From: Bryan Drewery
Date: Wed, 20 Aug 2014 11:34:22 -0500
To: Ports FreeBSD, pkg@freebsd.org
Subject: [CFT] SSP Package Repository available

On 9/21/2013 5:49 AM, Bryan Drewery wrote:
> Ports now support enabling Stack Protector [1] support on FreeBSD 10
> i386 and amd64, and older releases on amd64 only currently.
>
> Support may be added for earlier i386 releases once all ports properly
> respect LDFLAGS.
>
> To enable, just add WITH_SSP=yes to your make.conf and rebuild all ports.
>
> The default SSP_CFLAGS is -fstack-protector, but -fstack-protector-all
> may optionally be set instead.
>
> Please help test this on your system. We would like to eventually enable
> this by default, but need to identify any major ports that have run-time
> issues due to it.
>
> [1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
>

We have not had any feedback on this yet and want to get it enabled by
default for ports and packages.

We now have a repository that you can use rather than the default to
help test. We need your help to identify any issues before switching the
default.

This repository is available for:

  head
  10.0
  9.1,9.2,9.3

It is not available for 8.4. If someone is willing to test on 8.4 I will
build a repository for it.

Place this in /usr/local/etc/pkgs/repos/FreeBSD_ssp.conf:

FreeBSD: {
  enabled: no
}
FreeBSD_ssp: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/ssp",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

Once that is done you should force reinstall packages from this repository:

  pkg update
  pkg upgrade -f

Thanks for your help!

Bryan Drewery
On behalf of portmgr.
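
Added example, not part of the original message or of any portmgr tooling: one way to spot-check, after the forced reinstall, that installed ELF files reference the stack-protector runtime symbols. It assumes readelf is available on the system; the function names and the script name ssp_audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message): check ELF files installed
# from the SSP repository for references to the stack-protector runtime.

# Read a symbol listing (readelf -s or nm output) on stdin and print "ssp"
# if it references __stack_chk_fail, __stack_chk_fail_local or
# __stack_chk_guard as a whole symbol name, otherwise "none".
ssp_from_symbols() {
    if grep -Eq '(^|[^A-Za-z0-9_])__stack_chk_(fail|fail_local|guard)([^A-Za-z0-9_]|$)'; then
        echo ssp
    else
        echo none
    fi
}

# Classify one file: "not-elf", "ssp" or "none".
check_file() {
    readelf -h "$1" >/dev/null 2>&1 || { echo not-elf; return 0; }
    readelf -Ws "$1" 2>/dev/null | ssp_from_symbols
}

# Audit every path given; return 1 if any ELF file shows no canary reference.
# "none" is a lead, not proof: -fstack-protector only instruments functions
# with local buffers (or alloca), and stripped static binaries carry no
# symbol names to inspect.
audit() {
    rc=0
    for f in "$@"; do
        r=$(check_file "$f")
        printf '%s\t%s\n' "$r" "$f"
        if [ "$r" = none ]; then rc=1; fi
    done
    return "$rc"
}

# Example: sh ssp_audit.sh /usr/local/bin/* /usr/local/lib/*.so
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

Files reported as "none" are the ones to rebuild locally with -fstack-protector-all and recheck before concluding the package was built without SSP.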