Hacker Newsnew | past | comments | ask | show | jobs | submit | ggeorg's commentslogin

* The FreeBSD "base" system can now be installed and managed using the pkg(8) package manager.

This is huge! No more freebsd-update! Thank you for the hard work! Can't wait to test this...


This sounds great! The site left me a bit confused however. Is it open in respect to software/firmware? Or also the hardware? Can I just build my own with stock components? Something was mentioned about a DIY kit... The WM12 is basically two TW4 modules ... Um, TW4? As an ignoramus I need some introduction please...


Apparently it isn't open source at all, firmware is CC BY-NC-SA 4.0. It appears that the author does not know what open source means.


Quoting https://community.openstreetmap.org/t/openstreetmap-org-curr...

Firefishy Forums governance team

OpenStreetMap.org and a number of related services are currently offline. 15 December 2024 starting approximagely 4:00AM (GMT/UTC).

We have an ISP outage affecting our servers in Amsterdam. Our ISP has an engineer on-route to fix the issue.

We will continue to monitor. If the ISP update us with an ETA / Estimated Time of Resolution, I will update with the additional information.


Not doing much dev work at the moment... In the rare event I need to do some file comparisons or git commits I use meld. How does it compare to more novel tools like this? Any tools that consider the syntactic structure of code for diff/merging?


From the qualys advisory (https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion....):

With a heap corruption as a primitive, two FILE structures malloc()ated in the heap, and 21 fixed bits in the glibc's addresses, we believe that this signal handler race condition is exploitable on amd64 (probably not in ~6-8 hours, but hopefully in less than a week). Only time will tell.

It is a race condition in a signal handler. The behaviour depends on the implementation of various standard library functions on the target system (syslog, malloc). This may very well be exploitable on other architectures (and systems). Apparently it is non-trivial to trigger. But it is possibly remote code execution with root permissions. Definetely nobody wants this in sshd.


We discovered a vulnerability (a signal handler race condition) in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe (for example, syslog()). This race condition affects sshd in its default configuration.

So SIGALRM because of the timer firing?

Out of curiosity... any rust sshd implementations? I found libraries, but no plug&play replacement for openssh?


Sorry, duplicate of https://news.ycombinator.com/item?id=40843778


I do like the headline of this post better though...


I learned about the vulnerability by the FreeBSD advisory and searched for ssh on hacker news and didn't find the other post... just to find the other post on the front page... well.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: