Re: http subversion URLs should be discontinued in favor of https URLs

2017-12-14 Thread Gordon Tetlow
On Wed, Dec 13, 2017 at 01:29:26PM -0800, Peter Wemm wrote: > On 12/12/17 5:38 PM, Yuri wrote: > > On 12/12/17 16:37, Peter Wemm wrote: > >> I think you're missing the point.  It is a sad reality that SSL/TLS > >> corporate > >> (and ISP) MITM exists and is enforced on a larger scale than we'd

Re: New Security Officer

2017-11-07 Thread Gordon Tetlow
On Sun, Nov 05, 2017 at 11:50:55PM -0800, Xin Li wrote: > (bcc'ed to core@, developers@) > > Hello all, > > I'm very pleased to announce that Gordon Tetlow (gordon@) has offered to > take over as FreeBSD Security Officer, which the FreeBSD Core Team has > approved. Over th

Re: http subversion URLs should be discontinued in favor of https URLs

2017-12-05 Thread Gordon Tetlow
On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote: > On 6/12/2017 8:13 AM, Yuri wrote: > > On 12/05/17 13:04, Eugene Grosbein wrote: > >> It is illusion that https is more secure than unencrypted http in a > >> sense of MITM > >> just because of encryption, it is not. > > > > > > It

Re: http subversion URLs should be discontinued in favor of https URLs

2017-12-05 Thread Gordon Tetlow
> On Dec 5, 2017, at 14:43, Poul-Henning Kamp <p...@phk.freebsd.dk> wrote: > > > In message <20171205220849.gh9...@gmail.com>, Gordon Tetlow writes: > >> Using this as a reason to not move to HTTPS is a fallacy. We should do >> everything w

Re: http subversion URLs should be discontinued in favor of https URLs

2017-12-05 Thread Gordon Tetlow
On Tue, Dec 05, 2017 at 11:18:45PM +, RW via freebsd-security wrote: > On Tue, 5 Dec 2017 14:08:49 -0800 > Gordon Tetlow wrote: > > > > Using this as a reason to not move to HTTPS is a fallacy. We should do > > everything we can to help our end-users get FreeBSD in

Lazy FPU State Restore

2018-06-13 Thread Gordon Tetlow
Dear FreeBSD community, Intel has recently announced a side-channel information disclosure via floating point unit (FPU) context switch. This issue has been assigned CVE-2018-3665. It is our understanding this issue affects a subset of Intel processors. More information is available directly from

Re: Recent security patch cause reboot loop on 11.1 RELEASE

2018-06-21 Thread Gordon Tetlow
On Wed, Jun 20, 2018 at 11:14 PM, Denis Polygalov wrote: > What I did is following: > > # uname -a > FreeBSD my_host_name 11.1-RELEASE-p10 FreeBSD 11.1-RELEASE-p10 #0: Tue > May 8 05:21:56 UTC 2018 > r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64 > > # freebsd-update

Response to Meltdown and Spectre

2018-01-08 Thread Gordon Tetlow
when in concert with OS changes would also help, but that's a bit down the road at the moment. If anything significantly changes I will make additional posts to clarify as the information becomes available. Best regards, Gordon Tetlow with security-officer hat on signature.asc Description: PGP

Re: clang way to patch for Spectre?

2018-01-04 Thread Gordon Tetlow
On Thu, Jan 4, 2018 at 10:49 AM, Julian Elischer wrote: > On 5/1/18 12:02 am, Lev Serebryakov wrote: >> >> Hello Freebsd-security, >> >> https://reviews.llvm.org/D41723 >> >> > not really.. > > What's to stop an unprivileged used bringing his own compiler? or a > precompiled

Re: Response to Meltdown and Spectre

2018-01-15 Thread Gordon Tetlow
On Sat, Jan 13, 2018 at 8:10 AM, Konstantin Belousov <kostik...@gmail.com> wrote: > On Mon, Jan 08, 2018 at 09:57:51AM -0800, Gordon Tetlow wrote: >> Meltdown (CVE-2017-5754) >> >> Initial work can be tracked at https://reviews.freebsd

Re: Response to Meltdown and Spectre

2018-01-16 Thread Gordon Tetlow
On Tue, Jan 16, 2018 at 1:57 AM, Konstantin Belousov <kostik...@gmail.com> wrote: > On Mon, Jan 15, 2018 at 09:20:24PM -0800, Gordon Tetlow wrote: >> On Sat, Jan 13, 2018 at 8:10 AM, Konstantin Belousov >> <kostik...@gmail.com> wrote: >> > On Mon, Jan 08, 201

Re: Recent security patch cause reboot loop on 11.1 RELEASE

2018-06-21 Thread Gordon Tetlow
> I noticed that I can boot the *patched* kernel in single user mode. >> Removing these 3 lines from the /boot/loader.conf fixed rebooting loop >> problem: >> >> linux_load="YES" >> linprocfs_load="YES" >> linsysfs_load="YES" >

Re: FreeBSD Security Advisory FreeBSD-SA-18:02.ntp

2018-03-07 Thread Gordon Tetlow
Sorry about that. I thought I had everything but I missed that piece. They should be coming shortly. That said, I’m seeing reports of the ipsec patches for 10.x not compiling. Will look into that shortly. Gordon > On Mar 7, 2018, at 06:40, Philip M. Gollucci wrote: >

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution

2018-03-14 Thread Gordon Tetlow
The Special Note in the advisory discusses this: Special Note: Speculative execution vulnerability mitigation is a work in progress. This advisory addresses the most significant issues for FreeBSD 11.1 on amd64 CPUs. We expect to update this

Re: FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution

2018-03-16 Thread Gordon Tetlow
I want to send a follow up on what's going on with the Spectre/Meltdown. I know we have been pretty silent on this recently as the work has been ongoing in the background. Info about the current patch What we have so far is CURRENT, 11-STABLE, and 11.1-RELEASE on

Re: Regarding CVE-2018-4407

2018-11-01 Thread Gordon Tetlow
at probably didn't exist in the MacOS code. All that said, I've asked a couple of networking stack folks to take a look at it further. I'll report if anything changes with that assessment. Regards, Gordon Tetlow FreeBSD Security Officer signature.asc Description: PGP signature

Re: [FreeBSD-Announce] FreeBSD 10.4 end-of-life

2018-11-07 Thread Gordon Tetlow
On Thu, Nov 08, 2018 at 06:39:20AM +, FreeBSD Security Officer wrote: > Dear FreeBSD community, > > As of October 31, 2018, FreeBSD 10.4 reached end-of-life and is no longer > supported by the FreeBSD Security Team. Users of FreeBSD 10.4 are strongly > encouraged to upgrade to a newer

Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

2019-06-18 Thread Gordon Tetlow
On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote: > https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599 > NFLX-2019-001 > > Date Entry Created: 20190107 > Preallocated to nothing? > Or

Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

2019-07-03 Thread Gordon Tetlow
Sorry for the late response, only so many hours in the day. On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote: > It appears that Netflix's advisory (as of this writing) does not > include a timeline of events. Would FreeBSD be able to provide its > event timeline with regards to

Re: FreeBSD Security Advisory FreeBSD-SA-20:11.openssl

2020-04-22 Thread Gordon Tetlow
On Wed, Apr 22, 2020 at 12:31 AM Miroslav Lachman <000.f...@quip.cz> wrote: > On 2020-04-21 18:55, FreeBSD Security Advisories wrote: > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA512 > > > > > = > >

Re: Lack of notification of security notices

2022-04-18 Thread Gordon Tetlow
From the secteam point of view, we haven't changed anything in the way we send messages to the mailing lists. I have double checked and all SAs are sent to the three addresses listed. I suspect this is likely fallout of the mailing list change over. I can say for my part, I have gotten a copy

Re: OpenSSL 1.1.1o in 12.3?

2022-05-09 Thread Gordon Tetlow
The only vulnerability in 1.1.1 was regarding the c_rehash script, which we don't ship as part of FreeBSD. As such, we didn't push it into so-maintained releng branches. Best, Gordon Hat: security-officer > On May 9, 2022, at 12:37 AM, Natalino Picone > wrote: > > Hi, > I was looking at the

Re: CA's TLS Certificate Bundle in base = BAD

2022-12-03 Thread Gordon Tetlow
On Dec 3, 2022, at 5:26 PM, grarpamp wrote: > > Again, FreeBSD should not be including the bundle in base, if users > choose to, they can get it from ports or packages or wherever else. > Including such bundles exposes users worldwide to massive risks. > You need to do more gpg attestation,

Re: FreeBSD Security Advisory FreeBSD-SA-23:19.openssh

2023-12-19 Thread Gordon Tetlow
> On Dec 19, 2023, at 14:08, mike tancsa wrote: > On 12/19/2023 4:33 PM, FreeBSD Security Advisories wrote: >> with 12.4 are encouraged to either implement the documented workaround or >> leverage an up to date version of OpenSSH from the ports/pkg collection. > > Hi, > > Is the version of

Re: Disclosed backdoor in xz releases - FreeBSD not affected

2024-03-29 Thread Gordon Tetlow
> On Mar 29, 2024, at 11:15 AM, Shawn Webb wrote: > > On Fri, Mar 29, 2024 at 10:02:14AM -0700, Gordon Tetlow wrote: >> FreeBSD is not affected by the recently announced backdoor included in the >> 5.6.0 and 5.6.1 xz releases. >> >> All supported FreeBS

Disclosed backdoor in xz releases - FreeBSD not affected

2024-03-29 Thread Gordon Tetlow
. Reference: https://www.openwall.com/lists/oss-security/2024/03/29/4 Best regards, Gordon Tetlow Hat: security-officer signature.asc Description: Message signed with OpenPGP

Re: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound

2024-03-28 Thread Gordon Tetlow
Per FreshPorts, the dns/unbound port was fixed on 14 Feb 2024 when it was upgraded to 1.19.1. Best, Gordon > On Mar 28, 2024, at 2:25 AM, DutchDaemon - FreeBSD Forums Administrator > wrote: > > On 28-3-2024 08:51, FreeBSD Security Advisories wrote: >>

Re: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound

2024-04-19 Thread Gordon Tetlow
You are likely on your own here. I’m surprised the base system kinit ever worked with OpenSSL in FIPS mode. Given the age of the Heimdal code (and I believe dependence on algorithms that should be deprecated), I would strongly suggest looking at Kerberos in ports as a path forward as they will

Re: FreeBSD Security Advisory FreeBSD-SA-20:22.sqlite

2020-08-10 Thread Gordon Tetlow via freebsd-security
> On Aug 10, 2020, at 7:21 AM, Oleksandr Kryvulia > wrote: > > 05.08.20 20:54, FreeBSD Security Advisories пишет: >> a) Download the relevant patch from the location below, and verify the >> detached PGP signature using your PGP utility. >> >> [FreeBSD 12.1] >> #

Re: pkg.freebsd.org cert has expired :/

2020-06-18 Thread Gordon Tetlow via freebsd-security
pkg.freebsd.org is a geographically distributed set of servers. Can you please go to https://pkg.freebsd.org/ or http://pkg.freebsd.org/ and tell us which mirror you are hitting that has an expired certificate? The

Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl

2020-12-11 Thread Gordon Tetlow via freebsd-security
On Fri, Dec 11, 2020 at 02:35:42PM -0800, John-Mark Gurney wrote: > Benjamin Kaduk wrote this message on Fri, Dec 11, 2020 at 12:38 -0800: > > On Thu, Dec 10, 2020 at 10:46:28PM -0800, John-Mark Gurney wrote: > > > FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at > > > 23:03

Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl

2020-12-13 Thread Gordon Tetlow via freebsd-security
On Sun, Dec 13, 2020 at 12:12:08PM +, John Long via freebsd-security wrote: > Hi Guys, > > What about adopting OpenBSD's libressl? I was expecting it to take a > long time to be compatible but from my uneducated point of view it > looks like they did an incredible job. I think everything on

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-21:01.fsdisclosure

2021-01-31 Thread Gordon Tetlow via freebsd-security
> On Jan 31, 2021, at 7:25 AM, Andrea Venturoli wrote: > > On 1/31/21 12:29 PM, Miroslav Lachman wrote: > >>> Several file systems were not properly initializing the d_off field of >>> the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), >>> smbfs(5), autofs(5) and
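The d_off disclosure described in the quoted advisory, as an added example that is not FreeBSD code: a simplified directory entry is filled into a buffer that previously held other data. The vulnerable fill never writes d_off, so whatever was in the buffer is returned to the caller; the fixed fill zeroes the whole entry (compiler padding included) before setting d_off. The struct dirent_lite layout, the STALE_BYTE pattern and the d_type value are constructed assumptions for illustration, not FreeBSD's sys/dirent.h or its VOP_READDIR implementations.

```c
#include <stdint.h>
#include <string.h>

/*
 * Constructed, simplified directory entry. Field names follow the advisory's
 * wording (d_off, d_fileno, d_name) but this is an assumed stand-in, not
 * FreeBSD's struct dirent.
 */
struct dirent_lite {
    uint64_t d_fileno;
    uint64_t d_off;       /* the field the advisory says was left uninitialised */
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[16];
};

/* Byte pattern standing in for stale kernel data left in the buffer (assumed). */
#define STALE_BYTE 0x41

/* Vulnerable pattern: every field except d_off is set; padding is untouched. */
static void fill_dirent_vulnerable(struct dirent_lite *de, uint64_t fileno,
                                   const char *name)
{
    de->d_fileno = fileno;
    de->d_reclen = sizeof(*de);
    de->d_type = 4;                                  /* assumed DT_DIR value */
    strncpy(de->d_name, name, sizeof(de->d_name) - 1);
    de->d_name[sizeof(de->d_name) - 1] = '\0';
    /* d_off is never written: the buffer's previous contents reach the caller. */
}

/* Fixed pattern: zero the entire entry first, then set every field including d_off. */
static void fill_dirent_fixed(struct dirent_lite *de, uint64_t fileno,
                              uint64_t off, const char *name)
{
    memset(de, 0, sizeof(*de));
    de->d_fileno = fileno;
    de->d_off = off;
    de->d_reclen = sizeof(*de);
    de->d_type = 4;
    strncpy(de->d_name, name, sizeof(de->d_name) - 1);
}

/*
 * Simulates one readdir-style fill into a buffer that previously held other
 * data: the buffer is pre-filled with STALE_BYTE to stand in for kernel
 * memory the caller must not see.
 */
static void simulate_readdir(struct dirent_lite *de, int fixed)
{
    memset(de, STALE_BYTE, sizeof(*de));
    if (fixed)
        fill_dirent_fixed(de, 2, 0, ".");
    else
        fill_dirent_vulnerable(de, 2, ".");
}

/* The d_off value a caller would observe for the vulnerable (0) or fixed (1) fill. */
uint64_t readdir_d_off(int fixed)
{
    struct dirent_lite de;
    simulate_readdir(&de, fixed);
    return de.d_off;
}

/*
 * Caller-side check: count bytes of the returned entry that still carry the
 * stale pattern. Any non-zero count is leaked buffer contents; the fixed fill
 * yields zero because memset also clears the struct's padding bytes.
 */
size_t stale_bytes_in_entry(int fixed)
{
    struct dirent_lite de;
    simulate_readdir(&de, fixed);
    const unsigned char *p = (const unsigned char *)&de;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(de); i++)
        if (p[i] == STALE_BYTE)
            n++;
    return n;
}
```

The fixed variant zeroes the whole entry rather than only assigning d_off: a field-by-field fix leaves compiler padding between and after the fields unwritten, and those bytes are copied out to the caller just as d_off was.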

Re: Exim security release

2021-05-05 Thread Gordon Tetlow via freebsd-security
The port maintainer (CC'd) has already included an update for the new Exim release. It should be available in the port system already. Pkgs are usually built a couple of times a week. Gordon On Wed, May 5, 2021 at 7:02 PM Patrick via freebsd-security wrote: > > Hello, and apologies if this is

Re: sysrc bug

2021-05-31 Thread Gordon Tetlow via freebsd-security
This isn't a security bug as it requires root privilege to empty /etc/rc.conf. If you have root privilege, you can do that already. Also, changing the root shell is bad for many reasons and I'm not surprised that something doesn't work. That said, it certainly is less than desirable and should

Re: sysrc bug

2021-05-31 Thread Gordon Tetlow via freebsd-security
> On May 31, 2021, at 16:07, Roger Marquis wrote: > > >> >> Also, changing the root shell is bad for many reasons and I'm not >> surprised that something doesn't work. > > Surprised this old myth is still being repeated. Having used various > root shells in FreeBSD and other Unix/Linux

Re: FreeBSD Security Advisory FreeBSD-SA-21:11.smap

2021-05-27 Thread Gordon Tetlow via freebsd-security
Since I had a question on this in another forum, I figure I'll copy it to the public list as well. The credit line below was specifically requested by the reporter. It wasn't a typo or a lack of proof-reading on our part. Best, Gordon Hat: security-officer > On May 26, 2021, at 5:54 PM,

Re: FreeBSD Security Advisory FreeBSD-SA-21:07.openssl

2021-03-26 Thread Gordon Tetlow via freebsd-security
Actually, I'm testing this on a 13.0-RC3 host and am not getting the p1. This is likely due to the freebsd-update build scripts not properly messing with the newvers.sh. I'll investigate. Thanks for the report! Gordon > On Mar 26, 2021, at 3:50 PM, Tatsuki Makino > wrote: > > This is a fix

Re: Security leak: Public disclosure of user data without their consent by installing software via pkg

2021-04-06 Thread Gordon Tetlow via freebsd-security
On Apr 6, 2021, at 7:42 AM, Shawn Webb wrote: > > On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote: >> On 06/04/2021 16:27, Shawn Webb wrote: >> >>> 1. BSDStats isn't run/maintained by the FreeBSD project. File the >>>report with the BSDStats project, not FreeBSD. >>> 2. You

Re: Security leak: Public disclosure of user data without their consent by installing software via pkg

2021-04-07 Thread Gordon Tetlow via freebsd-security
> On Apr 7, 2021, at 7:50 PM, Stefan Blachmann wrote: > > Anything else is apparently deemed “allowed”. > Spying out the machine and its configuration, sending that data to an > external entity – perfectly OK. Not a problem at all. > > This has been proved by the handling of this last

Re: FreeBSD Security Advisory FreeBSD-SA-21:08.vm missing in vuxml

2021-04-12 Thread Gordon Tetlow via freebsd-security
> On Apr 12, 2021, at 03:21, Miroslav Lachman <000.f...@quip.cz> wrote: > > On 11/04/2021 21:49, Gian Piero Carrubba wrote: >> * [Sun, Apr 11, 2021 at 09:36:05PM +0200] Miroslav Lachman: On 11/04/2021 21:21, Gian Piero Carrubba wrote: > CCing ports-secteam@ as it seems a more

Re: Wrong patch link in FreeBSD-EN-21:24.libcrypto

2021-08-24 Thread Gordon Tetlow via freebsd-security
There's always one. Thanks for the check. I've just pushed this to the website with the corrected link. It should be corrected in the next 5-10 minutes online. Regards, Gordon On Tue, Aug 24, 2021 at 2:36 PM Alan Somers wrote: > The just published errata notice contains a bad url. > is: fetch

Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl

2021-08-25 Thread Gordon Tetlow via freebsd-security
> On Aug 25, 2021, at 4:59 AM, mike tancsa wrote: > > On 8/24/2021 4:53 PM, FreeBSD Security Advisories wrote: >> >> Branch/path Hash Revision >> - >> stable/13/

Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl

2021-08-25 Thread Gordon Tetlow via freebsd-security
> On Aug 25, 2021, at 8:32 AM, mike tancsa wrote: > > On 8/25/2021 11:22 AM, Gordon Tetlow wrote: >> Hi All, >>>Was reading the original advisory at >>> https://www.google.com/url?q=https://www.google.com/url?q%3Dhttps://www.openssl.org/news/secadv/2021082

Re: Important note for future FreeBSD base system OpenSSH update

2021-09-12 Thread Gordon Tetlow via freebsd-security
> On Sep 12, 2021, at 7:40 AM, Karl Denninger wrote: > > I have in the field a BUNCH of "smart" rack power strips that have this > problem; their management firmware does NOT support more-modern cipher sets > and SSL requirements. I get it, those older SSL versions are insecure and we >