On Wed, May 23, 2018, at 16:40, Mark Felder wrote:
> Additionally, making password hashing more
>
Mailman came to the door and my barking dog interrupted my train of thought :-)
I believe what I was going for was in reference to the bugzilla report, so I'll
try again:
Additionally,
g/bugzilla/show_bug.cgi?id=182518
[4] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=75934 is the original
report about the issue
--
Mark Felder
ports-secteam & portmgr member
f...@freebsd.org
___
freebsd-security@freebsd.org mailing list
https://lis
On Sun, Jan 1, 2017, at 04:17, mokhi wrote:
> Happy new year :)
> > As of January 1, 2017, FreeBSD 9.3, 10.1 and 10.2 have reached end-of-life
> Does it mean it's no longer needed to test/poudriere the ports I
> patch/maintain for 9.X?
>
Correct
--
Mark Felder
ports-
reebsd-base-system-vulnerabilities-with-pkg-audit/
#3 is being reviewed by secteam/core, so I think we're well on our way
to solving these concerns.
--
Mark Felder
ports-secteam member
f...@freebsd.org
d here. Instead we need to focus
on decoupling openssl from base so this can all be handled by ports.
--
Mark Felder
f...@feld.me
espite large
> swathes of it being well over my head.
>
I agree, this is fantastic!
--
Mark Felder
ports-secteam member
f...@freebsd.org
ilable on the master mirror they
should be distributed within a few minutes.
I have emailed secteam@ about it but have not yet heard back.
--
Mark Felder
ports-secteam member
f...@freebsd.org
9.x -
> I understand why it wouldn't for FreeBSD 10).
>
Good question. I just checked a 9.3 jail and the version is 9.9.5 so it
should be affected.
--
Mark Felder
ports-secteam member
f...@freebsd.org
rs who deploy FreeBSD
> and provide a safe default. The patch itself DOES NOT fix the
> permissions
> for existing installations.
>
Are we paranoid of breaking someone's special snowflake install, or is
freebsd-update unable to only do a permissions change?
--
Mark Felder
ports-
te to
update it and then IDS to verify it.
If you have a 10.2-RELEASE host and a 9.3-RELEASE jail you would do
this:
$ UNAME_r=9.3-RELEASE freebsd-update -d /path/to/jail fetch install
$ UNAME_r=9.3-RELEASE freebsd-update -d /path/to/jail IDS
--
Mark Felder
ports-secteam member
f...
Any recommendations as to how we might help this particular effort?
>
What do you mean? It has been there for a while
https://svnweb.freebsd.org/base/projects/release-pkg/
--
Mark Felder
ports-secteam member
f...@freebsd.org
other openjdks need to be listed as
affected as well?
https://svnweb.freebsd.org/ports?view=revision=403819
--
Mark Felder
f...@feld.me
pdated every time there's a new release.
--
Mark Felder
f...@feld.me
yself updating the port, but I can get a vuxml entry added.
--
Mark Felder
f...@feld.me
lly annoying. 8u72 won't be available until *January* ?!
http://openjdk.java.net/projects/jdk8u/releases/8u72.html
--
Mark Felder
ports-secteam member
f...@freebsd.org
ning openssh
> from ports. Which does not generate warnings I have questions about the
> originating ip-nr.
>
> >> Are they still willing to accept changes to the old version that is
> >> currently in base?
> >
> > No, why would they do that?
>
> Exactly
it's
popular and you know the target(s) will go there. HTTPS is irrelevant.
https://en.wikipedia.org/wiki/Watering_Hole
--
Mark Felder
ports-secteam member
f...@freebsd.org
On Fri, Aug 14, 2015, at 06:18, Stari Karp wrote:
Hi!
My system (updated today from FreeBSD 10.1-RELEASE):
FreeBSD 10.2-RELEASE #0 r28: Wed Aug 12 15:26:37 UTC 2015
r...@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
I did run rkhunter -c today and I have one
On Fri, Jul 17, 2015, at 14:19, Mike Tancsa wrote:
Not sure if others have seen this yet
--
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
OpenSSH has a default value of six
On Thu, Jul 9, 2015, at 11:15, Lev Serebryakov wrote:
Does somebody succeed to setup FreeBSD for usage with Yubikey NEO
token without Yubico authentication service, with OATH-HOTP?
What have you tried so far? I don't do the offline auth, but this seems
to be documented well in
On Thu, Jul 9, 2015, at 13:05, Lev Serebryakov wrote:
`security/pam_ssh_agent_auth' installs PAM module
(pam_ssh_agent_auth.so) into `${LOCALBASE}/lib', but
`security/pam_yubico' and `security/oath-toolkit' install PAM modules
into `${LOCALBASE}/lib/security'.
And, by default on
On Tue, Jul 7, 2015, at 18:25, FreeBSD Security Advisories wrote:
IV. Workaround
No workaround is available, but hosts not running named(8) are not
vulnerable.
Why is no workaround available? Can't you just disable DNSSEC
validation?
dnssec-enable no;
dnssec-validation no;
In fact,
On Wed, Jul 8, 2015, at 12:27, Dan Lukes wrote:
On 07/08/15 18:29, Mark Felder:
IV. Workaround
No workaround is available, but hosts not running named(8) are not
vulnerable.
Why is no workaround available? Can't you just disable DNSSEC
validation?
dnssec-enable no;
dnssec
On Wed, Jul 1, 2015, at 08:47, Dag-Erling Smørgrav wrote:
Mark Felder f...@freebsd.org writes:
I'm not an expert on the leapsecond operation, but if I understand it
correctly there are two ways a system can be notified of a leapsecond:
via a tzdata update or through NTP.
Answering
On Tue, Jun 23, 2015, at 14:03, Pawel Biernacki wrote:
Hi,
As we (hopefully) all know, on the 30th of June we'll observe a leap second.
tzdata information was updated in release 2015a in January. This
version
was imported in FreeBSD HEAD (r279706), 10-STABLE (r279707), 9-STABLE
(r279708) and
On Mon, Jun 8, 2015, at 18:31, Xin Li wrote:
On 06/08/15 14:37, Robert Simmons wrote:
I'm sure that the reason these questions have not been answered is
simply because they may have gotten lost in the volume of traffic
on freebsd-ports. In the following thread, there are a number of
On Mon, Jun 8, 2015, at 15:55, Roger Marquis wrote:
On Fri, May 29, 2015 at 5:15 PM, Robert Simmons rsimmo...@gmail.com wrote:
Crickets.
May I ask again:
How do we find out who the members of the Ports Secteam are?
How do we join the team?
Anyone?
I really hope this can
On Sun, May 17, 2015, at 18:06, Dan Lukes wrote:
On 05/18/15 00:00, Mark Felder:
If TLS 1.0 is considered a severe security issue AND system utilities are
using it, why is there no Security Advisory describing this system
vulnerability?
It's not a vulnerability in software, it's
On Mon, May 18, 2015, at 02:05, Ian Smith wrote:
The danger is decryption. Your username/password could be stolen if
someone captures your traffic after successfully initiating a downgrade
attack.
So the danger is only to myself, from some MITM, and not to the server?
And
On Mon, May 18, 2015, at 12:34, Dan Lukes wrote:
On 05/18/15 15:52, Mark Felder:
I mean, should we have an SA because our libc supports strcpy and people
can use that and create severe vulnerabilities?
No, but we should have an SA whenever another system component is using
strcpy() the way
On Sun, May 17, 2015, at 16:02, Roger Marquis wrote:
Does anyone know what's going on with vuln.xml updates? Over the last
few weeks and months CVEs and application mailing lists have announced
vulnerabilities for several ports that in some cases only showed up in
vuln.xml after several
On Mon, May 18, 2015, at 14:01, Sevan / Venture37 wrote:
On 18 May 2015 at 19:06, Mark Felder f...@freebsd.org wrote:
On Sun, May 17, 2015, at 16:02, Roger Marquis wrote:
Does anyone know what's going on with vuln.xml updates? Over the last
few weeks and months CVEs and application
On Mon, May 18, 2015, at 13:55, Dan Lukes wrote:
I have my own source repository with custom system patches so I'm not tied
to official decisions. No offense to the FreeBSD team in any way! I'm just
not an average user. ;-)
Do not be discouraged about submitting them. It's quite easy to get
On Sun, May 17, 2015, at 15:50, Roger Marquis wrote:
You're not understanding the situation: the vulnerability isn't in
OpenSSL; it's a design flaw / weakness in the protocol. This is why
everyone is running like mad from SSL 3.0 and TLS 1.0.
Right, there are two issues being discussed
On Sun, May 17, 2015, at 16:08, Roger Marquis wrote:
Mark Felder wrote:
Considering the time to write and test patches is the same in either case
it is still an open question.
Again, this is not possible. You can't just replace the base OpenSSL.
That port or package would also have
On Thu, May 14, 2015, at 06:31, Dan Lukes wrote:
Patrick Proniewski wrote:
Data Transfer Interrupted
The connection to forums.freebsd.org has terminated unexpectedly. Some
data may have been transferred.
looks like your browser/OS does not support TLS 1.2.
I'm confused by FreeBSD
On Fri, May 15, 2015, at 03:07, Ian Smith wrote:
On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote:
Hello
But I don't think disabling TLS 1.0 is ok.
TLS 1.0 is dead and is even now banned in new installations according to
the PCI DSS 3.1 standards. Nobody should
On Fri, May 15, 2015, at 10:22, Roger Marquis wrote:
Mark Felder wrote:
In the future FreeBSD's base libraries like OpenSSL hopefully will be
private: only the base system knows they exist; no other software will
see them. This will mean that every port/package you install requiring
On Thu, May 14, 2015, at 05:19, Adam Major wrote:
Hello
I checked now by sslLabs.com:
https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org
and score is A+
But I don't think disabling TLS 1.0 is ok.
TLS 1.0 is dead and is even now banned in new installations according to
On Fri, Mar 20, 2015, at 10:21, Paul Hoffman wrote:
It doesn't look like OpenSSL got updated, and it looks like a bunch of
the attempted updates failed. Was this advisory tested on 10.0?
Those failures are for files in /usr/src. If you don't have the source
code in /usr/src the updates to
On Mon, Mar 16, 2015, at 14:57, Yuri wrote:
www/npm downloads and installs packages without having signature
checking in place.
There is the discussion about package security
https://github.com/node-forward/discussions/issues/29 , but actual
checking isn't currently done.
On Wed, Mar 11, 2015, at 19:35, Dan Lukes wrote:
Julian Elischer wrote:
Can you say which email servers *other* than unpatched Ironport fail?
well my problem is that I don't know what the other ends are running
exactly, but they are pretty big institution.
Just side note - you need
On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
Example:
# touch -t 201501010000 foo    (touch -t takes [[CC]YY]MMDDhhmm; this sets foo's mtime to 2015-01-01 00:00)
# find / -user www -newer foo  (files owned by www modified after foo's mtime)
If you don’t find anything, look back a little further.
Hopefully you will find a clue in this way.
Thanks for posting this trick -- I've never considered it before
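The reference-file trick above, generalised into a small shell helper. This is an added example and not code from the thread; it assumes a POSIX find plus the BSD/GNU -cnewer extension, a user name you supply (the thread uses www), and a temp directory writable by the caller. The second function is the check a responder usually wants next: the same search keyed on ctime, which an intruder cannot backdate with touch.

```sh
#!/bin/sh
# Added example (not from the thread): triage files owned by a service
# account that changed after a given instant, using a reference file
# whose mtime is set with touch -t, as in the message above.

# Usage: find_modified_since ROOT USER STAMP
#   ROOT   directory to scan; -xdev keeps find on that filesystem
#   USER   owner to match (the thread uses www)
#   STAMP  touch -t timestamp, [[CC]YY]MMDDhhmm[.SS], e.g. 201501010000
# Prints regular files under ROOT owned by USER whose mtime is later
# than STAMP. Assumed to run as a user allowed to read ROOT.
find_modified_since() {
    _root=$1 _user=$2 _stamp=$3
    _ref=$(mktemp) || return 1
    # The reference file carries the timestamp; -newer compares against it.
    if ! touch -t "$_stamp" "$_ref"; then
        rm -f "$_ref"
        return 1
    fi
    _status=0
    find "$_root" -xdev -type f -user "$_user" -newer "$_ref" 2>/dev/null || _status=$?
    rm -f "$_ref"
    return $_status
}

# Same search keyed on ctime instead of mtime. An intruder can reset mtime
# with touch -r or utimes(2), but ctime is updated by the kernel on every
# inode change and cannot be set from userland, so a file whose mtime was
# backdated still shows up here. -cnewer is a BSD and GNU extension.
find_changed_since() {
    _root=$1 _user=$2 _stamp=$3
    _ref=$(mktemp) || return 1
    if ! touch -t "$_stamp" "$_ref"; then
        rm -f "$_ref"
        return 1
    fi
    _status=0
    find "$_root" -xdev -type f -user "$_user" -cnewer "$_ref" 2>/dev/null || _status=$?
    rm -f "$_ref"
    return $_status
}

# Invocation matching the thread (uncomment to run on a real host):
# find_modified_since / www 201501010000
# find_changed_since  / www 201501010000
```

Run both and diff the lists: a file that appears only in the ctime result had its mtime rewritten after the fact, which is itself worth a closer look. Neither search sees files that were deleted, or changes on a filesystem mounted below ROOT, because of -xdev.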
On Tue, Feb 3, 2015, at 07:48, Mark Felder wrote:
Unless you're building a Frankenstein OS you should never come across a
situation where a native FreeBSD binary is linked to glibc. (I'm not
even sure it's possible!) Linux uses glibc for their libc reference, we
use our own.
I forgot
On Mon, Feb 2, 2015, at 12:58, Roger Marquis wrote:
Is FreeBSD glib always linked to libc (vs glibc)?
Apparently it is, at least on the systems I've tested where there were no
glibc dependencies at all. Another item added to the list of BSD
(security) advantages.
Unless you're
On Mon, Dec 22, 2014, at 11:39, Brett Glass wrote:
I'd like to propose that FreeBSD move to OpenNTPD, which appears to
have none of the
fixed or unfixed (!) vulnerabilities that are present in ntpd.
There's already a port.
Historically OpenNTPD has been dismissed as a candidate because of
On Fri, Sep 26, 2014, at 10:25, Paul Hoffman wrote:
I appreciate the speed that folks update the packages; I'm a bit
distressed that 9.3 seems to be a second-class citizen for security
fixes. (And I totally admit that I could be misreading the situation.)
(speaking strictly as a consumer
On Tue, Sep 16, 2014, at 05:19, Steven Chamberlain wrote:
Hi,
On 16/09/14 11:14, FreeBSD Security Advisories wrote:
An attacker who has the ability to spoof IP traffic can tear down a
TCP connection by sending only 2 packets, if they know both TCP port
numbers.
This may be a silly
On Tue, Sep 16, 2014, at 08:20, Lowell Gilbert wrote:
Spoofing traffic is pretty easy. The reason it isn't generally a problem
is that knowing what to spoof is more difficult. [I assume that's what
feld@ actually meant, but it's an important distinction.]
How many AS are out there don't
There is always going to be skepticism about who to trust by default. The CA
system is out of control and it worries me as well. However, if we do not make
an effort to provide a default trust store why do we enforce verification by
default? I feel it would be more consistent to disable
On Tue, Sep 10, 2013, at 14:05, Darren Pilgrim wrote:
- Leave SSLv3/TLSv1.0 enabled only for cases where you can't control the
remote end's SSL capabilities.
Which is what I routinely run into: public webhosting services.
Customers will scream if their website doesn't work on every moderately
I'm still waiting for someone to thoroughly analyze this question
What's worse: the possibility that NSA has cracked RC4 or being
vulnerable to BEAST/CRIME?
Set your crypto to a minimum of TLS 1.1 and let everyone who can't
connect complain. At least their data wasn't compromised.
This entire
As described here:
http://lists.grok.org.uk/pipermail/full-disclosure/2013-July/091084.html
If I understand this correctly our accept filters will have zero effect
on stopping this exploit, correct?
On Mon, 04 Mar 2013 16:34:58 -0600, Koornstra, Reinoud koorns...@hp.com
wrote:
Hi Mark,
Why not consider NPF from NetBSD where SMP friendly firewalling is a
given.
I've actually been toying with the idea of reinstalling my firewall with
NetBSD so I can try NPF. I just hate debugging
On Sun, 03 Mar 2013 17:12:18 -0600, Robert Simmons rsimmo...@gmail.com
wrote:
Are there plans to update ipfilter or pf to current versions?
ipfilter is currently at 5.1.2, but the version in FreeBSD is 4.1.28
from 2007.
On the pf side, the version in FreeBSD is 4.5, but the current version
I
On Mon, 7 Jan 2013 13:54:01 +0100
Patrick Proniewski pat...@patpro.net wrote:
As I understand it, ZFS includes a feature that allows triggering an antivirus
scan when a file system write is issued. The proper hook seems to exist only
on Solaris. Is there any plan to activate this feature on
On Wed, 01 Aug 2012 07:09:53 -0500, Oliver Pinter oliver.p...@gmail.com
wrote:
Hi all!
I found this today on FD:
I wonder if this has been tested on FreeBSD yet?
On Mon, 09 Jul 2012 05:39:37 -0500, Dag-Erling Smørgrav d...@des.no wrote:
What sort of benchmarks do you envision? Unlike named, unbound is
intended to serve only one client (localhost) or a small number of
clients (a SOHO).
Highly disagree; we use it (ISP) as our resolving nameserver for
On Wed, 04 Jul 2012 16:19:38 -0500, Doug Barton do...@freebsd.org wrote:
On 07/04/2012 11:51, Jason Hellenthal wrote:
What would be really nice here is a command wrapper hooked into the
shell so that when you type a command and it does not exist it presents
you with a question for suggestions
On Mon, 25 Jun 2012 22:47:27 -0500, J. Hellenthal jhellent...@dataix.net
wrote:
Still have yet to hear of something like this happening but its real
enough considering some of the exploits out there.
Cisco Ironport devices do MITM for SSL and SSH. Clearly someone wrote
enough of the code
On Fri, 22 Jun 2012 10:59:28 -0500, Jason Hellenthal
jhellent...@dataix.net wrote:
Security principles are well laid out and have not changed in a long
time. Veering away from those principles will cause a LOT of
administrative overhead as most software out there can expect a sane
environment
On Fri, 08 Jun 2012 07:51:55 -0500, Dag-Erling Smørgrav d...@des.no wrote:
We still have MD5 as our default password hash, even though known-hash
attacks against MD5 are relatively easy these days. We've supported
SHA256 and SHA512 for many years now, so how about making SHA512 the
default
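An added check for the MD5-default question above (not code from the thread): the algorithm used for each account is recorded in the crypt(3) prefix of the password field, so master.passwd can be audited directly to see which accounts still carry MD5 hashes. The sample lines are constructed for the example and the hashes are placeholders, not real credentials.

```sh
#!/bin/sh
# Added example (not from the thread): audit which accounts still use
# MD5 password hashes. The hash algorithm is recorded in the crypt(3)
# prefix of each password field, so master.passwd can be checked directly.

# classify_hash HASH -> algorithm name for a crypt(3) string
classify_hash() {
    case $1 in
        '$1$'*)            echo md5 ;;
        '$2a$'*|'$2b$'*)   echo blowfish ;;
        '$5$'*)            echo sha256 ;;
        '$6$'*)            echo sha512 ;;
        ''|'*'*|'!'*)      echo locked ;;          # empty or disabled password
        *)                 echo des-or-unknown ;;  # 13-char DES or something else
    esac
}

# audit_passwd: read master.passwd-format lines on stdin, print "user algo".
# Field 2 is the password hash; the remaining fields are ignored.
audit_passwd() {
    while IFS=: read -r _user _hash _rest; do
        case $_user in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$_user" "$(classify_hash "$_hash")"
    done
}

# Constructed sample in master.passwd format (hashes are placeholders,
# not real credentials).
SAMPLE='root:$6$saltsalt$placeholderhash:0:0::0:0:Charlie &:/root:/bin/csh
legacy:$1$saltsalt$placeholderhash:1001:1001::0:0:Legacy User:/home/legacy:/bin/sh
svc:*:1002:1002::0:0:Service Account:/nonexistent:/usr/sbin/nologin'

# count_md5: number of accounts in SAMPLE whose hash is still MD5
count_md5() {
    printf '%s\n' "$SAMPLE" | audit_passwd | grep -c ' md5$' || true
}

# On a real host (root is required to read the shadow file):
#   audit_passwd < /etc/master.passwd | grep ' md5$'
```

Switching the default is a login.conf change (passwd_format=sha512 in the default class, followed by cap_mkdb /etc/login.conf), but that only affects hashes computed from then on: an account keeps its $1$ hash until the user next changes the password, which is why the audit above is worth running after the change rather than before it.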
On Tue, 22 May 2012 02:06:25 -0500, mahdieh salamat
mahdieh.sala...@gmail.com wrote:
Hi all. I don't know if I should ask my question here or not. I want to lock
my partitions with geli or gbde, but I want that after boot users aren't forced
to enter the passphrase. Otherwise the partitions
On Wed, 02 May 2012 17:45:27 -0500, Matt Dawson m...@chronos.org.uk
wrote:
IE might be the only client with support for those protocols right now
but somebody has to lead the way on the server side or you end up with
a mutual apathy loop (AKA positive can't be arsed feedback loop).
On Thu, 03 May 2012 10:21:24 -0500, Robert Simmons rsimmo...@gmail.com
wrote:
TLS 1.1:
https://bugzilla.mozilla.org/show_bug.cgi?id=565047
TLS 1.2:
https://bugzilla.mozilla.org/show_bug.cgi?id=480514
Cool, thanks for the followup!
On Wed, 02 May 2012 16:01:49 -0500, Matt Dawson m...@chronos.org.uk
wrote:
mod_gnutls in ports. Setup is simple for Apache. Prefer the RC4 cipher
which secures SSLv3 against BEAST. This setup on my own HTTPS servers
passes Qualys' own tests with an A rating of 87 and tells me BEAST is