From owner-freebsd-bugbusters@FreeBSD.ORG Sat Feb 15 21:00:49 2014
From: Alan DeKok
To: Florian Weimer
Cc: Pierre Carrier, secalert, pkgsrc-security, security@ubuntu.com, security@freeradius.org, pupykin.s+arch@gmail.com, security@debian.org, bugbusters, product.security@airbnb.com
Date: Sat, 15 Feb 2014 16:00:12 -0500
Subject: Re: freeradius denial of service in authentication flow
Message-ID: <52FFD55C.5030408@freeradius.org>
In-Reply-To: <87sirkm8uo.fsf@mid.deneb.enyo.de>

Florian Weimer wrote:
> * Alan DeKok:
>
>> That's an issue, but a rare one IMHO. The user has to exist on the
>> system. So this isn't a remote DoS.
>
> Could you elaborate on this assessment? Is this because typical data
> sources for SSHA passwords limit the length of the salt and thus the
> length of the SSHA hash?

Partly. The typical use-case for a remote DoS is for an unauthenticated
user to take down the system. Here, the user has to be known, *and* be
able to create a long SSHA password.

To me, this puts the issue into the category of "known users can do bad
things", which is very different from "unknown users can do bad things".

Alan DeKok.

From owner-freebsd-bugbusters@FreeBSD.ORG Sun Feb 16 09:39:39 2014
From: Florian Weimer
To: Alan DeKok
Cc: Pierre Carrier, secalert, pkgsrc-security, security@ubuntu.com, security@freeradius.org, pupykin.s+arch@gmail.com, security@debian.org, bugbusters
Date: Sun, 16 Feb 2014 10:39:27 +0100
Subject: Re: freeradius denial of service in authentication flow
Message-ID: <87y51bwg4w.fsf@mid.deneb.enyo.de>
In-Reply-To: <52FFD55C.5030408@freeradius.org> (Alan DeKok's message of "Sat, 15 Feb 2014 16:00:12 -0500")

* Alan DeKok:

> Florian Weimer wrote:
>> * Alan DeKok:
>>
>>> That's an issue, but a rare one IMHO. The user has to exist on the
>>> system. So this isn't a remote DoS.
>>
>> Could you elaborate on this assessment? Is this because typical data
>> sources for SSHA passwords limit the length of the salt and thus the
>> length of the SSHA hash?
>
> Partly. The typical use-case for a remote DoS is for an
> unauthenticated user to take down the system. Here, the user has to be
> known, *and* be able to create a long SSHA password.
>
> To me, this puts the issue into the category of "known users can do
> bad things", which is very different from "unknown users can do bad things".

Okay, fair enough. As this is already public via , I will request a CVE
on oss-security.
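A defender-side illustration of the point raised above, that the data source can bound the salt and therefore the length of the SSHA value before it ever reaches the authentication path. This is an added example, not code from this thread or from FreeRADIUS; the bound MAX_SALT_LEN and the function names are assumptions made for the example.

```python
# Added example, not FreeRADIUS code: bounded parser for {SSHA} values
# (base64(sha1(password || salt) || salt), as used in LDAP data sources).
# MAX_SALT_LEN is an assumed local policy bound, not a FreeRADIUS setting.
import base64
import hashlib
import hmac

SHA1_LEN = 20        # SHA-1 digest length in bytes
MAX_SALT_LEN = 16    # assumed policy bound on salt length (bytes)

def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} string for a password and a salt within policy."""
    if not 0 < len(salt) <= MAX_SALT_LEN:
        raise ValueError("salt length outside policy bound")
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def parse_ssha(value: str, max_salt_len: int = MAX_SALT_LEN):
    """Decode an {SSHA} value into (digest, salt), rejecting malformed
    or oversized input before any hashing happens."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    body = value[len("{SSHA}"):]
    # Pre-check the encoded length so an oversized string is rejected
    # before base64 decoding allocates for it.
    max_encoded = ((SHA1_LEN + max_salt_len + 2) // 3) * 4
    if len(body) > max_encoded:
        raise ValueError("encoded SSHA value too long")
    raw = base64.b64decode(body, validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("SSHA value has no salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(salt) > max_salt_len:
        raise ValueError("salt longer than policy bound")
    return digest, salt

def verify_ssha(password: bytes, value: str) -> bool:
    """Check a password against a bounded {SSHA} value in constant time."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)

def is_acceptable(value: str) -> bool:
    """Import-time gate: True only if the value parses within bounds."""
    try:
        parse_ssha(value)
        return True
    except ValueError:
        return False
```

Running is_acceptable over each stored hash at import time turns the unbounded case into a rejected record rather than extra work on the authentication path.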
From owner-freebsd-bugbusters@FreeBSD.ORG Thu Feb 20 20:48:23 2014
From: Pierre Carrier
To: Florian Weimer
Cc: secalert, pkgsrc-security, security@ubuntu.com, security@freeradius.org, Alan DeKok, pupykin.s+arch@gmail.com, security@debian.org, bugbusters
Date: Thu, 20 Feb 2014 12:41:06 -0800
Subject: Re: freeradius denial of service in authentication flow
In-Reply-To: <87y51bwg4w.fsf@mid.deneb.enyo.de>

On Sun, Feb 16, 2014 at 1:39 AM, Florian Weimer wrote:
> I will request a CVE on oss-security.

Thanks. I'm gonna drop this thread as I don't expect to prioritize this
issue much further.

Everyone, feel free to reach out off thread if you need anything else
from me.

Best,
-- 
Pierre Carrier

From owner-freebsd-bugbusters@FreeBSD.ORG Sat Feb 22 02:11:16 2014
From: "Eviction Notice"
Date: Fri, 21 Feb 2014 20:10:51 -0500
Subject: Notice to quit the occupied premises Item No 0784
Message-ID: <002e01cf2f734f557e826701a8c0@test>
X-Mailer: XimianEvolution1.4.6
X-Content-Filtered-By: Mailman/MimeDel 2.1.17

Eviction notice,

We hereby give you a notice that due to multiple violations your tenancy
of the premises you occupy will be terminated on March 02, 2014.
Detailed description of the violations and adjudication are attached
herewith. Unless you vacate the property until March 25, 2014, the Court
will provide an order to evict you and require you to pay all the costs
incurred in bringing this action.

Court bailiff,
NIELSEN BUCKNER