freebsd-update and portsnap users still at risk of compromise

Vincent Hoffman-Kazlauskas vince at unsane.co.uk
Thu Aug 11 10:00:06 UTC 2016


For those not on freebsd-announce (or reddit or anywhere else it got posted)

"FreeBSD Core statement on recent freebsd-update and related
vulnerabilities"
https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html



Vince

On 11/08/2016 05:22, Julian Elischer wrote:
> On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote:
>>
>>
>> sorry but this is blabla and does not come even near to answering the
>> real problem:
>>
>> It appears that FreeBSD and the US government are more connected than
>> some of us might like:
>>
>> Not publishing security issues concerning update mechanisms - we all
>> can think WHY freebsd is not eager on this one.
>>
>> Just my thoughts...
> 
> this has been in discussion a lot in private circles within FreeBSD.
> It's not being ignored and a "correct" patch is being developed.
> 
> from one email I will quote just a small part..
> =======
> 
> As of yet, [the] patches for the libarchive vulnerabilities have not been
> released upstream to be pulled into FreeBSD. In the meantime, HardenedBSD
> has created patches for some of the libarchive vulnerabilities; the first[3]
> is being considered for inclusion in FreeBSD, at least until a complete fix
> is committed upstream, however the second[4] is considered too brute-force
> and will not be committed as-is. Once the patches are in FreeBSD and updated
> binaries are available, a Security Advisory will be issued.
> 
> =======
> so expect something soon.
> I will go on to say that the threat does need to come from an advanced
> MITM actor, though that does not make it a non-threat..
> 
>>
>>
>>> Tuesday, August  9, 2016 8:21 PM UTC from Matthew Donovan
>>> <kitche at kitchetech.com>:
>>>
>>> You mean operating system, as distribution is a Linux term. There's not
>>> much difference between HardenedBSD and FreeBSD besides that HardenedBSD
>>> fixes vulnerabilities and has an excellent ASLR system compared to the
>>> proposed one for FreeBSD.
>>>
>>> On Aug 9, 2016 3:10 PM, "Roger Marquis" < marquis at roble.com > wrote:
>>>
>>>> Timely update via Hackernews:
>>>>
>>>>   <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>
>>>>
>>>> Note in particular:
>>>>
>>>>   "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>>>>   and libarchive vulnerabilities."
>>>>
>>>> Not sure why the portsec team has not commented or published an advisory
>>>> (possibly because the freebsd list spam filters are so bad that
>>>> subscriptions are being blocked) but from where I sit it seems that
>>>> those exposed should consider:
>>>>
>>>>   cd /usr/ports
>>>>   svn{lite} co  https://svn.FreeBSD.org/ports/head /usr/ports
>>>>   make index
>>>>   rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>>>
>>>> I'd also be interested in hearing from hardenedbsd users regarding the
>>>> pros and cons of cutting over to that distribution.
>>>>
>>>> Roger
>>>>
>>>>
>>>>
>>>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>>>> not sure if you've been contacted privately, but I believe the
>>>>>> answer is "we're working on it"
>>>>>>
>>>>> My concerns are as follows:
>>>>>
>>>>> 1. This is already out there, and FreeBSD users haven't been alerted
>>>>> that they should avoid running freebsd-update/portsnap until the
>>>>> problems are fixed.
>>>>>
>>>>> 2. There was no mention in the bspatch advisory that running
>>>>> freebsd-update to "fix" bspatch would expose systems to MITM attackers
>>>>> who are apparently already in operation.
>>>>>
>>>>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>>>>> heap corruption, even though a more complete fix is available. That's
>>>>> what prompted my post. If FreeBSD learned of the problem from the same
>>>>> source document we all did, which seems likely given the coincidental
>>>>> timing of an advisory for a little-known utility a week or two after
>>>>> that source document appeared, then surely FreeBSD had the complete fix
>>>>> available.
>>>>>
>>>>> _______________________________________________
>>>>   freebsd-ports at freebsd.org mailing list
>>>>   https://lists.freebsd.org/mailman/listinfo/freebsd-ports
>>>> To unsubscribe, send any mail to "
>>>> freebsd-ports-unsubscribe at freebsd.org "
>>>>
>>> _______________________________________________
>>> freebsd-security at freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to "
>>> freebsd-security-unsubscribe at freebsd.org "
>>
>> Best regards,
>> Mail Lists
>> mlists at mail.ru
>>
> 
> 