But this does bring up a good point, i.e., that no
IDS should be operated without a well thought-out whitelist.
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo
problem.
--
Roger Marquis
the reference
implementation, head-and-shoulders better than up2date, yum, rpm,
apt-get, or anything else out there.
--
Roger Marquis
that 'make *world' cannot parse
OPENSSL_OVERWRITE_BASE and requires NO_OPENSSL instead?
--
Roger Marquis
A) which version of openssl a new port or upgrade
(i.e., openssh) will use, and B) how to update systems with
openssl-overwrite-base installed.
Is there a best practice/recommendation for updating
openssl-overwrite-base without having to maintain multiple
versions?
Roger Marquis
Roger Marquis
, response-time-wise, patch-wise, finance-wise, or otherwise,
our OS won't last long. The competition has gotten too good.
Question is, OT but very relevant, how can FreeBSD get some decent corporate
sponsorship?
Roger Marquis
it would be trivial
to create such a patch.
Roger Marquis
These source addresses are likely spoofed, but I am still curious whether
other FreeBSD admins saw a preponderance of DNS probes originating from
Microsoft corp subnets ahead of the recent ISC bind vulnerability
announcement?
Roger Marquis
Jul 28 16:51:23 PDT named[...]: client 94.245.67.253
://www.elstel.com/checkroot/) for openSUSE. This is often the only
way to spot an intrusion.
Unlike SuSE and Solaris, FreeBSD is most often compiled on the local
host. Wouldn't that make global checksums relatively useless?
Roger Marquis
and Linux default installs but SA's don't have to
restrict their systems to those defaults.
Roger Marquis
in large part because it is not like POSIX' Austin
group in those respects.
Roger Marquis
The correct format is 2012-02-20T01:23:45.6789+01:00
You guys are aware that RFC 5424 is a proposed standard, I trust? By
being proposed it is not a standard, at least not yet.
Perhaps the differences in human-readability of the proposed timestamp,
or the fact that it has variable field types
-modified to whatever uname prints for the
userland version. Attempting to do more than that, IMO, would have a
negative ROI.
IMO,
Roger Marquis
feature missing from openntpd that we could use is a way to set the
egress interface. Openntpd's 'listen on' directive only defines the
ingress tcp address; outgoing queries still use the server's primary ip.
Roger Marquis
with addressing this security advisory situation? Since quick
publication of advisories is critical this also raises the question of
what might be an effective way to subsequently publish more granular
update instructions.
Roger Marquis
Dag-Erling Smørgrav wrote:
Roger Marquis marq...@roble.com writes:
... or those with constrained resources are never going to be able
to make/build/installworld for something as simple as a single binary
update.
These sites would be better served using freebsd-update to download and
apply
Before pkgng it was easy to list a system's port dependencies by
(starting with):
grep glib /var/db/pkg/*/*
Is there an equivalent (single) command for pkgng?
Roger
Please note that the glibc has nothing to do with glib.
Is FreeBSD glib always linked to libc (vs glibc)?
# ldd /usr/local/lib/libglib* 2>/dev/null | grep libc | sort -u
libc.so.7 => /lib/libc.so.7 (0x800648000)
Roger
Is FreeBSD glib always linked to libc (vs glibc)?
Apparently it is, at least on the systems I've tested where there were no
glibc dependencies at all. Another item added to the list of BSD
(security) advantages.
Roger
If SCTP is NOT compiled in the kernel, are you still vulnerable?
No -- we should have mentioned that too. For GENERIC kernel however
SCTP is compiled in.
Should probably fix that too, in GENERIC, considering how little used this
protocol is.
It is not used much because there is not
DES wrote:
I do it all the time:
$ sudo env UNAME_r=X.Y-RELEASE freebsd-update fetch install
Not sure if using a jail to test is relevant but this never updates (my)
binaries to the specified RELEASE/RELENG, only to the current kernel's patch
level.
Then there's the issue of specifying
that overwrites base and
guarantees compatibility with RELEASE. Then we could at least have all
versions of openssl in vuln.xml (not that that's been a reliable
indicator of security of late).
Roger Marquis
I would like to contribute on that level as well.
Still interested in the team's policies and procedures, if those are
online somewhere.
Roger Marquis
You're not understanding the situation: the vulnerability isn't in
OpenSSL; it's a design flaw / weakness in the protocol. This is why
everyone is running like mad from SSL 3.0 and TLS 1.0.
Right, there are two issues being discussed that should be separated.
The thread was originally about SSL
Mark Felder wrote:
Another option is a second openssl port, one that overwrites base and
guarantees compatibility with RELEASE. Then we could at least have all
versions of openssl in vuln.xml (not that that's been a reliable
indicator of security of late).
This will never work. You can't
Walter Parker wrote:
What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that
their systems are secure? An audit trail of CVE issues fixed, while a
good start, is hardly a strong assurance that the system is secure.
An important point and thank you for making it Walter. There is
use full set of its own libraries for everything
either.
I'd be happy just to 'make buildworld -DWITHOUT_OPENSSL'.
Roger Marquis
* operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
OpenBSD server operators) have no assurance that their systems are
secure.
Slow down here for a second. Where's the command-line tool on RedHat or
Debian that lists only the known vulnerable packages?
In RedHat
FreeBSD servers and
looking to the freebsd.org website for help securing their systems.
The significance of these 7 bullets should not be overlooked or
understated. They call into question the viability of FreeBSD itself.
IMO,
Roger Marquis
FYI regarding these new and significant failures of FreeBSD security
policy and procedures.
PHP55 vulnerabilities announced over a week ago
https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/) have still
not been ported to lang/php55. You can, however, edit the Makefile,
increment the
is not more widely
used today is that many sysadmins aren't familiar with it.
Roger Marquis
d it be to write a
translation script?
Roger Marquis
ood and timely subjects given recently published details of
NSA/5 eyes methodologies as well as the issues freebsd security teams
were having as recently as a few months ago.
Roger Marquis
Refs.
https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/
http://www.li
rhi wrote:
Until now, I have avoided installing the OpenSSL port because the base
OpenSSL gets security updates via freebsd-update and so it's one thing less
to care about... also, I don't like the idea of having two different
versions of the same thing on the system
A fair number of sites
These vulnerabilities seem to be missing from the current vuln.xml, FYI.
Roger
Date: Wed, 22 Jun 2016 11:02:59 +0100
From: Mark Thomas
Reply-To: annou...@tomcat.apache.org
To: "us...@tomcat.apache.org"
Cc: "d...@tomcat.apache.org"
Hi. Is there any reliable way to verify checksums of all local files for some
FreeBSD installation? E.g. I'm using a hoster which provides pre-deployed
FreeBSD instances; how can I be sure there are no patches/changes in the
kernel, services, etc.?
At the filesystem-level there's
that goal I'm wondering if FreeBSD base has ever been analyzed
for patterns of suspicious commits[4]?
Roger Marquis
Refs.
[1] http://www.viva64.com/en/b/0377/
[2]
http://tech.slashdot.org/story/16/02/19/001202/pvs-studio-analyzer-spots-40-bugs-in-the-freebsd-kernel
[3] http://www.apple.com/customer
Despite the risk of beating a dead horse (apologies to non-native
english speakers for the acronym), as I cannot recall discussion of
migrating base, and since replacing ntpd with openntpd has been standard
practice in security-oriented environments for a few years now, perhaps
someone on the sec
Who needs millisecond accuracy anyway?
Cell phones, cell phone towers, computers handling financial transactions, etc.
I manage security for several dozen FreeBSD computers handling financial
transactions and they all run openntpd in client-only mode. It was the
only way we could avoid an
Large builds over NFS filesystems, particularly secure NFS (i.e.,
Kerberos) are one of the best tests of time synchronization. Clients with
bad clocks can further exercise this not uncommon infrastructure. The
reason you don't typically see build errors even here, IME, is because
the timehosts tend
Totally the opposite, it means one rollout instead of X rollouts making it
simpler not harder.
I don't know, isn't that the logic behind Microsoft's failed
patch-Tuesdays?
It's important not to confound security with usability. Any delay to a
security advisory is an invitation to hackers. I
Question is does this warrant moving from portsnap to svn?
Also have to wonder why the security team hasn't issued a vulnerability
announcement.
Roger
On July 18, John Leyden, security editor at The Register, tweeted a link
to a libarchive ticket that had been sitting without a response
Timely update via Hackernews:
Note in particular:
"FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
and libarchive vulnerabilities."
Not sure why the portsec team has not commented or published an advisory
(possibly because the freebsd list spam filters are so bad
I believe FreeBSD should just have a slave port with OpenSSH 7.4, used only
for SSHv1. People using such port should know the consequences of it.
This could be a good candidate for a new ports category,
/usr/ports/legacy
If implemented there is a lot of code, in both ports and base, that
tions that do not
require patches.
Roger Marquis
today there was a new entry added to the vuxml file including all
outdated ports. Where is the value in this entry?
This is good news for many of us Gerhard, who depend on the output of
'pkg audit' for vulnerability information.
This file should only contain real vulnerabilities and not maybe
Is an outdated (EOL) port a vulnerability? I don't think so. It's a
possible vulnerability, but not a real one.
Exactly. The meta-discussion we're having is regarding the word 'audit'
(in 'pkg audit'). When you or I audit a server or a site the client
always wants to know about potential
Matthew Seaman wrote:
FTP as a protocol is archaic and needs to die.
A good step towards that would be the deprecation of ftpd in base.
IMO,
Roger
Matthew Seaman wrote:
FTP as a protocol is archaic and needs to die.
A good step towards that would be the deprecation of ftpd in base.
As well as the rest of the legacy daemons under /usr/libexec(/*d, other
than tcpd).
Roger
Found a couple of ecp binaries in /tmp, apparently created concurrent
with an 11.0 x86_64 kernel build. Anyone else seen this? Could they
be related to a "make buildkernel"?
Confirmed 'make buildkernel' does create these files, apparently via
/usr/src/contrib/elftoolchain/elfcopy/main.c
# ls -l /tmp/ecp*
-rw-r--r-- 1 root wheel 4229 Dec 27 06:21 ecp.Aak1ruL8
-rw-r--r-- 1 root wheel 2371 Dec 27
It had been resolved for dovecot (it will now match both variants, since people
might still have
the old variant of the port installed) and there is a new paragraph added to
the porters handbook
which tells that we need to have a look at the vuxml entries.
Thanks Remko.
Hope this solves
of installed but deprecated ports OTOH, seems to have fallen
through the cracks. Even the FreeBSD Foundation and the ports-security
teams appear to be ignoring this issue.
Roger Marquis
I do not think that holds:
17521 php -- multiple vulnerabilities
17524 php55
17525 5.5.38
This is an entry from svnweb, for php55, which was added in 2016(07-26).
So this entry is there. Thus it did not disappear from VuXML
That leaves just unpackaged base as FreeBSD's remaining audit weakness.
Hi, I am happy that I can reduce your worry factor a bit ;-)
Can you share what the audit weakness is? freebsd-update cron checks
whether or not an update is available and then emails you. If you run
-RELEASE, then that
In the past pkg-audit and even pkg-version have not been reliable tools
where installed ports or packages have been subsequently discontinued or
renamed. Today, however, I notice that dovecot2 is still showing up in
the output of pkg-version despite the port having been renamed to
dovecot
regarding the
validity of FreeBSD's vulnerability database is larger than this CVE.
We are concerned about update processes and procedures, especially
considering how this topic has come up in the past (for different apps).
Roger Marquis
signature presharing mechanism would be
more secure (than the CA maintained by EFF/LetsEncrypt at least).
IMO,
Roger Marquis
Has anyone configured {open,}ntpd to run in a FreeBSD jail or Linux
container? Can it be done in such a way that a breached daemon would
not have access to the host?
Roger Marquis
Dag-Erling Smørgrav wrote:
Hang on a sec - localhost should be [::1], not [::], which is the
equivalent of 0.0.0.0. My guess is a software bug. Jails look a little
weird from the inside unless you use a fully virtualized network stack.
The proxy probably doesn't have sufficient error checking
has seen this?
Roger Marquis
is that the ports-secteam is a volunteer
effort and nobody really expects 'pkg audit' to be timely anyhow.
Such easily fixable problems. Even the FreeBSD Foundation for all the
projects it funds, and could fund with +$2.5M in the bank, doesn't seem
to care.
Roger Marquis
have been saved by migrating ntpd to ports and openntpd to base.
One too many cases exactly like this are why OpenBSD and HardenedBSD
forked of course, but it is still not at all clear why openntpd and
other tested and proven security changes haven't been pulled in to
FreeBSD.
Rog
is not able to properly maintain the vulnerability
database?
If the latter perhaps someone from the security team could let us know
how such a significant vulnerability could go unflagged for so long and,
more importantly, what might be done to address the gap in reporting?
Roger Marquis
of keeping end-users safe and making everyone's contribution to
the project more effective.
Roger Marquis
on December 4th.
Roger Marquis
viewpoints are simply Linux advocates.
Roger Marquis
FYI re potential cuts to STABLE long-term support. Does this affect the
RELEASE branch as well? Anyone know where this is being discussed? The
announcement mentions community feedback but that seems unlikely given
there has been no mention of it on the freebsd-security list.
Roger Marquis
somewhere accessible for security-conscious end-users. To
eliminate it would only benefit those with commercial interests in
proprietary and hosted (vendor lock-in) MFA solutions.
IMO,
Roger Marquis
t wouldn't it be better to at
least try beefing-up security support and creating a sustainable
SECURITY BUDGET? If it grew the user-base by only a few percent that
would at the very least make everyone's contribution more valuable.
IMO,
Roger Marquis
why it is no longer bundled.
Roger Marquis
Upstream OpenSSH-portable removed libwrap support in version 6.7,
released in October 2014. We've maintained a patch in our tree to
restore it, but it causes friction on each OpenSSH update and may
introduce security vulnerabilities not present
and
Annual reports occasionally mention them but only in passing. How
do we get someone on the Board/Foundation who is willing and able to
prioritize these important issues?
Roger Marquis
Hi,
Last years all Security Advisories regarding base system in the "update
your vulnerable syste
Anyone know if www/moinmoin is abandonware? The maintainer is listed as
pyt...@freebsd.org and the version in ports has had an unpatched
vulnerability for the last couple of weeks.
Roger Marquis
/2020 12:55 pm, Roger Marquis wrote:
Anyone know if www/moinmoin is abandonware? The maintainer is listed as
pyt...@freebsd.org and the version in ports has had an unpatched
vulnerability for the last couple of weeks.
Hi Roger,
I don't believe so, but development is slow
Can you point us
are, particularly considering
/usr/sbin/sysrc starts with "#!/bin/sh" (as does and should every system
shell script).
Roger Marquis
uns-license-violations-and-bad-code-freebsd-13s-close-call/3/>
The only downside, no idea how it got by Ars' editors, is an
irrelevant side-thread on Macy's record as a landlord. That
aside the article is a must-read for anyone concerned with
FreeBSD security.
Roger M
Whatever the fix I hope we all agree that a policy is needed allowing or
requiring the ports and security teams to reject ports and patches which
exfiltrate (i.e., upload) _any_ local information without an explicit,
detailed and robust opt-in.
Roger Marquis
On 08/04/2021 18:24, Shawn Webb
share/certs/trusted/TrustCor*" but there's sure to
be room for options to better harden PKI.
Roger Marquis
Also note that the update can be as easy as:
gitup src
cd /usr/src
make buildworld
cd sbin/ping
make install
ls -l /sbin/ping
/sbin/ping ...
Roger Marquis
On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote:
On 11/30/2022 4:58 PM, Dev Null wrote:
Easily to exploit