# Each FreeBSD system is still vulnerable to attacks?



## teo (Sep 8, 2016)

Greetings!

On Reddit they report on that topic:

The FreeBSD attacks are from earlier this year.

g2k16 Hackathon Report:

Marc Espie on package signing evolution.  So, the gist of that idea is that FreeBSD got a fairly sophisticated attack against some upgrade mechanism. The upgrade data is signed, but everything is inside an archive, and the attack was against the archive, most specifically the decompression code, before signatures are even checked.  Not quite. There are five independent attacks, any one of which can be used in isolation to compromise a system, and every FreeBSD system is still vulnerable to at least one of the attacks, with -RELEASE users still being vulnerable to all five:

1.  portsnap because of flawed signature checking (gunzip-related).
2.  portsnap because of an easily achievable file-prediction attack.
3.  portsnap because of decompression-unrelated libarchive vulnerabilities, with each libarchive vulnerability also being independent and upstream taking its royal time on fixing all of them. 

4.  portsnap because of bspatch vulnerabilities, with each attack path being independent and with only one path patched for -RELEASE users, who are yet to receive the Capsicum + other fixes.

5.  freebsd-update because of bspatch vulnerabilities, with each attack path being independent and with only one path patched for -RELEASE users, who are yet to receive the Capsicum + other fixes.

Because the package manager (pkg) does not have a separation of privileges and keeps everything running as root?


----------



## Murph (Sep 9, 2016)

teo said:


> … every FreeBSD system is still vulnerable to at least one of the attacks, with -RELEASE users still being vulnerable to all five: …


My FreeBSD systems are not vulnerable to any of those, never have been, and never will be.  I use SVN to get both base and ports, as do more than a few other people, so "every" is stretching it slightly.

I honestly don't know what the status is on those, other than they were clearly working on it a little while ago.  I think I saw some libarchive updates going into releng the other day, so that might have been an indication of some progress.

Use SVN and build from source if you need a short term fix.  This would also probably be a good time to make sure that your DNSSEC resolver is properly configured and working correctly.


----------



## SirDice (Sep 9, 2016)

https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html


----------

