Re: CVE-2015-7547: critical bug in libc

[Joe Holden]

On 22/02/2016 00:04, Chris H wrote:

On Thu, 18 Feb 2016 08:39:32 -0600 (CST) Dan Mack  wrote


On Thu, 18 Feb 2016, Joe Holden wrote:


On 17/02/2016 14:07, Daniel Kalchev wrote:

On 17.02.2016 ?., at 15:40, Shawn Webb 
wrote: >>>
TL;DR: FreeBSD is not affected by CVE-2015-7547.


Unless you use Linux applications under emulation.

Daniel


Which is supported by ports so at most it should be a ports advisory and
not a FreeBSD (base) SA and therefore not on the website.

Just my 2p ;)

Documenting and putting out security advisiories for other operating
systems seems like a bad precedent in general.  The same could be said
for runniing java applications, windows under bhyve, etc. - *sigh* -
if the cross over use is common via a port, then have the port maybe
remind users to consult their distribution specific security
vulnerabilites prior to running it maybe - which is what they should
be doing anyway.

That's my two insignificant cents :-)

Dan

If Sell distributes a bad batch of gasoline. It's not Chevrolet's
responsibility to inform it's car buyers/owners, that Shell produced
a bad batch of gasoline. Is it? :)

--Chris

Exactly, however it is done now so nevermind
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Chris H]

On Thu, 18 Feb 2016 08:39:32 -0600 (CST) Dan Mack  wrote

> On Thu, 18 Feb 2016, Joe Holden wrote:
> 
> > On 17/02/2016 14:07, Daniel Kalchev wrote:
> >>
> >>> On 17.02.2016 ?., at 15:40, Shawn Webb 
> >>> wrote: >>>
> >>> TL;DR: FreeBSD is not affected by CVE-2015-7547.
> >>
> >>
> >> Unless you use Linux applications under emulation.
> >>
> >> Daniel
> >>
> > Which is supported by ports so at most it should be a ports advisory and 
> > not a FreeBSD (base) SA and therefore not on the website.
> >
> > Just my 2p ;)
> 
> Documenting and putting out security advisiories for other operating
> systems seems like a bad precedent in general.  The same could be said
> for runniing java applications, windows under bhyve, etc. - *sigh* -
> if the cross over use is common via a port, then have the port maybe
> remind users to consult their distribution specific security
> vulnerabilites prior to running it maybe - which is what they should
> be doing anyway.
> 
> That's my two insignificant cents :-)
> 
> Dan
If Sell distributes a bad batch of gasoline. It's not Chevrolet's
responsibility to inform it's car buyers/owners, that Shell produced
a bad batch of gasoline. Is it? :)

--Chris


___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Kurt Jaeger]

Hi!

> > A short note on the www.freebsd.org website would probably be helpful,
> > as this case will produce a lot of noise.

> I'd like to second this! This could be some kind of use for the
> further propagation of FreeBSD!
> Many people asked me since yesterday, whether the operating system I used to
> base my appliances and work on does have the bug or not. 

There's a link in the News section now to a writeup by des.

-- 
p...@opsec.eu+49 171 3101372 4 years to go !
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[O. Hartmann]

Am Wed, 17 Feb 2016 14:50:28 +0100
Kurt Jaeger  schrieb:

> Hi!
> 
> > The project that's vulnerable is called "glibc", not "libc". The BSDs
> > don't use glibc, so the phrase "nothing to see here" applies. glibc
> > isn't even available in FreeBSD's ports tree.
> > 
> > TL;DR: FreeBSD is not affected by CVE-2015-7547.  
> 
> A short note on the www.freebsd.org website would probably be helpful,
> as this case will produce a lot of noise.
> 

I'd like to second this! This could be some kind of use for the further 
propagation of
FreeBSD! Many people asked me since yesterday, whether the operating system I 
used to
base my appliances and work on does have the bug or not. 


pgpdjBObmGVsO.pgp
Description: OpenPGP digital signature

Re: CVE-2015-7547: critical bug in libc

[O. Hartmann]

Am Wed, 17 Feb 2016 08:40:03 -0500
Shawn Webb  schrieb:

> On Wed, Feb 17, 2016 at 02:24:10PM +0100, O. Hartmann wrote:
> > It is around now in the media also for non-OS developers: CVE-2015-7547
> > describes a bug in libc which is supposed to affects all Linux versions.
> > 
> > big price question: is FreeBSD > 9.3 also affected?
> > 
> > Some reporters tell us that Linux/UNIX is affected, so sometimes this 
> > terminus
> > is used to prevent the "Linux-nailed" view, but sometimes it also referes to
> > everything else those people can not imagine but consider them Linux-like. 
> > So
> > I'm a bit puzzled, since there is no report about *BSD is affected, too.
> > 
> > Thanks in advance for shedding light onto CVE-2015-7547.  
> 
> The project that's vulnerable is called "glibc", not "libc". The BSDs
> don't use glibc, so the phrase "nothing to see here" applies. glibc
> isn't even available in FreeBSD's ports tree.
> 
> TL;DR: FreeBSD is not affected by CVE-2015-7547.
> 
> Thanks,
> 

The article, I refere to, did only mention "libc" and they used the terminus
"Linux/UNIX", and this is usually associted by that Linux-folks with the rest 
of the
UNIX-alike world after their precious Linux.

I followed then the explanation of the CVE and that stated very clearly, that 
it is GNU
libc. So, I feel better now, but a pity of all that stuff in routers, switches, 
security
appliances utilizing Linux and the penetrated glic. :-)


pgpRNzZksOfi_.pgp
Description: OpenPGP digital signature

Re: CVE-2015-7547: critical bug in libc

[Dan Mack]

On Thu, 18 Feb 2016, Joe Holden wrote:


On 17/02/2016 14:07, Daniel Kalchev wrote:



On 17.02.2016 ?., at 15:40, Shawn Webb  wrote:

TL;DR: FreeBSD is not affected by CVE-2015-7547.



Unless you use Linux applications under emulation.

Daniel

Which is supported by ports so at most it should be a ports advisory and 
not a FreeBSD (base) SA and therefore not on the website.


Just my 2p ;)


Documenting and putting out security advisiories for other operating
systems seems like a bad precedent in general.  The same could be said
for runniing java applications, windows under bhyve, etc. - *sigh* -
if the cross over use is common via a port, then have the port maybe
remind users to consult their distribution specific security
vulnerabilites prior to running it maybe - which is what they should
be doing anyway.

That's my two insignificant cents :-)

Dan

___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Joe Holden]

On 17/02/2016 14:07, Daniel Kalchev wrote:



On 17.02.2016 г., at 15:40, Shawn Webb  wrote:

TL;DR: FreeBSD is not affected by CVE-2015-7547.



Unless you use Linux applications under emulation.

Daniel

Which is supported by ports so at most it should be a ports advisory and 
not a FreeBSD (base) SA and therefore not on the website.


Just my 2p ;)
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Kubilay Kocak]

On 18/02/2016 4:23 AM, Warren Block wrote:
> On Thu, 18 Feb 2016, Kubilay Kocak wrote:
> 
>> On 18/02/2016 3:51 AM, Warren Block wrote:
>>> On Wed, 17 Feb 2016, Eric van Gyzen wrote:
>>>
 On 02/17/2016 08:19, Warren Block wrote:
> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>
>> A short note on the www.freebsd.org website would probably be
>> helpful,
>> as this case will produce a lot of noise.
>
> Maybe a short article like we did for leap seconds?
> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>
>
>

 Articles are permanent, which makes sense for the recurring issue of
 leap seconds.  This vulnerability is transient, so I would suggest a
 news item.
>>>
>>> Yes, but news items are usually just links.  For the amount of
>>> information we have so far, an article seems like the easiest way to do
>>> this.  Or maybe an addition to the security part of the web site?
>>>
>>> For now, I'll collect the information as just text.
>>
>> Don't we also want our sec teams to investigate/confirm it anyway,
>> independent of how it's communicated?
> 
> Absolutely.
> 
>> If so, doesn't a security advisory (with secteam and/or ports-secteam as
>> appropriate) make the most sense here, given the scope of vulnerability
>> for base/linux emulation/ports is yet to be completely established and
>> is still to be investigated properly?
> 
> Have there been security advisories for unconfirmed or
> not-actually-a-problem events before?  My impression was that they have
> only been announced when a problem exists and action needs to be taken.

This "No SA, no problem" pattern is reasonable for default case, and the
vast majority of issues. This glibc issue, like heartbleed and others
may be sufficiently high-profile to warrant special treatment, even if
not in "SA" form.

> However, a real problem *does* exist for Linux VMs and applications on
> FreeBSD, so it could be addressed that way.  A "we are investigating"
> advisory right now could do some good, if the protocols allow it.
> 
>> Finally, would users expect a news item, an article or a heads up from
>> our security teams for something like this, even in the case where it's
>> only a "confirmed we're not affected" ?
> 
> A news item linking to a "it's not us!" advisory would be no problem.
> People have to go looking for that.
> 
> Those who are subscribed to the security mailing list will receive those
> notices directly, and because those are expected to be problems that
> need to be addressed immediately, it might cause some initial
> palpitations as if it were an actual problem with FreeBSD.

Yup, and let me make clear an out-there-in-the-world distinction between
'an advisory by freebsd security people ' and a FreeBSD "SA" the
implementation format.

./koobs
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Warren Block]

On Thu, 18 Feb 2016, Kubilay Kocak wrote:


On 18/02/2016 3:51 AM, Warren Block wrote:

On Wed, 17 Feb 2016, Eric van Gyzen wrote:


On 02/17/2016 08:19, Warren Block wrote:

On Wed, 17 Feb 2016, Kurt Jaeger wrote:


A short note on the www.freebsd.org website would probably be helpful,
as this case will produce a lot of noise.


Maybe a short article like we did for leap seconds?
https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html




Articles are permanent, which makes sense for the recurring issue of
leap seconds.  This vulnerability is transient, so I would suggest a
news item.


Yes, but news items are usually just links.  For the amount of
information we have so far, an article seems like the easiest way to do
this.  Or maybe an addition to the security part of the web site?

For now, I'll collect the information as just text.


Don't we also want our sec teams to investigate/confirm it anyway,
independent of how it's communicated?


Absolutely.


If so, doesn't a security advisory (with secteam and/or ports-secteam as
appropriate) make the most sense here, given the scope of vulnerability
for base/linux emulation/ports is yet to be completely established and
is still to be investigated properly?


Have there been security advisories for unconfirmed or 
not-actually-a-problem events before?  My impression was that they have 
only been announced when a problem exists and action needs to be taken.


However, a real problem *does* exist for Linux VMs and applications on 
FreeBSD, so it could be addressed that way.  A "we are investigating" 
advisory right now could do some good, if the protocols allow it.



Finally, would users expect a news item, an article or a heads up from
our security teams for something like this, even in the case where it's
only a "confirmed we're not affected" ?


A news item linking to a "it's not us!" advisory would be no problem. 
People have to go looking for that.


Those who are subscribed to the security mailing list will receive those 
notices directly, and because those are expected to be problems that 
need to be addressed immediately, it might cause some initial 
palpitations as if it were an actual problem with FreeBSD.

___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Kubilay Kocak]

On 18/02/2016 3:51 AM, Warren Block wrote:
> On Wed, 17 Feb 2016, Eric van Gyzen wrote:
> 
>> On 02/17/2016 08:19, Warren Block wrote:
>>> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>>>
 A short note on the www.freebsd.org website would probably be helpful,
 as this case will produce a lot of noise.
>>>
>>> Maybe a short article like we did for leap seconds?
>>> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>>>
>>>
>>
>> Articles are permanent, which makes sense for the recurring issue of
>> leap seconds.  This vulnerability is transient, so I would suggest a
>> news item.
> 
> Yes, but news items are usually just links.  For the amount of
> information we have so far, an article seems like the easiest way to do
> this.  Or maybe an addition to the security part of the web site?
> 
> For now, I'll collect the information as just text.

Don't we also want our sec teams to investigate/confirm it anyway,
independent of how it's communicated?

If so, doesn't a security advisory (with secteam and/or ports-secteam as
appropriate) make the most sense here, given the scope of vulnerability
for base/linux emulation/ports is yet to be completely established and
is still to be investigated properly?

Finally, would users expect a news item, an article or a heads up from
our security teams for something like this, even in the case where it's
only a "confirmed we're not affected" ?

./koobs
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Warren Block]

On Wed, 17 Feb 2016, Eric van Gyzen wrote:


On 02/17/2016 08:19, Warren Block wrote:

On Wed, 17 Feb 2016, Kurt Jaeger wrote:


A short note on the www.freebsd.org website would probably be helpful,
as this case will produce a lot of noise.


Maybe a short article like we did for leap seconds?
https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html



Articles are permanent, which makes sense for the recurring issue of
leap seconds.  This vulnerability is transient, so I would suggest a
news item.


Yes, but news items are usually just links.  For the amount of 
information we have so far, an article seems like the easiest way to do 
this.  Or maybe an addition to the security part of the web site?


For now, I'll collect the information as just text.
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Eric van Gyzen]

On 02/17/2016 08:19, Warren Block wrote:
> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>
>> A short note on the www.freebsd.org website would probably be helpful,
>> as this case will produce a lot of noise.
>
> Maybe a short article like we did for leap seconds?
> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>

Articles are permanent, which makes sense for the recurring issue of
leap seconds.  This vulnerability is transient, so I would suggest a
news item.

Eric
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Chagin Dmitry]

On Wed, Feb 17, 2016 at 07:19:07AM -0700, Warren Block wrote:
> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
> 
> > Hi!
> >
> >> The project that's vulnerable is called "glibc", not "libc". The BSDs
> >> don't use glibc, so the phrase "nothing to see here" applies. glibc
> >> isn't even available in FreeBSD's ports tree.
> >>
> >> TL;DR: FreeBSD is not affected by CVE-2015-7547.
> 
> What about software that uses emulators/linux_base?
> 
see PR/207272

> > A short note on the www.freebsd.org website would probably be helpful,
> > as this case will produce a lot of noise.
> 
> Maybe a short article like we did for leap seconds?
> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
> 
> I can help with that.
> ___
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Daniel Kalchev]

> On 17.02.2016 г., at 15:40, Shawn Webb  wrote:
> 
> TL;DR: FreeBSD is not affected by CVE-2015-7547.


Unless you use Linux applications under emulation.

Daniel


signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: CVE-2015-7547: critical bug in libc

[Kurt Jaeger]

Hi!

> >> TL;DR: FreeBSD is not affected by CVE-2015-7547.
> 
> What about software that uses emulators/linux_base?
> 
> > A short note on the www.freebsd.org website would probably be helpful,
> > as this case will produce a lot of noise.
> 
> Maybe a short article like we did for leap seconds?
> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
> 
> I can help with that.

Just write the piece, there's no-one else doin' it 8-}

-- 
p...@opsec.eu+49 171 3101372 4 years to go !
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Warren Block]

On Wed, 17 Feb 2016, Kurt Jaeger wrote:


Hi!


The project that's vulnerable is called "glibc", not "libc". The BSDs
don't use glibc, so the phrase "nothing to see here" applies. glibc
isn't even available in FreeBSD's ports tree.

TL;DR: FreeBSD is not affected by CVE-2015-7547.


What about software that uses emulators/linux_base?


A short note on the www.freebsd.org website would probably be helpful,
as this case will produce a lot of noise.


Maybe a short article like we did for leap seconds?
https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html

I can help with that.
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Shawn Webb]

On Wed, Feb 17, 2016 at 04:07:25PM +0200, Daniel Kalchev wrote:
> 
> > On 17.02.2016 ??., at 15:40, Shawn Webb  wrote:
> > 
> > TL;DR: FreeBSD is not affected by CVE-2015-7547.
> 
> 
> Unless you use Linux applications under emulation.

True. I didn't think of that since I don't use the linuxulator and am
not a big fan of it. Good catch.

-- 
Shawn Webb
HardenedBSD

GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE


signature.asc
Description: PGP signature

Re: CVE-2015-7547: critical bug in libc

[Kurt Jaeger]

Hi!

> The project that's vulnerable is called "glibc", not "libc". The BSDs
> don't use glibc, so the phrase "nothing to see here" applies. glibc
> isn't even available in FreeBSD's ports tree.
> 
> TL;DR: FreeBSD is not affected by CVE-2015-7547.

A short note on the www.freebsd.org website would probably be helpful,
as this case will produce a lot of noise.

-- 
p...@opsec.eu+49 171 3101372 4 years to go !
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Tommi Pernila]

Hi,

as Shawn types faster then me...

the libc issue has been found from glibc which is not used in the BSD
family.
This is the affected libc
https://en.wikipedia.org/wiki/GNU_C_Library

What FreeBSD uses:
https://en.wikipedia.org/wiki/BSD_libc

-Tommi


On Wed, Feb 17, 2016 at 3:24 PM, O. Hartmann 
wrote:

> It is around now in the media also for non-OS developers: CVE-2015-7547
> describes a bug in libc which is supposed to affects all Linux versions.
>
> big price question: is FreeBSD > 9.3 also affected?
>
> Some reporters tell us that Linux/UNIX is affected, so sometimes this
> terminus
> is used to prevent the "Linux-nailed" view, but sometimes it also referes
> to
> everything else those people can not imagine but consider them Linux-like.
> So
> I'm a bit puzzled, since there is no report about *BSD is affected, too.
>
> Thanks in advance for shedding light onto CVE-2015-7547.
>
> Regards,
>
> oh
> ___
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
>
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

[Shawn Webb]

On Wed, Feb 17, 2016 at 02:24:10PM +0100, O. Hartmann wrote:
> It is around now in the media also for non-OS developers: CVE-2015-7547
> describes a bug in libc which is supposed to affects all Linux versions.
> 
> big price question: is FreeBSD > 9.3 also affected?
> 
> Some reporters tell us that Linux/UNIX is affected, so sometimes this terminus
> is used to prevent the "Linux-nailed" view, but sometimes it also referes to
> everything else those people can not imagine but consider them Linux-like. So
> I'm a bit puzzled, since there is no report about *BSD is affected, too.
> 
> Thanks in advance for shedding light onto CVE-2015-7547.

The project that's vulnerable is called "glibc", not "libc". The BSDs
don't use glibc, so the phrase "nothing to see here" applies. glibc
isn't even available in FreeBSD's ports tree.

TL;DR: FreeBSD is not affected by CVE-2015-7547.

Thanks,

-- 
Shawn Webb
HardenedBSD

GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE


signature.asc
Description: PGP signature

CVE-2015-7547: critical bug in libc

[O. Hartmann]

It is around now in the media also for non-OS developers: CVE-2015-7547
describes a bug in libc which is supposed to affects all Linux versions.

big price question: is FreeBSD > 9.3 also affected?

Some reporters tell us that Linux/UNIX is affected, so sometimes this terminus
is used to prevent the "Linux-nailed" view, but sometimes it also referes to
everything else those people can not imagine but consider them Linux-like. So
I'm a bit puzzled, since there is no report about *BSD is affected, too.

Thanks in advance for shedding light onto CVE-2015-7547.

Regards,

oh
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"