Reminder notice about FreeBSD Security Advisories

FreeBSD Security Advisories security-advisories at freebsd.org
Fri Feb 9 13:44:13 PST 2001


-----BEGIN PGP SIGNED MESSAGE-----

This is a reminder notice that all FreeBSD Security Advisories are
signed with the PGP key of the security officer, available from the
following location:

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

A copy of the public key containing more signatures may be retrieved
from the http://keys.pgp.com key server.

The PGP signature should be verified on all FreeBSD Security
Advisories prior to trusting its contents -- recent events have
reminded the community that e-mail may be trivially spoofed, and this
is in fact the precise reason the security officer signs all official
advisories.

Advisories with missing or invalid signatures must be assumed to be
written by third parties, and therefore unofficial and unsanctioned by
the FreeBSD Project.

While the recent examples of spoofed advisories were childish and
easily seen to be counterfeits, the originator has done the service of
reinforcing the point that signature verification is necessary.
Consider the example of a spoofed advisory which appears to be fully
legitimate and describes an abstruse and difficult to understand
"security vulnerability", and which contains instructions which
subtlely weaken or compromise the security of machines upon which the
instructions are carried out.

At this time, GnuPG is the PGP software recommended by the security
officer for use on FreeBSD.  This and other PGP software are also
included in the FreeBSD ports collection and available commercially.

Most modern mail software allows PGP signature verification to be done
automatically at the time the message is displayed.  Consult the
documentation for your mail and PGP software to find out how to
configure it to automatically verify signatures in e-mail.  A sample
configuration file for the mutt mail reader to allow automatic
signature verfication (suitable for addition to the user's ~/.muttrc
file) is available from:

  http://www.freebsd.org/~kris/muttrc-gpg

This relies on the availability of the gnupg software
(/usr/ports/security/gnupg).  Note that the security-officer PGP key
uses the IDEA algorithm for encrypted (as opposed to signed) messages
you may wish to send to us, which is not included in gnupg by default.
IDEA is covered by a patent, but the licensing terms permit use for
non-commercial purposes.  To install IDEA support, perform the
following steps as root:

# cd /usr/ports/security/gnupg-idea
# make all install clean MAKE_IDEA=yes

IDEA support is not required to verify signatures made by the security
officer.

Kris Kennaway
FreeBSD Security Officer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOoRf/lUuHi5z0oilAQFSegQAkkzFwV/1uGv0W6CJmsNWExCrSZlGBk7p
NixT7iXXa3CF0IllKadoTPr735IO3yKUsg/ujgWU0tpwnSLh6A9C8QqAkBBO2BJQ
y/rLA9qFuz+a3sbrtBVSV7GSzQm7ebzyVpef/ThMfM69C5bnmnhlPWdB6qNbYQAj
2c7MKMGIHuQ=
=Ud07
-----END PGP SIGNATURE-----


This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org


To Unsubscribe: send mail to majordomo at FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message




More information about the freebsd-announce mailing list