Date:      Tue, 9 Aug 2016 15:21:23 -0500
From:      Matthew Donovan <kitche@kitchetech.com>
To:        Roger Marquis <marquis@roble.com>
Cc:        freebsd-ports <freebsd-ports@freebsd.org>,  freebsd-security <freebsd-security@freebsd.org>, Martin Schroeder <mschroeder@vfemail.net>
Subject:   Re: freebsd-update and portsnap users still at risk of compromise
Message-ID:  <CABgom6ca0Rh-H_uQPbO9=EMCEZk3Q78AXQGbCSFae_qMKJggdQ@mail.gmail.com>
In-Reply-To: <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com>
References:  <6bd80e384e443e5de73fb951e973b221@vfemail.net> <c59340ad-38d8-5b76-6cce-d4a1d540f90c@freebsd.org> <8d52c11892db36d5041f7fa638e46681@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com>

You mean operating system, as "distribution" is a Linux term. There's not much
difference between HardenedBSD and FreeBSD besides that HardenedBSD fixes
vulnerabilities and has an excellent ASLR system compared to the proposed
one for FreeBSD.

On Aug 9, 2016 3:10 PM, "Roger Marquis" <marquis@roble.com> wrote:

> Timely update via Hackernews:
>
>  <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>
>
> Note in particular:
>
>  "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>  and libarchive vulnerabilities."
>
> Not sure why the portsec team has not commented or published an advisory
> (possibly because the freebsd list spam filters are so bad that
> subscriptions are being blocked) but from where I sit it seems that
> those exposed should consider:
>
>  cd /usr/ports
>  svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
>  make index
>  rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>
> I'd also be interested in hearing from hardenedbsd users regarding the
> pros and cons of cutting over to that distribution.
>
> Roger
>
>
>
> On 2016-07-29 09:00, Julian Elischer wrote:
>>
>>> not sure if you've been contacted privately, but I believe the answer is
>>> "we're working on it"
>>
>> My concerns are as follows:
>>
>> 1. This is already out there, and FreeBSD users haven't been alerted that
>> they should avoid running freebsd-update/portsnap until the problems are
>> fixed.
>>
>> 2. There was no mention in the bspatch advisory that running
>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
>> are apparently already in operation.
>>
>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>> heap corruption, even though a more complete fix is available. That's
>> what prompted my post. If FreeBSD learned of the problem from the same
>> source document we all did, which seems likely given the coincidental
>> timing of an advisory for a little-known utility a week or two after that
>> source document appeared, then surely FreeBSD had the complete fix
>> available.
>>



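The four commands Roger quotes above are the whole cut-over, but run literally they will fail on a machine that already has a portsnap-populated /usr/ports (svn refuses to check out into a non-empty directory that is not a working copy), and they are not safe to re-run. The script below is an added example, not code from the thread or from the FreeBSD project: it performs the same cut-over idempotently, preferring the base system's svnlite, moving an existing portsnap tree aside instead of checking out over it, rebuilding INDEX, and clearing the portsnap state directory. The PORTS_DIR and PORTSNAP_DB variables and the helper names are assumptions for this example; the repository URL is the one from the message.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): idempotent cut-over of the
# ports tree from portsnap to a Subversion checkout over HTTPS.
# Assumes FreeBSD with svnlite (base) or svn (devel/subversion) present.
# Assumed/constructed values: PORTS_DIR, PORTSNAP_DB.

PORTS_URL="https://svn.FreeBSD.org/ports/head"
PORTS_DIR="${PORTS_DIR:-/usr/ports}"
PORTSNAP_DB="${PORTSNAP_DB:-/var/db/portsnap}"

# Print the name of an available Subversion client, preferring the base
# system's svnlite so the cut-over does not depend on a port being installed.
pick_svn() {
    for cmd in svnlite svn; do
        if command -v "$cmd" >/dev/null 2>&1; then
            printf '%s\n' "$cmd"
            return 0
        fi
    done
    return 1
}

# Succeed if the directory is already a Subversion working copy.
is_svn_wc() {
    [ -d "$1/.svn" ]
}

# Succeed if the directory looks like a tree portsnap populated: it has the
# ports Mk/ infrastructure but no .svn metadata.
is_portsnap_tree() {
    [ -d "$1/Mk" ] && ! is_svn_wc "$1"
}

# Check out (first run) or update (later runs) the ports tree over HTTPS,
# rebuild INDEX, and remove portsnap's cached snapshot state.
cutover_ports() {
    svn_cmd=$(pick_svn) || { echo "no svn or svnlite found" >&2; return 1; }

    if is_svn_wc "$PORTS_DIR"; then
        "$svn_cmd" update "$PORTS_DIR" || return 1
    else
        if is_portsnap_tree "$PORTS_DIR"; then
            # Keep the old tree (and any distfiles under it) rather than
            # letting svn fail or merge unversioned files into the checkout.
            mv "$PORTS_DIR" "$PORTS_DIR.portsnap.$(date +%Y%m%d%H%M%S)" || return 1
        fi
        "$svn_cmd" checkout "$PORTS_URL" "$PORTS_DIR" || return 1
    fi

    make -C "$PORTS_DIR" index || return 1

    # Drop portsnap's snapshot cache so nothing resumes from it by mistake.
    if [ -d "$PORTSNAP_DB" ]; then
        rm -rf "$PORTSNAP_DB"/*
    fi
}

# Only perform the network-touching cut-over when explicitly asked:
#   sh cutover.sh run
if [ "${1:-}" = "run" ]; then
    cutover_ports
fi
```

The helpers are split out so the decision logic (which client to use, whether the tree is a working copy or a portsnap snapshot) can be checked without touching the network; the message's removal of the portsnap binary itself is deliberately left to the administrator, since deleting a base-system utility is a policy choice rather than part of the checkout.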