Date: Thu, 11 Aug 2016 10:59:57 +0100 From: Vincent Hoffman-Kazlauskas <vince@unsane.co.uk> To: Julian Elischer <julian@freebsd.org>, Mail Lists <mlists@mail.ru>, Matthew Donovan <kitche@kitchetech.com> Cc: freebsd-security <freebsd-security@freebsd.org>, Roger Marquis <marquis@roble.com>, freebsd-ports <freebsd-ports@freebsd.org>, Martin Schroeder <mschroeder@vfemail.net> Subject: Re: freebsd-update and portsnap users still at risk of compromise Message-ID: <d34bf03a-c3d7-7f3e-48da-cd62bbdad119@unsane.co.uk> In-Reply-To: <e45a1d5e-1bc2-6602-2cf2-f0b24aff153b@freebsd.org> References: <6bd80e384e443e5de73fb951e973b221@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> <CABgom6ca0Rh-H_uQPbO9=EMCEZk3Q78AXQGbCSFae_qMKJggdQ@mail.gmail.com> <1470849104.192073030@f370.i.mail.ru> <e45a1d5e-1bc2-6602-2cf2-f0b24aff153b@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
For those not on freebsd-announce (or reddit or anywhere else it got posted) "FreeBSD Core statement on recent freebsd-update and related vulnerabilities" https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html Vince On 11/08/2016 05:22, Julian Elischer wrote: > On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote: >> >> >> sorry but this is blabla and does not come even near to answering the >> real problem: >> >> It appears that freebsd and the US-government is more connected that >> some of us might like: >> >> Not publishing security issues concerning update mechanisms - we all >> can think WHY freebsd is not eager on this one. >> >> Just my thoughts... > > this has been in discussion a lot in private circles within FreeBSD. > It's not being ignored and a "correct" patch is being developed. > > from one email I will quote just a small part.. > ======= > > As of yet, [the] patches for the libarchive vulnerabilities have not > been released > upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has > created > patches for some of the libarchive vulnerabilities, the first[3] is being > considered for inclusion in FreeBSD, at least until a complete fix is > committed upstream, however the second[4] is considered too brute-force and > will not be committed as-is. Once the patches are in FreeBSD and updated > binaries are available, a Security Advisory will be issued. > > ======= > so expect something soon. > I will go on to say that the threat does need to come from an advanced > MITM actor, > though that does not make it a non threat.. > >> >> >>> Tuesday, August 9, 2016 8:21 PM UTC from Matthew Donovan >>> <kitche@kitchetech.com>: >>> >>> You mean operating system as distribution is a Linux term. There's >>> not much >>> different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes >>> vulnerabilities and has a an excellent ASLR system compared to the >>> proposed >>> one for FreeBSD. >>> >>> On Aug 9, 2016 3:10 PM, "Roger Marquis" < marquis@roble.com > wrote: >>> >>>> Timely update via Hackernews: >>>> >>>> <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerabilit >>>> y-update-libarchive> >>>> >>>> Note in particular: >>>> >>>> "FreeBSD is still vulnerable to the portsnap, freebsd-update, >>>> bspatch, >>>> and libarchive vulnerabilities." >>>> >>>> Not sure why the portsec team has not commented or published an >>>> advisory >>>> (possibly because the freebsd list spam filters are so bad that >>>> subscriptions are being blocked) but from where I sit it seems that >>>> those exposed should consider: >>>> >>>> cd /usr/ports >>>> svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports >>>> make index >>>> rm -rf /usr/sbin/portsnap /var/db/portsnap/* >>>> >>>> I'd also be interested in hearing from hardenedbsd users regarding the >>>> pros and cons of cutting over to that distribution. >>>> >>>> Roger >>>> >>>> >>>> >>>> On 2016-07-29 09:00, Julian Elischer wrote: >>>>>> not sure if you've been contacted privately, but I believe the >>>>>> answer is >>>>>> "we're working on it" >>>>>> >>>>> My concerns are as follows: >>>>> >>>>> 1. This is already out there, and FreeBSD users haven't been >>>>> alerted that >>>>> they should avoid running freebsd-update/portsnap until the >>>>> problems are >>>>> fixed. >>>>> >>>>> 2. There was no mention in the bspatch advisory that running >>>>> freebsd-update to "fix" bspatch would expose systems to MITM >>>>> attackers who >>>>> are apparently already in operation. >>>>> >>>>> 3. Strangely, the "fix" in the advisory is incomplete and still >>>>> permits >>>>> heap corruption, even though a more complete fix is available. That's >>>>> what prompted my post. If FreeBSD learned of the problem from the same >>>>> source document we all did, which seems likely given the coincidental >>>>> timing of an advisory for a little-known utility a week or two >>>>> after that >>>>> source document appeared, then surely FreeBSD had the complete fix >>>>> available. >>>>> >>>>> _______________________________________________ >>>> freebsd-ports@freebsd.org mailing list >>>> https://lists.freebsd.org/mailman/listinfo/freebsd-ports >>>> To unsubscribe, send any mail to " >>>> freebsd-ports-unsubscribe@freebsd.org " >>>> >>> _______________________________________________ >>> freebsd-security@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/freebsd-security >>> To unsubscribe, send any mail to " >>> freebsd-security-unsubscribe@freebsd.org " >> >> Best regards, >> Mail Lists >> mlists@mail.ru >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to >> "freebsd-security-unsubscribe@freebsd.org" >> > > _______________________________________________ > freebsd-ports@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-ports > To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d34bf03a-c3d7-7f3e-48da-cd62bbdad119>