FreeBSD devs ponder changes to security processes

The developers of FreeBSD have announced they'll change the way they go about their business, after users queried why known vulnerabilities weren't being communicated to users. This story starts with an anonymous GitHub post detailing some vulnerabilities in the OS, specifically in freebsd-update, libarchive, bspatch and …

  1. Charlie Clark

    What's the problem?

    Does the author have an issue with the way the FreeBSD is addressing this? Not commenting on security problems for which there is no patch is common procedure for all vendors.

    This particular situation — where a proof of concept for the attack has been released but for which a suitable patch is not yet available — is certainly uncomfortable. But, let's see who and what is affected:

    To be exposed, a user would need to be under an active Man-In-The-Middle attack when fetching patches.

    In other words: a compromised update process is probably the least of the worries!

    Rushing out an untested patch could, as Microsoft and others can testify, cause more problems than it solves: the proverbial swallowing a spider to catch the fly. Security has often as much to do with procedure as it does with code and the advisory provides detailed information for admins on how to mitigate the threat until a patch can be made available. This isn't perfect but is good practice.

    Perhaps the most surprising thing is why signed packages aren't already a requirement of the process. But I'm not familiar with the details. The update toolchain is obviously a vulnerability for any system, as once it has been compromised the whole system is effectively compromised. But hardening the toolchain is easier said than done: you have the repositories, transport and code to worry about.

    1. Rainer

      Re: What's the problem?

      FreeBSD updates for the base system don't come as packages.

      They come in as a number of individual files, each one comes with its own checksum file.

      FreeBSD 11.1 will change that and the base system will be packaged, too.

      (Things didn't work out for 11.0).
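The two update designs the thread contrasts, a per-file checksum fetched over the same channel versus a signed manifest, as an added illustration that is not part of the article or any comment: the mirror contents, file names, and the HMAC key (a stand-in for the asymmetric signature a real signed-package scheme would use) are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed "mirror": each patch file with its own .sha256 file, mirroring
# the layout Rainer describes. Nothing here is a real FreeBSD artifact.
def make_mirror(files):
    mirror = {}
    for name, data in files.items():
        mirror[name] = data
        mirror[name + ".sha256"] = hashlib.sha256(data).hexdigest().encode()
    return mirror

def verify_per_file(mirror, name):
    """Checksum-only check: compare against the checksum fetched alongside."""
    digest = hashlib.sha256(mirror[name]).hexdigest().encode()
    return hmac.compare_digest(digest, mirror[name + ".sha256"])

# Stand-in for a signature: an HMAC over a manifest of all checksums, keyed
# with a secret an attacker on the wire does not hold (hypothetical key).
MANIFEST_KEY = b"hypothetical-signing-key"

def sign_manifest(mirror, names):
    manifest = b"\n".join(n.encode() + b" " + mirror[n + ".sha256"] for n in sorted(names))
    return manifest, hmac.new(MANIFEST_KEY, manifest, "sha256").hexdigest()

def verify_signed(mirror, manifest, tag, name):
    """Check the manifest tag first, then the file against the manifest entry."""
    expected = hmac.new(MANIFEST_KEY, manifest, "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    entries = dict(line.split(b" ", 1) for line in manifest.splitlines())
    digest = hashlib.sha256(mirror[name]).hexdigest().encode()
    return hmac.compare_digest(digest, entries.get(name.encode(), b""))

def tamper_in_transit(mirror, name, payload):
    """Model the threat the thread discusses: a file and its checksum file
    are both replaced between mirror and client."""
    tampered = dict(mirror)
    tampered[name] = payload
    tampered[name + ".sha256"] = hashlib.sha256(payload).hexdigest().encode()
    return tampered

def demo():
    files = {"patch-1.bin": b"original bytes", "patch-2.bin": b"more original bytes"}
    mirror = make_mirror(files)
    manifest, tag = sign_manifest(mirror, files)  # produced server-side, before transit
    tampered = tamper_in_transit(mirror, "patch-1.bin", b"altered bytes")
    return {
        "checksum_only_accepts_tampered": verify_per_file(tampered, "patch-1.bin"),
        "signed_manifest_accepts_tampered": verify_signed(tampered, manifest, tag, "patch-1.bin"),
        "signed_manifest_accepts_genuine": verify_signed(mirror, manifest, tag, "patch-1.bin"),
    }
```

The per-file checksum passes on the altered file because the checksum travelled over the same untrusted channel; only the authenticated manifest catches the substitution.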

  2. Anonymous Coward

    Fortunately we have alternatives...

    freebsd-update is used to update the base system, though in 'binary' format. The other alternative is to check out the source code using Subversion and then compiling that yourself. I'll admit it's more tedious than letting freebsd-update handle things, but it's still a way to work around using it.

    Portsnap is another example. A very easy way to keep your ports collection (usual location being /usr/ports) up to date. But once again you can also use Subversion.

  3. Dinsdale247

    Grumblings

    There have been grumblings about the security in the binary update and the age of the freebsd-update system since I started playing with FreeBSD 4 years ago. As has been stated, use svn and build from sources if you think there is an issue.

    I think @Rainer is talking about using the pkgng system for binary updates to the base packages (as well as the user packages). I didn't hear why it won't be in 11.0 though?

    1. Rainer

      Re: Grumblings

      It was planned for 11.0, but people realized there were a few loose ends.

      And FreeBSD generally doesn't like loose ends ;-)

      As such, it will apparently mature over the 11-series.

      I always sort of liked the way it is: base just a tar-ball, the rest packages, especially after pkg-ng started to arrive.

      But doing freebsd-update on a lot of servers really takes the joy out of it a bit ;-)

  4. Anonymous Coward

    s/FreeBSB/FreeBSD/ please.
