From owner-freebsd-security Mon Mar 23 11:10:21 1998
From: Guido van Rooij
Message-Id: <199803231905.UAA00993@gvr.gvr.org>
Subject: Re: FreeBSD Security Advisory
In-Reply-To: <3.0.5.32.19980318053555.02e196f0@ccsales.com> from "Randy A. Katz" at "Mar 18, 98 05:35:55 am"
To: randyk@ccsales.com
Date: Mon, 23 Mar 1998 20:05:22 +0100 (MET)
Cc: security-officer@FreeBSD.ORG, freebsd-security-notifications@FreeBSD.ORG,
    freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org

Randy A. Katz wrote:
> Hello,
>
> How do I:
>
> 1. Update my machines source to the Released product.
> 2. Apply the security patches.
>
> Example:
>
> The current released product is now 2.2.5. Do I change the
> tag=RELENG_2_2_5_RELEASE in my cvsupfile and bring it all in, recompile,
> etc...
>
> Then how do I get up to date, automatically, with the security advisories?
>
> Is there a syntax to use with cvsup?

Please go to www.freebsd.org and check out the handbook. It is all in there!

-Guido

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From owner-freebsd-security Tue Mar 24 06:55:15 1998
Message-ID: <19980324145408.7397.qmail@hotmail.com>
From: "Andrej Aderhold"
To: freebsd-security@FreeBSD.ORG
Date: Tue, 24 Mar 1998 06:54:07 PST

who freebsd-security
who freebsd-isp

From owner-freebsd-security Thu Mar 26 09:59:36 1998
Date: Thu, 26 Mar 1998 12:58:05 -0500 (EST)
From: Jt
To: security-officer@FreeBSD.ORG
cc:
    freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG,
    freebsd-security@FreeBSD.ORG, first-teams@first.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:02.mmap
In-Reply-To: <199803121947.UAA17528@gvr.gvr.org>

Why was the patch Alex Nash added to ip_fw.c not added to the new release?
This is a needed option in ipfw.

hometeam@techpower.net
--We cannot all be masters, nor all masters
  Cannot be truly follow'd--

[Attachment: diff (TEXT/PLAIN; charset=US-ASCII, BASE64-encoded)]

From owner-freebsd-security Thu Mar 26 10:01:39 1998
Message-ID: <19980326180102.9784.qmail@jli.com>
To: Open Systems Networking
cc: freebsd-security@FreeBSD.ORG
Subject: Re: I need some proxies!
 :)
In-reply-to: Your message of Thu, 19 Mar 1998 23:02:11 EST.
Date: Thu, 26 Mar 1998 09:46:48 -0800
From: Bill Trost

On Thu, 19 Mar 1998, Graphic Rezidew wrote:
> Open Systems Networking wrote:
> > I'm about to build a security/internet connection for a local corp.
> > That goes a little something like this:
> >
> > Internet--->IPFW/NAT server--->proxy server/SKIP--->Internal lan.
> Just out of curiosity, why would you need a proxy on the "inside" of the
> ''firewall''? I could see using it in select situations, but you may be
> walking up a hill that you don't need to.

To keep outsiders from telnetting to the proxy server?

Actually, I was more wondering why you wanted to run NAT. The only box
that needs to speak to the outside world is the proxy server, so you
could just give it a real IP address. Put the internal network on net
10.0.0.0, don't put any routes to net 10 on the firewall, and there is
"no way" that an attacker could send any packets to the inside hosts.

Gee, and that's a reason to keep the packet filter and the proxy
separate, too. You can't do routing restrictions in a single-box
implementation.

From owner-freebsd-security Thu Mar 26 10:01:44 1998
Message-ID: <19980326180101.9780.qmail@jli.com>
To: Open Systems Networking
cc: freebsd-security@FreeBSD.ORG
Subject: Re: I need some proxies! :)
In-reply-to: Your message of Thu, 19 Mar 1998 23:04:43 EST.
Date: Thu, 26 Mar 1998 09:38:12 -0800
From: Bill Trost

Open Systems Networking writes:
    Yes, it does FTP as well. But other than that with SQUID I'm SOL I believe.

Squid does WAIS and gopher as well ("Do you care?" is a different
question).

    Although I think obtuse has a free SMTPD proxy.

FreeBSD comes with a mail proxy: It's called "sendmail". Personally,
though, I'd replace it with qmail, just for the paranoia value. There's
no reason the mailer on your proxy boxy should have to run as root. I
really doubt you want local delivery on the box at all.

From owner-freebsd-security Thu Mar 26 15:26:34 1998
Message-Id: <199803262325.RAA08454@nash.pr.mcs.net>
Date: Thu, 26 Mar 1998 17:25:36 -0600 (CST)
From: Alex Nash
Subject: ipfw patch in 2.2.6 (was Re: FreeBSD Security Advisory: FreeBSD-SA-98:02.mmap)
To: freebsd-security@FreeBSD.ORG

[ For some reason I seem to have fallen off the security mailing list,
  but luckily someone forwarded this to me. Apologies if I've missed any
  subsequent discussion about this...]

Jt wrote:
> Why was the patch Alex Nash added to ip_fw.c not added to the new
> release ? This is a needed option in ipfw .

As I explained to Jt earlier today, this patch was generated close
enough to the 2.2.6 release that I did not feel comfortable bringing it
in until after 2.2.6 was released. I will be merging this into -stable
shortly.

I would like to point out that this is NOT a security hole of any kind,
but merely a missing feature in the previous implementation. The patch
allows firewalls to send back ICMP unreachable requests in response to
ICMP query messages.

Alex
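
The behaviour Alex Nash describes, a reject rule answering ICMP query messages but not other ICMP traffic, is sketched below as an added example; it is not the patch from this thread and not FreeBSD's ip_fw.c code. The function names and the sample packet builder are this example's own, and the broadcast, multicast and fragment checks follow RFC 1122 rather than anything stated in the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMP query types (RFC 792, 950, 1256): echo, router solicitation,
 * timestamp, information request, address mask request. */
static int icmp_is_query(uint8_t type)
{
    return type == 8 || type == 10 || type == 13 || type == 15 || type == 17;
}

/* May a packet that matched a reject rule be answered with an ICMP
 * unreachable? pkt points at the IPv4 header, len is the bytes available.
 * Returns 1 to send the notice, 0 to drop silently. Hypothetical helper. */
int may_send_reject(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return 0;                                 /* no usable IPv4 header */
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;    /* IHL counts 32-bit words */
    if (hlen < 20 || hlen > len) return 0;        /* malformed or truncated */
    if ((pkt[16] & 0xf0) == 0xe0) return 0;       /* dst in 224.0.0.0/4 */
    if (memcmp(pkt + 16, "\xff\xff\xff\xff", 4) == 0)
        return 0;                                 /* limited broadcast */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)
        return 0;                                 /* non-initial fragment */
    if (pkt[9] != 1) return 1;                    /* not ICMP: always answer */
    if (len <= hlen) return 0;                    /* ICMP type byte missing */
    return icmp_is_query(pkt[hlen]);              /* queries yes, the rest no */
}

/* Constructed sample input: an IPv4 header of hlen bytes (multiple of 4,
 * so IP options are possible) plus one payload byte, which is the ICMP
 * type when proto is 1. Destination is dst0.0.2.1. */
size_t make_pkt(uint8_t *buf, size_t hlen, uint8_t proto, uint8_t dst0, uint8_t type)
{
    memset(buf, 0, hlen + 1);
    buf[0] = (uint8_t)(0x40 | (hlen / 4));
    buf[9] = proto;
    buf[16] = dst0; buf[17] = 0; buf[18] = 2; buf[19] = 1;
    buf[hlen] = type;
    return hlen + 1;
}

int main(void)
{
    uint8_t b[64];
    printf("echo request, 24-byte header: %d\n", may_send_reject(b, make_pkt(b, 24, 1, 192, 8)));
    printf("destination unreachable:      %d\n", may_send_reject(b, make_pkt(b, 20, 1, 192, 3)));
    return 0;
}
```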