Re: CVE-2015-7547: critical bug in libc
On 22/02/2016 00:04, Chris H wrote: On Thu, 18 Feb 2016 08:39:32 -0600 (CST) Dan Mackwrote On Thu, 18 Feb 2016, Joe Holden wrote: On 17/02/2016 14:07, Daniel Kalchev wrote: On 17.02.2016 ?., at 15:40, Shawn Webb wrote: >>> TL;DR: FreeBSD is not affected by CVE-2015-7547. Unless you use Linux applications under emulation. Daniel Which is supported by ports so at most it should be a ports advisory and not a FreeBSD (base) SA and therefore not on the website. Just my 2p ;) Documenting and putting out security advisiories for other operating systems seems like a bad precedent in general. The same could be said for runniing java applications, windows under bhyve, etc. - *sigh* - if the cross over use is common via a port, then have the port maybe remind users to consult their distribution specific security vulnerabilites prior to running it maybe - which is what they should be doing anyway. That's my two insignificant cents :-) Dan If Sell distributes a bad batch of gasoline. It's not Chevrolet's responsibility to inform it's car buyers/owners, that Shell produced a bad batch of gasoline. Is it? :) --Chris Exactly, however it is done now so nevermind ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
On Thu, 18 Feb 2016 08:39:32 -0600 (CST) Dan Mackwrote > On Thu, 18 Feb 2016, Joe Holden wrote: > > > On 17/02/2016 14:07, Daniel Kalchev wrote: > >> > >>> On 17.02.2016 ?., at 15:40, Shawn Webb > >>> wrote: >>> > >>> TL;DR: FreeBSD is not affected by CVE-2015-7547. > >> > >> > >> Unless you use Linux applications under emulation. > >> > >> Daniel > >> > > Which is supported by ports so at most it should be a ports advisory and > > not a FreeBSD (base) SA and therefore not on the website. > > > > Just my 2p ;) > > Documenting and putting out security advisiories for other operating > systems seems like a bad precedent in general. The same could be said > for runniing java applications, windows under bhyve, etc. - *sigh* - > if the cross over use is common via a port, then have the port maybe > remind users to consult their distribution specific security > vulnerabilites prior to running it maybe - which is what they should > be doing anyway. > > That's my two insignificant cents :-) > > Dan If Sell distributes a bad batch of gasoline. It's not Chevrolet's responsibility to inform it's car buyers/owners, that Shell produced a bad batch of gasoline. Is it? :) --Chris ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
Hi! > > A short note on the www.freebsd.org website would probably be helpful, > > as this case will produce a lot of noise. > I'd like to second this! This could be some kind of use for the > further propagation of FreeBSD! > Many people asked me since yesterday, whether the operating system I used to > base my appliances and work on does have the bug or not. There's a link in the News section now to a writeup by des. -- p...@opsec.eu+49 171 3101372 4 years to go ! ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
Am Wed, 17 Feb 2016 14:50:28 +0100 Kurt Jaegerschrieb: > Hi! > > > The project that's vulnerable is called "glibc", not "libc". The BSDs > > don't use glibc, so the phrase "nothing to see here" applies. glibc > > isn't even available in FreeBSD's ports tree. > > > > TL;DR: FreeBSD is not affected by CVE-2015-7547. > > A short note on the www.freebsd.org website would probably be helpful, > as this case will produce a lot of noise. > I'd like to second this! This could be some kind of use for the further propagation of FreeBSD! Many people asked me since yesterday, whether the operating system I used to base my appliances and work on does have the bug or not. pgpdjBObmGVsO.pgp Description: OpenPGP digital signature
Re: CVE-2015-7547: critical bug in libc
Am Wed, 17 Feb 2016 08:40:03 -0500 Shawn Webbschrieb: > On Wed, Feb 17, 2016 at 02:24:10PM +0100, O. Hartmann wrote: > > It is around now in the media also for non-OS developers: CVE-2015-7547 > > describes a bug in libc which is supposed to affects all Linux versions. > > > > big price question: is FreeBSD > 9.3 also affected? > > > > Some reporters tell us that Linux/UNIX is affected, so sometimes this > > terminus > > is used to prevent the "Linux-nailed" view, but sometimes it also referes to > > everything else those people can not imagine but consider them Linux-like. > > So > > I'm a bit puzzled, since there is no report about *BSD is affected, too. > > > > Thanks in advance for shedding light onto CVE-2015-7547. > > The project that's vulnerable is called "glibc", not "libc". The BSDs > don't use glibc, so the phrase "nothing to see here" applies. glibc > isn't even available in FreeBSD's ports tree. > > TL;DR: FreeBSD is not affected by CVE-2015-7547. > > Thanks, > The article, I refere to, did only mention "libc" and they used the terminus "Linux/UNIX", and this is usually associted by that Linux-folks with the rest of the UNIX-alike world after their precious Linux. I followed then the explanation of the CVE and that stated very clearly, that it is GNU libc. So, I feel better now, but a pity of all that stuff in routers, switches, security appliances utilizing Linux and the penetrated glic. :-) pgpRNzZksOfi_.pgp Description: OpenPGP digital signature
Re: CVE-2015-7547: critical bug in libc
On Thu, 18 Feb 2016, Joe Holden wrote: On 17/02/2016 14:07, Daniel Kalchev wrote: On 17.02.2016 ?., at 15:40, Shawn Webbwrote: TL;DR: FreeBSD is not affected by CVE-2015-7547. Unless you use Linux applications under emulation. Daniel Which is supported by ports so at most it should be a ports advisory and not a FreeBSD (base) SA and therefore not on the website. Just my 2p ;) Documenting and putting out security advisiories for other operating systems seems like a bad precedent in general. The same could be said for runniing java applications, windows under bhyve, etc. - *sigh* - if the cross over use is common via a port, then have the port maybe remind users to consult their distribution specific security vulnerabilites prior to running it maybe - which is what they should be doing anyway. That's my two insignificant cents :-) Dan ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
On 17/02/2016 14:07, Daniel Kalchev wrote: On 17.02.2016 г., at 15:40, Shawn Webbwrote: TL;DR: FreeBSD is not affected by CVE-2015-7547. Unless you use Linux applications under emulation. Daniel Which is supported by ports so at most it should be a ports advisory and not a FreeBSD (base) SA and therefore not on the website. Just my 2p ;) ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
On 18/02/2016 4:23 AM, Warren Block wrote: > On Thu, 18 Feb 2016, Kubilay Kocak wrote: > >> On 18/02/2016 3:51 AM, Warren Block wrote: >>> On Wed, 17 Feb 2016, Eric van Gyzen wrote: >>> On 02/17/2016 08:19, Warren Block wrote: > On Wed, 17 Feb 2016, Kurt Jaeger wrote: > >> A short note on the www.freebsd.org website would probably be >> helpful, >> as this case will produce a lot of noise. > > Maybe a short article like we did for leap seconds? > https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html > > > Articles are permanent, which makes sense for the recurring issue of leap seconds. This vulnerability is transient, so I would suggest a news item. >>> >>> Yes, but news items are usually just links. For the amount of >>> information we have so far, an article seems like the easiest way to do >>> this. Or maybe an addition to the security part of the web site? >>> >>> For now, I'll collect the information as just text. >> >> Don't we also want our sec teams to investigate/confirm it anyway, >> independent of how it's communicated? > > Absolutely. > >> If so, doesn't a security advisory (with secteam and/or ports-secteam as >> appropriate) make the most sense here, given the scope of vulnerability >> for base/linux emulation/ports is yet to be completely established and >> is still to be investigated properly? > > Have there been security advisories for unconfirmed or > not-actually-a-problem events before? My impression was that they have > only been announced when a problem exists and action needs to be taken. This "No SA, no problem" pattern is reasonable for default case, and the vast majority of issues. This glibc issue, like heartbleed and others may be sufficiently high-profile to warrant special treatment, even if not in "SA" form. > However, a real problem *does* exist for Linux VMs and applications on > FreeBSD, so it could be addressed that way. A "we are investigating" > advisory right now could do some good, if the protocols allow it. > >> Finally, would users expect a news item, an article or a heads up from >> our security teams for something like this, even in the case where it's >> only a "confirmed we're not affected" ? > > A news item linking to a "it's not us!" advisory would be no problem. > People have to go looking for that. > > Those who are subscribed to the security mailing list will receive those > notices directly, and because those are expected to be problems that > need to be addressed immediately, it might cause some initial > palpitations as if it were an actual problem with FreeBSD. Yup, and let me make clear an out-there-in-the-world distinction between 'an advisory by freebsd security people ' and a FreeBSD "SA" the implementation format. ./koobs ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
On Thu, 18 Feb 2016, Kubilay Kocak wrote: On 18/02/2016 3:51 AM, Warren Block wrote: On Wed, 17 Feb 2016, Eric van Gyzen wrote: On 02/17/2016 08:19, Warren Block wrote: On Wed, 17 Feb 2016, Kurt Jaeger wrote: A short note on the www.freebsd.org website would probably be helpful, as this case will produce a lot of noise. Maybe a short article like we did for leap seconds? https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html Articles are permanent, which makes sense for the recurring issue of leap seconds. This vulnerability is transient, so I would suggest a news item. Yes, but news items are usually just links. For the amount of information we have so far, an article seems like the easiest way to do this. Or maybe an addition to the security part of the web site? For now, I'll collect the information as just text. Don't we also want our sec teams to investigate/confirm it anyway, independent of how it's communicated? Absolutely. If so, doesn't a security advisory (with secteam and/or ports-secteam as appropriate) make the most sense here, given the scope of vulnerability for base/linux emulation/ports is yet to be completely established and is still to be investigated properly? Have there been security advisories for unconfirmed or not-actually-a-problem events before? My impression was that they have only been announced when a problem exists and action needs to be taken. However, a real problem *does* exist for Linux VMs and applications on FreeBSD, so it could be addressed that way. A "we are investigating" advisory right now could do some good, if the protocols allow it. Finally, would users expect a news item, an article or a heads up from our security teams for something like this, even in the case where it's only a "confirmed we're not affected" ? A news item linking to a "it's not us!" advisory would be no problem. People have to go looking for that. Those who are subscribed to the security mailing list will receive those notices directly, and because those are expected to be problems that need to be addressed immediately, it might cause some initial palpitations as if it were an actual problem with FreeBSD. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
On 18/02/2016 3:51 AM, Warren Block wrote: > On Wed, 17 Feb 2016, Eric van Gyzen wrote: > >> On 02/17/2016 08:19, Warren Block wrote: >>> On Wed, 17 Feb 2016, Kurt Jaeger wrote: >>> A short note on the www.freebsd.org website would probably be helpful, as this case will produce a lot of noise. >>> >>> Maybe a short article like we did for leap seconds? >>> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html >>> >>> >> >> Articles are permanent, which makes sense for the recurring issue of >> leap seconds. This vulnerability is transient, so I would suggest a >> news item. > > Yes, but news items are usually just links. For the amount of > information we have so far, an article seems like the easiest way to do > this. Or maybe an addition to the security part of the web site? > > For now, I'll collect the information as just text. Don't we also want our sec teams to investigate/confirm it anyway, independent of how it's communicated? If so, doesn't a security advisory (with secteam and/or ports-secteam as appropriate) make the most sense here, given the scope of vulnerability for base/linux emulation/ports is yet to be completely established and is still to be investigated properly? Finally, would users expect a news item, an article or a heads up from our security teams for something like this, even in the case where it's only a "confirmed we're not affected" ? ./koobs ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
On Wed, 17 Feb 2016, Eric van Gyzen wrote: On 02/17/2016 08:19, Warren Block wrote: On Wed, 17 Feb 2016, Kurt Jaeger wrote: A short note on the www.freebsd.org website would probably be helpful, as this case will produce a lot of noise. Maybe a short article like we did for leap seconds? https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html Articles are permanent, which makes sense for the recurring issue of leap seconds. This vulnerability is transient, so I would suggest a news item. Yes, but news items are usually just links. For the amount of information we have so far, an article seems like the easiest way to do this. Or maybe an addition to the security part of the web site? For now, I'll collect the information as just text. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
On 02/17/2016 08:19, Warren Block wrote: > On Wed, 17 Feb 2016, Kurt Jaeger wrote: > >> A short note on the www.freebsd.org website would probably be helpful, >> as this case will produce a lot of noise. > > Maybe a short article like we did for leap seconds? > https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html > Articles are permanent, which makes sense for the recurring issue of leap seconds. This vulnerability is transient, so I would suggest a news item. Eric ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
On Wed, Feb 17, 2016 at 07:19:07AM -0700, Warren Block wrote: > On Wed, 17 Feb 2016, Kurt Jaeger wrote: > > > Hi! > > > >> The project that's vulnerable is called "glibc", not "libc". The BSDs > >> don't use glibc, so the phrase "nothing to see here" applies. glibc > >> isn't even available in FreeBSD's ports tree. > >> > >> TL;DR: FreeBSD is not affected by CVE-2015-7547. > > What about software that uses emulators/linux_base? > see PR/207272 > > A short note on the www.freebsd.org website would probably be helpful, > > as this case will produce a lot of noise. > > Maybe a short article like we did for leap seconds? > https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html > > I can help with that. > ___ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org" ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
> On 17.02.2016 г., at 15:40, Shawn Webbwrote: > > TL;DR: FreeBSD is not affected by CVE-2015-7547. Unless you use Linux applications under emulation. Daniel signature.asc Description: Message signed with OpenPGP using GPGMail
Re: CVE-2015-7547: critical bug in libc
Hi! > >> TL;DR: FreeBSD is not affected by CVE-2015-7547. > > What about software that uses emulators/linux_base? > > > A short note on the www.freebsd.org website would probably be helpful, > > as this case will produce a lot of noise. > > Maybe a short article like we did for leap seconds? > https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html > > I can help with that. Just write the piece, there's no-one else doin' it 8-} -- p...@opsec.eu+49 171 3101372 4 years to go ! ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
On Wed, 17 Feb 2016, Kurt Jaeger wrote: Hi! The project that's vulnerable is called "glibc", not "libc". The BSDs don't use glibc, so the phrase "nothing to see here" applies. glibc isn't even available in FreeBSD's ports tree. TL;DR: FreeBSD is not affected by CVE-2015-7547. What about software that uses emulators/linux_base? A short note on the www.freebsd.org website would probably be helpful, as this case will produce a lot of noise. Maybe a short article like we did for leap seconds? https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html I can help with that. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
On Wed, Feb 17, 2016 at 04:07:25PM +0200, Daniel Kalchev wrote: > > > On 17.02.2016 ??., at 15:40, Shawn Webbwrote: > > > > TL;DR: FreeBSD is not affected by CVE-2015-7547. > > > Unless you use Linux applications under emulation. True. I didn't think of that since I don't use the linuxulator and am not a big fan of it. Good catch. -- Shawn Webb HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE signature.asc Description: PGP signature
Re: CVE-2015-7547: critical bug in libc
Hi! > The project that's vulnerable is called "glibc", not "libc". The BSDs > don't use glibc, so the phrase "nothing to see here" applies. glibc > isn't even available in FreeBSD's ports tree. > > TL;DR: FreeBSD is not affected by CVE-2015-7547. A short note on the www.freebsd.org website would probably be helpful, as this case will produce a lot of noise. -- p...@opsec.eu+49 171 3101372 4 years to go ! ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
Hi, as Shawn types faster then me... the libc issue has been found from glibc which is not used in the BSD family. This is the affected libc https://en.wikipedia.org/wiki/GNU_C_Library What FreeBSD uses: https://en.wikipedia.org/wiki/BSD_libc -Tommi On Wed, Feb 17, 2016 at 3:24 PM, O. Hartmannwrote: > It is around now in the media also for non-OS developers: CVE-2015-7547 > describes a bug in libc which is supposed to affects all Linux versions. > > big price question: is FreeBSD > 9.3 also affected? > > Some reporters tell us that Linux/UNIX is affected, so sometimes this > terminus > is used to prevent the "Linux-nailed" view, but sometimes it also referes > to > everything else those people can not imagine but consider them Linux-like. > So > I'm a bit puzzled, since there is no report about *BSD is affected, too. > > Thanks in advance for shedding light onto CVE-2015-7547. > > Regards, > > oh > ___ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org" > ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CVE-2015-7547: critical bug in libc
On Wed, Feb 17, 2016 at 02:24:10PM +0100, O. Hartmann wrote: > It is around now in the media also for non-OS developers: CVE-2015-7547 > describes a bug in libc which is supposed to affects all Linux versions. > > big price question: is FreeBSD > 9.3 also affected? > > Some reporters tell us that Linux/UNIX is affected, so sometimes this terminus > is used to prevent the "Linux-nailed" view, but sometimes it also referes to > everything else those people can not imagine but consider them Linux-like. So > I'm a bit puzzled, since there is no report about *BSD is affected, too. > > Thanks in advance for shedding light onto CVE-2015-7547. The project that's vulnerable is called "glibc", not "libc". The BSDs don't use glibc, so the phrase "nothing to see here" applies. glibc isn't even available in FreeBSD's ports tree. TL;DR: FreeBSD is not affected by CVE-2015-7547. Thanks, -- Shawn Webb HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE signature.asc Description: PGP signature
CVE-2015-7547: critical bug in libc
It is around now in the media also for non-OS developers: CVE-2015-7547 describes a bug in libc which is supposed to affects all Linux versions. big price question: is FreeBSD > 9.3 also affected? Some reporters tell us that Linux/UNIX is affected, so sometimes this terminus is used to prevent the "Linux-nailed" view, but sometimes it also referes to everything else those people can not imagine but consider them Linux-like. So I'm a bit puzzled, since there is no report about *BSD is affected, too. Thanks in advance for shedding light onto CVE-2015-7547. Regards, oh ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"