From: List Monkey
Date: Mon, 22 Sep 2014 11:10:25 +0200
To: freebsd-security@freebsd.org
Subject: ossec hit: Hidden process (rootkit)

I'm running FreeBSD as a VM. I recently got a hit from the ossec agent:

OSSEC HIDS Notification.
2014 Aug 28 03:01:34

Received From: (host) xxx.xxx.xxx.xxx->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Process '9990' hidden from kill (1), getsid (0) or getpgid. Possible kernel-level rootkit.

It took a couple of days for me to respond to the alert but I could not
find the process.
Is there any reason this could be explained because FreeBSD is running
as a VM?
Any other thoughts?
__
Arne

From: Dimitry Andric
Date: Mon, 22 Sep 2014 16:57:06 +0200
To: List Monkey
Cc: freebsd-security@freebsd.org
Subject: Re: ossec hit: Hidden process (rootkit)

On 22 Sep 2014, at 11:10, List Monkey wrote:
> I'm running FreeBSD as a VM. I recently got a hit from the ossec agent:
>
> OSSEC HIDS Notification.
> 2014 Aug 28 03:01:34
>
> Received From: (host) xxx.xxx.xxx.xxx->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Process '9990' hidden from kill (1), getsid (0) or getpgid. Possible kernel-level rootkit.
>
> It took a couple of days for me to respond to the alert but I could not
> find the process.
> Is there any reason this could be explained because FreeBSD is running
> as a VM?
> Any other thoughts?

Maybe the ossec agent software is overly paranoid, or simply missed a
very short-lived process? It's hard to say without more information.

-Dimitry

From: Brandon Vincent
Date: Mon, 22 Sep 2014 17:29:39 -0700
To: List Monkey
Cc: freebsd-security@freebsd.org
Subject: Re: ossec hit: Hidden process (rootkit)

On Mon, Sep 22, 2014 at 2:10 AM, List Monkey wrote:
> Any other thoughts?

If you run ossec-rootcheck manually do you still get an alert?

Brandon Vincent

From: List Monkey
Date: Tue, 23 Sep 2014 11:51:56 +0200
To: Brandon Vincent
Cc: freebsd-security@freebsd.org
Subject: Re: ossec hit: Hidden process (rootkit)

Brandon,

The ossec-rootcheck is not present on my install (has it been deprecated?)
I am able to use the agent-control to force a complete run. It runs
without error.

Arne

On 23. sep. 2014 02:29, Brandon Vincent wrote:
> On Mon, Sep 22, 2014 at 2:10 AM, List Monkey wrote:
>> Any other thoughts?
> If you run ossec-rootcheck manually do you still get an alert?
>
> Brandon Vincent

From: Brandon Vincent
Date: Tue, 23 Sep 2014 10:33:54 -0700
To: List Monkey
Cc: freebsd-security@freebsd.org
Subject: Re: ossec hit: Hidden process (rootkit)

On Tue, Sep 23, 2014 at 2:51 AM, List Monkey wrote:
> The ossec-rootcheck is not present on my install (has it been deprecated?)
> I am able to use the agent-control to force a complete run. It runs
> without error.

Without more information, I would have to say it is likely a false
positive. A binary is probably not returning the value OSSEC is
expecting in regards to the system calls getsid() and kill() and the
output of ps. This is common with less popular operating systems since
the majority of individuals who use OSSEC run it on GNU/Linux. I know
this has happened with OSSEC + IBM AIX on occasion.

Brandon Vincent

From: Erik Stian Tefre
Date: Thu, 25 Sep 2014 15:21:04 +0200
To: freebsd-security@freebsd.org
Subject: Bash ShellShock bug(s)

I hereby declare the bash ShellShock bug(s) worthy of mention.

Yes, bash is just a port in FreeBSD, but:
Hundreds of other ports (including network accessible ports) seem to
depend on shells/bash. (Figuring out if they use it in a vulnerable way
or not is left as an exercise for the reader.)
Custom/third party apps might also be using bash.
Some users prefer to chsh -s bash.
[> Insert your favourite reason to patch here <]

References to the ShellShock bug(s):
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
^ Seems to be patched in ports, bash >= 4.3.25.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
^ Patch does not yet exist?

Here's a little copy-and-paste exercise for verifying CVE-2014-6271
vulnerability:
env var='() { ignore this;}; echo vulnerable' bash -c /usr/bin/true

--
Erik

From: Bryan Drewery
Date: Thu, 25 Sep 2014 11:57:38 -0500
To: freebsd-ports@freebsd.org, freebsd-security
Subject: Re: bash velnerability

On 9/25/2014 11:13 AM, Jung-uk Kim wrote:
> On 2014-09-25 02:54:06 -0400, Koichiro Iwao wrote:
>> Please let me make corrections. The "shellshock" bash
>> vulnerabilities are described by 2 CVEs. - CVE-2014-6271 -
>> CVE-2014-7169
>>
>> The first CVE is already fixed in latest freebsd ports tree
>> (r369185), so far the second CVE is not fixed yet.
>
> CVE-2014-7169 is fixed now (r369261).
>
> http://svnweb.freebsd.org/changeset/ports/369261
>
> Note the commit log says CVE-2014-3659 but it was actually reassigned
> as CVE-2014-7169.
>
> Jung-uk Kim
>

The port is fixed with all known public exploits. The package is
building currently.

However bash still allows the crazy exporting of functions and may still
have other parser bugs. I would recommend for the immediate future not
using bash for forced ssh commands as well as these guidelines:

1. Do not ever link /bin/sh to bash. This is why it is such a big
   problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don't write CGI in shell script / Stop using CGI :)
4. httpd/CGId should never run as root, nor "apache". Sandbox each
   application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be
   written in bash.

Cheers,
Bryan Drewery

From: Chris Nehren
Date: Thu, 25 Sep 2014 15:35:55 -0400
To: freebsd-security@freebsd.org
Subject: Re: bash velnerability

On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote:
> 1. Do not ever link /bin/sh to bash. This is why it is such a big
> problem on Linux, as system(3) will run bash by default from CGI.

I would think that this would cause other, more fundamental,
issues. FreeBSD's system don't expect /bin/sh to be bash,
and I wouldn't be surprised if they break for whatever reason.

> 2. Web/CGI users should have shell of /sbin/nologin.
> 3. Don't write CGI in shell script / Stop using CGI :)
> 4. httpd/CGId should never run as root, nor "apache". Sandbox each
> application into its own user.

And its own jail. Jails with ZFS are dirt cheap.

--
Chris Nehren

From: Steve Clement
Date: Fri, 26 Sep 2014 09:36:55 +0200
To: Bryan Drewery
Cc: freebsd-security, freebsd-ports@freebsd.org
Subject: Re: bash velnerability

Dear all,

In case you urgently need to go the manual route, here is one way to
really patch your systems:

https://www.circl.lu/pub/tr-27/

Until the patch is in the bash upstream... (which it might be by now)

Take care,

--
Steve Clement
CIRCL - Computer Incident Response Center Luxembourg
Awareness raising, incident handling
A: 41, Av. de la Gare L-1611 Luxembourg
T: (352) 274 00 98 604
F: (352) 274 00 98 698
E: info@circl.lu
W: www.circl.lu

On Sep 25, 2014, at 6:57 PM, Bryan Drewery wrote:

> The port is fixed with all known public exploits. The package is
> building currently.

From: Slawa Olhovchenkov
Date: Fri, 26 Sep 2014 16:38:03 +0400
To: Chris Nehren
Cc: freebsd-security@freebsd.org
Subject: Re: bash velnerability

On Thu, Sep 25, 2014 at 03:35:55PM -0400, Chris Nehren wrote:

> On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote:
> > 1. Do not ever link /bin/sh to bash. This is why it is such a big
> > problem on Linux, as system(3) will run bash by default from CGI.
>
> I would think that this would cause other, more fundamental,
> issues. FreeBSD's system don't expect /bin/sh to be bash,
> and I wouldn't be surprised if they break for whatever reason.
>
> > 2. Web/CGI users should have shell of /sbin/nologin.
> > 3. Don't write CGI in shell script / Stop using CGI :)
> > 4. httpd/CGId should never run as root, nor "apache". Sandbox each
> > application into its own user.
>
> And its own jail. Jails with ZFS are dirt cheap.

For goodness of jail with ZFS we need fixing unionfs and devfs.
cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 26 Sep 2014 08:53:51 -0700 (PDT) User-Agent: K-9 Mail for Android In-Reply-To: References: <541FE781.2080505@gmail.com> <542142BC.2000409@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 Subject: Re: ossec hit: Hidden process (rootkit) From: Bw Date: Fri, 26 Sep 2014 10:21:29 +0300 To: List Monkey Message-ID: <39A16A80-547B-4AAA-AC5E-E5FBB371332B@gmail.com> Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Sep 2014 15:53:54 -0000 On 23 September 2014 20:33:54 EEST, Brandon Vincent wrote: >On Tue, Sep 23, 2014 at 2:51 AM, List Monkey >wrote: >> The ossec-rootcheck is not present on my install (has it been >deprecated?) >> I am able to use the agent-control to force a complete run. It runs >> without error. > >Without more information, I would have to say it is likely a false >positive. A binary is probably not returning the value OSSEC is >expecting in regards to the system calls getsid() and kill() and the >output of ps. This is common with less popular operating systems since >the majority of individuals who use OSSEC run it on GNU/Linux. I know >this has happened with OSSEC + IBM AIX on occasion. Just to confirm that I got that several times before, too. Figured the process has gone away between checks. 
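An added example, not part of any message in this thread and not OSSEC's code: a Python sketch of the kind of cross-check the alert text names (kill(), getsid() and getpgid() compared for one PID), with a re-probe so that a process exiting between calls, the explanation offered above, is reported as transient rather than as hidden. The function names, verdict strings and scripted answers are assumptions made for illustration.

```python
import os
import time


def probe(pid):
    """Ask the kernel about one PID three ways.

    Returns (kill_sees, getsid_sees, getpgid_sees); True means the call
    reports that the process exists.
    """
    def sees(call):
        try:
            call(pid)
            return True
        except PermissionError:
            # EPERM: the process exists, we just may not touch it.
            return True
        except ProcessLookupError:
            # ESRCH: no such process.
            return False

    return (
        sees(lambda p: os.kill(p, 0)),  # signal 0 tests existence only
        sees(os.getsid),
        sees(os.getpgid),
    )


def classify(pid, probe_fn=None, rechecks=2, delay=0.05):
    """Turn the three answers into a verdict, re-probing on disagreement.

    present / absent : all three calls agreed on the first probe
    transient        : they disagreed once, then agreed (start/exit race)
    suspicious       : they kept disagreeing across every re-probe
    """
    probe_fn = probe_fn or probe
    first = probe_fn(pid)
    if len(set(first)) == 1:
        return "present" if first[0] else "absent"
    for _ in range(rechecks):
        time.sleep(delay)  # give an exiting process time to finish dying
        if len(set(probe_fn(pid))) == 1:
            return "transient"
    return "suspicious"


def scripted_probe(answers):
    """Constructed stand-in for probe(): replays a fixed list of answers."""
    replay = iter(answers)
    return lambda pid: next(replay)


def demo():
    """Run classify() on this process and on two constructed scenarios."""
    # Scenario 1: the process exits after kill() saw it but before getsid().
    exited = scripted_probe([(True, False, False), (False, False, False)])
    # Scenario 2: kill() never sees the PID while getsid()/getpgid() always do.
    hidden = scripted_probe([(False, True, True)] * 3)
    return {
        "self": classify(os.getpid()),
        "exited_mid_check": classify(9990, probe_fn=exited, delay=0),
        "persistently_inconsistent": classify(9990, probe_fn=hidden, delay=0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Only the "suspicious" verdict is worth an alert; a single inconsistent probe on a busy host is expected whenever short-lived processes exit during the sweep.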
From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 16:29:48 2014
Date: Fri, 26 Sep 2014 18:29:38 +0200
From: Robert Joosten
To: freebsd-security@freebsd.org
Subject: Re: Bash ShellShock bug(s)

Hi,

> Yes, bash is just a port in FreeBSD, but:

What about /bin/sh ?

Regards,
Robert

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 16:31:16 2014
Date: Fri, 26 Sep 2014 12:31:14 -0400
From: Nathan Dorfman
To: Robert Joosten
Cc: freebsd-security@freebsd.org
Subject: Re: Bash ShellShock bug(s)

On Fri, Sep 26, 2014 at 12:29 PM, Robert Joosten wrote:
> What about /bin/sh ?

/bin/sh isn't bash on FreeBSD and doesn't have this problem.

-nd.

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 16:46:39 2014
Date: Fri, 26 Sep 2014 18:46:38 +0200
From: Bartek Rutkowski
To: Bryan Drewery
Cc: freebsd-security, freebsd-ports
Subject: Re: bash velnerability

On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery wrote:
> On 9/26/2014 2:36 AM, Steve Clement wrote:
>> Dear all,
>>
>> In case you urgently need to go the manual route, here is one way to really patch your systems:
>>
>> https://www.circl.lu/pub/tr-27/
>>
>> Until the patch is in the bash upstream… (which it might be by now)
>>
>> Take care,
>>
>
> The port has had the fixes since yesterday. The packages are building.
>
> --
> Regards,
> Bryan Drewery
>

Apparently, the full fix is still not delivered, accordingly to this:
http://seclists.org/oss-sec/2014/q3/741

Kind regards,
Bartek Rutkowski

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 15:25:23 2014
Date: Fri, 26 Sep 2014 08:25:12 -0700
From: Paul Hoffman
To: freebsd-security@freebsd.org
Subject: pkg repositories out of alignment (was: Re: bash velnerability)

Just a note that the pkg repo for 10 seems to be far advanced over that for 9.3. That is, the bash fix appeared in the 10 repo yesterday (or earlier), but it still not in the 9.3 repo. Here's what I'm seeing on a 9.3 box right now:

# sudo pkg update
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
# sudo pkg audit
bash-4.3.24 is vulnerable:
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: http://portaudit.FreeBSD.org/71ad81da-4414-11e4-a33e-3c970e169bc2.html

1 problem(s) in the installed packages found.
# sudo pkg upgrade bash
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
Your packages are up to date.

I appreciate the speed that folks update the packages; I'm a bit distressed that 9.3 seems to be a second-class citizen for security fixes. (And I totally admit that I could be misreading the situation.)

--Paul Hoffman

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 19:55:11 2014
Date: Fri, 26 Sep 2014 14:55:03 -0500
From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: pkg repositories out of alignment (was: Re: bash velnerability)

On Fri, Sep 26, 2014, at 10:25, Paul Hoffman wrote:
>
> I appreciate the speed that folks update the packages; I'm a bit
> distressed that 9.3 seems to be a second-class citizen for security
> fixes. (And I totally admit that I could be misreading the situation.)
>

(speaking strictly as a consumer of the pkg repository)

I am not aware of any other packages with security vulnerabilities that have been updated on the repository outside of the planned once-a-week schedule. This means if the package set is built and published and immediately thereafter a vulnerability comes out for www/chromium, don't expect to see the update until next week.

There is a desire to solve this problem and it is not simple solution. Keep in mind that the ports tree existed for 20 years now expecting people to consume it from source, not from packages. I've witnessed the ports team and ports-mgmt/pkg authors perform miracles over the last 2 years and they have further plans to modernize the architecture.

FYI, the repositories are built sequentially and I don't think there's a preference of a certain release over another. They're working hard to get these updated packages out the door as fast as possible.
From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 16:40:19 2014
Date: Fri, 26 Sep 2014 11:40:03 -0500
From: Bryan Drewery
Cc: freebsd-security, freebsd-ports@freebsd.org
Subject: Re: bash velnerability

On 9/26/2014 2:36 AM, Steve Clement wrote:
> Dear all,
>
> In case you urgently need to go the manual route, here is one way to really patch your systems:
>
> https://www.circl.lu/pub/tr-27/
>
> Until the patch is in the bash upstream… (which it might be by now)
>
> Take care,
>

The port has had the fixes since yesterday. The packages are building.

--
Regards,
Bryan Drewery

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 16:51:51 2014
Date: Fri, 26 Sep 2014 11:51:38 -0500
From: Bryan Drewery
To: Bartek Rutkowski
Cc: freebsd-security, freebsd-ports
Subject: Re: bash velnerability

On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery wrote:
>> On 9/26/2014 2:36 AM, Steve Clement wrote:
>>> Dear all,
>>>
>>> In case you urgently need to go the manual route, here is one way to really patch your systems:
>>>
>>> https://www.circl.lu/pub/tr-27/
>>>
>>> Until the patch is in the bash upstream… (which it might be by now)
>>>
>>> Take care,
>>>
>>
>> The port has had the fixes since yesterday. The packages are building.
>>
>> --
>> Regards,
>> Bryan Drewery
>>
>
> Apparently, the full fix is still not delivered, accordingly to this:
> http://seclists.org/oss-sec/2014/q3/741
>
> Kind regards,
> Bartek Rutkowski
>

I'm pretty sure they call that a "feature". This is a bit different.
This is modifying the command used to call a function as the feature
intends. The vulnerability was that just parsing the environment would
execute the code.

TL;DR; You should cleanse your environment and only accept valid input
to work around this feature. The bash developer (Chet) said he would not
remove it by default, at least a few days ago.

--
Regards,
Bryan Drewery

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 17:41:42 2014
Date: Fri, 26 Sep 2014 12:41:28 -0500
From: Bryan Drewery
Cc: freebsd-security, freebsd-ports
Subject: Re: bash velnerability

On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>> On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery wrote:
>>> On 9/26/2014 2:36 AM, Steve Clement wrote:
>>>> Dear all,
>>>>
>>>> In case you urgently need to go the manual route, here is one way to really patch your systems:
>>>>
>>>> https://www.circl.lu/pub/tr-27/
>>>>
>>>> Until the patch is in the bash upstream… (which it might be by now)
>>>>
>>>> Take care,
>>>>
>>>
>>> The port has had the fixes since yesterday. The packages are building.
>>>
>>> --
>>> Regards,
>>> Bryan Drewery
>>>
>>
>> Apparently, the full fix is still not delivered, accordingly to this:
>> http://seclists.org/oss-sec/2014/q3/741
>>
>> Kind regards,
>> Bartek Rutkowski
>>
>
> I'm pretty sure they call that a "feature". This is a bit different.
> This is modifying the command used to call a function as the feature
> intends. The vulnerability was that just parsing the environment would
> execute the code.
>
> TL;DR; You should cleanse your environment and only accept valid input
> to work around this feature. The bash developer (Chet) said he would not
> remove it by default, at least a few days ago.
>

There is more discussion here http://seclists.org/oss-sec/2014/q3/746

Anyway I still think this is not anything to panic about.

However I am making the decision to disable this feature entirely in our
bash port by default. I will use christos@NetBSD's patch to add a
--import-functions flag to bash. The port will allow selecting the
default at build time. Ours will have it disabled.

I have no idea what the impact is on this but it is the safest route for
now; scripts passing functions in environment is crazy.

--
Regards,
Bryan Drewery
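An added example, not part of the thread and not code from bash or the FreeBSD port: one way to follow the advice above to cleanse the environment and accept only valid input before a server hands request data to a child process. The policy table, value patterns, fixed PATH and sample request are assumptions; the `() {` prefix test reflects how bash recognised exported functions in environment values.

```python
import re
import subprocess

# A value that begins like an exported shell function definition: "() {"
FUNC_DEF = re.compile(r"^\s*\(\s*\)\s*\{")

# Assumed policy for a hypothetical CGI handler: variable name -> pattern
# that the whole value must match. Anything not listed is dropped.
POLICY = {
    "REQUEST_METHOD": re.compile(r"GET|HEAD|POST"),
    "QUERY_STRING": re.compile(r"[A-Za-z0-9_.~%&=+-]{0,2048}"),
    "CONTENT_LENGTH": re.compile(r"[0-9]{1,10}"),
    "REMOTE_ADDR": re.compile(r"[0-9A-Fa-f:.]{2,45}"),
    "HTTP_USER_AGENT": re.compile(r"[A-Za-z0-9 ._/;:,+()-]{0,256}"),
}

# The child never inherits PATH from the caller (assumed safe value).
FIXED_ENV = {"PATH": "/bin:/usr/bin"}


def cleanse(env, policy=POLICY):
    """Build a child environment from scratch.

    Returns (clean_env, rejected) where rejected is a list of
    (name, reason) pairs suitable for logging.
    """
    clean = dict(FIXED_ENV)
    rejected = []
    for name, value in env.items():
        if FUNC_DEF.match(value):
            # Checked first so the log says why, even for allowed names.
            rejected.append((name, "function definition"))
        elif name not in policy:
            rejected.append((name, "name not allowed"))
        elif not policy[name].fullmatch(value):
            rejected.append((name, "value failed validation"))
        else:
            clean[name] = value
    return clean, rejected


def run_cleansed(argv, env):
    """Run argv (a list, no shell involved) with only the cleansed variables."""
    clean, rejected = cleanse(env)
    result = subprocess.run(argv, env=clean, capture_output=True, text=True)
    return result, rejected


# Constructed request environment for illustration, not captured traffic.
SAMPLE = {
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "id=42&lang=en",
    "REMOTE_ADDR": "192.0.2.10",
    "HTTP_USER_AGENT": "() { _; }",   # function-style value in a header
    "HTTP_X_TRACE": "abc",            # header the policy does not list
    "CONTENT_LENGTH": "12a",          # malformed number
    "PATH": "/tmp/untrusted:/bin",    # caller's PATH is never passed on
}

if __name__ == "__main__":
    clean, rejected = cleanse(SAMPLE)
    print("passed to child:", clean)
    for name, reason in rejected:
        print("dropped", name, "-", reason)
```

Because the child environment is built from an empty dictionary, a variable the policy does not mention can never reach the shell, whatever its name or value.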
From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 20:35:27 2014
Date: Fri, 26 Sep 2014 15:35:13 -0500
From: Bryan Drewery
To: Paul Hoffman, freebsd-security@freebsd.org
Subject: Re: pkg repositories out of alignment

On 9/26/2014 10:25 AM, Paul Hoffman wrote:
> Just a note that the pkg repo for 10 seems to be far advanced over that for 9.3. That is, the bash fix appeared in the 10 repo yesterday (or earlier), but it still not in the 9.3 repo. Here's what I'm seeing on a 9.3 box right now:

Quarterly builds before Latest and 10 builds before 9 due to demand.
Packages are not published at the same time. They are published as each
set finishes.

There was an unfortunate delay this week because of nss/bash panic. Now
we're mostly waiting on this week's libreoffice to fully build for each set.

We're not well prepared for security updates to packages yet. We have
many technical challenges to work through still.

--
Regards,
Bryan Drewery

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 21:18:12 2014
Date: Fri, 26 Sep 2014 14:18:06 -0700
From: Jungle Boogie
To: freebsd-security@freebsd.org
Subject: Re: pkg repositories out of alignment

Dear Mark,
--------------------------------------------
From: Mark Felder
Sent: Fri, 26 Sep 2014 14:55:03 -0500
To: freebsd-security@freebsd.org
Subject: Re: pkg repositories out of alignment (was: Re: bash velnerability)
>
> On Fri, Sep 26, 2014, at 10:25, Paul
Hoffman wrote: >> >> I appreciate the speed that folks update the packages; I'm a bit >> distressed that 9.3 seems to be a second-class citizen for security >> fixes. (And I totally admit that I could be misreading the situation.) >> > > (speaking strictly as a consumer of the pkg repository) > > I am not aware of any other packages with security vulnerabilities that > have been updated on the repository outside of the planned once-a-week > schedule. This means if the package set is built and published and > immediately thereafter a vulnerability comes out for www/chromium, don't > expect to see the update until next week. But how do other operating systems build or patch new applications so quickly and make it available in a pkg manner? > > FYI, the repositories are built sequentially and I don't think there's a > preference of a certain release over another. They're working hard to > get these updated packages out the door as fast as possible. Is is alphabetical order? If so B should be coming up soon! 
;) -- inum: 883510009027723 sip: jungleboogie@sip2sip.info xmpp: jungle-boogie@jit.si From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 21:01:40 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D6A955ED for ; Fri, 26 Sep 2014 21:01:40 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9901D837 for ; Fri, 26 Sep 2014 21:01:40 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id s8QL1elN081266 for ; Fri, 26 Sep 2014 21:01:40 GMT (envelope-from bdrewery@freefall.freebsd.org) Received: (from bdrewery@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id s8QL1epT081264 for freebsd-security@freebsd.org; Fri, 26 Sep 2014 21:01:40 GMT (envelope-from bdrewery) Received: (qmail 63181 invoked from network); 26 Sep 2014 16:01:38 -0500 Received: from unknown (HELO ?10.10.0.24?) 
(freebsd@shatow.net@10.10.0.24) by sweb.xzibition.com with ESMTPA; 26 Sep 2014 16:01:38 -0500 Message-ID: <5425D427.8090309@FreeBSD.org> Date: Fri, 26 Sep 2014 16:01:27 -0500 From: Bryan Drewery Organization: FreeBSD User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2 MIME-Version: 1.0 Subject: Re: bash velnerability References: <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> In-Reply-To: <5425A548.9090306@FreeBSD.org> OpenPGP: id=6E4697CF; url=http://www.shatow.net/bryan/bryan2.asc Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="MTurRjG07qWw2eVNCmuAqjHpejEKKteUn" X-Mailman-Approved-At: Fri, 26 Sep 2014 22:41:10 +0000 Cc: freebsd-security , freebsd-ports X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Sep 2014 21:01:40 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --MTurRjG07qWw2eVNCmuAqjHpejEKKteUn Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 9/26/2014 12:41 PM, Bryan Drewery wrote: > On 9/26/2014 11:51 AM, Bryan Drewery wrote: >> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: >>> Apparently, the full fix is still not delivered, accordingly to this:= >>> http://seclists.org/oss-sec/2014/q3/741 >>> >>> Kind regards, >>> Bartek Rutkowski >>> >> >> I'm pretty sure they call that a "feature". This is a bit different. I've disabled environment function importing in the port. Using --import-functions will allow it to work if you need it. 
https://svnweb.freebsd.org/changeset/ports/369341 --=20 Regards, Bryan Drewery --MTurRjG07qWw2eVNCmuAqjHpejEKKteUn Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) iQEcBAEBAgAGBQJUJdQnAAoJEDXXcbtuRpfPGLIH/jXFSyJal3Vnbj+CDSY+P5VZ 3oRq3spm96tpulRobGZG52gdlaSWTzoZrTvTN0vTA1WlUGzmV8tAVc8P0M8lvgho 6TJecVIVURzqu+Q9A6MVW82uc0G6F+tWY99lk0w1Vxz+ghyYlpIIWeaAXwrSSgbD RYDmnZapPvaTwdpQJRixCXRiR7SYElMWxXLF6L08KAJujpZUHCZa7kHRw8FSMSUN DjDFT/lnkWxFqnDjT7BU9Jf4hHwJUSpHxbA9RFKXS4ICekYZpfS1n5RTPOWeGtvY wLbRFIVISRQxgMjw/6X+F77ZvmUTEzU5jSbKkFhs2ZNNEb4oJbYAK44Nz6Ib5SQ= =PBZY -----END PGP SIGNATURE----- --MTurRjG07qWw2eVNCmuAqjHpejEKKteUn--
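Added example, not part of the thread and not code from the FreeBSD port: a shell check for the change described in the last message, listing which functions an environment actually carries (and so would stop being imported by a bash built without function importing) and probing whether a given bash binary imports them. The function names, the fn_probe variable and the sample environment are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeBSD port.

# Print the names of shell functions carried in an environment dump.
# stdin: NAME=VALUE lines as printed by env(1). Two encodings are handled:
# "name=() { ..." and the later "BASH_FUNC_name%%=() { ...".
list_exported_functions() {
    suffix='%%'
    while IFS= read -r line; do
        case $line in
            *=*) ;;
            *) continue ;;            # continuation of a multi-line value
        esac
        name=${line%%=*}
        value=${line#*=}
        case $value in
            "() {"*) ;;
            *) continue ;;            # ordinary variable
        esac
        case $name in
            BASH_FUNC_*%%) name=${name#BASH_FUNC_}; name=${name%"$suffix"} ;;
        esac
        printf '%s\n' "$name"
    done
}

# Exit 0 if the bash binary given as $1 (default: bash) turns such a
# variable into a callable function, 1 otherwise. fn_probe is a made-up name.
bash_imports_functions() {
    for var in 'fn_probe' 'BASH_FUNC_fn_probe%%'; do
        out=$(env "$var=() { echo imported; }" "${1:-bash}" -c fn_probe 2>/dev/null) || true
        [ "$out" = imported ] && return 0
    done
    return 1
}

# Constructed sample of env(1) output, not taken from a real host.
sample_env() {
    cat <<'EOF'
PATH=/sbin:/bin:/usr/bin
deploy_hook=() {  /usr/local/bin/reload-app
}
BASH_FUNC_log_msg%%=() {  logger -t app "$1"
}
EDITOR=vi
EOF
}

sample_env | list_exported_functions
```

Feeding list_exported_functions the output of env from a service's real startup environment shows which scripts depend on exported functions and would need --import-functions after the port change.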