From owner-freebsd-security Sun Apr 9 9:28:17 2000
From: Robert Watson
Date: Sun, 9 Apr 2000 12:26:28 -0400 (EDT)
Reply-To: TrustedBSD Discussion List
To: TrustedBSD Announcements List
Subject: Announcement: TrustedBSD Extensions Project

I'm happy to announce the TrustedBSD Project, a set of trusted operating system extensions for the FreeBSD operating system. TrustedBSD consists of a set of kernel and user-land extensions targeting the Orange Book B1 evaluation criteria. Development is currently underway, and most of the code is destined to go back into the base FreeBSD operating system; however, as some components are both extensive and intrusive, the TrustedBSD project provides a forum for discussion, design, and development in the interim. Trusted operating systems have a variety of requirements above and beyond the normal operating system feature set, including the requirement that they be extensively documented.

To whet your appetite, the following features are among those under development:

o Extensible and audited authorization framework for integrating third-party authorization modules, including general-purpose subject and object labeling and centralized policy management.

o Fine-grained capabilities for system functions so as to implement least-privilege and reduce the risks of compromise.

o Mandatory access control for privacy and integrity, allowing FreeBSD to be used in environments hosting mutually suspicious parties and multi-level security models.

o Access control lists for the file system and other kernel resources allowing fine-grained and manageable discretionary access control.

o Event auditing support and single-host modular IDS system to monitor security events and notify administrators in the event of irregularities.

The TrustedBSD extensions will be made available under a two-clause BSD-style license, which permits integration of the extensions into projects under almost any licensing model, both free and commercial.

A web site is now online to act as a central source of information about the project, and as a distribution point for code not yet committed to the FreeBSD source repository.

http://www.trustedbsd.org/

There are also two mailing lists, trustedbsd-discuss and trustedbsd-announce; more mailing lists will be created as necessary. To subscribe to these mailing lists, please send email to:

majordomo@trustedbsd.org

Further information is available on the web site.
Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Apr 10 2:43:43 2000
From: Eugeny Kuzakov
Reply-To: CoreDumped@CoreDumped.null.ru
Date: Mon, 10 Apr 2000 13:42:58 +0400 (MSD)
To: security@freebsd.org
Subject: ipsec in 4.0R and kame.net

Hi ppl,

Which snapshot/version of KAME is compatible with the IPsec that is embedded in 4.0R? I have 4.0R and 3.4R machines. I need to set up IPsec communications between these machines.

Thanks,
Eugeny.
From owner-freebsd-security Mon Apr 10 13:59:03 2000
From: FreeBSD Security Officer
Reply-To: security-officer@freebsd.org
Date: Mon, 10 Apr 2000 13:58:54 -0700 (PDT)
Message-Id: <200004102058.NAA07113@freefall.freebsd.org>
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:11.ircii

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:11                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ircII port contains a remote overflow

Category:       ports
Module:         ircII
Announced:      2000-04-10
Credits:        Derek Callaway via BugTraq
                "bladi" via BugTraq
Affects:        Ports collection before the correction date.
Corrected:      2000-03-19
FreeBSD only:   NO

I.   Background

ircII is a popular text-mode IRC client.

II.  Problem Description

ircII version 4.4 contained a remotely-exploitable buffer overflow in the /DCC CHAT command which allows remote users to execute arbitrary code as the client user. The bug was originally reported in 1997 in a much older version of ircII, but was apparently not corrected at the time, and the problem was recently rediscovered independently.

Development on the version of ircII previously in ports ceased several years ago, and has been taken up by a new group who have fixed this problem (and possibly others). FreeBSD now provides this new version of ircII.

The ircII port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3200 third-party applications in a ready-to-install format. FreeBSD 4.0 did not ship with the ircII package available because this vulnerability was reported to us late in the release cycle and it was not possible to upgrade the port in time.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

A remote user can cause arbitrary code to be executed on the local system as the user running ircII.

If you have not chosen to install the ircII port/package, then your system is not known to be vulnerable to this problem, although there are several other IRC clients which are derived from ircII including Epic and BitchX. At this time it is unknown whether other clients are vulnerable to this problem.

IV.  Workaround

Remove the ircII port, if you have installed it.

V.   Solution

1) Upgrade your entire ports collection and rebuild the ircII port.

2) Reinstall a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/ircII-4.4S.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-3-stable/irc/ircII-4.4S.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/ircII-4.4S.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/ircII-4.4S.tgz

3) Download a new port skeleton for the ircII port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOPJAMVUuHi5z0oilAQHKpgQAjdphg+Xaw4J7J5+dowvgrgoggA4YG0P5
a7Nodawpvm2ya8jBStmi0cs3LhYIXZUPQfY3lqiAfEbf4Ndd4r5KUbQ+iAjgz4lZ
XHG0PjUGE98dK3eHZbLszaMIwPbBaCyicCD0gLPCVm40O0VOlqY+WHO9MfITgpec
GFF3l8b8Ym0=
=IU1d
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 10 13:59:53 2000
From: FreeBSD Security Officer
Reply-To: security-officer@freebsd.org
Date: Mon, 10 Apr 2000 13:59:33 -0700 (PDT)
Message-Id: <200004102059.NAA07231@freefall.freebsd.org>
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:12.healthd

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:12                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          healthd allows a local root compromise

Category:       ports
Module:         healthd
Announced:      2000-04-10
Credits:        Discovered during FreeBSD ports collection auditing.
Affects:        Ports collection before the correction date.
Corrected:      2000-03-25
Vendor status:  Updated version released.
FreeBSD only:   NO

I.   Background

healthd is a small utility for monitoring the temperature, fan speed and voltage levels of certain motherboards.

II.  Problem Description

healthd v0.3 installs a utility which is setuid root in order to monitor the system status. This utility contains a trivial buffer overflow which allows an unprivileged local user to obtain root privileges on the system.

The healthd port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3200 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

A local user can obtain root privileges by exploiting a vulnerability in the healthd utility.

If you have not chosen to install the healthd port/package, then your system is not vulnerable.

IV.  Workaround

Remove the healthd port, if you have installed it.

V.   Solution

1) Upgrade your entire ports collection and rebuild the healthd port.

2) Reinstall a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/sysutils/healthd-0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-3-stable/sysutils/healthd-0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/sysutils/healthd-0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/sysutils/healthd-0.3.tgz

3) Download a new port skeleton for the healthd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOPJABVUuHi5z0oilAQGEjgP/VQi4gknLQTpons+W/D3pT1fsk9F55HjQ
80pdBIfRxWNekFA+ZlfDNESLbG3qPyr+R4UaVxIZMnMVM/ZZRGPc/suYOxoHWZv0
F29AqveqINRewGHJoF+hw+DDGJPrrWy2t25BW9AX8KXPCJ2C1uiyChN+2egdJT5J
EcTA8JgVU8I=
=RtRI
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Apr 11 00:09:29 2000
From: "Josef Pojsl"
Date: Mon, 10 Apr 2000 10:56:32 +0200
To: tom
Cc: freebsd-security@freebsd.org
Subject: Re: IPSec implementation's question
Message-ID: <20000410105632.A55528@regent.in.skynet.cz>
In-Reply-To: <38EB2B30.79A7105E@cgf.net>

On Wed, Apr 05, 2000 at 12:01:52PM +0000, tom wrote:
> Hi,
>
> I'm not sure if this is the right place to ask, but..
>
> I'm trying for the first time to build IPSec from 4.0-Release. There
> seem to me a multitude of different ways to do this and I feel a bit
> lost as to which way to go (Is there an official way?). I've seen
> the KAME stuff and found a whole load of different resources, all
> with a slightly different approach.
>
> If anyone has any strong opinions about the good/bad/ugly methods I'd
> love to hear them.
>
> Tom

Tom,

sorry for answering that late. I don't know what you mean by different methods of building IPsec. You have only 1 method for building the FreeBSD kernel with IPSec: just specify options IPSEC and IPSEC_ESP in your kernel configuration file and build a new kernel.

If your concern is about IPSec configuration, then it is far more complicated as there really are many ways of using IPSec. The three mainly used examples include:

1 machine against 1 machine         - look for transport mode
1 machine against a network         - look for tunnel mode
a network against another network   - tunnel mode again

Look at examples of racoon configuration, do a "man racoon", "man racoon.conf" and "man setkey". You can also post your questions to the snap-users@kame.net mailing list.

Hope this helps,
Josef

--
Josef Pojsl                  mailto:josef.pojsl@skynet.cz
SkyNet, a.s.
Network Security, Czech Republic    http://www.skynet.cz/

From owner-freebsd-security Tue Apr 11 03:06:40 2000
From: Ron Smith
Date: Tue, 11 Apr 2000 03:03:57 +0100
To: FreeBSD Security
Subject: (no subject)

Thanks to all,

I have a dual-homed gateway running FreeBSD. The internal LAN (NIC) is class "C" (192.168.c.d). The external NIC has been assigned a static IP address from the ISP (63.203.c.d). I'm running NAT, and would like to know if this will provide enough protection for the internal LAN? I also have a firewall compiled into the kernel, but the rules prevent NAT from working whenever the firewall is in any other state except allowing "any to any". When the firewall is using "open" rules (allowing any to any) is NAT still providing protection to the internal network? If not, does anyone have any additional suggestions?
TIA
Ron Smith

From owner-freebsd-security Tue Apr 11 4:29:47 2000
From: Mike Tancsa
Date: Tue, 11 Apr 2000 07:27:26 -0400
To: "Josef Pojsl"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPSec implementation's question
In-Reply-To: <20000410105632.A55528@regent.in.skynet.cz>

At 10:56 AM 4/10/2000 +0200, Josef Pojsl wrote:
>Look at examples of racoon configuration, do a "man racoon",
>"man racoon.conf" and "man setkey".

I don't think racoon is part of the IPSec distribution on 4.x. At least it was not there as of a few days ago. http://www.freebsd.org/handbook/ipsec.html has some docs.
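The three layouts Josef lists (host to host, host to network, network to network) and Mike's point that racoon is not in the 4.0 base system both come down to what you feed setkey(8). The following script is an added example, written for this thread; it is not Josef's, Mike's or FreeBSD's own configuration. It generates a setkey input file for ESP in transport mode between two hosts (manually keyed, since no IKE daemon is assumed) and the policy lines for tunnel mode between two networks. The addresses, SPIs and keys are constructed placeholders, and the script assumes a kernel built with "options IPSEC" and "options IPSEC_ESP".

```shell
#!/bin/sh
# Added example, not from the thread and not FreeBSD's own configuration:
# emit setkey(8) input for the IPsec layouts Josef describes.  Both kernels
# are assumed to be built with "options IPSEC" and "options IPSEC_ESP".
# Addresses, SPIs and keys are constructed placeholders.

# True when $2 is a hex string of exactly $1 digits.  setkey would reject a
# wrong-length key at load time; checking here keeps a bad file from being
# written at all.
key_ok() { [ "$(printf '%s' "$2" | wc -c | tr -d ' ')" -eq "$1" ]; }

# Policy for one host talking to one host: ESP in transport mode, required
# in both directions.  $1 = this host, $2 = the peer.
transport_policy() {
    printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# Policy for traffic between two networks through two gateways: ESP in tunnel
# mode.  $1 = local net, $2 = remote net, $3 = local gateway, $4 = remote
# gateway.  A single host is a /32 network, which gives the host-to-network case.
tunnel_policy() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$2" "$1" "$4" "$3"
}

# Manually keyed SAs, one per direction, for use when no IKE daemon such as
# racoon is available.  3des-cbc takes a 192-bit key (48 hex digits) and
# hmac-sha1 a 160-bit key (40 hex digits).  The keys here are placeholders:
# draw real ones from /dev/random and never reuse them.
# $1 = host A, $2 = host B, $3 = transport or tunnel.
manual_sas() {
    e_ab=0123456789abcdef0123456789abcdef0123456789abcdef
    a_ab=0123456789abcdef0123456789abcdef01234567
    e_ba=fedcba9876543210fedcba9876543210fedcba9876543210
    a_ba=fedcba9876543210fedcba9876543210fedcba98
    key_ok 48 "$e_ab" && key_ok 40 "$a_ab" &&
        key_ok 48 "$e_ba" && key_ok 40 "$a_ba" || return 1
    printf 'add %s %s esp 0x1001 -m %s -E 3des-cbc 0x%s -A hmac-sha1 0x%s;\n' \
        "$1" "$2" "$3" "$e_ab" "$a_ab"
    printf 'add %s %s esp 0x1002 -m %s -E 3des-cbc 0x%s -A hmac-sha1 0x%s;\n' \
        "$2" "$1" "$3" "$e_ba" "$a_ba"
}

# Complete host-to-host file for one end.  The SA lines must be identical on
# both hosts (same SPIs, keys and src/dst), so A and B are always passed in
# the same order; only the policy lines are written from the point of view of
# the end named by $3 (A or B).
transport_config() {
    printf 'flush;\nspdflush;\n'
    manual_sas "$1" "$2" transport
    if [ "$3" = A ]; then
        transport_policy "$1" "$2"
    else
        transport_policy "$2" "$1"
    fi
}

# Usage (load the result with "setkey -f /etc/ipsec.conf" on each host):
#   transport_config 192.0.2.1 192.0.2.2 A > /etc/ipsec.conf   # on 192.0.2.1
#   transport_config 192.0.2.1 192.0.2.2 B > /etc/ipsec.conf   # on 192.0.2.2
#   tunnel_policy 10.1.0.0/16 10.2.0.0/16 198.51.100.1 198.51.100.2
```

The common mistake this script guards against is swapping the two hosts when writing the second end's file: the "add" lines describe one shared SA per direction and must match byte for byte on both machines, while the "spdadd" lines are the only part that changes sides.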
---Mike

From owner-freebsd-security Tue Apr 11 7:47:37 2000
From: Fernando Schapachnik
Date: Tue, 11 Apr 2000 11:46:29 -0300 (GMT)
To: ronnet@mediaone.net (Ron Smith)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: (no subject)
In-Reply-To: <38F2880D.473F8F8D@mediaone.net>

In an earlier message, Ron Smith wrote:
> Thanks to all,
>
> I have a dual-homed gateway running FreeBSD. The internal LAN (NIC) is
> class "C" (192.168.c.d). The external NIC has been assigned a static IP
> address from the ISP (63.203.c.d). I'm running NAT, and would like to
> know if this will provide enough protection for the internal LAN? I also
> have a firewall compiled into the kernel, but the rules prevent NAT from
> working whenever the firewall is in any other state except allowing "any
> to any". When the firewall is using "open" rules (allowing any to any)
> is NAT still providing protection to the internal network? If not, does
> anyone have any additional suggestions?

My advice would be to tcpdump the external interface and see what packets it generates. This will give you an idea about how to handcraft your firewall rules.

Regards.
Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

From owner-freebsd-security Tue Apr 11 16:02:27 2000
From: William Woods
Reply-To: bwoods2@uswest.net
Date: Tue, 11 Apr 2000 16:02:11 -0700 (PDT)
To: freebsd-security@freebsd.org
Subject: Weird log entry .....

Came home from work and was doing a check of my server logs and ran across this; can anyone tell me what's up here?

cache-dp03.proxy.aol.com - - [11/Apr/2000:15:18:59 -0700] "GET / HTTP/1.0" 200 4254 "http://209.185.131.251/cgi-bin/linkrd?_lang=&lah=14853ce0511667e378ad7f249bb39074&lat=955491465&hm___action=http%3a%2f%2f63%2e227%2e213%2e92%2f" "Mozilla/4.0(compatible; MSIE 5.0; AOL 5.0; Windows 98; DigExt)"

What worries me is the try to execute a cgi-bin command here.
Thanks

----------------------------------
E-Mail: bwoods2@uswest.net
Date: 11-Apr-00
Time: 15:59:50
----------------------------------

NOTICE TO BULK E-MAILERS: Pursuant to US Code, Title 47, Chapter 5, Subchapter II, 227, any and all unsolicited commercial e-mail sent to this address is subject to a download and archival fee in the amount of $500 US.

From owner-freebsd-security Tue Apr 11 16:45:39 2000
From: Bigby Findrake
Date: Tue, 11 Apr 2000 16:45:20 -0700 (PDT)
To: bwoods2@uswest.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Weird log entry .....

On Tue, 11 Apr 2000, William Woods wrote:
> Came home from work and was doing a check of my server logs and ran across
> this, anyone tell me what's up here?
>
> cache-dp03.proxy.aol.com - - [11/Apr/2000:15:18:59 -0700] "GET / HTTP/1.0" 200
> 4254 "http://209.185.131.251/cgi-bin/linkrd?_lang=&lah=14853ce0511667e378ad7f249b
> b39074&lat=955491465&hm___action=http%3a%2f%2f63%2e227%2e213%2e92%2f"
> "Mozilla/4.0(compatible; MSIE 5.0; AOL 5.0; Windows 98; DigExt)"
>
> What worries me is the try to execute a cgi-bin command here.

I'm not sure why they were trying to find that page on your server, but I've seen *many* people come to my servers who've been referred from a page that looks a lot like that. I've included one log line below.

blah:242.omaha-01-02rs.ne.dial-access.att.net - - [16/Mar/2000:18:53:45 +0000] "GET /~christy/ HTTP/1.1" 200 588 "http://216.33.236.250/cgi-bin/linkrd?_lang=&lah=d11f5445fcce05360957baed6934bce3&lat=953261532&hm___action=http%3a%2f%2fhome%2eephemeron%2eorg%2f%7echristy" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98; AT&T WNS5.0)"

Based on what I know, I'd say don't worry unless you see tons of people trying to hit up such pages. In that case, I'd say turn on the referrers so that you can see who's directing people to that page on your server and contact that admin.

/-------------------------------------------------------------------------/
"What reason weaves, by passion is undone." -- Alexander Pope
finger bigby@ephemeron.org for my pgpkey or http://home.ephemeron.org/~bigby/pgp_key.txt
e-mail bigby@pager.ephemeron.org to page me
/-------------------------------------------------------------------------/

From owner-freebsd-security Tue Apr 11 16:53:09 2000
From: Ian Kallen
Organization: Salon Media
Date: Tue, 11 Apr 2000 16:52:44 -0700
To: Bigby Findrake
Cc: bwoods2@uswest.net, freebsd-security@FreeBSD.ORG
Subject: Re: Weird log entry .....
This isn't a FreeBSD security issue and you both should learn how to read common log format: those "cgi requests" you're fretting over _are_ referers. The requests of your servers look like vanilla status 200 HTTP requests for non-CGI URLs, so get on with life and close out this topic: it's a non-issue.

Bigby Findrake wrote:
>
> On Tue, 11 Apr 2000, William Woods wrote:
>
> > Came home from work and was doing a check of my server logs and ran across
> > this, anyone tell me what's up here?
> >
> > cache-dp03.proxy.aol.com - - [11/Apr/2000:15:18:59 -0700] "GET / HTTP/1.0" 200
> > 4254 "http://209.185.131.251/cgi-bin/linkrd?_lang=&lah=14853ce0511667e378ad7f249b
> > b39074&lat=955491465&hm___action=http%3a%2f%2f63%2e227%2e213%2e92%2f"
> > "Mozilla/4.0(compatible; MSIE 5.0; AOL 5.0; Windows 98; DigExt)"
> >
> > What worries me is the try to execute a cgi-bin command here.
>
> I'm not sure why they were trying to find that page on your server, but
> I've seen *many* people come to my servers who've been referred from a
> page that looks a lot like that. I've included one log line below.
>
> blah:242.omaha-01-02rs.ne.dial-access.att.net - - [16/Mar/2000:18:53:45
> +0000] "GET /~christy/ HTTP/1.1" 200 588 "
> http://216.33.236.250/cgi-bin/linkrd?_lang=&lah=d11f5445fcce05360957baed6934bce3&lat=953261532&hm___action=http%3a
> %2f%2fhome%2eephemeron%2eorg%2f%7echristy" "Mozilla/4.0 (compatible; MSIE
> 4.01; Windows 98; AT&T WNS5.0)"
>
> Based on what I know, I'd say don't worry unless you see tons of people
> trying to hit up such pages. In that case, I'd say turn on the referrers
> so that you can see who's directing people to that page on your server and
> contact that admin.
>
> /-------------------------------------------------------------------------/
> "What reason weaves, by passion is undone." -- Alexander Pope
>
> finger bigby@ephemeron.org for my pgpkey or
> http://home.ephemeron.org/~bigby/pgp_key.txt
> e-mail bigby@pager.ephemeron.org to page me
> /-------------------------------------------------------------------------/

--
Salon Internet                          http://www.salon.com/
Manager, Software and Systems           "Livin' La Vida Unix!"
Ian Kallen / AIM: iankallen / Fax: (415) 354-3326

From owner-freebsd-security Tue Apr 11 17:00:50 2000
From: Brett Glass
Date: Tue, 11 Apr 2000 18:00:38 -0600
To: freebsd-security@FreeBSD.ORG
Subject: Re: Weird log entry .....

At 05:02 PM 4/11/2000, William Woods wrote:
>Came home from work and was doing a check of my server logs and ran across
>this, anyone tell me what's up here?
>
>cache-dp03.proxy.aol.com - - [11/Apr/2000:15:18:59 -0700] "GET / HTTP/1.0" 200
>4254 "http://209.185.131.251/cgi-bin/linkrd?_lang=&lah=14853ce0511667e378ad7f249b
>b39074&lat=955491465&hm___action=http%3a%2f%2f63%2e227%2e213%2e92%2f"
>"Mozilla/4.0(compatible; MSIE 5.0; AOL 5.0; Windows 98; DigExt)"

If you're using the standard Apache log format, don't worry; that's just a referer field.

My guess, without doing a lot of research, is that what you're seeing is a Hotmail internal URL. (Their mail reader uses URLs like that in the list of e-mail messages you see when you view the contents of your mailbox.) Not long ago, in fact, there was a widely publicized security hole which let you access anyone's Hotmail account without a password. All you needed to do was construct a URL similar to the one you see above.

So, the most likely explanation of that entry is that somebody who uses AOL as their ISP also has a Hotmail account. He or she probably clicked through to your site from a link in a Hotmail message.
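Ian and Brett both make the same point: in Apache's combined log format the cgi-bin URL sits in the referer field, not in the request. The script below is an added example for this thread, not code from any of the posters; it splits a combined-format line into its fields so that the request path and the referer are read separately, and flags a line only when the request itself names a cgi-bin path. SAMPLE is William's line from this thread with its mail wrapping undone; PROBE is a constructed line in which the request does target cgi-bin, so the two cases can be compared.

```shell
#!/bin/sh
# Added example, not from the thread: read a combined-format access log
# line field by field so that a referer is never mistaken for a request.
# SAMPLE is the line William posted (mail wrapping removed); PROBE is a
# constructed line whose request itself names a cgi-bin path.
SAMPLE='cache-dp03.proxy.aol.com - - [11/Apr/2000:15:18:59 -0700] "GET / HTTP/1.0" 200 4254 "http://209.185.131.251/cgi-bin/linkrd?_lang=&lah=14853ce0511667e378ad7f249bb39074&lat=955491465&hm___action=http%3a%2f%2f63%2e227%2e213%2e92%2f" "Mozilla/4.0 (compatible; MSIE 5.0; AOL 5.0; Windows 98; DigExt)"'
PROBE='198.51.100.7 - - [11/Apr/2000:16:00:00 -0700] "GET /cgi-bin/example HTTP/1.0" 404 0 "-" "-"'

# Print one field (request, status, bytes, referer, agent) of a log line.
# The three double-quoted strings are the request, the referer and the user
# agent, so splitting on the quote character puts them in $2, $4 and $6;
# the status code and byte count sit between the first two quoted strings.
log_field() {
    printf '%s\n' "$2" | awk -F'"' -v f="$1" '{
        split($3, sb, " ")
        if (f == "request")      print $2
        else if (f == "status")  print sb[1]
        else if (f == "bytes")   print sb[2]
        else if (f == "referer") print $4
        else if (f == "agent")   print $6
    }'
}

# Host part of the referer URL, or "-" when the client sent none.
referer_host() {
    ref=$(log_field referer "$1")
    case "$ref" in
        http://*|https://*) printf '%s\n' "${ref#*://}" | cut -d/ -f1 ;;
        *)                  printf '%s\n' - ;;
    esac
}

# "yes" only when the request line itself names a cgi-bin path.  A referer
# that mentions cgi-bin is merely the page the visitor came from.
cgi_in_request() {
    path=$(log_field request "$1" | awk '{print $2}')
    case "$path" in
        */cgi-bin/*) printf '%s\n' yes ;;
        *)           printf '%s\n' no ;;
    esac
}

# One-line summary showing the fields a reader should look at separately.
summarize() {
    printf 'request="%s" status=%s referer-host=%s cgi-in-request=%s\n' \
        "$(log_field request "$1")" "$(log_field status "$1")" \
        "$(referer_host "$1")" "$(cgi_in_request "$1")"
}

summarize "$SAMPLE"
summarize "$PROBE"
```

Run over a whole log with a loop such as `while IFS= read -r line; do summarize "$line"; done < access_log`, the summary makes William's entry read as a plain status-200 fetch of "/" referred from 209.185.131.251, while only the constructed PROBE line is flagged.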
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 12 14:44:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from almazs.pacex.net (dns1.pacex.net [209.189.111.246]) by hub.freebsd.org (Postfix) with ESMTP id 28AFF37B6B6 for ; Wed, 12 Apr 2000 14:44:18 -0700 (PDT) (envelope-from admin@pacex.net) Received: from almazs.pacex.net (almazs.pacex.net [209.189.111.246]) by almazs.pacex.net (8.9.3/8.9.3) with ESMTP id OAA61438 for ; Wed, 12 Apr 2000 14:44:18 -0700 (PDT) Date: Wed, 12 Apr 2000 14:44:18 -0700 (PDT) From: net admin To: FreeBSD-security@FreeBSD.org Subject: VPN and Firewall security implementation Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi Folks; I am posting this question with the full understanding of the the posting gudelines for this list and according to the list charters I think my question qualifies as a security thechnical issue. If I am wrong I appologize. We have FreeBSD-3.3-STABLE mail/HTTP/DNS/RADIUS servers on a lan behind a Cisco IOS firewall/router setup, with some servers running ipfw for added security. Some of our corporate dialup clients are using various VPN implementation to dial to corporate networks through our network (some use MS VPN stuff and some use proprietory remote access S/W). The problem we're having is that configuring our firewalls for mail/DNS/HTTP/RADIUS allows user full access to those services but not remote access to corporate LANs and we don't know what services to allow to accomodate the corp. customer because of the varied implementation of VPN stuff out there. We are now considering redesigning our fire wall to deny specific services (known security holes) and allow the rest, I know it is bad design policy but revenue is at stake here. 
What will be a sensible, security-conscious solution to this kind of problem?

Thanks, and sorry if I am being trivial.

Dan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 12 15:27: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from relay.securify.com (relay.securify.com [207.5.63.61]) by hub.freebsd.org (Postfix) with SMTP id 23AC737B943 for ; Wed, 12 Apr 2000 15:27:02 -0700 (PDT) (envelope-from paulm@securify.com)
Received: by relay.securify.com; id PAA18094; Wed, 12 Apr 2000 15:29:16 -0700
Received: from unknown(10.5.63.6) by relay.securify.com via smap (V5.5) id xma018079; Wed, 12 Apr 00 15:28:54 -0700
Received: from kestrel (dude.securify.com [10.5.63.6]) by dude.securify.com (8.9.3/8.9.3) with ESMTP id PAA80143; Wed, 12 Apr 2000 15:28:53 -0700 (PDT) (envelope-from paulm@securify.com)
Message-Id: <4.2.0.58.20000412141035.00a06470@localhost>
X-Sender: paulm@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Wed, 12 Apr 2000 14:29:52 -0700
To: Ron Smith , FreeBSD Security
From: Paul Mielke
Subject: Re: (no subject)
In-Reply-To: <38F2880D.473F8F8D@mediaone.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 03:03 AM 4/11/00 +0100, Ron Smith wrote:
>Thanks to all,
>
>I have a dual-homed gateway running FreeBSD. The internal LAN (NIC) is
>class "C" (192.168.c.d). The external NIC has been assigned a static IP
>address from the ISP (63.203.c.d). I'm running NAT, and would like to
>know if this will provide enough protection for the internal LAN? I also
>have a firewall compiled into the kernel, but the rules prevent NAT from
>working whenever the firewall is in any other state except allowing "any
>to any". When the firewall is using "open" rules (allowing any to any)
>is NAT still providing protection to the internal network?
If not, does >anyone have any additional suggestions? > >TIA >Ron Smith Hi, Ron. Just running NAT in the configuration that you describe should provide pretty good protection for the hosts on your internal net in that someone coming in from outside has no way to address any of your internal hosts (since the 192.168.x.x addresses are not routable). The external interface of your firewall box, however, gets no protection from this. If one simply runs no services on the firewall box, then that may not be an issue. In my case, I want to use my firewall for other things than being a firewall, so I want to run services for the use of other hosts on my internal net. If that is your situation, then you'll probably want to get either ipfw or ipfilter working. One other thing to consider is that turning off TCP services doesn't protect you against ICMP and UDP based attacks on your external interface. Unless your ISP has really good filters in place, you're probably better off running ipfw or ipfilter in addition to NAT. NAT and IPFW can coexist just fine. Take a look at the 'simple' firewall mode code in /etc/rc.firewall. You just have to be conscious when you write your firewall rules that you're seeing the packets after they've been through NAT on the external interface, meaning that, e.g., packets originating from 192.168.x.x hosts on your internal net will have source addresses equal to the IP address of your external NIC. I've got a NAT + IPFW config running in a situation very similar to yours and it works great. Start with rc.firewall and play around with the rules to get the effect that you want. The easiest way to figure out what's going on is to turn on logging on all your rules and use the log messages to understand what your rules are doing. Regards, Paul Paul Mielke paulm@alumni.stanford.org Securify, Inc. 
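To make Paul's point about rule order concrete, here is an added example of an ipfw ruleset for a natd gateway written in the style of the "simple" section of rc.firewall. It is my illustration, not Paul's or Ron's configuration and not the stock /etc/rc.firewall. The interface names are Ron's (pn0 outside, fxp0 inside); the addresses are assumed documentation ranges, since the thread masks the real ones as c.d. With fwcmd unset the script only prints the rules so the order can be read; set fwcmd=/sbin/ipfw in the environment to load them.

```sh
#!/bin/sh
# Added example (not Ron's or Paul's configuration, not the stock
# /etc/rc.firewall): an ipfw ruleset for a natd gateway in "simple" style.
# Assumed addresses: outside 203.0.113.0/29 with the gateway at 203.0.113.2,
# inside 192.168.1.0/24 with the gateway at 192.168.1.1.  Interface names
# are Ron's.  Dry run unless fwcmd=/sbin/ipfw is set in the environment.
fwcmd="${fwcmd:-echo /sbin/ipfw}"

oif="pn0";  onet="203.0.113.0"; omask="255.255.255.248"; oip="203.0.113.2"
iif="fxp0"; inet="192.168.1.0"; imask="255.255.255.0";   iip="192.168.1.1"

nat_ipfw_rules() {
    ${fwcmd} -f flush

    # Loopback traffic is fine; nothing addressed to 127/8 may cross a real NIC.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0:255.0.0.0
    ${fwcmd} add 300 deny all from 127.0.0.0:255.0.0.0 to any

    # Anti-spoofing rules must see UNTRANSLATED addresses, so they go before
    # the divert.  "in via ${oif}" is what keeps them from eating the LAN's own
    # outbound packets, which still carry a 192.168 source at this point.
    ${fwcmd} add 1000 deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add 1100 deny all from ${onet}:${omask} to any in via ${iif}
    ${fwcmd} add 1200 deny all from 10.0.0.0:255.0.0.0 to any in via ${oif}
    ${fwcmd} add 1300 deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
    ${fwcmd} add 1400 deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}

    # Hand packets on the outside interface to natd.  They are re-injected at
    # the NEXT rule with addresses rewritten: outbound traffic now has ${oip}
    # as its source, inbound replies have a 192.168.1.x destination.  Every
    # rule below this line sees the translated packet.
    ${fwcmd} add 2000 divert natd all from any to any via ${oif}

    # Trust the inside interface: LAN hosts may start anything.  Their packets
    # pass through the rules a second time on ${oif}, after translation.
    ${fwcmd} add 2500 pass all from ${inet}:${imask} to any in via ${iif}

    # Established TCP and fragments, then the services this box itself offers.
    ${fwcmd} add 3000 pass tcp from any to any established
    ${fwcmd} add 3100 pass all from any to any frag
    ${fwcmd} add 3200 pass tcp from any to ${oip} 25 setup
    ${fwcmd} add 3300 pass tcp from any to ${oip} 53 setup
    ${fwcmd} add 3400 pass udp from any to ${oip} 53
    ${fwcmd} add 3500 pass udp from ${oip} 53 to any

    # Outbound DNS: after natd every query, the gateway's own or a LAN host's,
    # leaves with source ${oip}.  Replies are translated back before they
    # reach these rules, so a LAN host's reply is addressed to ${inet}/${imask},
    # not to ${oip}; both destinations have to be allowed.
    ${fwcmd} add 3600 pass udp from ${oip} to any 53
    ${fwcmd} add 3700 pass udp from any 53 to ${oip}
    ${fwcmd} add 3800 pass udp from any 53 to ${inet}:${imask}

    # Log and refuse any other connection attempt arriving on the outside;
    # connections that originate here (already translated) may go out.
    ${fwcmd} add 4000 deny log tcp from any to any in via ${oif} setup
    ${fwcmd} add 4100 pass tcp from any to any setup

    ${fwcmd} add 65000 deny log all from any to any
}

# Order checks over the dry-run output ($1 = captured text of nat_ipfw_rules):
# the rule number of the divert, and of the first rule that is meant to see
# translated addresses.  The former must be the smaller.
divert_rule() { printf '%s\n' "$1" | awk '/ divert natd / { print $3; exit }'; }
first_post_nat_rule() { printf '%s\n' "$1" | awk '/ established$/ { print $3; exit }'; }

nat_ipfw_rules
```

The two helpers are the mechanical form of Paul's advice: anything that inspects the private addresses on the wire (anti-spoofing, bogon filtering) has to sit above the divert, and anything below it has to be written for the translated addresses, including the return traffic to the LAN.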
650-812-9400 x4118

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 12 17:23:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (law-f126.hotmail.com [209.185.131.189]) by hub.freebsd.org (Postfix) with SMTP id BAFEE37B691 for ; Wed, 12 Apr 2000 17:23:23 -0700 (PDT) (envelope-from ronnetron@hotmail.com)
Received: (qmail 98450 invoked by uid 0); 13 Apr 2000 00:23:23 -0000
Message-ID: <20000413002323.98449.qmail@hotmail.com>
Received: from 209.179.56.34 by www.hotmail.com with HTTP; Wed, 12 Apr 2000 17:23:23 PDT
X-Originating-IP: [209.179.56.34]
From: "Ron Smith"
To: freebsd-security@FreeBSD.ORG
Cc: support@cdrom.com
Subject: NAT and /etc/rc.firewall
Date: Wed, 12 Apr 2000 17:23:23 PDT
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

bash-2.03# uname -a
FreeBSD stargate.crcfx.com 3.4-RELEASE FreeBSD 3.4-RELEASE #0: Fri Mar 31 14:39:09 PST 2000 root@stargate.crcfx..com:/usr/src/sys/compile/STARGATE i386

I recompiled the kernel with:

options IPFIREWALL
options IPDIVERT

The problem is as follows:

NAT only works with 'firewall_type="open"'.

Here are the particulars:

bash-2.03$ cat /etc/rc.conf

# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.
linux_enable="YES"
moused_port="/dev/cuaa0"
moused_type="microsoft"
moused_enable="YES"
inetd_enable="NO"
sendmail_enable="NO"
dumpdev=/dev/wd0s1b
firewall_enable="YES"
firewall_type="simple"
firewall_script="/etc/rc.firewall"
gateway_enable="YES"
defaultrouter="63.203.c.d"
natd_enable="YES"
natd_interface="pn0"
ifconfig_fxp0="inet 192.168.c.d netmask 255.255.255.0"
ifconfig_pn0="inet 63.203.c.d netmask 255.255.255.248"
hostname="stargate.crcfx.com"
named_enable="YES"

~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~

Following is a portion of 'cat /etc/rc.firewall'

elif [ "${firewall_type}" = "simple" ]; then

    ############
    # This is a prototype setup for a simple firewall.  Configure this machine
    # as a named server and ntp server, and point all the machines on the inside
    # at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="pn0"
    onet="63.203.c.d"          # cidr given by the ISP; one below the gateway
    omask="255.255.255.248"
    oip="63.203.c.d"           # Static IP address of the external NIC

    # set these to your inside interface network and netmask and ip
    iif="fxp0"
    inet="192.168.c.d"         # IP range of internal LAN
    imask="255.255.255.0"
    iip="192.168.c.d"          # IP address of the internal NIC

NAT doesn't work for anyone on the LAN trying to reach the internet through 'firewall_type="simple"', but works fine with 'firewall_type="open"'. Do you think the above settings are correct, and in the right place?

Can anyone give me a hand? Everything looks O.K. to me, unless I'm missing something. Maybe there's something I'm missing altogether when I try to go 'firewall_type="simple"' and use those stock rules, as is, in '/etc/rc.firewall'. If I need to make changes there, could someone mail me a sample of some rules that work for NAT+ipfw.
TIA Ron Smith ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 12 17:39:33 2000 Delivered-To: freebsd-security@freebsd.org Received: from relay.securify.com (relay.securify.com [207.5.63.61]) by hub.freebsd.org (Postfix) with SMTP id 0480037B9E1 for ; Wed, 12 Apr 2000 17:39:31 -0700 (PDT) (envelope-from paulm@securify.com) Received: by relay.securify.com; id RAA19569; Wed, 12 Apr 2000 17:41:45 -0700 Received: from unknown(10.5.63.6) by relay.securify.com via smap (V5.5) id xma019555; Wed, 12 Apr 00 17:40:51 -0700 Received: from kestrel (dude.securify.com [10.5.63.6]) by dude.securify.com (8.9.3/8.9.3) with ESMTP id RAA82090; Wed, 12 Apr 2000 17:40:50 -0700 (PDT) (envelope-from paulm@securify.com) Message-Id: <4.2.0.58.20000412163416.00b74a20@localhost> X-Sender: paulm@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Wed, 12 Apr 2000 16:41:54 -0700 To: "Ron Smith" , freebsd-security@FreeBSD.ORG From: Paul Mielke Subject: Re: NAT and /etc/rc.firewall Cc: support@cdrom.com In-Reply-To: <20000413002323.98449.qmail@hotmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 05:23 PM 4/12/00 -0700, Ron Smith wrote: ... >NAT doesn't work for anyone on the LAN trying to reach the internet through 'firewall_type="simple"', but works fine with 'firewall_type="open"'. Do you think the above setting are correct, and in the right place. > >Can anyone give me a hand? Everything looks O.K. to me, unless I'm missing something. Maybe there's something I'm missing altogether when I try to go 'firewall_type="simple"' and use those stock rules, as is, in '/etc/rc.firewall'. 
If I need to make changes there, could someone mail me a sample of some rules that work for NAT+ipfw. Hi, Ron. I just took a quick look at the stock rc.firewall and I don't think that's enough info to allow remote diagnosis of the problem. I don't have access to my firewall from my current location, so I can't send you my working config files at this point. Maybe later this evening. For now, I would suggest that you try to diagnose the problem by either using "ipfw show" or by using the 'log' keyword on all the ipfw rules to figure out which rule is the one that is trashing your packets. For example, do the following: ipfw show > fw.stats.after do some operation that fails ipfw show > fw.stats.after ipfw will update the counters on each rule every time one of them fires. By diffing the two stats files, you can figure out which rule is the offending one. When I went through the initial phase of getting my setup working, I spent a lot of time iterating on the above steps interspersed with poring over the ipfw manpage. Regards, Paul Paul Mielke paulm@alumni.stanford.org Securify, Inc. 
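Paul's counter-diff technique, as an added example that is not part of his message: snapshot the counters before and after the failing operation, then report every rule whose packet count moved. The two snapshots below are constructed to mimic "ipfw show" output (rule number, packets, bytes, rule body) and are not from Ron's box; they show one plausible misordering, a deny on 192.168/16 placed ahead of the divert, so that untranslated LAN packets heading out are counted on the deny rule and never reach natd.

```sh
#!/bin/sh
# Added example (not from the thread): find which ipfw rule eats a packet by
# diffing "ipfw show" counters taken before and after the failing operation.
# The two snapshots are constructed in the format of "ipfw show" output
# (rule number, packets, bytes, rule body); they are not from Ron's machine.

ipfw_before='00100  312  29844 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 192.168.0.0/16 to any via pn0
00400 1840 932110 divert 8668 ip from any to any via pn0
00500 1719 911520 allow tcp from any to any established
65535   57   4102 deny ip from any to any'

ipfw_after='00100  320  30400 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    6    480 deny ip from 192.168.0.0/16 to any via pn0
00400 1840 932110 divert 8668 ip from any to any via pn0
00500 1719 911520 allow tcp from any to any established
65535   57   4102 deny ip from any to any'

# Usage: changed_rules BEFORE_FILE AFTER_FILE
# Prints "rule +packets body" for every rule whose packet counter moved.
changed_rules() {
    awk '
        NR == FNR { pkts[$1] = $2; next }         # first file: remember counters
        ($1 in pkts) && $2 != pkts[$1] {          # second file: report movement
            body = $4
            for (i = 5; i <= NF; i++) body = body " " $i
            printf "%s +%d %s\n", $1, $2 - pkts[$1], body
        }' "$1" "$2"
}

# Usage: first_changed_deny BEFORE_FILE AFTER_FILE
# The lowest-numbered deny rule that fired during the test: the prime suspect.
first_changed_deny() {
    changed_rules "$1" "$2" | awk '$3 == "deny" { print $1; exit }'
}

# Real use: "ipfw show > before", run the failing operation, "ipfw show > after".
# Here the constructed snapshots stand in for those two files.
before_file="${TMPDIR:-/tmp}/ipfw.before.$$"
after_file="${TMPDIR:-/tmp}/ipfw.after.$$"
trap 'rm -f "$before_file" "$after_file"' EXIT
printf '%s\n' "$ipfw_before" > "$before_file"
printf '%s\n' "$ipfw_after"  > "$after_file"

changed_rules "$before_file" "$after_file"
echo "suspect: rule $(first_changed_deny "$before_file" "$after_file")"
```

Only two rules move in the sample: the loopback rule (local chatter) and rule 00300, which is the deny sitting above the divert. The divert and the established rule did not move at all, which is the tell that the packets never got as far as natd. Rules that match on the untranslated addresses have to be written so they do not catch the LAN's own outbound traffic, or they have to move below the divert.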
650-812-9400 x4118 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 13 4:21:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail2.x-treme.gr (mail2.x-treme.gr [212.120.196.24]) by hub.freebsd.org (Postfix) with ESMTP id E488337B5DB for ; Thu, 13 Apr 2000 04:21:27 -0700 (PDT) (envelope-from keramida@diogenis.ceid.upatras.gr) Received: from hades.hell.gr (pat51.x-treme.gr [212.120.197.243]) by mail2.x-treme.gr (8.9.3/8.9.3/IPNG-ADV-ANTISPAM-0.1) with SMTP id OAA30786 for ; Thu, 13 Apr 2000 14:21:21 +0300 Received: (qmail 22124 invoked by uid 1001); 13 Apr 2000 02:29:53 -0000 Date: Thu, 13 Apr 2000 05:29:52 +0300 From: Giorgos Keramidas To: Paul Mielke Cc: Ron Smith , security@freebsd.org Subject: Re: NAT and /etc/rc.firewall Message-ID: <20000413052952.A21547@hades.hell.gr> Reply-To: keramida@ceid.upatras.gr References: <20000413002323.98449.qmail@hotmail.com> <4.2.0.58.20000412163416.00b74a20@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <4.2.0.58.20000412163416.00b74a20@localhost>; from paulm@securify.com on Wed, Apr 12, 2000 at 04:41:54PM -0700 X-PGP-Fingerprint: 62 45 D1 C9 26 F9 95 06 D6 21 2A C8 8C 16 C0 8E Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Apr 12, 2000 at 04:41:54PM -0700, Paul Mielke wrote: > At 05:23 PM 4/12/00 -0700, Ron Smith wrote: > > ... > > For now, I would suggest that you try to diagnose the problem by > either using "ipfw show" or by using the 'log' keyword on all the > ipfw rules to figure out which rule is the one that is trashing your > packets. 
> > For example, do the following:
> >
> > ipfw show > fw.stats.after
> > do some operation that fails
> > ipfw show > fw.stats.after

Of course this was meant to be:

ipfw show > fw.stats.before
do some operation that fails
ipfw show > fw.stats.after

and then a simple diff should be enough to provide information on what rules were triggered:

diff -u fw.stats.before fw.stats.after

--
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
For my public pgp key: finger keramida@diogenis.ceid.upatras.gr
See the headers of this message for the key finger-print.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Apr 13 7:20:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id 8DF8937BD5A for ; Thu, 13 Apr 2000 07:20:42 -0700 (PDT) (envelope-from erwan@amelie.frmug.org)
Received: (from uucp@localhost) by frmug.org (8.9.3/frmug-2.7/nospam) with UUCP id QAA20618 for security@freebsd.org; Thu, 13 Apr 2000 16:20:31 +0200 (CEST) (envelope-from erwan@amelie.frmug.org)
Received: by amelie.frmug.org (Postfix, from userid 1000) id 363A925FC; Thu, 13 Apr 2000 16:11:49 +0200 (CEST)
Date: Thu, 13 Apr 2000 16:11:49 +0200
From: Erwan Arzur
To: security@freebsd.org
Subject: Where is racoon ?
Message-ID: <20000413161148.A55344@amelie.frmug.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

Did somebody manage to get any kind of IKE daemon running on FreeBSD (both -current and 4.0-STABLE are the targets)?

After finding out that racoon was not included in our KAME stack, I've been digging through various KAME dists and I could not find any way to compile it, mostly because of changes in the pf_key* syscalls between current's kernel and the KAME snaps ...
I'm currently digging into OpenBSD's isakmpd, but I'm a little pessimistic, because I'm not really a kernel hacker, and this relies heavily on the kernel's SADB ...

I found a recent (03/22) message from Yoshinobu Inoue saying that he would make a port from it, but I could not find it, even on the "ported applications" page on www.freebsd.org ...

thanks for any help !

--
UNIX *IS* user friendly. It's just selective about who its friends are. --unknown

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Apr 13 8: 8:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from shell.telemere.net (shell.telemere.net [63.224.9.3]) by hub.freebsd.org (Postfix) with ESMTP id A20DA37BD6E for ; Thu, 13 Apr 2000 08:08:12 -0700 (PDT) (envelope-from visigoth@telemere.net)
Received: by shell.telemere.net (Postfix, from userid 1001) id 00F4770601; Thu, 13 Apr 2000 10:16:00 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by shell.telemere.net (Postfix) with ESMTP id F17226C801; Thu, 13 Apr 2000 10:16:00 -0500 (CDT)
Date: Thu, 13 Apr 2000 10:16:00 -0500 (CDT)
From: Visigoth
To: net admin
Cc: FreeBSD-security@FreeBSD.org
Subject: Re: VPN and Firewall security implementation
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 12 Apr 2000, net admin wrote:

> Hi Folks;
> I am posting this question with the full understanding of the posting
> guidelines for this list and according to the list charters I think my
> question qualifies as a security technical issue. If I am wrong I
> apologize.
> We have FreeBSD-3.3-STABLE mail/HTTP/DNS/RADIUS servers on a lan behind a
> Cisco IOS firewall/router setup, with some servers running ipfw
> for added security.
> Some of our corporate dialup clients are using various VPN implementations
> to dial to corporate networks through our network (some use MS VPN stuff
> and some use proprietary remote access S/W).

How many different pieces of software are you talking about? If it isn't more than a few, and you would like to maintain the rampant paranoia of default deny (my personal fav), maybe try doing a little tcpdump and other homework to see exactly what they need. I understand that this is probably unreasonable if you are talking like 50 kinds of software (unless they all comply to some standard).

> The problem we're having is that configuring our firewalls for
> mail/DNS/HTTP/RADIUS allows users full access to those services but not
> remote access to corporate LANs and we don't know what services to allow
> to accommodate the corp. customer because of the varied implementation of
> VPN stuff out there. We are now considering redesigning our firewall to
> deny specific services (known security holes) and allow the rest, I know
> it is bad design policy but revenue is at stake here.

If your network is going to be very dynamic and have lots of different software being used for VPN, this may end up being your only solution. Many ISPs have some of the same issues, and most of the ones that I have seen deal with it this second way, but I would recommend doing a system audit on each of your servers to find out what it has open, and maybe even implementing software firewalls for each box... ;)

This also sort of depends on whether the firewall is intended to protect your machines, or the machines of your clients (which you can't secure yourself)...

> What will be a
> sensible security conscious solution to this kind of problem.
>
> Thanks and sorry if I am being trivial.

I don't think this issue is trivial at all..

Visigoth
Damieon Stark
Sr.
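Since the thread never settles which services a VPN client actually needs, here is an added example, mine and not from Dan's or Visigoth's setup, that encodes what the common clients of the period send and passes exactly that from the dial-up pool to known corporate gateways: PPTP (the VPN built into Windows of that era) uses TCP port 1723 for its control channel plus GRE, IP protocol 47, for the tunnel; IPsec uses IKE on UDP 500 and then ESP (protocol 50) and/or AH (protocol 51); L2TP adds UDP 1701 (Windows 2000 carries it inside IPsec). It is in ipfw syntax because that is the filter the thread is about; a Cisco access-list needs the same protocol list. The pool and gateway addresses are assumptions, and the second function builds the tcpdump expression for the homework step Visigoth suggests: whatever it still shows is a client these rules do not cover. Dry run unless fwcmd=/sbin/ipfw is set.

```sh
#!/bin/sh
# Added example, not from the thread: pass the dial-up pool's VPN traffic to
# known corporate gateways and log anything else it sends, in ipfw syntax.
# Assumed addresses: dial-up pool 10.10.0.0/16; gateways are passed as
# arguments.  Dry run unless fwcmd=/sbin/ipfw is set in the environment.
fwcmd="${fwcmd:-echo /sbin/ipfw}"
pool="10.10.0.0:255.255.0.0"

# What the common clients send.  Protocol names resolve via /etc/protocols:
#   PPTP  : TCP 1723 control channel + GRE (IP protocol 47) for the tunnel
#   IPsec : IKE on UDP 500, then ESP (50) and/or AH (51)
#   L2TP  : UDP 1701 (inside IPsec when Windows 2000 does it)
vpn_rules() {
    # $@ = corporate VPN gateway addresses learned from the customers
    n=10000
    for gw in "$@"; do
        for spec in "tcp from ${pool} to ${gw} 1723 setup" \
                    "tcp from ${gw} 1723 to ${pool} established" \
                    "gre from ${pool} to ${gw}" \
                    "gre from ${gw} to ${pool}" \
                    "udp from ${pool} to ${gw} 500" \
                    "udp from ${gw} 500 to ${pool}" \
                    "esp from ${pool} to ${gw}" \
                    "esp from ${gw} to ${pool}" \
                    "ah from ${pool} to ${gw}" \
                    "ah from ${gw} to ${pool}" \
                    "udp from ${pool} to ${gw} 1701" \
                    "udp from ${gw} 1701 to ${pool}"; do
            ${fwcmd} add ${n} pass ${spec}
            n=$((n + 10))
        done
    done
    # Anything else the pool sends is logged rather than silently dropped, so
    # a customer with a client these rules do not know shows up in the logs.
    # The ISP's own mail/DNS/HTTP/RADIUS rules are assumed to sit above this.
    ${fwcmd} add 19000 deny log all from ${pool} to any
}

# The tcpdump expression for the homework step: traffic from the pool that is
# neither one of the ISP's services (assumed ports) nor a VPN protocol the
# rules above already pass.  Whatever this prints is an unknown VPN client.
residual_filter() {
    echo "src net 10.10.0.0/16 and not (tcp port 25 or tcp port 80 or port 53 or udp port 1812 or udp port 1645 or tcp port 1723 or udp port 500 or udp port 1701 or ip proto 47 or ip proto 50 or ip proto 51)"
}

vpn_rules 198.51.100.9 198.51.100.20
echo "tcpdump -n -i fxp0 '$(residual_filter)'"
```

The deny-with-log at the end is the compromise between Dan's two positions: the pool still gets default deny, but the log line names the customer and protocol that needs a rule, so the next client is a ten-second addition rather than a support call.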
Unix Systems Administrator
visigoth@telemere.net
____________________________________________________________________________
| - M$ Win 2K was built for the internet. | - Unix _BUILT_ the internet.
| FreeBSD - The POWER to serve | http://www.freebsd.org your call...
| | How do I set this laser printer to stun?|
----------------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Apr 13 8:20: 6 2000
Delivered-To: freebsd-security@freebsd.org
Received: from drawbridge.ctc.com (drawbridge.ctc.com [147.160.99.35]) by hub.freebsd.org (Postfix) with ESMTP id D0D5B37B52E for ; Thu, 13 Apr 2000 08:19:58 -0700 (PDT) (envelope-from cameron@ctc.com)
Received: from server2.ctc.com (server2.ctc.com [147.160.1.4]) by drawbridge.ctc.com (8.9.3/8.9.3) with ESMTP id LAA12218; Thu, 13 Apr 2000 11:19:56 -0400 (EDT)
Received: from ctcjst-mail1.ctc.com (ctcjst-mail1.ctc.com [147.160.34.4]) by server2.ctc.com (8.9.3/8.9.3) with ESMTP id LAA00441; Thu, 13 Apr 2000 11:19:26 -0400 (EDT)
Received: by ctcjst-mail1.ctc.com with Internet Mail Service (5.5.2650.21) id <2THVD1Z4>; Thu, 13 Apr 2000 11:19:26 -0400
Message-ID:
From: "Cameron, Frank"
To: net admin
Cc: FreeBSD-security@FreeBSD.ORG
Subject: RE: VPN and Firewall security implementation
Date: Thu, 13 Apr 2000 11:19:25 -0400
X-Mailer: Internet Mail Service (5.5.2650.21)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You might want to check out ports/net/nstreams; I've never used it, so I don't know if it's any good or not:

Port description for net/nstreams

Nstreams is a program which analyzes the streams that occur on a network. It displays which streams are generated by the users between several networks, and between the networks and the outside.
It can optionally generate the ipchains or ipfw rules that will match these streams, thus only allowing what is required for the users, and nothing more.

Nstreams can parse the tcpdump output, or the files generated with the -w option of tcpdump. It can also directly sniff the data that occurs on the network (the use of tcpdump is however recommended as long as nstreams is in version 0.99.x).

This product was designed by HSC and coded by Renaud Deraison (deraison@cvs.nessus.org), author of the Nessus software (www.nessus.org). It is available for free and under the GNU license.

-frank

-----Original Message-----
From: Visigoth [mailto:visigoth@telemere.net]
Sent: Thursday, April 13, 2000 11:16 AM
To: net admin
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: VPN and Firewall security implementation

On Wed, 12 Apr 2000, net admin wrote:

> Hi Folks;
> I am posting this question with the full understanding of the posting
> guidelines for this list and according to the list charters I think my
> question qualifies as a security technical issue. If I am wrong I
> apologize.
> We have FreeBSD-3.3-STABLE mail/HTTP/DNS/RADIUS servers on a lan behind a
> Cisco IOS firewall/router setup, with some servers running ipfw
> for added security.
> Some of our corporate dialup clients are using various VPN implementations
> to dial to corporate networks through our network (some use MS VPN stuff
> and some use proprietary remote access S/W).

How many different pieces of software are you talking about? If it isn't more than a few, and you would like to maintain the rampant paranoia of default deny (my personal fav), maybe try doing a little tcpdump and other homework to see exactly what they need. I understand that this is probably unreasonable if you are talking like 50 kinds of software (unless they all comply to some standard).
> The problem we're having is that configuring our firewalls for
> mail/DNS/HTTP/RADIUS allows users full access to those services but not
> remote access to corporate LANs and we don't know what services to allow
> to accommodate the corp. customer because of the varied implementation of
> VPN stuff out there. We are now considering redesigning our firewall to
> deny specific services (known security holes) and allow the rest, I know
> it is bad design policy but revenue is at stake here.

If your network is going to be very dynamic and have lots of different software being used for VPN, this may end up being your only solution. Many ISPs have some of the same issues, and most of the ones that I have seen deal with it this second way, but I would recommend doing a system audit on each of your servers to find out what it has open, and maybe even implementing software firewalls for each box... ;)

This also sort of depends on whether the firewall is intended to protect your machines, or the machines of your clients (which you can't secure yourself)...

> What will be a
> sensible security conscious solution to this kind of problem.
>
> Thanks and sorry if I am being trivial.

I don't think this issue is trivial at all..

Visigoth
Damieon Stark
Sr. Unix Systems Administrator
visigoth@telemere.net
____________________________________________________________________________
| - M$ Win 2K was built for the internet. | - Unix _BUILT_ the internet.
| FreeBSD - The POWER to serve | http://www.freebsd.org your call...
| | How do I set this laser printer to stun?| ---------------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 13 9:47:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (adam042-051.resnet.wisc.edu [146.151.42.51]) by hub.freebsd.org (Postfix) with SMTP id EE33D37BD9B for ; Thu, 13 Apr 2000 09:47:38 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 57900 invoked by uid 1000); 13 Apr 2000 16:47:34 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 13 Apr 2000 16:47:34 -0000 Date: Thu, 13 Apr 2000 11:47:34 -0500 (CDT) From: Mike Silbersack To: security@freebsd.org Subject: stream.c followup / MFC request Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've recently noticed that the patches to mitigate stream.c (RST rate limiting + multicast filtering) which were applied to 4.0 haven't been applied to the 3.x branch. Luckily, Wes Peters's patch still seems to apply cleanly to the current 3.4-stable. It's available at http://docs.freebsd.org/cgi/getmsg.cgi?fetch=325531+0+archive/2000/freebsd-security/20000130.freebsd-security So, my question is this: Would someone be willing to give Wes's patch one more lookover and commit it to the RELENG_3 branch? 
Thanks,

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Apr 13 10:31:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pandora.worldonline.nl (pandora.worldonline.nl [195.241.48.140]) by hub.freebsd.org (Postfix) with ESMTP id 10E7937B8A7 for ; Thu, 13 Apr 2000 10:31:18 -0700 (PDT) (envelope-from maikel@intramail.worldonline.nl)
Received: from intramail.worldonline.nl. (intramail.worldonline.nl [194.151.129.159]) by pandora.worldonline.nl (Postfix) with ESMTP id 21F9936BF4 for ; Thu, 13 Apr 2000 19:31:56 +0200 (MET DST)
Received: (from maikel@localhost) by intramail.worldonline.nl. (8.9.3/8.8.8) id TAA27093 for security@FreeBSD.ORG; Thu, 13 Apr 2000 19:30:31 +0200 (CEST) (envelope-from maikel)
Date: Thu, 13 Apr 2000 19:30:31 +0200
From: Maikel Verheijen
To: security@FreeBSD.ORG
Subject: Re: Where is racoon ?
Message-ID: <20000413193031.C26406@intramail.worldonline.nl>
References: <20000413161148.A55344@amelie.frmug.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="0lnxQi9hkpPO77W3"
X-Mailer: Mutt 1.0i
In-Reply-To: <20000413161148.A55344@amelie.frmug.org>; from erwan@amelie.frmug.org on Thu, Apr 13, 2000 at 04:11:49PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Apr 13, 2000 at 04:11:49PM +0200, Erwan Arzur wrote:
> Hello,

Hi,

> Did somebody manage to get any kind of IKE daemon running on FreeBSD
> (both -current and 4.0-STABLE are the targets) ?

Yep, I did.

get my patched version at: http://home.worldonline.nl/~maikel/racoon.tar.gz

I'm not quite sure if it is ok, since I haven't got the time to figure out how to set it up for dynamic keying....
If someone has a howto on how to use racoon, I'd be grateful to receive it (it would save me a lot of time :)

> thanks for any help !

Groetjes,

Maikel Verheijen.

I didn't say it was your fault. I said I was going to blame it on you.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: /DcofvXWnhvx705XqWU42IlPHLvbvHjP

iQA/AwUBOPYENqmWNQ7RrPkAEQLSTgCfTwFxabCucGwmRrhAFlFDxHSXnBgAoKyX
U2HtmZ4h4zf3t3aDs/W6BwOC
=QlJi
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Apr 13 12:59:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from juice.shallow.net (node16229.a2000.nl [24.132.98.41]) by hub.freebsd.org (Postfix) with ESMTP id F3EFE37BD5D for ; Thu, 13 Apr 2000 12:59:39 -0700 (PDT) (envelope-from joshua@roughtrade.net)
Received: from localhost (joshua@localhost) by juice.shallow.net (8.9.3/8.9.3) with ESMTP id WAA20324; Thu, 13 Apr 2000 22:00:02 +0200 (CEST) (envelope-from joshua@roughtrade.net)
Date: Thu, 13 Apr 2000 22:00:02 +0200 (CEST)
From: Joshua Goodall
X-Sender: joshua@juice.shallow.net
To: Ron Smith
Cc: freebsd-security@FreeBSD.ORG, support@cdrom.com
Subject: Re: NAT and /etc/rc.firewall
In-Reply-To: <20000413002323.98449.qmail@hotmail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a known problem. Since the implications compromise natd security, it should have been fixed in the distro. It isn't in 4.0-STABLE. However there is a potential fix.
See http://www.freebsd.org/cgi/query-pr.cgi?pr=13769

--
Joshua Goodall
"Bandwidth Evangelist"

On Wed, 12 Apr 2000, Ron Smith wrote:

> bash-2.03# uname -a
> FreeBSD stargate.crcfx.com 3.4-RELEASE FreeBSD 3.4-RELEASE #0: Fri Mar
> 31 14:39:09 PST 2000 root@stargate.crcfx..com:/usr/src/sys/compile/STARGATE
> i386
>
> I recompiled the kernel with:
>
> options IPFIREWALL
> options IPDIVERT
>
> The problem is as follows:
>
> NAT only works with 'firewall_type="open"'.
>
> Here are the particulars:
>
> bash-2.03$ cat /etc/rc.conf
>
> # This file now contains just the overrides from /etc/defaults/rc.conf
> # please make all changes to this file.
>
> linux_enable="YES"
> moused_port="/dev/cuaa0"
> moused_type="microsoft"
> moused_enable="YES"
> inetd_enable="NO"
> sendmail_enable="NO"
> dumpdev=/dev/wd0s1b
> firewall_enable="YES"
> firewall_type="simple"
> firewall_script="/etc/rc.firewall"
> gateway_enable="YES"
> defaultrouter="63.203.c.d"
> natd_enable="YES"
> natd_interface="pn0"
> ifconfig_fxp0="inet 192.168.c.d netmask 255.255.255.0"
> ifconfig_pn0="inet 63.203.c.d netmask 255.255.255.248"
> hostname="stargate.crcfx.com"
> named_enable="YES"
> ~~~~~~~~~~~~~~~~~~
> ~~~~~~~~~~~~~~~~~~
> Following is a portion of 'cat /etc/rc.firewall'
>
> elif [ "${firewall_type}" = "simple" ]; then
>
> ############
> # This is a prototype setup for a simple firewall. Configure this
> machine
> # as a named server and ntp server, and point all the machines on
> the inside
> # at this machine for those services.
> ############
>
> # set these to your outside interface network and netmask and ip
> oif="pn0"
> onet="63.203.c.d" #cidr given by the ISP; one below the gateway
> omask="255.255.255.248"
> oip="63.203.c.d" # Static IP address of the external NIC
>
> # set these to your inside interface network and netmask and ip
> iif="fxp0"
> inet="192.168.c.d" # IP range of internal LAN
> imask="255.255.255.0"
> iip="192.168.c.d" # IP address of the internal NIC
>
> NAT doesn't work for anyone on the LAN trying to reach the internet through
> 'firewall_type="simple"', but works fine with 'firewall_type="open"'. Do you
> think the above settings are correct, and in the right place?
>
> Can anyone give me a hand? Everything looks O.K. to me, unless I'm missing
> something. Maybe there's something I'm missing altogether when I try to go
> 'firewall_type="simple"' and use those stock rules, as is, in
> '/etc/rc.firewall'. If I need to make changes there, could someone mail me a
> sample of some rules that work for NAT+ipfw.
>
> TIA
> Ron Smith
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 15 19:21:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id BA75037B986 for ; Sat, 15 Apr 2000 19:21:14 -0700 (PDT) (envelope-from ache@nagual.pp.ru)
Received: (from ache@localhost) by nagual.pp.ru (8.9.3/8.9.3) id GAA28270 for security@freebsd.org; Sun, 16 Apr 2000 06:21:10 +0400 (MSD) (envelope-from ache)
Date: Sun, 16 Apr 2000 06:21:09 +0400
From: "Andrey A. Chernov"
To: security@freebsd.org
Subject: Re-enabling lynx-current again
Message-ID: <20000416062109.A28187@nagual.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
Organization: Biomechanoid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

As I see in the lynx CHANGES file, buffer overflows were fixed on 2000-03-26 (2.8.3dev.23). Does this step solve the known problems? I plan to re-enable lynx-current, if nobody disagrees.

--
Andrey A. Chernov
http://nagual.pp.ru/~ache/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 15 19:39:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rock.ghis.net (rock.ghis.net [209.222.164.7]) by hub.freebsd.org (Postfix) with ESMTP id CD04837B8DA for ; Sat, 15 Apr 2000 19:39:14 -0700 (PDT) (envelope-from will@blackdawn.com)
Received: from argon.blackdawn.com (01-037.dial.008.popsite.net [209.69.194.37]) by rock.ghis.net (8.9.3/8.9.3) with ESMTP id TAA31900; Sat, 15 Apr 2000 19:39:10 -0700 (PDT)
Received: by argon.blackdawn.com (Postfix, from userid 1000) id 9604F18B9; Sat, 15 Apr 2000 22:39:00 -0400 (EDT)
Date: Sat, 15 Apr 2000 22:39:00 -0400
From: Will Andrews
To: "Andrey A. Chernov"
Cc: security@FreeBSD.ORG
Subject: Re: Re-enabling lynx-current again
Message-ID: <20000415223900.H33593@argon.blackdawn.com>
References: <20000416062109.A28187@nagual.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000416062109.A28187@nagual.pp.ru>; from ache@nagual.pp.ru on Sun, Apr 16, 2000 at 06:21:09AM +0400
X-Operating-System: FreeBSD 5.0-CURRENT i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Apr 16, 2000 at 06:21:09AM +0400, Andrey A. Chernov wrote:
> As I see in the lynx CHANGES file, buffer overflows were fixed on 2000-03-26
> (2.8.3dev.23). Does this step solve the known problems?
I plan to re-enable > lynx-current, if nobody disagree. If you are CERTAIN that these security holes have been fixed, then by all means re-enable lynx. But make sure they are, before you update the lynx port. -- Will Andrews GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w--- ?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ G++>+++ e->++++ h! r-->+++ y? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 15 20:14:24 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 1B7E937B9C2 for ; Sat, 15 Apr 2000 20:14:20 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id XAA03777; Sat, 15 Apr 2000 23:14:05 -0400 (EDT) (envelope-from robert@cyrus.watson.org) Date: Sat, 15 Apr 2000 23:14:05 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Will Andrews Cc: "Andrey A. Chernov" , security@FreeBSD.ORG Subject: Re: Re-enabling lynx-current again In-Reply-To: <20000415223900.H33593@argon.blackdawn.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org My understanding is that Kris has been reviewing the changes, and would presumably be the correct person to remove the BROKEN tag. I'd recommend leaving it there until he's had a chance to do the review (all bow down to the Port security officer). Robert On Sat, 15 Apr 2000, Will Andrews wrote: > On Sun, Apr 16, 2000 at 06:21:09AM +0400, Andrey A. Chernov wrote: > > As I see in lynx CHANGES file, buffer overflows fixed at 2000-03-26 > > (2.8.3dev.23). Is this step solve known problems? 
I plan to re-enable > > lynx-current, if nobody disagree. > > If you are CERTAIN that these security holes have been fixed, then by all > means re-enable lynx. But make sure they are, before you update the lynx > port. > > -- > Will Andrews > GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w--- > ?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ > G++>+++ e->++++ h! r-->+++ y? > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 15 20:33:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 6BB3D37B8C9; Sat, 15 Apr 2000 20:33:42 -0700 (PDT) (envelope-from ache@nagual.pp.ru) Received: (from ache@localhost) by nagual.pp.ru (8.9.3/8.9.3) id HAA33994; Sun, 16 Apr 2000 07:33:35 +0400 (MSD) (envelope-from ache) Date: Sun, 16 Apr 2000 07:33:34 +0400 From: "Andrey A. 
Chernov" To: Robert Watson Cc: Will Andrews , security@FreeBSD.ORG, kris@FreeBSD.ORG Subject: Re: Re-enabling lynx-current again Message-ID: <20000416073334.A33963@nagual.pp.ru> References: <20000415223900.H33593@argon.blackdawn.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from robert@cyrus.watson.org on Sat, Apr 15, 2000 at 11:14:05PM -0400 Organization: Biomechanoid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, Apr 15, 2000 at 11:14:05PM -0400, Robert Watson wrote: > My understanding is that Kris has been reviewing the changes, and would > presumably be the correct person to remove the BROKEN tag. I'd recommend > leaving it there until he's had a chance to do the review (all bow down to > the Port security officer). Well, I just upgrade lynx-current port to latest version but leave FORBIDDEN status active. I hope Kris review will not take much time: what is suspected as fix was issued by Lynx maintainer at March 26 and still not reviewed. -- Andrey A. Chernov http://nagual.pp.ru/~ache/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message