Re[2]: freebsd-update and portsnap users still at risk of compromise

Mail Lists mlists at mail.ru
Wed Aug 10 17:43:22 UTC 2016 



sorry but this is blabla and does not come even near to answering the real problem:

It appears that freebsd and the US-government is more connected that some of us might like:

Not publishing security issues concerning update mechanisms - we all can think WHY freebsd is not eager on this one.

Just my thoughts...



>Tuesday, August  9, 2016 8:21 PM UTC from Matthew Donovan <kitche at kitchetech.com>:
>
>You mean operating system as distribution is a Linux term. There's not much
>different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
>vulnerabilities and has a an excellent ASLR system compared to the proposed
>one for FreeBSD.
>
>On Aug 9, 2016 3:10 PM, "Roger Marquis" < marquis at roble.com > wrote:
>
>> Timely update via Hackernews:
>>
>>  <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerabilit
>> y-update-libarchive>
>>
>> Note in particular:
>>
>>  "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>>  and libarchive vulnerabilities."
>>
>> Not sure why the portsec team has not commented or published an advisory
>> (possibly because the freebsd list spam filters are so bad that
>> subscriptions are being blocked) but from where I sit it seems that
>> those exposed should consider:
>>
>>  cd /usr/ports
>>  svn{lite} co  https://svn.FreeBSD.org/ports/head /usr/ports
>>  make index
>>  rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>
>> I'd also be interested in hearing from hardenedbsd users regarding the
>> pros and cons of cutting over to that distribution.
>>
>> Roger
>>
>>
>>
>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>
>>>>
>>>> not sure if you've been contacted privately, but  I believe the answer is
>>>> "we're working on it"
>>>>
>>>
>>> My concerns are as follows:
>>>
>>> 1. This is already out there, and FreeBSD users haven't been alerted that
>>> they should avoid running freebsd-update/portsnap until the problems are
>>> fixed.
>>>
>>> 2. There was no mention in the bspatch advisory that running
>>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
>>> are apparently already in operation.
>>>
>>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>>> heap corruption, even though a more complete fix is available. That's
>>> what prompted my post. If FreeBSD learned of the problem from the same
>>> source document we all did, which seems likely given the coincidental
>>> timing of an advisory for a little-known utility a week or two after that
>>> source document appeared, then surely FreeBSD had the complete fix
>>> available.
>>>
>>> _______________________________________________
>>  freebsd-ports at freebsd.org mailing list
>>  https://lists.freebsd.org/mailman/listinfo/freebsd-ports
>> To unsubscribe, send any mail to " freebsd-ports-unsubscribe at freebsd.org "
>>
>_______________________________________________
>freebsd-security at freebsd.org mailing list
>https://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to " freebsd-security-unsubscribe at freebsd.org "


Best regards,
Mail Lists
mlists at mail.ru

More information about the freebsd-security mailing list