Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]

2014-04-11 Thread Bryan Drewery
On 2014-04-11 15:23, David Noel wrote: If you look at the portsnap build code you'll see that the first thing portsnap does is pull the ports tree from Subversion. It uses the URL svn://svn.freebsd.org/ports. By not using ssl or svn+ssh the entire ports archive is exposed to corruption right from

Re: CVE-2014-0160?

2014-04-11 Thread Ryan Steinmetz
I've also added the affected system information for CVE-2014-0076 and corrected an issue with the affected values. -r On (04/11/14 17:13), Ryan Steinmetz wrote: On (04/11/14 21:56), Matthew Seaman wrote: http://vuxml.freebsd.org/freebsd/b72bad1c-20ed-11e3-be06-000c29ee3065.html This is appli

Re: CVE-2014-0160?

2014-04-11 Thread Ryan Steinmetz
On (04/11/14 21:56), Matthew Seaman wrote: http://vuxml.freebsd.org/freebsd/b72bad1c-20ed-11e3-be06-000c29ee3065.html This is applied inconsistently though. While there is an entry for OpenSSL Heartbleed, it doesn't contain any reference to the FreeBSD base system and the security advisories (

Re: CVE-2014-0160?

2014-04-11 Thread Matthew Seaman
On 11/04/2014 15:34, Erik Trulsson wrote: > Quoting sbre...@hotmail.com: > >> I receive daily email from the host which normally shows port audits >> and vulnerabilities. However, I did not spot anything related to >> CVE-2014-0160 in this email. I expected the same info comes in this >> email ab

Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]

2014-04-11 Thread David Noel
>> If you look at the portsnap build code you'll see that the first >> thing portsnap does is pull the ports tree from Subversion. It uses >> the URL svn://svn.freebsd.org/ports. By not using ssl or svn+ssh >> the entire ports archive is exposed to corruption right from the >> start. > > Just to cl

Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]

2014-04-11 Thread Xin Li
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 04/11/14 09:08, David Noel wrote: >> Your report aside, I find portsnap to be far superior in security >> for ports and users. > > If you look at the portsnap build code you'll see that the first > thing portsnap does is pull the ports tree from

Re: CVE-2014-0160?

2014-04-11 Thread Tom Evans
On Fri, Apr 11, 2014 at 2:26 PM, wrote: > I receive daily email from the host which normally shows port audits and > vulnerabilities. However, I did not spot anything related to CVE-2014-0160 > in this email. I expected the same info comes in this email about the base > system as well. > > Ho

RE: CVE-2014-0160?

2014-04-11 Thread Erik Trulsson
Quoting sbre...@hotmail.com: I receive daily email from the host which normally shows port audits and vulnerabilities. However, I did not spot anything related to CVE-2014-0160 in this email. I expected the same info comes in this email about the base system as well. How do you normally

Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]

2014-04-11 Thread David Noel
> Your report aside, I find portsnap to be far superior in security for > ports and users. If you look at the portsnap build code you'll see that the first thing portsnap does is pull the ports tree from Subversion. It uses the URL svn://svn.freebsd.org/ports. By not using ssl or svn+ssh the entir

Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]

2014-04-11 Thread Brooks Davis
On Thu, Apr 10, 2014 at 06:38:39PM -0500, Bryan Drewery wrote: > On 4/10/2014 12:03 PM, David Noel wrote: > > I found a few bugs in portsnap and freebsd-update that I'd like to > > bring to the community's attention and hopefully recruit people to > > help fix. I mentioned them to Colin (their auth

RE: CVE-2014-0160?

2014-04-11 Thread sbremal
I receive daily email from the host which normally shows port audits and vulnerabilities. However, I did not spot anything related to CVE-2014-0160 in this email. I expected the same info comes in this email about the base system as well. How do you normally inform about recent vulnerability i

Re: CVE-2014-0160?

2014-04-11 Thread Kimmo Paasiala
On 11.4.2014, at 15.53, sbre...@hotmail.com wrote: > ext 65281 (renegotiation info, length=1) > ext 00011 (EC point formats, length=4) > ext 00035 (session ticket, length=0) > ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is > possible when linking against OpenSSL 1.0.1

RE: CVE-2014-0160?

2014-04-11 Thread Mohacsi Janos
On Fri, 11 Apr 2014, sbre...@hotmail.com wrote: ext 65281 (renegotiation info, length=1) ext 00011 (EC point formats, length=4) ext 00035 (session ticket, length=0) ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older

RE: CVE-2014-0160?

2014-04-11 Thread sbremal
ext 65281 (renegotiation info, length=1) ext 00011 (EC point formats, length=4) ext 00035 (session ticket, length=0) ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check. Actively checking if CVE-2014-0160 wo

Re: freebsd openssh hole?

2014-04-11 Thread Jason Hellenthal
What is so confusing about this ? I don't see anything here that would cause worry besides the zealot attitudes you would typically find in the openbsd community. For them to be so security conscious and open source but yet not have the decency or common sense to mitigate major security concern

Re: CVE-2014-0160?

2014-04-11 Thread Mohacsi Janos
On Fri, 11 Apr 2014, sbre...@hotmail.com wrote: Hello Could anyone comment on this? Worry, not to worry, upgrade, upgrade to what version? There are a few contradicting pieces of information coming out in regards to the check of my server related to the 'heartbleed' bug: 1. http://heartbleed.com/ ... S

CVE-2014-0160?

2014-04-11 Thread sbremal
Hello Could anyone comment on this? Worry, not to worry, upgrade, upgrade to what version? There are a few contradicting pieces of information coming out in regards to the check of my server related to the 'heartbleed' bug: 1. http://heartbleed.com/ ... Status of different versions: --->    OpenSSL 1.0.1 t

Re: Heartbleed / r264266 / openssl version

2014-04-11 Thread Eygene Ryabinkin
Tue, Apr 08, 2014 at 03:47:29PM -0700, Xin Li wrote: > I have done a quick check on Linux systems and found they don't carry > a patchlevel for "openssl" either however they do provide a way to > tell the patchlevel because it's a package. However, they do bump the > date as part of the update. >