freebsd-update and portsnap users still at risk of compromise

Joe Shevland jshevland at calm-horizons.net
Thu Aug 11 12:17:23 UTC 2016


The HN discussion:

https://news.ycombinator.com/item?id=12261347



On 11/08/2016 7:59 PM, Vincent Hoffman-Kazlauskas wrote:
> For those not on freebsd-announce (or reddit or anywhere else it got posted)
>
> "FreeBSD Core statement on recent freebsd-update and related
> vulnerabilities"
> https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html
>
>
>
> Vince
>
> On 11/08/2016 05:22, Julian Elischer wrote:
>> On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote:
>>>
>>> sorry but this is blabla and does not come even near to answering the
>>> real problem:
>>>
>>> It appears that freebsd and the US-government is more connected than
>>> some of us might like:
>>>
>>> Not publishing security issues concerning update mechanisms - we all
>>> can think WHY freebsd is not eager on this one.
>>>
>>> Just my thoughts...
>> this has been in discussion a lot in private circles within FreeBSD.
>> It's not being ignored and a "correct" patch is being developed.
>>
>> from one email I will quote just a small part..
>> =======
>>
>> As of yet, [the] patches for the libarchive vulnerabilities have not
>> been released
>> upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has
>> created
>> patches for some of the libarchive vulnerabilities, the first[3] is being
>> considered for inclusion in FreeBSD, at least until a complete fix is
>> committed upstream, however the second[4] is considered too brute-force and
>> will not be committed as-is. Once the patches are in FreeBSD and updated
>> binaries are available, a Security Advisory will be issued.
>>
>> =======
>> so expect something soon.
>> I will go on to say that the threat does need to come from an advanced
>> MITM actor,
>> though that does not make it a non threat..
>>
>>>
>>>> Tuesday, August  9, 2016 8:21 PM UTC from Matthew Donovan
>>>> <kitche at kitchetech.com>:
>>>>
>>>> You mean operating system as distribution is a Linux term. There's
>>>> not much
>>>> different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
>>>> vulnerabilities and has an excellent ASLR system compared to the
>>>> proposed
>>>> one for FreeBSD.
>>>>
>>>> On Aug 9, 2016 3:10 PM, "Roger Marquis" <marquis at roble.com> wrote:
>>>>
>>>>> Timely update via Hackernews:
>>>>>
>>>>>    <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>
>>>>>
>>>>> Note in particular:
>>>>>
>>>>>    "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>>>>>    and libarchive vulnerabilities."
>>>>>
>>>>> Not sure why the portsec team has not commented or published an
>>>>> advisory
>>>>> (possibly because the freebsd list spam filters are so bad that
>>>>> subscriptions are being blocked) but from where I sit it seems that
>>>>> those exposed should consider:
>>>>>
>>>>>    cd /usr/ports
>>>>>    svnlite co https://svn.FreeBSD.org/ports/head /usr/ports   # 'svn' if devel/subversion is installed
>>>>>    make index
>>>>>    rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>>>>
>>>>> I'd also be interested in hearing from hardenedbsd users regarding the
>>>>> pros and cons of cutting over to that distribution.
>>>>>
>>>>> Roger
>>>>>
>>>>>
>>>>>
>>>>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>>>>> not sure if you've been contacted privately, but  I believe the
>>>>>>> answer is
>>>>>>> "we're working on it"
>>>>>>>
>>>>>> My concerns are as follows:
>>>>>>
>>>>>> 1. This is already out there, and FreeBSD users haven't been
>>>>>> alerted that
>>>>>> they should avoid running freebsd-update/portsnap until the
>>>>>> problems are
>>>>>> fixed.
>>>>>>
>>>>>> 2. There was no mention in the bspatch advisory that running
>>>>>> freebsd-update to "fix" bspatch would expose systems to MITM
>>>>>> attackers who
>>>>>> are apparently already in operation.
>>>>>>
>>>>>> 3. Strangely, the "fix" in the advisory is incomplete and still
>>>>>> permits
>>>>>> heap corruption, even though a more complete fix is available. That's
>>>>>> what prompted my post. If FreeBSD learned of the problem from the same
>>>>>> source document we all did, which seems likely given the coincidental
>>>>>> timing of an advisory for a little-known utility a week or two
>>>>>> after that
>>>>>> source document appeared, then surely FreeBSD had the complete fix
>>>>>> available.
>>>>>>
>>>>>> _______________________________________________
>>>>>    freebsd-ports at freebsd.org mailing list
>>>>>    https://lists.freebsd.org/mailman/listinfo/freebsd-ports
>>>>> To unsubscribe, send any mail to "
>>>>> freebsd-ports-unsubscribe at freebsd.org "
>>>>>
>>>> _______________________________________________
>>>> freebsd-security at freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>>>> To unsubscribe, send any mail to "
>>>> freebsd-security-unsubscribe at freebsd.org "
>>> Best regards,
>>> Mail Lists
>>> mlists at mail.ru
>>>
>>
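The complaint in the thread that the advisory's bspatch fix "still permits heap corruption" comes down to how a patch's control blocks are bounds-checked before they size a copy. The following is an added example (mine, not FreeBSD's, HardenedBSD's or the advisory's patch) that decodes bsdiff control blocks in the sign-magnitude format bspatch reads with offtin() and validates each block before any memcpy could be derived from it. `ctrl_block_is_safe`, `struct cursors` and the three demo functions are hypothetical names; the rule that the old-file cursor must stay inside [0, oldsize] is my own assumption, stricter than bspatch's per-byte clamping of out-of-range reads, chosen because a bsdiff-produced patch keeps that cursor in range anyway.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * A bsdiff patch is a sequence of control blocks, each three 8-byte signed
 * integers: bytes to produce by adding "diff" bytes to old-file bytes,
 * bytes copied verbatim from the "extra" stream, and a signed seek applied
 * to the old-file cursor afterwards. Encoding is little-endian
 * sign-magnitude: bit 7 of byte 7 is the sign, the other 63 bits the
 * magnitude, so |value| <= INT64_MAX and negation never overflows.
 */
static int64_t offtin(const unsigned char *buf)
{
    uint64_t y = buf[7] & 0x7F;
    for (int i = 6; i >= 0; i--)
        y = (y << 8) | buf[i];
    return (buf[7] & 0x80) ? -(int64_t)y : (int64_t)y;
}

/* Encoder for the same format; used here only to construct test blocks. */
static void offtout(int64_t x, unsigned char *buf)
{
    uint64_t y = (uint64_t)x;
    if (x < 0) y = (uint64_t)0 - y;
    for (int i = 0; i < 8; i++) { buf[i] = (unsigned char)(y & 0xFF); y >>= 8; }
    if (x < 0) buf[7] |= 0x80;
}

/* Cursor state carried across blocks; kept within [0, size] at all times. */
struct cursors { int64_t oldpos, newpos; };

/*
 * Hypothetical validator (not bspatch's own logic). Returns true and
 * advances *c only if the whole block stays inside both buffers; on
 * failure *c is left untouched. Every bound is tested by subtracting on
 * the side already known to be in range, so no addition can wrap.
 */
bool ctrl_block_is_safe(const unsigned char raw[24],
                        int64_t oldsize, int64_t newsize, struct cursors *c)
{
    int64_t diff_len = offtin(raw), extra_len = offtin(raw + 8);
    int64_t old_adj = offtin(raw + 16);
    int64_t oldpos = c->oldpos, newpos = c->newpos;

    if (oldsize < 0 || newsize < 0) return false;
    if (oldpos < 0 || oldpos > oldsize || newpos < 0 || newpos > newsize)
        return false;
    /* A negative length passes an upper-bound-only "newpos + len > newsize"
     * test and then turns into a huge size_t at the memcpy; reject it. */
    if (diff_len < 0 || extra_len < 0) return false;

    if (diff_len > newsize - newpos) return false;   /* diff output fits */
    if (diff_len > oldsize - oldpos) return false;   /* old bytes it reads fit */
    newpos += diff_len; oldpos += diff_len;

    if (extra_len > newsize - newpos) return false;  /* extra output fits */
    newpos += extra_len;

    /* Seek in the old file must land back inside [0, oldsize]. */
    if (old_adj < 0 ? -old_adj > oldpos : old_adj > oldsize - oldpos)
        return false;
    oldpos += old_adj;

    c->oldpos = oldpos; c->newpos = newpos;
    return true;
}

/* Constructed block: 5 diff bytes, 3 extra bytes, seek back 2. Expect
 * acceptance with newpos 8 and oldpos 3 (old 10 bytes, new 8 bytes). */
bool well_formed_block_demo(void)
{
    unsigned char raw[24];
    offtout(5, raw); offtout(3, raw + 8); offtout(-2, raw + 16);
    struct cursors c = {0, 0};
    return ctrl_block_is_safe(raw, 10, 8, &c) && c.newpos == 8 && c.oldpos == 3;
}

/* Constructed block with a negative diff length: an upper-bound-only check
 * accepts it, the validator does not. True when that gap is observed. */
bool negative_length_demo(void)
{
    unsigned char raw[24];
    offtout(-16, raw); offtout(0, raw + 8); offtout(0, raw + 16);
    int64_t newsize = 64, newpos = 0;
    bool upper_bound_only_accepts = !(newpos + offtin(raw) > newsize);
    struct cursors c = {0, 0};
    return upper_bound_only_accepts && !ctrl_block_is_safe(raw, 64, newsize, &c)
           && c.newpos == 0;
}

/* Constructed block whose extra length overruns the new buffer by one byte. */
bool oversized_extra_demo(void)
{
    unsigned char raw[24];
    offtout(5, raw); offtout(4, raw + 8); offtout(0, raw + 16);
    struct cursors c = {0, 0};
    return !ctrl_block_is_safe(raw, 10, 8, &c) && c.newpos == 0 && c.oldpos == 0;
}

int main(void)
{
    printf("well-formed accepted: %d\n", well_formed_block_demo());
    printf("negative length rejected: %d\n", negative_length_demo());
    printf("oversized extra rejected: %d\n", oversized_extra_demo());
    return 0;
}
```

The point of the subtraction form is that `newsize - newpos` is always a valid non-negative value once both cursors are known to lie in range, whereas `newpos + len` can wrap for a large positive `len` and silently pass the comparison; the sign check covers the other half of the problem, where a negative `len` passes the comparison and is then converted to an unsigned size.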


