Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread perryh
Jerry wrote:
> Waiting until someone is harmed is tantamount to being an
> accomplice to the act.

And providing details of a currently-undefendable vulnerability
to a black hat who did not previously know about it, thereby
enabling the black hat to perpetrate harm that would otherwise
not have occurred, isn't?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: New mail server setup

2009-09-15 Thread Matthew Seaman

Steve Bertrand wrote:

> I'm looking potentially to try a different mail server setup. I'm
> requesting honest feedback from experienced mail ops.
>
> My minimum requirements:
>
> - IPv6 for all protocols
> - SPF
> - IMAP|POP3 must support SSL
> - SMTP AUTH
> - submit on 587
> - MySQL backend for un/pw, vpopmail preferred, but not mandatory
> - Maildir storage preferred
> - easy (ie: well documented) integration with SA/clam
> - integration with maildrop .mailfilter preferred
>
> Right now I use a system wrapped around Qmail, and honestly, I just
> don't want to patch for IPv6 anymore.
>
> I've broken my personal system, so while I work on re-hacking
> everything, I thought I'd solicit some new ideas. I've been using the
> same email system pretty much across the board for seven years or so, so
> perhaps I should look at other options.
>
> Please cc me, as this addr isn't subscribed. I won't be receiving my
> list email from my backup mx until tomorrow, as it were ;)


For an MTA: postfix does everything you want, it's not too shabby speed wise
and the config files are reasonably comprehensible.

For an IMAP/POP3 server: dovecot has the required functionality and unless
you're dealing with thousands of user accounts it's probably a better alternative
for you than the nuclear option of cyrus-imapd.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW





New mail server setup

2009-09-15 Thread Steve Bertrand
I'm looking potentially to try a different mail server setup. I'm
requesting honest feedback from experienced mail ops.

My minimum requirements:

- IPv6 for all protocols
- SPF
- IMAP|POP3 must support SSL
- SMTP AUTH
- submit on 587
- MySQL backend for un/pw, vpopmail preferred, but not mandatory
- Maildir storage preferred
- easy (ie: well documented) integration with SA/clam
- integration with maildrop .mailfilter preferred

Right now I use a system wrapped around Qmail, and honestly, I just
don't want to patch for IPv6 anymore.

I've broken my personal system, so while I work on re-hacking
everything, I thought I'd solicit some new ideas. I've been using the
same email system pretty much across the board for seven years or so, so
perhaps I should look at other options.

Please cc me, as this addr isn't subscribed. I won't be receiving my
list email from my backup mx until tomorrow, as it were ;)

Steve




Can't boot Marvel Sheevaplug from USB

2009-09-15 Thread James Butler
> Hi everyone,
>
> I'm also playing with a Sheevaplug and I'm running into the same problem
> as reported by Rafal Jaworowski, but I think I have a clearer picture
> of what goes wrong.
>
> To recap, the kernel fails to mount the root filesystem because the
> partition on the USB stick isn't recognized by the kernel:
>
> FreeBSD 9.0-CURRENT #4: Mon Sep 14 19:57:10 CEST 2009
> -- blablabla --
> ugen0.1:  at usbus0
> uhub0:  on usbus0
> uhub0: 1 port with 1 removable, self powered
> Root mount waiting for: usbus0
> ugen0.2:  at usbus0
> umass0:  2> on usbus0
> umass0:  SCSI over Bulk-Only; quirks = 0x
> Root mount waiting for: usbus0
> umass0:0:0:-1: Attached to scbus0
> Trying to mount root from ufs:/dev/da0s1a
> ROOT MOUNT ERROR:
>
> I think the problem is that the partition is detected only after the USB
> bus has been scanned. If I configure a kernel to boot from the network
> instead, it does recognize the USB device because of the additional
> delay involved in booting from the network:
>
> FreeBSD 9.0-CURRENT #5: Mon Sep 14 20:45:30 CEST 2009
> -- blablabla --
> ugen0.1:  at usbus0
> uhub0:  on usbus0
> uhub0: 1 port with 1 removable, self powered
> mge0: link state changed to UP
> Received DHCP Offer packet on mge0 from 130.89.1.145 via 130.89.160.4
> (accepted) (no root path)
> Received DHCP Offer packet on mge0 from 130.89.1.144 via 130.89.160.5
> (ignored) (no root path)
> ugen0.2:  at usbus0
> umass0:  2> on usbus0
> umass0:  SCSI over Bulk-Only; quirks = 0x
> umass0:0:0:-1: Attached to scbus0
> (probe0:umass-sim0:0:0:0): TEST UNIT READY. CDB: 0 0 0 0 0 0
> (probe0:umass-sim0:0:0:0): CAM Status: SCSI Status Error
> (probe0:umass-sim0:0:0:0): SCSI Status: Check Condition
> (probe0:umass-sim0:0:0:0): UNIT ATTENTION asc:28,0
> (probe0:umass-sim0:0:0:0): Not ready to ready change, medium may have
> changed
> (probe0:umass-sim0:0:0:0): (probe0:umass-sim0:0:0:0): TEST UNIT READY.
> CDB: 0 0 0 0 0 0
> (probe0:umass-sim0:0:0:0): UNIT ATTENTION asc:28,0
> (probe0:umass-sim0:0:0:0): Not ready to ready change, medium may have
> changed
> Retrying Command (per Sense Data)
> (probe0:umass-sim0:0:0:0): Retrying Command
> pass0 at umass-sim0 bus 0 scbus0 target 0 lun 0
> pass0: < USB Flash Memory 1.00> Removable Direct Access SCSI-2 device
> pass0: Serial Number 0612140557130
> pass0: 40.000MB/s transfers
> GEOM: new disk da0
> da0 at umass-sim0 bus 0 scbus0 target 0 lun 0
> da0: < USB Flash Memory 1.00> Removable Direct Access SCSI-2 device
> da0: Serial Number 0612140557130
> da0: 40.000MB/s transfers
> da0: 962MB (1971200 512 byte sectors: 64H 32S/T 962C)
>
> Of course with the kernel configured like this, the kernel wants to
> mount the root filesystem from NFS and I can't break into the mountroot>
> prompt!
>
> It seems that the kernel assumes that it only needs to wait for the USB
> bus to finish scanning and then expects the root partition to be
> available, but apparently partitions can be detected after that.
>
> Does anyone have a suggestion how to deal with this? Is there a way to
> insert a delay before trying to mount root? (I tried setting SCSI_DELAY
> to 5000 but this didn't seem to have any effect -- I didn't notice any
> delay. Maybe this isn't supported for the ARM architecture?)
>
> Kind regards,
> Maks Verver.
>

Sounds similar to:

http://www.freebsd.org/cgi/query-pr.cgi?pr=138798

Apparently Scott Long is working on a fix.

-James Butler


Re: where to put `startx` serverargs

2009-09-15 Thread Alexander Best
Roland Smith wrote on 2009-09-16:
> On Tue, Sep 15, 2009 at 09:54:39PM +0200, Alexander Best wrote:
> > Roland Smith wrote on 2009-09-15:
> > > You can put them in /usr/local/lib/X11/xinit/xserverrc, together with
> > > the X server.
> > >
> > > Roland
> >
> > thx. could you tell me what exactly i need to put in that file? because i
> > already tried adding `startx -- -nolisten inet6` to ~/.serverrc and that
> > didn't work.
>
> Read the startx(1) and xinit() manual pages closely. What you should put
> in to the xserverrc is:
>
> ----- xserverrc -----
> #!/bin/sh
> exec /usr/local/bin/Xorg -nolisten inet6
> ----- xserverrc -----
>
> Roland

thx a bunch. that worked.

imo the xorg guys should allow people to disable ipv6 support at compile time
with a ./configure option.

cheers.
alex


Re: freebsd-questions Digest, Vol 276, Issue 5

2009-09-15 Thread James Phillips

> Message: 15
> Date: Tue, 15 Sep 2009 14:13:17 -0400
> From: Jerry
> Subject: Re: reporter on deadline seeks comment about reported
>     security bug in FreeBSD
> To: freebsd-questions@freebsd.org
> Message-ID: <20090915141317.7a41b...@scorpio.seibercom.net>
> Content-Type: text/plain; charset=US-ASCII
>
> On Tue, 15 Sep 2009 13:18:29 -0400
> Bill Moran wrote:
>
> The fact is, that you do in fact notify me. Keeping important security
> information secret benefits no one, except for possibly those
> responsible for the problem to begin with who do not want the
> knowledge of the problem to become public. A multitude of software,
> such as Mozilla, publish known security holes in their software.
> The ramifications of allowing a user to actively use a piece of
> software when a known bug/exploit/etc. exists within it is grossly
> negligent.

The important question is: known by whom?
Every reviewer brings their own bias and experience. The code has not been
"proven correct," so there is no reason to assume that a Black-hat will find
the same bug/exploit. If there are more than about 3 unknown exploits, they are
more likely to find a different one.

IMO, Mozilla is a bad example. I've been bitten by (non-security) bugs going 
back to 1.5 or earlier. Disclosure: I still prefer Lynx.






Re: where to put `startx` serverargs

2009-09-15 Thread Roland Smith
On Tue, Sep 15, 2009 at 09:54:39PM +0200, Alexander Best wrote:
> Roland Smith wrote on 2009-09-15:
> > You can put them in /usr/local/lib/X11/xinit/xserverrc, together with
> > the X server.
> >
> > Roland
>
> thx. could you tell me what exactly i need to put in that file? because i
> already tried adding `startx -- -nolisten inet6` to ~/.serverrc and that
> didn't work.

Read the startx(1) and xinit() manual pages closely. What you should put in to
the xserverrc is:

----- xserverrc -----
#!/bin/sh
exec /usr/local/bin/Xorg -nolisten inet6
----- xserverrc -----

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Re: looking for motherboard with 7.2 proven suspend/resume

2009-09-15 Thread Steve Franks
> On 9/15/09, Steve Franks wrote:
>> S3 is a key feature for me for my desktops.  I have gone thru probably
>> 5 mobo's and 5 laptops in my time as a FBSD user, the only one which
>> ever S3'd was a compaq of all things (well, lots of them will S3 if
>> you kldunload usb, but they crash/hang/etc on resume generally).
>>
>> Anyway, it's time for a new system, and as long as I can shove a
>> somewhat modern dual core in it, my second most critical criteria for
>> purchase is that S3 works with FreeBSD with a minimum of or at least
>> well described hacking.
>
> Resume doesn't work on i386 SMP, on amd64 it should work (at least it worked
> on Intel T5500 last time I tried).

So, no way to nix the second processor in rc.suspend, I take it?

Steve


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Jerry
On Tue, 15 Sep 2009 15:28:59 -0400
DAve wrote:

> Jerry wrote:
> > On Tue, 15 Sep 2009 20:51:40 +0200
> > Mel Flynn wrote:
> > 
> >> Please inform yourself properly before assuming you're right.
> >> Mozilla does not by default publish vulnerabilities before a fix
> >> is known. In some cases publishing has been delayed by months. The
> >> exception is when exploits are already in the wild and a work
> >> around is available, while a real fix will take more work.
> >>
> >> This is also why vulnerabilities are typically not disclosed till a
> >> fix is known, because it does not protect the typical user, but
> >> puts him in harms way, which is exactly what you don't want.
> >>
> >> In theory, if I know the details of this particular exploit, I can
> >> patch my 6.4 machines myself, but more realistically, if developers
> >> take all this time to come up with a solution that doesn't break
> >> functionality the chances that I and more casual users can do this
> >> are slim. Meanwhile, the exploit will be coded into the usual
> >> rootkits and internet scanners and casualties will be made. That
> >> doesn't help anyone.
> > 
> > Assume that I have discovered a vulnerability in a widely used, or
> > even marginal for arguments sake, program. I now start to exploit
> > that vulnerability. Now assume that you are responsible for
> > maintaining, that program. Use any job description that suits you
> > for this purpose. Are you claiming that since it may take several
> > months to fix, it is better to let users be exploited rather than
> > inform them that there is an exploitable problem in said software?
> > I find that extremely disturbing.
> > 
> > As you can no doubt tell, I am not a believer in the "Ignorance is
> > bliss" theory.
> > 
> 
> I believe the point that others are trying to make is this. Your
> example requires that the exploit is known to the blackhats and in
> use currently. Their example assumes that exploit is only known to
> those who discovered it.
> 
> This particular exploit is not believed to be known to the black
> hats, and not known to be in use currently.
> 
> Is it better for an exploit to remain a secret and not in use,
> protecting those that may not get their systems patched in time (as
> the blackhats *will* most certainly put the exploit to use as soon as
> they are told about it). Or, let the exploit remain a secret until it
> is either fixed and a patch made available or discovered in use by
> blackhats.
> 
> I think you are both right. If the exploit is not being used, keep it
> a secret and let the developers design a permanent fix. If the
> exploit is discovered publicly before the fix is out, warn everyone
> loudly and provide a workaround.
> 
> I believe all software I am aware of handles exploits with that
> method.

I am not aware of any infallible method of determining if an exploit is
in use. By the time the exploit becomes common knowledge it is usually
too late. Lacking same, I believe in the "Forewarned is Forearmed"
policy. Waiting until someone is harmed is tantamount to being an
accomplice to the act.

-- 
Jerry
ges...@yahoo.com

Never buy from a rich salesman.

Goldenstern


Re: krootimage crashed at KDE 3.5 startup on signal 11 (7.2 STABLE)

2009-09-15 Thread Mel Flynn
On Tuesday 15 September 2009 21:23:40 Jeronimo Calvo wrote:
> done and fixed!! thanks a lot!!

Good, and you're very welcome.

> btw, that was caused then to a portupgrade -f?? there is any
> additional steps, to solve any future errors caused by that as well??

Though the initial instructions about the jpeg upgrade were questionable at 
best, the current description is accurate and will resolve any future 
problems. You can of course reduce the amount of work by figuring out which 
ports still link with libjpeg.so.9, using ldd on /usr/local/bin/* and 
/usr/local/sbin/*, grep and pkg_info -W.

pkg_updating -d 20090719 jpeg

will show the UPDATING entry.
-- 
Mel
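
The check described in the message above (ldd over the installed files, filtered for libjpeg.so.9, then pkg_info -W for the owner), as an added example that is not part of the original post. The sample ldd output is constructed to resemble the output quoted in this thread, the function names are this example's own, and the `--scan` mode assumes FreeBSD's `ldd -a` and `pkg_info -W`.

```shell
#!/bin/sh
# Added example: list objects that still reference an old shared library
# (libjpeg.so.9 in this thread) and name the package owning each of them.

# stale_linkers LIB
# Reads ldd output on stdin. ldd prints a "path:" header for each object,
# followed by its "name => path (addr)" dependency lines. Prints every
# object whose own dependency list names LIB exactly, once each.
stale_linkers() {
    awk -v lib="$1" '
        /:$/ && !/=>/ { obj = substr($0, 1, length($0) - 1); next }
        $1 == lib && $2 == "=>" && obj != "" && !seen[obj]++ { print obj }
    '
}

# scan_dirs LIB DIR...
# Runs FreeBSD "ldd -a" (per-object dependency lists) over the executables
# in each DIR. ldd works by starting the target with the runtime linker in
# trace mode, so point it only at installed files you already trust.
scan_dirs() {
    lib=$1
    shift
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            ldd -a "$f" 2>/dev/null || true
        done
    done | stale_linkers "$lib"
}

# owner_of PATH
# Maps a file to the package that installed it (pkg_info -W), so the
# right port can be rebuilt from source.
owner_of() {
    if command -v pkg_info >/dev/null 2>&1; then
        pkg_info -W "$1"
    else
        echo "$1 (pkg_info not available on this system)"
    fi
}

# Constructed sample, shaped like the ldd -a output quoted in this thread.
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/krootimage:
    libkio.so.6 => /usr/local/lib/libkio.so.6 (0x80064f000)
    libutil.so.7 => /lib/libutil.so.7 (0x8016fb000)
/usr/local/lib/libqt-mt.so.3:
    libmng.so.1 => /usr/local/lib/libmng.so.1 (0x804086000)
    libjpeg.so.9 => /usr/local/lib/compat/pkg/libjpeg.so.9 (0x8041e6000)
/usr/local/lib/libmng.so.1:
    liblcms.so.1 => /usr/local/lib/liblcms.so.1 (0x804ae5000)
    libjpeg.so.9 => /usr/local/lib/compat/pkg/libjpeg.so.9 (0x8041e6000)
/usr/local/lib/compat/pkg/libjpeg.so.9:
    libc.so.7 => /lib/libc.so.7 (0x803bec000)
EOF
}

case "${1:-}" in
    --scan)
        # Real scan of the directories named in the message above.
        scan_dirs "${2:-libjpeg.so.9}" /usr/local/bin /usr/local/sbin |
            while read -r obj; do owner_of "$obj"; done
        ;;
    *)
        # Offline demonstration on the constructed sample.
        sample_ldd | stale_linkers libjpeg.so.9
        ;;
esac
```

Because the filter keys on the per-object sections, it reports the libraries that reference the old libjpeg directly rather than every program that loads it indirectly.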


Re: where to put `startx` serverargs

2009-09-15 Thread Alexander Best
Roland Smith wrote on 2009-09-15:
> You can put them in /usr/local/lib/X11/xinit/xserverrc, together with
> the X server.
>
> Roland

thx. could you tell me what exactly i need to put in that file? because i
already tried adding `startx -- -nolisten inet6` to ~/.serverrc and that
didn't work.

cheers.
alex


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Mel Flynn
On Tuesday 15 September 2009 21:14:25 Jerry wrote:
> On Tue, 15 Sep 2009 20:51:40 +0200
> 
> Mel Flynn wrote:

> > The exception is
> > when exploits are already in the wild and a work around is available,
> > while a real fix will take more work.

> Assume that I have discovered a vulnerability in a widely used, or even
> marginal for arguments sake, program. I now start to exploit that
> vulnerability. Now assume that you are responsible for maintaining,
> that program. Use any job description that suits you for this purpose.
> Are you claiming that since it may take several months to fix, it is
> better to let users be exploited rather than inform them that there is
> an exploitable problem in said software? I find that extremely
> disturbing.

Then I suggest you cancel your internet account(s). Also, it helps to read 
what people are writing.

But for the corner case where you are the person reporting me this 
vulnerability, telling me you won't exploit it, then do it anyway, there is no 
guard in place, other than that sooner or later, you'll compromise a machine
administered by someone able to retrace what happened and it'll come back to 
me and I'd move up the timetable, cook up a work around and publish the 
details.
There is some level of trust between reporter and fixer, whether it be good or 
bad, it's simply a fact of life and not likely to change.
-- 
Mel


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread DAve

Jerry wrote:
> On Tue, 15 Sep 2009 20:51:40 +0200
> Mel Flynn wrote:
>
> > Please inform yourself properly before assuming you're right. Mozilla
> > does not by default publish vulnerabilities before a fix is known. In
> > some cases publishing has been delayed by months. The exception is
> > when exploits are already in the wild and a work around is available,
> > while a real fix will take more work.
> >
> > This is also why vulnerabilities are typically not disclosed till a
> > fix is known, because it does not protect the typical user, but puts
> > him in harms way, which is exactly what you don't want.
> >
> > In theory, if I know the details of this particular exploit, I can
> > patch my 6.4 machines myself, but more realistically, if developers
> > take all this time to come up with a solution that doesn't break
> > functionality the chances that I and more casual users can do this
> > are slim. Meanwhile, the exploit will be coded into the usual
> > rootkits and internet scanners and casualties will be made. That
> > doesn't help anyone.
>
> Assume that I have discovered a vulnerability in a widely used, or even
> marginal for arguments sake, program. I now start to exploit that
> vulnerability. Now assume that you are responsible for maintaining,
> that program. Use any job description that suits you for this purpose.
> Are you claiming that since it may take several months to fix, it is
> better to let users be exploited rather than inform them that there is
> an exploitable problem in said software? I find that extremely
> disturbing.
>
> As you can no doubt tell, I am not a believer in the "Ignorance is
> bliss" theory.



I believe the point that others are trying to make is this. Your example 
requires that the exploit is known to the blackhats and in use 
currently. Their example assumes that exploit is only known to those who 
discovered it.


This particular exploit is not believed to be known to the black hats, 
and not known to be in use currently.


Is it better for an exploit to remain a secret and not in use,
protecting those that may not get their systems patched in time (as the 
blackhats *will* most certainly put the exploit to use as soon as they 
are told about it). Or, let the exploit remain a secret until it is 
either fixed and a patch made available or discovered in use by blackhats.


I think you are both right. If the exploit is not being used, keep it a 
secret and let the developers design a permanent fix. If the exploit is 
discovered publicly before the fix is out, warn everyone loudly and 
provide a workaround.


I believe all software I am aware of handles exploits with that method.

DAve

--
"Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Quincy Adams

http://appleseedinfo.org



Re: krootimage crashed at KDE 3.5 startup on signal 11 (7.2 STABLE)

2009-09-15 Thread Jeronimo Calvo
done and fixed!! thanks a lot!!

btw, that was caused then to a portupgrade -f?? there is any
additional steps, to solve any future errors caused by that as well??

Cheers!

2009/9/15 Mel Flynn:
> On Tuesday 15 September 2009 20:48:55 Jeronimo Calvo wrote:
>> Yes, I remember I had an error when I ran "pkgdb -F" due to 2
>> different versions of jpeg...
>>
>> here is the output:
>>
>> $ ldd -a /usr/local/bin/krootimage
>
> ...
>
>> /usr/local/lib/libqt-mt.so.3:
>> libaudio.so.2 => /usr/local/lib/libaudio.so.2 (0x803e1)
>> libXt.so.6 => /usr/local/lib/libXt.so.6 (0x803f27000)
>> libmng.so.1 => /usr/local/lib/libmng.so.1 (0x804086000)
>> libjpeg.so.9 => /usr/local/lib/compat/pkg/libjpeg.so.9
>>  (0x8041e6000) libpng.so.5 => /usr/local/lib/libpng.so.5 (0x802796000)
>> libz.so.4 => /lib/libz.so.4 (0x803351000)
>> libXi.so.6 => /usr/local/lib/libXi.so.6 (0x804307000)
>> libXrender.so.1 => /usr/local/lib/libXrender.so.1 (0x802bef000)
>> libXrandr.so.2 => /usr/local/lib/libXrandr.so.2 (0x80441)
>> libXcursor.so.1 => /usr/local/lib/libXcursor.so.1 (0x804518000)
>> libXinerama.so.1 => /usr/local/lib/libXinerama.so.1 (0x804622000)
>> libXft.so.2 => /usr/local/lib/libXft.so.2 (0x804724000)
>> libfreetype.so.9 => /usr/local/lib/libfreetype.so.9 (0x804837000)
>> libfontconfig.so.1 => /usr/local/lib/libfontconfig.so.1
>>  (0x8049b6000) libXext.so.6 => /usr/local/lib/libXext.so.6 (0x8028bc000)
>> libX11.so.6 => /usr/local/lib/libX11.so.6 (0x802cf8000)
>> libSM.so.6 => /usr/local/lib/libSM.so.6 (0x8029cd000)
>> libICE.so.6 => /usr/local/lib/libICE.so.6 (0x802ad5000)
>> libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x8036a1000)
>> libm.so.5 => /lib/libm.so.5 (0x8038ad000)
>> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x8039c7000)
>> libthr.so.3 => /lib/libthr.so.3 (0x803ad4000)
>> libc.so.7 => /lib/libc.so.7 (0x803bec000)
>
>> /usr/local/lib/libmng.so.1:
>> libm.so.5 => /lib/libm.so.5 (0x8038ad000)
>> libz.so.4 => /lib/libz.so.4 (0x803351000)
>> liblcms.so.1 => /usr/local/lib/liblcms.so.1 (0x804ae5000)
>> libjpeg.so.9 => /usr/local/lib/compat/pkg/libjpeg.so.9
>>  (0x8041e6000) libc.so.7 => /lib/libc.so.7 (0x803bec000)
>> /usr/local/lib/compat/pkg/libjpeg.so.9:
>
> Those are the two culprits. Forcibly (portupgrade/portmaster -f) reinstall
> x11-toolkits/qt33 and graphics/libmng and make sure it's done from source, not
> from local packages.
> --
> Mel
>


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Jerry
On Tue, 15 Sep 2009 20:51:40 +0200
Mel Flynn wrote:

> Please inform yourself properly before assuming you're right. Mozilla
> does not by default publish vulnerabilities before a fix is known. In
> some cases publishing has been delayed by months. The exception is
> when exploits are already in the wild and a work around is available,
> while a real fix will take more work.
> 
> This is also why vulnerabilities are typically not disclosed till a
> fix is known, because it does not protect the typical user, but puts
> him in harms way, which is exactly what you don't want.
> 
> In theory, if I know the details of this particular exploit, I can
> patch my 6.4 machines myself, but more realistically, if developers
> take all this time to come up with a solution that doesn't break
> functionality the chances that I and more casual users can do this
> are slim. Meanwhile, the exploit will be coded into the usual
> rootkits and internet scanners and casualties will be made. That
> doesn't help anyone.

Assume that I have discovered a vulnerability in a widely used, or even
marginal for arguments sake, program. I now start to exploit that
vulnerability. Now assume that you are responsible for maintaining,
that program. Use any job description that suits you for this purpose.
Are you claiming that since it may take several months to fix, it is
better to let users be exploited rather than inform them that there is
an exploitable problem in said software? I find that extremely
disturbing.

As you can no doubt tell, I am not a believer in the "Ignorance is
bliss" theory.

-- 
Jerry
ges...@yahoo.com

In the days of old,
When Knights were bold,
And women were too cautious;
Oh, those gallant days,
When women were women,
And men were really obnoxious.


Re: krootimage crashed at KDE 3.5 startup on signal 11 (7.2 STABLE)

2009-09-15 Thread Mel Flynn
On Tuesday 15 September 2009 20:48:55 Jeronimo Calvo wrote:
> Yes, I remember I had an error when I ran "pkgdb -F" due to 2
> different versions of jpeg...
> 
> here is the output:
> 
> $ ldd -a /usr/local/bin/krootimage

...

> /usr/local/lib/libqt-mt.so.3:
> libaudio.so.2 => /usr/local/lib/libaudio.so.2 (0x803e1)
> libXt.so.6 => /usr/local/lib/libXt.so.6 (0x803f27000)
> libmng.so.1 => /usr/local/lib/libmng.so.1 (0x804086000)
> libjpeg.so.9 => /usr/local/lib/compat/pkg/libjpeg.so.9
>  (0x8041e6000) libpng.so.5 => /usr/local/lib/libpng.so.5 (0x802796000)
> libz.so.4 => /lib/libz.so.4 (0x803351000)
> libXi.so.6 => /usr/local/lib/libXi.so.6 (0x804307000)
> libXrender.so.1 => /usr/local/lib/libXrender.so.1 (0x802bef000)
> libXrandr.so.2 => /usr/local/lib/libXrandr.so.2 (0x80441)
> libXcursor.so.1 => /usr/local/lib/libXcursor.so.1 (0x804518000)
> libXinerama.so.1 => /usr/local/lib/libXinerama.so.1 (0x804622000)
> libXft.so.2 => /usr/local/lib/libXft.so.2 (0x804724000)
> libfreetype.so.9 => /usr/local/lib/libfreetype.so.9 (0x804837000)
> libfontconfig.so.1 => /usr/local/lib/libfontconfig.so.1
>  (0x8049b6000) libXext.so.6 => /usr/local/lib/libXext.so.6 (0x8028bc000)
> libX11.so.6 => /usr/local/lib/libX11.so.6 (0x802cf8000)
> libSM.so.6 => /usr/local/lib/libSM.so.6 (0x8029cd000)
> libICE.so.6 => /usr/local/lib/libICE.so.6 (0x802ad5000)
> libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x8036a1000)
> libm.so.5 => /lib/libm.so.5 (0x8038ad000)
> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x8039c7000)
> libthr.so.3 => /lib/libthr.so.3 (0x803ad4000)
> libc.so.7 => /lib/libc.so.7 (0x803bec000)

> /usr/local/lib/libmng.so.1:
> libm.so.5 => /lib/libm.so.5 (0x8038ad000)
> libz.so.4 => /lib/libz.so.4 (0x803351000)
> liblcms.so.1 => /usr/local/lib/liblcms.so.1 (0x804ae5000)
> libjpeg.so.9 => /usr/local/lib/compat/pkg/libjpeg.so.9
>  (0x8041e6000) libc.so.7 => /lib/libc.so.7 (0x803bec000)
> /usr/local/lib/compat/pkg/libjpeg.so.9:

Those are the two culprits. Forcibly (portupgrade/portmaster -f) reinstall 
x11-toolkits/qt33 and graphics/libmng and make sure it's done from source, not 
from local packages.
-- 
Mel


Re: looking for motherboard with 7.2 proven suspend/resume

2009-09-15 Thread Paul B. Mahol
On 9/15/09, Steve Franks wrote:
> S3 is a key feature for me for my desktops.  I have gone thru probably
> 5 mobo's and 5 laptops in my time as a FBSD user, the only one which
> ever S3'd was a compaq of all things (well, lots of them will S3 if
> you kldunload usb, but they crash/hang/etc on resume generally).
>
> Anyway, it's time for a new system, and as long as I can shove a
> somewhat modern dual core in it, my second most critical criteria for
> purchase is that S3 works with FreeBSD with a minimum of or at least
> well described hacking.

Resume doesn't work on i386 SMP, on amd64 it should work (at least it worked
on Intel T5500 last time I tried).
-- 
Paul


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread DAve

Jerry wrote:

> Now, if you don't like that, "KISS MY ASS".


I love IT mail lists! So classy.

DAve

--
"Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Quincy Adams




Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Mel Flynn
On Tuesday 15 September 2009 20:13:17 Jerry wrote:
> On Tue, 15 Sep 2009 13:18:29 -0400
> 
> Bill Moran wrote:
> > On Tue, 15 Sep 2009 13:03:50 -0400
> >
> > Jerry wrote:
> > > On Tue, 15 Sep 2009 11:13:31 -0400
> > >
> > > Bill Moran wrote:
> > > > In response to Jerry:
> > > > > I usually discover security problems with updates I receive from
> > > > > . Aren't FreeBSD security problems
> > > > > reported to their site? If not, why? IMHO, keeping users in the
> > > > > dark to known security problems is not a serviceable protocol.
> > > >
> > > > Because releasing security advisories before there is a fix
> > > > available is not responsible use of the information, and (as is
> > > > being discussed) the fix is still in the works.
> > >
> > > I disagree. If I have a medical problem, or what ever, I expect to
> > > be informed of it. The fact that there is no known cure, fix, etc.
> > > is immaterial, if in fact not grossly negligent.
> >
> > This is a stupid and non-relevant comparison.  A better comparison
> > would be if I realized that you'd left your car door unlocked in a
> > less than safe neighborhood.  Would you rather I told you discreetly,
> > or just started shouting it out loud to the neighborhood?  Wait, I
> > know the answer, if I see _your_ car unlocked, I'll just start
> > shouting.
> 
> The fact is, that you do in fact notify me. Keeping important security
> information secret benefits no one, except for possibly those
> responsible for the problem to begin with who do not want the
> knowledge of the problem to become public. A multitude of software,
> such as Mozilla, publish known security holes in their software.
> The ramifications of allowing a user to actively use a piece of
> software when a known bug/exploit/etc. exists within it is grossly
> negligent.

Please inform yourself properly before assuming you're right. Mozilla does not 
by default publish vulnerabilities before a fix is known. In some cases 
publishing has been delayed by months. The exception is when exploits are 
already in the wild and a work around is available, while a real fix will take 
more work.

This is also why vulnerabilities are typically not disclosed till a fix is 
known, because it does not protect the typical user, but puts him in harm's 
way, which is exactly what you don't want.

In theory, if I know the details of this particular exploit, I can patch my 
6.4 machines myself, but more realistically, if developers take all this time 
to come up with a solution that doesn't break functionality the chances that I 
and more casual users can do this are slim. Meanwhile, the exploit will be 
coded into the usual rootkits and internet scanners and casualties will be 
made. That doesn't help anyone.
-- 
Mel


Re: krootimage crashed at KDE 3.5 startup on signal 11 (7.2 STABLE)

2009-09-15 Thread Jeronimo Calvo
Yes, I remember I had an error when I ran "pkgdb -F" due to 2
different versions of jpeg...

here is the output:

$ ldd -a /usr/local/bin/krootimage
/usr/local/bin/krootimage:
libkio.so.6 => /usr/local/lib/libkio.so.6 (0x80064f000)
libkdeui.so.6 => /usr/local/lib/libkdeui.so.6 (0x800b35000)
libkdesu.so.6 => /usr/local/lib/libkdesu.so.6 (0x800fef000)
libkwalletclient.so.1 => /usr/local/lib/libkwalletclient.so.1
(0x801108000)
libkdecore.so.6 => /usr/local/lib/libkdecore.so.6 (0x80121b000)
libDCOP.so.6 => /usr/local/lib/libDCOP.so.6 (0x8015c1000)
libutil.so.7 => /lib/libutil.so.7 (0x8016fb000)
libart_lgpl_2.so.5 => /usr/local/lib/libart_lgpl_2.so.5 (0x80180a000)
libidn.so.16 => /usr/local/lib/libidn.so.16 (0x801921000)
libintl.so.8 => /usr/local/lib/libintl.so.8 (0x801a53000)
libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x801b5c000)
libkdefx.so.6 => /usr/local/lib/libkdefx.so.6 (0x801d56000)
libqt-mt.so.3 => /usr/local/lib/libqt-mt.so.3 (0x801e81000)
libpng.so.5 => /usr/local/lib/libpng.so.5 (0x802796000)
libXext.so.6 => /usr/local/lib/libXext.so.6 (0x8028bc000)
libSM.so.6 => /usr/local/lib/libSM.so.6 (0x8029cd000)
libICE.so.6 => /usr/local/lib/libICE.so.6 (0x802ad5000)
libXrender.so.1 => /usr/local/lib/libXrender.so.1 (0x802bef000)
libX11.so.6 => /usr/local/lib/libX11.so.6 (0x802cf8000)
libxcb.so.2 => /usr/local/lib/libxcb.so.2 (0x802f26000)
libXau.so.6 => /usr/local/lib/libXau.so.6 (0x80304)
libXdmcp.so.6 => /usr/local/lib/libXdmcp.so.6 (0x803143000)
librpcsvc.so.4 => /usr/lib/librpcsvc.so.4 (0x803248000)
libz.so.4 => /lib/libz.so.4 (0x803351000)
libfam.so.0 => /usr/local/lib/libfam.so.0 (0x803465000)
libjpeg.so.10 => /usr/local/lib/libjpeg.so.10 (0x80356d000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x8036a1000)
libm.so.5 => /lib/libm.so.5 (0x8038ad000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x8039c7000)
libthr.so.3 => /lib/libthr.so.3 (0x803ad4000)
libc.so.7 => /lib/libc.so.7 (0x803bec000)
/usr/local/lib/libkio.so.6:
libkdeui.so.6 => /usr/local/lib/libkdeui.so.6 (0x800b35000)
libkdesu.so.6 => /usr/local/lib/libkdesu.so.6 (0x800fef000)
libkwalletclient.so.1 => /usr/local/lib/libkwalletclient.so.1
(0x801108000)
libkdecore.so.6 => /usr/local/lib/libkdecore.so.6 (0x80121b000)
libDCOP.so.6 => /usr/local/lib/libDCOP.so.6 (0x8015c1000)
libutil.so.7 => /lib/libutil.so.7 (0x8016fb000)
libart_lgpl_2.so.5 => /usr/local/lib/libart_lgpl_2.so.5 (0x80180a000)
libidn.so.16 => /usr/local/lib/libidn.so.16 (0x801921000)
libintl.so.8 => /usr/local/lib/libintl.so.8 (0x801a53000)
libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x801b5c000)
libkdefx.so.6 => /usr/local/lib/libkdefx.so.6 (0x801d56000)
libqt-mt.so.3 => /usr/local/lib/libqt-mt.so.3 (0x801e81000)
libpng.so.5 => /usr/local/lib/libpng.so.5 (0x802796000)
libXext.so.6 => /usr/local/lib/libXext.so.6 (0x8028bc000)
libSM.so.6 => /usr/local/lib/libSM.so.6 (0x8029cd000)
libICE.so.6 => /usr/local/lib/libICE.so.6 (0x802ad5000)
libXrender.so.1 => /usr/local/lib/libXrender.so.1 (0x802bef000)
libX11.so.6 => /usr/local/lib/libX11.so.6 (0x802cf8000)
libxcb.so.2 => /usr/local/lib/libxcb.so.2 (0x802f26000)
libXau.so.6 => /usr/local/lib/libXau.so.6 (0x80304)
libXdmcp.so.6 => /usr/local/lib/libXdmcp.so.6 (0x803143000)
librpcsvc.so.4 => /usr/lib/librpcsvc.so.4 (0x803248000)
libz.so.4 => /lib/libz.so.4 (0x803351000)
libfam.so.0 => /usr/local/lib/libfam.so.0 (0x803465000)
libjpeg.so.10 => /usr/local/lib/libjpeg.so.10 (0x80356d000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x8036a1000)
libm.so.5 => /lib/libm.so.5 (0x8038ad000)
libc.so.7 => /lib/libc.so.7 (0x803bec000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x8039c7000)
/usr/local/lib/libkdeui.so.6:
libkdecore.so.6 => /usr/local/lib/libkdecore.so.6 (0x80121b000)
libDCOP.so.6 => /usr/local/lib/libDCOP.so.6 (0x8015c1000)
libutil.so.7 => /lib/libutil.so.7 (0x8016fb000)
libart_lgpl_2.so.5 => /usr/local/lib/libart_lgpl_2.so.5 (0x80180a000)
libidn.so.16 => /usr/local/lib/libidn.so.16 (0x801921000)
libintl.so.8 => /usr/local/lib/libintl.so.8 (0x801a53000)
libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x801b5c000)
libkdefx.so.6 => /usr/local/lib/libkdefx.so.6 (0x801d56000)
libqt-mt.so.3 => /usr/local/lib/libqt-mt.so.3 (0x801e81000)
libpng.so.5 => /usr/local/lib/libpng.so.5 (0x802796000)
libz.so.4 => /lib/libz.so.4 (0x803351000)
libXext.so.6 => /usr/local/lib/libXext.so.6 (0x8028bc000)
libSM.so.6 => /usr/local/lib/libSM.so.6 (0x8029cd000)
libICE.so.6 => /usr/l

Re: krootimage crashed at KDE 3.5 startup on signal 11 (7.2 STABLE)

2009-09-15 Thread Mel Flynn
On Tuesday 15 September 2009 19:35:47 Jeronimo Calvo wrote:
> Hi folks!!!
> 
> For some reason I'm getting krootimage (the wallpaper manager of KDE)
> crashing every time I log in...
> Any ideas of how to fix that?

Any chance you have two jpeg versions lying around? Please provide ldd -a 
output of krootimage.
-- 
Mel


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Jerry
On Tue, 15 Sep 2009 13:18:29 -0400
Bill Moran  wrote:

> On Tue, 15 Sep 2009 13:03:50 -0400
> Jerry  wrote:
> 
> > On Tue, 15 Sep 2009 11:13:31 -0400
> > Bill Moran  wrote:
> > 
> > > In response to Jerry :
> > > 
> > > > 
> > > > I usually discover security problems with updates I receive from
> > > > . Aren't FreeBSD security problems
> > > > reported to their site? If not, why? IMHO, keeping users in the
> > > > dark to known security problems is not a serviceable protocol.
> > > 
> > > Because releasing security advisories before there is a fix
> > > available is not responsible use of the information, and (as is
> > > being discussed) the fix is still in the works.
> > 
> > I disagree. If I have a medical problem, or what ever, I expect to
> > be informed of it. The fact that there is no known cure, fix, etc.
> > is immaterial, if in fact not grossly negligent.
> 
> This is a stupid and non-relevant comparison.  A better comparison
> would be if I realized that you'd left your car door unlocked in a
> less than safe neighborhood.  Would you rather I told you discreetly,
> or just started shouting it out loud to the neighborhood?  Wait, I
> know the answer, if I see _your_ car unlocked, I'll just start
> shouting.

The fact is, that you do in fact notify me. Keeping important security
information secret benefits no one, except for possibly those
responsible for the problem to begin with who do not want the
knowledge of the problem to become public. A multitude of software,
such as Mozilla, publish known security holes in their software.
The ramifications of allowing a user to actively use a piece of
software when a known bug/exploit/etc. exists within it is grossly
negligent.

 
> > Being kept ignorant of a
> > security problem is as foolish a theory as "Security through
> > Obscurity".
> 
> No, it's not.  And I don't even want to hear your ill-fitting
> metaphor for how you arrived at that conclusion.
> 
> > I find the  updates invaluable. The fact
> > that apparently FBSD does not encompass them I find discomforting.
> 
> You're missing the fact that FreeBSD's security issues _are_ listed
> there, when appropriate.
> 
> Your obvious ignorance of how things operate absolves you of any right
> to complain.
> 
> > BTW, please do not CC: me. I am subscribed to the list and do not
> > need multiple copies of the same post.
> 
> Whine me a river, for crying out loud.  List policy on this list
> since the Dawn of Time has been to CC the list and the poster.  I'm
> not going to check with everyone on the list to see if they're
> subscribed or not.  Don't like it?  Get off the list.

I just checked the FreeBSD list web page,
 and
failed to find any indication that CC:ing was the desired posting
response. In fact, except for a few, perhaps one or two others, I am
not aware of any perpetual CC:'s on this list. Then again, I doubt that
they feel as threatened when their beliefs are questioned. Perhaps you
should seek professional help for your anger issues.

Now, if you don't like that, "KISS MY ASS".
 
> -Bill

-- 
Jerry
ges...@yahoo.com

If it doesn't smell yet, it's pretty fresh.

Dave Johnson, on dead seagulls


looking for motherboard with 7.2 proven suspend/resume

2009-09-15 Thread Steve Franks
S3 is a key feature for me for my desktops.  I have gone thru probably
5 mobo's and 5 laptops in my time as a FBSD user, the only one which
ever S3'd was a compaq of all things (well, lots of them will S3 if
you kldunload usb, but they crash/hang/etc on resume generally).

Anyway, it's time for a new system, and as long as I can shove a
somewhat modern dual core in it, my second most critical criteria for
purchase is that S3 works with FreeBSD with a minimum of or at least
well described hacking.

Thanks,
Steve


krootimage crashed at KDE 3.5 startup on signal 11 (7.2 STABLE)

2009-09-15 Thread Jeronimo Calvo
Hi folks!!!

For some reason I'm getting krootimage (the wallpaper manager of KDE)
crashing every time I log in...
Any ideas of how to fix that?

All the best!

Jero


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Bill Moran
On Tue, 15 Sep 2009 13:03:50 -0400
Jerry  wrote:

> On Tue, 15 Sep 2009 11:13:31 -0400
> Bill Moran  wrote:
> 
> > In response to Jerry :
> > 
> > > 
> > > I usually discover security problems with updates I receive from
> > > . Aren't FreeBSD security problems
> > > reported to their site? If not, why? IMHO, keeping users in the
> > > dark to known security problems is not a serviceable protocol.
> > 
> > Because releasing security advisories before there is a fix available
> > is not responsible use of the information, and (as is being
> > discussed) the fix is still in the works.
> 
> I disagree. If I have a medical problem, or what ever, I expect to be
> informed of it. The fact that there is no known cure, fix, etc. is
> immaterial, if in fact not grossly negligent.

This is a stupid and non-relevant comparison.  A better comparison would
be if I realized that you'd left your car door unlocked in a less than
safe neighborhood.  Would you rather I told you discreetly, or just started
shouting it out loud to the neighborhood?  Wait, I know the answer, if I
see _your_ car unlocked, I'll just start shouting.

> Being kept ignorant of a
> security problem is as foolish a theory as "Security through Obscurity".

No, it's not.  And I don't even want to hear your ill-fitting metaphor for
how you arrived at that conclusion.

> I find the  updates invaluable. The fact that
> apparently FBSD does not encompass them I find discomforting.

You're missing the fact that FreeBSD's security issues _are_ listed there,
when appropriate.

Your obvious ignorance of how things operate absolves you of any right
to complain.

> BTW, please do not CC: me. I am subscribed to the list and do not need
> multiple copies of the same post.

Whine me a river, for crying out loud.  List policy on this list since the
Dawn of Time has been to CC the list and the poster.  I'm not going to check
with everyone on the list to see if they're subscribed or not.  Don't like
it?  Get off the list.

-Bill


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Jerry
On Tue, 15 Sep 2009 11:13:31 -0400
Bill Moran  wrote:

> In response to Jerry :
> 
> > On Tue, 15 Sep 2009 07:18:26 -0400
> > Bill Moran  wrote:
> > 
> > > Mel Flynn  wrote:
> > > >
> > > > On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > > > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com
> > > > > wrote:
> > > > > > Am 2009/9/14 Dan Goodin  writhed:
> > > > > > > Hello,
> > > > > > >
> > > > > > > Dan Goodin, a reporter at technology news website The
> > > > > > > Register. Security researcher Przemyslaw Frasunek says
> > > > > > > versions 6.x through 6.4 of FreeBSD has a security bug. He
> > > > > > > says he notified the FreeBSD Foundation on August 29 and
> > > > > > > never got a response. We'll be writing a brief article
> > > > > > > about this. Please let me know ASAP if someone cares to
> > > > > > > comment.
> > > > > >
> > > > > > Has anyone submitted a PR about this?
> > > > > 
> > > > > Przemyslaw Frasunek has PR's posted but none recent. IMO if a
> > > > > PR is not submitted then one has *not* informed the Powers
> > > > > That Be.
> > > > 
> > > > Wrong. Security bugs should be reported to the security team,
> > > > not PR'd.
> > > 
> > > It's typical for security issues to be kept hushed until a fix is
> > > ready. As a result, there are usually no PRs, and in the case
> > > where the person who discovered the problem is amenable, there is
> > > no public discussion at all until a fix is available.
> > > 
> > > Apparently, Mr. Frasunek started out down that path, which is
> > > admirable. It seems as if he doesn't have much patience, however,
> > > since he thinks that only 2 weeks is enough time to fix a security
> > > problem and QA the fix.
> > 
> > I usually discover security problems with updates I receive from
> > . Aren't FreeBSD security problems
> > reported to their site? If not, why? IMHO, keeping users in the
> > dark to known security problems is not a serviceable protocol.
> 
> Because releasing security advisories before there is a fix available
> is not responsible use of the information, and (as is being
> discussed) the fix is still in the works.

I disagree. If I have a medical problem, or what ever, I expect to be
informed of it. The fact that there is no known cure, fix, etc. is
immaterial, if in fact not grossly negligent. Being kept ignorant of a
security problem is as foolish a theory as "Security through Obscurity".

I find the  updates invaluable. The fact that
apparently FBSD does not encompass them I find discomforting.

BTW, please do not CC: me. I am subscribed to the list and do not need
multiple copies of the same post.

-- 
Jerry
ges...@yahoo.com

There is no sin but ignorance.

Christopher Marlowe


Re: Approx. restore time estimate

2009-09-15 Thread jaymax

I was wondering if 24, 48, 72 hrs or even a lifetime was the order of time. I
am now approaching 24 hrs. probably wait until my geriatric years and come
back to look at the machine ... lol!!!

Or would I have been better off using
dd if=/dev/* of=output/path/filename [options]

All other things being equal, would the removal of the "restore" overheads
be significant relative to those from dd .

Thanks


Lars Eighner-2 wrote:
> 
> On Mon, 14 Sep 2009, jaymax wrote:
> 
>>
>> Thanks!
>>
>> That might explain. Is there an alternate process you would recommend
>> with
>> at least equal reliability.
> 
> I don't know of anything that isn't a bigger can of worms in a file system
> of any complexity to speak of.
> 
>> BTW I should have mentioned that I was restoring from a disk file rather
>> than from a tape
> 
> I was speaking of disk to disk.
> 
> 



Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Bill Moran
In response to Jerry :

> On Tue, 15 Sep 2009 07:18:26 -0400
> Bill Moran  wrote:
> 
> > Mel Flynn  wrote:
> > >
> > > On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote:
> > > > > Am 2009/9/14 Dan Goodin  writhed:
> > > > > > Hello,
> > > > > >
> > > > > > Dan Goodin, a reporter at technology news website The
> > > > > > Register. Security researcher Przemyslaw Frasunek says
> > > > > > versions 6.x through 6.4 of FreeBSD has a security bug. He
> > > > > > says he notified the FreeBSD Foundation on August 29 and
> > > > > > never got a response. We'll be writing a brief article about
> > > > > > this. Please let me know ASAP if someone cares to comment.
> > > > >
> > > > > Has anyone submitted a PR about this?
> > > > 
> > > > Przemyslaw Frasunek has PR's posted but none recent. IMO if a PR
> > > > is not submitted then one has *not* informed the Powers That Be.
> > > 
> > > Wrong. Security bugs should be reported to the security team, not
> > > PR'd.
> > 
> > It's typical for security issues to be kept hushed until a fix is
> > ready. As a result, there are usually no PRs, and in the case where
> > the person who discovered the problem is amenable, there is no public
> > discussion at all until a fix is available.
> > 
> > Apparently, Mr. Frasunek started out down that path, which is
> > admirable. It seems as if he doesn't have much patience, however,
> > since he thinks that only 2 weeks is enough time to fix a security
> > problem and QA the fix.
> 
> I usually discover security problems with updates I receive from
> . Aren't FreeBSD security problems reported to
> their site? If not, why? IMHO, keeping users in the dark to known
> security problems is not a serviceable protocol.

Because releasing security advisories before there is a fix available is
not responsible use of the information, and (as is being discussed) the
fix is still in the works.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Lane Holcombe
On Tue, 2009-09-15 at 10:49 -0400, Jerry wrote:
> On Tue, 15 Sep 2009 07:18:26 -0400
> Bill Moran  wrote:
> 
> > Mel Flynn  wrote:
> > >
> > > On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote:

> snip

> I usually discover security problems with updates I receive from
> . Aren't FreeBSD security problems reported to
> their site? If not, why? IMHO, keeping users in the dark to known
> security problems is not a serviceable protocol.

Jerry, 

point your aggregator to http://www.freebsd.org/security/advisories.rdf

There have only been 12 security advisories put out this year, as far as
I can tell.  Nothing about this one, though.

lane



Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Jerry
On Tue, 15 Sep 2009 07:18:26 -0400
Bill Moran  wrote:

> Mel Flynn  wrote:
> >
> > On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote:
> > > > Am 2009/9/14 Dan Goodin  writhed:
> > > > > Hello,
> > > > >
> > > > > Dan Goodin, a reporter at technology news website The
> > > > > Register. Security researcher Przemyslaw Frasunek says
> > > > > versions 6.x through 6.4 of FreeBSD has a security bug. He
> > > > > says he notified the FreeBSD Foundation on August 29 and
> > > > > never got a response. We'll be writing a brief article about
> > > > > this. Please let me know ASAP if someone cares to comment.
> > > >
> > > > Has anyone submitted a PR about this?
> > > 
> > > Przemyslaw Frasunek has PR's posted but none recent. IMO if a PR
> > > is not submitted then one has *not* informed the Powers That Be.
> > 
> > Wrong. Security bugs should be reported to the security team, not
> > PR'd.
> 
> It's typical for security issues to be kept hushed until a fix is
> ready. As a result, there are usually no PRs, and in the case where
> the person who discovered the problem is amenable, there is no public
> discussion at all until a fix is available.
> 
> Apparently, Mr. Frasunek started out down that path, which is
> admirable. It seems as if he doesn't have much patience, however,
> since he thinks that only 2 weeks is enough time to fix a security
> problem and QA the fix.

I usually discover security problems with updates I receive from
. Aren't FreeBSD security problems reported to
their site? If not, why? IMHO, keeping users in the dark to known
security problems is not a serviceable protocol.

-- 
Jerry
ges...@yahoo.com

If there is a possibility of several things going wrong, the one that
will cause the most damage will be the one to go wrong.


building emulators/virtualbox-3.0.51r22902 fails in kBuild

2009-09-15 Thread Scott Bennett
 Here's the last part of the output.

kBuild: Compiling RuntimeR0Drv - 
/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime/r0drv/generic/RTMpIsCpuWorkPending-r0drv-generic.cpp
kBuild: Compiling RuntimeR0Drv - 
/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime/r0drv/generic/mpnotification-r0drv-generic.cpp
kBuild: Compiling RuntimeR0Drv - 
/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime/r0drv/freebsd/alloc-r0drv-freebsd.c
kBuild: Compiling RuntimeR0Drv - 
/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime/r0drv/freebsd/assert-r0drv-freebsd.c
In file included from 
/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime/r0drv/freebsd/the-freebsd-kernel.h:60In
 file included from 
/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime/r0drv/freebsd/the-freebsd-kernel.h:60,
 from 
/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime/r0drv/freebsd/assert-r0drv-freebsd.c:34:
/sys/vm/vm.h:64:24: error: machine/vm.h: No such file or directory
,
 from 
/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime/r0drv/freebsd/alloc-r0drv-freebsd.c:34:
/sys/vm/vm.h:64:24: error: machine/vm.h: No such file or directory
kmk[2]: *** 
[/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/out/freebsd.x86/release/obj/RuntimeR0Drv/r0drv/freebsd/alloc-r0drv-freebsd.o]
 Error 1
The failing command:
@cc -c -O2 -Wall -Wextra -Wno-missing-field-initializers -Wno-unused 
-Wno-trigraphs -Wpointer-arith -Winline -Wno-pointer-sign -Wstrict-prototypes 
-Wmissing-prototypes -Wstrict-prototypes -Wnested-externs -O2 
-fformat-extensions -ffreestanding -fno-strict-aliasing -fno-common 
-finline-limit=8000 -fno-stack-protector -O2 -mtune=generic 
-fno-omit-frame-pointer -nostdinc -std=c99 -m32 -mno-align-long-strings 
-mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 
-I/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/out/freebsd.x86/release/gen-sys-hdrs
 
-I/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime 
-I/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime/include
 -I/sys -I/sys/contrib/altq -I/sys/../include -I/usr/include 
-I/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/include 
-I/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/out/freebsd.x86/release
 -DVBOX -DVBOX_OSE -DVBOX_WITH_64_BITS_GUESTS -DVBOX_WITH_HARDENING 
-DRTPATH_APP_PRIVATE=\"/usr/local/share/virtualbox\" 
-DRTPATH_APP_PRIVATE_ARCH=\"/usr/local/lib/virtualbox\" 
-DRTPATH_SHARED_LIBS=\"/usr/local/lib/virtualbox\" 
-DRTPATH_APP_DOCS=\"/usr/local/share/doc/virtualbox\" -DRT_OS_FREEBSD 
-D__FREEBSD__ -DRT_ARCH_X86 -D__X86__ -D_KERNEL -DKLD_MODULE -DIN_RING0 
-DIN_RT_R0 -DIN_RT_R0 -DRT_WITH_VBOX -DRT_WITHOUT_NOCRT_WRAPPERS 
-DRT_NO_EXPORT_SYMBOL 
-Wp,-MD,/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/out/freebsd.x86/release/obj/RuntimeR0Drv/r0drv/freebsd/alloc-r0drv-freebsd.o.dep
 
-Wp,-MT,/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/out/freebsd.x86/release/obj/RuntimeR0Drv/r0drv/freebsd/alloc-r0drv-freebsd.o
 -Wp,-MP -o 
/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/out/freebsd.x86/release/obj/RuntimeR0Drv/r0drv/freebsd/alloc-r0drv-freebsd.o
 
/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime/r0drv/freebsd/alloc-r0drv-freebsd.c
kmk[2]: *** Waiting for unfinished jobs
kmk[2]: *** 
[/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/out/freebsd.x86/release/obj/RuntimeR0Drv/r0drv/freebsd/assert-r0drv-freebsd.o]
 Error 1
The failing command:
@cc -c -O2 -Wall -Wextra -Wno-missing-field-initializers -Wno-unused 
-Wno-trigraphs -Wpointer-arith -Winline -Wno-pointer-sign -Wstrict-prototypes 
-Wmissing-prototypes -Wstrict-prototypes -Wnested-externs -O2 
-fformat-extensions -ffreestanding -fno-strict-aliasing -fno-common 
-finline-limit=8000 -fno-stack-protector -O2 -mtune=generic 
-fno-omit-frame-pointer -nostdinc -std=c99 -m32 -mno-align-long-strings 
-mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 
-I/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/out/freebsd.x86/release/gen-sys-hdrs
 
-I/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime 
-I/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/src/VBox/Runtime/include
 -I/sys -I/sys/contrib/altq -I/sys/../include -I/usr/include 
-I/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/include 
-I/usr/ports/emulators/virtualbox/work/virtualbox-3.0.51r22902/out/freebsd.x86/release
 -DVBOX -DVBOX_OSE -DVBOX_WITH_64_BITS_GUESTS -DVBOX_WITH_HARDENING 
-DRTPATH_APP_PRIVATE=\"/usr/local/share/virtualbox\" 
-DRTPATH_APP_PRIVATE_ARCH=\"/usr/local/lib/virtualbox\" 
-DRTPATH_SHARED_LIBS=\"/usr/local/lib/virtualbox\" 
-DRTPATH_

Re: Non-root user and accept() or listen()

2009-09-15 Thread Mel Flynn
On Monday 14 September 2009 18:47:18 Freminlins wrote:
> Hi,
> 
> I am not sure if this exists (but don't think so), so I am asking.
> 
> Is there a sysctl type thing to disallow non-root users, or indeed any
> specified user or group, from running a program with listen() ?
> 
> What I am looking at is improving network security, such that if a user
> account is compromised it can then not be used to run a dodgy web
> server/whatever on a non-privileged port. Although I can firewall off any
> port I wish, it seems like an obvious thing to disallow any user from
> opening a listening socket in the first place. I am suggesting something
> like "sysctl user.socket_listen" with enable or disable.
> 
> Am I being really daft? Or does this exist already?

See mac_portacl(4).
-- 
Mel
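
A sketch of how mac_portacl(4) could be configured for the policy asked about above, added here as an illustration and not taken from the thread. The uid 1001 and port 8080 are constructed sample values, and a kernel built with "options MAC" is assumed.

```conf
# --- /boot/loader.conf ---
# Load the port ACL policy module at boot.
# Assumption: the running kernel was built with "options MAC".
mac_portacl_load="YES"

# --- /etc/sysctl.conf ---
# mac_portacl only enforces its rules for ports up to port_high
# (default 1023). Raise it so binds to unprivileged ports are
# checked against the rule list as well.
security.mac.portacl.port_high=65535

# Let root bind any port regardless of the rule list (default 1).
security.mac.portacl.suser_exempt=1

# Exempt bind-to-port-0 requests (automatic port allocation) from
# rule checking (default 1). With this exemption on, a process can
# still bind port 0 and receive a kernel-chosen port, so pair the
# policy with a firewall rule if that matters.
security.mac.portacl.autoport_exempt=1

# Rule list format: idtype:id:protocol:port[,idtype:id:protocol:port,...]
# idtype is uid or gid, protocol is tcp or udp.
# Constructed sample: only uid 1001 may bind TCP port 8080; every
# other non-root bind to a port in 1..port_high is refused.
security.mac.portacl.rules=uid:1001:tcp:8080
```

The policy is applied when a process binds a local TCP or UDP port; the effective values can be reviewed with `sysctl security.mac.portacl`.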


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Giorgos Keramidas
On Tue, 15 Sep 2009 09:58:31 +0200, Przemyslaw Frasunek wrote:
> Giorgos Keramidas wrote:
>> Przemyslaw should email security-officer with any details he thinks are
>> relevant.  Then the security team will make sure to fix the bug for all
>> affected releases of FreeBSD, release a patch with the fix, issue an
>> advisory through the usual channels, and post the details online at our
>> security information web pages at .
>
> I see that I received a lot of criticism after disclosing 6.4 vulnerability.
> Please read some facts:
>
> I sent a few mails: on 29th Aug to security team, on 2nd Sep and 11th Sep
> directly to security officer. None of them were answered. I haven't filed
> any PRs, because it would disclose details of vulnerability to the public
> and allow blackhats to exploit it.
>
> I won't publish anything more than video, before official security
> advisory. The exploit is private to me and it won't be given to the
> "community".

Hi Przemyslaw,

What I wrote is not criticism for what you have or might have not done.
I now know (after posting the initial message) that the security officer
is preparing a fix and an advisory, so my response was more like ``this
is the usual way of handling this sort of thing''.  The wording was a
bit careful to avoid implying that you didn't know or were not prepared
to do what is appropriate :)





Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Mel Flynn
On Tuesday 15 September 2009 09:58:31 Przemyslaw Frasunek wrote:
> Giorgos Keramidas wrote:
> > Przemyslaw should email security-officer with any details he thinks are
> > relevant.  Then the security team will make sure to fix the bug for all
> > affected releases of FreeBSD, release a patch with the fix, issue an
> > advisory through the usual channels, and post the details online at our
> > security information web pages at .
> 
> I see that I received a lot of criticism after disclosing 6.4
>  vulnerability. Please read some facts:

FWIW, I think some people here read with their eyes closed and I'm wondering 
myself, why security@ did not at least respond with a "we're looking into it, 
please hold on, as we're busy with 8.0 release.".
-- 
Mel


Re: libnsl.so.1

2009-09-15 Thread Mel Flynn
On Tuesday 15 September 2009 02:43:32 Joe R. Jah wrote:
> On Tue, 15 Sep 2009, Mel Flynn wrote:
> > Date: Tue, 15 Sep 2009 01:17:02 +0200
> > From: Mel Flynn 
> > To: freebsd-questions@freebsd.org
> > Cc: Joe R. Jah 
> > Subject: Re: libnsl.so.1
> >
> > On Tuesday 15 September 2009 00:02:50 Joe R. Jah wrote:
> > > Hello all,
> > >
> > > I want to install a dispatcher module from Day Communique software on
> > > apache22.  The binary mod_dispatcher.so is provided by Day as a 64 bit
> > > *NIX compatible module to place in apache22 module directory.  The
> > > module requires a shared library missing from system:
> > >
> > > --8<--
> > > # apachectl -t
> > > httpd: Syntax error on line 827 of /usr/local/etc/apache22/httpd.conf:
> > > Cannot load /usr/local/libexec/apache22/mod_dispatcher.so into server:
> > > Shared object "libnsl.so.1" not found, required by "mod_dispatcher.so"
> > > --8<--
> > >
> > > Does anyone know where to download libnsl.so.1, or from what port it
> > > can be installed?
> >
> > nsl=name service library. All of its functions are in FreeBSD implemented
> > in libc. If this mod_dispatcher.so is indeed loadable by FreeBSD's
> > linker, then you can provide a dummy libnsl.so.1, like so:
> >
> > $ cat <<'EOF' >BSDmakefile
> > SHLIB=nsl
> > SHLIB_MAJOR=1
> > NO_MAN=yes
> > SRCS=nsl.c
> >
> > .include <bsd.lib.mk>
> > EOF
> > $ cat <<'EOF' >nsl.c
> > int nsl_dummy(void);
> >
> > int nsl_dummy(void) { return 0; }
> > EOF
> >
> > $ make; sudo make LIBDIR=/usr/local/lib install
> >
> > The symbols it's looking for should be provided by libc, but if there's
> > any undefined ones, this trickery gets a little dangerous and you're
> > better off asking the developers for a native FreeBSD version.
> 
> Thank you Mel.  You were right about undefined ones;  Here's what I get:
> 
> --8<--
> apachectl -t
> httpd: Syntax error on line 826 of /usr/local/etc/apache22/httpd.conf:
> Cannot load /usr/local/libexec/apache22/mod_dispatcher.so into server:
> /usr/local/libexec/apache22/mod_dispatcher.so: Undefined symbol "__strdup"
> --8<--
> 
> Any more trickeries?;-)

Sure, add #define __strdup strdup to nsl.c, however this road is not likely to 
end soon. It seems to be compiled for a linux system, at least for a SYSV 
system, while FreeBSD follows '4.4BSD'.
-- 
Mel


Re: Non-root user and accept() or listen()

2009-09-15 Thread Ruben de Groot
On Tue, Sep 15, 2009 at 11:39:05AM +0100, Freminlins typed:
> 2009/9/14 Chris Rees 
> 
> >
> > Isn't this a bit drastic? Listening sockets are opened by very many
> > types of processes, as well as remembering that sendmail, BIND, and
> > others don't actually run as root... I suppose it'd be possible, but
> >  would it actually be useful?
> >
> 
> Sure, those open listening sockets. But those are things I want to listen.
> 
> Now suppose a user account was hacked, and "Bob" sets up a web server
> listening on some random port above 1024. If "Bob" couldn't use listen() he
> wouldn't be able to do that.

Haven't tried it, but you can probably set net.inet.ip.portrange.reservedhigh
to 65535. That way only root can bind(2) to any port.

Ruben
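
To check the effect of this setting empirically, here is an added example (not code from the thread): run it as the restricted account before and after raising net.inet.ip.portrange.reservedhigh, and compare the result for an explicit port with the result for a kernel-chosen one. The name probe_listen and the default port 8080 are assumptions of this example.

```c
/* Added example: report what this uid may bind(2) and listen(2) on. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to 127.0.0.1:port and listen on it; port 0 lets the
 * kernel choose. Returns the bound port (> 0), or -errno on refusal. */
int probe_listen(unsigned short port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int fd, rc;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);

    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        rc = -errno;            /* e.g. EACCES when the port is reserved */
    else
        rc = ntohs(sa.sin_port);

    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    /* 8080 is a constructed default; pass the port you want to check. */
    unsigned short ports[2] = { 8080, 0 };
    if (argc > 1)
        ports[0] = (unsigned short)atoi(argv[1]);
    for (int i = 0; i < 2; i++) {
        int rc = probe_listen(ports[i]);
        if (rc > 0)
            printf("requested %u: listening on %d\n", ports[i], rc);
        else
            printf("requested %u: refused (%s)\n", ports[i], strerror(-rc));
    }
    return 0;
}
```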



Re: Can't boot Marvel Sheevaplug from USB

2009-09-15 Thread Maks Verver

Hi everyone,

I'm also playing with a Sheevaplug and I'm running into the same problem 
as reported  by Rafal Jaworowski, but I think I have a clearer picture 
of what goes wrong.


To recap, the kernel fails to mount the root filesystem because the 
partition on the USB stick isn't recognized by the kernel:


FreeBSD 9.0-CURRENT #4: Mon Sep 14 19:57:10 CEST 2009
-- blablabla --
ugen0.1:  at usbus0
uhub0:  on usbus0
uhub0: 1 port with 1 removable, self powered
Root mount waiting for: usbus0
ugen0.2:  at usbus0
umass0: 2> on usbus0

umass0:  SCSI over Bulk-Only; quirks = 0x
Root mount waiting for: usbus0
umass0:0:0:-1: Attached to scbus0
Trying to mount root from ufs:/dev/da0s1a
ROOT MOUNT ERROR:

I think the problem is that the partition is detected only after the USB 
bus has been scanned. If I configure a kernel to boot from the network 
instead, it does recognize the USB device because of the additional 
delay involved in booting from the network:


FreeBSD 9.0-CURRENT #5: Mon Sep 14 20:45:30 CEST 2009
-- blablabla --
ugen0.1:  at usbus0
uhub0:  on usbus0
uhub0: 1 port with 1 removable, self powered
mge0: link state changed to UP
Received DHCP Offer packet on mge0 from 130.89.1.145 via 130.89.160.4 
(accepted) (no root path)
Received DHCP Offer packet on mge0 from 130.89.1.144 via 130.89.160.5 
(ignored) (no root path)

ugen0.2:  at usbus0
umass0: 2> on usbus0

umass0:  SCSI over Bulk-Only; quirks = 0x
umass0:0:0:-1: Attached to scbus0
(probe0:umass-sim0:0:0:0): TEST UNIT READY. CDB: 0 0 0 0 0 0
(probe0:umass-sim0:0:0:0): CAM Status: SCSI Status Error
(probe0:umass-sim0:0:0:0): SCSI Status: Check Condition
(probe0:umass-sim0:0:0:0): UNIT ATTENTION asc:28,0
(probe0:umass-sim0:0:0:0): Not ready to ready change, medium may have 
changed
(probe0:umass-sim0:0:0:0): (probe0:umass-sim0:0:0:0): TEST UNIT READY. 
CDB: 0 0 0 0 0 0

(probe0:umass-sim0:0:0:0): UNIT ATTENTION asc:28,0
(probe0:umass-sim0:0:0:0): Not ready to ready change, medium may have 
changed

Retrying Command (per Sense Data)
(probe0:umass-sim0:0:0:0): Retrying Command
pass0 at umass-sim0 bus 0 scbus0 target 0 lun 0
pass0: < USB Flash Memory 1.00> Removable Direct Access SCSI-2 device
pass0: Serial Number 0612140557130
pass0: 40.000MB/s transfers
GEOM: new disk da0
da0 at umass-sim0 bus 0 scbus0 target 0 lun 0
da0: < USB Flash Memory 1.00> Removable Direct Access SCSI-2 device
da0: Serial Number 0612140557130
da0: 40.000MB/s transfers
da0: 962MB (1971200 512 byte sectors: 64H 32S/T 962C)

Of course with the kernel configured like this, the kernel wants to 
mount the root filesystem from NFS and I can't break into the mountroot> 
prompt!


It seems that the kernel assumes that it only needs to wait for the USB 
bus to finish scanning and then expects the root partition to be 
available, but apparently partitions can be detected after that.


Does anyone have a suggestion how to deal with this? Is there a way to 
insert a delay before trying to mount root? (I tried setting SCSI_DELAY 
to 5000 but this didn't seem to have any effect -- I didn't notice any 
delay. Maybe this isn't supported for the ARM architecture?)


Kind regards,
Maks Verver.



Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Bill Moran
Mel Flynn  wrote:
>
> On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote:
> > > Am 2009/9/14 Dan Goodin  writhed:
> > > > Hello,
> > > >
> > > > Dan Goodin, a reporter at technology news website The Register.
> > > > Security researcher Przemyslaw Frasunek says versions 6.x through 6.4
> > > > of FreeBSD has a security bug. He says he notified the FreeBSD
> > > > Foundation on August 29 and never got a response. We'll be writing a
> > > > brief article about this. Please let me know ASAP if someone cares to
> > > > comment.
> > >
> > > Has anyone submitted a PR about this?
> > 
> > Przemyslaw Frasunek has PR's posted but none recent. IMO if a PR is not
> > submitted then one has *not* informed the Powers That Be.
> 
> Wrong. Security bugs should be reported to the security team, not PR'd.

It's typical for security issues to be kept hushed until a fix is ready.
As a result, there are usually no PRs, and in the case where the person
who discovered the problem is amenable, there is no public discussion at
all until a fix is available.

Apparently, Mr. Frasunek started out down that path, which is admirable.
It seems as if he doesn't have much patience, however, since he thinks
that only 2 weeks is enough time to fix a security problem and QA the fix.

-- 
Bill Moran
http://www.potentialtech.com


Re: rebinding keys to functions

2009-09-15 Thread Mel Flynn
On Tuesday 15 September 2009 09:01:00 Roland Smith wrote:
> On Tue, Sep 15, 2009 at 01:38:18AM +0200, Mel Flynn wrote:
> > > Not all of them. My laptop is based on a quite modern cantiga (aka
> > >  centrino2) PM45 chipset (from 2008, according to Wikipedia). The
> > > function keys for changing the screen brightness and sound volume work
> > > OK with FreeBSD, even though xev doesn't see them. So that signal seems
> > > to go directly to the hardware.
> >
> > Most likely not entirely. Having acpidump(8)ed a few laptops, I have seen
> > references to multimedia keys in there. However I know not nearly enough
> > about ACPI to know if the OS can intercept/reroute the bindings. A gamble
> > I would take is to let FreeBSD post itself as a windows variant to acpi,
> > by setting hw.acpi.osname="Windows 2001" in /boot/loader.conf. Then
> > recheck xev.
> 
> What would you see in the acpidump that indicates those keys?

Example, HPDV9000:

If (LEqual (Local1, 0x07))
{
    Store ("Fn+F7 Pressed", Debug)
    If (LEqual (OSYS, 0x07D6))
    {
        If (IGDS)
        {
            Notify (\_SB.PCI0.GFX0.DD04, 0x87)
        }
        Else
        {
            Notify (\_SB.PCI0.PEGP.VGA.LCD, 0x87)
        }
    }
    Else
    {
        Store (0x15, SMIF)
        Store (0x00, TRP0)
    }


Fn+F7 = screen darker. See the ref to OSYS.
Also:

Method (_Q16, 0, NotSerialized)
{
    Store ("!!! DVD/Music Button pressed !!!", Debug)
    If (LEqual (OSYS, 0x07D6))
    {
And:
If (\_OSI ("Windows 2006"))
{
    Store (0x07D6, OSYS)
}

-- 
Mel


Re: Non-root user and accept() or listen()

2009-09-15 Thread Freminlins
2009/9/14 Chris Rees 

>
> Isn't this a bit drastic? Listening sockets are opened by very many
> types of processes, as well as remembering that sendmail, BIND, and
> others don't actually run as root... I suppose it'd be possible, but
>  would it actually be useful?
>

Sure, those open listening sockets. But those are things I want to listen.

Now suppose a user account was hacked, and "Bob" sets up a web server
listening on some random port above 1024. If "Bob" couldn't use listen() he
wouldn't be able to do that.

Of course, user accounts should be made secure, but what I am getting at is
making the hack much less useful.


> BTW, there may be an ipfw rule for this, I'll have to look it up when
> my servers are back online!
>
> Chris
>

Frem. (Apologies for Gmail quoting, which is horrible).


Re: reporter on deadline seeks comment about reported security bug in FreeBSD

2009-09-15 Thread Przemyslaw Frasunek
Giorgos Keramidas wrote:
> Przemyslaw should email security-officer with any details he thinks are
> relevant.  Then the security team will make sure to fix the bug for all
> affected releases of FreeBSD, release a patch with the fix, issue an
> advisory through the usual channels, and post the details online at our
> security information web pages at .

I see that I received a lot of criticism after disclosing 6.4 vulnerability.
Please read some facts:

I sent a few mails: on 29th Aug to security team, on 2nd Sep and 11th Sep directly
to security officer. None of them were responded to. I haven't filed any PRs,
because it would disclose details of vulnerability to the public and allow
blackhats to exploit it.

I won't publish anything more than video, before official security advisory. The
exploit is private to me and it won't be given to the "community".

Michael Powell wrote:
> Quoted from ~freebsd.security.general:
> "The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
> was not recognized as security vulnerability."

This is another bug. The former one affected only 6.1, this one affects
everything up to 6.4-STABLE.



Re: rebinding keys to functions

2009-09-15 Thread perryh
Roland Smith  wrote:
> Writing a driver to detect if headphones are connected sounds
> much more complicated to me than connecting a couple of switches!
> I mean, you'd have to measure something like the impedance of
> the jack. Surely that is more expensive than a simple switch?

Or use a simpler jack, with one switch that connects to ground or
not depending on whether the plug is inserted or not.  It probably
costs a cent or two less than the usual two-switch variety, and this
is a BOM (Bill Of Materials, i.e. per-unit-built) savings.  Writing
the driver is an NRE (non-recurring engineering) expense which can
be amortized over -- the manufacturer hopes -- a huge number of
delivered units.


Re: rebinding keys to functions

2009-09-15 Thread Roland Smith
On Tue, Sep 15, 2009 at 01:38:18AM +0200, Mel Flynn wrote:
> > Not all of them. My laptop is based on a quite modern cantiga (aka
> >  centrino2) PM45 chipset (from 2008, according to Wikipedia). The function
> >  keys for changing the screen brightness and sound volume work OK with
> >  FreeBSD, even though xev doesn't see them. So that signal seems to go
> >  directly to the hardware.
> 
> Most likely not entirely. Having acpidump(8)ed a few laptops, I have seen
> references to multimedia keys in there. However I know not nearly enough
> about ACPI to know if the OS can intercept/reroute the bindings. A gamble
> I would take is to let FreeBSD post itself as a windows variant to acpi,
> by setting hw.acpi.osname="Windows 2001" in /boot/loader.conf. Then
> recheck xev.

What would you see in the acpidump that indicates those keys?

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

