Date: Thu, 07 Apr 2016 01:18:34 -0700 From: "internetprojects@sbcglobal.net" <internetprojects@sbcglobal.net> To: freebsd-ports-bugs@freebsd.org Subject: A probably malformed Appcafe program damaged PC-BSD 10.2 and 10.2 Message-ID: <7769950.Z2AyJxTEqC@notthemicrosoft.pc-bsd.01>
next in thread | raw e-mail | index | archive | help
Thanks for the best Open Source OS I've ever used. It far outshines the Linux flavors I installed starting about 11 years ago which included several OpenSuse releases and even more from Kubuntu. This letter has two parts: Part 1 details a stealth session crash problem in the PC-BSD 10.3 upgrade that was "inherited" from 10.2. It began with an Appcafe installation of PBI-MAKER in late March under 10.2. Part 2 examines a possible or probable distro server security issue for PC-BSD. PART 1 In the past few weeks, PC-BSD 10.2 desktops have been failing to load into stealth sessions and have exhibited other problems. The stealth session issue began immediately after I installed PBI-MAKER from Appcafe. It was "inherited" by the recent 10.3 upgrade. Here's the story: Accessing my Windows networked Canon MF8050 Laser Printer was not unexpected. I hoped that a Linux RPM driver that I downloaded from Canon's website might be installable or be changed to a PBI with PBI-MAKER. The following changes and actions were first made under PC-BSD 10.2: > Installed PBI-MAKER with AppCafe > Rebooted. > FreeBSD or PC-BSD crashed, looping while loading drivers. > Rebooted the system. > <esc> stopped the PC-BSD bootloader > Selected & ran verbose oldest 10.2 available on boot environment menu. > Loaded KDE. > Loaded PBI-MAKER. It was't what I needed. > Printer access problem continued. > 10.2 updated. > Logged into stealth sessions with Lumina, Mate, Fluxbox, and Gnome. > Each, X-windows ran momentarily followed by longer-running black screen. > System dropped back to the login GUI. > There were multiple desktop ->X-windows ->black screen-> login GUI failures. > When Lumina seemed load as a stealth session, it was not running in stealth. > On stealth attempts, Fluxbox, Gnome, Lumina, and Mate failed as before. > In non-stealth, the Gnome and Mate desktops looped, choked, and froze. > In non-stealth, Lumina was unstable. > In non-stealth Fluxbox didn't get past X-Windows. > Only KDE would run, but was occasionally unstable especially with AppCafe. > Uninstalled PBI-Maker, but there was no change to the above results. > Loaded Accerciser in Lumina. It crashed. > Accerciser crash dialog box showed Java 3.x and WNCK dependencies missing. > Logged into KDE. > Installed missing Java version 3.x and WNCK3-3.14,0. > Accerciser GUI started in both KDE and Lumina. > Accerciser Plugin Errors tab indicated: > [Runtime Error: The IPython module is required for the IPython console] > Installed py27-ipython - 3.2.3 from AppCafe. > Accerciser: no change. > Ran most of the preceding process and tested other options another time. > Nothing changed. > Decided to wait for the 10.3 release. > 10.3 installed a couple of days later. > Again, nothing changed with stealth sessions or for the non-KDE desktops. I suspect that there are many missing or broken dependencies, but I've not located a list of console commands to determine what if any dependencies are missing and how to download and install them. If you have one, please send me the URL for a list of those and other console commands, PART 2 On April 5, around 12 AM I downloaded the program files and checksums for: PCBSD10.3-RELEASE-03-31-2016-x64-DVD.iso from <download.pcbsd.org/iso/-USB.img.sha25610.3-RELEASE/amd64/ . . .> First, I noticed that the server was http, not https/TLS2. Not good. MITM attacks abound. Next, while on the download page, I discovered the following: > the SHA256 checksum for PCBSD10.3-RELEASE-03-31-2016-x64-USB.img did not download as a file as did the checksum for PCBSD10.3-RELEASE-03-31-2016-x64-DVD.iso > Clicking on the x64-USB checksum link caused it to load as a plaintext file on my Firefox browser. That was quite odd. Four of the other checksums on that page also loaded as plaintext files. As I recall, there was a recent Linux server attack where some Linux software was stored with the checksum on the same server. That allowed an attacker to insert malware into a Linux distro and to create bogus checksums that matched. OUCH! The odd behavior of the above mentioned ...x64-USB.img checksum's not downloading but opening as a browser text file makes me just a bit nervous. I'm wondering if I should trust the integrity of both of the above 10.3 downloads. I'm not certain. Computing old-timers (44 years and counting for me) and new Unix/FreeBSD/PC-BSD users like me would feel far more comfortable if PC-BSD would sign and/or fingerprint its software in addition to offering checksums. I will feel far more confident about PC-BSD file download integrity once the files are, at least, digitally signed. Please do all that is possible to secure access to your servers with https/TLS2 to minimize or halt MITM attacks. Unless I missed something when I accessed your 10.3 server, it probably would be advisable for you to take additional measures to secure your software distros. The successful February Tsunami ISO malware insertion attack on the Linux Mint ISO on the Linux servers is a very good reason to act ASAP if not sooner if you haven't already mitigated the potential problem. In the Linux Mint case, the hacker(s) not only added their malware to the ISO, but they also hacked its checksum to reflect the added malware content, They also hacked the adjacent checksum confirmation file to agree with the ISO. OUCH! There's also a growing business and financing opportunity that makes those changes very important. Microsoft's obnoxious, probably U.S. Constitution 4th and 10th Amendment violating (IMO), persistent GWX behavior certainly will provide a big marketing boost for the Open Source software community. It would be a tragedy if PC-BSD, which I regard as the best by far Open Source OS I've ever used, would have its reputation damaged should some sleaze-bag hacker(s) should pull the same vile attack on your PC-BSD distros that they did on Linux Mint. Details of the Linux Mint ISO attack is downloadable in PDF format on Steve Gibson's GRC.com web site https://www.grc.com/securitynow.htm The PDF is found in the site list as Episode #548 | 23 Feb 2016 The PDF is number sn-548, on the right side of that row. Thanks for any help you can offer. I just reminded my wife to start donating to the FreeBSD Foundation. PC-BSD rocks and puts Windows to shame! From owner-freebsd-ports-bugs@freebsd.org Thu Apr 7 08:25:06 2016 Return-Path: <owner-freebsd-ports-bugs@freebsd.org> Delivered-To: freebsd-ports-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 72A59B062B5 for <freebsd-ports-bugs@mailman.ysv.freebsd.org>; Thu, 7 Apr 2016 08:25:06 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 630B41B7A for <freebsd-ports-bugs@FreeBSD.org>; Thu, 7 Apr 2016 08:25:06 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u378P5O8029139 for <freebsd-ports-bugs@FreeBSD.org>; Thu, 7 Apr 2016 08:25:06 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 208584] www/squid: undefined reference to `SSL_set_alpn_protos' Date: Thu, 07 Apr 2016 08:25:06 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: timp87@gmail.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-ports-bugs@FreeBSD.org X-Bugzilla-Flags: maintainer-feedback? X-Bugzilla-Changed-Fields: Message-ID: <bug-208584-13-nurd8cDhrH@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-208584-13@https.bugs.freebsd.org/bugzilla/> References: <bug-208584-13@https.bugs.freebsd.org/bugzilla/> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org> List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ports-bugs>, <mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe> List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs/>; List-Post: <mailto:freebsd-ports-bugs@freebsd.org> List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help> List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, <mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe> X-List-Received-Date: Thu, 07 Apr 2016 08:25:06 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D208584 --- Comment #5 from timp87@gmail.com --- (In reply to Daniel Austin from comment #4) To be honest I'm confused. First you showed me install log from ports. I suggested you to delete libre= ssl and try again. You skipped it. Then you told me about your poudriere build fail. You said that you use ope= nssl from base system, but several sentences later you wrote 'I use openssl from ports rather than base in my builder'. I definitely don't understand you. P. S. my poudriere doesn't fail to build squid-3.5.16. I've just checked it. My ports tree to. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7769950.Z2AyJxTEqC>