Re: /etc/periodic/weekly/320.whatis: /usr/libexec/makewhatis.local: not found

2016-02-17 Thread Bryan Drewery 
On 2/15/2016 8:12 AM, Eric van Gyzen wrote:
> I just set up a workstation running head.  The weekly 320.whatis script always
> reports:
> 
>   /usr/libexec/makewhatis.local: not found
> 
> Indeed, it doesn't exist.  Does the 320.whatis script need to be updated for
> r283777?
> 

makewhatis.local is an optimization wrapper. Rather than blow it away I
will move it out of usr.bin/makewhatis (to avoid accidentally removing
it later and a more proper place) and fix the installation of it.

-- 
Regards,
Bryan Drewery



signature.asc
Description: OpenPGP digital signature

Re: Open Sound System - OSS "soundon" command causes KERNEL PANIC FreeBSD-11

2016-02-17 Thread Joe Nosay 
The Creative Labs Xfi cards use OSS as the driver. Other cards based on the
same chipset would also be dependent upon OSS.

On Sun, Feb 14, 2016 at 9:33 PM, Greg Quinlan  wrote:

> Thanks.
>
> I am not going to use OSS anymore...
>
> I am going to stick to stick with a custom kernel
>
> device sounddevice snd_hda From: Hans Petter Selasky 
>  To: Greg Quinlan ; "freebsd-current@freebsd.org" <
> freebsd-current@freebsd.org>
>  Sent: Saturday, 13 February 2016, 18:55
>  Subject: Re: Open Sound System - OSS "soundon" command causes KERNEL
> PANIC FreeBSD-11
>
> On 02/12/16 01:04, Greg Quinlan wrote:
> > Spoke too soon...
> >
> > I applied the patch (kern_module.diff - which was successful)
> >
> > # cd /usr/src# patch  to me...
> > The text leading up to this was:
> > --
> > |Index: sys/kern/kern_module.c
> > |===
> > |--- sys/kern/kern_module.c(revision 295464)
> > |+++ sys/kern/kern_module.c(working copy)
> > --
> > Patching file sys/kern/kern_module.c using Plan A...
> > Hunk #1 succeeded at 214.
> > done
> > # make buildkernel:
> > # make installkernel:
> > # shutdown -r now
> > Logged in and ran# soundon
> > No panic!!
> >
> > Thought the problem was fixed ... unfortunately, I assumed that the
> contents of /usr/local/lib/oss/etc/installed_drivers still contained
> >  oss_hdaudio #Intel High Definition Audio (CPT)
> > but somehow the file was empty
> > I ran
> >  # ossdetect# soundon
> >
> > Another KERNEL PANIC...  this time it scrolled off the screen. I tried
> setting this (below) in /etc/rc.conf but there is nothing in /var/crash
> >
> > [entries in /etc/rc.conf]
> >  dumpdev="AUTO"
> >  dumpdir="/var/crash"
> > I need help to recover the backtrace, please?
> >
> > Thanks
> >
> >From: Greg Quinlan 
> > To: Hans Petter Selasky ; "freebsd-current@freebsd.org"
> 
> >  Sent: Thursday, 11 February 2016, 22:19
> >  Subject: Re: Open Sound System - OSS "soundon" command causes KERNEL
> PANIC FreeBSD-11
> >
> > Well done!!
> > Fixed. Thanks!
> >
> >
> >
> >From: Hans Petter Selasky 
> >  To: Greg Quinlan ; "freebsd-current@freebsd.org" <
> freebsd-current@freebsd.org>
> >  Sent: Thursday, 11 February 2016, 17:54
> >  Subject: Re: Open Sound System - OSS "soundon" command causes KERNEL
> PANIC FreeBSD-11
> >
> > On 02/11/16 03:02, Greg Quinlan wrote:
> >> Hi HPS,
> >> Note: Does not happen on FreeBSD 10.1-Stable!
> >>
> >
> > Yes, that's because WITNESS is off in 10.x by default.
> >
> > Does the attached patch solve your problem?
> >
> > --HPS
>
> Hi,
>
> It might be that audio/oss is not compatible with 11-current if it
> crashes like that.
>
> --HPS
>
> ___
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
>
>
>
> ___
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Kubilay Kocak 
On 18/02/2016 4:23 AM, Warren Block wrote:
> On Thu, 18 Feb 2016, Kubilay Kocak wrote:
> 
>> On 18/02/2016 3:51 AM, Warren Block wrote:
>>> On Wed, 17 Feb 2016, Eric van Gyzen wrote:
>>>
 On 02/17/2016 08:19, Warren Block wrote:
> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>
>> A short note on the www.freebsd.org website would probably be
>> helpful,
>> as this case will produce a lot of noise.
>
> Maybe a short article like we did for leap seconds?
> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>
>
>

 Articles are permanent, which makes sense for the recurring issue of
 leap seconds.  This vulnerability is transient, so I would suggest a
 news item.
>>>
>>> Yes, but news items are usually just links.  For the amount of
>>> information we have so far, an article seems like the easiest way to do
>>> this.  Or maybe an addition to the security part of the web site?
>>>
>>> For now, I'll collect the information as just text.
>>
>> Don't we also want our sec teams to investigate/confirm it anyway,
>> independent of how it's communicated?
> 
> Absolutely.
> 
>> If so, doesn't a security advisory (with secteam and/or ports-secteam as
>> appropriate) make the most sense here, given the scope of vulnerability
>> for base/linux emulation/ports is yet to be completely established and
>> is still to be investigated properly?
> 
> Have there been security advisories for unconfirmed or
> not-actually-a-problem events before?  My impression was that they have
> only been announced when a problem exists and action needs to be taken.

This "No SA, no problem" pattern is reasonable for default case, and the
vast majority of issues. This glibc issue, like heartbleed and others
may be sufficiently high-profile to warrant special treatment, even if
not in "SA" form.

> However, a real problem *does* exist for Linux VMs and applications on
> FreeBSD, so it could be addressed that way.  A "we are investigating"
> advisory right now could do some good, if the protocols allow it.
> 
>> Finally, would users expect a news item, an article or a heads up from
>> our security teams for something like this, even in the case where it's
>> only a "confirmed we're not affected" ?
> 
> A news item linking to a "it's not us!" advisory would be no problem.
> People have to go looking for that.
> 
> Those who are subscribed to the security mailing list will receive those
> notices directly, and because those are expected to be problems that
> need to be addressed immediately, it might cause some initial
> palpitations as if it were an actual problem with FreeBSD.

Yup, and let me make clear an out-there-in-the-world distinction between
'an advisory by freebsd security people ' and a FreeBSD "SA" the
implementation format.

./koobs
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Warren Block 

On Thu, 18 Feb 2016, Kubilay Kocak wrote:


On 18/02/2016 3:51 AM, Warren Block wrote:

On Wed, 17 Feb 2016, Eric van Gyzen wrote:


On 02/17/2016 08:19, Warren Block wrote:

On Wed, 17 Feb 2016, Kurt Jaeger wrote:


A short note on the www.freebsd.org website would probably be helpful,
as this case will produce a lot of noise.


Maybe a short article like we did for leap seconds?
https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html




Articles are permanent, which makes sense for the recurring issue of
leap seconds.  This vulnerability is transient, so I would suggest a
news item.


Yes, but news items are usually just links.  For the amount of
information we have so far, an article seems like the easiest way to do
this.  Or maybe an addition to the security part of the web site?

For now, I'll collect the information as just text.


Don't we also want our sec teams to investigate/confirm it anyway,
independent of how it's communicated?


Absolutely.


If so, doesn't a security advisory (with secteam and/or ports-secteam as
appropriate) make the most sense here, given the scope of vulnerability
for base/linux emulation/ports is yet to be completely established and
is still to be investigated properly?


Have there been security advisories for unconfirmed or 
not-actually-a-problem events before?  My impression was that they have 
only been announced when a problem exists and action needs to be taken.


However, a real problem *does* exist for Linux VMs and applications on 
FreeBSD, so it could be addressed that way.  A "we are investigating" 
advisory right now could do some good, if the protocols allow it.



Finally, would users expect a news item, an article or a heads up from
our security teams for something like this, even in the case where it's
only a "confirmed we're not affected" ?


A news item linking to a "it's not us!" advisory would be no problem. 
People have to go looking for that.


Those who are subscribed to the security mailing list will receive those 
notices directly, and because those are expected to be problems that 
need to be addressed immediately, it might cause some initial 
palpitations as if it were an actual problem with FreeBSD.

___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Kubilay Kocak 
On 18/02/2016 3:51 AM, Warren Block wrote:
> On Wed, 17 Feb 2016, Eric van Gyzen wrote:
> 
>> On 02/17/2016 08:19, Warren Block wrote:
>>> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>>>
 A short note on the www.freebsd.org website would probably be helpful,
 as this case will produce a lot of noise.
>>>
>>> Maybe a short article like we did for leap seconds?
>>> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>>>
>>>
>>
>> Articles are permanent, which makes sense for the recurring issue of
>> leap seconds.  This vulnerability is transient, so I would suggest a
>> news item.
> 
> Yes, but news items are usually just links.  For the amount of
> information we have so far, an article seems like the easiest way to do
> this.  Or maybe an addition to the security part of the web site?
> 
> For now, I'll collect the information as just text.

Don't we also want our sec teams to investigate/confirm it anyway,
independent of how it's communicated?

If so, doesn't a security advisory (with secteam and/or ports-secteam as
appropriate) make the most sense here, given the scope of vulnerability
for base/linux emulation/ports is yet to be completely established and
is still to be investigated properly?

Finally, would users expect a news item, an article or a heads up from
our security teams for something like this, even in the case where it's
only a "confirmed we're not affected" ?

./koobs
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Warren Block 

On Wed, 17 Feb 2016, Eric van Gyzen wrote:


On 02/17/2016 08:19, Warren Block wrote:

On Wed, 17 Feb 2016, Kurt Jaeger wrote:


A short note on the www.freebsd.org website would probably be helpful,
as this case will produce a lot of noise.


Maybe a short article like we did for leap seconds?
https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html



Articles are permanent, which makes sense for the recurring issue of
leap seconds.  This vulnerability is transient, so I would suggest a
news item.


Yes, but news items are usually just links.  For the amount of 
information we have so far, an article seems like the easiest way to do 
this.  Or maybe an addition to the security part of the web site?


For now, I'll collect the information as just text.
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Eric van Gyzen 
On 02/17/2016 08:19, Warren Block wrote:
> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>
>> A short note on the www.freebsd.org website would probably be helpful,
>> as this case will produce a lot of noise.
>
> Maybe a short article like we did for leap seconds?
> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>

Articles are permanent, which makes sense for the recurring issue of
leap seconds.  This vulnerability is transient, so I would suggest a
news item.

Eric
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Chagin Dmitry 
On Wed, Feb 17, 2016 at 07:19:07AM -0700, Warren Block wrote:
> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
> 
> > Hi!
> >
> >> The project that's vulnerable is called "glibc", not "libc". The BSDs
> >> don't use glibc, so the phrase "nothing to see here" applies. glibc
> >> isn't even available in FreeBSD's ports tree.
> >>
> >> TL;DR: FreeBSD is not affected by CVE-2015-7547.
> 
> What about software that uses emulators/linux_base?
> 
see PR/207272

> > A short note on the www.freebsd.org website would probably be helpful,
> > as this case will produce a lot of noise.
> 
> Maybe a short article like we did for leap seconds?
> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
> 
> I can help with that.
> ___
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Daniel Kalchev 

> On 17.02.2016 г., at 15:40, Shawn Webb  wrote:
> 
> TL;DR: FreeBSD is not affected by CVE-2015-7547.


Unless you use Linux applications under emulation.

Daniel


signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Kurt Jaeger 
Hi!

> >> TL;DR: FreeBSD is not affected by CVE-2015-7547.
> 
> What about software that uses emulators/linux_base?
> 
> > A short note on the www.freebsd.org website would probably be helpful,
> > as this case will produce a lot of noise.
> 
> Maybe a short article like we did for leap seconds?
> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
> 
> I can help with that.

Just write the piece, there's no-one else doin' it 8-}

-- 
p...@opsec.eu+49 171 3101372 4 years to go !
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Warren Block 

On Wed, 17 Feb 2016, Kurt Jaeger wrote:


Hi!


The project that's vulnerable is called "glibc", not "libc". The BSDs
don't use glibc, so the phrase "nothing to see here" applies. glibc
isn't even available in FreeBSD's ports tree.

TL;DR: FreeBSD is not affected by CVE-2015-7547.


What about software that uses emulators/linux_base?


A short note on the www.freebsd.org website would probably be helpful,
as this case will produce a lot of noise.


Maybe a short article like we did for leap seconds?
https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html

I can help with that.
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Shawn Webb 
On Wed, Feb 17, 2016 at 04:07:25PM +0200, Daniel Kalchev wrote:
> 
> > On 17.02.2016 ??., at 15:40, Shawn Webb  wrote:
> > 
> > TL;DR: FreeBSD is not affected by CVE-2015-7547.
> 
> 
> Unless you use Linux applications under emulation.

True. I didn't think of that since I don't use the linuxulator and am
not a big fan of it. Good catch.

-- 
Shawn Webb
HardenedBSD

GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE


signature.asc
Description: PGP signature

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Kurt Jaeger 
Hi!

> The project that's vulnerable is called "glibc", not "libc". The BSDs
> don't use glibc, so the phrase "nothing to see here" applies. glibc
> isn't even available in FreeBSD's ports tree.
> 
> TL;DR: FreeBSD is not affected by CVE-2015-7547.

A short note on the www.freebsd.org website would probably be helpful,
as this case will produce a lot of noise.

-- 
p...@opsec.eu+49 171 3101372 4 years to go !
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Tommi Pernila 
Hi,

as Shawn types faster then me...

the libc issue has been found from glibc which is not used in the BSD
family.
This is the affected libc
https://en.wikipedia.org/wiki/GNU_C_Library

What FreeBSD uses:
https://en.wikipedia.org/wiki/BSD_libc

-Tommi


On Wed, Feb 17, 2016 at 3:24 PM, O. Hartmann 
wrote:

> It is around now in the media also for non-OS developers: CVE-2015-7547
> describes a bug in libc which is supposed to affects all Linux versions.
>
> big price question: is FreeBSD > 9.3 also affected?
>
> Some reporters tell us that Linux/UNIX is affected, so sometimes this
> terminus
> is used to prevent the "Linux-nailed" view, but sometimes it also referes
> to
> everything else those people can not imagine but consider them Linux-like.
> So
> I'm a bit puzzled, since there is no report about *BSD is affected, too.
>
> Thanks in advance for shedding light onto CVE-2015-7547.
>
> Regards,
>
> oh
> ___
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
>
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CVE-2015-7547: critical bug in libc

2016-02-17 Thread Shawn Webb 
On Wed, Feb 17, 2016 at 02:24:10PM +0100, O. Hartmann wrote:
> It is around now in the media also for non-OS developers: CVE-2015-7547
> describes a bug in libc which is supposed to affects all Linux versions.
> 
> big price question: is FreeBSD > 9.3 also affected?
> 
> Some reporters tell us that Linux/UNIX is affected, so sometimes this terminus
> is used to prevent the "Linux-nailed" view, but sometimes it also referes to
> everything else those people can not imagine but consider them Linux-like. So
> I'm a bit puzzled, since there is no report about *BSD is affected, too.
> 
> Thanks in advance for shedding light onto CVE-2015-7547.

The project that's vulnerable is called "glibc", not "libc". The BSDs
don't use glibc, so the phrase "nothing to see here" applies. glibc
isn't even available in FreeBSD's ports tree.

TL;DR: FreeBSD is not affected by CVE-2015-7547.

Thanks,

-- 
Shawn Webb
HardenedBSD

GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE


signature.asc
Description: PGP signature

CVE-2015-7547: critical bug in libc

2016-02-17 Thread O. Hartmann 
It is around now in the media also for non-OS developers: CVE-2015-7547
describes a bug in libc which is supposed to affects all Linux versions.

big price question: is FreeBSD > 9.3 also affected?

Some reporters tell us that Linux/UNIX is affected, so sometimes this terminus
is used to prevent the "Linux-nailed" view, but sometimes it also referes to
everything else those people can not imagine but consider them Linux-like. So
I'm a bit puzzled, since there is no report about *BSD is affected, too.

Thanks in advance for shedding light onto CVE-2015-7547.

Regards,

oh
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"