Re: Enumerating glibc dependencies
[Followup-To: set to questions@. This is not a security question.] On Mon, 2 Feb 2015 07:07:11 -0800 (PST) Roger Marquis marq...@roble.com wrote: Before pkgng it was easy to list a system's port dependencies by (starting with): grep glib /var/db/pkg/*/* Is there an equivalent (single) command for pkgng? Hey Roger, You'll want `pkg info -r` for this--and note that glib is not glibc! -- Chris Nehren pgpKb9OIEynrP.pgp Description: OpenPGP digital signature
Re: ntpd vulnerabilities
On Mon, Dec 22, 2014 at 10:39:54 -0700, Brett Glass wrote: I'd like to propose that FreeBSD move to OpenNTPD, which appears to have none of the fixed or unfixed (!) vulnerabilities that are present in ntpd. There's already a port. Heartbleed, more than any other vulnerability in recent memory, showed us users on the outside of the Project just how much effort is involved in patching the base system (thank you, again, DES, for being patient and explaining all the details!). Because of this, I am reticent to support more software going into the base system. It should be small enough to build itself and bootstrap the ports tree, with very little else. The more things are in base, the more things the developers need to worry about patching across all the different supported versions of FreeBSD. It's a lot faster to update a port to use a different version. If you want fast security updates, use ports. Or hire developers to patch software for you. -- Chris Nehren pgpraIZ0e0xJ1.pgp Description: PGP signature
Re: bash velnerability
On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote: 1. Do not ever link /bin/sh to bash. This is why it is such a big problem on Linux, as system(3) will run bash by default from CGI. I would think that this would cause other, more fundamental, issues. FreeBSD's system don't expect /bin/sh to be bash, and I wouldn't be surprised if they break for whatever reason. 2. Web/CGI users should have shell of /sbin/nologin. 3. Don't write CGI in shell script / Stop using CGI :) 4. httpd/CGId should never run as root, nor apache. Sandbox each application into its own user. And its own jail. Jails with ZFS are dirt cheap. -- Chris Nehren pgp_th8N350zW.pgp Description: PGP signature
Re: Ports tree insecure because of IGNOREFILES+IGNORE
On Sunday, June 22, 2014 22:31:50 ph...@openmailbox.org wrote: The IGNOREFILES+IGNORE mechanism allows port maintainers to disable checksum checks. I feel that this mechanism is a stain on an otherwise fantastic ports system. It reduces user confidence in security and makes us all sitting ducks for sophisticated adversaries. Er. There's nothing stopping a port maintainer from saying Sorry, the distfiles aren't fetchable from the master sites any more, I can host a copy and then host a malicious distfile. Or doing any number of simpler things to cause a problem. The Project doesn't have the resources to audit every single distfile's code. If you're that paranoid, you're welcome to do so yourself. -- Chris Nehren signature.asc Description: This is a digitally signed message part.
Re: Heartbleed / r264266 / openssl version
On Tue, Apr 08, 2014 at 15:47:29 -0700, Xin Li wrote: What would be the preferable way of representing the patchlevel? We can do it as part of a EN batch at later time. (Note though, even without this the user or an application can still use freebsd-version(1) on FreeBSD 10.0-RELEASE and up to find out the patchlevel for userland). On an updated system: [(18:56:41) apeiron@behemoth ~] freebsd-version 10.0-STABLE [(18:56:42) apeiron@behemoth ~] freebsd-version -k 10.0-STABLE [(18:56:43) apeiron@behemoth ~] freebsd-version -u 10.0-STABLE [(18:56:47) apeiron@behemoth ~] I can't say this is very useful. Is this only supposed to work for -RELEASE? -- Chris Nehren pgp8HDAvo8ETQ.pgp Description: PGP signature