From owner-freebsd-security@freebsd.org Fri Feb 19 19:07:10 2016
Date: Fri, 19 Feb 2016 11:07:03 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
Subject: PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

In light of recently found kernel anomalies[1][2] and considering the FBI's
reckless effort to force Apple to build an iPhone backdoor[3] it would only
be prudent to consider the risk of less transparent efforts by our three
and four letter agencies (and NGOs) targeting our FOSS.

Towards that goal I'm wondering if FreeBSD base has ever been analyzed for
patterns of suspicious commits[4]?

Roger Marquis

Refs.
[1] http://www.viva64.com/en/b/0377/
[2] http://tech.slashdot.org/story/16/02/19/001202/pvs-studio-analyzer-spots-40-bugs-in-the-freebsd-kernel
[3] http://www.apple.com/customer-letter/
[4] http://blogs.marketwatch.com/thetell/2014/04/11/heartbleed-bug-was-introduced-seconds-before-new-years-day-2012/

From owner-freebsd-security@freebsd.org Sat Feb 20 12:11:03 2016
Date: Sat, 20 Feb 2016 13:01:22 +0100
From: Dag-Erling Smørgrav <des@des.no>
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Subject: Re: PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel
In-Reply-To: <20160219190727.2DA5ECB30@smtp.des.no> (Roger Marquis's message of "Fri, 19 Feb 2016 11:07:03 -0800 (PST)")
Message-ID: <861t87lhf1.fsf@desk.des.no>

Roger Marquis writes:
> I'm wondering if FreeBSD base has ever been analyzed for patterns of
> suspicious commits[4]?

No, but the Heartbeat commit was not suspicious, regardless of what the
Wall Street Journal wants you to believe.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Sat Feb 20 13:37:04 2016
Date: Sat, 20 Feb 2016 13:37:04 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 9.3-RELEASE
X-Bugzilla-Keywords: feature, needs-patch, needs-qa, security
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Assigned-To: bapt@FreeBSD.org
X-Bugzilla-Who: commit-hook@freebsd.org
X-Bugzilla-Status: In Progress
X-Bugzilla-Flags: mfc-stable9? mfc-stable10?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

--- Comment #8 from commit-hook@freebsd.org ---
A commit references this bug:

Author: des
Date: Sat Feb 20 13:36:25 UTC 2016
New revision: 295840
URL: https://svnweb.freebsd.org/changeset/base/295840

Log:
  MFH (r273114, r273124): turn SSLv3 off by default
  MFH (r294326): fall back to standard / configured CA store
  MFH (r295536): fix double-free when SSL connection fails

  PR:		193871 206774

Changes:
_U  stable/9/
_U  stable/9/lib/
_U  stable/9/lib/libfetch/
  stable/9/lib/libfetch/common.c
  stable/9/lib/libfetch/fetch.3
  stable/9/lib/libfetch/http.c
_U  stable/9/usr.bin/
_U  stable/9/usr.bin/fetch/

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-security@freebsd.org Sat Feb 20 16:40:04 2016
Date: Sat, 20 Feb 2016 16:40:04 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
X-Bugzilla-Who: des@FreeBSD.org
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Flags: mfc-stable9+ mfc-stable10+
X-Bugzilla-Changed-Fields: bug_status flagtypes.name resolution

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

Dag-Erling Smørgrav changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|In Progress                 |Closed
              Flags|mfc-stable9?, mfc-stable10? |mfc-stable9+, mfc-stable10+
         Resolution|---                         |FIXED

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-security@freebsd.org Sat Feb 20 16:42:00 2016
Date: Sat, 20 Feb 2016 16:42:00 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
X-Bugzilla-Who: des@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Flags: mfc-stable9+ mfc-stable10?
X-Bugzilla-Changed-Fields: bug_status flagtypes.name resolution

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

Dag-Erling Smørgrav changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Closed                      |Open
              Flags|mfc-stable10+               |mfc-stable10?
         Resolution|FIXED                       |---

--- Comment #9 from Dag-Erling Smørgrav <des@FreeBSD.org> ---
Reopening, apparently it wasn't merged to 10.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-security@freebsd.org Sat Feb 20 16:42:08 2016
Date: Sat, 20 Feb 2016 16:42:08 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
X-Bugzilla-Who: des@FreeBSD.org
X-Bugzilla-Status: In Progress
X-Bugzilla-Flags: mfc-stable9+ mfc-stable10?
X-Bugzilla-Changed-Fields: bug_status

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

Dag-Erling Smørgrav changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Open                        |In Progress

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-security@freebsd.org Sat Feb 20 22:58:47 2016
Date: Sat, 20 Feb 2016 22:58:47 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
X-Bugzilla-Who: commit-hook@freebsd.org
X-Bugzilla-Status: In Progress
X-Bugzilla-Flags: mfc-stable9+ mfc-stable10?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

--- Comment #10 from commit-hook@freebsd.org ---
A commit references this bug:

Author: des
Date: Sat Feb 20 22:58:33 UTC 2016
New revision: 295843
URL: https://svnweb.freebsd.org/changeset/base/295843

Log:
  MFH (r294326): fall back to standard / configured CA store

  PR:		193871
  Approved by:	re (gjb)

Changes:
_U  stable/10/
  stable/10/lib/libfetch/common.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.
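Editor's note. The two merge commits above (r295840 on stable/9, r295843 on stable/10) describe a client-side TLS policy rather than show it: peer verification against an explicitly configured CA file or directory when one is set, otherwise a fallback to the standard OpenSSL CA store (the /etc/ssl/certs of the bug title), and SSLv3 switched off by default. The block below is an added example of that policy written against Python's standard ssl module, which wraps OpenSSL just as libfetch does. It is not libfetch's code and none of it comes from the thread: the function names are this example's own, the environment variable names SSL_CA_CERT_FILE and SSL_CA_CERT_PATH are taken from the fetch(3) manual page rather than from these messages, the empty CA directory is constructed for the demonstration, and the TLS 1.2 floor goes beyond the original change, which only disabled SSLv3.

```python
"""Added example (not libfetch code): the client-side TLS policy that the
r295840 / r295843 log messages describe, expressed with Python's stdlib
ssl module, which wraps OpenSSL just as libfetch does.

  * peer verification always on, hostname checked
  * explicit CA file / directory if one is configured, otherwise the
    OpenSSL default store (what the bug title calls /etc/ssl/certs)
  * no SSLv3; this example goes further and sets a TLS 1.2 floor
"""
import os
import ssl
import tempfile

# Assumption: the variable names fetch(3) documents for an explicit CA
# file / directory. They are not mentioned in the thread above.
CA_FILE_ENV = "SSL_CA_CERT_FILE"
CA_PATH_ENV = "SSL_CA_CERT_PATH"


def pick_ca_source(ca_file=None, ca_path=None):
    """Decide where trust anchors come from.

    Returns ("explicit", ca_file, ca_path) when the caller configured a
    location, else ("default", None, None) meaning OpenSSL's compiled-in
    store. A configured location that does not exist is a hard error:
    a typo in a CA path must never degrade into an unverified connection.
    """
    if ca_file is None and ca_path is None:
        return ("default", None, None)
    for loc in (ca_file, ca_path):
        if loc is not None and not os.path.exists(loc):
            raise FileNotFoundError("configured CA location missing: %s" % loc)
    return ("explicit", ca_file, ca_path)


def make_client_context(ca_file=None, ca_path=None):
    """Build a verifying client context and return it together with a
    plain-value summary of the policy it ended up with."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED      # never "no verify" by default
    ctx.check_hostname = True
    # The 2014 change only switched SSLv3 off (with an opt-in to re-enable).
    # A TLS 1.2 floor is the equivalent choice today.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    source, f, p = pick_ca_source(ca_file, ca_path)
    if source == "explicit":
        ctx.load_verify_locations(cafile=f, capath=p)
    else:
        # The fallback the fix added: OpenSSL's default verify paths
        # (OPENSSLDIR/cert.pem and OPENSSLDIR/certs; /etc/ssl on FreeBSD).
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)

    summary = {
        "source": source,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_tls": ctx.minimum_version.name,
        # A CA file is read eagerly, a capath directory lazily, so this
        # counts only the anchors that are in memory right now.
        "trust_anchors": ctx.cert_store_stats()["x509_ca"],
    }
    return ctx, summary


def context_from_environment():
    """What a fetch(1)-style client would do: honour the variables if set,
    otherwise fall back to the default store."""
    return make_client_context(os.environ.get(CA_FILE_ENV),
                               os.environ.get(CA_PATH_ENV))


def demo_empty_explicit_store():
    """Constructed edge case: an explicitly configured but empty CA
    directory. It loads without error, but every server certificate will
    then fail verification, which is the right failure mode (loud, rather
    than silently unverified)."""
    with tempfile.TemporaryDirectory() as empty_dir:
        _, summary = make_client_context(ca_path=empty_dir)
    return summary


if __name__ == "__main__":
    print("default store :", make_client_context()[1])
    print("empty explicit:", demo_empty_explicit_store())
```

The two failure modes worth keeping in mind when reproducing this in C against libssl are the ones the example makes explicit: a misspelled CA path must be an error, not a fall-through to no verification, and an explicit store that happens to be empty must fail every handshake rather than be quietly replaced by the default store.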