From owner-freebsd-security Thu Mar 12 11:28:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA07829 for freebsd-security-outgoing; Thu, 12 Mar 1998 11:28:06 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA07673; Thu, 12 Mar 1998 11:27:36 -0800 (PST) (envelope-from security-officer@freebsd.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.8/8.8.5) id UAA17298; Thu, 12 Mar 1998 20:27:25 +0100 (MET) Message-Id: <199803121927.UAA17298@gvr.gvr.org> From: FreeBSD Security Officer To: freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org Subject: FreeBSD Security Advisory: FreeBSD-SA-98:01.land Date: Thu, 12 Mar 1998 20:27:00 +0100 (MET) Reply-To: security-officer@FreeBSD.ORG From: FreeBSD Security Officer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-98:01 Security Advisory FreeBSD, Inc. Topic: LAND attack can cause harm to running FreeBSD systems Category: core Module: kern Announced: 1997-12-01 Affects: FreeBSD 2.1.*, FreeBSD 2.2.0R, 2.2.1R, 2.2.5R FreeBSD-stable and FreeBSD-current Doesn't Affect: FreeBSD 2.2.2R Corrected: FreeBSD 2.2.6R, FreeBSD-current as of Jan 21, 1998 FreeBSD-stable as of Jan 30, 1998 FreeBSD only: no Patches: ftp://ftp.freebsd.org/pub/CERT/patches/SA-98:01/ ============================================================================= IMPORTANT MESSAGE: The FreeBSD advisory archive has moved from ftp://freebsd.org/pub/CERT to ftp://ftp.freebsd.org/pub/CERT ============================================================================= I. Background In most TCP stacks state is kept based on the source and destination address of a packet received. II. Problem Description A problem exists in most FreeBSD derived stacks that allows a malicious user to send a packet that causes the sytsem to lock up, thus producing a denial of service attack. III. Impact Any person on the Internet who can send a FreeBSD machine a packet can cause it to lock up and be taken out of service. IV. Workaround A firewall can be used to filter packets from the Internet that appear to be from your local network. This will not eliminate the threat, but will eliminate external attacks. V. Solution Apply the enclosed patch. There are two patches, one for FreeBSD -current, and another for FreeBSD 2.2-stable. patch for -current prior to Jan 21, 1998. Found in land-current. Index: tcp_input.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v retrieving revision 1.67 retrieving revision 1.68 diff -u -r1.67 -r1.68 --- tcp_input.c 1997/12/19 23:46:15 1.67 +++ tcp_input.c 1998/01/21 02:05:59 1.68 @@ -626,6 +613,7 @@ * If the state is LISTEN then ignore segment if it contains an RST. * If the segment contains an ACK then it is bad and send a RST. * If it does not contain a SYN then it is not interesting; drop it. + * If it is from this socket, drop it, it must be forged. * Don't bother responding if the destination was a broadcast. * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial * tp->iss, and send a segment: @@ -644,6 +632,9 @@ goto dropwithreset; if ((tiflags & TH_SYN) == 0) goto drop; + if ((ti->ti_dport == ti->ti_sport) && + (ti->ti_dst.s_addr == ti->ti_src.s_addr)) + goto drop; /* * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN * in_broadcast() should never return true on a received @@ -762,6 +753,23 @@ } /* + * If the state is SYN_RECEIVED: + * if seg contains SYN/ACK, send a RST. + * if seg contains an ACK, but not for our SYN/ACK, send a RST. + */ + case TCPS_SYN_RECEIVED: + if (tiflags & TH_ACK) { + if (tiflags & TH_SYN) { + tcpstat.tcps_badsyn++; + goto dropwithreset; + } + if (SEQ_LEQ(ti->ti_ack, tp->snd_una) || + SEQ_GT(ti->ti_ack, tp->snd_max)) + goto dropwithreset; + } + break; + + /* * If the state is SYN_SENT: * if seg contains an ACK, but not for our SYN, drop the input. * if seg contains a RST, then drop the connection. @@ -1176,14 +1184,11 @@ switch (tp->t_state) { /* - * In SYN_RECEIVED state if the ack ACKs our SYN then enter - * ESTABLISHED state and continue processing, otherwise - * send an RST. + * In SYN_RECEIVED state, the ack ACKs our SYN, so enter + * ESTABLISHED state and continue processing. + * The ACK was checked above. */ case TCPS_SYN_RECEIVED: - if (SEQ_GT(tp->snd_una, ti->ti_ack) || - SEQ_GT(ti->ti_ack, tp->snd_max)) - goto dropwithreset; tcpstat.tcps_connects++; soisconnected(so); patch for 2.2.5 and 2.2.5-stable before Jan 30, 1998 found in land-22 Index: tcp_input.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v retrieving revision 1.54.2.6 retrieving revision 1.54.2.7 diff -u -r1.54.2.6 -r1.54.2.7 --- tcp_input.c 1997/11/20 21:45:34 1.54.2.6 +++ tcp_input.c 1998/01/30 19:13:55 1.54.2.7 @@ -627,6 +614,7 @@ * If the state is LISTEN then ignore segment if it contains an RST. * If the segment contains an ACK then it is bad and send a RST. * If it does not contain a SYN then it is not interesting; drop it. + * If it is from this socket, drop it, it must be forged. * Don't bother responding if the destination was a broadcast. * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial * tp->iss, and send a segment: @@ -646,6 +634,9 @@ goto dropwithreset; if ((tiflags & TH_SYN) == 0) goto drop; + if ((ti->ti_dport == ti->ti_sport) && + (ti->ti_dst.s_addr == ti->ti_src.s_addr)) + goto drop; /* * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN * in_broadcast() should never return true on a received @@ -765,6 +756,23 @@ } /* + * If the state is SYN_RECEIVED: + * if seg contains SYN/ACK, send a RST. + * if seg contains an ACK, but not for our SYN/ACK, send a RST. + */ + case TCPS_SYN_RECEIVED: + if (tiflags & TH_ACK) { + if (tiflags & TH_SYN) { + tcpstat.tcps_badsyn++; + goto dropwithreset; + } + if (SEQ_LEQ(ti->ti_ack, tp->snd_una) || + SEQ_GT(ti->ti_ack, tp->snd_max)) + goto dropwithreset; + } + break; + + /* * If the state is SYN_SENT: * if seg contains an ACK, but not for our SYN, drop the input. * if seg contains a RST, then drop the connection. @@ -1179,14 +1187,11 @@ switch (tp->t_state) { /* - * In SYN_RECEIVED state if the ack ACKs our SYN then enter - * ESTABLISHED state and continue processing, otherwise - * send an RST. + * In SYN_RECEIVED state, the ack ACKs our SYN, so enter + * ESTABLISHED state and continue processing. + * The ACK was checked above. */ case TCPS_SYN_RECEIVED: - if (SEQ_GT(tp->snd_una, ti->ti_ack) || - SEQ_GT(ti->ti_ack, tp->snd_max)) - goto dropwithreset; tcpstat.tcps_connects++; soisconnected(so); ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://ftp.freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNQg21FUuHi5z0oilAQFsYAP/TSdBmRb90H9/JqCvM/7pn1FOngoJgLPV GzEBEKe1cbeY5tOY/rCLPVX3g+JjRjPFkMICaTYk0JdFEO29CLhw5qoX/OAm4M+M erMJvXUJ3SPaEAEgK7zh5c73t9I4573Rbp1IxU3uZiqVSc3myJxCtFa4ZW2O6zkm G57fsHlGRKo= =4fC3 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Mar 12 11:47:38 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA12838 for freebsd-security-outgoing; Thu, 12 Mar 1998 11:47:38 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA12738; Thu, 12 Mar 1998 11:47:10 -0800 (PST) (envelope-from security-officer@freebsd.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.8/8.8.5) id UAA17528; Thu, 12 Mar 1998 20:47:03 +0100 (MET) Message-Id: <199803121947.UAA17528@gvr.gvr.org> From: FreeBSD Security Officer To: freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org Subject: FreeBSD Security Advisory: FreeBSD-SA-98:02.mmap Date: Thu, 12 Mar 1998 20:47:00 +0100 (MET) Reply-To: security-officer@FreeBSD.ORG From: FreeBSD Security Officer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-98:02 Security Advisory FreeBSD, Inc. Topic: security compromise via mmap Category: core Module: kernel Announced: 1998-03-12 Affects: FreeBSD 2.2.*, FreeBSD-stable and FreeBSD-current before 1998/03/11 suffer from this problem. Corrected: FreeBSD-current as of 1998/03/11 FreeBSD-stable as of 1998/03/11 FreeBSD only: no (also other 4.4BSD based systems may be affected) Patches: ftp://ftp.freebsd.org/pub/CERT/patches/SA-98:02/ ============================================================================= IMPORTANT MESSAGE: The FreeBSD advisory archive has moved from ftp://freebsd.org/pub/CERT to ftp://ftp.freebsd.org/pub/CERT ============================================================================= I. Background The 4.4BSD VM system allows files to be "memory mapped", which causes the specified contents of a file to be made available to a process via its address space. Manipulations of that file can then be performed simply by manipulating memory, rather than using filesystem I/O calls. This technique is used to simplify code, speed up access to files, and provide interprocess communication. II. Problem Description Due to a 4.4BSD VM system problem, it is possible to memory-map a read-only descriptor to a character device in read-write mode. III. Impact The hole can be used by members of group kmem to gain superuser privileges. It also allows the superuser to lower the system securelevel. IV. Workaround No workaround is known. V. Solution Apply one of the following patches, rebuild your kernel, install it and reboot your system. The patches below can be found on ftp://ftp.freebsd.org/pub/CERT/patches/SA-98:02/ Patch for 3.0-current systems: Index: vm_mmap.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/vm/vm_mmap.c,v retrieving revision 1.74 diff -u -r1.74 vm_mmap.c --- vm_mmap.c 1998/03/07 21:37:01 1.74 +++ vm_mmap.c 1998/03/10 21:51:30 @@ -162,6 +162,7 @@ vm_prot_t prot, maxprot; void *handle; int flags, error; + int disablexworkaround; off_t pos; addr = (vm_offset_t) uap->addr; @@ -252,6 +253,26 @@ pos = 0; } else { /* + * cdevs does not provide private mappings of any kind. + */ + /* + * However, for XIG X server to continue to work, + * we should allow the superuser to do it anyway. + * We only allow it at securelevel < 1. + * (Because the XIG X server writes directly to video + * memory via /dev/mem, it should never work at any + * other securelevel. + * XXX this will have to go + */ + if (securelevel >= 1) + disablexworkaround = 1; + else + disablexworkaround = suser(p->p_ucred, + &p->p_acflag); + if (vp->v_type == VCHR && disablexworkaround && + (flags & (MAP_PRIVATE|MAP_COPY))) + return (EINVAL); + /* * Ensure that file and memory protections are * compatible. Note that we only worry about * writability if mapping is shared; in this case, @@ -265,12 +286,20 @@ maxprot |= VM_PROT_READ; else if (prot & PROT_READ) return (EACCES); - if (flags & MAP_SHARED) { - if (fp->f_flag & FWRITE) - maxprot |= VM_PROT_WRITE; - else if (prot & PROT_WRITE) - return (EACCES); - } else + /* + * If we are sharing potential changes (either via + * MAP_SHARED or via the implicit sharing of character + * device mappings), and we are trying to get write + * permission although we opened it without asking + * for it, bail out. Check for superuser, only if + * we're at securelevel < 1, to allow the XIG X server + * to continue to work. + */ + if (((flags & MAP_SHARED) != 0 || + (vp->v_type == VCHR && disablexworkaround)) && + (fp->f_flag & FWRITE) == 0 && (prot & PROT_WRITE) != 0) + return (EACCES); + else maxprot |= VM_PROT_WRITE; handle = (void *)vp; } Patch for 2.2 systems: Index: vm_mmap.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/vm/vm_mmap.c,v retrieving revision 1.53.2.2 diff -u -r1.53.2.2 vm_mmap.c --- vm_mmap.c 1997/03/25 04:54:29 1.53.2.2 +++ vm_mmap.c 1998/03/10 21:50:46 @@ -157,6 +157,9 @@ vm_prot_t prot, maxprot; caddr_t handle; int flags, error; + int disablexworkaround; + + addr = (vm_offset_t) uap->addr; prot = uap->prot & VM_PROT_ALL; flags = uap->flags; @@ -230,6 +233,26 @@ flags |= MAP_ANON; } else { /* + * cdevs does not provide private mappings of any kind. + */ + /* + * However, for XIG X server to continue to work, + * we should allow the superuser to do it anyway. + * We only allow it at securelevel < 1. + * (Because the XIG X server writes directly to video + * memory via /dev/mem, it should never work at any + * other securelevel. + * XXX this will have to go + */ + if (securelevel >= 1) + disablexworkaround = 1; + else + disablexworkaround = suser(p->p_ucred, + &p->p_acflag); + if (vp->v_type == VCHR && disablexworkaround && + (flags & (MAP_PRIVATE|MAP_COPY))) + return (EINVAL); + /* * Ensure that file and memory protections are * compatible. Note that we only worry about * writability if mapping is shared; in this case, @@ -243,12 +266,20 @@ maxprot |= VM_PROT_READ; else if (prot & PROT_READ) return (EACCES); - if (flags & MAP_SHARED) { - if (fp->f_flag & FWRITE) - maxprot |= VM_PROT_WRITE; - else if (prot & PROT_WRITE) - return (EACCES); - } else + /* + * If we are sharing potential changes (either via + * MAP_SHARED or via the implicit sharing of character + * device mappings), and we are trying to get write + * permission although we opened it without asking + * for it, bail out. Check for superuser, only if + * we're at securelevel < 1, to allow the XIG X server + * to continue to work. + */ + if (((flags & MAP_SHARED) != 0 || + (vp->v_type == VCHR && disablexworkaround)) && + (fp->f_flag & FWRITE) == 0 && (prot & PROT_WRITE) != 0) + return (EACCES); + else maxprot |= VM_PROT_WRITE; handle = (caddr_t) vp; } VI. Thanks This advisory is based on the OpenBSD Security Advisory, dated February 20 2, 1998. Thanks to "Thomas H. Ptacek" for allowing this. Thanks to "Cy Schubert" for porting the OpenBSD patch to FreeBSD. ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://ftp.freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNQg5QlUuHi5z0oilAQGxJQP/YRbQ4Ox0R7zELYIfiYY4ZTec53DlkNTm +NWLqqMJWFAQQ2BfTLmcxJdcaUlPkZmKU21ZUFVxKFuCjjp1MSiFApLJRcXuX6u6 ZYgwvrrLB5ppU2L/uWG+mlJKrf/j6R28B/NQ7b/OB9hcRlNdOFyu7K44M+yKxaPb SRJ4LR1rQKk= =qDrb -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Mar 12 15:53:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA29944 for freebsd-security-outgoing; Thu, 12 Mar 1998 15:53:00 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from newton.physics.uiowa.edu (newton.physics.uiowa.edu [128.255.34.132]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id PAA29810; Thu, 12 Mar 1998 15:52:06 -0800 (PST) (envelope-from shauser@newton.physics.uiowa.edu) Received: from localhost by newton.physics.uiowa.edu (SMI-8.6/SMI-SVR4) id RAA14083; Thu, 12 Mar 1998 17:51:59 -0600 Date: Thu, 12 Mar 1998 17:51:58 -0600 (CST) From: Steven Hauser X-Sender: shauser@newton To: security-officer@FreeBSD.ORG cc: freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:02.mmap In-Reply-To: <199803121947.UAA17528@gvr.gvr.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk How did I get unsubscribed? I thought I sent an "unsubscribe" message to the majordomo but I guess it didn't work and I've deleted the instructions on how to bail out of this. Thanks, Steve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Mar 12 17:56:21 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA21911 for freebsd-security-outgoing; Thu, 12 Mar 1998 17:56:21 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.actrix.gen.nz (root@mail.actrix.gen.nz [203.96.16.37]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA21588; Thu, 12 Mar 1998 17:54:27 -0800 (PST) (envelope-from andrew@squiz.co.nz) Received: from [192.168.1.1] (a.mcn.actrix.gen.nz [203.96.56.128]) by mail.actrix.gen.nz (8.8.8/8.8.5) with SMTP id OAA06350; Fri, 13 Mar 1998 14:54:12 +1300 (NZDT) X-Sender: squiz1@pop.actrix.gen.nz Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 13 Mar 1998 14:55:57 +1300 To: security-officer@FreeBSD.ORG, freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org From: andrew@squiz.co.nz (Andrew McNaughton) Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:01.land Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk At 8:27 AM 13/3/98, FreeBSD Security Officer wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >============================================================================= >FreeBSD-SA-98:01 Security Advisory > FreeBSD, Inc. > >Topic: LAND attack can cause harm to running FreeBSD systems > >Category: core >Module: kern >Announced: 1997-12-01 >Affects: FreeBSD 2.1.*, FreeBSD 2.2.0R, 2.2.1R, 2.2.5R > FreeBSD-stable and FreeBSD-current >Doesn't Affect: FreeBSD 2.2.2R >Corrected: FreeBSD 2.2.6R, FreeBSD-current as of Jan 21, 1998 > FreeBSD-stable as of Jan 30, 1998 >FreeBSD only: no > >Patches: ftp://ftp.freebsd.org/pub/CERT/patches/SA-98:01/ > >============================================================================= >IMPORTANT MESSAGE: The FreeBSD advisory archive has moved from >ftp://freebsd.org/pub/CERT to ftp://ftp.freebsd.org/pub/CERT >============================================================================= The stated location of The FreeBSD advisory archive is incorrect. These files can be found at ftp://freebsd.org/pub/FreeBSD/CERT Andrew McNaughton The effort to understand the universe is Andrew McNaughton one of the very few things that lifts ++64 4 389 6891 human life above the level of farce, andrew@squiz.co.nz and gives it some of the grace http://www.squiz.co.nz of tragedy - Steven Weinberg http://www.newsroom.co.nz To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Mar 12 18:46:21 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA00350 for freebsd-security-outgoing; Thu, 12 Mar 1998 18:46:21 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA00235; Thu, 12 Mar 1998 18:45:42 -0800 (PST) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.6.9) with ESMTP id SAA08892; Thu, 12 Mar 1998 18:43:25 -0800 (PST) To: andrew@squiz.co.nz (Andrew McNaughton) cc: security-officer@FreeBSD.ORG, freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:01.land In-reply-to: Your message of "Fri, 13 Mar 1998 14:55:57 +1300." Date: Thu, 12 Mar 1998 18:43:25 -0800 Message-ID: <8889.889757005@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk > The stated location of The FreeBSD advisory archive is incorrect. These > files can be found at ftp://freebsd.org/pub/FreeBSD/CERT Nope, service at this FTP site has been discontinued for several months now. Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Mar 12 19:19:50 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA06252 for freebsd-security-outgoing; Thu, 12 Mar 1998 19:19:50 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.actrix.gen.nz (mail.actrix.gen.nz [203.96.16.37]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA05412; Thu, 12 Mar 1998 19:17:21 -0800 (PST) (envelope-from andrew@squiz.co.nz) Received: from [192.168.1.1] (a.mcn.actrix.gen.nz [203.96.56.128]) by mail.actrix.gen.nz (8.8.8/8.8.5) with SMTP id QAA14830; Fri, 13 Mar 1998 16:16:42 +1300 (NZDT) X-Sender: squiz1@pop.actrix.gen.nz Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 13 Mar 1998 16:18:27 +1300 To: "Jordan K. Hubbard" From: andrew@squiz.co.nz (Andrew McNaughton) Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:01.land Cc: security-officer@FreeBSD.ORG, freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk At 3:43 PM 13/3/98, Jordan K. Hubbard wrote: >> The stated location of The FreeBSD advisory archive is incorrect. These >> files can be found at ftp://freebsd.org/pub/FreeBSD/CERT > >Nope, service at this FTP site has been discontinued for several >months now. Oops. Right directory, wrong server. All of the URL's listed to date are incorrect. ie these don't work: ftp://freebsd.org/pubCERT/ ftp://ftp.freebsd.org/pub/CERT/ ftp://freebsd.org/pub/FreeBSD/CERT/ This one does work: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/ DISCLAIMER: The Entire Physical Universe, Including Andrew McNaughton This Message, May One Day Collapse Back into an ++64 4 389 6891 Infinitesimally Small Space. Should Another Universe andrew@squiz.co.nz Subsequently Re-emerge, the Validity of Statements http://www.squiz.co.nz in This Message Cannot Be Guaranteed. http://www.newsroom.co.nz To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Mar 12 21:21:04 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA23869 for freebsd-security-outgoing; Thu, 12 Mar 1998 21:21:04 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from chickasaw.gate.net (root@chickasaw.gate.net [198.206.134.26]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA23836; Thu, 12 Mar 1998 21:20:38 -0800 (PST) (envelope-from kwaddell@gate.net) Received: from kronos1.tvci.com (miafl3-14.gate.net [199.227.35.141]) by chickasaw.gate.net (8.8.6/8.6.12) with SMTP id AAA101476; Fri, 13 Mar 1998 00:20:23 -0500 Message-ID: <3508C50C.63DECDAD@gate.net> Date: Fri, 13 Mar 1998 00:33:00 -0500 From: Karl Waddell X-Mailer: Mozilla 3.04 (X11; I; FreeBSD 2.2.5-RELEASE i386) MIME-Version: 1.0 To: "Jordan K. Hubbard" CC: Andrew McNaughton , security-officer@FreeBSD.ORG, freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:01.land References: <8889.889757005@time.cdrom.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Jordon: Yes, your are right; however, the correct URL is: ftp://ftp.freebsd.org/pub/FreeeBSD/CERT I downloaded the patches just now. Just thought I would let others know as well. Karl Jordan K. Hubbard wrote: > > > The stated location of The FreeBSD advisory archive is incorrect. These > > files can be found at ftp://freebsd.org/pub/FreeBSD/CERT > > Nope, service at this FTP site has been discontinued for several > months now. > > Jordan > > This is the moderated mailing list freebsd-announce. > The list contains announcements of new FreeBSD capabilities, > important events and project milestones. > See also the FreeBSD Web pages at http://www.freebsd.org > > To unsubscribe from freebsd-announce, send a mail to > majordomo@freebsd.org with the body > > unsubscribe freebsd-announce > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-announce" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Mar 13 04:15:03 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA14843 for freebsd-security-outgoing; Fri, 13 Mar 1998 04:15:03 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA14818; Fri, 13 Mar 1998 04:14:32 -0800 (PST) (envelope-from fpscha@ns1.sminter.com.ar) Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id JAA24464; Fri, 13 Mar 1998 09:12:14 -0300 (GMT) From: Fernando Schapachnik Message-Id: <199803131212.JAA24464@ns1.sminter.com.ar> Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:01.land To: security-officer@FreeBSD.ORG Date: Fri, 13 Mar 1998 09:12:14 -0300 (GMT) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <199803121927.UAA17298@gvr.gvr.org> from "FreeBSD Security Officer" at Mar 12, 98 08:27:00 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Does any one know is there are there patches available for 2.1.7.1? Thanks. PS: I tried both the current and the 2.2 versions but I get rejects. En un mensaje anterior, FreeBSD Security Officer escribió: > > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================= > FreeBSD-SA-98:01 Security Advisory > FreeBSD, Inc. > > Topic: LAND attack can cause harm to running FreeBSD systems > Fernando P. Schapachnik S&M Internet To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Mar 13 06:36:14 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA00843 for freebsd-security-outgoing; Fri, 13 Mar 1998 06:36:14 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from r.scl.ameslab.gov (r.scl.ameslab.gov [147.155.137.127]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA00808; Fri, 13 Mar 1998 06:35:54 -0800 (PST) (envelope-from ghelmer@scl.ameslab.gov) Received: from demios.scl.ameslab.gov (demios.ether.scl.ameslab.gov [147.155.137.54]) by r.scl.ameslab.gov (8.8.5/8.8.3) with SMTP id IAA00823; Fri, 13 Mar 1998 08:35:50 -0600 (CST) Date: Fri, 13 Mar 1998 08:35:49 -0600 (CST) From: Guy Helmer To: security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Missing advisories Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk While checking and revising my pointers to advisories due to the advisories having been moved to ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/, I noticed advisories 97:06 (f00f) and 97:05 (open) seem to be missing from the new archive location. I didn't keep copies of those advisories -- are they available anywhere else? Guy Guy Helmer, Computer Science Graduate Student - ghelmer@scl.ameslab.gov Iowa State University http://www.cs.iastate.edu/~ghelmer Research Assistant, Scalable Computing Laboratory, Ames Laboratory To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Mar 13 07:39:13 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA08761 for freebsd-security-outgoing; Fri, 13 Mar 1998 07:39:13 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from chrome.jdl.com (chrome.jdl.com [209.39.144.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA08739 for ; Fri, 13 Mar 1998 07:39:03 -0800 (PST) (envelope-from jdl@chrome.jdl.com) Received: from localhost (localhost [127.0.0.1]) by chrome.jdl.com (8.8.4/8.8.4) with SMTP id JAA05104 for ; Fri, 13 Mar 1998 09:36:27 -0600 (CST) Message-Id: <199803131536.JAA05104@chrome.jdl.com> X-Authentication-Warning: chrome.jdl.com: localhost [127.0.0.1] didn't use HELO protocol To: freebsd-security@FreeBSD.ORG Subject: PGP Key? Clarity-Index: null Threat-Level: none Software-Engineering-Dead-Seriousness: There's no excuse for unreadable code. Net-thought: If you meet the Buddha on the net, put him in your Kill file. Compiler-Motto: Wintermute is dead. Long live Wintermute. Date: Fri, 13 Mar 1998 09:36:27 -0600 From: Jon Loeliger Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Hi folks, Recently, a couple security advisories floated around the FreeBSD mail lists: ========================================================================= FreeBSD-SA-98:01 Security Advisory FreeBSD, Inc. Topic: LAND attack can cause harm to running FreeBSD systems Category: core Module: kern Announced: 1997-12-01 Affects: FreeBSD 2.1.*, FreeBSD 2.2.0R, 2.2.1R, 2.2.5R FreeBSD-stable and FreeBSD-current Doesn't Affect: FreeBSD 2.2.2R Corrected: FreeBSD 2.2.6R, FreeBSD-current as of Jan 21, 1998 FreeBSD-stable as of Jan 30, 1998 FreeBSD only: no Patches: ftp://ftp.freebsd.org/pub/CERT/patches/SA-98:01/ And the following confusing notice was included: ========================================================================= IMPORTANT MESSAGE: The FreeBSD advisory archive has moved from ftp://freebsd.org/pub/CERT to ftp://ftp.freebsd.org/pub/CERT ========================================================================= Note that the "from" and "to" places are the same. Actually checking that location yields nothing. And in particular, I was looking for the public key: Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org >> PGP Key: ftp://ftp.freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Where should I really look? Thanks! jdl To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Mar 13 08:04:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA13923 for freebsd-security-outgoing; Fri, 13 Mar 1998 08:04:16 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from echonyc.com (echonyc.com [198.67.15.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA13913 for ; Fri, 13 Mar 1998 08:04:07 -0800 (PST) (envelope-from benedict@echonyc.com) Received: from localhost (benedict@localhost) by echonyc.com (8.8.7/8.8.7) with SMTP id LAA10989; Fri, 13 Mar 1998 11:03:52 -0500 (EST) Date: Fri, 13 Mar 1998 11:03:51 -0500 (EST) From: Snob Art Genre To: Jon Loeliger cc: freebsd-security@FreeBSD.ORG Subject: Re: PGP Key? In-Reply-To: <199803131536.JAA05104@chrome.jdl.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Fri, 13 Mar 1998, Jon Loeliger wrote: > ========================================================================= > IMPORTANT MESSAGE: The FreeBSD advisory archive has moved from > ftp://freebsd.org/pub/CERT to ftp://ftp.freebsd.org/pub/CERT > ========================================================================= > > Note that the "from" and "to" places are the same. > nslookup freebsd.org Name: freebsd.org Address: 204.216.27.18 > nslookup ftp.freebsd.org Name: wcarchive.cdrom.com Address: 165.113.121.81 Aliases: ftp.freebsd.org > Actually checking that location yields nothing. It should be ftp://ftp.freebsd.org/pub/FreeBSD/CERT/. > And in particular, I was looking for the public key: > >> PGP Key: ftp://ftp.freebsd.org/pub/CERT/public_key.asc > Where should I really look? ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc Ben "You have your mind on computers, it seems." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Mar 13 08:10:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA15351 for freebsd-security-outgoing; Fri, 13 Mar 1998 08:10:05 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA15264 for ; Fri, 13 Mar 1998 08:09:52 -0800 (PST) (envelope-from nash@Jupiter.Mcs.Net) Received: from Jupiter.Mcs.Net (nash@Jupiter.mcs.net [192.160.127.88]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id KAA08486; Fri, 13 Mar 1998 10:09:52 -0600 (CST) Received: from localhost (nash@localhost) by Jupiter.Mcs.Net (8.8.7/8.8.2) with SMTP id KAA02980; Fri, 13 Mar 1998 10:09:52 -0600 (CST) Date: Fri, 13 Mar 1998 10:09:52 -0600 (CST) From: Alex Nash To: Jon Loeliger cc: freebsd-security@FreeBSD.ORG Subject: Re: PGP Key? In-Reply-To: <199803131536.JAA05104@chrome.jdl.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Fri, 13 Mar 1998, Jon Loeliger wrote: > Web Site: http://www.freebsd.org/ > Confidential contacts: security-officer@freebsd.org > >> PGP Key: ftp://ftp.freebsd.org/pub/CERT/public_key.asc > Security notifications: security-notifications@freebsd.org > Security public discussion: security@freebsd.org > > > Where should I really look? Section 27.1.1 of the handbook, currently at: http://www.freebsd.org/handbook/handbook329.html Or, more generally: http://www.freebsd.org/handbook/pgpkeys.html Alex To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Mar 13 09:56:59 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA08147 for freebsd-security-outgoing; Fri, 13 Mar 1998 09:56:59 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id JAA08035; Fri, 13 Mar 1998 09:56:28 -0800 (PST) (envelope-from imp@village.org) Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0yDYgt-0000N2-00; Fri, 13 Mar 1998 10:56:19 -0700 Received: from harmony.village.org (localhost [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id KAA08547; Fri, 13 Mar 1998 10:56:00 -0700 (MST) Message-Id: <199803131756.KAA08547@harmony.village.org> To: Fernando Schapachnik Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:01.land Cc: security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Fri, 13 Mar 1998 09:12:14 -0300." <199803131212.JAA24464@ns1.sminter.com.ar> References: <199803131212.JAA24464@ns1.sminter.com.ar> Date: Fri, 13 Mar 1998 10:56:00 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk In message <199803131212.JAA24464@ns1.sminter.com.ar> Fernando Schapachnik writes: : Does any one know is there are there patches available for 2.1.7.1? There currently has been no patch submitted to the 2.1 branch. No patch has been checked into the CVS tree (as of the last CTM update that I got). The patch that went out won't apply against 2.1-stable, and my quick look at the patch showed that it would take a little bit of doing to make it apply. If someone wants to create a patch for 2.1, feel free to submit it to me and I'll check it in. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Mar 13 17:09:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA26334 for freebsd-security-outgoing; Fri, 13 Mar 1998 17:09:05 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from sophie.bolix.com (sophie.bolix.com [209.107.35.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA26219 for ; Fri, 13 Mar 1998 17:08:39 -0800 (PST) (envelope-from imp@pencil-box.village.org) Received: from pencil-box.village.org (tape-box [209.107.35.22]) by sophie.bolix.com (8.8.6/8.8.6) with ESMTP id SAA26752; Fri, 13 Mar 1998 18:08:10 -0700 (MST) Received: from pencil-box.village.org (localhost [127.0.0.1]) by pencil-box.village.org (8.8.8/8.8.3) with ESMTP id SAA01223; Fri, 13 Mar 1998 18:07:41 -0700 (MST) Message-Id: <199803140107.SAA01223@pencil-box.village.org> To: Snob Art Genre Subject: Re: PGP Key? Cc: Jon Loeliger , freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Fri, 13 Mar 1998 11:03:51 EST." References: Date: Fri, 13 Mar 1998 18:07:40 -0700 From: "M. Warner Losh" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- In message Snob Art Genre writes: : > And in particular, I was looking for the public key: : > >> PGP Key: ftp://ftp.freebsd.org/pub/CERT/public_key.asc : > Where should I really look? : : ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc I certify that this is correct. You can test this certification by using the key in the above location to check my signature. If it works, then it is OK, otherwise something bad is afoot. Warner -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBNQnYWVUuHi5z0oilAQHbCQQAkPqPNXg0z2apVPTLI3tQlz1X8C4md72s y6T/EE8jIbU69O44BiNAQurwczzZq8K6Ppu/kHhhWpSNLCXQVhFnXoNjR5qnzC2n qKMM+IkPf00KjgqebTlJQ4+9VeUs+snl9I0u13v9pc3k0g2Xaqug2rkiDQXw5pC1 1TLyDTdUTTs= =PbDm -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Mar 16 10:56:45 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA16656 for freebsd-security-outgoing; Mon, 16 Mar 1998 10:56:45 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA16612; Mon, 16 Mar 1998 10:56:27 -0800 (PST) (envelope-from guido@gvr.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.8/8.8.5) id TAA04726; Mon, 16 Mar 1998 19:56:08 +0100 (MET) From: Guido van Rooij Message-Id: <199803161856.TAA04726@gvr.gvr.org> Subject: Re: Missing advisories In-Reply-To: from Guy Helmer at "Mar 13, 98 08:35:49 am" To: ghelmer@scl.ameslab.gov (Guy Helmer) Date: Mon, 16 Mar 1998 19:56:08 +0100 (MET) Cc: security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Guy Helmer wrote: > While checking and revising my pointers to advisories due to the > advisories having been moved to > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/, I noticed advisories > 97:06 (f00f) and 97:05 (open) seem to be missing from the new archive > location. I didn't keep copies of those advisories -- are they available > anywhere else? > Thanks for the notification. I have restored the missing ones. -Guido To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Mar 16 11:21:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA24346 for freebsd-security-outgoing; Mon, 16 Mar 1998 11:21:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA24308; Mon, 16 Mar 1998 11:21:01 -0800 (PST) (envelope-from security-officer@freebsd.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.8/8.8.5) id UAA04937; Mon, 16 Mar 1998 20:20:45 +0100 (MET) Message-Id: <199803161920.UAA04937@gvr.gvr.org> From: FreeBSD Security Officer To: freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org Subject: FreeBSD Security Advisory: FreeBSD-SA-98:02.mmap Date: Mon, 16 Mar 1998 20:22:00 +0100 (MET) Reply-To: security-officer@FreeBSD.ORG From: FreeBSD Security Officer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Recently, the FreeBSD CERT archive has been moved. The move has been announced in the latest 2 advisories, SA-98:01 and SA-98:02. Unfortunately, an error was made in both advisories, so the wrong location was published. The correct location of the FreeBSD advisory archive is now: ftp://ftp.freebsd.org/pub/FreeBSD/CERT ============================================================================= The FreeBSD Project, Inc. Web Site: http://www.freebsd.com/ Confidential contacts: security-officer@freebsd.org Security notifications: security-notifications@freebsd.org Security public discussion: freebsd-security@freebsd.org PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNQ17cFUuHi5z0oilAQGszgP/Qci+Ti40fIPtkphfQRPTyBBpDP8rmr8j uk4gcAO9wLGqMJ25imPPuDVSJ3H6RDIFoQmTbi7QkHYCjD+kn7+haOm6M28Y78iF 9Yy0josdgUpPdEXc1kpnAgt3cvwlz0ZJnCbx8CjFLpjrM2plWdlksfd7mX5tt3c+ f1ARitF5IuU= =X76C -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Mar 17 07:08:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA25970 for freebsd-security-outgoing; Tue, 17 Mar 1998 07:08:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from butch.transport.com (butch.transport.com [204.119.17.85]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA25924; Tue, 17 Mar 1998 07:08:03 -0800 (PST) (envelope-from mgweiss@transport.com) Received: from GATSBY (pdx2-92.transport.com [209.51.88.219]) by butch.transport.com (8.8.5/8.8.5) with SMTP id HAA28321; Tue, 17 Mar 1998 07:09:07 -0800 Date: Tue, 17 Mar 1998 07:09:07 -0800 Message-Id: <199803171509.HAA28321@butch.transport.com> From: Mathew Weiss MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: MathewX_Weiss@ccm.hf.intel.com Cc: freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org Subject: FreeBSD Security Advisory: FreeBSD-SA-98:02.mmap In-Reply-To: <199803161920.UAA04937@gvr.gvr.org> References: <199803161920.UAA04937@gvr.gvr.org> X-Mailer: VM 6.34 under Emacs 19.34.6 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk FreeBSD Security Officer , FreeBSD Security Officer writes: > -----BEGIN PGP SIGNED MESSAGE----- > > Recently, the FreeBSD CERT archive has been moved. The move has been > announced in the latest 2 advisories, SA-98:01 and SA-98:02. > > Unfortunately, an error was made in both advisories, so the wrong > location was published. > > The correct location of the FreeBSD advisory archive is now: > ftp://ftp.freebsd.org/pub/FreeBSD/CERT > > ============================================================================= > The FreeBSD Project, Inc. > > Web Site: http://www.freebsd.com/ > Confidential contacts: security-officer@freebsd.org > Security notifications: security-notifications@freebsd.org > Security public discussion: freebsd-security@freebsd.org > PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc > > ============================================================================= > > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBNQ17cFUuHi5z0oilAQGszgP/Qci+Ti40fIPtkphfQRPTyBBpDP8rmr8j > uk4gcAO9wLGqMJ25imPPuDVSJ3H6RDIFoQmTbi7QkHYCjD+kn7+haOm6M28Y78iF > 9Yy0josdgUpPdEXc1kpnAgt3cvwlz0ZJnCbx8CjFLpjrM2plWdlksfd7mX5tt3c+ > f1ARitF5IuU= > =X76C > -----END PGP SIGNATURE----- > > This is the moderated mailing list freebsd-announce. > The list contains announcements of new FreeBSD capabilities, > important events and project milestones. > See also the FreeBSD Web pages at http://www.freebsd.org > > To unsubscribe from freebsd-announce, send a mail to > majordomo@freebsd.org with the body > > unsubscribe freebsd-announce > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-announce" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Mar 18 05:36:42 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA06482 for freebsd-security-outgoing; Wed, 18 Mar 1998 05:36:42 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from vs1.virtualisys.com ([207.137.172.173]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA06399; Wed, 18 Mar 1998 05:36:12 -0800 (PST) (envelope-from randyk@ccsales.com) Received: from ntrkcasa (pool30.hiper.net [207.137.172.30] (may be forged)) by vs1.virtualisys.com (8.8.8/8.8.8) with SMTP id FAA04103; Wed, 18 Mar 1998 05:36:21 -0800 (PST) Message-Id: <3.0.5.32.19980318053555.02e196f0@ccsales.com> X-Sender: randyk@ccsales.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 18 Mar 1998 05:35:55 -0800 To: security-officer@FreeBSD.ORG, freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org From: "Randy A. Katz" Subject: FreeBSD Security Advisory In-Reply-To: <199803161920.UAA04937@gvr.gvr.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Hello, How do I: 1. Update my machines source to the Released product. 2. Apply the security patches. Example: The current released product is now 2.2.5. Do I change the tag=RELENG_2_2_5_RELEASE in my cvsupfile and bring it all it, recompile, etc... Then how do I get up to date, automatically, with the security advisories? Is there a syntax to use with cvsup? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Mar 18 06:37:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA19683 for freebsd-security-outgoing; Wed, 18 Mar 1998 06:37:16 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from vs1.virtualisys.com ([207.137.172.173]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA19535; Wed, 18 Mar 1998 06:36:28 -0800 (PST) (envelope-from randyk@ccsales.com) Received: from ntrkcasa (pool30.hiper.net [207.137.172.30] (may be forged)) by vs1.virtualisys.com (8.8.8/8.8.8) with SMTP id GAA08926; Wed, 18 Mar 1998 06:36:34 -0800 (PST) Message-Id: <3.0.5.32.19980318063607.02e5daf0@ccsales.com> X-Sender: randyk@ccsales.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 18 Mar 1998 06:36:07 -0800 To: security-officer@FreeBSD.ORG, freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org From: "Randy A. Katz" Subject: Re: FreeBSD Security Advisory In-Reply-To: <3.0.5.32.19980318053555.02e196f0@ccsales.com> References: <199803161920.UAA04937@gvr.gvr.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Sorry for the cross-post, I pushed reply-all, accident. >How do I: > >1. Update my machines source to the Released product. >2. Apply the security patches. > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Mar 18 11:51:47 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA10141 for freebsd-security-outgoing; Wed, 18 Mar 1998 11:51:47 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA10129 for ; Wed, 18 Mar 1998 11:51:39 -0800 (PST) (envelope-from opsys@mail.webspan.net) Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id OAA14051 for ; Wed, 18 Mar 1998 14:48:41 -0500 (EST) Date: Wed, 18 Mar 1998 14:51:34 -0500 (EST) From: Open Systems Networking X-Sender: opsys@orion.webspan.net To: freebsd-security@FreeBSD.ORG Subject: I need some proxies! :) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk I hate anti-commercial licenses :) I'm about to build a security/internet connection for a local corp. That goes a little something like this: Internet--->IPFW/NAT server--->proxy server/SKIP--->Internal lan. Everything is just peachy till I hat the freakin proxy server. My choice is FWTK proxies or SOCKS. And im not sure if there unable to be used because it's for a commercial entity or not. The license for FWTK to *ME* reads that it can be used even commercial as long as its not used by a commercial entity to make a product. I.e. in this instance to just run internally to the corp. and thats all. But im not positive im checking on this. So my problem comes if I can't use the FWTK proxies since its for a commercial use. What other choices for proxies do i have for a FreeBSD box? who out there is using or has found a good proxy solution to get around this blasted commercial license problem. Don't get me wrong im not pissing and moaning because they don't want it used for free in a commercial environment, im pissing and moaning because they wont port their commercial firewall to FreeBSD. so i get wedged between not using the free one for commercial use and them pretty much refusing to port their commercial product to fbsd. There trying to have their cake and eat it to in my opinion and that sucks. So my snafu right now is trying to find a solution for proxies. ANY ideas anyone has or any pointers would really be appreciated! Chris -- "I am closed minded. It keeps the rain out." ===================================| Open Systems Networking And Consulting. FreeBSD 2.2.5 is available now! | Phone: 316-326-6800 -----------------------------------| 1402 N. Washington, Wellington, KS-67152 FreeBSD: The power to serve! | E-Mail: opsys@open-systems.net http://www.freebsd.org | Consulting-Network Engineering-Security ===================================| http://open-systems.net -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzPemUsAAAEH/06iF0BU8pMtdLJrxp/lLk3vg9QJCHajsd25gYtR8X1Px1Te gWU0C4EwMh4seDIgK9bzFmjjlZOEgS9zEgia28xDgeluQjuuMyUFJ58MzRlC2ONC foYIZsFyIqdjEOCBdfhH5bmgB5/+L5bjDK6lNdqD8OAhtC4Xnc1UxAKq3oUgVD/Z d5UJXU2xm+f08WwGZIUcbGcaonRC/6Z/5o8YpLVBpcFeLtKW5WwGhEMxl9WDZ3Kb NZH6bx15WiB2Q/gZQib3ZXhe1xEgRP+p6BnvF364I/To9kMduHpJKU97PH3dU7Mv CXk2NG3rtOgLTEwLyvtBPqLnbx35E0JnZc0k5YkABRO0JU9wZW4gU3lzdGVtcyA8 b3BzeXNAb3Blbi1zeXN0ZW1zLm5ldD4= =BBjp -----END PGP PUBLIC KEY BLOCK----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Mar 18 15:23:21 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA20587 for freebsd-security-outgoing; Wed, 18 Mar 1998 15:23:21 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fang.cs.sunyit.edu (root@fang.cs.sunyit.edu [192.52.220.66]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA20518 for ; Wed, 18 Mar 1998 15:23:11 -0800 (PST) (envelope-from perlsta@cs.sunyit.edu) Received: from win95.local.sunyit.edu (A-T34.rh.sunyit.edu [150.156.210.241]) by fang.cs.sunyit.edu (8.8.5/8.7.3) with SMTP id TAA00637; Wed, 18 Mar 1998 19:24:59 GMT Message-ID: <002701bd52c4$6425abe0$0600a8c0@win95.local.sunyit.edu> From: "Alfred Perlstein" To: , "Randy A. Katz" Subject: Re: FreeBSD Security Advisory Date: Wed, 18 Mar 1998 18:20:05 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk oopps, i forgot, you will need to look in the "cert" directory, therin lies the patch files, i've never done this so i'm not exactly sure how to go about using them. AND QUIT THE DAMN CROSSPOSTING!!! :) (you did it again) -Alfred -----Original Message----- From: Randy A. Katz To: security-officer@FreeBSD.ORG ; freebsd-security-notifications@FreeBSD.ORG ; freebsd-announce@FreeBSD.ORG ; freebsd-security@FreeBSD.ORG ; first-teams@first.org Date: Wednesday, March 18, 1998 5:57 AM Subject: Re: FreeBSD Security Advisory >Sorry for the cross-post, I pushed reply-all, accident. > >>How do I: >> >>1. Update my machines source to the Released product. >>2. Apply the security patches. >> > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Mar 19 17:55:59 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA23650 for freebsd-security-outgoing; Thu, 19 Mar 1998 17:55:59 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns2.sminter.com.ar (ns2.sminter.com.ar [200.10.100.11]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA23626 for ; Thu, 19 Mar 1998 17:55:38 -0800 (PST) (envelope-from Recabarren!fpscha@ns2.sminter.com.ar) Received: (from uucp@localhost) by ns2.sminter.com.ar (8.8.5/8.8.4) id WAA00059 for FreeBSD.ORG!freebsd-security; Thu, 19 Mar 1998 22:54:37 -0300 (GMT) >Received: (from fpscha@localhost) by localhost.schapachnik.com.ar (8.8.5/8.8.5) id XAA00429; Wed, 18 Mar 1998 23:05:37 -0300 (ARST) From: "Fernando P. Schapachnik" Message-Id: <199803190205.XAA00429@localhost.schapachnik.com.ar> Subject: Re: I need some proxies! :) To: opsys@mail.webspan.net (Open Systems Networking) Date: Wed, 18 Mar 1998 23:05:37 -0300 (ARST) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: from Open Systems Networking at "Mar 18, 98 02:51:34 pm" Reply-To: fpscha@schapachnik.com.ar X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Why don't you try squid? (www.nlanr.net/squid if I'm not wrong). There is a FBSD port. It's an excellent proxy server and http acelerator. Good luck! En un mensaje anterior Open Systems Networking escribi˘: > > I hate anti-commercial licenses :) > > I'm about to build a security/internet connection for a local corp. > That goes a little something like this: > > Internet--->IPFW/NAT server--->proxy server/SKIP--->Internal lan. > > Everything is just peachy till I hat the freakin proxy server. > My choice is FWTK proxies or SOCKS. And im not sure if there unable to be > used because it's for a commercial entity or not. > Fernando P. Schapachnik fpscha@schapachnik.com.ar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Mar 19 18:08:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA25376 for freebsd-security-outgoing; Thu, 19 Mar 1998 18:08:48 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from relay.ripco.com (relay.ripco.com [209.100.227.3]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id SAA25170 for ; Thu, 19 Mar 1998 18:07:36 -0800 (PST) (envelope-from rezidew@rezidew.net) Received: (qmail 1895 invoked from network); 20 Mar 1998 02:07:44 -0000 Received: from soap.rezidew.net (HELO rezidew.net) (209.100.228.86) by relay.ripco.com with SMTP; 20 Mar 1998 02:07:44 -0000 Message-ID: <3511D0C8.2EC8A24C@rezidew.net> Date: Thu, 19 Mar 1998 20:13:28 -0600 From: Graphic Rezidew Organization: rezidew.net X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 3.0-971225-SNAP i386) MIME-Version: 1.0 To: Open Systems Networking CC: freebsd-security@FreeBSD.ORG Subject: Re: I need some proxies! :) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Open Systems Networking wrote: > > I hate anti-commercial licenses :) > > I'm about to build a security/internet connection for a local corp. > That goes a little something like this: > > Internet--->IPFW/NAT server--->proxy server/SKIP--->Internal lan. > Just out of curiosity, why would you need a proxy on the "inside" of the ''firewall''? I could see using it in select situations, but you may be walking up a hill that you don't need to. -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ I really hate this damned machine I wish that they would sell it. It never does quite what I want But only what I tell it. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Graphic Rezidew rezidew@rezidew.net http://Graphic.Rezidew.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Mar 19 18:18:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA27596 for freebsd-security-outgoing; Thu, 19 Mar 1998 18:18:23 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from relay.ripco.com (relay.ripco.com [209.100.227.3]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id SAA27577 for ; Thu, 19 Mar 1998 18:18:15 -0800 (PST) (envelope-from rezidew@rezidew.net) Received: (qmail 2644 invoked from network); 20 Mar 1998 02:18:24 -0000 Received: from soap.rezidew.net (HELO rezidew.net) (209.100.228.86) by relay.ripco.com with SMTP; 20 Mar 1998 02:18:24 -0000 Message-ID: <3511D348.52EC503C@rezidew.net> Date: Thu, 19 Mar 1998 20:24:08 -0600 From: Graphic Rezidew Organization: rezidew.net X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 3.0-971225-SNAP i386) MIME-Version: 1.0 To: fpscha@schapachnik.com.ar CC: Open Systems Networking , freebsd-security@FreeBSD.ORG Subject: Re: I need some proxies! :) References: <199803190205.XAA00429@localhost.schapachnik.com.ar> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk but what, then, does he do for services other than HTTP? Fernando P. Schapachnik wrote: > > Why don't you try squid? (www.nlanr.net/squid if I'm not wrong). There is > a FBSD port. It's an excellent proxy server and http acelerator. > Good luck! > > En un mensaje anterior Open Systems Networking escribi˘: > > > > I hate anti-commercial licenses :) > > > > I'm about to build a security/internet connection for a local corp. > > That goes a little something like this: > > > > Internet--->IPFW/NAT server--->proxy server/SKIP--->Internal lan. > > > > Everything is just peachy till I hat the freakin proxy server. > > My choice is FWTK proxies or SOCKS. And im not sure if there unable to be > > used because it's for a commercial entity or not. > > > > Fernando P. Schapachnik > fpscha@schapachnik.com.ar > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ We can predict everything, except the future. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Graphic Rezidew rezidew@rezidew.net http://Graphic.Rezidew.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Mar 19 20:02:37 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA14230 for freebsd-security-outgoing; Thu, 19 Mar 1998 20:02:37 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA14211 for ; Thu, 19 Mar 1998 20:02:26 -0800 (PST) (envelope-from opsys@mail.webspan.net) Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id WAA02792; Thu, 19 Mar 1998 22:59:26 -0500 (EST) Date: Thu, 19 Mar 1998 23:02:11 -0500 (EST) From: Open Systems Networking X-Sender: opsys@orion.webspan.net To: Graphic Rezidew cc: freebsd-security@FreeBSD.ORG Subject: Re: I need some proxies! :) In-Reply-To: <3511D0C8.2EC8A24C@rezidew.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Thu, 19 Mar 1998, Graphic Rezidew wrote: > Open Systems Networking wrote: > > > > I hate anti-commercial licenses :) > > > > I'm about to build a security/internet connection for a local corp. > > That goes a little something like this: > > > > Internet--->IPFW/NAT server--->proxy server/SKIP--->Internal lan. > > > > Just out of curiosity, why would you need a proxy on the "inside" of the > ''firewall''? I could see using it in select situations, but you may be > walking up a hill that you don't need to. Funny you should ask :) thats the EXACT same thought I had. I'd rather run the proxies ON the firewall machine. BUT in order to sell them this idea i have to comply with their corporate IT security dept. specs. I have little respect for most "security professionals" people anyway, and to me this seems futile and just extra work, but im sure somewhere someone can bring ONE valid point for this. It just eludes me right now. But yes the main reason is too sell them this idea and bag this contract i have to follow their corporate security plan. (READ pain in the ass). Chris -- "I am closed minded. It keeps the rain out." ===================================| Open Systems Networking And Consulting. FreeBSD 2.2.5 is available now! | Phone: 316-326-6800 -----------------------------------| 1402 N. Washington, Wellington, KS-67152 FreeBSD: The power to serve! | E-Mail: opsys@open-systems.net http://www.freebsd.org | Consulting-Network Engineering-Security ===================================| http://open-systems.net -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzPemUsAAAEH/06iF0BU8pMtdLJrxp/lLk3vg9QJCHajsd25gYtR8X1Px1Te gWU0C4EwMh4seDIgK9bzFmjjlZOEgS9zEgia28xDgeluQjuuMyUFJ58MzRlC2ONC foYIZsFyIqdjEOCBdfhH5bmgB5/+L5bjDK6lNdqD8OAhtC4Xnc1UxAKq3oUgVD/Z d5UJXU2xm+f08WwGZIUcbGcaonRC/6Z/5o8YpLVBpcFeLtKW5WwGhEMxl9WDZ3Kb NZH6bx15WiB2Q/gZQib3ZXhe1xEgRP+p6BnvF364I/To9kMduHpJKU97PH3dU7Mv CXk2NG3rtOgLTEwLyvtBPqLnbx35E0JnZc0k5YkABRO0JU9wZW4gU3lzdGVtcyA8 b3BzeXNAb3Blbi1zeXN0ZW1zLm5ldD4= =BBjp -----END PGP PUBLIC KEY BLOCK----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Mar 19 20:05:46 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA14592 for freebsd-security-outgoing; Thu, 19 Mar 1998 20:05:46 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA14579 for ; Thu, 19 Mar 1998 20:05:38 -0800 (PST) (envelope-from opsys@mail.webspan.net) Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id XAA03258; Thu, 19 Mar 1998 23:01:51 -0500 (EST) Date: Thu, 19 Mar 1998 23:04:43 -0500 (EST) From: Open Systems Networking X-Sender: opsys@orion.webspan.net To: Graphic Rezidew cc: fpscha@schapachnik.com.ar, freebsd-security@FreeBSD.ORG Subject: Re: I need some proxies! :) In-Reply-To: <3511D348.52EC503C@rezidew.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Thu, 19 Mar 1998, Graphic Rezidew wrote: > but what, then, does he do for services other than HTTP? Yes, it does FTP as well. But other than that with SQUID im SOL i believe. Although I think obtuse has a free SMTPD proxy. All I really need is an mail proxy, and a web proxy, maybe FTP. Other than that this corporate IT security plan pretty much nukes everything else from being run. Chris -- "I am closed minded. It keeps the rain out." ===================================| Open Systems Networking And Consulting. FreeBSD 2.2.5 is available now! | Phone: 316-326-6800 -----------------------------------| 1402 N. Washington, Wellington, KS-67152 FreeBSD: The power to serve! | E-Mail: opsys@open-systems.net http://www.freebsd.org | Consulting-Network Engineering-Security ===================================| http://open-systems.net -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzPemUsAAAEH/06iF0BU8pMtdLJrxp/lLk3vg9QJCHajsd25gYtR8X1Px1Te gWU0C4EwMh4seDIgK9bzFmjjlZOEgS9zEgia28xDgeluQjuuMyUFJ58MzRlC2ONC foYIZsFyIqdjEOCBdfhH5bmgB5/+L5bjDK6lNdqD8OAhtC4Xnc1UxAKq3oUgVD/Z d5UJXU2xm+f08WwGZIUcbGcaonRC/6Z/5o8YpLVBpcFeLtKW5WwGhEMxl9WDZ3Kb NZH6bx15WiB2Q/gZQib3ZXhe1xEgRP+p6BnvF364I/To9kMduHpJKU97PH3dU7Mv CXk2NG3rtOgLTEwLyvtBPqLnbx35E0JnZc0k5YkABRO0JU9wZW4gU3lzdGVtcyA8 b3BzeXNAb3Blbi1zeXN0ZW1zLm5ldD4= =BBjp -----END PGP PUBLIC KEY BLOCK----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Mar 19 20:18:59 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA16786 for freebsd-security-outgoing; Thu, 19 Mar 1998 20:18:59 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail13.digital.com (mail13.digital.com [192.208.46.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA16773 for ; Thu, 19 Mar 1998 20:18:48 -0800 (PST) (envelope-from Dewayne.Geraghty@digital.com) Received: from snopf1.dhcp.sno.dec.com (snopf1.dhcp.sno.dec.com [16.172.128.251]) by mail13.digital.com (8.8.8/8.8.8/WV1.0c) with ESMTP id XAA06373; Thu, 19 Mar 1998 23:18:37 -0500 (EST) Received: by snopf1.dhcp.sno.dec.com with Internet Mail Service (5.5.1960.3) id ; Fri, 20 Mar 1998 15:18:28 +1100 Message-ID: From: Dewayne Geraghty To: "'Graphic Rezidew'" Cc: freebsd-security@FreeBSD.ORG Subject: RE: I need some proxies! :) Date: Fri, 20 Mar 1998 15:18:23 +1100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk I think that the problem needs further clarification. To answer your question, Graphic. You'd put a proxy behind the firewall to minimize the types of attacks that can be launched against the proxy. If the proxy has nothing but the proxy software, then this is a pretty fair solution. A slight improvement on this stratgy is to place a relay on the outside of the firewall which is permitted, via the firewall, to only access the internal proxy server. internet - (external proxy relay/bastion host) - filter gateway - internal proxy server - internal backbone Some books call these different things: here the "proxy server" is internal, and the "proxy relay" is external. BTW: squid's a good choice for the internal proxy/cache server - but as I'm very new to FreeBSD (and UNIX in general), I'm unsure of what applications provide relay services? Kind regards, Dewayne. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Mar 20 07:54:29 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA12123 for freebsd-security-outgoing; Fri, 20 Mar 1998 07:54:29 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mailbox.nosc.mil (mailbox.nosc.mil [198.253.34.39]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA12108 for ; Fri, 20 Mar 1998 07:54:24 -0800 (PST) (envelope-from swann@nosc.mil) Received: from localhost (swann@localhost) by mailbox.nosc.mil (8.8.3/8.8.3) with SMTP id KAA01982; Fri, 20 Mar 1998 10:53:26 -0500 (EST) X-Authentication-Warning: mailbox.nosc.mil: swann owned process doing -bs Date: Fri, 20 Mar 1998 10:53:26 -0500 (EST) From: Bryan Swann X-Sender: swann@mailbox To: Open Systems Networking cc: Graphic Rezidew , freebsd-security@FreeBSD.ORG Subject: Re: I need some proxies! :) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk I too have had runins with local network security specialists that know very little about security. Generally they are more concerned about the locks on the doors that protect the systems from a few people versus the network security that protects the systems from millions of people. However, a seperate web proxy is often a good idea, especially for a large corporate office. Even with the latest hardware and proxy firewall, it is difficult for the firewall to meet the demand for throughput on a fast serial connection. The SQUID proxy server not only proxies the web data, it will cache the information for future access. This could significantly reduce the amount of data managed by the firewall. __________________________________________________________________________ | Bryan Swann (swann@nosc.mil) 803/566-0086 803/554-0015 (Fax) | | Eagan McAllister Associates, Inc. | | | | "Everything must be working perfectly, cause I don't smell any smoke" | -------------------------------------------------------------------------- On Thu, 19 Mar 1998, Open Systems Networking wrote: > On Thu, 19 Mar 1998, Graphic Rezidew wrote: > > > Open Systems Networking wrote: > > > > > > I hate anti-commercial licenses :) > > > > > > I'm about to build a security/internet connection for a local corp. > > > That goes a little something like this: > > > > > > Internet--->IPFW/NAT server--->proxy server/SKIP--->Internal lan. > > > > > > > Just out of curiosity, why would you need a proxy on the "inside" of the > > ''firewall''? I could see using it in select situations, but you may be > > walking up a hill that you don't need to. > > Funny you should ask :) thats the EXACT same thought I had. I'd rather run > the proxies ON the firewall machine. BUT in order to sell them this idea i > have to comply with their corporate IT security dept. specs. > I have little respect for most "security professionals" people anyway, and > to me this seems futile and just extra work, but im sure somewhere someone > can bring ONE valid point for this. It just eludes me right now. > But yes the main reason is too sell them this idea and bag this contract i > have to follow their corporate security plan. (READ pain in the ass). > > Chris > > -- > "I am closed minded. It keeps the rain out." > > ===================================| Open Systems Networking And Consulting. > FreeBSD 2.2.5 is available now! | Phone: 316-326-6800 > -----------------------------------| 1402 N. Washington, Wellington, KS-67152 > FreeBSD: The power to serve! | E-Mail: opsys@open-systems.net > http://www.freebsd.org | Consulting-Network Engineering-Security > ===================================| http://open-systems.net > > -----BEGIN PGP PUBLIC KEY BLOCK----- > Version: 2.6.2 > > mQENAzPemUsAAAEH/06iF0BU8pMtdLJrxp/lLk3vg9QJCHajsd25gYtR8X1Px1Te > gWU0C4EwMh4seDIgK9bzFmjjlZOEgS9zEgia28xDgeluQjuuMyUFJ58MzRlC2ONC > foYIZsFyIqdjEOCBdfhH5bmgB5/+L5bjDK6lNdqD8OAhtC4Xnc1UxAKq3oUgVD/Z > d5UJXU2xm+f08WwGZIUcbGcaonRC/6Z/5o8YpLVBpcFeLtKW5WwGhEMxl9WDZ3Kb > NZH6bx15WiB2Q/gZQib3ZXhe1xEgRP+p6BnvF364I/To9kMduHpJKU97PH3dU7Mv > CXk2NG3rtOgLTEwLyvtBPqLnbx35E0JnZc0k5YkABRO0JU9wZW4gU3lzdGVtcyA8 > b3BzeXNAb3Blbi1zeXN0ZW1zLm5ldD4= > =BBjp > -----END PGP PUBLIC KEY BLOCK----- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Mar 20 08:55:30 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA27786 for freebsd-security-outgoing; Fri, 20 Mar 1998 08:55:30 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mailbox.nosc.mil (mailbox.nosc.mil [198.253.34.39]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA27718 for ; Fri, 20 Mar 1998 08:55:14 -0800 (PST) (envelope-from swann@nosc.mil) Received: from localhost (swann@localhost) by mailbox.nosc.mil (8.8.3/8.8.3) with SMTP id LAA02207; Fri, 20 Mar 1998 11:54:17 -0500 (EST) X-Authentication-Warning: mailbox.nosc.mil: swann owned process doing -bs Date: Fri, 20 Mar 1998 11:54:17 -0500 (EST) From: Bryan Swann X-Sender: swann@mailbox To: Graphic Rezidew cc: Open Systems Networking , freebsd-security@FreeBSD.ORG Subject: Re: I need some proxies! :) In-Reply-To: <3511D0C8.2EC8A24C@rezidew.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk In case you didm't see my last post, there are valid reasons for having a seperate web proxy server. A web proxy like SQUID not only serves as a proxy, it caches the web data. When SQUID already has a web page in cache, there is no need fot it to go out on the Internat to get it. This can greatly reduce the amount of traffic going through the firewall. A second reason for a seperate web proxy is to reduce the processing the firewall has to perform. The firewall could simply use a packet screen rule, instead of a proxy, to only allow the REAL proxy server external access. The packet screen requires less processing than the proxy. I'm currently aiding a group in developing a parallel firewall solution. This design will include an internal web proxy/cache server. __________________________________________________________________________ | Bryan Swann (swann@nosc.mil) 803/566-0086 803/554-0015 (Fax) | | Eagan McAllister Associates, Inc. | | | | "Everything must be working perfectly, cause I don't smell any smoke" | -------------------------------------------------------------------------- On Thu, 19 Mar 1998, Graphic Rezidew wrote: > Open Systems Networking wrote: > > > > I hate anti-commercial licenses :) > > > > I'm about to build a security/internet connection for a local corp. > > That goes a little something like this: > > > > Internet--->IPFW/NAT server--->proxy server/SKIP--->Internal lan. > > > > Just out of curiosity, why would you need a proxy on the "inside" of the > ''firewall''? I could see using it in select situations, but you may be > walking up a hill that you don't need to. > > > -- > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > I really hate this damned machine > I wish that they would sell it. > It never does quite what I want > But only what I tell it. > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > Graphic Rezidew > rezidew@rezidew.net > http://Graphic.Rezidew.net > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Mar 20 09:11:47 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA02545 for freebsd-security-outgoing; Fri, 20 Mar 1998 09:11:47 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA02526 for ; Fri, 20 Mar 1998 09:11:38 -0800 (PST) (envelope-from opsys@mail.webspan.net) Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id MAA22390; Fri, 20 Mar 1998 12:08:39 -0500 (EST) Date: Fri, 20 Mar 1998 12:11:30 -0500 (EST) From: Open Systems Networking X-Sender: opsys@orion.webspan.net To: Bryan Swann cc: Graphic Rezidew , freebsd-security@FreeBSD.ORG Subject: Re: I need some proxies! :) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Fri, 20 Mar 1998, Bryan Swann wrote: > In case you didm't see my last post, there are valid reasons for having a > seperate web proxy server. A web proxy like SQUID not only serves as a > proxy, it caches the web data. When SQUID already has a web page in > cache, there is no need fot it to go out on the Internat to get it. This > can greatly reduce the amount of traffic going through the firewall. Yes i have used squid before, but I need not JUST web proxy services :) I was going to try and get them more than just mail and web service. But since there not willing to spend much my generosity over what their willing to pay for and what they COULD use is falling rapidly. So I think im just going to stick to mail and web/ftp since SQUID does FTP traffic as well. The rest they can pay me for when they get tired of not having it :) > A second reason for a seperate web proxy is to reduce the processing the > firewall has to perform. The firewall could simply use a packet screen > rule, instead of a proxy, to only allow the REAL proxy server external > access. The packet screen requires less processing than the proxy. Yeah squid is really great. Its an eye opern for users when they use it. but to keep them configured to use it with netscape or IE, etc.. gets tedious sometimes, but thats their local admins problem not mine. > I'm currently aiding a group in developing a parallel firewall solution. > This design will include an internal web proxy/cache server. You know, im not sure what platform your using, but I've been thinking of starting a FreeBSD consultants mailing list. A closed moderated list for all of us FreeBSD consultants to exchange ideas and help each other out. Since posting to -hackers is not quite the exact narrow audience I shoot for sometimes. It's a great list! dont get me wrong. It's just sometimes you want to get to the people who do exactly what you do, and apply it the same way. Not to mention there would be alot more information you could dish out to a closed list about who/where/pricing etc.. when talking about a certain client. Just an idea I have been kicking around. -- "I am closed minded. It keeps the rain out." ===================================| Open Systems Networking And Consulting. FreeBSD 2.2.5 is available now! | Phone: 316-326-6800 -----------------------------------| 1402 N. Washington, Wellington, KS-67152 FreeBSD: The power to serve! | E-Mail: opsys@open-systems.net http://www.freebsd.org | Consulting-Network Engineering-Security ===================================| http://open-systems.net -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzPemUsAAAEH/06iF0BU8pMtdLJrxp/lLk3vg9QJCHajsd25gYtR8X1Px1Te gWU0C4EwMh4seDIgK9bzFmjjlZOEgS9zEgia28xDgeluQjuuMyUFJ58MzRlC2ONC foYIZsFyIqdjEOCBdfhH5bmgB5/+L5bjDK6lNdqD8OAhtC4Xnc1UxAKq3oUgVD/Z d5UJXU2xm+f08WwGZIUcbGcaonRC/6Z/5o8YpLVBpcFeLtKW5WwGhEMxl9WDZ3Kb NZH6bx15WiB2Q/gZQib3ZXhe1xEgRP+p6BnvF364I/To9kMduHpJKU97PH3dU7Mv CXk2NG3rtOgLTEwLyvtBPqLnbx35E0JnZc0k5YkABRO0JU9wZW4gU3lzdGVtcyA8 b3BzeXNAb3Blbi1zeXN0ZW1zLm5ldD4= =BBjp -----END PGP PUBLIC KEY BLOCK----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Mar 20 21:51:19 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA23630 for freebsd-security-outgoing; Fri, 20 Mar 1998 21:51:19 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from relay.ripco.com (relay.ripco.com [209.100.227.3]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id VAA23608 for ; Fri, 20 Mar 1998 21:51:09 -0800 (PST) (envelope-from rezidew@rezidew.net) Received: (qmail 7227 invoked from network); 21 Mar 1998 05:51:19 -0000 Received: from soap.rezidew.net (HELO rezidew.net) (209.100.228.86) by relay.ripco.com with SMTP; 21 Mar 1998 05:51:19 -0000 Message-ID: <351356BD.F971649E@rezidew.net> Date: Fri, 20 Mar 1998 23:57:17 -0600 From: Graphic Rezidew Organization: rezidew.net X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 3.0-971225-SNAP i386) MIME-Version: 1.0 To: Bryan Swann CC: Open Systems Networking , freebsd-security@FreeBSD.ORG Subject: Re: I need some proxies! :) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk I completely understand that there MAY be cause for having a seperate ipfw and proxy server. I was just wondering if it were absolutely necessary in this case. I understand the pinch that corporate security guys can put on a project and that's all I was wondering. Bryan Swann wrote: > > In case you didm't see my last post, there are valid reasons for having a > seperate web proxy server. A web proxy like SQUID not only serves as a > proxy, it caches the web data. When SQUID already has a web page in > cache, there is no need fot it to go out on the Internat to get it. This > can greatly reduce the amount of traffic going through the firewall. > > A second reason for a seperate web proxy is to reduce the processing the > firewall has to perform. The firewall could simply use a packet screen > rule, instead of a proxy, to only allow the REAL proxy server external > access. The packet screen requires less processing than the proxy. > > I'm currently aiding a group in developing a parallel firewall solution. > This design will include an internal web proxy/cache server. ---big snip--- > > Just out of curiosity, why would you need a proxy on the "inside" of the > > ''firewall''? I could see using it in select situations, but you may be > > walking up a hill that you don't need to. ---snip--- -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ One of the advantages of being a captain is being able to ask for advice without necessarily having to take it. -- Kirk, "Dagger of the Mind", stardate 2715.2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Graphic Rezidew rezidew@rezidew.net http://Graphic.Rezidew.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Mar 20 23:46:25 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA07880 for freebsd-security-outgoing; Fri, 20 Mar 1998 23:46:25 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (root@FLEDGE.RES.CMU.EDU [128.2.91.116]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA07872 for ; Fri, 20 Mar 1998 23:46:22 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from trojanhorse.watson.org (SOLOMON.RES.CMU.EDU [128.2.91.111]) by fledge.watson.org (8.8.8/8.6.10) with SMTP id CAA28190 for ; Sat, 21 Mar 1998 02:46:21 -0500 (EST) Date: Sat, 21 Mar 1998 02:48:22 -0500 (EST) From: Robert Watson X-Sender: robert@trojanhorse.watson.org Reply-To: Robert Watson To: freebsd-security@FreeBSD.ORG Subject: lpd security problem fixed? (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk This did not get through; we try again? :) Apologies if this is the second pass for anyone. ---------- Forwarded message ---------- Date: Fri, 20 Mar 1998 16:19:53 -0500 (EST) From: Robert Watson To: security@freebsd.org Subject: lpd security problem fixed? A whiles back there was a post on bugtraq re: security exploits in the BSD print daemon (lpd). I was wondering if it had been fixed? We're about to deploy network printing, but we are not interested in people doing nasty things to us :). Thanks, Robert N Watson Carnegie Mellon University http://www.cmu.edu/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat Mar 21 15:12:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA17810 for freebsd-security-outgoing; Sat, 21 Mar 1998 15:12:23 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from bsdserve1.comsite.net (bsdserve1.comsite.net [205.238.176.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA17789 for ; Sat, 21 Mar 1998 15:12:18 -0800 (PST) (envelope-from dave@comsite.net) Received: from localhost (dave@localhost) by bsdserve1.comsite.net (8.8.7/8.8.5) with SMTP id RAA09020 for ; Sat, 21 Mar 1998 17:11:41 -0600 (CST) Date: Sat, 21 Mar 1998 17:11:40 -0600 (CST) From: dave To: freebsd-security@FreeBSD.ORG Subject: FreeBSD security audit, etc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Ok, I've just about hit my limit with respect to people bashing FreeBSD for security. (Specifically certain members of the OpenBSD community :) So, I have looked at the archives of the FreeBSD-security list and it looked like the security audit pretty much stopped some time ago and never restarted...Someone please correct me if I am wrong. So, to correct this, I would like to start making an effort to break apart the changes made to OpenBSD that will affect FreeBSD security and integrate those changes into the FreeBSD tree. If this actually sounds like a good thing to do, then I will need to know who the contact is that will be able to review my changes and check them into the necessary trees. I definitely want to avoid integrating any politically incorrect features from OpenBSD, but I want to make any changes that will improve security. If this stuff has already been done and I just missed it somewhere, please let me know. I think that if we can get some of the major integration work done then it will be a good time to restart the audit from scratch and pick up what was missed. Comments? --Dave Ferovick dave@comsite.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat Mar 21 15:25:26 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA20582 for freebsd-security-outgoing; Sat, 21 Mar 1998 15:25:26 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA20576 for ; Sat, 21 Mar 1998 15:25:16 -0800 (PST) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [194.198.43.36]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id XAA27379; Sat, 21 Mar 1998 23:25:00 GMT Received: (from eivind@localhost) by bitbox.follo.net (8.8.6/8.8.6) id AAA29328; Sun, 22 Mar 1998 00:24:56 +0100 (MET) Message-ID: <19980322002455.40800@follo.net> Date: Sun, 22 Mar 1998 00:24:55 +0100 From: Eivind Eklund To: dave , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD security audit, etc. References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89.1i In-Reply-To: ; from dave on Sat, Mar 21, 1998 at 05:11:40PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Sat, Mar 21, 1998 at 05:11:40PM -0600, dave wrote: > So, to correct this, I would like to start making an effort to break apart > the changes made to OpenBSD that will affect FreeBSD security and > integrate those changes into the FreeBSD tree. If this actually sounds > like a good thing to do, then I will need to know who the contact is that > will be able to review my changes and check them into the necessary trees. > I definitely want to avoid integrating any politically incorrect features > from OpenBSD, but I want to make any changes that will improve security. > > If this stuff has already been done and I just missed it somewhere, please > let me know. It has been partially done, but only partially. Hats off to Warner Losh for doing a lot of it. (I've done a little, but not really much.) /bin is AFAIK clean (everything is merged) - for everywhere else I don't know. I'll review and check in if these fixes if you sent them to me. (I can't guarantee commiting them verbatim, but I will do my best to make sure a patch is committed rapidly for any real problem.) If known, please indicate who in OpenBSD did the original fix. Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat Mar 21 20:46:03 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA03945 for freebsd-security-outgoing; Sat, 21 Mar 1998 20:46:03 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA03916 for ; Sat, 21 Mar 1998 20:45:56 -0800 (PST) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id UAA05481; Sat, 21 Mar 1998 20:45:47 -0800 (PST) (envelope-from jkh@time.cdrom.com) To: dave cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD security audit, etc. In-reply-to: Your message of "Sat, 21 Mar 1998 17:11:40 CST." Date: Sat, 21 Mar 1998 20:45:47 -0800 Message-ID: <5477.890541947@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk > So, I have looked at the archives of the FreeBSD-security list and it > looked like the security audit pretty much stopped some time ago and never > restarted...Someone please correct me if I am wrong. You are not wrong. Things just sort of ground to a halt with that. > like a good thing to do, then I will need to know who the contact is that > will be able to review my changes and check them into the necessary trees. If it's something that's more cosmetic than critical then filing a simple PR is probably adequate, otherwise please send it to security-officer@freebsd.org directly. Thanks! Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat Mar 21 23:16:42 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA18971 for freebsd-security-outgoing; Sat, 21 Mar 1998 23:16:42 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA18966 for ; Sat, 21 Mar 1998 23:16:36 -0800 (PST) (envelope-from mark@grondar.za) Received: from greenpeace.grondar.za (W8zF5wtc+oyMC6eJjzcDNSenJw22myaw@greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.8.8/8.8.8) with ESMTP id JAA14753; Sun, 22 Mar 1998 09:16:21 +0200 (SAST) (envelope-from mark@grondar.za) Received: from grondar.za (VgACHbR+f5z4h8+k0CxrlgXigVXmEu90@localhost [127.0.0.1]) by greenpeace.grondar.za (8.8.8/8.8.8) with ESMTP id JAA00351; Sun, 22 Mar 1998 09:16:20 +0200 (SAST) (envelope-from mark@grondar.za) Message-Id: <199803220716.JAA00351@greenpeace.grondar.za> To: Eivind Eklund cc: dave , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD security audit, etc. Date: Sun, 22 Mar 1998 09:16:18 +0200 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Eivind Eklund wrote: > /bin is AFAIK clean (everything is merged) - for everywhere else I > don't know. secure/ is clean. kerberosIV is as clean as KTH is (which is pretty good). M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message