FreeBSD includes software from the OpenSSL Project for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. OpenSSL has multiple vulnerabilities on a FreeBSD. Currently, no workaround is available. You need to update OpenSSL on FreeBSD version 10.x and 11.x.
I’ve just uploaded a version of OpenSSL to unstable that disables the TLS 1.0 and 1.1 protocol. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version.
This will likely break certain things that for whatever reason still don’t support TLS 1.2. I strongly suggest that if it’s not supported that you add support for it, or get the other side to add support for it.
OpenSSL made a release 5 years ago that supported TLS 1.2. The current support of the server side seems to be around 90%. I hope that by the time Buster releases the support for TLS 1.2 will be high enough that I don’t need to enable them again.
OpenSSH is critical for both sysadmin and programmers. It is an implementation of the SSH protocol suite, from OpenBSD project. It provides an encrypted session to your server.
OpenSSH multiple vulnerabilities
OpenSSH has multiple vulnerabilities as of 11th January 2017 running on FreeBSD operating system. From the advisory:
The ssh-agent(1) agent supports loading a PKCS#11 module from outside a trusted whitelist. An attacker can request loading of a PKCS#11 module across forwarded agent-socket. [CVE-2016-10009]
When privilege separation is disabled, forwarded Unix domain sockets would be created by sshd(8) with the privileges of ‘root’ instead of the authenticated user. [CVE-2016-10010]
I updated my vulnerable FreeBSD box via a binary patch: # freebsd-update fetch # freebsd-update install # service sshd restart # ps aux | grep -i ssh-agent If found any ssh-agent process, kill all running ssh-agent: # killall ssh-agent
HTTPS enables privacy and integrity by default. It is going to be next big thing. The internet’s standards bodies, web browsers, major tech companies, and the internet community of practice have all come to understand that HTTPS should be the baseline for all web traffic. Ultimately, the goal of the internet community is to establish encryption as the norm, and to phase out unencrypted connections. Investing in HTTPS makes it faster, cheaper, and easier for everyone.
In this tutorial, I will explain how to use Let’s Encrypt to install a free SSL certificate for Nginx web server along with how to properly deploy Diffie-Hellman on your nginx server to get SSL labs A+ score.
Well, that was fast. Touch ID is a fingerprint recognition security feature, designed and released by Apple. It is currently available on the iPhone 5s/6/7 and Macbook pro-2016 editions. Many consider it as a huge security win for the MacBook Pro’s. This sounds amazing feature for command line users.
Say hello to sudo-touchid
sudo-touchid is a fork of sudo with Touch ID support on macOS (powered by the LocalAuthentication framework). Once compiled, it will allow you to authenticate sudo commands with Touch ID in the Terminal on supported Macs (such as the late 2016 MacBook Pros). Since Darwin sources for macOS 10.12 are not available yet, this project is based on sudo sources corresponding to OS X 10.11.6 and obtained from opensource.apple.com.
I have two internet connections (fiber and 4G LTE) configured in load balanced mode using pfSense FreeBSD based firewall. One of my wan connection is running out of bandwidth quota. How can I force and turn off this interface to save bandwidth until month end and enable it again from next billing cycle?
This attack is mainly impacting US East and is impacting Managed DNS customers in this region. Our Engineers are continuing to work on mitigating this issue. Services have been restored to normal as of 13:20 UTC on 21/Oct/2016. But, I’m still seeing problems.
This DDoS attack may also be impacting Dyn Managed DNS advanced services with possible delays in monitoring. Our Engineers are continuing to work on mitigating this issue. — Oct 21, 2016 – 16:48 UTC
A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. A local unprivileged user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. In other words, the normal user can overwrite files they are allowed just to read it. For example, /etc/passwd can be edited or deleted by a normal user. The vulnerability easily exploited with a local shell account.
How old is this bug?
I can not belive, but bug existed for in the kernel for eleven years, to give normal users full root access.
How do I fix my server or desktop powered by Linux?
SSH keys provide a better and secure way of logging into a server with SSH than using a password. If you are a sysadmin or programmer, you may need to use SSH to fix server or update code. This guide explains how to setup SSH keys securely between your server and client computer.