Search

Items tagged with: hardenedbsd

Today has been a busy day. In addition to regular work, I helped a friend determine the cause of #nginx crashing on their #HardenedBSD 15-CURRENT server.

Turns out, #brotli is buggy.

#nginx #hardenedbsd #brotli

Seven day embargo limit for #curl: git.hardenedbsd.org/shawn.webb…

It can take the #HardenedBSD project a full month to rebuild its package repos. And since we've built this software monoculture against libcurl, this will be FUN!

#infosec #libcurl


VULN-DISCLOSURE-POLICY.md: 7 days embargo is max (af81e8fe) · Commits · Shawn Webb / Curl · GitLab

It was recently updated in this doc to seven, but there were *two* numbers mentioned and only one of them was updated leaving the paragraph quite confusing. Follow-up to 83c90e50472f32b74e388f6e524d...
GitLab
#infosec #curl #libcurl #hardenedbsd

@bagder because you seem to me to be somewhat confused. Like statements like "if they're transparent, what's there to support?"

But, whatever, I already maintain a patch for #HardenedBSD users to remove the prohibition. The problem is solved on HardenedBSD.

#hardenedbsd @daniel:// stenberg://

@bagder Essentially, #curl commit 0ae0abbe72514a75c10bfc4108d9f254f594c086 broke updating #HardenedBSD packages for certain users who use HardenedBSD behind a fully Tor-ified network (a network that uses transparent Tor proxying).

Those users were unable to update their HardenedBSD systems since the package manager uses libcurl behind-the-scenes. Some of these users live in malicious environments (malicious to human life), with actively-exploited applications.

So, this prohibition had a real negative impact, putting our users in harm's way.

If curl had a way to bypass the prohibition, we would've been able to keep our users safe.

This is why I mention #Radicle: they, too, do not support the .onion TLD by default, but can be configured to provide that support.

Radicle has three options:

  1. Default: No support, .onion domain lookups will fail.
  2. SOCKS support where .onion lookups succeed.
  3. Explicit transparent proxying support, so .onion lookups succeed

curl is missing that third option.

#curl #hardenedbsd #radicle @daniel:// stenberg://

#opnsense #hbsdfw #hardenedbsd