The FreeBSD Core and Security teams have made a recent announcement concerning the freebsd-update and portsnap vulnerabilities. See the full message from the mailing list, which should address any concerns among the community.

Dear FreeBSD Community:

The FreeBSD Core team and FreeBSD Security team would like to update the community on the reports of security vulnerabilities in freebsd-update, portsnap, libarchive, and bspatch.

We understand the severity of this issue, and are actively working to resolve the issues and improve the security of FreeBSD.

A recent post[1] to the freebsd-security@ list raised a number of questions[2] and we would like to address those.

  1. Since there are known vulnerabilities in freebsd-update and portsnap, why has there been no notification to the community from secteam@?

  As a general rule, the FreeBSD Security Officer does not announce vulnerabilities for which there is no released patch. We are reviewing this policy for cases where a proof-of-concept or working exploit is already public.

  2. Why was there no mention of the fact that running freebsd-update to install the fix for the bspatch advisory [SA-16:25] may actually expose users to the vulnerability?

  To be exposed, a user would need to be under an active Man-In-The-Middle attack when fetching patches. The Security Advisory did not contain information on the theoretical implications of the vulnerability. A more explicit paragraph in the 'Impact' statement may have been warranted. As always, instructions on how to compile the patched bspatch manually rather than using freebsd-update were provided as part of the advisory.

  3. The patch included in SA-16:25 is incomplete, and may still permit heap corruption. The patch included in the document dump is more complete. Why only a partial fix?

Original announcement: