Re: freebsd-update and portsnap users still at risk of compromise

2016-08-11 Thread Vincent Hoffman-Kazlauskas
For those not on freebsd-announce (or reddit or anywhere else it got posted)

"FreeBSD Core statement on recent freebsd-update and related
vulnerabilities"
https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html



Vince

On 11/08/2016 05:22, Julian Elischer wrote:
> this has been in discussion a lot in private circles within FreeBSD.
> It's not being ignored and a "correct" patch is being developed.
> 
> from one email I will quote just a small part..
> ===
> 
> As of yet, [the] patches for the libarchive vulnerabilities have not been
> released upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has
> created patches for some of the libarchive vulnerabilities, the first[3] is being
> considered for inclusion in FreeBSD, at least until a complete fix is
> committed upstream, however the second[4] is considered too brute-force and
> will not be committed as-is. Once the patches are in FreeBSD and updated
> binaries are available, a Security Advisory will be issued.
> 
> ===
> so expect something soon.
> I will go on to say that the threat does need to come from an advanced
> MITM actor, though that does not make it a non-threat..

Re: freebsd-update and portsnap users still at risk of compromise

2016-08-10 Thread Julian Elischer

On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote:

> sorry but this is blabla and does not come even near to answering the real
> problem:
>
> It appears that freebsd and the US-government are more connected than some of us
> might like:
>
> Not publishing security issues concerning update mechanisms - we all can think
> WHY freebsd is not eager on this one.
>
> Just my thoughts...


this has been in discussion a lot in private circles within FreeBSD.
It's not being ignored and a "correct" patch is being developed.

from one email I will quote just a small part..
===

As of yet, [the] patches for the libarchive vulnerabilities have not been
released upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has
created patches for some of the libarchive vulnerabilities, the first[3] is being
considered for inclusion in FreeBSD, at least until a complete fix is
committed upstream, however the second[4] is considered too brute-force and
will not be committed as-is. Once the patches are in FreeBSD and updated
binaries are available, a Security Advisory will be issued.

===
so expect something soon.
I will go on to say that the threat does need to come from an advanced
MITM actor, though that does not make it a non-threat..

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"


Re[2]: freebsd-update and portsnap users still at risk of compromise

2016-08-10 Thread Mail Lists via freebsd-ports



sorry but this is bullshit and does not come even near to answering the real 
problem:

It appears that freebsd and the US-government are more connected than some of us 
might like:

Not publishing security issues concerning update mechanisms - we all can think 
WHY freebsd is not eager on this one

don't trust anyone..

Just my thoughts...



>Tuesday, August  9, 2016 8:21 PM UTC from Matthew Donovan:
>
>You mean operating system as distribution is a Linux term. There's not much
>different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
>vulnerabilities and has an excellent ASLR system compared to the proposed
>one for FreeBSD.


Best regards,
Mail Lists
mli...@mail.ru


Re[2]: freebsd-update and portsnap users still at risk of compromise

2016-08-10 Thread Mail Lists via freebsd-ports



sorry but this is blabla and does not come even near to answering the real 
problem:

It appears that freebsd and the US-government are more connected than some of us 
might like:

Not publishing security issues concerning update mechanisms - we all can think 
WHY freebsd is not eager on this one.

Just my thoughts...



>Tuesday, August  9, 2016 8:21 PM UTC from Matthew Donovan:
>
>You mean operating system as distribution is a Linux term. There's not much
>different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
>vulnerabilities and has an excellent ASLR system compared to the proposed
>one for FreeBSD.


Best regards,
Mail Lists
mli...@mail.ru


Re: freebsd-update and portsnap users still at risk of compromise

2016-08-10 Thread Shawn Webb
On Wed, Aug 10, 2016 at 09:50:37AM +0100, Big Lebowski wrote:
> On Tue, Aug 9, 2016 at 9:21 PM, Matthew Donovan 
> wrote:
> 
> > You mean operating system as distribution is a Linux term. There's not much
> > different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
> > vulnerabilities and has an excellent ASLR system compared to the proposed
> > one for FreeBSD.
> >
> 
> And what are your sources on which you're formulating this statement? What
> is the HBSD authors' security, or even general coding, track record? How
> well are they known for their code, whitepapers, implementations? I'd say,
> not at all. You can have the example of their 'ASLR' code quality in the
> FreeBSD reviews system, where known and respected coders point out very
> basic and critical code mistakes, where well known and respected system
> designers point out flaws in their lack of design, so on and so forth. The
> only thing that's excellent about them is how they spread this opinion
> about their code to other people, including you ;)
> 
> I'd much rather take my bet with kib's implementation knowing who he is and
> how long and how well he does what he does (that is, quality code for
> FreeBSD) than untested, un-designed, self-proclaimed code from a relatively
> young, inexperienced and unknown person, that's not willing to take advice
> on fixing their code, when given so.
> 
> With all due respect :)

Hey there,

ASLR shouldn't be part of the discussion revolving around the freebsd-update,
portsnap, libarchive, and bspatch vulnerabilities. ASLR won't even help
with these vulnerabilities in particular as they are logic
vulnerabilities. ASLR helps make more difficult the successful
exploitation of buffer overflows, format string vulnerabilities, etc.

In HardenedBSD, we've fixed the two libarchive vulnerabilities that
FreeBSD is vulnerable to. But the fixes are only band-aids until FreeBSD
publishes their fixes, which they are planning to do before
11.0-RELEASE goes out the door.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE




Re: freebsd-update and portsnap users still at risk of compromise

2016-08-10 Thread Franco Fichtner

> On 10 Aug 2016, at 10:50 AM, Big Lebowski  wrote:
> 
> With all due respect :)

Not really.  Feel free to try again.


Re: freebsd-update and portsnap users still at risk of compromise

2016-08-10 Thread Big Lebowski
On Tue, Aug 9, 2016 at 9:21 PM, Matthew Donovan 
wrote:

> You mean operating system as distribution is a Linux term. There's not much
> different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
> vulnerabilities and has an excellent ASLR system compared to the proposed
> one for FreeBSD.
>

And what are your sources on which you're formulating this statement? What
is the HBSD authors' security, or even general coding, track record? How
well are they known for their code, whitepapers, implementations? I'd say,
not at all. You can have the example of their 'ASLR' code quality in the
FreeBSD reviews system, where known and respected coders point out very
basic and critical code mistakes, where well known and respected system
designers point out flaws in their lack of design, so on and so forth. The
only thing that's excellent about them is how they spread this opinion
about their code to other people, including you ;)

I'd much rather take my bet with kib's implementation knowing who he is and
how long and how well he does what he does (that is, quality code for
FreeBSD) than untested, un-designed, self-proclaimed code from a relatively
young, inexperienced and unknown person, that's not willing to take advice
on fixing their code, when given so.

With all due respect :)




Re: freebsd-update and portsnap users still at risk of compromise

2016-08-09 Thread Matthew Donovan
You mean operating system as distribution is a Linux term. There's not much
different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
vulnerabilities and has an excellent ASLR system compared to the proposed
one for FreeBSD.

On Aug 9, 2016 3:10 PM, "Roger Marquis"  wrote:

> Timely update via Hackernews:
>
>   y-update-libarchive>
>
> Note in particular:
>
>  "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>  and libarchive vulnerabilities."
>
> Not sure why the portsec team has not commented or published an advisory
> (possibly because the freebsd list spam filters are so bad that
> subscriptions are being blocked) but from where I sit it seems that
> those exposed should consider:
>
>  cd /usr/ports
>  svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
>  make index
>  rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>
> I'd also be interested in hearing from hardenedbsd users regarding the
> pros and cons of cutting over to that distribution.
>
> Roger
>


Re: freebsd-update and portsnap users still at risk of compromise

2016-08-09 Thread Roger Marquis

Timely update via Hackernews:

 

Note in particular:

 "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
 and libarchive vulnerabilities."

Not sure why the portsec team has not commented or published an advisory
(possibly because the freebsd list spam filters are so bad that
subscriptions are being blocked) but from where I sit it seems that
those exposed should consider:

 cd /usr/ports
 svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
 make index
 rm -rf /usr/sbin/portsnap /var/db/portsnap/*

I'd also be interested in hearing from hardenedbsd users regarding 
the pros and cons of cutting over to that distribution.


Roger




On 2016-07-29 09:00, Julian Elischer wrote:

>> not sure if you've been contacted privately, but  I believe the answer is
>> "we're working on it"
>
> My concerns are as follows:
>
> 1. This is already out there, and FreeBSD users haven't been alerted that
> they should avoid running freebsd-update/portsnap until the problems are
> fixed.
>
> 2. There was no mention in the bspatch advisory that running
> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
> are apparently already in operation.
>
> 3. Strangely, the "fix" in the advisory is incomplete and still permits
> heap corruption, even though a more complete fix is available. That's
> what prompted my post. If FreeBSD learned of the problem from the same
> source document we all did, which seems likely given the coincidental
> timing of an advisory for a little-known utility a week or two after that
> source document appeared, then surely FreeBSD had the complete fix
> available.

