Fix remote code execution which can occur with a specially crafted
audit file. The attacker would need to get the portaudit(1) to
download the bad audit database, e.g. by performing a man in the
middle attack.
Add signature verification of the portaudit database. The public key
is for the database generated for portaudit.FreeBSD.org is included
in the distribution.
(This parts add the portaudit public key missed in initial commit.)
Submitted by: Michael Gmelin <freebsd@grem.de>
Reported by: Michael Gmelin <freebsd@grem.de>, Joerg Scheinert
Security: Remote code execution
Security: http://vuxml.FreeBSD.org/6d329b64-6bbb-11e1-9166-001e4f0fb9b1.html
Feature safe: yes
With hat: so
Fix remote code execution which can occur with a specially crafted
audit file. The attacker would need to get the portaudit(1) to
download the bad audit database, e.g. by performing a man in the
middle attack.
Add signature verification of the portaudit database. The public key
is for the database generated for portaudit.FreeBSD.org is included
in the distribution.
Submitted by: Michael Gmelin <freebsd@grem.de>
Reported by: Michael Gmelin <freebsd@grem.de>, Joerg Scheinert
Security: Remote code execution
Security: http://vuxml.FreeBSD.org/6d329b64-6bbb-11e1-9166-001e4f0fb9b1.html
Feature safe: yes
With hat: so
This patch changes the order in which the conf file is read vs.
when the default variable assignments are made in order to provide
the ability to override them in the conf file. It also adds the
ability to include a conf file in the same directory as the script.
The patch also changes some of the = assignments to := where
having a null setting by mistake would be fatal.
The use case for these changes is the ability to "package" all
of the elements together in one place for use on multiple systems
that can all mount the same central location.
PR: 154518
Submitted by: dougb
Hat: secteam
Feature safe: yes
of http://www.FreeBSD.org/ports/portaudit/.
This is primarily done to work around bug in lighttpd on www.FreeBSD.org
where If-Modified-Since isn't handled correctly possibly resulting in
users behind web proxies getting an outdated version of the portaudit
database.
Bump portaudit version number.
Big thanks to the reporter for the detailed PR with good information
about reproducing the issue.
PR: www/134505
Reported by: Christian Ullrich <chris@chrullrich.net>
Prodding by: remko, Christian Ullrich
- Remove support for FreeBSD older than 4.11 and 5.3.
- Remove conditional dependency on bzip2 which I can't really see how
could be activated automatically.
Reported by: "J. Martin Petersen" <jmp@alvorlig.dk> [1]
PR: ports/117845 [1]
With hat: maintainer / secteam
package is installed or not using a precalculated regex.
This speeds up "portaudit -a" with around a factor of 10.
The change is slightly modified from the one from the PR by using
pkg_info -aE instead of ls /var/db/pkg for determining installed
packages.
Submitted by: Kuang-che Wu <kcwu@csie.org>
PR: ports/92942
secteam@ instead of security@ to make it more clear that the ports are
not maintained by the freebsd-security@ mailing list. Both addresses
go to the same people.
- Unbreak portaudit -vF.
- Sync usage with reality.
- Document the q, v, and V options.
- Markup fixes for the portaudit(1) manual page.
- Make quiet mode output even less "redundant" text [1].
- Set maintainership to security@. [2]
Suggested by: Phil Kernick philk at rotfl dot com dot au [1]
Suggested by: nectar, remko [2]
modify the vulnerability report depending on -q/-v (experimental)
PR: 69935, 68942
Submitted by: Chris Pepper <pepper@reppep.com>, Johan Karlsson <k@numeri.campus.luth.se>
*** NOTE ***
The preferences file format has changed, as have the periodic.conf(5) names.
Normally the default settings should be adequate, except when you need to
configure a proxy. Use $PREFIX/etc/portaudit.conf.sample as an example.
- moved portaudit to sbin
- clean up, merging stuff into the portaudit script
- better return codes and errors to stderr
- -f can check stdin now
- dropped ports tree auditing
- merged the periodic(8) scripts into one
- run daily auditing as `nobody'
- use passive ftp by default, don't retry on failure [1]
- add a -C flag, portlint style
- don't keep databases that are tool old [2]
Requested by: hubs [1]
Noticed by: Nicolas Rachinsky <nicolas@rachinsky.de> [2]
Since we are using the official VuXML database
the auditing should be pretty complete.
- mention web page
- add more mirrors, disabling .ru mirror (too much lag)
- allow combined options in portaudit shell script
- add sample configuration file
- use absolute paths for binaries, to ease use in crontab scripts [1]
- correct type in man page [2]
PR: 64005 [2]
Submitted by: Tomasz Pilat <poncki@axelspringer.com.pl> [1]
Nathan Dove <njdove@wafer.sandia.gov> [2]
- new command line tool
- new man page
- reworked database update code, incorporating feedback from
Max Khon <fjoe>, Radim Kolar <hsn@netmag.cz> (PR 63066) and
Ion-Mihai Tetcu <itetcu@apropo.ro> (PR 62655)
two databases cause more confusion than it is worth.
portaudit uses ports/security/vuxml/vuln.xml in the meantime,
please commit your changes there and send feedback wich format
you prefer.
Currently we have to migrate gnats, mailman, monkey and some
apache versions.