Re: LogJam exploit can force TLS down to 512 bytes, does it affect us?

2015-05-21 Thread Winfried Neessen
Hi,

> The document at https://weakdh.org/sysadmin.html gives additional
> information for individual daemons, including Apache (mod_ssl), nginx,
> lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy.
> 

Unfortunately the documentation only offers guidance for Apache 2.4.
As Apache 2.2 does not support the "SSLOpenSSLConfCmd" config parameter,
I've created a "rather ugly but seems to work" workaround for Apache 2.2,
which switches the pre-shipped default 512/1024-bit DH parameters to a
set of self-generated 2048/3072-bit DH params. There is also a quick and
dirty (even more ugly) patch for the /usr/ports/www/apache22 Makefile
that automagically applies the workaround. It can be found here:
http://nop.li/dy


Winni
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
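As an added example (not Winfried's workaround, the ports patch, or anything hosted at http://nop.li/dy), here is a Python check an administrator can run over the self-generated dhparam file before wiring it into Apache 2.2, and over the bundled 512/1024-bit defaults it replaces, to confirm the group size of each. It parses the PKCS#3 "DH PARAMETERS" PEM structure directly (a DER SEQUENCE of the prime and the generator as INTEGERs), so it needs nothing beyond the standard library. The two sample parameter files are constructed inline from odd numbers of the right bit length, not real safe primes, purely to exercise the parser; a real replacement file comes from `openssl dhparam -out dh2048.pem 2048`.

```python
import base64
import re

MIN_DH_BITS = 2048  # weakdh.org's recommended minimum for a TLS DH group


def _der_len(b, i):
    """Decode a DER length at offset i; return (length, offset after it)."""
    first = b[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(b[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_int(b, i):
    """Decode a DER INTEGER at offset i; return (value, offset after it)."""
    if b[i] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % i)
    length, i = _der_len(b, i + 1)
    return int.from_bytes(b[i:i + length], "big", signed=True), i + length


def parse_dh_params(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block (PKCS#3 DHParameter)."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_len(der, 1)   # step over the SEQUENCE length
    p, i = _der_int(der, i)   # prime modulus
    g, _ = _der_int(der, i)   # generator
    return p, g


def dh_bits(pem):
    """Bit length of the DH prime, i.e. the group size weakdh.org talks about."""
    p, _ = parse_dh_params(pem)
    return p.bit_length()


def audit(pem, minimum=MIN_DH_BITS):
    """One-line verdict suitable for a deploy check or a cron job."""
    bits = dh_bits(pem)
    verdict = "OK" if bits >= minimum else "WEAK"
    return "%s: %d-bit DH group (minimum %d)" % (verdict, bits, minimum)


# --- constructed sample inputs -------------------------------------------
# The encoder below exists only to build demo files inline; the "primes" are
# just odd numbers of the target bit length, NOT real safe primes.
def _der_encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_encode_int(v):
    # +8 bits guarantees a leading 0x00 when the top bit is set (DER positive)
    raw = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_encode_len(len(raw)) + raw


def make_dh_pem(p, g=2):
    body = _der_encode_int(p) + _der_encode_int(g)
    der = b"\x30" + _der_encode_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


WEAK_PEM = make_dh_pem((1 << 511) | 1)     # stands in for a shipped 512-bit default
STRONG_PEM = make_dh_pem((1 << 2047) | 1)  # stands in for a generated 2048-bit file

if __name__ == "__main__":
    for label, pem in (("bundled default", WEAK_PEM), ("replacement", STRONG_PEM)):
        print(label, "->", audit(pem))
```

Point `parse_dh_params` at the contents of a real dhparam file (or at the certificate file, where Apache 2.2 reads DH parameters appended after the certificate) to get the same verdict on production material.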


Re: LogJam exploit can force TLS down to 512 bytes, does it affect us?

2015-05-21 Thread Matthew Seaman
On 05/20/15 23:48, Xin Li wrote:
> The document at https://weakdh.org/sysadmin.html gives additional
> information for individual daemons, including Apache (mod_ssl), nginx,
> lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy.

The part of that https://weakdh.org/ site that concerns me most is the
statement about 25.7% of SSH servers being vulnerable if the 1024-bit D-H
group is broken.  We've got pretty good instructions for hardening
anything that uses TLS against this attack, but not a lot on SSH.  About
the only relevant thing I've found is:

  http://blog.mro.name/2015/05/hardening-ssh-debian-wheezy/

which inter alia suggests upgrading to OpenSSH-6.6 -- which has been in
FreeBSD-10 since March --, modifying some config parameters:
KexAlgorithms, Ciphers, MACs and then regenerating ed25519 and rsa host
keys.  Err... what? How are ed25519 and rsa host keys affected by a
downgrade attack on Diffie-Hellman?

Cheers,

Matthew
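As an added example, not from the thread or from the blog post linked above: the SSH-side counterpart of the TLS dhparam fix is to stop sshd offering small groups for the diffie-hellman-group-exchange-* key exchange, which it draws from /etc/ssh/moduli. The Python below parses that file's layout (moduli(5): time, type, tests, trials, size, generator, modulus) and keeps only groups of at least 2048 bits. The sample lines are constructed, with placeholder hex in the modulus column, and `rewrite_moduli` is a helper name chosen here, not an OpenSSH tool.

```python
from typing import Iterable, List, Tuple

# OpenSSH records a 2048-bit group with size 2047 (the field is the bit
# length of the modulus minus one), so this is the cut-off for ">= 2048 bits".
MIN_SIZE = 2047


def parse_moduli(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (size, original_line) for each data line in moduli(5) layout.

    Layout: time type tests trials size generator modulus. Comment and
    blank lines are skipped; anything else with the wrong field count is
    rejected rather than silently passed through.
    """
    entries = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) != 7:
            raise ValueError("malformed moduli line: %r" % line)
        entries.append((int(fields[4]), line))
    return entries


def filter_moduli(lines: Iterable[str], min_size: int = MIN_SIZE) -> List[str]:
    """Keep only the lines whose group is at least min_size+1 bits."""
    return [line for size, line in parse_moduli(lines) if size >= min_size]


def weak_group_sizes(lines: Iterable[str], min_size: int = MIN_SIZE) -> List[int]:
    """Distinct sizes below the cut-off: what sshd could still offer today."""
    return sorted({size for size, _ in parse_moduli(lines) if size < min_size})


def rewrite_moduli(src_path: str, dst_path: str, min_size: int = MIN_SIZE) -> int:
    """Write the filtered file to dst_path; returns the number of groups kept.

    Writes to a separate path so the live file can be swapped in afterwards,
    and refuses to produce an empty file, which is almost certainly a mistake.
    """
    with open(src_path) as f:
        kept = filter_moduli(f.read().splitlines(keepends=True), min_size)
    if not kept:
        raise ValueError("no groups of %d+ bits; refusing to write %s"
                         % (min_size + 1, dst_path))
    with open(dst_path, "w") as f:
        f.writelines(kept)
    return len(kept)


# Constructed sample in moduli(5) layout. The modulus column is a short
# placeholder hex string here; real entries are hundreds of hex digits.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20150521083000 2 6 100 1023 2 D7A30CF1
20150521083001 2 6 100 1535 2 9E1B44C0
20150521083002 2 6 100 2047 2 A1F3E5B7
20150521083003 2 6 100 3071 5 C0FFEE11
20150521083004 2 6 100 4095 2 0BADF00D
""".splitlines(keepends=True)

if __name__ == "__main__":
    print("weak group sizes present:", weak_group_sizes(SAMPLE_MODULI))
    print("groups kept:", len(filter_moduli(SAMPLE_MODULI)))
```

The `size >= 2047` filter is the same cut as the `awk '$5 > 2000'` one-liner on the weakdh.org sysadmin page; the parser version additionally refuses malformed lines and reports which small sizes were present, which is useful evidence when deciding whether a host needed the change at all.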







Re: Webcam not working

2015-05-21 Thread Kubilay Kocak
On 21/05/2015 2:45 AM, sergio de Almeida Lenzi wrote:
> For me the solution is in the PR
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194345
> 
> an explanation is there and a patch that solved for me...
> 
>

Thanks for prodding Sergio.

I have moved the issue from In Progress (incorrect) to Open and
(re)triaged it correctly so that committers can find it easily.

--
Regards,

Koobs


Re: www/chromium : make[1]: stopped in /usr/ports/www/chromium

2015-05-21 Thread Avinash Sonawane
On Tue, May 19, 2015 at 8:01 PM, Avinash Sonawane  wrote:
> Hello!
>
> # uname -a
> FreeBSD titanic.rootkea.me 10.1-RELEASE FreeBSD 10.1-RELEASE #0
> r274401: Tue Nov 11 21:02:49 UTC 2014
> r...@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
>
> When I tried to build www/chromium the compilation failed abruptly.
> Here is the complete log http://pastebin.com/6wuBFuWv

Is anybody using FreeBSD 10.1-RELEASE able to build www/chromium on
his/her end? I'm still getting the same error.

-- 
Avinash Sonawane (RootKea)
PICT, Pune
http://rootkea.wordpress.com


Re: www/firefox : Script "configure" failed unexpectedly

2015-05-21 Thread Avinash Sonawane
On Tue, May 19, 2015 at 7:57 PM, Avinash Sonawane  wrote:
> Hello!
>
> # uname -a
> FreeBSD titanic.rootkea.me 10.1-RELEASE FreeBSD 10.1-RELEASE #0
> r274401: Tue Nov 11 21:02:49 UTC 2014
> r...@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
>
> When I tried to build www/firefox the compilation failed abruptly.
> Here is the complete log http://pastebin.com/TYM0NHrT

Is anybody using FreeBSD 10.1-RELEASE able to build www/firefox on
his/her end? I'm still getting the same error.

-- 
Avinash Sonawane (RootKea)
PICT, Pune
http://rootkea.wordpress.com


Re: USE_GITHUB and submodules

2015-05-21 Thread Jonathan Anderson
Ok, I've updated the port and it passes portlint (with one warning that
I can't seem to fix without introducing more warnings). Is the next step
to create a Phabricator review request via arcanist? If so, do I list
the folks who replied to this thread as reviewers? :) I suppose I would
also list people who I find with 'svn blame'?

Cheers,


Jon
> Jonathan Anderson 
> May 20, 2015 at 11:00 AM
> Thanks everybody for the input! With a security hat on, I definitely
> concur with the policy of no fetching outside of fetch and of
> requiring reproducibility/verifiability (e.g., commit hashes). With my
> getting-this-darn-port-updated hat, however... :)
>
> I think that I'll try to go with Shane's solution, if others concur
> that it's a good idea. I don't want to create a rust-llvm port, since
> Rust's customized version of LLVM isn't much good outside of Rust, it
> doesn't expose any external libraries and it's intended to eventually
> go away. So, until GitHub implements the "give me a tarball with all
> of the submodules" feature, I might try hacking up MASTER_SITES as
> Shane suggests.
>
> Cheers,
>
>
> Jon
>
> Shane Ambler 
> May 19, 2015 at 10:16 PM
> On 20/05/2015 04:14, Jonathan Anderson wrote:
>> Hi all,
>>
>> Is there a mechanism for using the USE_GITHUB variable in a port that
>> depends on submodules? For instance, the Rust port requires an embedded
>> (and modified) version of LLVM, which it includes as a submodule. Right
>> now I'm attempting to add the following to a `post-extract` rule:
>
> While you can set up multiple files to be downloaded for a port, this
> doesn't work with USE_GITHUB, see my 3 year old report -
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=172964
>
> This isn't an official port, but the workaround I came up with was to
> set up multiple files by setting MASTER_SITES using --
>
> MASTER_SITES= https://github.com/sambler/myblender/tarball/:base \
> https://github.com/sambler/myblendertranslations/tarball/:trans \
> https://github.com/sambler/myblenderaddons/tarball/:addons \
> https://github.com/sambler/myblendercontrib/tarball/:contrib
> DISTFILES= sambler-${PORTVERSION}.${PORTREVISION}:base \
> translate-${PORTVERSION}.${PORTREVISION}:trans \
> addons-${PORTVERSION}.${PORTREVISION}:addons \
> contrib-${PORTVERSION}.${PORTREVISION}:contrib
> DIST_SUBDIR= ${PORTNAME}
>
> The DISTFILES names are set up to match my tag format.
>
> This gives you multiple archives for the port; each will be extracted
> into the work dir. I then use post-extract to move them into place
> within the main source tree and don't depend on git for the port --
>
> post-extract:
> 	# translations
> 	@${MV} ${WRKDIR}/sambler-myblendertranslations-*/* \
> 		${WRKSRC}/release/datafiles/locale/
> 	# addons
> 	@${MV} ${WRKDIR}/sambler-myblenderaddons-*/* \
> 		${WRKSRC}/release/scripts/addons/
> 	# contrib
> 	@${MV} ${WRKDIR}/sambler-myblendercontrib-*/* \
> 		${WRKSRC}/release/scripts/addons_contrib/
>
>
>> post-extract:
>>  cd ${WRKSRC} && \
>>  git init && \
>>  git remote add origin https://github.com/${GH_ACCOUNT}/${PORTNAME} && \
>>  git fetch && \
>>  git reset --hard ${PORTVERSION} && \
>>  git submodule init && \
>>  git submodule update --recursive
>>
>> But this seems quite hackish! It would be great if submodules Just
>> Worked... but alternatively, is there a USE_GITHUB_URL or somesuch that
>> would check things out via Git instead of tarball to save me the `git
>> init` through `git reset` steps?
>>
>> Cheers,
>>
>>
>> Jon
>> -- 
>> jonat...@freebsd.org


Re: LogJam exploit can force TLS down to 512 bytes, does it affect us?

2015-05-21 Thread Mark Felder


On Wed, May 20, 2015, at 17:48, Xin Li wrote:
> 
> Well, currently OpenSSL does accept weak DH so _arguably_ it does affect
> FreeBSD, and it's likely to break existing applications if we enforce
> such restrictions (namely, Java 6).
> 

AFAIK, Java doesn't support >1024 DH key until Java 8.


Re: LogJam exploit can force TLS down to 512 bytes, does it affect us?

2015-05-21 Thread Royce Williams
On Thu, May 21, 2015 at 6:21 AM, Mark Felder  wrote:

>
>
> On Wed, May 20, 2015, at 17:48, Xin Li wrote:
> >
> > Well, currently OpenSSL does accept weak DH so _arguably_ it does affect
> > FreeBSD, and it's likely to break existing applications if we enforce
> > such restrictions (namely, Java 6).
> >
>
> AFAIK, Java doesn't support >1024 DH key until Java 8.


According to the simulated handshakes in the Qualys SSL Labs test results,
Java 7 is OK with DH at 2048.

Royce


Re: www/chromium : make[1]: stopped in /usr/ports/www/chromium

2015-05-21 Thread Christoph Moench-Tegeder
## Avinash Sonawane (root...@gmail.com):

> Is anybody using FreeBSD 10.1-RELEASE able to build www/chromium on
> his/her end? I'm still getting the same error.

Yes. Both chromium and firefox compile and work just fine here.
As both fail in roughly the same way, I still suspect your python
installation: did you reinstall lang/python27 with default OPTIONs?
There are lines like "[22983 refs]" in your output; I do not see
them on any of my machines. How did those get there?

Regards,
Christoph

-- 
Spare Space


Port License Changes Depending on Options

2015-05-21 Thread Reed A. Cartwright
I have submitted a patch to add a port: biology/bcftools.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199747

The port is dual licensed (MIT/GPL); however, if it is compiled with
the GPL option, some features are enabled which require it to be
licensed under the GPL.

I've solved this by choosing to change the license if GPL is enabled:

LICENSE= MIT
[snip...]
.if ${PORT_OPTIONS:MGPL}
MAKE_ENV+= USE_GPL=1
LICENSE= GPLv3
.endif

However, I am not sure if this is the accepted way to specify the
license in this case.  Does anyone have any other opinion?

-- 
Reed A. Cartwright, PhD
Barrett Honors Faculty
Assistant Professor of Genomics, Evolution, and Bioinformatics
School of Life Sciences
Center for Evolutionary Medicine and Informatics
The Biodesign Institute
Arizona State University
==
Address: The Biodesign Institute, PO Box 875301, Tempe, AZ 85287-5301 USA
Packages: The Biodesign Institute, 1001 S. McAllister Ave, Tempe, AZ
85287-5301 USA
Office: Biodesign A-224A, 1-480-965-9949
Website: http://cartwrig.ht/


FreeBSD Port: php56-5.6.8

2015-05-21 Thread M. Zoon
Please upgrade the php56 port to the latest release.


Regards,

Michael
