yahoo.com) Received: from web51906.mail.yahoo.com (web51906.mail.yahoo.com [206.190.48.69]) by mx1.FreeBSD.org (Postfix) with SMTP id D328543D45 for ; Wed, 11 Oct 2006 22:05:04 +0000 (GMT) (envelope-from eol1@yahoo.com) Received: (qmail 52807 invoked by uid 60001); 11 Oct 2006 22:05:03 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=wWLyiIbYGBCI1ybc8324OL34ElGcg7fH6a8YUn0ZizP4bN5QaaNlZjZlWMPanHUkuBRj7SNwITlMYyU9FKjJBEs6Sg2DeJMIKpe8k62rhyMn/CVuQz1owj4sTA6epXqxu8F0S1Qt3fA1gPJv5Qgx/G0z4Z644FrCIX7Xqy7iJc8= ; Message-ID: <20061011220502.52779.qmail@web51906.mail.yahoo.com> Received: from [65.106.146.230] by web51906.mail.yahoo.com via HTTP; Wed, 11 Oct 2006 15:05:01 PDT Date: Wed, 11 Oct 2006 15:05:01 -0700 (PDT) From: Peter Thoenen To: freebsd security In-Reply-To: <20061012052709.P897@epsplex.bde.org> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Cc: FreeBSD Stable Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: eol1@yahoo.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Oct 2006 22:05:06 -0000

Lots of gnashing of the teeth on this one but let's face it, it had to die sometime.

For all the 4.x users still out there (and plenty of them have deep pockets) no reason you can't just hire third party support (possibly even a current developer); hell, get together and maybe pool your resources. That's just how life is for legacy systems; we are all mature enough here in the tech world to know this. No reason you can't sell your CIOs on this when I am guessing they are shelling out millions on other vendors.

-Peter

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 22:15:30 2006
Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A754716A4AB for ; Wed, 11 Oct 2006 22:15:30 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from mail2.fluidhosting.com (mx21.fluidhosting.com [204.14.89.4]) by mx1.FreeBSD.org (Postfix) with SMTP id BD43C43D5C for ; Wed, 11 Oct 2006 22:15:28 +0000 (GMT) (envelope-from dougb@FreeBSD.org) Received: (qmail 15460 invoked by uid 399); 11 Oct 2006 22:15:27 -0000 Received: from localhost (HELO ?156.154.5.186?) (dougb@dougbarton.us@127.0.0.1) by localhost with SMTP; 11 Oct 2006 22:15:27 -0000 Message-ID: <452D6CFD.4040905@FreeBSD.org> Date: Wed, 11 Oct 2006 15:15:25 -0700 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Thunderbird 1.5.0.7 (Windows/20060909) MIME-Version: 1.0 To: Jason Stone References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> In-Reply-To: <20061011083021.C2780@treehorn.dfmm.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd security , security-officer@freebsd.org, FreeBSD Stable , re@freebsd.org Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Oct 2006 22:15:30 -0000

Jason Stone wrote:
> I realize that resources to keep chasing this stuff are in limited
> supply,

You just hit the nail on the head. The vast majority of FreeBSD developers (including but not limited to the committer community) have moved on. If you (meaning the people that want continued support for 4.x) want to see this supported, you're going to have to step up and support it. I see at least 2 areas that will require work:

1. Ports -- the portmgr team for sure, and to a large measure the port committers, do not have the resources necessary to continue supporting 4.x. The cluster (read, package building) resources could almost work if 5.x support is totally dropped (which is an intriguing idea), but the manpower to keep things working (ports compiling, etc.) isn't there right now, and would have to be supplied from this community.

I like the idea proposed by another poster that requiring perl, openssl, and gcc 3.4 from ports makes most things work. Perhaps something can be added to bsd.port.mk to make that happen transparently? My point here is that the resources have to come from somewhere, because they are running very thin now, and will get much thinner soon.

2. Security updates -- some committers are still interested in this, but not many. Work would have to come from the community to keep key things updated (and of course, the SO team would have to sign off on that effort).

In order to facilitate this effort, I'd like to suggest that a new mailing list be created, freebsd-releng4. That would allow the interested folks to get together, pool resources, and decide what is possible.

One last suggestion, for those of you who are still using 4.x for performance reasons, perhaps you could dedicate a system or two, and some of your resources, to helping determine where and how things need to be improved. I could make an argument that doing this would actually give you a better ROI than putting work into trying to keep 4.x (and the old hardware it runs on) alive, but I won't. :)

Finally, I think it's important to keep in mind that unless the personpower comes from somewhere, official support for 4.x WILL go away. It's nothing personal, it's simply a question of resources.
Doug

--
This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 22:42:55 2006
From: Dan Lukes
To: Garance A Drosihn
Cc: Jason Stone, security-officer@freebsd.org, FreeBSD Stable, freebsd security
Date: Thu, 12 Oct 2006 00:42:25 +0200
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
Message-ID: <452D7351.6050804@obluda.cz>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org>

Garance A Drosihn napsal/wrote, On 10/11/06 21:33:
>> Even if no new ports will be compilable on 4.x, even if the
>> old ports will not be updated with exception of update caused by
>> security bug, I vote for delaying EOL of 4.11
>
> That's easy to say.

I understand that it's much more work than just "you are on your own - EOL arrived". As I'm not a committer, I'm allowed to submit PRs and speak. I'm trying both. This letter is the "speak" part.

> You can't just keep voting to say "support me forever", and have it
> cost nothing. Someone, somewhere, has to put up the time and effort
> to actually do that support. And realistically, that someone has to
> be the people who are actively running 4.x. Me, I have no desire to
> run 4.x. I have become too accustomed to a variety of nice features
> which are in 6.x. I'm also in the process of replacing two of my PC's
> (because they are having hardware trouble), and once I do that I only
> have one PC which will even bootup in 4.x -- and that is a 10-year-old
> PC which I hope to replace before the end of the year.

I never call for "support forever". In advance, I didn't accept others' "I have old hardware, unsupported by 6.x" as a strong argument for delaying the EOL. It's about money only, and if you run an important production server, you should be able to obtain the money for its upgrade.

The problem is performance and trust in stability. It's a money- and hardware-independent problem.

5.x has a significant performance hit, so we can't count it as a competitive replacement for 4.x.

6.1 is the second release in the 6.x tree. 6.0 had stability problems. 6.1 is sufficiently stable in average use, but it still has problems in edge situations. 6.2 becomes the first RELEASE in the 6.x tree acceptable for serious production use. 6.3 will be the candidate for the first trustable RELEASE if there are no significant problems with 6.2.

It's nothing special about major version changes - 3.0 was buggy, 4.0 was buggy, 5.0 was almost unusable. It's common for other systems also - the first usable release of Novell Netware in the 3.x tree was 3.11 (after the buggy 3.0 and 3.1), but the stable release was 3.12, for example.

At this time, there are about 224 unclosed PRs related to the kern/6.x tree older than three months; 192 of them are untouched (i.e. in plain open state). Nobody knows whether they are reporting serious problems, or are reports of nonexistent problems and a sort of bug of the submitter or hardware or so. IMHO, committers are working hard on implementing new features, but have no spare time to polish and repair older parts of the code.

So, at the time of the EOL of a well tested, fast and stable version, we have only a so-so trustable release as a replacement, despite the money spent on modern hardware. It's just not so good news. Nothing more.

I understand that FreeBSD is a volunteer-based project, so nobody can push a committer to prefer polishing previously implemented features over implementing new toys. Nobody can force the release team to postpone the next RELEASE until previously reported problems are analysed and resolved or denied (at least most of them).

I respect that you are upgrading to 6.x because of nice features which you need. But I need none of it on most of our infrastructure servers (including those routing to networks with more than a thousand computers). In fact, I'm using IPFW2 only, and it's available on 4.11 as well, so there is no reason for 6.x on routers, firewalls, DNS servers. I prefer performance and stability over new features (it's the main reason we selected FreeBSD instead of Linux as the main platform for our networks ten years ago).

Well. I hesitate, as my doubts about the stability and performance of the current and next 6.x releases will not make so many friends for me there. So, no more words with the exception of "thank you" for all volunteers. I'm sure they do the best they can.

If I can say my humble opinion with no further explanation - the optimal EOL for 4.11 I see about three months after 6.4-RELEASE. Three months after 6.3-RELEASE is worse but still acceptable.

It's my $0.02

Dan

P.S. Please note that English isn't my native language.
--
Dan Lukes SISAL MFF UK
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 22:46:57 2006
From: Kris Kennaway
To: Paul Allen
Cc: Jason Stone, Doug Barton, FreeBSD Stable, freebsd security, security-officer@freebsd.org, re@freebsd.org
Date: Wed, 11 Oct 2006 18:46:54 -0400
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
Message-ID: <20061011224653.GA24829@xor.obsecurity.org>
In-Reply-To: <20061011223610.GA30707@riyal.ugcs.caltech.edu>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> <452D6CFD.4040905@FreeBSD.org> <20061011223610.GA30707@riyal.ugcs.caltech.edu>

On Wed, Oct 11, 2006 at 03:36:10PM -0700, Paul Allen wrote:
> Well, I suspect that most people with the resources to do what you ask
> have already moved on precisely because the EoL has been published.
> i.e., faced with that limited commitment, we had no choice but to
> (grudgingly and at the last minute) move on.
>
> I think the most likely path of success is, as you say, to make the 4.x
> userland more like 6.x.
>
> Without some prior commitment of project resources though, this
> is unlikely to fly with anyone.
>
> e.g., an agreement to EoL of 5.x and do port-cluster builds of
> a gcc 3.x variant of the 4.x kernel series.
>
> I recall that this was done in Dragonfly for a while.

The 4.x support policy was announced some time ago and may be found here:

http://www.freebsd.org/portmgr/policies_releng_4.html

We are not interested in increasing the level of support beyond this. In particular 4.x package builds will stop on 31 Jan 2007.
Kris

From owner-freebsd-security@FreeBSD.ORG Wed Oct 11 22:36:11 2006
From: Paul Allen
To: Doug Barton
Cc: Jason Stone, security-officer@freebsd.org, FreeBSD Stable, re@freebsd.org, freebsd security
Date: Wed, 11 Oct 2006 15:36:10 -0700
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
Message-ID: <20061011223610.GA30707@riyal.ugcs.caltech.edu>
In-Reply-To: <452D6CFD.4040905@FreeBSD.org>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> <452D6CFD.4040905@FreeBSD.org>

Well, I suspect that most people with the resources to do what you ask have already moved on precisely because the EoL has been published. i.e., faced with that limited commitment, we had no choice but to (grudgingly and at the last minute) move on.

I think the most likely path of success is, as you say, to make the 4.x userland more like 6.x.

Without some prior commitment of project resources though, this is unlikely to fly with anyone.

e.g., an agreement to EoL of 5.x and do port-cluster builds of a gcc 3.x variant of the 4.x kernel series.

I recall that this was done in Dragonfly for a while.

Paul

From owner-freebsd-security@FreeBSD.ORG Thu Oct 12 02:09:41 2006
From: Garance A Drosihn
To: Dan Lukes
Cc: freebsd security, security-officer@freebsd.org, FreeBSD Stable
Date: Wed, 11 Oct 2006 22:09:38 -0400
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
In-Reply-To: <452D7351.6050804@obluda.cz>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> <452D7351.6050804@obluda.cz>

At 12:42 AM +0200 10/12/06, Dan Lukes wrote:
> As I'm not commiter, I'm allowed to submit PR and speak.
> I'm trying both. This letter is "speak" part.

Understood. But this has been announced for a while. If the people who actually depend on 4.x can find the resources to support it, I am fine with them doing that work. I was running 4.x on a production server until just about six months ago. But now I am not. I do have a full-time job, and my "hobby" programming is going to go into the operating system I run on the hardware I own. It isn't going to go into *your* hardware that you want to see supported, for free, for as long as you can keep "voting" that SOMEONE ELSE must do a bunch of free work just for your peace-of-mind.

Your 4.x system is not going to die when we EOL 4.x. We're only saying that it is not going to see any additional work on it in the official FreeBSD repository. None of us are going to break into your house and smash your currently-running system.

This is an open-source project. If it really is as easy to support 4.x with security fixes as you think it is, then "you" (all of you who depend on a 4.x system) should be able to do that work without help from "us" (the people running AMD64, ARM, PowerPC, Sparc64, or even just recent i386 hardware which is not supported by 4.x).

That's it. The entire rest of your message is irrelevant to the issues here. I very soon will not own any hardware which can even boot up 4.x, so you can be sure that I will not be providing any support for your continued peace-of-mind.
If I do not run a given operating system, then I can not claim to support it. That fact is not going to change simply because you vote on it.

I don't want to sound unsympathetic here, because up until just six months ago I was also depending on security fixes for 4.x. But after having two of my personal PC's fried (due to a broken air-conditioner), I have now moved on.

--
Garance Alistair Drosehn = gad@gilead.netel.rpi.edu
Senior Systems Programmer or gad@freebsd.org
Rensselaer Polytechnic Institute or drosih@rpi.edu

From owner-freebsd-security@FreeBSD.ORG Thu Oct 12 02:35:22 2006
From: "Ahmad Arafat Abdullah"
To: sthaug@nethelp.no, freebsd-security@dfmm.org
Cc: freebsd-security@freebsd.org, security-officer@freebsd.org, freebsd-stable@freebsd.org
Date: Wed, 11 Oct 2006 18:36:04 -0800
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
Message-Id: <20061012023605.D15F11CE304@ws1-6.us4.outblaze.com>

> ----- Original Message -----
> From: sthaug@nethelp.no
> To: freebsd-security@dfmm.org
> Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
> Date: Wed, 11 Oct 2006 18:20:18 +0200 (CEST)
>
>
> > I realize that resources to keep chasing this stuff are in
> > limited supply, but if you solicit the opinion of the community,
> > I'd bet that more people would rather see 4.x support continue
> > than 5.x support.
> >
> > I know that it would be a violation of the stated policy, but I
> > think that supporting 4.x and 6.x over the next year would
> > benefit way more people than the current plan of supporting 5.x
> > and 6.x and eol'ing 4.x.
>
> Yes, fully agreed. I'd much rather have longer support for 4.x than 5.x.
>
> We still have lots of machines running 4.11 here.
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>

Mine too.. I've got lots of 4.11 prod servers and they run smooth and perfect for long.. Hope it can be supported longer, maybe another 2-3 years? :)

From owner-freebsd-security@FreeBSD.ORG Thu Oct 12 07:43:27 2006
From: Dan Lukes
To: Garance A Drosihn
Cc: freebsd security, security-officer@freebsd.org, FreeBSD Stable
Date: Thu, 12 Oct 2006 09:43:20 +0200
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
Message-ID: <452DF218.3090902@obluda.cz>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> <452D7351.6050804@obluda.cz>

Garance A Drosihn napsal/wrote, On 10/12/06 04:09:
> Your 4.x system is not doing to die when we EOL 4.x. We're only

> This is an open-source project. If it really is as easy to support
> 4.x with security fixes as you think it is, then "you" (all of you

Yes, I'm ready to self-support 4.x for myself. In fact, the problem is not in the system, the problem is in ports, but I use only a few ports, so it's acceptable.

But, maybe because of my poor knowledge of English, you misunderstand the point of my thinking. The main problem is - 6.x is still not a competitive replacement for 4.x. I'm NOT speaking about old unsupported hardware - I spoke about performance in some situations and belief in its stability.

It has been a series of decisions of committers and the release team that created the current situation, and all I say is, the resulting situation is not good because we must drop a product when only a worse replacement is available.

> who depend on a 4.x system) should be able to do that work without
> help from "us" (the people running AMD64, ARM, PowerPC, Sparc64,
> or even just recent i386 hardware which is not supported by 4.x).

I fully understand it. But I'm not sure if there is a sufficient number of users of those new platforms in the community.

I said the committers prefer to work on new toys over maintaining the previous code (including their own). I understand that working on new toys is more interesting work than debugging code with only a not-so-exact PR in hand. Despite that, I respect the sovereignty of a committer to decide what he wants to work on.

Maybe the project needs to adopt committers of another sort - those who are ready to review old code, repair bugs and polish. Well - it's off-topic here.

I said the current situation (which has no good solution) is the result of recent decisions.

> I don't want to sound unsympathetic here, because up until just
> six months ago I was also depending on security fixes for 4.x.
> But after having two of my personal PC's fried (due to a broken
> air-conditioner), I have now moved on.
I'm also preparing to transition, but it's the first time I'm changing to a better version and thinking I'm upgrading to a worse system than the previous one ....

Despite anything I said, we should thank the whole team for its work. I'm sure everybody does all he can.

Dan

--
Dan Lukes SISAL MFF UK
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz

From owner-freebsd-security@FreeBSD.ORG Thu Oct 12 09:06:26 2006
From: "Simon L. Nielsen"
To: Patrick Okui
Cc: freebsd security, security-officer@freebsd.org, freebsd-stable@freebsd.org
Date: Thu, 12 Oct 2006 11:06:21 +0200
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
Message-ID: <20061012090620.GA1059@zaphod.nitro.dk>
In-Reply-To: <200610121059.18889.pokui@psg.com>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <452D4693.6010606@elischer.org> <200610121059.18889.pokui@psg.com>

On 2006.10.12 10:59:18 +0300, Patrick Okui wrote:
> One of my servers is colocated in a place on a different continent - which is
> why I haven't been able to upgrade it beyond RELENG_4. Google turns up a
> binary upgrade as the only way I can get to RELENG_6. Is this still the case
> (because the logistics on arranging that are ... interesting) or is there a
> relatively safe way to upgrade from RELENG_4 to RELENG_6 remotely?

I have upgraded a system from 4.10 to 6.2 via 5.5 half a world away just using a serial console (well, and remote power, but that wasn't needed for the upgrade itself). I did this via buildworld etc. and it was actually quite painless, so it can be done. That said, of course there is always the risk that something will make it blow up.

Note that you have to be careful to follow the guidelines to the letter (see the migration guide which was part of the 5.3 or 5.4 docs AFAIR) for the 4.x -> 5.x part.

--
Simon L. Nielsen

From owner-freebsd-security@FreeBSD.ORG Thu Oct 12 09:25:36 2006
From: Doug Barton
To: Dan Lukes
Cc: freebsd security, security-officer@freebsd.org, Garance A Drosihn, FreeBSD Stable
Date: Thu, 12 Oct 2006 02:25:29 -0700 (PDT)
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
Message-ID: <20061012021223.X521@qbhto.arg>
In-Reply-To: <452DF218.3090902@obluda.cz>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> <452D7351.6050804@obluda.cz> <452DF218.3090902@obluda.cz>
Organization: http://www.FreeBSD.org/

On Thu, 12 Oct 2006, Dan Lukes wrote:

> But, maybe for my poor knowledge of english, you misunderstand the
> point of my think.

Your English is quite good, actually. :)

> The main problem is - 6.x is still not competitive replacement for
> 4.x. I'm NOT speaking about old unsupported hardware - I speaked about
> performance in some situation and believe in it's stability.
>
> It has been serie of decisions of commiters and release team that
> create current situation and all I say is, the resulting situation is not
> good because we must drop product when worse replacement available only.

I think saying that it's a worse replacement is a bit too broad. There are many cases where 6.x performs better than 4.x. However, to say that 6.x is always better would also be too broad (in addition to being demonstrably false). The key (as I stated in a previous mail) is for those that are seeing performance problems to jump in and help make it better.

You are partially correct when you say that the developer community is only interested in more recent issues. I say partially because while in some cases it may be an "attention span" issue as you suggest, it's also due to the fact that as a project we've made an architectural decision to move forward along the path we're on. The "way of the future" is further down this road, not backing up to the 4.x days. Therefore, if 6.x is not working for you, for whatever reason, it's time to get in the game.

> Despite of anything I sayd, we should thank for the whole team for
> it's work. I'm sure anybody do all he can.

Thanks! I don't think anyone would misinterpret your tone as harsh, or inappropriate. You've very effectively made your case for why you want support to continue. I hope that those who've responded have made their reasons equally clear for why that is not likely to happen.
Doug

--
This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Thu Oct 12 10:03:23 2006
From: Jeremie Le Hen
To: Doug Barton
Cc: Jason Stone, security-officer@freebsd.org, FreeBSD Stable, re@freebsd.org, freebsd security
Date: Thu, 12 Oct 2006 12:04:10 +0200
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
Message-ID: <20061012100410.GH1594@obiwan.tataz.chchile.org>
In-Reply-To: <452D6CFD.4040905@FreeBSD.org>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> <452D6CFD.4040905@FreeBSD.org>

Hi list,

On Wed, Oct 11, 2006 at 03:15:25PM -0700, Doug Barton wrote:
> In order to facilitate this effort, I'd like to suggest that a new
> mailing list be created, freebsd-releng4. That would allow the
> interested folks to get together, pool resources, and decide what is
> possible.

I am all for it. According to this thread, it appears the 4.x branch is still used for whatever reasons; whether they are perceived as good or bad depends on one's own consideration and feeling. If the FreeBSD Project is going to relinquish RELENG_4 support because of lack of interest from the developers -- and I can understand this -- it would not hurt though to arrange a place where people still interested in RELENG_4 could talk together, exchange tricks and patches, and so continue a kind of unofficial support. Although this may appear as loose and slack support, it is yet better than having nothing, IMHO.

Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Thu Oct 12 10:36:42 2006
From: Dan Lukes
To: Doug Barton
Cc: freebsd security, security-officer@freebsd.org, Garance A Drosihn, FreeBSD Stable
Date: Thu, 12 Oct 2006 12:40:48 +0200
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
Message-ID: <452E1BB0.7090607@obluda.cz>
In-Reply-To: <20061012021223.X521@qbhto.arg>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> <452D7351.6050804@obluda.cz> <452DF218.3090902@obluda.cz> <20061012021223.X521@qbhto.arg>

Doug Barton wrote:
>> The main problem is - 6.x is still not competitive replacement for
>> 4.x. I'm NOT speaking about old unsupported hardware - I speaked about
>> performance in some situation and believe in it's stability.

> I think saying that it's a worse replacement is a bit too broad.

With no doubt.

> You are
> partially correct when you say that the developer community is only
> interested in more recent issues.

It's based on the number of PRs I have open/unanalyzed. My PRs are mostly focused on not-so-critical problems in ancient parts of the code. I know the standard mantra, of course - no volunteer must analyze my (or anybody's) PRs; there is no doubt about it ...

> Therefore, if 6.x is not
> working for you, for whatever reason, it's time to get in the game.

I'm already in ;-) I'm using 6-STABLE (and 5-STABLE previously) on some unimportant computers and I'm reporting observed problems (mostly with an offer of a patch). I'm hesitating to install 6.x tree releases on critical routers mainly as they are at the performance top already (with modern hardware, not old crap) ...

Well, nothing more to speak. Have a nice day.
Dan

From owner-freebsd-security@FreeBSD.ORG Thu Oct 12 07:59:40 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3D64F16A403; Thu, 12 Oct 2006 07:59:40 +0000 (UTC) (envelope-from pokui@psg.com)
Received: from mail.trueafrican.com (mail.trueafrican.com [212.88.98.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7301743D49; Thu, 12 Oct 2006 07:59:37 +0000 (GMT) (envelope-from pokui@psg.com)
Received: from mail.trueafrican.com ([127.0.0.1]) by localhost (mail.trueafrican.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 11802-07; Thu, 12 Oct 2006 10:59:14 +0300 (EAT)
Received: from andromeda.trueafrican.com (pokui.trueafrican.com [169.254.0.7]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.trueafrican.com (Postfix) with ESMTP id 5854325F1B8; Thu, 12 Oct 2006 10:59:10 +0300 (EAT)
Received: from [127.0.0.1] (helo=localhost) by andromeda.trueafrican.com with esmtp (Exim 4.62) (envelope-from ) id 1GXvTL-00021V-Jj; Thu, 12 Oct 2006 10:59:19 +0300
From: Patrick Okui
To: freebsd-stable@freebsd.org
Date: Thu, 12 Oct 2006 10:59:18 +0300
User-Agent: KMail/1.8
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <452D4693.6010606@elischer.org>
In-Reply-To: <452D4693.6010606@elischer.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200610121059.18889.pokui@psg.com>
X-Virus-Scanned: by amavisd-new at trueafrican.com
X-Mailman-Approved-At: Thu, 12 Oct 2006 11:41:09 +0000
Cc: freebsd security , security-officer@freebsd.org
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Thu, 12 Oct 2006 07:59:40 -0000

One of my servers is colocated in a place on a different continent - which is why I haven't been able to upgrade it beyond RELENG_4. Google turns up a binary upgrade as the only way I can get to RELENG_6. Is this still the case (because the logistics of arranging that are ... interesting) or is there a relatively safe way to upgrade from RELENG_4 to RELENG_6 remotely?

Yes, I do have OOB access to the box in question...

--
patrick

From owner-freebsd-security@FreeBSD.ORG Thu Oct 12 12:58:22 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D08ED16A4C8; Thu, 12 Oct 2006 12:58:22 +0000 (UTC) (envelope-from claco@summitracing.com)
Received: from summitracing.com (summitproxy.summitracing.com [208.44.49.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id ECCE243E92; Thu, 12 Oct 2006 12:57:27 +0000 (GMT) (envelope-from claco@summitracing.com)
Received: from exchange.summit.network [172.16.246.189] by summitracing.com with ESMTP (SMTPD-9.10) id ABB61078; Thu, 12 Oct 2006 08:57:26 -0400
Received: by exchange.summit.network with Internet Mail Service (5.5.2653.19) id ; Thu, 12 Oct 2006 08:57:26 -0400
Message-ID: <4239A4FA4FF82E44AD6D215C41024B5C09601D01@exchange.summit.network>
From: Chris Laco
To: Dan Lukes , Garance A Drosihn
Date: Thu, 12 Oct 2006 08:57:16 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
Cc: Jason Stone , security-officer@freebsd.org, FreeBSD Stable , freebsd security
Subject: RE: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Thu, 12 Oct 2006 12:58:23 -0000

Just a lurker, and FreeBSD user since late 3.0...

> Problem is performance and trust in stability. It's
> money and hardware independent problem.
>
> 5.x has significant performance hit, so we can't count
> it as competitive replacement for 4.x. 6.1 is second release
> in 6.x tree. 6.0 has stability problem. The 6.1 is
> sufficiently stable on average use, but it still has problems
> in edge situations. The 6.2 become first RELEASE in 6.x tree
> acceptable for serious production use. 6.3 will be candidate
> for first trustable RELEASE if there will not be significant
> problem with 6.2. It's nothing special on major version
> changes - 3.0 has been buggy, 4.0 has been buggy, 5.0 has
> been almost unusable. It's common for other systems also -
> first usable release of Novell Netware in 3.x tree has been
> 3.11 (after buggy 3.0 and 3.1), but stable release has been
> 3.12 for example.

Oddly enough, I've heard this very sentiment elsewhere this week. Take the post with a grain of salt, but it does touch on the matter.

http://use.perl.org/~scrottie/journal/31273

From my personal experience of (4) 4.x machines and (1) 5.x machine, all on the same hardware, I've had more problems with my 5.x install than I ever did with my 4.x install. I'm afraid to even look to see if 6.0 will run on it.

Just another $0.000000002.
-=Chris

From owner-freebsd-security@FreeBSD.ORG Thu Oct 12 15:33:13 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD12B16A407 for ; Thu, 12 Oct 2006 15:33:13 +0000 (UTC) (envelope-from em.conti@tin.it)
Received: from vsmtp4.tin.it (vsmtp4.tin.it [212.216.176.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F0CA43D55 for ; Thu, 12 Oct 2006 15:33:13 +0000 (GMT) (envelope-from em.conti@tin.it)
Received: from localhost (62.211.3.147) by vsmtp4.tin.it (7.2.072.1) id 452C9C440019EC54 for freebsd-security@freebsd.org; Thu, 12 Oct 2006 17:33:12 +0200
Date: Thu, 12 Oct 2006 17:33:11 +0200
From: em.conti@tin.it
To: freebsd-security@freebsd.org
Message-ID: <20061012173311.51fab90f@localhost>
In-Reply-To: <001c01c6ed3e$a47c4280$2801a8c0@doomie>
References: <20061011144314.3e680c9f@localhost> <001c01c6ed3e$a47c4280$2801a8c0@doomie>
X-Mailer: Sylpheed-Claws 2.1.1 (GTK+ 2.8.20; i486-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: I cannot upgrade openssl-stablr
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Thu, 12 Oct 2006 15:33:13 -0000

On Wed, 11 Oct 2006 10:07:51 -0400, "Martin Leach" wrote:

> owner-freebsd-security@freebsd.org <> wrote on Wednesday, October 11,
> 2006 8:43 AM:
>
>> ===> Cleaning for openssl-stable-0.9.7k # # this ports
>> conflicts with your base system # please undefine
>> OPENSSL_OVERWRITE_PORT # and use WITH_OPENSSL_BASE=yes instead. #
>> *** Error code 1
>
> Also first post..
>
> Try adding OPENSSL_OVERWRITE_BASE=yes into your /etc/make.conf file,
> and try again.
> You can also define that variable at build time, but having it in
> make.conf keeps it there for future reference.
>
> Regards,
>
> Martin
>

Thank you, Martin. That worked.

Cheers
Emilio

From owner-freebsd-security@FreeBSD.ORG Thu Oct 12 13:30:08 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A94DC16A412; Thu, 12 Oct 2006 13:30:08 +0000 (UTC) (envelope-from Alexander@Leidinger.net)
Received: from www.ebusiness-leidinger.de (jojo.ms-net.de [84.16.236.246]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1B0F043D6E; Thu, 12 Oct 2006 13:30:00 +0000 (GMT) (envelope-from Alexander@Leidinger.net)
Received: from Andro-Beta.Leidinger.net (p54A5E5DE.dip.t-dialin.net [84.165.229.222]) (authenticated bits=0) by www.ebusiness-leidinger.de (8.13.6/8.13.6) with ESMTP id k9CDRZPV014790; Thu, 12 Oct 2006 15:27:35 +0200 (CEST) (envelope-from Alexander@Leidinger.net)
Received: from localhost (webmail.Leidinger.net [192.168.1.102]) by Andro-Beta.Leidinger.net (8.13.4/8.13.4) with ESMTP id k9CDTwKJ041698; Thu, 12 Oct 2006 15:29:58 +0200 (CEST) (envelope-from Alexander@Leidinger.net)
Received: from pslux.cec.eu.int (pslux.cec.eu.int [158.169.9.14]) by webmail.leidinger.net (Horde MIME library) with HTTP; Thu, 12 Oct 2006 15:29:52 +0200
Message-ID: <20061012152952.dlx4z9am8088k0kg@webmail.leidinger.net>
X-Priority: 3 (Normal)
Date: Thu, 12 Oct 2006 15:29:52 +0200
From: Alexander Leidinger
To: Dan Lukes
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> <452D7351.6050804@obluda.cz> <452DF218.3090902@obluda.cz> <20061012021223.X521@qbhto.arg> <452E1BB0.7090607@obluda.cz>
In-Reply-To: <452E1BB0.7090607@obluda.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.1.3) / FreeBSD-7.0
X-Virus-Scanned: by amavisd-new
X-Mailman-Approved-At: Thu, 12 Oct 2006 16:32:08 +0000
Cc: Doug Barton , FreeBSD Stable , Garance, freebsd security , security-officer@freebsd.org, Drosihn
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Thu, 12 Oct 2006 13:30:09 -0000

Quoting Dan Lukes (from Thu, 12 Oct 2006 12:40:48 +0200):

> I'm using 6-STABLE (and 5-STABLE previously) on some unimportant
> computers and I'm reposting observered problems (mostly with offer of
> patch).

The trick is to make some noise and get the attention of a committer. Tell the people you know about problem X and that you have a patch to fix it. This may result in some posts from other people who try your patch and report that it works for them. The probability that someone without the possibility to test this will commit it is higher if there are several people who say it works than when the fix is only sitting in Gnats.

Bye,
Alexander.

--
Woman would be more charming if one could fall into her arms without falling into her hands.
-- DeGourmont

http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137

From owner-freebsd-security@FreeBSD.ORG Thu Oct 12 14:14:31 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6163716A40F; Thu, 12 Oct 2006 14:14:31 +0000 (UTC) (envelope-from vivek@khera.org)
Received: from yertle.kcilink.com (yertle.kcilink.com [65.205.34.180]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0712043EAA; Thu, 12 Oct 2006 14:10:45 +0000 (GMT) (envelope-from vivek@khera.org)
Received: from [192.168.7.103] (host-103.int.kcilink.com [192.168.7.103]) by yertle.kcilink.com (Postfix) with ESMTP id 33246B80F; Thu, 12 Oct 2006 10:10:37 -0400 (EDT)
In-Reply-To: <452D7351.6050804@obluda.cz>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> <452D7351.6050804@obluda.cz>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: multipart/signed; micalg=sha1; boundary=Apple-Mail-7--181073445; protocol="application/pkcs7-signature"
Message-Id: <75D56444-EA9D-426B-A53C-2BDB77F00D87@khera.org>
From: Vivek Khera
Date: Thu, 12 Oct 2006 10:10:36 -0400
To: FreeBSD Stable
X-Mailer: Apple Mail (2.752.2)
X-Mailman-Approved-At: Thu, 12 Oct 2006 16:32:28 +0000
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd security
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Thu, 12 Oct 2006 14:14:31 -0000

--Apple-Mail-7--181073445
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII; delsp=yes; format=flowed

On Oct 11, 2006, at 6:42 PM, Dan Lukes wrote:

> 5.x has significant performance hit, so we can't count it as
> competitive replacement for 4.x. 6.1 is second release in 6.x tree.
> 6.0 has stability problem. The 6.1 is sufficiently stable on
> average use, but it still has problems in edge situations. The 6.2
> become first RELEASE in 6.x tree acceptable for serious production
> use. 6.3 will be candidate for first trustable RELEASE if there
> will not be significant

I'll agree with your assessment of 5.x. The characterization of 6.0 and 6.1 is, IMO, inaccurate. We have one database server running 6.0 in production nonstop for nearly a year now. We have many systems running 6.1 with great performance and stability.

There may be certain situations which 6.0 (indeed, any version) may fail in, but that's why you need to test *your* system with *your* software under *your* load to certify it as suitable for production.

I'm already evaluating 6.2 for our production and plan to move to it shortly after release barring any failures we encounter. I'm trusting that the bge/em driver issues will be resolved prior to release, as those are just too important.
--Apple-Mail-7--181073445--

From owner-freebsd-security@FreeBSD.ORG Fri Oct 13 06:16:29 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8612716A403; Fri, 13 Oct 2006 06:16:29 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id B010943D53; Fri, 13 Oct 2006 06:16:28 +0000 (GMT) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 38C2246DF9; Fri, 13 Oct 2006 02:16:28 -0400 (EDT)
Date: Fri, 13 Oct 2006 07:16:26 +0100 (BST)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Garance A Drosihn
In-Reply-To:
Message-ID: <20061013071320.K84892@fledge.watson.org>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011151458.L97038@atlantis.atlantis.dp.ua> <20061011083021.C2780@treehorn.dfmm.org> <452D7351.6050804@obluda.cz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Dan Lukes , freebsd security , security-officer@freebsd.org, FreeBSD Stable
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Fri, 13 Oct 2006 06:16:29 -0000

On Wed, 11 Oct 2006, Garance A Drosihn wrote:

> Your 4.x system is not going to die when we EOL 4.x. We're only
> saying that it is not going to see any additional work on it in
> the official FreeBSD repository.

Actually, we're not even saying that. We're just saying that it will no longer be officially supported.
I anticipate that we will continue to see a gradual smattering of 4.x commits fixing critical bugs and so on; we just won't be covering it in security advisories, etc.

That said, I've worked hard over the last two or three months to phase out 4.x for my production servers, and was quite pleased with how easily the 6.x transition went on the last few remaining ones. One of the big motivating features for me to move forward was actually audit support, but then, I suppose it would be :-).

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-security@FreeBSD.ORG Fri Oct 13 06:21:04 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2214C16A4A0; Fri, 13 Oct 2006 06:21:04 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 552D143D7E; Fri, 13 Oct 2006 06:19:39 +0000 (GMT) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 9C8D846E1C; Fri, 13 Oct 2006 02:19:34 -0400 (EDT)
Date: Fri, 13 Oct 2006 07:19:34 +0100 (BST)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: "Simon L. Nielsen"
In-Reply-To: <20061012090620.GA1059@zaphod.nitro.dk>
Message-ID: <20061013071718.W84892@fledge.watson.org>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <452D4693.6010606@elischer.org> <200610121059.18889.pokui@psg.com> <20061012090620.GA1059@zaphod.nitro.dk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd security , Patrick Okui , freebsd-stable@freebsd.org, security-officer@freebsd.org
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Fri, 13 Oct 2006 06:21:04 -0000

On Thu, 12 Oct 2006, Simon L. Nielsen wrote:

> On 2006.10.12 10:59:18 +0300, Patrick Okui wrote:
>> One of my servers is colocated in a place on a different continent - which
>> is why I haven't been able to upgrade it beyond RELENG_4. Google turns up a
>> binary upgrade as the only way I can get to RELENG_6. Is this still the
>> case (because the logistics on arranging that are ... interesting) or is
>> there a relatively safe way to upgrade from RELENG_4 to RELENG_6 remotely?
>
> I have upgraded a system from 4.10 to 6.2 via 5.5 half a world away just
> using serial console (well and remote power, but that wasn't needed for the
> upgrade itself). I did this via buildworld etc. and it was actually quite
> painless, so it can be done. That said, of course there is always the risk
> that something will make it blow up.
>
> Note that you have to be careful to follow the guidelines to the letter (see
> the migration guide which was part of 5.3 or 5.4 docs AFAIR) for the 4.x ->
> 5.x part.

Ditto. I upgraded my cyrus mail server and kerberos server from 4.x to 6.x remotely from across the world and didn't have any problems.
The main caveat was to include the compat4.x stuff during the upgrade, and to make sure to be thorough when rebuilding ports and packages. I was careful to boot 6.x test kernels on all boxes to make sure all hardware probed, etc, before committing to the update. I would have felt a lot less comfortable without a serial console in hand, though.

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-security@FreeBSD.ORG Fri Oct 13 06:24:54 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4E9C516A4A0; Fri, 13 Oct 2006 06:24:54 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id C00A743D93; Fri, 13 Oct 2006 06:24:44 +0000 (GMT) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 09ADB46D39; Fri, 13 Oct 2006 02:24:42 -0400 (EDT)
Date: Fri, 13 Oct 2006 07:24:41 +0100 (BST)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Chris Laco
In-Reply-To: <4239A4FA4FF82E44AD6D215C41024B5C09601D01@exchange.summit.network>
Message-ID: <20061013072103.C84892@fledge.watson.org>
References: <4239A4FA4FF82E44AD6D215C41024B5C09601D01@exchange.summit.network>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Dan Lukes , Jason Stone , FreeBSD Stable , freebsd security , security-officer@freebsd.org, Garance A Drosihn
Subject: RE: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Fri, 13 Oct 2006 06:24:54 -0000

On Thu, 12 Oct 2006, Chris Laco wrote:

> Just a lurker, and FreeBSD user since late 3.0... From my personal
> experience of (4) 4.x machines and (1) 5.x machine, all on the same
> hardware, I've had more problems with my 5.x install than I ever did with my
> 4.x install. I'm afraid to even look to see if 6.0 will run on it.

6.x is a significantly more refined release series than 5.x ever was, and this is a result of a lot of very hard work. If you didn't like 5.x, you should try 6.x and see how it does for you. Don't assume that problems you may have experienced in 5.x persist. In particular, the whole world of ACPI has matured drastically in the last 3-4 years, which has resolved a lot of issues with hardware probing, etc, that existed in earlier 5.x releases. Part of this is vendors fixing their BIOSes, part of it is improvements in the Intel ACPI CA code, and part of it is adding blacklisting, workarounds, etc, for known BIOS problems. File system performance and stability have gone up drastically, as has network performance and stability.

So I would encourage you to re-evaluate in the 6.x world, ideally with the most recent 6.x release available. Undoubtedly there will be imperfections, but as I hope the 6.x release processes have revealed, we're working hard to resolve any issues.
Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-security@FreeBSD.ORG Fri Oct 13 12:39:38 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C295516A412; Fri, 13 Oct 2006 12:39:38 +0000 (UTC) (envelope-from des@des.no)
Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3634743D49; Fri, 13 Oct 2006 12:39:38 +0000 (GMT) (envelope-from des@des.no)
Received: from tim.des.no (localhost [127.0.0.1]) by spam.des.no (Postfix) with ESMTP id 548D020C7; Fri, 13 Oct 2006 14:39:31 +0200 (CEST)
X-Spam-Tests: AWL
X-Spam-Learn: disabled
X-Spam-Score: 0.0/3.0
X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on tim.des.no
Received: from dwp.des.no (des.no [80.203.243.180]) by tim.des.no (Postfix) with ESMTP id 3366320C6; Fri, 13 Oct 2006 14:39:31 +0200 (CEST)
Received: by dwp.des.no (Postfix, from userid 1001) id 0CD27B85E; Fri, 13 Oct 2006 14:39:31 +0200 (CEST)
From: des@des.no (Dag-Erling Smørgrav)
To: Chris Laco
References: <4239A4FA4FF82E44AD6D215C41024B5C09601D01@exchange.summit.network>
Date: Fri, 13 Oct 2006 14:39:30 +0200
In-Reply-To: <4239A4FA4FF82E44AD6D215C41024B5C09601D01@exchange.summit.network> (Chris Laco's message of "Thu, 12 Oct 2006 08:57:16 -0400")
Message-ID: <86odsgbda5.fsf@dwp.des.no>
User-Agent: Gnus/5.110004 (No Gnus v0.4) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: Dan Lukes , Jason Stone , FreeBSD Stable , freebsd security , security-officer@freebsd.org, Garance A Drosihn
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Fri, 13 Oct 2006 12:39:38 -0000

Chris Laco writes:
> From my personal experience of (4) 4.x machines and (1) 5.x machine,
> all on the same hardware, I've had more problems with my 5.x install
> than I ever did with my 4.x install. I'm afraid to even look to see
> if 6.0 will run on it.

The transition from 4.x to 5.x was very painful for a number of reasons (both technical and organisational), mainly having to do with trying to do too much at the same time. 6.x was a significant improvement in terms of stability and maturity, and hopefully 7.x will continue that trend.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Oct 13 16:20:57 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D1CF816A47E for ; Fri, 13 Oct 2006 16:20:57 +0000 (UTC) (envelope-from cmoulin@simplerezo.com)
Received: from mail.omnikles.com (omnicertisg-47-74.cnt.nerim.net [213.215.47.74]) by mx1.FreeBSD.org (Postfix) with ESMTP id E2CAD43D4C for ; Fri, 13 Oct 2006 16:20:56 +0000 (GMT) (envelope-from cmoulin@simplerezo.com)
Received: (qmail 32037 invoked by uid 98); 13 Oct 2006 18:20:55 +0200
Received: from 192.168.6.112 by poseidon.omnikles.net (envelope-from , uid 82) with qmail-scanner-1.25 (clamdscan: 0.88.1/1374. Clear:RC:1(192.168.6.112):. Processed in 0.186761 secs); 13 Oct 2006 16:20:55 -0000
X-Qmail-Scanner-Mail-From: cmoulin@simplerezo.com via poseidon.omnikles.net
X-Qmail-Scanner: 1.25 (Clear:RC:1(192.168.6.112):.
	Processed in 0.186761 secs)
Received: from unknown (HELO nb03) (192.168.6.112) by 192.168.6.18 with SMTP; 13 Oct 2006 18:20:54 +0200
From: Clément Moulin
To:
Date: Fri, 13 Oct 2006 18:20:53 +0200
Organization: SimpleRezo
Message-ID: <000a01c6eee3$8e56d500$7006a8c0@nb03>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Thread-Index: AcbuPJOx55/7T58HTHGk64uipnw0ngAo0tdg
In-Reply-To:
Subject: RE: I cannot upgrade openssl-stablr
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Fri, 13 Oct 2006 16:20:57 -0000

Dirk Meyer wrote:
>
> OPENSSL_OVERWRITE_BASE=yes
> should be used with extreme caution!
>
> This might break your base application in cases like this, when the base uses a different API than the ports one does.
>

That's totally true.

I was wondering if, to avoid ports problems with openssl (and maybe some other libs/important parts) - because some refer directly to the base openssl, others to the ports one -, we might try to find a way to have openssl - in a future release - in the base system as a kind of pre-installed port.

It will be very helpful too when security issues are discovered, because instead of patching the base system (and rebuilding the world...) we would only have to do a portupgrade... Saving time :)

Another point of interest in doing this is that the system will be reported insecure by portaudit...
OpenSSH should have the same treatment :)

--
Clément Moulin
SimpleRezo

From owner-freebsd-security@FreeBSD.ORG Fri Oct 13 16:21:20 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7CE7D16A500 for ; Fri, 13 Oct 2006 16:21:20 +0000 (UTC) (envelope-from marquis@roble.com)
Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3F3B343D46 for ; Fri, 13 Oct 2006 16:21:20 +0000 (GMT) (envelope-from marquis@roble.com)
Date: Fri, 13 Oct 2006 09:21:19 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@freebsd.org
In-Reply-To: <20061013120059.8232C16A5F6@hub.freebsd.org>
Message-ID: <20061013090533.C51590@ubfganzr>
References: <20061013120059.8232C16A5F6@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: Re: I cannot upgrade openssl-stablr
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Fri, 13 Oct 2006 16:21:20 -0000

Dirk Meyer wrote:
>> Try adding OPENSSL_OVERWRITE_BASE=yes into your /etc/make.conf
>> file, and try again. You can also define that variable at build
>> time, but having it in make.conf keeps it there for future
>> reference.
>
> OPENSSL_OVERWRITE_BASE=yes should be used with extreme caution!

I disagree, never having had a problem with OPENSSL_OVERWRITE_BASE.

> This might break your base application in cases like this, when
> the base uses a different API than the ports one does.

That would be a version mismatch, not really related to overwriting the base port.
Indeed, if you install openssl without OPENSSL_OVERWRITE_BASE you will have two different versions on your system, which is much more of a sysadmin headache than an easily diagnosed version mismatch.

For the same reason I recommend OPENSSH_OVERWRITE_BASE, NO_MAILWRAPPER, NO_SENDMAIL, NO_OPENSSH, NO_OPENSSL, NO_BIND, and PORT_REPLACES_BASE_BIND8 or PORT_REPLACES_BASE_BIND9 as well.

OPENSSL_OVERWRITE_BASE should be the default, but consider adding WITH_OPENSSL_097 to prevent automatic incompatible version upgrades. Most of the sites I consult with have stuck with the 0.9.7 branch for compatibility reasons.

Is it still the case that 'make *world' cannot parse OPENSSL_OVERWRITE_BASE and requires NO_OPENSSL instead?

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG Fri Oct 13 17:04:56 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8219B16A4A7; Fri, 13 Oct 2006 17:04:56 +0000 (UTC) (envelope-from brett@lariat.net)
Received: from lariat.net (lariat.net [65.122.236.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4AF2C43D45; Fri, 13 Oct 2006 17:04:50 +0000 (GMT) (envelope-from brett@lariat.net)
Received: from anne-o1dpaayth1.lariat.org (IDENT:ppp1000.lariat.net@lariat.net [65.122.236.2]) by lariat.net (8.9.3/8.9.3) with ESMTP id LAA08076; Fri, 13 Oct 2006 11:04:31 -0600 (MDT)
Message-Id: <200610131704.LAA08076@lariat.net>
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Fri, 13 Oct 2006 10:28:41 -0600
To: Dan Lukes , Mark Linimon
From: Brett Glass
In-Reply-To: <452D1033.8050003@obluda.cz>
References: <451F6E8E.8020301@freebsd.org> <20061011102106.GY1594@obiwan.tataz.chchile.org> <20061011114110.GA23653@soaustin.net> <452D1033.8050003@obluda.cz>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mailman-Approved-At: Fri, 13 Oct 2006 17:24:11 +0000
Cc: freebsd security , security-officer@freebsd.org, Jeremie Le Hen , FreeBSD Stable
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Fri, 13 Oct 2006 17:04:56 -0000

At 09:39 AM 10/11/2006, Dan Lukes wrote:

> Even if no new ports will be compilable on 4.x, even if
> the old ports will not be updated with exception of update caused
> by security bug, I vote for delaying EOL of 4.11

I would second that vote. Yes, some of the new enhancements in 6.x are nice to have, but there's something to be said for an older, leaner, meaner, extremely well tested system that "just works" and consumes less memory and fewer computing resources. Just this week, we looked at the status of 6.2 (still just a bit shaky) and its resource consumption (about 40% greater than 4.11) and opted to build another 4.11 server. This wasn't intended as a slight to 6.x; it was just the right thing to do under the circumstances.

I also build embedded systems based on 4.11. I sometimes have to backport subtle kernel fixes myself, but it's worth it.

IMHO, the FreeBSD Project should have some mechanism for recognizing the fact that in some cases (especially embedded systems and slower hardware) a really good, solid older implementation is the right choice and is worth maintaining.
(And that's no April Fool's Day joke.) To do this doesn't constitute a "fork" and is of enough value to warrant a bit of developer time (though obviously different developers will take different amounts of interest in maintaining "classic" releases). --Brett Glass From owner-freebsd-security@FreeBSD.ORG Fri Oct 13 19:36:29 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CA2E116A47C for ; Fri, 13 Oct 2006 19:36:29 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk) Received: from mx.nitro.dk (zarniwoop.nitro.dk [83.92.207.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2692043D73 for ; Fri, 13 Oct 2006 19:36:28 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: from zaphod.nitro.dk (unknown [192.168.3.39]) by mx.nitro.dk (Postfix) with ESMTP id 46A8B300BC7; Fri, 13 Oct 2006 19:36:27 +0000 (UTC) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id AFB231142D; Fri, 13 Oct 2006 21:36:26 +0200 (CEST) Date: Fri, 13 Oct 2006 21:36:25 +0200 From: "Simon L. Nielsen" To: Roger Marquis Message-ID: <20061013193625.GC1012@zaphod.nitro.dk> References: <20061013120059.8232C16A5F6@hub.freebsd.org> <20061013090533.C51590@ubfganzr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20061013090533.C51590@ubfganzr> User-Agent: Mutt/1.5.11 Cc: freebsd-security@freebsd.org Subject: Re: I cannot upgrade openssl-stablr X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Oct 2006 19:36:29 -0000 On 2006.10.13 09:21:19 -0700, Roger Marquis wrote: > Is it still the case that 'make *world' cannot parse > OPENSSL_OVERWRITE_BASE and requires NO_OPENSSL instead? 
Yes, since OPENSSL_OVERWRITE_BASE is a ports knob, the base system doesn't use it.

-- 
Simon L. Nielsen

From owner-freebsd-security@FreeBSD.ORG Fri Oct 13 23:28:22 2006
Date: Sat, 14 Oct 2006 00:28:20 +0100 (BST)
From: Robert Watson
To: Jeremie Le Hen
Cc: Jason Stone, Doug Barton, FreeBSD Stable, freebsd security, security-officer@freebsd.org, re@freebsd.org
Message-ID: <20061014002315.S96390@fledge.watson.org>
In-Reply-To: <20061012100410.GH1594@obiwan.tataz.chchile.org>
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon

On Thu, 12 Oct 2006, Jeremie Le Hen wrote:

> I am all for it.
>
> According to this thread, it appears the 4.x branch is still used for
> whatever reasons, may they be perceived good or bad depends on one's own
> consideration and feeling. If the FreeBSD Project is going to relinquish
> RELENG_4 support because of lack of interest from the developers -- and I
> can understand this --, it would not hurt though to arrange a place where
> people still interested in RELENG_4 could talk together, exchange tricks
> and patches and so to continue a kind of unofficial support.
>
> Although this may appear as a loose and slack support, it is yet better than
> having nothing, IMHO.

FWIW, it's important to remember that what the security officer is doing is not saying that 4.x cannot be supported, it's saying that they no longer guarantee it will be supported. If someone decides to support 4.x anyway, then that's not a problem. This is more about recognizing the reality that the vast majority of new work on FreeBSD is on the 7.x and 6.x branches.

If there are people who want to continue to support 4.x, there's nothing preventing them from doing that. Existing FreeBSD developers will still be able to commit to the 4.x branches. We will still be able to give commit access to people who turn up who show consistent contributions (and all the normal criteria for a new committer) and are interested in continuing to support 4.x. This is a community project: if people turn up to do the work, and do it well, we're not going to stop them.

"Official" support has to do with recognizing that we're doing a good job in supporting something, and that the hands are there to do it. What we're trying to avoid here by announcing EOLs is people incorrectly assuming that something that is not being supported is being supported.
Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-security@FreeBSD.ORG Sat Oct 14 08:38:46 2006
Date: Sat, 14 Oct 2006 09:38:38 +0100 (BST)
From: "Dominic Marks"
To: freebsd-security@freebsd.org
Message-ID: <50037.82.69.13.6.1160815118.squirrel@mail.helenmarks.co.uk>
In-Reply-To: <200610131704.LAA08076@lariat.net>
Subject: Re: [fbsd] HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon

> IMHO, The FreeBSD Project should have some mechanism for
> recognizing the fact that in some cases (especially embedded
> systems and slower hardware) a really good, solid older
> implementation is the right choice and is worth maintaining. (And
> that's no April Fool's Day joke.) To do this doesn't constitute a
> "fork" and is of enough value to warrant a bit of developer time
> (though obviously different developers will take different amounts
> of interest in maintaining "classic" releases).

If enough people want 4.x to continue being supported they should put up their hands and find a company willing to back it. You can't ask developers to spend time on a specific thing, as has been discussed, but it sounds to me like a lot of people are running business applications on 4.x and are quite happy as they are. Now you just have to find someone/some company which you can pay for this pleasure. Sadly I have neither the time nor sufficient skills to do this, but I might if I did. In an ideal world paying for 'long life' support of 4.x might even fund developers to work on 6 and 7.
Dominic

From owner-freebsd-security@FreeBSD.ORG Sat Oct 14 08:09:39 2006
Date: Sat, 14 Oct 2006 10:12:11 +0200
From: Harald Muehlboeck
To: freebsd security
Message-ID: <86odsfmi3o.fsf@tuha.clef.at>
In-Reply-To: <452C25A2.6080809@freebsd.org> (Colin Percival's message of "Tue, 10 Oct 2006 15:58:42 -0700")
Subject: Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability

Colin Percival writes:

>> "The policy of the FreeBSD Security Team is that local denial of service
>> bugs not be treated as security issues; it is possible that this problem
>> will be corrected in a future Erratum."
>
> If there was any potential for
> (a) privilege escalation,
> (b) disclosure of potentially sensitive information, or
> (c) denial of service by a non-authenticated attacker,
> we would have issued a security advisory.

I am missing this information on . The site does not say which bugs are treated as security issues and which are not. Perhaps these three points above can be added to the website.

From owner-freebsd-security@FreeBSD.ORG Sat Oct 14 08:50:23 2006
Date: Sat, 14 Oct 2006 16:50:09 +0800
From: "Zhang Ye"
To: "'Borja Marcos'"
Cc: freebsd-security@freebsd.org
Message-ID: <000601c6ef6d$c50dfda0$0b00a8c0@zhangamuufcjz4>
In-Reply-To: <588E5B66-F621-4639-9F56-A65A2DFC471A@SARENET.ES>
Subject: Re: Proposal: MAC_BIBA and real-world usage

Hello Borja,

I think you may use the "multilabel" with the combination of both Biba and Bell-LaPadula (Multi-Level) access control models to overcome it (just like Lipner's). And there SHOULD be a discretionary mechanism in the Bell-LaPadula model, but I don't know whether or not there is one in FreeBSD.

Moreover, Biba (and Bell-LaPadula) is more suitable in a military scenario. And there are many models, such as the "Chinese Wall" model, for the commerce environment. They are more flexible.

Zhang Ye

-----original message-----

Hello,

Are there many people actually using the MAC subsystem in the real world? I have been working to set up a shared hosting webserver and I've stumbled against some limitations with the BIBA policy.

In short, it's an excellent model, and can be used successfully if applications are aware of its existence, but I find it incompatible with the real-world needs in Unix, and, worse, when none of the applications we are using are prepared to take advantage of it. So it should be as transparent as possible.

I started the project with some goals:

1) Users are kept isolated. This isn't so obvious, as by design Apache should run as an unprivileged user. The mac_bsdextended policy can implement an additional layer of security. In my case, hosting users are given uids belonging to an interval, and there is a ugidfw rule that states that subjects with a uid within that range can only access objects belonging to the same user in case their uid is within the interval as well. I didn't use MAC compartments because there is a limit on the number of compartments.

Users are allowed to run CGIs and PHP scripts, and PHP is run as a CGI, so that each process will have the uid of its owner. Launching PHP as a CGI hurts performance, but this is a server for relatively low-volume sites, and security is much more important.

2) OS Integrity. Apache is launched with biba/low(low-low) credentials.

3) Defacements should be prevented. At least processes spawned from Apache should not be able to modify any files in the system, except at designated directories in case PHP scripts or CGI programs need to write something to the disk. This is naturally done with MAC_BIBA. We launch Apache with biba/low(low-low) credentials.

4) FTP access for site maintenance. We assign each user an account, which will be used to update their files. The ftp accounts have a low integrity credential assigned, but anyway higher than biba/low so that files uploaded by users are safe from being modified by Apache.

However, this has a problem: Files created/modified from PHP and/or CGIs will be labelled biba/low. And the ftp process, with, say, biba/100, will be unable to read them. We could create two user accounts per user but it's just too confusing and error prone.

What about adding a discretionary mechanism to MAC_BIBA? It would be useful to have the possibility of implementing half of the BIBA protection, preventing high integrity objects from being modified by low integrity subjects, but allowing high integrity subjects to read low-integrity objects.

Of course it weakens the BIBA model, but used wisely it could really help. Instead of a global sysctl flag, which would disable one of the great BIBA features, it could be done selectively for some processes (in my case, ftp accounts) specifying a negative value.

So, a subject with biba/-N would be:

- unable to modify objects with a higher than N integrity level
- able to read objects with a lower than N integrity level, instead of being limited to objects with an integrity level equal to N.

What do you think? Any ideas?

Borja.

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
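The strict Biba checks and the discretionary biba/-N subject that Borja proposes in the quoted message above, as an added Python model for the hosting scenario he describes (Apache at biba/low, an FTP account at biba/100, a PHP-created file at biba/low). This is not FreeBSD's mac_biba code nor either poster's; the numeric values for low and high, the grade-only labels (compartments ignored) and the scenario's file labels are assumptions.

```python
"""Toy model of Biba integrity checks as used in the thread, plus the
proposed discretionary "biba/-N" subject label.

Assumptions (not taken from FreeBSD): labels look like "biba/<grade>" where
<grade> is "low", "high" or an integer; a trailing compartment list such as
"(low-low)" is ignored; low is grade 0 and high is grade 65535.
"""

LOW, HIGH = 0, 65535  # assumed numeric grades for biba/low and biba/high


def parse_grade(label: str) -> int:
    """'biba/low' -> 0, 'biba/high' -> 65535, 'biba/100' -> 100, 'biba/-100' -> -100."""
    policy, _, grade = label.partition("/")
    if policy != "biba" or not grade:
        raise ValueError(f"not a biba label: {label!r}")
    grade = grade.split("(")[0]  # drop a compartment range such as "(low-low)"
    if grade == "low":
        return LOW
    if grade == "high":
        return HIGH
    return int(grade)


def biba_allows(subject: str, op: str, obj: str) -> bool:
    """Strict Biba: no read down, no write up.  A negative subject grade is
    the proposed discretionary subject: it may read any object but the
    write rule is unchanged, so it still cannot modify higher-integrity files."""
    s, o = parse_grade(subject), parse_grade(obj)
    discretionary = s < 0
    n = abs(s)
    if op == "read":
        return True if discretionary else o >= n
    if op == "write":
        return o <= n
    raise ValueError(f"unknown operation {op!r}")


def scenario(ftp_label: str) -> dict:
    """The hosting setup from the thread with the FTP account at ftp_label.
    File labels are constructed for the example."""
    apache = "biba/low(low-low)"
    php_file, uploaded, system = "biba/low", "biba/100", "biba/high"
    return {
        "apache_defaces_upload": biba_allows(apache, "write", uploaded),
        "apache_writes_system": biba_allows(apache, "write", system),
        "ftp_reads_php_file": biba_allows(ftp_label, "read", php_file),
        "ftp_writes_upload": biba_allows(ftp_label, "write", uploaded),
        "ftp_writes_system": biba_allows(ftp_label, "write", system),
    }


if __name__ == "__main__":
    # biba/100 shows the problem (ftp cannot read PHP output);
    # biba/-100 shows the proposal fixing it without allowing write-up.
    for label in ("biba/100", "biba/-100"):
        print(label, scenario(label))
```

Under both labels the defacement and OS-integrity goals (Apache cannot write the upload or system files, ftp cannot write system files) still hold; only the read-down result changes.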