From owner-freebsd-security@freebsd.org Tue Jan 19 14:57:33 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
Date: Tue, 19 Jan 2016 14:57:33 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 9.3-RELEASE
X-Bugzilla-Keywords: feature, needs-patch, needs-qa, security
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: bapt@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: bapt@FreeBSD.org
X-Bugzilla-Flags: mfc-stable9? mfc-stable10?
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

Baptiste Daroussin changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|des@FreeBSD.org             |bapt@FreeBSD.org

--
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-security@freebsd.org Tue Jan 19 15:02:47 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
Date: Tue, 19 Jan 2016 15:02:47 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

--- Comment #7 from commit-hook@freebsd.org ---
A commit references this bug:

Author: bapt
Date: Tue Jan 19 15:02:38 UTC 2016
New revision: 294326
URL: https://svnweb.freebsd.org/changeset/base/294326

Log:
  Test for /etc/ssl/cert.pem existence to avoid masking SSL_CA_CERT_PATH

  Prior to this patch, unless SSL_CA_CERT_FILE is set in the environment,
  libfetch will set the CA file to "/usr/local/etc/cert.pem" if it exists,
  and to "/etc/ssl/cert.pem" otherwise. This has the consequence of
  masking SSL_CA_CERT_PATH, because OpenSSL will ignore the CA path if a CA
  file is set but fails to load (see X509_STORE_load_locations()).

  While here, fall back to OpenSSL defaults if neither SSL_CA_CERT_FILE nor
  SSL_CA_CERT_PATH are set in the environment, and if neither of the
  libfetch default CA files exists.

  PR:            193871
  Submitted by:  John W. O'Brien
  Approved by:   des
  MFC after:     1 week

Changes:
  head/lib/libfetch/common.c

From owner-freebsd-security@freebsd.org Tue Jan 19 15:03:33 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
Date: Tue, 19 Jan 2016 15:03:33 +0000
X-Bugzilla-Changed-Fields: bug_status

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

Baptiste Daroussin changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Open                        |In Progress

From owner-freebsd-security@freebsd.org Thu Jan 21 21:59:46 2016
From: Mark Boolootian
To: freebsd-security@freebsd.org
Subject: bind 9.9.8-P3
Date: Thu, 21 Jan 2016 13:59:43 -0800

Hi folks,

I haven't seen a FreeBSD security advisory released for the
patch that has been applied for:

  https://kb.isc.org/article/AA-01335

Any clue as to why that hasn't happened (for FreeBSD 9.x -
I understand why it wouldn't for FreeBSD 10).

thanks,
mark

From owner-freebsd-security@freebsd.org Fri Jan 22 14:31:24 2016
From: Dag-Erling Smørgrav
To: freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: HPN and None options in OpenSSH
Date: Fri, 22 Jan 2016 15:31:22 +0100

The HPN and None cipher patches have been removed from FreeBSD-CURRENT.
I intend to remove them from FreeBSD-STABLE this weekend.

The HPN patches were of limited usefulness and required a great deal of
effort to maintain in our tree.  The None cipher patch was less onerous,
but it was a terrible idea with a very small user base since it was a
compile-time option and off by default.

The HPN-related configuration variables have been marked deprecated,
while those related to the None cipher have been marked unsupported.
This means that the former will be accepted with a warning, whereas the
latter will result in an error.

Most users will not be affected by this change.  Those who are should
switch to the openssh-portable port, which still offers both patches,
with HPN enabled by default.

It is expected that FreeBSD 10.3 will ship with OpenSSH 7.1p2, with a
number of modifications intended to reduce the impact of upstream
changes on existing systems.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Fri Jan 22 17:20:50 2016
From: Mark Felder
To: Mark Boolootian, freebsd-security@freebsd.org
Subject: Re: bind 9.9.8-P3
Date: Fri, 22 Jan 2016 11:20:49 -0600

On Thu, Jan 21, 2016, at 15:59, Mark Boolootian wrote:
> Hi folks,
>
> I haven't seen a FreeBSD security advisory released for the
> patch that has been applied for:
>
>   https://kb.isc.org/article/AA-01335
>
> Any clue as to why that hasn't happened (for FreeBSD 9.x -
> I understand why it wouldn't for FreeBSD 10).
>

Good question. I just checked a 9.3 jail and the version is 9.9.5 so it
should be affected.

--
  Mark Felder
  ports-secteam member
  feld@FreeBSD.org

From owner-freebsd-security@freebsd.org Fri Jan 22 18:05:16 2016
From: Xin LI
To: Mark Boolootian
Cc: "freebsd-security@freebsd.org"
Subject: Re: bind 9.9.8-P3
Date: Fri, 22 Jan 2016 10:05:15 -0800

There are other security advisories still pending in queue and we will
issue them together.

On Thu, Jan 21, 2016 at 1:59 PM, Mark Boolootian wrote:
> Hi folks,
>
> I haven't seen a FreeBSD security advisory released for the
> patch that has been applied for:
>
>   https://kb.isc.org/article/AA-01335
>
> Any clue as to why that hasn't happened (for FreeBSD 9.x -
> I understand why it wouldn't for FreeBSD 10).
>
> thanks,
> mark
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@freebsd.org Sat Jan 23 01:59:00 2016
From: Julian Elischer
To: Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Date: Sat, 23 Jan 2016 09:58:44 +0800

On 22/01/2016 10:31 PM, Dag-Erling Smørgrav wrote:
> The HPN and None cipher patches have been removed from FreeBSD-CURRENT.
> I intend to remove them from FreeBSD-STABLE this weekend.
>
> The HPN patches were of limited usefulness and required a great deal of
> effort to maintain in our tree.  The None cipher patch was less onerous,
> but it was a terrible idea with a very small user base since it was a
> compile-time option and off by default.
>
> The HPN-related configuration variables have been marked deprecated,
> while those related to the None cipher have been marked unsupported.
> This means that the former will be accepted with a warning, whereas the
> latter will result in an error.
>
> Most users will not be affected by this change.  Those who are should
> switch to the openssh-portable port, which still offers both patches,
> with HPN enabled by default.
>
> It is expected that FreeBSD 10.3 will ship with OpenSSH 7.1p2, with a
> number of modifications intended to reduce the impact of upstream
> changes on existing systems.
what is the internal window size in the new ssh?
>
> DES

From owner-freebsd-security@freebsd.org Sat Jan 23 15:55:21 2016
From: Dag-Erling Smørgrav
To: Julian Elischer
Cc: freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Date: Sat, 23 Jan 2016 16:55:14 +0100

Julian Elischer writes:
> what is the internal window size in the new ssh?

64 kB.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Sat Jan 23 20:33:06 2016
From: Dag-Erling Smørgrav
To: Kevin Oberman
Cc: Julian Elischer, FreeBSD Current, FreeBSD-STABLE Mailing List, freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Date: Sat, 23 Jan 2016 21:33:05 +0100

Kevin Oberman writes:
> Dag-Erling Smørgrav writes:
> > Julian Elischer writes:
> > > what is the internal window size in the new ssh?
> > 64 kB.
> Are you sure of this?

Sorry, I was thinking of 6.6 (in stable/10).  The buffer code in 7.1
supports dynamically-sized buffers with a hard limit of 128 MB.  The
default window size for client sessions is 2 MB, or 1 MB if associated
with a tty.  I'm not sure what the maximum size is.  Note that scp, sftp
etc. count as client sessions.  X11 and agent forwarding use different
(smaller) windows which improve latency at the cost of throughput.

> [...] scp still performed poorly when compared to other technologies

scp is a horrible protocol, use sftp or (preferably) rsync over ssh.

DES
--
Dag-Erling Smørgrav - des@des.no
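
The CA file and CA path selection described in the r294326 commit log (Bug 193871) earlier in this archive, modelled as an added C example that is not part of any message above and is not libfetch's own code. `struct host`, `trust_before()`, `trust_after()` and the four sample hosts are constructed for illustration; the default file names are the ones written in the log, and the `bad_env` case assumes an explicitly set SSL_CA_CERT_FILE is passed through without an existence test.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Default CA file names exactly as written in the commit log. */
#define LOCAL_CERT_FILE "/usr/local/etc/cert.pem"
#define BASE_CERT_FILE  "/etc/ssl/cert.pem"

enum { SRC_NONE = 0, SRC_FILE = 1, SRC_PATH = 2, SRC_DEFAULTS = 4 };

/* Constructed description of one host: environment plus filesystem state. */
struct host {
    const char *env_ca_file;  /* SSL_CA_CERT_FILE, NULL when unset */
    const char *env_ca_path;  /* SSL_CA_CERT_PATH, NULL when unset */
    const char *readable[3];  /* CA files that exist, NULL-terminated */
};

static bool file_exists(const struct host *h, const char *file)
{
    for (size_t i = 0; i < 3 && h->readable[i] != NULL; i++)
        if (strcmp(h->readable[i], file) == 0)
            return true;
    return false;
}

/* Model of the X509_STORE_load_locations() rule cited in the log: a CA file
 * that fails to load ends the call before the CA path is looked at. */
static int load_locations(const struct host *h, const char *file, const char *path)
{
    int loaded = SRC_NONE;
    if (file != NULL) {
        if (!file_exists(h, file))
            return SRC_NONE;
        loaded |= SRC_FILE;
    }
    if (path != NULL)
        loaded |= SRC_PATH;
    return loaded;
}

/* Before r294326: a default CA file is always chosen, existing or not. */
int trust_before(const struct host *h)
{
    const char *file = h->env_ca_file;
    if (file == NULL)
        file = file_exists(h, LOCAL_CERT_FILE) ? LOCAL_CERT_FILE : BASE_CERT_FILE;
    return load_locations(h, file, h->env_ca_path);
}

/* After r294326: a default file is used only if present; with no file and
 * no path the library falls back to OpenSSL's own default locations. */
int trust_after(const struct host *h)
{
    const char *file = h->env_ca_file;  /* assumption: used as given */
    if (file == NULL && file_exists(h, LOCAL_CERT_FILE))
        file = LOCAL_CERT_FILE;
    if (file == NULL && file_exists(h, BASE_CERT_FILE))
        file = BASE_CERT_FILE;
    if (file == NULL && h->env_ca_path == NULL)
        return SRC_DEFAULTS;
    return load_locations(h, file, h->env_ca_path);
}

/* Constructed hosts covering the cases the log mentions, plus a bad override. */
const struct host path_only   = { NULL, "/etc/ssl/certs", { NULL } };
const struct host bare        = { NULL, NULL, { NULL } };
const struct host with_bundle = { NULL, "/etc/ssl/certs", { BASE_CERT_FILE, NULL } };
const struct host bad_env     = { "/nonexistent/ca.pem", "/etc/ssl/certs", { BASE_CERT_FILE, NULL } };

int main(void)
{
    const struct host *hosts[] = { &path_only, &bare, &with_bundle, &bad_env };
    const char *names[] = { "path_only", "bare", "with_bundle", "bad_env" };
    for (size_t i = 0; i < 4; i++)
        printf("%-12s before=%d after=%d\n", names[i],
            trust_before(hosts[i]), trust_after(hosts[i]));
    return 0;
}
```

A result of 0 means no trust source was loaded, so peer verification cannot succeed. In this model `bad_env` stays at 0 after the change: a wrong SSL_CA_CERT_FILE still masks SSL_CA_CERT_PATH.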