freebsd-update and portsnap users still at risk of compromise

Martin Schroeder mschroeder at
Sun Jul 31 21:29:39 UTC 2016

On 2016-07-29 09:00, Julian Elischer wrote:
> not sure if you've been contacted privately, but I believe the answer is
> "we're working on it"

My concerns are as follows:

1. This is already out there, and FreeBSD users haven't been alerted that
they should avoid running freebsd-update/portsnap until the problems are

2. There was no mention in the bspatch advisory that running
freebsd-update to "fix" bspatch would expose systems to MITM attackers who
are apparently already in operation.

3. Strangely, the "fix" in the advisory is incomplete and still permits
heap corruption, even though a more complete fix is available. That's
what prompted my post. If FreeBSD learned of the problem from the same
source document we all did, which seems likely given the coincidental
timing of an advisory for a little-known utility a week or two after the
source document appeared, then surely FreeBSD had the complete fix

