Date:      Sat, 30 Jul 2016 05:00:23 +0000
From:      Martin Schroeder <mschroeder@vfemail.net>
To:        freebsd-security@freebsd.org
Subject:   Re: freebsd-update and portsnap users still at risk of compromise
Message-ID:  <8d52c11892db36d5041f7fa638e46681@vfemail.net>
In-Reply-To: <c59340ad-38d8-5b76-6cce-d4a1d540f90c@freebsd.org>
References:  <6bd80e384e443e5de73fb951e973b221@vfemail.net> <c59340ad-38d8-5b76-6cce-d4a1d540f90c@freebsd.org>

On 2016-07-29 09:00, Julian Elischer wrote:
> not sure if you've been contacted privately, but I believe the answer is
> "we're working on it"

My concerns are as follows:

1. This is already out there, and FreeBSD users haven't been alerted that
they should avoid running freebsd-update/portsnap until the problems are
fixed.

2. There was no mention in the bspatch advisory that running
freebsd-update to "fix" bspatch would expose systems to MITM attackers who
are apparently already in operation.

3. Strangely, the "fix" in the advisory is incomplete and still permits
heap corruption, even though a more complete fix is available. That's
what prompted my post. If FreeBSD learned of the problem from the same
source document we all did, which seems likely given the coincidental
timing of an advisory for a little-known utility a week or two after that
source document appeared, then surely FreeBSD had the complete fix
available.
