Re: Upcoming FreeBSD Security Advisory

2009-11-30 Thread Bryan Drewery
Colin, Thank you so much for alerting us and providing a temporary patch. I had a user attempt to use the public exploit today, but due to /tmp being noexec, it failed. Luckily I caught him before he modified the script to work though. Now I am patched and can sleep tonight :) Thanks, Bryan

Re: disable (new)syslog rotation and raise securelevel ... possible?

2010-07-12 Thread Bryan Drewery
Fernan, You can disable newsyslog by adding newsyslog_enable=NO to your /etc/rc.conf or /etc/rc.conf.local Also be aware that you will need to reboot with kern_securelevel_enable=NO in one of those files, to lower the securelevel. You should also consider a remote syslog host. Bryan

Re: Default password hash

2012-06-09 Thread Bryan Drewery
On 6/9/2012 6:34 AM, Mike Tancsa wrote: Sort of a security issue considering this assessment of MD5. You can use blf (blowfish) as well. Regards, Bryan Drewery ___ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo

Re: FreeBSD Security Advisory FreeBSD-SA-12:08.linux

2012-11-22 Thread Bryan Drewery
On 11/22/2012 6:02 PM, FreeBSD Security Advisories wrote: IV. Workaround No workaround is available, but systems not using the Linux binary compatibility layer are not vulnerable. The following command can be used to test if the Linux binary compatibility layer is loaded: #

Re: FreeBSD Security Advisory FreeBSD-SA-12:08.linux

2012-11-22 Thread Bryan Drewery
On 11/22/2012 6:30 PM, Bryan Drewery wrote: On 11/22/2012 6:02 PM, FreeBSD Security Advisories wrote: IV. Workaround No workaround is available, but systems not using the Linux binary compatibility layer are not vulnerable. The following command can be used to test if the Linux binary

Re: FreeBSD Security Advisory FreeBSD-SA-13:06.mmap

2013-06-20 Thread Bryan Drewery
in the future: echo 'security.bsd.unprivileged_proc_debug=0' >> /etc/sysctl.conf; service sysctl start. You should still hastily patch/reboot your system though. -- Regards, Bryan Drewery

Re: fatal: cipher_init: EVP_CipherInit: set key failed for aes128-cbc [preauth]

2013-09-28 Thread Bryan Drewery
/local/etc/ssh/sshd_config). Apparently security/openssh-portable needs a fix similar to the base system head/crypto/openssh r251088. -GAWollman Yup. I didn't realize I had put that into the port. Fixed for upcoming 6.3. Thanks, Bryan Drewery

Re: http://heartbleed.com/

2014-04-07 Thread Bryan Drewery
. 1.0.1_10 has the fix. -- Regards, Bryan Drewery

Re: Missing binary package security updates?

2014-04-10 Thread Bryan Drewery
for security updates. Right now pkgng binary packages are not really suitable for production use because of lacking essential security updates. (There should be a loud and clear warning about this in the Handbook if it stays this way?) Best Regards, -- Regards, Bryan Drewery

Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]

2014-04-10 Thread Bryan Drewery
portsnap how to speak SVN, while still behaving the same, may cover my concerns. To be fair SVN does have its advantages: 1. Quicker updates for users. 2. Easier patch generation for PR submission. 3. Similarly, viewing your changes more easily. -- Regards, Bryan Drewery

Re: De Raadt + FBSD + OpenSSH + hole?

2014-04-19 Thread Bryan Drewery
of the optional patches available in the port had issues. -- Regards, Bryan Drewery

Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?

2014-07-02 Thread Bryan Drewery
maintaining a ca-root-freebsd.pem even better, as long as you are willing to. IMHO always install it, don't depend on MK_OPENSSL. Is the file actually specific to OpenSSL? Ports would love to have it be available all the time regardless of SSL library choices. -- Regards, Bryan Drewery

[CFT] SSP Package Repository available

2014-08-20 Thread Bryan Drewery
On 9/21/2013 5:49 AM, Bryan Drewery wrote: Ports now support enabling Stack Protector [1] support on FreeBSD 10 i386 and amd64, and older releases on amd64 only currently. Support may be added for earlier i386 releases once all ports properly respect LDFLAGS. To enable, just add WITH_SSP

Re: bash vulnerability

2014-09-25 Thread Bryan Drewery
shells, like scponly, should not be written in bash. 6. SSH authorized_keys/sshd_config forced commands should also not be written in bash. Cheers, Bryan Drewery

Re: bash vulnerability

2014-09-26 Thread Bryan Drewery
On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery bdrew...@freebsd.org wrote: On 9/26/2014 2:36 AM, Steve Clement wrote: Dear all, In case you urgently need to go the manual route, here is one way to really patch your systems: https

Re: bash vulnerability

2014-09-26 Thread Bryan Drewery
the fixes since yesterday. The packages are building. -- Regards, Bryan Drewery

Re: bash vulnerability

2014-09-26 Thread Bryan Drewery
On 9/26/2014 11:51 AM, Bryan Drewery wrote: On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery bdrew...@freebsd.org wrote: On 9/26/2014 2:36 AM, Steve Clement wrote: Dear all, In case you urgently need to go the manual route, here is one way

Re: pkg repositories out of alignment

2014-09-26 Thread Bryan Drewery
not well prepared for security updates to packages yet. We have many technical challenges to work through still. -- Regards, Bryan Drewery

Re: bash vulnerability

2014-09-26 Thread Bryan Drewery
On 9/26/2014 12:41 PM, Bryan Drewery wrote: On 9/26/2014 11:51 AM, Bryan Drewery wrote: On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: Apparently, the full fix is still not delivered, according to this: http://seclists.org/oss-sec/2014/q3/741 Kind regards, Bartek Rutkowski I'm pretty

Re: bash vulnerability

2014-09-29 Thread Bryan Drewery
On 9/29/2014 11:01 AM, Mike Tancsa wrote: On 9/26/2014 5:01 PM, Bryan Drewery wrote: On 9/26/2014 12:41 PM, Bryan Drewery wrote: On 9/26/2014 11:51 AM, Bryan Drewery wrote: On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: Apparently, the full fix is still not delivered, accordingly

Re: bash vulnerability

2014-09-30 Thread Bryan Drewery
On 9/30/2014 1:54 PM, Jung-uk Kim wrote: On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote: On 9/29/2014 11:01 AM, Mike Tancsa wrote: On 9/26/2014 5:01 PM, Bryan Drewery wrote: On 9/26/2014 12:41 PM, Bryan Drewery wrote: On 9/26/2014 11:51 AM, Bryan Drewery wrote: On 9/26/2014 11:46 AM

Re: bash vulnerability

2014-09-30 Thread Bryan Drewery
On 9/30/2014 1:54 PM, Jung-uk Kim wrote: On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote: On 9/29/2014 11:01 AM, Mike Tancsa wrote: On 9/26/2014 5:01 PM, Bryan Drewery wrote: On 9/26/2014 12:41 PM, Bryan Drewery wrote: On 9/26/2014 11:51 AM, Bryan Drewery wrote: On 9/26/2014 11:46 AM

Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?

2014-10-01 Thread Bryan Drewery
On 7/2/2014 8:55 PM, Bryan Drewery wrote: On 7/2/2014 6:45 PM, Xin Li wrote: Hi, Currently, FreeBSD does not install a default /etc/ssl/cert.pem because we do not maintain one ourselves. We do, however, provide a port, security/ca_root_nss, which have an option to install a symbolic link

Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?

2014-10-02 Thread Bryan Drewery
On 10/2/2014 8:25 AM, Eric van Gyzen wrote: On 10/01/2014 16:58, Bryan Drewery wrote: On 7/2/2014 8:55 PM, Bryan Drewery wrote: On 7/2/2014 6:45 PM, Xin Li wrote: Hi, Currently, FreeBSD does not install a default /etc/ssl/cert.pem because we do not maintain one ourselves. We do, however

SSP now default for ports/packages, ssp/new_xorg repository EOL

2014-11-02 Thread Bryan Drewery
/usr/local/etc/pkg/repos/ for the ssp or new_xorg repositories. Regards, Bryan Drewery on behalf of portmgr

Re: pkg audit / vuln.xml failures

2015-05-18 Thread Bryan Drewery
, and committers, feel the file is not easy to contribute to. Regards, Bryan Drewery

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/11/2015 1:23 AM, Dag-Erling Smørgrav wrote: > Bryan Drewery <bdrew...@freebsd.org> writes: >> Actually I am missing the client-side VersionAddendum support (ssh.c). I >> only have server-side (sshd.c). This is just due to lack of motivation >> to import the chang

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
p rsyncd on the > backup server. > Yes, it's more a matter of convenience with key management. I admit that after some recent changes I've made I did resort to using the base SSH and rsync:// to achieve my backups over VPN out of not wanting to customize the new system further with the port

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/11/2015 8:51 AM, Dag-Erling Smørgrav wrote: > Bryan Drewery <bdrew...@freebsd.org> writes: >> Another thing that I did with the port was restore the tcpwrapper >> support that upstream removed. Again, if we decide it is not worth >> keeping in base I will remov

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
e > request. Damien is generally pretty open to suggestions. > My own experience here has been positive, both with patches, feature suggestion, and general discussion. The upstream is more open than people may think. -- Regards, Bryan Drewery

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
why having a NONE cypher compiled in, > but disabled in the configuration is a bad idea? My reasoning for wanting SSH/SCP with NONE is precisely because of the ssh key support. It simplifies a lot to be able to use the same key over a VPN and not over the VPN to connect to the same system. -- Reg

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/11/15 4:05 PM, Slawa Olhovchenkov wrote: > On Wed, Nov 11, 2015 at 03:58:35PM -0800, Bryan Drewery wrote: > >>> Some for as ports version? >>> Or ports version different? >>> Or port maintainer have more time (this is not to blame for DES)? >>> I am

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/11/2015 3:56 PM, Slawa Olhovchenkov wrote: > On Wed, Nov 11, 2015 at 10:18:08AM -0800, Bryan Drewery wrote: > >> On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote: >>> On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote: >>> >>>> B

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote: > On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote: > >> Bryan Drewery <bdrew...@freebsd.org> writes: >>> Another thing that I did with the port was restore the tcpwrapper >>> support that u

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
and fixed upstream in the last day and I wrote in a similar fix in the port. That speaks a lot about its usage in the port currently. -- Regards, Bryan Drewery

Re: OpenSSH HPN

2015-11-10 Thread Bryan Drewery
e case now. There is nothing different compared to upstream OpenSSH now for logging. -- Regards, Bryan Drewery

Re: OpenSSH HPN

2015-11-10 Thread Bryan Drewery
anges (which I did upstream, and did apply to the base HPN as well) and the logging changes (which were far too intrusive to maintain). -- Regards, Bryan Drewery

Re: OpenSSH HPN

2015-11-10 Thread Bryan Drewery
performance should be more than acceptable for > today's uses (i.e. cipher performance is 2GB/sec+). AES-NI doesn't help the absurdity of double-encrypting when using scp or rsync/ssh over an encrypted VPN, which is where NONE makes sense to use for me. -- Regards

Re: OpenSSH HPN

2015-11-10 Thread Bryan Drewery
On 11/10/15 4:40 PM, Bryan Drewery wrote: > Anyway, reverting the base SSH to stock, and then importing all patches > from the ports default version should result in the same base patches > applied and a working HPN. Actually I am missing the client-side VersionAddendum support (ssh.c

Re: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh

2015-08-26 Thread Bryan Drewery
vulnerabilities Affects: All supported versions of FreeBSD. I know RELENG_8 is no longer supported, but does this issue impact FreeBSD 8.x ? Yes. The port (not quarterly one) is fully updated to 7.1 with the fixes as a workaround. -- Regards, Bryan Drewery bdrewery@freenode/EFNet

Re: Quarterly packages and security updates...

2015-08-25 Thread Bryan Drewery
audit' output are normally backported to the quarterly branch quickly. I am exploring ways of making the quarterly builds run multiples times per day. -- Regards, Bryan Drewery

Re: svn commit: r304626 - head/lib/libpam/modules/pam_ssh

2016-08-22 Thread Bryan Drewery
== >> --- head/lib/libpam/modules/pam_ssh/pam_ssh.cMon Aug 22 19:05:11 >> 2016(r304625) >> +++ head/lib/libpam/modules/pam_ssh/pam_ssh.cMon Aug 22 19:27:20 >> 2016 (r304626) >>

Re: Intel hardware bug

2018-01-03 Thread Bryan Drewery
s lifted. I do know that the right people are definitely aware of what's going on. -- Regards, Bryan Drewery

Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd

2020-03-24 Thread Bryan Drewery
bly keep the patch in the tree for some time, to support > MFCs to stable branches; the patch will be removed entirely later on. FYI if you need this feature the port still has it and is at 8.2 now. -- Regards, Bryan Drewery