Re: Need urgent help regarding security

2005-11-22 Thread Roger Marquis
. But this does bring up a good point, i.e., that no IDS should be operated without a well thought-out whitelist. -- Roger Marquis Roble Systems Consulting http://www.roble.com/ ___ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo

Re: Need urgent help regarding security

2005-11-23 Thread Roger Marquis
problem. -- Roger Marquis Roble Systems Consulting http://www.roble.com/

Re: FreeBSD Security Survey

2006-05-23 Thread Roger Marquis
the reference implementation, head-and-shoulders better than up2date, yum, rpm, apt-get, or anything else out there. -- Roger Marquis Roble Systems Consulting http://www.roble.com/

Re: I cannot upgrade openssl-stable

2006-10-13 Thread Roger Marquis
that 'make *world' cannot parse OPENSSL_OVERWRITE_BASE and requires NO_OPENSSL instead? -- Roger Marquis Roble Systems Consulting http://www.roble.com/

openssl-overwrite-base again (was: FreeBSD-SA-08:05.openssh)

2008-04-17 Thread Roger Marquis
A) which version of openssl a new port or upgrade (i.e., openssh) will use, and B) how to update systems with openssl-overwrite-base installed. Is there a best practice/recommendation for updating openssl-overwrite-base without having to maintain multiple versions? Roger Marquis Roble Systems

Re: openssl-overwrite-base again (was: FreeBSD-SA-08:05.openssh)

2008-04-22 Thread Roger Marquis
. Roger Marquis

Re: BIND update?

2008-07-09 Thread Roger Marquis
, response-time-wise, patch-wise, finance-wise, or otherwise, our OS won't last long. The competition has gotten too good. Question is, OT but very relevant, how can FreeBSD get some decent corporate sponsorship? Roger Marquis

Re: ports/128749: [vuxml] VBA parser vulnerability in ClamAV

2008-11-11 Thread Roger Marquis
it would be trivial to create such a patch. Roger Marquis

DNS probe sources

2009-07-30 Thread Roger Marquis
These source addresses are likely spoofed, but am still curious whether other FreeBSD admins saw a preponderance of DNS probes originating from Microsoft corp subnets ahead of the recent ISC bind vulnerability announcement? Roger Marquis Jul 28 16:51:23 PDT named[...]: client 94.245.67.253

Re: online checksum verification for FreeBSD

2010-03-11 Thread Roger Marquis
://www.elstel.com/checkroot/) for openSUSE. This is often the only way to spot an intrusion. Unlike SuSE and Solaris, FreeBSD is most often compiled on the local host. Wouldn't that make global checksums relatively useless? Roger Marquis

Re: periodic security run output gives false positives after 1 year

2012-02-17 Thread Roger Marquis
and Linux default installs but SA's don't have to restrict their systems to those defaults. Roger Marquis

Re: periodic security run output gives false positives after 1 year

2012-02-17 Thread Roger Marquis
in large part because it is not like POSIX' Austin group in those respects. Roger Marquis

Re: periodic security run output gives false positives after 1 year

2012-02-20 Thread Roger Marquis
The correct format is 2012-02-20T01:23:45.6789+01:00 You guys are aware that RFC 5424 is a proposed standard I trust? By being proposed it is not a standard, at least not yet. Perhaps the differences in human-readability of the proposed timestamp, or the fact that it has variable field types

Re: getting the running patch level

2012-08-21 Thread Roger Marquis
-modified to whatever uname prints for the userland version. Attempting to do more than that, IMO, would have a negative ROI. IMO, Roger Marquis

Re: ntpd vulnerabilities

2014-12-23 Thread Roger Marquis
feature missing from openntpd that we could use is a way to set the egress interface. Openntpd's listen on directive only defines the ingress tcp address, outgoing queries still use the server's primary ip. Roger Marquis

Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

2014-12-26 Thread Roger Marquis
with addressing this security advisory situation? Since quick publication of advisories is critical this also raises the question of what might be an effective way to subsequently publish more granular update instructions. Roger Marquis

Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

2014-12-31 Thread Roger Marquis
Dag-Erling Smørgrav wrote: Roger Marquis marq...@roble.com writes: ... or those with constrained resources are never going to be able to make/build/installworld for something as simple as a single binary update. These sites would be better served using freebsd-update to download and apply

Enumerating glibc dependencies

2015-02-02 Thread Roger Marquis
Before pkgng it was easy to list a system's port dependencies by (starting with): grep glib /var/db/pkg/*/* Is there an equivalent (single) command for pkgng? Roger

Re: Enumerating glibc dependencies

2015-02-02 Thread Roger Marquis
Please note that the glibc has nothing to do with glib. Is FreeBSD glib always linked to libc (vs glibc)? # ldd /usr/local/lib/libglib* 2>/dev/null | grep libc | sort -u libc.so.7 => /lib/libc.so.7 (0x800648000) Roger

Re: Enumerating glibc dependencies

2015-02-02 Thread Roger Marquis
Is FreeBSD glib always linked to libc (vs glibc)? Apparently it is, at least on the systems I've tested where there were no glibc dependencies at all. Another item added to the list of BSD (security) advantages. Roger

Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem

2015-01-28 Thread Roger Marquis
If SCTP is NOT compiled in the kernel, are you still vulnerable ? No -- we should have mentioned that too. For GENERIC kernel however SCTP is compiled in. Should probably fix that too, in GENERIC, considering how little used this protocol is. It is not used much because there is not

Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

2015-01-06 Thread Roger Marquis
DES wrote: I do it all the time: $ sudo env UNAME_r=X.Y-RELEASE freebsd-update fetch install Not sure if using a jail to test is relevant but this never updates (my) binaries to the specified RELEASE/RELENG, only to the current kernel's patch level. Then there's the issue of specifying

Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Roger Marquis
that overwrites base and guarantees compatibility with RELEASE. Then we could at least have all versions of openssl in vuln.xml (not that that's been a reliable indicator of security of late). Roger Marquis

Re: pkg audit / vuln.xml failures

2015-05-18 Thread Roger Marquis
I would like to contribute on that level as well. Still interested in the team's policies and procedures, if those are online somewhere. Roger Marquis

Re: Forums.FreeBSD.org - SSL Issue?

2015-05-17 Thread Roger Marquis
You're not understanding the situation: the vulnerability isn't in OpenSSL; it's a design flaw / weakness in the protocol. This is why everyone is running like mad from SSL 3.0 and TLS 1.0. Right, there are two issues being discussed that should be separated. The thread was originally about SSL

Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Roger Marquis
Mark Felder wrote: Another option is a second openssl port, one that overwrites base and guarantees compatibility with RELEASE. Then we could at least have all versions of openssl in vuln.xml (not that that's been a reliable indicator of security of late). This will never work. You can't

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-28 Thread Roger Marquis
Walter Parker wrote: What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that their systems are secure? An audit trail of CVE issues fixed, while a good start, is hardly a strong assurance that the system is secure. An important point and thank you for making it Walter. There is

Re: avoiding base openssl when building ports

2015-06-01 Thread Roger Marquis
use full set of its own libraries for everything either. I'd be happy just to 'make buildworld -DWITHOUT_OPENSSL'. Roger Marquis

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
* operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and OpenBSD server operators) have no assurance that their systems are secure. Slow down here for a second. Where's the command-line tool on RedHat or Debian that lists only the known vulnerable packages? In RedHat

Re: New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-27 Thread Roger Marquis
FreeBSD servers and looking to the freebsd.org website for help securing their systems. The significance of these 7 bullets should not be overlooked or understated. They call into question the viability of FreeBSD itself. IMO, Roger Marquis

New pkg audit / vuln.xml failures (php55, unzoo)

2015-05-23 Thread Roger Marquis
FYI regarding these new and significant failures of FreeBSD security policy and procedures. PHP55 vulnerabilities announced over a week ago (https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/) have still not been ported to lang/php55. You can, however, edit the Makefile, increment the

Re: OpenSSH HPN

2015-11-11 Thread Roger Marquis
is not more widely used today is that many sysadmins aren't familiar with it. Roger Marquis

vuln.xml to oval script?

2015-09-24 Thread Roger Marquis
d it be to write a translation script? Roger Marquis

Re: HTTPS on freebsd.org, git, reproducible builds

2015-09-18 Thread Roger Marquis
ood and timely subjects given recently published details of NSA/5 eyes methodologies as well as the issues freebsd security teams were having as recently as a few months ago. Roger Marquis Refs. https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/ http://www.li

Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

2015-12-18 Thread Roger Marquis
rhi wrote: Until now, I have avoided installing the OpenSSL port because the base OpenSSL gets security updates via freebsd-update and so it's one thing less to care about... also, I don't like the idea of having two different versions of the same thing on the system A fair number of sites

Re: [SECURITY][CORRECTION] CVE-2016-3092 Apache Tomcat Denial of Service

2016-06-22 Thread Roger Marquis
These vulnerabilities seem to be missing from the current vuln.xml, FYI. Roger Date: Wed, 22 Jun 2016 11:02:59 +0100 From: Mark Thomas Reply-To: annou...@tomcat.apache.org To: "us...@tomcat.apache.org" Cc: "d...@tomcat.apache.org"

Re: verify FreeBSD installation

2016-02-24 Thread Roger Marquis
Hi. Is there any reliable way to verify checksums of all local files for some FreeBSD installation? E.g. I'm using a hoster which provides pre-deployed FreeBSD instances, how can I be sure there are no any patches\changes in a kernel\services etc? At the filesystem-level there's

PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

2016-02-19 Thread Roger Marquis
that goal I'm wondering if FreeBSD base has ever been analyzed for patterns of suspicious commits[4]? Roger Marquis Refs. [1] http://www.viva64.com/en/b/0377/ [2] http://tech.slashdot.org/story/16/02/19/001202/pvs-studio-analyzer-spots-40-bugs-in-the-freebsd-kernel [3] http://www.apple.com/customer

Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp

2016-04-29 Thread Roger Marquis
Despite the risk of beating a dead horse (apologies to non-native English speakers for the idiom), as I cannot recall discussion of migrating base, and since replacing ntpd with openntpd has been standard practice in security-oriented environments for a few years now, perhaps someone on the sec

Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp

2016-04-29 Thread Roger Marquis
Who needs millisecond accuracy anyway? Cell phones, cell phone towers, computers handling financial transactions, etc. I manage security for several dozen FreeBSD computers handling financial transactions and they all run openntpd in client-only mode. It was the only way we could avoid an

Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp

2016-04-30 Thread Roger Marquis
Large builds over NFS filesystems, particularly secure NFS (i.e., Kerberos), are one of the best tests of time synchronization. Clients with bad clocks can further exercise this not uncommon infrastructure. The reason you don't typically see build errors even here, IME, is because the timehosts tend

Re: Batching errata & advisories in heaps degrades security.

2016-05-05 Thread Roger Marquis
Totally the opposite, it means one rollout instead of X rollouts making it simpler not harder. I don't know, isn't that the logic behind Microsoft's failed patch-Tuesdays? It's important not to confound security with usability. Any delay to a security advisory is an invitation to hackers. I

Re: freebsd-update and portsnap users still at risk of compromise

2016-07-31 Thread Roger Marquis
Question is does this warrant moving from portsnap to svn? Also have to wonder why the security team hasn't issued a vulnerability announcement. Roger On July 18, John Leyden, security editor at The Register, tweeted a link to a libarchive ticket that had been sitting without a response

Re: freebsd-update and portsnap users still at risk of compromise

2016-08-09 Thread Roger Marquis
Timely update via Hackernews: Note in particular: "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch, and libarchive vulnerabilities." Not sure why the portsec team has not commented or published an advisory (possibly because the freebsd list spam filters are so bad

Re: fbsd11 & sshv1

2017-02-01 Thread Roger Marquis
I believe FreeBSD should just have a slave port with OpenSSH 7.4, used only for SSHv1. People using such a port should know the consequences of it. This could be a good candidate for a new ports category, /usr/ports/legacy If implemented there is a lot of code, in both ports and base, that

pkg audit false negatives (was: Perl upgrade - 5.20.x vulnerable)

2016-08-16 Thread Roger Marquis
tions that do not require patches. Roger Marquis

Re: Ports EOL vuxml entry

2016-08-22 Thread Roger Marquis
today there was a new entry added to the vuxml file including all outdated ports. Where is the value in this entry? This is good news for many of us Gerhard, who depend on the output of 'pkg audit' for vulnerability information. In this file there should only be real vulnerabilities and not maybe

Re: Ports EOL vuxml entry

2016-08-23 Thread Roger Marquis
Is an outdated (EOL) port a vulnerability? I don't think so. It's a possible vulnerability, but not a real one. Exactly. The meta-discussion we're having is regarding the word 'audit' (in 'pkg audit'). When you or I audit a server or a site the client always wants to know about potential

Re: ftpd leaks info which might be useful to an attacker

2016-09-14 Thread Roger Marquis
Matthew Seaman wrote: FTP as a protocol is archaic and needs to die. A good step towards that would be the deprecation of ftpd in base. IMO, Roger

Re: ftpd leaks info which might be useful to an attacker

2016-09-14 Thread Roger Marquis
Matthew Seaman wrote: FTP as a protocol is archaic and needs to die. A good step towards that would be the deprecation of ftpd in base. As well as the rest of the legacy daemons under /usr/libexec(/*d, other than tcpd). Roger

Re: /tmp/ecp.* created during kernel build?

2016-12-27 Thread Roger Marquis
Found a couple of ecp binaries in /tmp, apparently created concurrent with an 11.0 x86_64 kernel build. Anyone else seen this? Could they be related to a "make buildkernel"? Confirmed 'make buildkernel' does create these files, apparently via /usr/src/contrib/elftoolchain/elfcopy/main.c

/tmp/ecp.* created during kernel build?

2016-12-27 Thread Roger Marquis
Found a couple of ecp binaries in /tmp, apparently created concurrent with an 11.0 x86_64 kernel build. Anyone else seen this? Could they be related to a "make buildkernel"?
# ls -l /tmp/ecp*
-rw-r--r-- 1 root wheel 4229 Dec 27 06:21 ecp.Aak1ruL8
-rw-r--r-- 1 root wheel 2371 Dec 27

Re: pkg audit false negatives

2017-08-11 Thread Roger Marquis
It had been resolved for dovecot (it will now match both variants, since people might still have the old variant of the port installed) and there is a new paragraph added to the porters handbook which says that we need to have a look at the vuxml entries. Thanks Remko. Hope this solves

Re: pkg audit false negatives

2017-08-11 Thread Roger Marquis
of installed but deprecated ports OTOH, seems to have fallen through the cracks. Even the FreeBSD Foundation and the ports-security teams appear to be ignoring this issue. Roger Marquis

Re: pkg audit false negatives

2017-08-13 Thread Roger Marquis
I do not think that holds: 17521 php -- multiple vulnerabilities 17522 17523 17524 php55 17525 5.5.38 17526 This is an entry from svnweb, for php55, which was added in 2016(07-26). So this entry is there. Thus it did not disappear from VuXML

Re: pkg audit false negatives

2017-08-14 Thread Roger Marquis
That leaves just unpackaged base as FreeBSD's remaining audit weakness. Hi, I am happy that I can reduce your worry factor a bit ;-) Can you share what the audit weakness is? freebsd-update cron checks whether or not an update is available and then emails you. If you run -RELEASE, then that

pkg audit false negatives

2017-08-10 Thread Roger Marquis
In the past pkg-audit and even pkg-version have not been reliable tools where installed ports or packages have been subsequently discontinued or renamed. Today, however, I notice that dovecot2 is still showing up in the output of pkg-version despite the port having been renamed to dovecot

New pkg audit FNs

2017-10-09 Thread Roger Marquis
regarding the validity of FreeBSD's vulnerability database is larger than this CVE. We are concerned about update processes and procedures, especially considering how this topic has come up in the past (for different apps). Roger Marquis ___ freebs

Re: http subversion URLs should be discontinued in favor of https URLs

2017-12-11 Thread Roger Marquis
signature presharing mechanism would be more secure (than the CA maintained by EFF/LetsEncrypt at least). IMO, Roger Marquis

Jailing {open,}ntpd

2018-06-26 Thread Roger Marquis
Has anyone configured {open,}ntpd to run in a FreeBSD jail or Linux container? Can it be done in such a way that a breached daemon would not have access to the host? Roger Marquis

Re: Malicious URL ? https://[::]/

2018-01-24 Thread Roger Marquis
Dag-Erling Smørgrav wrote: Hang on a sec: localhost should be [::1], not [::], which is the equivalent of 0.0.0.0. My guess is a software bug. Jails look a little weird from the inside unless you use a fully virtualized network stack. The proxy probably doesn't have sufficient error checking

Malicious URL ? https://[::]/

2018-01-22 Thread Roger Marquis
has seen this? Roger Marquis

Re: Fwd: [tor-relays] FreeBSD 11.1 ZFS Tor Image

2018-02-27 Thread Roger Marquis
is that the ports-secteam is a volunteer effort and nobody really expects 'pkg audit' to be timely anyhow. Such easily fixable problems. Even the FreeBSD Foundation for all the projects it funds, and could fund with +$2.5M in the bank, doesn't seem to care. Roger Marquis

Re: FreeBSD Security Advisory FreeBSD-SA-18:02.ntp

2018-03-07 Thread Roger Marquis
have been saved by migrating ntpd to ports and openntpd to base. One too many cases exactly like this are why OpenBSD and HardenedBSD forked of course, but it is still not at all clear why openntpd and other tested and proven security changes haven't been pulled in to FreeBSD. Rog

SQLite vulnerability

2018-12-16 Thread Roger Marquis
is not able to properly maintain the vulnerability database? If the latter perhaps someone from the security team could let us know how such a significant vulnerability could go unflagged for so long and, more importantly, what might be done to address the gap in reporting? Roger Marquis

Re: SQLite vulnerability

2018-12-16 Thread Roger Marquis
of keeping end-users safe and making everyone's contribution to the project more effective. Roger Marquis

Re: SQLite vulnerability

2018-12-17 Thread Roger Marquis
on December 4th. Roger Marquis

Re: SQLite vulnerability

2018-12-17 Thread Roger Marquis
viewpoints are simply Linux advocates. Roger Marquis

Re: Interim support guarantee for FreeBSD 12

2018-11-30 Thread Roger Marquis
FYI re potential cuts to STABLE long-term support. Does this affect the RELEASE branch as well? Anyone know where this is being discussed? The announcement mentions community feedback but that seems unlikely given there has been no mention of it on the freebsd-security list. Roger Marquis

Re: Untrusted terminals: OPIE vs security/pam_google_authenticator

2019-06-18 Thread Roger Marquis
somewhere accessible for security-conscious end-users. To eliminate it would only benefit those with commercial interests in proprietary and hosted (vendor lock-in) MFA solutions. IMO, Roger Marquis

Re: Review of FreeBSD Security Advisory Process: Incl Heads Up, Dates, Etc [cont: 5599 SACK}

2019-07-07 Thread Roger Marquis
t wouldn't it be better to at least try beefing-up security support and creating a sustainable SECURITY BUDGET? If it grew the user-base by only a few percent that would at the very least make everyone's contribution more valuable. IMO, Roger Marquis

Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd

2020-02-14 Thread Roger Marquis
why it is no longer bundled. Roger Marquis Upstream OpenSSH-portable removed libwrap support in version 6.7, released in October 2014. We've maintained a patch in our tree to restore it, but it causes friction on each OpenSSH update and may introduce security vulnerabilities not present

Re: A question about Security Advisories

2020-09-03 Thread Roger Marquis
and Annual reports occasionally mention them but only in passing. How do we get someone on the Board/Foundation who is willing and able to prioritize these important issues? Roger Marquis Hi, Last years all Security Advisories regarding base system in the "update your vulnerable syste

Moinmoin

2020-11-27 Thread Roger Marquis
Anyone know if www/moinmoin is abandonware? The maintainer is listed as pyt...@freebsd.org and the version in ports has had an unpatched vulnerability for the last couple of weeks. Roger Marquis

Re: Moinmoin

2020-11-30 Thread Roger Marquis
/2020 12:55 pm, Roger Marquis wrote: Anyone know if www/moinmoin is abandonware? The maintainer is listed as pyt...@freebsd.org and the version in ports has had an unpatched vulnerability for the last couple of weeks. Hi Roger, I don't believe so, but development is slow Can you point us

Re: sysrc bug

2021-05-31 Thread Roger Marquis
are, particularly considering /usr/sbin/sysrc starts with "#!/bin/sh" (as does and should every system shell script). Roger Marquis

Re: Buffer overruns, license violations, and bad code: FreeBSD 13s close call

2021-03-26 Thread Roger Marquis
uns-license-violations-and-bad-code-freebsd-13s-close-call/3/> The only downside, no idea how it got by Ars' editors, is an irrelevant side-thread on Macy's record as a landlord. That aside the article is a must-read for anyone concerned with FreeBSD security. Roger M

Re: Security leak: Public disclosure of user data without their consent by installing software via pkg

2021-04-08 Thread Roger Marquis
Whatever the fix I hope we all agree that a policy is needed allowing or requiring the ports and security teams to reject ports and patches which exfiltrate (i.e., upload) _any_ local information without an explicit, detailed and robust opt-in. Roger Marquis On 08/04/2021 18:24, Shawn Webb

Re: CA's TLS Certificate Bundle in base = BAD

2022-12-07 Thread Roger Marquis
share/certs/trusted/TrustCor*" but there's sure to be room for options to better harden PKI. Roger Marquis

Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping

2022-11-30 Thread Roger Marquis
Also note that the update can be as easy as:
gitup src
cd /usr/src
make buildworld
cd sbin/ping
make install
ls -l /sbin/ping
/sbin/ping ...
Roger Marquis On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote: On 11/30/2022 4:58 PM, Dev Null wrote: Easily to exploit