From owner-freebsd-security Sun Jul 9 1:14:15 2000
Date: Sun, 9 Jul 2000 01:14:12 -0700 (PDT)
From: John F Cuzzola
To: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall help

Hi everyone,

On a few occasions I get firewall log entries that look something like this:

ipfw: 59000 Deny TCP 210.205.2.50:49088 255.255.255.255:80

My question is how does this happen? I mean I know 255.255.255.255 is the network broadcast but how did I receive this entry? Does it mean the source (210.205.2.50) scanned the entire class C network and the router abbreviated the entry as destination 255.255.255.255 or is this a FreeBSD logging abbreviation for a range of IPs? (the entire network). Any thoughts would be sincerely appreciated ...

(Ps: I'm using FreeBSD 4.0)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 9 12:39:31 2000
Date: Sun, 09 Jul 2000 19:42:04 +0100
From: David Larkin
Organization: DJL Software Consultancy Ltd
To: questions@freebsd.org, security@freebsd.org
Subject: Re: apache mod_ssl freebsd tutorial

> Hi,
> Anybody aware of a tutorial / primer for
> installation & configuration of apache & mod_ssl ?
>
> I've found the port, and the mod_ssl user manual
> but was looking around for some reading material.
>
> Thanks
> Dave

OK, I've managed to install the port OK, I now get an encouraging page which tells me

Hey, it worked !
The SSL/TLS-aware Apache webserver was successfully installed on this website.

As a newcomer to the world of secure servers, I'm not too sure what to do next.

Where do I look to find out how to say 'hello world' over https ?

The mod_ssl appears very comprehensive from a reference perspective, but is there any 'getting started' material out there ?

either online, or at the local bookstore ?

Thanks Again
Dave

PS : Could you CC me directly on replies I'm not a member of list
PPS : I'm in UK if that matters

From owner-freebsd-security Sun Jul 9 14:33: 8 2000
Date: Sun, 09 Jul 2000 23:34:27 +0200
From: Roelof Osinga
Organization: eboa - engineering buro Office Automation
To: David Larkin
Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: apache mod_ssl freebsd tutorial

David Larkin wrote:
>
> ...
> The mod_ssl appears very comprehensive from a
> reference perspective, but is there any 'getting started'
> material out there ?
>
> either online, or at the local bookstore ?

O'Reilly: Laurie & Laurie, Apache The Definitive Guide

Roelof

--
Dog's home @ http://cairni.com/

From owner-freebsd-security Mon Jul 10 6: 3:14 2000
From: "Dmitry Bely"
Organization: Formoza 'Kitai-gorod' branch
To: FreeBSD-security@FreeBSD.org
Date: Mon, 10 Jul 2000 17:02:39 +0400
Subject: help

help

----------------------------
Dmitry Bely.
Formoza-Island.
Formoza Island Ltd, division of Formoza company, Moscow, Russia
Phone +7-095-7284004
Fax +7-095-9170072
----------------------------

From owner-freebsd-security Mon Jul 10 17:48:10 2000
From: "Ron Smith"
To: freebsd-security@freebsd.org
Subject: OpenSSH
Date: Mon, 10 Jul 2000 17:48:06 PDT

Hi all,

This is probably a simple problem. I'm setting up 'sshd' on a FreeBSD 4.0-RELEASE box, but I can't start '/usr/sbin/sshd'. I get the following error message:

error: Could not load host key: /etc/ssh/ssh_host_key: No such file or directory

I looked around in 'man sshd' and the FreeBSD Handbook, but couldn't find the fix. Does anyone happen to know what I'm overlooking?

TIA
Ron Smith

From owner-freebsd-security Mon Jul 10 17:53:53 2000
Date: Tue, 11 Jul 2000 10:53:41 +1000
From: Nick Slager
To: Ron Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: OpenSSH

Thus spake Ron Smith (ronnetron@hotmail.com):

> This is probably a simple problem. I'm setting up 'sshd' on a FreeBSD
> 4.0-RELEASE box, but I can't start '/usr/sbin/sshd'. I get the following
> error message:
>
> error: Could not load host key: /etc/ssh/ssh_host_key: No such file or
> directory

You need to generate an RSA host key for the box. Something like:

/usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key

as root should do the trick. If you have ssh_enable set to "YES" in /etc/rc.conf, the key will be generated automatically on reboot if it doesn't exist.

Regards,

Nick.

--
From a Sun Microsystems bug report (#4102680):
"Workaround: don't pound on the mouse like a wild monkey."

From owner-freebsd-security Mon Jul 10 18:15:39 2000
From: "Ron Smith"
To: nicks@albury.net.au
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSSH
Date: Mon, 10 Jul 2000 18:15:33 PDT

Yep! That did the trick.

Thanks Nick,
R.S.

>From: Nick Slager
>To: Ron Smith
>CC: freebsd-security@FreeBSD.ORG
>Subject: Re: OpenSSH
>Date: Tue, 11 Jul 2000 10:53:41 +1000
>
>Thus spake Ron Smith (ronnetron@hotmail.com):
>
> > This is probably a simple problem. I'm setting up 'sshd' on a FreeBSD
> > 4.0-RELEASE box, but I can't start '/usr/sbin/sshd'. I get the following
> > error message:
> >
> > error: Could not load host key: /etc/ssh/ssh_host_key: No such file or
> > directory
>
>You need to generate an RSA host key for the box. Something like:
>
>/usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key
>
>as root should do the trick. If you have ssh_enable set to "YES" in
>/etc/rc.conf, the key will be generated automatically on reboot if
>it doesn't exist.
>
>Regards,
>
>
>Nick.
>
>--
> From a Sun Microsystems bug report (#4102680):
> "Workaround: don't pound on the mouse like a wild monkey."
>

From owner-freebsd-security Mon Jul 10 19:37:27 2000
Date: Tue, 11 Jul 2000 10:37:34 +0800
From: Kevin Ren
Reply-To: kevinren@public.gb.com.cn
To: freebsd-security@FreeBSD.ORG
Subject: SUBSCRIBE

SUBSCRIBE renjiang@public.gb.com.cn

From owner-freebsd-security Mon Jul 10 21:19:46 2000
Date: Mon, 10 Jul 2000 22:19:25 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: OpenSSH in 4.0 doesn't seem to work out of the box

Have been experimenting with the OpenSSH implementation that's included in 4.0-STABLE. After one enables it in rc.conf and rebooting to generate host keys, the sshd that's part of the package seems not to be compatible with any of the clients I use. It refuses to accept connections, saying that it can't find an RSAREF library. And when I install RSAREF from the Ports Collection, it *still* rejects connections from clients with the same (long) error message on the console.

Why is it being so recalcitrant? Is there a reason why it doesn't work out of the box?

--Brett

From owner-freebsd-security Mon Jul 10 21:53:21 2000
Date: Tue, 11 Jul 2000 00:53:07 -0400 (EDT)
From: Dave
To: security@FreeBSD.ORG
Cc: brett@lariat.org
Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What clients are you using? You might want to add the blowfish cypher to them.

Dave

_____________
I'm not panicking. I'm watching you panic. It's much more entertaining.
pgp key: http://www.dugard.org/dave.pgp.asc

On Mon, 10 Jul 2000, Brett Glass wrote:

> Have been experimenting with the OpenSSH implementation that's included in
> 4.0-STABLE. After one enables it in rc.conf and rebooting to generate host
> keys, the sshd that's part of the package seems not to be compatible with
> any of the clients I use. It refuses to accept connections, saying that it
> can't find an RSAREF library. And when I install RSAREF from the Ports
> Collection, it *still* rejects connections from clients with the same
> (long) error message on the console.
>
> Why is it being so recalcitrant? Is there a reason why it doesn't work out
> of the box?
>
> --Brett
>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBOWqoN4Zz2iHxXqnlEQKYQgCgpYQXEl7F4dvhUq04/Afv4g5V8VUAniAr
Bl1yut9bNWZapYckc+LJ8Svh
=OGgr
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 10 23:26:35 2000
Date: Tue, 11 Jul 2000 00:25:53 -0600
To: Dave, security@FreeBSD.ORG
From: Brett Glass
Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box

I need to come in from some Windows workstations, and have tried Igaly SSH and Tera Term with the SSH module. (The latter has MUCH better terminal emulation than the former.) Neither can get through; I get lots of console error messages but no successful login. Making Blowfish the preferred cipher doesn't seem to help.

--Brett

P.S. -- I've always wondered why El Gamal wasn't one of the encryption options, since it's unencumbered and already used in PGP.

At 10:53 PM 7/10/2000, Dave wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>What clients are you using? You might want to add the blowfish cypher to
>them.
>
>Dave
>
>_____________
>I'm not panicking. I'm watching you panic. It's much more entertaining.
>pgp key: http://www.dugard.org/dave.pgp.asc
>
>On Mon, 10 Jul 2000, Brett Glass wrote:
>
>> Have been experimenting with the OpenSSH implementation that's included in
>> 4.0-STABLE. After one enables it in rc.conf and rebooting to generate host
>> keys, the sshd that's part of the package seems not to be compatible with
>> any of the clients I use. It refuses to accept connections, saying that it
>> can't find an RSAREF library. And when I install RSAREF from the Ports
>> Collection, it *still* rejects connections from clients with the same
>> (long) error message on the console.
>>
>> Why is it being so recalcitrant? Is there a reason why it doesn't work out
>> of the box?
>>
>> --Brett
>>
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 5.0i for non-commercial use
>Charset: noconv
>
>iQA/AwUBOWqoN4Zz2iHxXqnlEQKYQgCgpYQXEl7F4dvhUq04/Afv4g5V8VUAniAr
>Bl1yut9bNWZapYckc+LJ8Svh
>=OGgr
>-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jul 11 1:53:58 2000
Date: Tue, 11 Jul 2000 12:53:23 +0400 (MSD)
From: Andrey Sverdlichenko
To: freebsd-security@freebsd.org
Subject: Re: Hardware crypto (Re: KAME stable 20000704)

On Mon, 10 Jul 2000, Jun-ichiro itojun Hagino wrote:

> In case anyone got confused: please note that "IPsec support for
> crypto card" and "crypto card support as user-mode device file"
> are totally different thing. Former one needs MAJOR work in
> network IP layer design (BSD IP layer runs under software interrupt,
> killing possibility for offloading CPU). OpenBSD did a truly
> super job on this.

Hmmm... I don't know about KAME/IPSEC, but in our cryptorouter I made it in easy way:

1) in software interrupt context packet goes to "crypto task queue"
2) kernel process gets packet from this queue and passes it to encryption/decryption functions (currently software, but I see nothing special in hardware support)
3) after processing packet injected back to ip_input()/ip_output().

From owner-freebsd-security Tue Jul 11 5:13:24 2000
Date: Tue, 11 Jul 2000 08:13:30 -0400 (EDT)
From: "Chris D. Faulhaber"
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box

On Mon, 10 Jul 2000, Brett Glass wrote:

> Have been experimenting with the OpenSSH implementation that's included in
> 4.0-STABLE. After one enables it in rc.conf and rebooting to generate host
> keys, the sshd that's part of the package seems not to be compatible with
> any of the clients I use. It refuses to accept connections, saying that it
> can't find an RSAREF library. And when I install RSAREF from the Ports
> Collection, it *still* rejects connections from clients with the same
> (long) error message on the console.
>
> Why is it being so recalcitrant? Is there a reason why it doesn't work out
> of the box?
>

You will probably have to restart sshd(8) after installing the rsa libs.

-----
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Tue Jul 11 5:34:38 2000
Date: Tue, 11 Jul 2000 16:17:56 +0400
From: Alex Kapranoff
To: Brett Glass
Cc: security@freebsd.org
Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box

On Tue, Jul 11, 2000 at 12:25:53AM -0600, Brett Glass wrote:
> I need to come in from some Windows workstations, and have tried Igaly
> SSH and Tera Term with the SSH module. (The latter has MUCH better terminal
> emulation than the former.) Neither can get through; I get lots of console
> error messages but no successful login. Making Blowfish the preferred
> cipher doesn't seem to help.
>
> --Brett

There's a wonderful telnet/ssh client for Win32 at ftp://dbserv.stu.lipetsk.su/pub/telneat/

It's a Win32 console app, has convenient Alt-F? vtys, Scroll Lock history and mouse as well as keyboard driven Select&Paste. It is unique due to the fact that it interprets termcap files to emulate terminals properly. If server and client termcap are the same, then (as you can imagine) emulation is exactly perfect no matter what terminal type you selected.

I use it all the time to reach FreeBSD 4.0-RELEASE and OpenBSD 2.6 boxen via ssh v1 (3des).

Config file comments are in Russian, unfortunately. Author's email is: telneat@stu.lipetsk.su (that's not me).

> At 10:53 PM 7/10/2000, Dave wrote:
>
> >What clients are you using? You might want to add the blowfish cypher to
> >them.

--
Alex Kapranoff, 2:50/383.20@fidonet, Voice: +7(0832)791845.

From owner-freebsd-security Tue Jul 11 6: 7:47 2000
Date: Tue, 11 Jul 2000 09:07:23 -0400 (EDT)
From: Igor Roshchin
To: brett@lariat.org, dave@dugard.org, security@FreeBSD.ORG
Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box

> From igor Tue Jul 11 09:02:06 2000
> Date: Tue, 11 Jul 2000 00:25:53 -0600
> To: Dave, security@FreeBSD.ORG
> From: Brett Glass
> Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box
>
> I need to come in from some Windows workstations, and have tried Igaly
> SSH and Tera Term with the SSH module. (The latter has MUCH better terminal
> emulation than the former.) Neither can get through; I get lots of console
> error messages but no successful login. Making Blowfish the preferred
> cipher doesn't seem to help.
>
> --Brett
>

I installed a FreeBSD-4.0-RELEASE box just recently, and have OpenSSH running (using rsaref installed from the ports collection, with the USA_RESIDENT=YES). I was able to login to it using Igaly's SSH (cipher set to blowfish) without any problem or additional tweaking.

Igor

From owner-freebsd-security Tue Jul 11 7:59:20 2000
Date: Tue, 11 Jul 2000 10:59:06 -0400 (EDT)
From: Matt Heckaman
To: Brett Glass
Cc: FreeBSD-SECURITY
Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Brett,

Here I use SecureCRT 3.0.3 to get into my FreeBSD machines running OpenSSH from my sole Windows machine. It's not a free client, but it's fairly nice and does a myriad of things. It does fsck up my scroll keys, but I bet you can fix that, I just never bothered to try :)

As was mentioned, you'll need to restart sshd after you installed rsaref. I use both base OpenSSH and ports OpenSSH without any problems. I have attached my sshd_config file, see if that doesn't help you out with a known working configuration.

Good luck,

* Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (FreeBSD)
Comment: http://www.lucida.qc.ca/pgp

iD8DBQE5azY8dMMtMcA1U5ARAudlAKDw+jZoYBVMlYtX7LDmw8jpZwheKwCgpHFj
H0F3rB9D4JoBbUb7RiIsJw8=
=YxQB
-----END PGP SIGNATURE-----

[Attachment: sshd_config]

From owner-freebsd-security Tue Jul 11 12: 5:17 2000
Date: Tue, 11 Jul 2000 21:05:40 +0200
From: Harold Gutch
To: Brett Glass, Dave, security@FreeBSD.ORG
Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box

On Tue, Jul 11, 2000 at 12:25:53AM -0600, Brett Glass wrote:
> I need to come in from some Windows workstations, and have tried Igaly
> SSH and Tera Term with the SSH module. (The latter has MUCH better terminal
> emulation than the former.) Neither can get through; I get lots of console
> error messages but no successful login. Making Blowfish the preferred
> cipher doesn't seem to help.
>
> --Brett
>
> P.S. -- I've always wondered why El Gamal wasn't one of the encryption
> options, since it's unencumbered and already used in PGP.

The ElGamal encryption algorithm I know of doubles the size of the plaintext; that's not really a problem with PGP, since the actual encryption algorithm uses a private key, which is transferred after being encrypted with a public key algorithm. If you would want to encrypt the whole session using ElGamal, you would double the amount of data being transferred. Also ElGamal should be fairly slow (that's just a guess), therefore in practice it isn't usable for much more than a key-exchange or the encryption of short messages.

bye,
Harold

--
Someone should do a study to find out how many human life spans have been lost waiting for NT to reboot.
Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 11 13:17:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from compton.cnmnetwork.com (prometheus.cnmnetwork.com [209.79.28.5]) by hub.freebsd.org (Postfix) with ESMTP id 9CB8237B73E for ; Tue, 11 Jul 2000 13:17:41 -0700 (PDT) (envelope-from jrz@cnmnetwork.com) Received: (from jrz@localhost) by compton.cnmnetwork.com (8.9.3/8.9.3) id NAA14718 for security@freebsd.org; Tue, 11 Jul 2000 13:17:34 -0700 (PDT) (envelope-from jrz@cnmnetwork.com) X-Authentication-Warning: compton.cnmnetwork.com: jrz set sender to jrz@cnmnetwork.com using -f Date: Tue, 11 Jul 2000 13:17:34 -0700 
From: Jacob Zehnder To: security@freebsd.org Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box Message-ID: <20000711131734.A89231@cnmnetwork.com> References: <4.3.2.7.2.20000710221547.043d0e60@localhost> <4.3.2.7.2.20000711002012.00e7cd80@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <4.3.2.7.2.20000711002012.00e7cd80@localhost>; from brett@lariat.org on Tue, Jul 11, 2000 at 12:25:53AM -0600 X-Operating-System: BSD Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Brett, You should check out Putty. http://www.chiark.greenend.org.uk/~sgtatham/putty/ It does telnet/ssh/scp for win32, provides source code, and of course is free. -jrz On Tue, Jul 11, 2000 at 12:25:53AM -0600, Brett Glass wrote: > I need to come in from some Windows workstations, and have tried Igaly > SSH and Tera Term with the SSH module. (The latter has MUCH better terminal > emulation than the former.) Neither can get through; I get lots of console > error messages but no successful login. Making Blowfish the preferred > cipher doesn't seem to help. > > --Brett > -- Jacob Zehnder || System Administrator CNM Network || +1 805.520.7170 (http://www.cnmnetwork.com) ====================================== | Business: jrz@cnmnetwork.com | | Other: jrz@rackmount.org | ================================================ | I would rather have 15 minutes of wonderful, | | than a lifetime of nothing special. 
| | - Albert Einstein | ================================================ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 11 13:43:49 2000 Delivered-To: freebsd-security@freebsd.org Received: from firewall.f5.com (firewall.f5.com [207.17.117.200]) by hub.freebsd.org (Postfix) with ESMTP id 639BE37B805 for ; Tue, 11 Jul 2000 13:43:44 -0700 (PDT) (envelope-from m.mcpherson@f5.com) Received: by firewall.f5.com; id NAA14258; Tue, 11 Jul 2000 13:19:49 GMT Received: from klar.f5.com(192.50.100.9) by firewall.f5.com via smap (4.1) id xma014220; Tue, 11 Jul 00 13:19:24 GMT Received: from f5-exchange2.win.net by klar.f5.com; (8.8.7/1.1.8.2/18Jul96-1139AM) id NAA23296; Tue, 11 Jul 2000 13:43:16 -0700 Received: by f5-exchange2.win.net with Internet Mail Service (5.5.2448.0) id ; Tue, 11 Jul 2000 13:47:01 -0700 Message-ID: From: Mike McPherson To: "'Jacob Zehnder'" , security@FreeBSD.ORG Subject: RE: OpenSSH in 4.0 doesn't seem to work out of the box Date: Tue, 11 Jul 2000 13:43:11 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="windows-1252" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Brett, Note that PuTTY only supports ssh1. Mike > -----Original Message----- 
> From: Jacob Zehnder [mailto:jrz@cnmnetwork.com] > Sent: Tuesday, July 11, 2000 1:18 PM > To: security@FreeBSD.ORG > Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box > > > Brett, > > You should check out Putty. > http://www.chiark.greenend.org.uk/~sgtatham/putty/ > > It does telnet/ssh/scp for win32, provides source code, and > of course is free. > > -jrz > > On Tue, Jul 11, 2000 at 12:25:53AM -0600, Brett Glass wrote: > > I need to come in from some Windows workstations, and have > tried Igaly > > SSH and Tera Term with the SSH module. (The latter has MUCH > better terminal > > emulation than the former.) Neither can get through; I get > lots of console > > error messages but no successful login. Making Blowfish the > preferred > > cipher doesn't seem to help. > > > > --Brett > > > > -- > > Jacob Zehnder || System Administrator > CNM Network || +1 805.520.7170 > (http://www.cnmnetwork.com) > ====================================== > | Business: jrz@cnmnetwork.com | > | Other: jrz@rackmount.org | > ================================================ > | I would rather have 15 minutes of wonderful, | > | than a lifetime of nothing special. 
| > | - Albert Einstein | > ================================================ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 11 13:49:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id B67E837B833 for ; Tue, 11 Jul 2000 13:49:40 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA04101; Tue, 11 Jul 2000 14:49:22 -0600 (MDT) Message-Id: <4.3.2.7.2.20000711144608.04b8eec0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 11 Jul 2000 14:49:17 -0600 To: Jacob Zehnder , security@FreeBSD.ORG 
From: Brett Glass Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box In-Reply-To: <20000711131734.A89231@cnmnetwork.com> References: <4.3.2.7.2.20000711002012.00e7cd80@localhost> <4.3.2.7.2.20000710221547.043d0e60@localhost> <4.3.2.7.2.20000711002012.00e7cd80@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 02:17 PM 7/11/2000, Jacob Zehnder wrote:

>Brett,
>
>You should check out Putty.
>http://www.chiark.greenend.org.uk/~sgtatham/putty/
>
>It does telnet/ssh/scp for win32, provides source code, and of course is free.

I've looked at it. Unfortunately, it does not do port redirection, which is
necessary for some of the things we do -- especially when we take laptops
on the road and need to get back into the local LAN for e-mail. Port
redirection provides VPN capabilities with near-zero overhead.

In any event, there has been no indication that the problem has to do
with the client. We are experiencing the same problems with several
very different clients.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 11 14:22:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54]) by hub.freebsd.org (Postfix) with ESMTP id 4D78C37B91D; Tue, 11 Jul 2000 14:22:48 -0700 (PDT) (envelope-from todd@flyingcroc.net) Received: from localhost (todd@localhost) by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id OAA02393; Tue, 11 Jul 2000 14:22:46 -0700 (PDT) (envelope-from todd@flyingcroc.net) X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs Date: Tue, 11 Jul 2000 14:22:46 -0700 (PDT) 
From: Todd Backman X-Sender: todd@security1.noc.flyingcroc.net To: freebsd-security@freebsd.org, freebsd-net@freebsd.org Subject: IPF performance data Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Greetings, Does anyone out there have any data pertaining to possible degradation of tcp performance using IPF? (pre-ruleset/pass all) Thanks. - Todd To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 11 14:50:50 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 6715137B7DA; Tue, 11 Jul 2000 14:50:47 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA93798; Tue, 11 Jul 2000 14:50:47 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Tue, 11 Jul 2000 14:50:47 -0700 (PDT) 
From: Kris Kennaway To: Harold Gutch Cc: Brett Glass , Dave , security@FreeBSD.ORG Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box In-Reply-To: <20000711210540.B17911@foobar.franken.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, 11 Jul 2000, Harold Gutch wrote:

> > P.S. -- I've always wondered why El Gamal wasn't one of the encryption
> > options, since it's unencumbered and already used in PGP.
>
> The ElGamal encryption algorithm I know of doubles the size of
> the plaintext; that's not really a problem with PGP, since the
> actual encryption algorithm uses a private key, which is
> transferred after being encrypted with a public key algorithm.

ITYM "session key" - RSA and DSA modes work by negotiating a session key
which is used with a conventional (symmetric) cipher to encrypt the bulk
data. I don't know much about El Gamal, but if it can negotiate a session
key then there's nothing preventing you from using it as a SSH2 key format
in the same way, except that no other clients or servers out there will
support you :-)

The real reason RSA is used in OpenSSH SSH1 mode is because that's what
was implemented in the SSH1 protocol, probably because it's the most
suitable public-key algorithm for the job. SSH1 didn't allow for other
algorithms, and SSH2, which does, uses DSA (an algorithm which is patented
but usable without restrictions) which does everything you'd need.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 11 14:55:45 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 5C73937B7DA; Tue, 11 Jul 2000 14:55:37 -0700 (PDT) 
From: FreeBSD Security Advisories Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:26.popper [REVISED] Reply-To: security-advisories@freebsd.org 
From: FreeBSD Security Advisories Message-Id: <20000711215537.5C73937B7DA@hub.freebsd.org> Date: Tue, 11 Jul 2000 14:55:37 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:26                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          popper port contains remote vulnerability [REVISED]

Category:       ports
Module:         popper
Announced:      2000-07-05
Revised:        2000-07-11
Credits:        Prizm
Affects:        Ports collection.
Corrected:      2000-05-25
Vendor status:  Notified
FreeBSD only:   NO

I.   Background

QPopper is a popular POP3 mail server.

II.  Problem Description

The qpopper port, version 2.53 and earlier, incorrectly parses string
formatting operators included in part of the email message header. A
remote attacker can send a malicious email message to a local user
which can cause arbitrary code to be executed on the server when a POP
client retrieves the message using the UIDL command. The code is
executed as the user who is retrieving mail: thus if root reads email
via POP3 this can lead to a root compromise.

This vulnerability is not present in qpopper-3.0.2, also available in
FreeBSD ports.

The qpopper port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3500 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.0 contains this
problem since it was discovered after the release, but it was fixed in
time for FreeBSD 3.5.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Remote users can cause arbitrary code to be executed as the retrieving
user when a POP client retrieves email.

If you have not chosen to install the qpopper-2.53 port/package, then
your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the qpopper-2.53 port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the qpopper port,
or upgrade to qpopper-3.0.2 available in /usr/ports/mail/popper3.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/qpopper-2.53.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/qpopper-2.53.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/qpopper-2.53.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/qpopper-2.53.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/qpopper-2.53.tgz

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/qpopper3-3.0.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/qpopper3-3.0.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/qpopper3-3.0.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/qpopper3-3.0.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/qpopper3-3.0.2.tgz

3) download a new port skeleton for the qpopper port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

VI.  Revision History

v1.0  2000-07-05  Initial release
v1.1  2000-07-11  Correct URL of qpopper-2.53 package and note
                  availability of qpopper3-3.0.2. Update size of ports
                  collection.

-----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOWuXjlUuHi5z0oilAQGviQP/TQqQXqwU0TBkJbvdtuLLXZdcjywbX39p O5EgHOjsHxnLkfOCYXJ+wQ+2s88OZouFhsR4OcTJDC8UobgVlKicOOEShov6IkrN rwJfkc7fgxuLVOW8Y3ef3gixqhCkCsgMI5NlvKt88YThr1y0Z8GnK5u9gxz1YUKA M9iveHnUsSU= =5bHQ -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 11 14:58:14 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 233B237B944; Tue, 11 Jul 2000 14:58:00 -0700 (PDT) From: FreeBSD Security Advisories Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:23.ip-options [REVISED] Reply-To: security-advisories@freebsd.org 
From: FreeBSD Security Advisories Message-Id: <20000711215800.233B237B944@hub.freebsd.org> Date: Tue, 11 Jul 2000 14:58:00 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:23                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Remote denial-of-service in IP stack [REVISED]

Category:       core
Module:         kernel
Announced:      2000-06-19
Revised:        2000-07-11
Affects:        FreeBSD systems prior to the correction date
Credits:        NetBSD Security Advisory 2000-002, and
                Jun-ichiro itojun Hagino
Corrected:      (Several bugs fixed, the date below is that of the most
                recent fix)
                2000-06-08 (3.4-STABLE)
                2000-06-08 (4.0-STABLE)
                2000-06-02 (5.0-CURRENT)
FreeBSD only:   NO

I.   Background

II.  Problem Description

There are several bugs in the processing of IP options in the FreeBSD
IP stack, which fail to correctly bounds-check arguments and contain
other coding errors leading to the possibility of data corruption and
a kernel panic upon reception of certain invalid IP packets.

This set of bugs includes the instance of the vulnerability described
in NetBSD Security Advisory 2000-002 (see
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-002.txt.asc)
as well as other bugs with similar effect.

III. Impact

Remote users can cause a FreeBSD system to panic and reboot.

IV.  Workaround

Incoming packets containing IP Options can be blocked at a perimeter
firewall or on the local system, using ipfw(8) (ipf(8) is also capable
of blocking packets with IP Options, but is not described here).

The following ipfw rules are believed to prevent the denial-of-service
attack (replace the rule numbers '100'-'103' with whichever rule
numbers are appropriate for your local firewall, if you are already
using ipfw):

ipfw add 100 deny log ip from any to any ipopt rr
ipfw add 101 deny log ip from any to any ipopt ts
ipfw add 102 deny log ip from any to any ipopt ssrr
ipfw add 103 deny log ip from any to any ipopt lsrr

Note that there are legitimate uses for IP options, although they are
not believed to be in common use, and blocking them should not cause
any problems. Therefore the log entries generated by these ipfw rules
will not necessarily be evidence of an attempted attack. Furthermore,
the packets may be spoofed and have falsified source addresses.

V.   Solution

One of the following:

1) Upgrade your FreeBSD system to 3.4-STABLE, 4.0-STABLE or
5.0-CURRENT after the respective correction dates.

2) Apply the patch below and recompile your kernel.

Either save this advisory to a file, or download the patch and
detached PGP signature from the following locations, and verify the
signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff.asc

# cd /usr/src/sys/netinet
# patch -p < /path/to/patch_or_advisory

[ Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system ]

VI.  Revision History

v1.0  2000-06-19  Initial release
v1.1  2000-07-11  Note workaround using ipfw.

Index: ip_icmp.c =================================================================== RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v retrieving revision 1.39 diff -u -r1.39 ip_icmp.c --- ip_icmp.c 2000/01/28 06:13:09 1.39 +++ ip_icmp.c 2000/06/08 15:26:39 
@@ -662,8 +662,11 @@ if (opt == IPOPT_NOP) len = 1; else { + if (cnt < IPOPT_OLEN + sizeof(*cp)) + break; len = cp[IPOPT_OLEN]; - if (len <= 0 || len > cnt) + if (len < IPOPT_OLEN + sizeof(*cp) || + len > cnt) break; } /* Index: ip_input.c =================================================================== RCS file: /ncvs/src/sys/netinet/ip_input.c,v retrieving revision 1.130 diff -u -r1.130 ip_input.c --- ip_input.c 2000/02/23 20:11:57 1.130 +++ ip_input.c 2000/06/08 15:25:46 @@ -1067,8 +1067,12 @@ if (opt == IPOPT_NOP) optlen = 1; else { + if (cnt < IPOPT_OLEN + sizeof(*cp)) { + code = &cp[IPOPT_OLEN] - (u_char *)ip; + goto bad; + } optlen = cp[IPOPT_OLEN]; - if (optlen <= 0 || optlen > cnt) { + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) { code = &cp[IPOPT_OLEN] - (u_char *)ip; goto bad; } @@ -1174,6 +1178,10 @@ break; case IPOPT_RR: + if (optlen < IPOPT_OFFSET + sizeof(*cp)) { + code = &cp[IPOPT_OFFSET] - (u_char *)ip; + goto bad; + } if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) { code = &cp[IPOPT_OFFSET] - (u_char *)ip; goto bad; Index: ip_output.c =================================================================== RCS file: /ncvs/src/sys/netinet/ip_output.c,v retrieving revision 1.99 diff -u -r1.99 ip_output.c --- ip_output.c 2000/03/09 14:57:15 1.99 +++ ip_output.c 2000/06/08 15:27:08 
@@ -1302,8 +1302,10 @@ if (opt == IPOPT_NOP) optlen = 1; else { + if (cnt < IPOPT_OLEN + sizeof(*cp)) + goto bad; optlen = cp[IPOPT_OLEN]; - if (optlen <= IPOPT_OLEN || optlen > cnt) + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) goto bad; } switch (opt) { -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOWuYHFUuHi5z0oilAQEp+wP/bK5jRQXK/d3sQw9cph/usAbiYUD6Ux3l MIo1R1ZPWnIE20Hx334hvr3u5AUnbtjkFg+86WZcpv5bgWjKS2VLyV4UjJIMMOQr sSDXta5X4XRO0aXv1Td/Jlkoh2UcoayhKssYa3LLwgcYq++BBGrwbJM+ShUGmllS qQ86FwHKdow= =5Ksz -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 11 15: 2:40 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 4D26637B8FC; Tue, 11 Jul 2000 15:02:20 -0700 (PDT) From: FreeBSD Security Advisories Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:31.canna [REVISED] Reply-To: security-advisories@freebsd.org 
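Review bot: In the ip_icmp.c hunk at @@ -662,8 +662,11 @@, both new tests compare against `IPOPT_OLEN + sizeof(*cp)`, which has type size_t, so if `cnt` or `len` is a signed int (the removed `len <= 0` suggests it is; the declarations are outside the hunk) the comparison is done unsigned and a negative value would not be caught by the lower-bound test. Cast the right-hand side to int or compare against a named integer constant for the minimum option length. Separately, this path uses `break`, which silently stops option processing on a malformed option, while ip_input.c and ip_output.c `goto bad`; a one-line comment saying that the difference is intended would help.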
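Review bot: In the ip_input.c hunk at @@ -1067,8 +1067,12 @@, the new `cnt < IPOPT_OLEN + sizeof(*cp)` branch sets `code = &cp[IPOPT_OLEN] - (u_char *)ip`, but in exactly that case `cp[IPOPT_OLEN]` is not inside the remaining options, so the recorded offset points one octet past the data that was actually received as options. If `code` is later reported to the sender as the position of the error (its use is outside the hunk), point it at the option type octet, `&cp[IPOPT_OPTVAL]`, for this branch. The branch also duplicates the two-line error path of the `optlen` test that follows it; a shared label or a single combined condition would keep the two from drifting apart.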
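Review bot: The `optlen < IPOPT_OFFSET + sizeof(*cp)` guard in the ip_input.c hunk at @@ -1174,6 +1178,10 @@ is visible only under `case IPOPT_RR:`, while the advisory's workaround names four pointer-carrying options (rr, ts, ssrr, lsrr). Please confirm that every other case that reads `cp[IPOPT_OFFSET]` already has an equivalent guard, or hoist this check so it runs once for all of them before the switch dispatches. A comment stating that the guard exists so the pointer octet is never read from outside the option would document why it precedes the `IPOPT_MINOFF` test.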
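Review bot: In the ip_output.c hunk at @@ -1302,8 +1302,10 @@, the rewritten test `optlen < IPOPT_OLEN + sizeof(*cp)` rejects the same values as the old `optlen <= IPOPT_OLEN` whenever `*cp` is one octet, so the only behavioural change here is the added `cnt` check before `cp[IPOPT_OLEN]` is read; the commit message or a comment should say so, otherwise the second changed line looks like a separate fix. Since the expression `IPOPT_OLEN + sizeof(*cp)` now appears in ip_icmp.c, ip_input.c and ip_output.c, define it once as a named minimum option length and use that in all three places.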
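The bounds checks that the FreeBSD-SA-00:23 Problem Description and patch describe, written out as an added user-space example (it is not FreeBSD kernel code and not part of the advisory). The names `ipopt_scan`, `scan_result`, `OPT_*`, `SEEN_*` and the sample byte arrays are invented for this illustration; the pointer checks on LSRR, SSRR and TS follow RFC 791 and go beyond the single RR check visible in the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 option types and field indexes from RFC 791. The OPT_* names are
 * local to this example; they mirror the IPOPT_* macros in the patch. */
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_RR = 7, OPT_TS = 68,
       OPT_LSRR = 131, OPT_SSRR = 137 };
#define OPT_OLEN      1u  /* index of the length octet        */
#define OPT_OFFSET    2u  /* index of the pointer octet       */
#define OPT_MINOFF    4   /* smallest legal route pointer     */
#define OPT_TS_MINOFF 5   /* smallest legal timestamp pointer */

/* One bit per option type named in the advisory's four ipfw rules. */
enum { SEEN_RR = 1, SEEN_TS = 2, SEEN_SSRR = 4, SEEN_LSRR = 8 };

struct scan_result {
    int      ok;       /* 1 if every option is well-formed        */
    unsigned seen;     /* SEEN_* bits for the options encountered */
    size_t   bad_off;  /* offset of the offending octet when !ok  */
};

static struct scan_result scan_fail(struct scan_result r, size_t off)
{
    r.ok = 0;
    r.bad_off = off;
    return r;
}

/* Walk an options area of `len` octets without ever reading past it. */
struct scan_result ipopt_scan(const uint8_t *opts, size_t len)
{
    struct scan_result r = { 1, 0, 0 };
    size_t i = 0;

    while (i < len) {
        size_t cnt = len - i;        /* octets left, this one included */
        size_t optlen;
        unsigned bit = 0;
        int minoff = 0;

        if (opts[i] == OPT_EOL)
            break;
        if (opts[i] == OPT_NOP) {
            i++;
            continue;
        }
        /* The length octet must be inside the buffer before it is read. */
        if (cnt < OPT_OLEN + 1)
            return scan_fail(r, i + OPT_OLEN);
        optlen = opts[i + OPT_OLEN];
        /* Below 2 the option cannot hold type+length; above cnt it overruns. */
        if (optlen < OPT_OLEN + 1 || optlen > cnt)
            return scan_fail(r, i + OPT_OLEN);

        switch (opts[i]) {
        case OPT_RR:   bit = SEEN_RR;   minoff = OPT_MINOFF;    break;
        case OPT_LSRR: bit = SEEN_LSRR; minoff = OPT_MINOFF;    break;
        case OPT_SSRR: bit = SEEN_SSRR; minoff = OPT_MINOFF;    break;
        case OPT_TS:   bit = SEEN_TS;   minoff = OPT_TS_MINOFF; break;
        default:       break;        /* other options: length check only */
        }
        if (bit) {
            /* These options carry a pointer octet: it must lie inside the
             * option and must not point back into the option's own header. */
            if (optlen < OPT_OFFSET + 1 || opts[i + OPT_OFFSET] < minoff)
                return scan_fail(r, i + OPT_OFFSET);
            r.seen |= bit;
        }
        i += optlen;
    }
    return r;
}

/* Constructed option areas for illustration, not captured traffic. */
static const uint8_t SAMPLE_OK[]       = { 1, 7, 7, 4, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t SAMPLE_TWO[]      = { 131, 7, 4, 192, 0, 2, 1,
                                           68, 8, 5, 0, 0, 0, 0, 0, 0 };
static const uint8_t SAMPLE_NO_LEN[]   = { 1, 1, 1, 7 };    /* type octet is last */
static const uint8_t SAMPLE_LEN_ONE[]  = { 68, 1, 0, 0 };   /* passes `len <= 0` */
static const uint8_t SAMPLE_OVERRUN[]  = { 131, 11, 4, 0 }; /* length > remaining */
static const uint8_t SAMPLE_RR_SHORT[] = { 7, 2, 0, 0 };    /* no pointer octet */
static const uint8_t SAMPLE_RR_LOWPTR[] = { 7, 7, 3, 0, 0, 0, 0, 0 };

int main(void)
{
    struct scan_result a = ipopt_scan(SAMPLE_TWO, sizeof SAMPLE_TWO);
    struct scan_result b = ipopt_scan(SAMPLE_LEN_ONE, sizeof SAMPLE_LEN_ONE);

    printf("two options: ok=%d seen=0x%x\n", a.ok, a.seen);
    printf("length one:  ok=%d bad_off=%zu\n", b.ok, b.bad_off);
    return 0;
}
```

A non-zero `seen` on a well-formed options area marks a packet that the advisory's ipfw rules would deny and log, which, as the advisory notes, is not by itself evidence of an attack.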
From: FreeBSD Security Advisories Message-Id: <20000711220220.4D26637B8FC@hub.freebsd.org> Date: Tue, 11 Jul 2000 15:02:20 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:31                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Canna port contains remote vulnerability [REVISED]

Category:       ports
Module:         Canna
Announced:      2000-07-05
Revised:        2000-07-11
Affects:        Ports collection.
Corrected:      2000-06-29
Credits:        Shadow Penguin Security
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

Canna is a Kana-Kanji conversion server.

II.  Problem Description

The Canna server contains an overflowable buffer which may be
exploited by a remote user to execute arbitrary code on the local
system as user 'bin'.

The Canna port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3500 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 3.5 contains this
vulnerability since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Remote users can run arbitrary code as user 'bin' on the local system.
Depending on the local system configuration, the attacker may be able
to upgrade privileges further by exploiting local vulnerabilities.

If you have not chosen to install the Canna port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

One of the following:

1) Deinstall the Canna port/package, if you have installed it.

2) Consider limiting remote access to the Canna server using ipfw(8)
or ipf(8).

3) Create a /etc/hosts.canna file on the Canna server and list the
hosts which you wish to allow access to the Canna server.

For example, if you want to allow access via localhost only, include
the following in your /etc/hosts.canna file:

  localhost unix

If you want to allow access via localhost and some-other-host.com,
which has IP address x.y.z.w, include the following:

  localhost unix x.y.z.w

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the Canna port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/japanese/ja-Canna-3.2.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/japanese/ja-Canna-3.2.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/japanese/ja-Canna-3.2.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/japanese/ja-Canna-3.2.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/japanese/ja-Canna-3.2.2.tgz

Note: it may be several days before updated packages are available.

3) download a new port skeleton for the Canna port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

VI.  Revision History

v1.0  2000-07-05  Initial release
v1.1  2000-07-11  Add additional access-control method submitted by
                  KOJIMA Hajime
                  Correct package URL.
                  Update size of ports collection.

-----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOWuZD1UuHi5z0oilAQEAOgP9FFIPBLNxpRkRC4lQqNHDcBQ/7EOapw1p YstPyT2sJkykj66QtS4CC5Wd4r7qy4EPQodAqYFgQqMRNyZX3PNzuoRTB+CNzE3f bV1bQq75FTpWBlDhD1LMxSjywgENeBUkuq214diIzUJMBucOa9caFDZ5K+22WquR S5O/SGoqI/A= =dynV -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 11 15: 5:42 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 8BC5137C225; Tue, 11 Jul 2000 15:05:26 -0700 (PDT) From: FreeBSD Security Advisories Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:29.wu-ftpd [REVISED] Reply-To: security-advisories@freebsd.org 
From: FreeBSD Security Advisories Message-Id: <20000711220526.8BC5137C225@hub.freebsd.org> Date: Tue, 11 Jul 2000 15:05:26 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:29                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          wu-ftpd port contains remote root compromise [REVISED]

Category:       ports
Module:         wu-ftpd
Announced:      2000-07-05
Revised:        2000-07-11
Credits:        tf8
Affects:        Ports collection.
Corrected:      2000-06-24
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

wu-ftpd is a popular FTP server.

II.  Problem Description

The wu-ftpd port, versions 2.6.0 and below, contains a vulnerability
which allows FTP users, both anonymous FTP users and those with a
valid account, to execute arbitrary code as root on the local machine,
by inserting string-formatting operators into command input, which are
incorrectly parsed by the FTP server.

The wu-ftpd port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3500 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5 and 4.0 contain
this problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

FTP users, including anonymous FTP users, can cause arbitrary commands
to be executed as root on the local machine.

If you have not chosen to install the wu-ftpd port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the wu-ftpd port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the wu-ftpd port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/wu-ftpd-2.6.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/wu-ftpd-2.6.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/wu-ftpd-2.6.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/wu-ftpd-2.6.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/wu-ftpd-2.6.0.tgz

NOTE: It may be several days before updated packages are available. Be
sure to check the file creation date on the package, because the
version number of the software has not changed.

3) download a new port skeleton for the wu-ftpd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

VI.  Revision History

v1.0  2000-07-05  Initial release
v1.1  2000-07-11  Clarify that vulnerability affects all FTP users, not
                  just anonymous FTP. Correct URL of package. Update
                  size of ports collection.

-----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOWuZzVUuHi5z0oilAQH+bgQAhpYzJ0xiU787xQFr/YnOJHe0k/CJiDOU yrfyvGq4Grl4F/czojsyRTd5DwQzBKqIYm1H/z73gxI6nbEe0KaP+omfpzaAy7iK pLyQJ5qbjQLuc54ed+gV1+lH84QkuMHzUygj5iqvjn91uAA5nMKEMnGbESZz3J4J NjYmA1EfXbI= =T7IG -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 11 15:48:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from neptun.rz.uni-duesseldorf.de (sirene.rz.uni-duesseldorf.de [134.99.128.2]) by hub.freebsd.org (Postfix) with ESMTP id 422C937B74E for ; Tue, 11 Jul 2000 15:48:15 -0700 (PDT) (envelope-from ponomare@uni-duesseldorf.de) Received: from ponomare.krion (pc.unistrasse-1.uni-duesseldorf.de [134.99.26.17]) by neptun.rz.uni-duesseldorf.de (Sun Internet Mail Server sims.4.0.1999.06.13.00.20) with SMTP id <0FXK00MGU20D2L@neptun.rz.uni-duesseldorf.de> for security@FreeBSD.org; Wed, 12 Jul 2000 00:48:13 +0200 (MET DST) Date: Wed, 12 Jul 2000 00:46:46 +0200 
From: Kirill Ponomarew Subject: re: FreeBSD Ports Security Advisory: FreeBSD-SA-00:23.ip-options [REVISED] To: security@FreeBSD.org Reply-To: ponomare@uni-duesseldorf.de Message-id: <00071200504500.01431@ponomare.krion> MIME-version: 1.0 X-Mailer: KMail [version 1.0.28] Content-type: text/plain Content-transfer-encoding: 7BIT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

I have FreeBSD4.0 -STABLE I downloaded this patch and installed it then I had to recompile the kernel:

bash# make
cc -c -O -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ansi -nostdinc -I- -I. -I../.. -I../../../include -D_KERNEL -include opt_global.h -elf -mpreferred-stack-boundary=2 ../../netinet/ip_icmp.c
cc -c -O -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ansi -nostdinc -I- -I. -I../.. -I../../../include -D_KERNEL -include opt_global.h -elf -mpreferred-stack-boundary=2 ../../netinet/ip_input.c
../../netinet/ip_input.c: In function `ip_input':
../../netinet/ip_input.c:665: warning: assignment from incompatible pointer type
cc -c -O -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ansi -nostdinc -I- -I. -I../.. -I../../../include -D_KERNEL -include opt_global.h -elf -mpreferred-stack-boundary=2 ../../netinet/ip_output.c
cc -c -O -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ansi -nostdinc -I- -I. -I../.. -I../../../include -D_KERNEL -include opt_global.h -elf -mpreferred-stack-boundary=2 setdef0.c
cc -c -O -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ansi -nostdinc -I- -I. -I../.. -I../../../include -D_KERNEL -include opt_global.h -elf -mpreferred-stack-boundary=2 param.c
param.c:114: `SHMMAXPGS' undeclared here (not in a function)
param.c:114: initializer element is not constant
param.c:114: (near initialization for `shminfo.shmmax')
param.c:118: `SHMMAXPGS' undeclared here (not in a function)
param.c:119: initializer element is not constant
param.c:119: (near initialization for `shminfo.shmall')
*** Error code 1

I got it in 3 seconds after make any suggestions ?

--
Kirill Ponomarew

-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use MessageID: W6Ud0DWMMVGGnGkcImq0HLxyYu012Ika iQA/AwUBOWukybSU3AmMQCDLEQKIRwCgoT2L/lk50Fy1VtJrfh+1vJnhEZoAnjE0 CFbzVQQZSVMvkTb/+Zxrm32p =vwwn -----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 11 17:38:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id 8211537B903 for ; Tue, 11 Jul 2000 17:38:33 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 98145 invoked by uid 1000); 12 Jul 2000 00:38:32 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 12 Jul 2000 00:38:32 -0000 Date: Tue, 11 Jul 2000 19:38:32 -0500 (CDT) 
From: Mike Silbersack To: Jacob Zehnder Cc: security@freebsd.org Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box In-Reply-To: <20000711131734.A89231@cnmnetwork.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 11 Jul 2000, Jacob Zehnder wrote: > Brett, > > You should check out Putty. > http://www.chiark.greenend.org.uk/~sgtatham/putty/ > > It does telnet/ssh/scp for win32, provides source code, and of course is free. > > -jrz And for the next few months at least, it's technically illegal for those of us in the US to use. I really hope the author updates it to use the OpenSSH code so that it can also support SSHv2 connections; it appears to be quite a nice terminal emulator. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 11 20:20:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id BD04B37BB64; Tue, 11 Jul 2000 20:20:24 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id UAA40231; Tue, 11 Jul 2000 20:20:23 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Tue, 11 Jul 2000 20:20:23 -0700 (PDT) 
From: Kris Kennaway To: Kirill Ponomarew Cc: security@FreeBSD.org Subject: re: FreeBSD Ports Security Advisory: FreeBSD-SA-00:23.ip-options [REVISED] In-Reply-To: <00071200504500.01431@ponomare.krion> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 12 Jul 2000, Kirill Ponomarew wrote: > param.c:114: `SHMMAXPGS' undeclared here (not in a function) > param.c:114: initializer element is not constant > param.c:114: (near initialization for `shminfo.shmmax') > param.c:118: `SHMMAXPGS' undeclared here (not in a function) > param.c:119: initializer element is not constant > param.c:119: (near initialization for `shminfo.shmall') Use config -r, then make depend and make all again. If it still fails, chances are you have out of sync sources. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 11 23:38:26 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rdc1.sdca.home.com (ha1.rdc1.sdca.home.com [24.0.3.66]) by hub.freebsd.org (Postfix) with ESMTP id B503B37BA01 for ; Tue, 11 Jul 2000 23:38:23 -0700 (PDT) (envelope-from larry@home.com) Received: from cx408168-b.escnd1.sdca.home.com ([24.20.227.61]) by mail.rdc1.sdca.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20000712063823.SLSW11127.mail.rdc1.sdca.home.com@cx408168-b.escnd1.sdca.home.com>; Tue, 11 Jul 2000 23:38:23 -0700 Date: Tue, 11 Jul 2000 23:39:16 -0700 (PDT) 
From: Lawrence Sica X-Sender: larry@cx408168-b.escnd1.sdca.home.com To: Alex Kapranoff Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box In-Reply-To: <20000711161755.A1895@kapran.bitmcnit.bryansk.su> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 11 Jul 2000, Alex Kapranoff wrote: > On Tue, Jul 11, 2000 at 12:25:53AM -0600, Brett Glass wrote: > > > I need to come in from some Windows workstations, and have tried Igaly > > SSH and Tera Term with the SSH module. (The latter has MUCH better terminal > > emulation than the former.) Neither can get through; I get lots of console > > error messages but no successful login. Making Blowfish the preferred > > cipher doesn't seem to help. What is the error? Are you sure sshd is running (sorry have to ask). > > > > --Brett > > There's a wonderful telnet/ssh client for Win32 at > ftp://dbserv.stu.lipetsk.su/pub/telneat/ > > It's a Win32 console app, has convenient Alt-F? vtys, Scroll Lock > history and mouse as well as keyboard driven Select&Paste. > > It is unique due to the fact that it interprets termcap files to > emulate terminals properly. If server and client termcap are the same, > then (as you can imagine) emulation is exactly perfect no matter what > terminal type you selected. > > I use it all the time to reach FreeBSD 4.0-RELEASE and OpenBSD 2.6 > boxen via ssh v1 (3des). > > Config file comments are in Russian, unfortunately. Author's email is: > telneat@stu.lipetsk.su (that's not me). > > > At 10:53 PM 7/10/2000, Dave wrote: > > > > >What clients are you using? You might want to add the blowfish cypher to > > >them. > > -- > Alex Kapranoff, > 2:50/383.20@fidonet, > Voice: +7(0832)791845. 
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > Lawrence Sica lsica1@home.com larry@interactivate.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 12 8:50:49 2000 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 5A4D437B809; Wed, 12 Jul 2000 08:50:47 -0700 (PDT) (envelope-from jeff@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id KAA16421; Wed, 12 Jul 2000 10:50:47 -0500 (CDT) (envelope-from jeff@mountin.net) Received: from dial-96.max1.wa.cyberlynk.net(207.227.118.96) by peak.mountin.net via smap (V1.3) id sma016419; Wed Jul 12 10:50:28 2000 Message-Id: <4.3.2.20000712104239.00c7dba0@mixcom.com> X-Sender: jeffm@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Version 4.3 Date: Wed, 12 Jul 2000 10:49:48 -0500 To: security@FreeBSD.ORG, security-officer@FreeBSD.ORG From: "Jeffrey J. Mountin" Subject: Security Advisories Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Did something change... Something I just realized: From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:20.krb5 Reply-To: security-officer@FreeBSD.ORG 
From: FreeBSD Security Officer Message-Id: <20000526174039.514AE37BF77@hub.freebsd.org> Date: Fri, 26 May 2000 10:40:39 -0700 (PDT) Sender: owner-freebsd-announce@FreeBSD.ORG This was the last advisory to be sent to the announce list, which I thought was supposed to receive SA messages. Oversight? Figure this was worth mention due to the number of them in recent history and the fact that there must be people wanting them, but are not subscribed to the security list. Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 12 10: 1:29 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 9CAF737B5EB for ; Wed, 12 Jul 2000 10:01:25 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id LAA13304; Wed, 12 Jul 2000 11:00:42 -0600 (MDT) Message-Id: <4.3.2.7.2.20000712105913.04bc2f00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 12 Jul 2000 11:00:37 -0600 To: Lawrence Sica , Alex Kapranoff 
From: Brett Glass Subject: Re: OpenSSH in 4.0 doesn't seem to work out of the box Cc: security@FreeBSD.ORG In-Reply-To: References: <20000711161755.A1895@kapran.bitmcnit.bryansk.su> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 12:39 AM 7/12/2000, Lawrence Sica wrote: >What is the error? Are you sure sshd is running (sorry have to ask). sshd complains that it can't find library routines it needs, and suggests installing RSAREF. But RSAREF is already installed on the system. If it were not running, I doubt it could generate an error message. ;-) --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 12 13:41:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from camus.cybercable.fr (camus.cybercable.fr [212.198.0.200]) by hub.freebsd.org (Postfix) with SMTP id 20DBC37BF02 for ; Wed, 12 Jul 2000 13:41:47 -0700 (PDT) (envelope-from obsidian@cybercable.fr) Received: (qmail 13472515 invoked from network); 12 Jul 2000 20:41:45 -0000 Received: from r223m148.cybercable.tm.fr (HELO cybercable.fr) ([195.132.223.148]) (envelope-sender ) by camus.cybercable.fr (qmail-ldap-1.03) with SMTP for ; 12 Jul 2000 20:41:45 -0000 Message-ID: <396CD8A5.D91C53F@cybercable.fr> Date: Wed, 12 Jul 2000 22:44:21 +0200 
From: Saad KADHI Organization: SOFTWAY X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16 i686) X-Accept-Language: en MIME-Version: 1.0 To: Kartic Krishnamurthy Cc: FreeBSD Q , FreeBSD Secu Subject: Re: OpenSSH 2.1.1 Port broken? References: <004e01bfeb4d$6112e2a0$0445a8c0@private.solutionsforyou.com> <396B7457.36ACEE6D@cybercable.fr> <000901bfeb78$23e3d580$0445a8c0@private.solutionsforyou.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi Kartic, > Yes, I tried --with-ssl-dir (Openssh-1.2.2 found my distribution without this problem but not so with Openssh 2.1.1). And I _did_ > read the install notes at openssh.com, which is very much contrary to your assumption that I did not! You are completely right. I've tried it myself today and I didn't succeed (shame on me :-) sorry for the RTFM but NOM). I really tried virtually everything: installing the original Openssl stuff, installing the ports, giving to $ssldir all possible paths in the original openssh code ... > Anyway, any ideas why the FreeBSD port is not "make"ing? It seems to be a common problem with the port as per the archives, there > are no conclusive solutions. What I think happens is that : 1-in the openssh port, the patches don't patch a single thing. Try again (after removing the work/.*_done files) and you'll notice that after the extract message, it tries to apply the patches and then spat at you that it cannot find sth to patch anywhere 2-due to 1, it is like if you are trying to build the original openssh source code since it didn't get patched. I get the same messages from the original openssh source code (after some hack to make it believe that openssl has been found on the sys). Someone suggested on previous postings to get the ports/Mk files (current) but it didn't make it better. I also updated ALL the ports dir to current (including Openssl, OpenSSH ..) 
but I got the same darned weirdo messages. So : 1-rather the port will be fixed by the maintainer or one of the tribe 2-or we'll stick with 1.2.2 for a moment. Regards. > Thanks > --Kartic > > > Please get a look at the documentation before posting a question. If you looked @ www.openssh.com, they have installation > instructions > > for the portable OpenSSH (which is the one who will run on non-OpenBSD boxes) here: > > http://www.openssh.com/install.html -- Saad KADHI -- Security Consultant --------------------------------- "Given enough eyeballs, all bugs are shallow" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 12 14:42:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 826C837C2BB; Wed, 12 Jul 2000 14:42:16 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA11271; Wed, 12 Jul 2000 14:42:16 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Wed, 12 Jul 2000 14:42:16 -0700 (PDT) From: Kris Kennaway To: "Jeffrey J. Mountin" Cc: security@FreeBSD.ORG, security-officer@FreeBSD.ORG Subject: Re: Security Advisories In-Reply-To: <4.3.2.20000712104239.00c7dba0@mixcom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 12 Jul 2000, Jeffrey J. Mountin wrote: > From: FreeBSD Security Officer > Subject: FreeBSD Security Advisory: FreeBSD-SA-00:20.krb5 > Reply-To: security-officer@FreeBSD.ORG 
> From: FreeBSD Security Officer > Message-Id: <20000526174039.514AE37BF77@hub.freebsd.org> > Date: Fri, 26 May 2000 10:40:39 -0700 (PDT) > Sender: owner-freebsd-announce@FreeBSD.ORG > > This was the last advisory to be sent to the announce list, which I thought > was supposed to receive SA messages. Oversight? Hmm. This may have been about the time we changed to sending them from "security-advisories@FreeBSD.org" to avoid bounce spam ending up in the security-officer mailing list. Probably security-advisories doesn't have posting permission to announce - good catch. Thanks! Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 12 15:37:18 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id DF4DF37C359; Wed, 12 Jul 2000 15:36:59 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id PAA18508; Wed, 12 Jul 2000 15:36:59 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Date: Wed, 12 Jul 2000 15:36:59 -0700 (PDT) Message-Id: <200007122236.PAA18508@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f From: FreeBSD Security Advisories Subject: FreeBSD Security Advisory: FreeBSD-SA-00:33.kerberosIV Reply-To: security-advisories@freebsd.org 
From: FreeBSD Security Advisories Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:33 Security Advisory FreeBSD, Inc. Topic: kerberosIV distribution contains multiple vulnerabilities under FreeBSD 3.x Category: core Module: kerberosIV Announced: 2000-07-12 Credits: Assar Westerlund Affects: FreeBSD 3.x systems prior to the correction date Corrected: 2000-07-06 FreeBSD only: NO I. Background KTH Kerberos is an implementation of the Kerberos 4 protocol which is distributed as an optional component of the base system. II. Problem Description Vulnerabilities in the MIT Kerberos 5 port were the subject of an earlier FreeBSD Security Advisory (SA-00:20). At the time it was believed that the implementation of Kerberos distributed with FreeBSD was not vulnerable to these problems, but it was later discovered that FreeBSD 3.x contained an older version of KTH Kerberos 4 which is in fact vulnerable to at least some of these vulnerabilities. FreeBSD 4.0-RELEASE and later are unaffected by this problem, although FreeBSD 3.5-RELEASE is vulnerable. The exact extent of the vulnerabilities are not known, but are likely to include local root vulnerabilities on both Kerberos clients and servers, and remote root vulnerabilities on Kerberos servers. For the client vulnerabilities, it is not necessary that Kerberos client functionality be actually configured, merely that the binaries be present on the system. III. Impact Local or remote users can obtain root access on the system running Kerberos, whether as client or server. If you have not chosen to install the KerberosIV distribution on your FreeBSD 3.x system, then your system is not vulnerable to this problem. IV. Workaround Due to the nature of the vulnerability there are several programs and network services which are affected. 
The following libraries and utilities are installed by the KerberosIV distribution and must be removed or replaced with non-Kerberos versions to disable all Kerberos-related code. bin/rcp (*) sbin/dump (*) sbin/restore (*) usr/bin/kadmin usr/bin/kauth usr/bin/kdestroy usr/bin/kinit usr/bin/klist usr/bin/ksrvtgt usr/bin/telnet (*) usr/bin/cvs (*) usr/bin/passwd (*) usr/bin/rlogin (*) usr/bin/rsh (*) usr/bin/su (*) usr/lib/libacl.a usr/lib/libacl_p.a usr/lib/libacl.so.3 usr/lib/libacl.so usr/lib/libkadm.a usr/lib/libkadm_p.a usr/lib/libkadm.so.3 usr/lib/libkadm.so usr/lib/libkafs.a usr/lib/libkafs_p.a usr/lib/libkafs.so.3 usr/lib/libkafs.so usr/lib/libkdb.a usr/lib/libkdb_p.a usr/lib/libkdb.so.3 usr/lib/libkdb.so usr/lib/libkrb.a usr/lib/libkrb_p.a usr/lib/libkrb.so.3 usr/lib/libkrb.so usr/lib/libtelnet.a usr/lib/libtelnet_p.a usr/libexec/kauthd usr/libexec/kipd usr/libexec/kpropd usr/libexec/telnetd (*) usr/libexec/rlogind (*) usr/libexec/rshd (*) usr/sbin/ext_srvtab usr/sbin/kadmind usr/sbin/kdb_destroy usr/sbin/kdb_edit usr/sbin/kdb_init usr/sbin/kdb_util usr/sbin/kerberos usr/sbin/kip usr/sbin/kprop usr/sbin/ksrvutil usr/sbin/kstash The files marked with a "(*)" are part of the base FreeBSD system when the Kerberos distribution is not installed, and are replaced when Kerberos is installed. Therefore you will need to replace them with non-Kerberos versions from another system, or perform a recompilation or reinstallation of FreeBSD after removal, if you wish to continue to use them. If you have chosen to install any ports with Kerberos support, such as the security/ssh port, then you should also remove, or recompile these with support disabled. As an interim measure, access control measures (either a perimeter firewall, or a local firewall on the affected machine - see the ipfw(8) manpage for more information) can be used to prevent remote systems from connecting to Kerberos services on a vulnerable Kerberos server. V. 
Solution Upgrade your vulnerable FreeBSD 3.x system to a version of FreeBSD dated after the correction date (FreeBSD 3.5-STABLE dated after the correction date, 4.0-RELEASE or 4.0-STABLE). See http://www.freebsd.org/handbook/makeworld.html for more information about upgrading FreeBSD from source. Be sure to install the Kerberos code when performing an upgrade (whether by source or by a binary upgrade) to ensure that the old binaries are no longer present on the system. See the note in section IV. above about recompiling ports which were compiled with Kerberos support. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOWzyeVUuHi5z0oilAQFJEwP/ZaecQhuSYfdR4ckwsDtGF86AvmRuqkTo 8A55zz2DeBUPKAVrvJAEuzM15zEL4+w+dofCep9gMAPWlgpNoNHRs4H3BLUjMiXc UpFgKDYtY/gwYXZKOLVbe4as++G2Polk+oQXrRItV1LGKbjrtjuozPRGmkwCYwOk /rUWX1tCNLI= =ysen -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 12 22:14:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.godsey.net (supernal.godsey.net [206.129.156.33]) by hub.freebsd.org (Postfix) with ESMTP id 2612837C1A7; Wed, 12 Jul 2000 22:14:02 -0700 (PDT) (envelope-from godsey@godsey.net) Received: from harmony.godsey.net (godsey@harmony.godsey.net [206.129.159.1]) by mail.godsey.net (8.10.0/8.10.0) with ESMTP id e6D5E1O70706; Wed, 12 Jul 2000 22:14:01 -0700 (PDT) Date: Wed, 12 Jul 2000 22:14:01 -0700 (PDT) 
From: Jason Godsey To: FreeBSD Security Advisories Cc: security@freebsd.org Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-00:23.ip-options [REVISED] In-Reply-To: <20000711215800.233B237B944@hub.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This doesn't look to fit the subject: FreeBSD Ports I have a filter that looks for FreeBSD and pages me, it however skips port advisories since I don't use any ports. Thanks! On Tue, 11 Jul 2000, FreeBSD Security Advisories wrote: > Date: Tue, 11 Jul 2000 14:58:00 -0700 
> From: FreeBSD Security Advisories > To: BUGTRAQ@SECURITYFOCUS.COM > Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:23.ip-options > [REVISED] > > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================= > FreeBSD-SA-00:23 Security Advisory > FreeBSD, Inc. > > Topic: Remote denial-of-service in IP stack [REVISED] > > Category: core > Module: kernel > Announced: 2000-06-19 > Revised: 2000-07-11 > Affects: FreeBSD systems prior to the correction date > Credits: NetBSD Security Advisory 2000-002, and > Jun-ichiro itojun Hagino > Corrected: (Several bugs fixed, the date below is that of the most > recent fix) > 2000-06-08 (3.4-STABLE) > 2000-06-08 (4.0-STABLE) > 2000-06-02 (5.0-CURRENT) > FreeBSD only: NO > > I. Background > > II. Problem Description > > There are several bugs in the processing of IP options in the FreeBSD > IP stack, which fail to correctly bounds-check arguments and contain > other coding errors leading to the possibility of data corruption and > a kernel panic upon reception of certain invalid IP packets. > > This set of bugs includes the instance of the vulnerability described > in NetBSD Security Advisory 2000-002 (see > ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-002.txt.asc) > as well as other bugs with similar effect. > > III. Impact > > Remote users can cause a FreeBSD system to panic and reboot. > > IV. Workaround > > Incoming packets containing IP Options can be blocked at a perimeter > firewall or on the local system, using ipfw(8) (ipf(8) is also capable > of blocking packets with IP Options, but is not described here). 
> > The following ipfw rules are believed to prevent the denial-of-service > attack (replace the rule numbers '100'-'103' with whichever rule > numbers are appropriate for your local firewall, if you are already > using ipfw): > > ipfw add 100 deny log ip from any to any ipopt rr > ipfw add 101 deny log ip from any to any ipopt ts > ipfw add 102 deny log ip from any to any ipopt ssrr > ipfw add 103 deny log ip from any to any ipopt lsrr > > Note that there are legitimate uses for IP options, although they are > not believed to be in common use, and blocking them should not cause > any problems. Therefore the log entries generated by these ipfw rules > will not necessarily be evidence of an attempted attack. Furthermore, > the packets may be spoofed and have falsified source addresses. > > V. Solution > > One of the following: > > 1) Upgrade your FreeBSD system to 3.4-STABLE, 4.0-STABLE or > 5.0-CURRENT after the respective correction dates. > > 2) Apply the patch below and recompile your kernel. > > Either save this advisory to a file, or download the patch and > detached PGP signature from the following locations, and verify the > signature using your PGP utility. > > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff.asc > > # cd /usr/src/sys/netinet > # patch -p < /path/to/patch_or_advisory > > [ Recompile your kernel as described in > http://www.freebsd.org/handbook/kernelconfig.html and reboot the > system ] > > VI. Revision History > > v1.0 2000-06-19 Initial release > v1.1 2000-07-11 Note workaround using ipfw. > > Index: ip_icmp.c > =================================================================== > RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v > retrieving revision 1.39 > diff -u -r1.39 ip_icmp.c > --- ip_icmp.c 2000/01/28 06:13:09 1.39 > +++ ip_icmp.c 2000/06/08 15:26:39 
> @@ -662,8 +662,11 @@ > if (opt == IPOPT_NOP) > len = 1; > else { > + if (cnt < IPOPT_OLEN + sizeof(*cp)) > + break; > len = cp[IPOPT_OLEN]; > - if (len <= 0 || len > cnt) > + if (len < IPOPT_OLEN + sizeof(*cp) || > + len > cnt) > break; > } > /* > Index: ip_input.c > =================================================================== > RCS file: /ncvs/src/sys/netinet/ip_input.c,v > retrieving revision 1.130 > diff -u -r1.130 ip_input.c > --- ip_input.c 2000/02/23 20:11:57 1.130 > +++ ip_input.c 2000/06/08 15:25:46 > @@ -1067,8 +1067,12 @@ > if (opt == IPOPT_NOP) > optlen = 1; > else { > + if (cnt < IPOPT_OLEN + sizeof(*cp)) { > + code = &cp[IPOPT_OLEN] - (u_char *)ip; > + goto bad; > + } > optlen = cp[IPOPT_OLEN]; > - if (optlen <= 0 || optlen > cnt) { > + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) { > code = &cp[IPOPT_OLEN] - (u_char *)ip; > goto bad; > } > @@ -1174,6 +1178,10 @@ > break; > > case IPOPT_RR: > + if (optlen < IPOPT_OFFSET + sizeof(*cp)) { > + code = &cp[IPOPT_OFFSET] - (u_char *)ip; > + goto bad; > + } > if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) { > code = &cp[IPOPT_OFFSET] - (u_char *)ip; > goto bad; > Index: ip_output.c > =================================================================== > RCS file: /ncvs/src/sys/netinet/ip_output.c,v > retrieving revision 1.99 > diff -u -r1.99 ip_output.c > --- ip_output.c 2000/03/09 14:57:15 1.99 > +++ ip_output.c 2000/06/08 15:27:08 
> @@ -1302,8 +1302,10 @@ > if (opt == IPOPT_NOP) > optlen = 1; > else { > + if (cnt < IPOPT_OLEN + sizeof(*cp)) > + goto bad; > optlen = cp[IPOPT_OLEN]; > - if (optlen <= IPOPT_OLEN || optlen > cnt) > + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) > goto bad; > } > switch (opt) { > > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBOWuYHFUuHi5z0oilAQEp+wP/bK5jRQXK/d3sQw9cph/usAbiYUD6Ux3l > MIo1R1ZPWnIE20Hx334hvr3u5AUnbtjkFg+86WZcpv5bgWjKS2VLyV4UjJIMMOQr > sSDXta5X4XRO0aXv1Td/Jlkoh2UcoayhKssYa3LLwgcYq++BBGrwbJM+ShUGmllS > qQ86FwHKdow= > =5Ksz > -----END PGP SIGNATURE----- > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 12 22:41:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id D0B3A37B7EA; Wed, 12 Jul 2000 22:41:33 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id WAA74304; Wed, 12 Jul 2000 22:41:33 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Wed, 12 Jul 2000 22:41:33 -0700 (PDT) 
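Review bot: In the ip_icmp.c hunk (@@ -662,8 +662,11 @@), the bound IPOPT_OLEN + sizeof(*cp) has type size_t, so cnt and len are converted to unsigned for both new comparisons; if cnt is declared as a signed int (its declaration is outside the visible lines), a negative cnt would not trip the added 'cnt < IPOPT_OLEN + sizeof(*cp)' guard. Casting the bound to int, or defining it once as a named minimum option length, would keep the comparison signed and would also document that the bytes being required are the option type and length. The same expression recurs in the ip_input.c and ip_output.c hunks.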
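Review bot: In the first ip_input.c hunk (@@ -1067,8 +1067,12 @@), the added short-cnt branch repeats 'code = &cp[IPOPT_OLEN] - (u_char *)ip; goto bad;' word for word from the optlen branch below it, and in the new branch &cp[IPOPT_OLEN] is the address of a byte that the cnt test has just shown is not among the remaining option bytes. Only the address is taken, so nothing is read out of bounds, but a one-line comment saying that code deliberately points at the missing length byte would keep a later reader from changing it, and the two branches could share a single exit.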
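Review bot: In the second ip_input.c hunk (@@ -1174,6 +1178,10 @@), the optlen check before reading cp[IPOPT_OFFSET] is added under 'case IPOPT_RR:' only. The workaround in section IV blocks rr, ts, ssrr and lsrr, so the log message or a comment should say whether the other option cases that read cp[IPOPT_OFFSET] already carry the same check outside the lines shown here; if they do not, they need it too.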
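Review bot: In the ip_output.c hunk (@@ -1302,8 +1302,10 @@), the rewritten test 'optlen < IPOPT_OLEN + sizeof(*cp)' rejects the same values as the old 'optlen <= IPOPT_OLEN' whenever *cp is one byte wide, so the only behavioural change in this file is the added cnt guard. The log message should say so, since the other two files previously tested 'len <= 0' and 'optlen <= 0' and do change behaviour on that line.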
From: Kris Kennaway To: Jason Godsey Cc: FreeBSD Security Advisories , security@freebsd.org Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-00:23.ip-options [REVISED] In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 12 Jul 2000, Jason Godsey wrote: > This doesn't look to fit the subject: FreeBSD Ports Yes, it was a typo..I forgot to remove 'Ports' from the mail header from the previous advisory I sent out. > I have a filter that looks for FreeBSD and pages me, it however skips port > advisories since I don't use any ports. Thanks! You must have set that up quickly, since I only started doing that a few days ago :-) I'll try and be more vigilant in future, but I can't guarantee I won't slip up again. I suggest you don't autofilter them, but do it manually - it will only take a second to verify from the contents that it's a ports advisory. If you really must do this, I suggest you filter on "Category: ports" in the body, not the message header which is tacked on at the last step when I send the advisory out. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 1:53: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 5896437B57C; Thu, 13 Jul 2000 01:53:06 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id BAA14233; Thu, 13 Jul 2000 01:53:06 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 13 Jul 2000 01:53:06 -0700 (PDT) 
From: Kris Kennaway To: security@freebsd.org Subject: Security webpage updated with recent advisories Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi all, Just wanted to let you know that I've updated (finally) the list of security advisories on the FreeBSD website at http://www.freebsd.org/security.html up to the most recent, SA-00:33. Apologies for letting this lag behind the released advisories - we are working on improving the process by which advisories are shuffled around internally so hopefully this won't be such an issue in future. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 5:36:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from wasp.eng.ufl.edu (wasp.eng.ufl.edu [128.227.116.1]) by hub.freebsd.org (Postfix) with ESMTP id 1325937C429 for ; Thu, 13 Jul 2000 05:36:16 -0700 (PDT) (envelope-from bob@eng.ufl.edu) Received: from eng.ufl.edu (scanner.engnet.ufl.edu [128.227.152.221]) by wasp.eng.ufl.edu (8.9.3/8.9.3) with ESMTP id IAA26874 for ; Thu, 13 Jul 2000 08:36:13 -0400 (EDT) Message-ID: <396DB7BC.9CD4900B@eng.ufl.edu> Date: Thu, 13 Jul 2000 08:36:12 -0400 From: Bob Johnson Organization: University of Florida X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 3.4-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: Security Advisories Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org By an amazing coincidence (?), I planned to complain today that freebsd-security-notifications had not received any security alerts since May. They stopped at the same time. > Date: Wed, 12 Jul 2000 10:49:48 -0500 
> From: "Jeffrey J. Mountin" > Subject: Security Advisories > > Did something change... > > Something I just realized: > > From: FreeBSD Security Officer > Subject: FreeBSD Security Advisory: FreeBSD-SA-00:20.krb5 > Reply-To: security-officer@FreeBSD.ORG > From: FreeBSD Security Officer > Message-Id: <20000526174039.514AE37BF77@hub.freebsd.org> > Date: Fri, 26 May 2000 10:40:39 -0700 (PDT) > Sender: owner-freebsd-announce@FreeBSD.ORG > > > This was the last advisory to be sent to the announce list, which I thought > was supposed to receive SA messages. Oversight? > > Figure this was worth mention due to the number of them in recent history > and the fact that there must be people wanting them, but are not subscribed > to the security list. > > Jeff Mountin - jeff@mountin.net > Systems/Network Administrator > FreeBSD - the power to serve > -- ********************************************************* Bob Johnson Senior Systems Programmer bob@eng.ufl.edu College of Engineering 523 Weil Hall 352-392-9217 Office University of Florida 352-392-7063 Fax Gainesville, FL 32611 ********************************************************* To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 11:12:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 9C40E37BF6C for ; Thu, 13 Jul 2000 11:12:22 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA25834 for ; Thu, 13 Jul 2000 12:12:17 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713120631.04d53b60@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 12:12:11 -0600 To: security@FreeBSD.ORG 
From: Brett Glass Subject: Two kinds of advisories? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've recently added some of my clients to the Bugtraq mailing list, and whenever a message goes out with a subject like "FreeBSD Ports Security Advisory: ," they think it's a security hole in FreeBSD. Of course, WE know it's not, but they don't understand what "FreeBSD Ports" means and get the wrong idea. Any ideas about how to rephrase the subject lines so that people who see these messages will get the right idea without knowing what the Ports Collection is? Perhaps if the name "FreeBSD" didn't come first? --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 11:14:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 4715E37C50A for ; Thu, 13 Jul 2000 11:14:18 -0700 (PDT) (envelope-from danderse@cs.utah.edu) Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id MAA22497; Thu, 13 Jul 2000 12:14:09 -0600 (MDT) Message-Id: <200007131814.MAA22497@faith.cs.utah.edu> Subject: Re: Two kinds of advisories? To: brett@lariat.org (Brett Glass) Date: Thu, 13 Jul 2000 12:14:09 -0600 (MDT) Cc: security@FreeBSD.ORG In-Reply-To: <4.3.2.7.2.20000713120631.04d53b60@localhost> from "Brett Glass" at Jul 13, 2000 12:12:11 PM 
From: "David G. Andersen" X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org That's a matter of client education, and it's not going to be fixed by changing the subject. The subject of the matter is the FreeBSD ports collection. The disclaimer in the message is a pretty good place to start educating your clients. -Dave Lo and behold, Brett Glass once said: > > I've recently added some of my clients to the Bugtraq mailing list, and > whenever a message goes out with a subject like "FreeBSD Ports Security > Advisory: ," they think it's a security hole in FreeBSD. Of course, > WE know it's not, but they don't understand what "FreeBSD Ports" means and > get the wrong idea. Any ideas about how to rephrase the subject lines so > that people who see these messages will get the right idea without knowing > what the Ports Collection is? Perhaps if the name "FreeBSD" didn't come first? > > --Brett > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 11:21:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id C0F5A37B513 for ; Thu, 13 Jul 2000 11:21:19 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id OAA70778; Thu, 13 Jul 2000 14:21:09 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Thu, 13 Jul 2000 14:21:09 -0400 (EDT) 
From: Robert Watson X-Sender: robert@fledge.watson.org To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: <4.3.2.7.2.20000713120631.04d53b60@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Brett Glass wrote: > I've recently added some of my clients to the Bugtraq mailing list, and > whenever a message goes out with a subject like "FreeBSD Ports Security > Advisory: ," they think it's a security hole in FreeBSD. Of course, > WE know it's not, but they don't understand what "FreeBSD Ports" means and > get the wrong idea. Any ideas about how to rephrase the subject lines so > that people who see these messages will get the right idea without knowing > what the Ports Collection is? Perhaps if the name "FreeBSD" didn't come first? That was the whole point of putting "ports" in there in the first place, a relatively recent change. The advisories are very careful to distinguish the ports/packages from the base system, and to disclaim responsibility for them. I think we've done the right thing as it stands. At some point, people will need to understand that distinction for themselves. 
Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 11:27:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id BA3FB37C576 for ; Thu, 13 Jul 2000 11:27:19 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA26016; Thu, 13 Jul 2000 12:26:12 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713122244.00b06410@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 12:26:06 -0600 To: "David G. Andersen" 
From: Brett Glass Subject: Re: Two kinds of advisories? Cc: security@FreeBSD.ORG In-Reply-To: <200007131814.MAA22497@faith.cs.utah.edu> References: <4.3.2.7.2.20000713120631.04d53b60@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Many of them don't read the disclaimers because they're scanning the subject lines. When they see one with "FreeBSD" in it, some of them call in a panic. They often don't read the message because they believe that they won't understand it. Yes, I know, it'd be nice if they weren't so clueless about computer security and FreeBSD, but then, they're experts in their own fields, which WE don't know much about. Instead of writing them off, why not make the subject lines clearer? --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 11:27:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 0A41B37C559; Thu, 13 Jul 2000 11:27:39 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id A4B861C66; Thu, 13 Jul 2000 14:27:35 -0400 (EDT) Date: Thu, 13 Jul 2000 14:27:35 -0400 
From: Bill Fumerola To: Robert Watson Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? Message-ID: <20000713142735.K4034@jade.chc-chimes.com> References: <4.3.2.7.2.20000713120631.04d53b60@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from rwatson@FreeBSD.ORG on Thu, Jul 13, 2000 at 02:21:09PM -0400 X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jul 13, 2000 at 02:21:09PM -0400, Robert Watson wrote: > That was the whole point of putting "ports" in there in the first place, a > relatively recent change. The advisories are very careful to distinguish > the ports/packages from the base system, and to disclaim responsibility > for them. I think we've done the right thing as it stands. At some > point, people will need to understand that distinction for themselves. Well, it is when we do it right. See the "ports advisory" for the recent ipopts pagefault stuff. -- Bill Fumerola - Network Architect / Computer Horizons Corp - CHIMES e-mail: billf@chimesnet.com / billf@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 11:31:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id BC75737C560 for ; Thu, 13 Jul 2000 11:31:19 -0700 (PDT) (envelope-from danderse@cs.utah.edu) Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id MAA23590 for security@freebsd.org; Thu, 13 Jul 2000 12:31:18 -0600 (MDT) Message-Id: <200007131831.MAA23590@faith.cs.utah.edu> Subject: Re: Two kinds of advisories? To: security@freebsd.org Date: Thu, 13 Jul 2000 12:31:18 -0600 (MDT) In-Reply-To: <4.3.2.7.2.20000713122244.00b06410@localhost> from "Brett Glass" at Jul 13, 2000 12:26:06 PM 
From: "David G. Andersen" X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Lo and behold, Brett Glass once said: > > Many of them don't read the disclaimers because they're scanning the > subject lines. When they see one with "FreeBSD" in it, some of them > call in a panic. They often don't read the message because they > believe that they won't understand it. > > Yes, I know, it'd be nice if they weren't so clueless about computer > security and FreeBSD, but then, they're experts in their own fields, > which WE don't know much about. Instead of writing them off, why > not make the subject lines clearer? Because they're already clear. It says "FreeBSD" - it's related to FreeBSD, and if you run FreeBSD, you'd damn well better read the message. It says "Ports" - it has to do with the FreeBSD ports collection. Inside the message, you find a description of the problem. You say, "Oh, I don't run setuid-emacs-with-gaping-security-hole, so I'm safe." That's exactly the process that *should* occur. If people immediately disregard it because it's a ports advisory, they're shooting themselves in the foot if they run any ports. If they don't, they can be happy and relax after 3 seconds of reading the advisory. The label is accurate. Don't fix something that isn't broken. 
-Dave -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 11:42:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from marble.fbcc.com (ns2.fbcc.com [216.54.252.3]) by hub.freebsd.org (Postfix) with SMTP id 3035837B924 for ; Thu, 13 Jul 2000 11:42:43 -0700 (PDT) (envelope-from jim@jimking.net) Received: (qmail 22372 invoked from network); 13 Jul 2000 18:45:28 -0000 Received: from unknown (HELO bluto.jimking.net) (216.54.255.8) by ns2.fbcc.com with SMTP; 13 Jul 2000 18:45:28 -0000 Received: from jking (jking.lgc.com [134.132.75.164]) by bluto.jimking.net (8.9.3/8.9.3) with SMTP id NAA35960; Thu, 13 Jul 2000 13:42:22 -0500 (CDT) (envelope-from jim@jimking.net) Message-ID: <007201bfecfa$1d807440$a44b8486@jking> 
From: "Jim King" To: "David G. Andersen" , "Brett Glass" Cc: References: <4.3.2.7.2.20000713120631.04d53b60@localhost> <4.3.2.7.2.20000713122244.00b06410@localhost> Subject: Re: Two kinds of advisories? Date: Thu, 13 Jul 2000 13:42:21 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Brett Glass wrote: > Many of them don't read the disclaimers because they're scanning the > subject lines. When they see one with "FreeBSD" in it, some of them > call in a panic. They often don't read the message because they > believe that they won't understand it. > > Yes, I know, it'd be nice if they weren't so clueless about computer > security and FreeBSD, but then, they're experts in their own fields, > which WE don't know much about. Instead of writing them off, why > not make the subject lines clearer? Why are they reading the advisories at all if they don't understand them? Jim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 11:54: 0 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 8AC7A37B924 for ; Thu, 13 Jul 2000 11:53:49 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id PAA02673; Thu, 13 Jul 2000 15:52:38 -0300 (GMT) 
From: Fernando Schapachnik Message-Id: <200007131852.PAA02673@ns1.via-net-works.net.ar> Subject: Re: Two kinds of advisories? In-Reply-To: <4.3.2.7.2.20000713122244.00b06410@localhost> from Brett Glass at "Jul 13, 0 12:26:06 pm" To: brett@lariat.org (Brett Glass) Date: Thu, 13 Jul 2000 15:52:37 -0300 (GMT) Cc: dga@POBOX.COM, security@FreeBSD.ORG Reply-To: Fernando Schapachnik X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In a previous message, Brett Glass wrote:
> Yes, I know, it'd be nice if they weren't so clueless about computer
> security and FreeBSD, but then, they're experts in their own fields,
> which WE don't know much about. Instead of writing them off, why
> not make the subject lines clearer?

Maybe they shouldn't read bugtraq if they are not qualified (as I don't read the New England Medical Journal scanning for new diseases).

Regards!

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 13 11:57:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id F3E8137B874 for ; Thu, 13 Jul 2000 11:57:34 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id OAA71079; Thu, 13 Jul 2000 14:57:23 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Thu, 13 Jul 2000 14:57:23 -0400 (EDT)
From: Robert Watson X-Sender: robert@fledge.watson.org To: Bill Fumerola Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: <20000713142735.K4034@jade.chc-chimes.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Bill Fumerola wrote: > On Thu, Jul 13, 2000 at 02:21:09PM -0400, Robert Watson wrote: > > > That was the whole point of putting "ports" in there in the first place, a > > relatively recent change. The advisories are very careful to distinguish > > the ports/packages from the base system, and to disclaim responsibility > > for them. I think we've done the right thing as it stands. At some > > point, people will need to understand that distinction for themselves. > > Well, it is when we do it right. See the "ports advisory" for the recent > ipopts pagefault stuff. The theory is right, it's just the implementation that is lacking. Like in physics... :-) Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 11:58:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from pogo.caustic.org (pogo.caustic.org [208.44.193.69]) by hub.freebsd.org (Postfix) with ESMTP id 5086C37BDED for ; Thu, 13 Jul 2000 11:58:38 -0700 (PDT) (envelope-from jan@caustic.org) Received: from localhost (jan@localhost) by pogo.caustic.org (8.10.0/ignatz) with ESMTP id e6DIwEF19254; Thu, 13 Jul 2000 11:58:14 -0700 (PDT) Date: Thu, 13 Jul 2000 11:58:14 -0700 (PDT) 
From: "f.johan.beisser" To: Fernando Schapachnik Cc: Brett Glass , dga@POBOX.COM, security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: <200007131852.PAA02673@ns1.via-net-works.net.ar> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

on a sick voyeuristic note, i like reading things i'm not qualified to understand (NEMJ being one of them).

on the other hand, i find bugtraq to have a lot of junk in it, and just generally useless cruft.

On Thu, 13 Jul 2000, Fernando Schapachnik wrote:

> In a previous message, Brett Glass wrote:
> > Yes, I know, it'd be nice if they weren't so clueless about computer
> > security and FreeBSD, but then, they're experts in their own fields,
> > which WE don't know much about. Instead of writing them off, why
> > not make the subject lines clearer?
>
> Maybe they shouldn't read bugtraq if they are not qualified (as I
> don't read the New England Medical Journal scanning for new diseases).
>
> Regards!
>
> Fernando P. Schapachnik
> Network Administration
> VIA NET.WORKS ARGENTINA S.A.
> fernando@via-net-works.net.ar
> (54-11) 4323-3333
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

+-----/ f. johan beisser /------------------------------+
email: jan[at]caustic.org web: http://www.caustic.org/~jan
"knowledge is power. power corrupts. study hard, be evil."
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 12: 6:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from field.videotron.net (field.videotron.net [205.151.222.108]) by hub.freebsd.org (Postfix) with ESMTP id 2CFEA37C37E for ; Thu, 13 Jul 2000 12:06:55 -0700 (PDT) (envelope-from bmilekic@dsuper.net) Received: from modemcable009.62-201-24.mtl.mc.videotron.net ([24.201.62.9]) by field.videotron.net (Sun Internet Mail Server sims.3.5.1999.12.14.10.29.p8) with ESMTP id <0FXN002Q0GMOIR@field.videotron.net> for security@FreeBSD.ORG; Thu, 13 Jul 2000 14:56:48 -0400 (EDT) Date: Thu, 13 Jul 2000 14:59:05 -0400 (EDT) 
From: Bosko Milekic Subject: Re: Two kinds of advisories? In-reply-to: <4.3.2.7.2.20000713122244.00b06410@localhost> X-Sender: bmilekic@jehovah.technokratis.com To: Brett Glass Cc: security@FreeBSD.ORG Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Brett Glass wrote: > Many of them don't read the disclaimers because they're scanning the > subject lines. When they see one with "FreeBSD" in it, some of them > call in a panic. They often don't read the message because they > believe that they won't understand it. > > Yes, I know, it'd be nice if they weren't so clueless about computer > security and FreeBSD, but then, they're experts in their own fields, > which WE don't know much about. Instead of writing them off, why > not make the subject lines clearer? > > --Brett Because relatively educated people in North-America can read. If they refuse to read it then you should probably not subscribe them to Bugtraq. Is this *really* a topic of discussion for -security ? (If you want to reply, address your reply to -chat only, please). 
:-) -- Bosko Milekic * Voice/Mobile: 514.865.7738 * Pager: 514.921.0237 bmilekic@technokratis.com * http://www.technokratis.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 12: 8:29 2000 Delivered-To: freebsd-security@freebsd.org Received: from voltage.net (voltage.net [208.189.4.3]) by hub.freebsd.org (Postfix) with ESMTP id 4F7A337C6B0 for ; Thu, 13 Jul 2000 12:08:23 -0700 (PDT) (envelope-from sward@voltage.net) Received: from amavis by voltage.net with scanned-ok (Exim 3.14 #4) id 13CoLN-000OJD-00 for security@freebsd.org; Thu, 13 Jul 2000 14:08:21 -0500 Received: from basketcase.voltage.net ([208.189.4.20]) by voltage.net with esmtp (Exim 3.14 #4) id 13CoLH-000OG3-00; Thu, 13 Jul 2000 14:08:15 -0500 Message-Id: <4.3.1.2.20000713140640.00dcdcd0@mail.voltage.net> X-Sender: sward@mail.voltage.net X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Thu, 13 Jul 2000 14:08:23 -0500 To: Brett Glass 
From: Susie Ward Subject: Re: Two kinds of advisories? Cc: security@FreeBSD.ORG In-Reply-To: <4.3.2.7.2.20000713122244.00b06410@localhost> References: <200007131814.MAA22497@faith.cs.utah.edu> <4.3.2.7.2.20000713120631.04d53b60@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-AntiVirus: This email was scanned for known viruses (http://www.voltage.net/virusalert.html) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 12:26 PM 7/13/00 -0600, Brett Glass wrote: >Many of them don't read the disclaimers because they're scanning the >subject lines. When they see one with "FreeBSD" in it, some of them >call in a panic. They often don't read the message because they >believe that they won't understand it. > >Yes, I know, it'd be nice if they weren't so clueless about computer >security and FreeBSD, but then, they're experts in their own fields, >which WE don't know much about. Instead of writing them off, why >not make the subject lines clearer? If they don't understand it, then maybe you shouldn't be encouraging them to join bugtraq, but I am curious what you'd like to see the subject lines say? Susie To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 12:23:32 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 9316637C59C for ; Thu, 13 Jul 2000 12:23:20 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id NAA26544; Thu, 13 Jul 2000 13:22:47 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713132105.04b65f00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 13:22:42 -0600 To: "Jim King" , "David G. Andersen" 
From: Brett Glass Subject: Re: Two kinds of advisories? Cc: In-Reply-To: <007201bfecfa$1d807440$a44b8486@jking> References: <4.3.2.7.2.20000713120631.04d53b60@localhost> <4.3.2.7.2.20000713122244.00b06410@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 12:42 PM 7/13/2000, Jim King wrote: >Why are they reading the advisories at all if they don't understand them? They often aren't. Many are just scanning the headers. Unfortunately, the headers leave the uninitiated with the wrong impression. I think that this could be avoided with a slight rephrasing. It would sure save me a bunch of panicky e-mails and phone calls, which seem to happen no matter how often I try to educate people. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 12:25:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 2DBFA37C1A3 for ; Thu, 13 Jul 2000 12:25:08 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id NAA26557; Thu, 13 Jul 2000 13:24:55 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713132400.04b73af0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 13:24:52 -0600 To: Susie Ward 
From: Brett Glass Subject: Re: Two kinds of advisories? Cc: security@FreeBSD.ORG In-Reply-To: <4.3.1.2.20000713140640.00dcdcd0@mail.voltage.net> References: <4.3.2.7.2.20000713122244.00b06410@localhost> <200007131814.MAA22497@faith.cs.utah.edu> <4.3.2.7.2.20000713120631.04d53b60@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 01:08 PM 7/13/2000, Susie Ward wrote: >If they don't understand it, then maybe you shouldn't be encouraging them to join bugtraq, but I am curious what you'd like to see the subject lines say? I think it would help if they listed the name of the PORT first, and then mentioned something about the FreeBSD security team or port maintainers finding the problem. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 12:39:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.infowest.com (ns1.infowest.com [204.17.177.10]) by hub.freebsd.org (Postfix) with ESMTP id B8E3537BC8C for ; Thu, 13 Jul 2000 12:39:04 -0700 (PDT) (envelope-from root@infowest.com) Received: by ns1.infowest.com (Postfix, from userid 0) id 8FC3F20F55; Thu, 13 Jul 2000 13:39:03 -0600 (MDT) To: luigi@labinfo.iet.unipi.it, security@freebsd.org, Subject: ipfw patches Reply-To: 
From: "Aaron D. Gifford" Message-Id: <20000713193903.8FC3F20F55@ns1.infowest.com> Date: Thu, 13 Jul 2000 13:39:03 -0600 (MDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

Here are some patches to the kernel's ipfw code and to the ipfw program that give fine-grained control to dynamic keep-state rule lifetimes. I've used them on several boxes for over a month now with no troubles at all. I think the changes are quite stable.

I found that the sysctl variables that controlled TCP and non-TCP dynamic rules (using keep-state) did not give enough control over the rule lifetimes. For instance, TCP connections like SSH or TELNET on my boxes use a very long dynamic rule lifetime so that idle sessions (those that pass no traffic for over 5 minutes, the default lifetime of ipfw dynamic TCP sessions) while HTTP TCP sessions use the default 5-minute rule lifetimes since that is usually sufficient.

To the ipfw maintainer(s), would this functionality warrant integration into the FreeBSD code base?

Here's a sample of how I use the patches:

  ...
  ipfw add check-state
  ipfw add deny tcp from any to any established
  ipfw add pass tcp from any to ${ip} 22 in keep-state lifetime 3600
  ipfw add pass tcp from any to ${ip} 80 in keep-state
  ...
  ipfw add pass udp from ${ip} to any 53 out keep-state
  ipfw add pass udp from ${ip} to ${icqnet1} 4000 out keep-state lifetime 300
  ipfw add pass udp from ${ip} to ${icqnet2} 4000 out keep-state lifetime 300
  ...
  ipfw add deny log all from any to any

In the above example, SSH traffic expires only after an hour of inactivity while HTTP traffic uses the sysctl variables (which were left at the default of 300 seconds/5-minutes in the example). For UDP, ICQ traffic uses a longer 5-minute expiration while DNS traffic uses the sysctl variable values.

As you can see, the patches add the "lifetime XXXX" ability to any keep-state rules. The number (XXXX) is just an integer representing the number of seconds after which the rule will expire. For TCP rules, the patches permit any individual rule to override the use of the sysctl variable net.inet.ip.fw.dyn_ack_lifetime (which defaults to 5 minutes or 300 seconds). For non-TCP rules, the patches override the value of the sysctl variable net.inet.ip.fw.dyn_short_lifetime which I believe defaults to 5 seconds.

I noticed that the kernel ipfw code for non-TCP dynamic rules uses an initial lifetime from net.inet.ip.fw.dyn_syn_lifetime but subsequent packets that match the dynamic rule use net.inet.ip.fw.dyn_short_lifetime to update the lifetime of the rule. That means that UDP traffic will initially use a 20-second timeout as things work currently, then any subsequent matching packets set the lifetime to 5 seconds. I was unsure whether or not this was intentional. My patches treat this as a bug and use only net.inet.ip.fw.dyn_short_lifetime instead (in the absence of an explicit lifetime specified on the command line with the "lifetime XXXX" extension). If this behavior was intentional and deliberate, I need to fix my patches and this should really be documented in the man page.

With my patches on my boxes, I increase net.inet.ip.fw.dyn_short_lifetime to 30 seconds and things work very well. I don't think I want a 5 second lifetime on UDP traffic anyway by default. It works just fine (the current method of 20 seconds then 5 seconds) for most simple UDP traffic like DNS queries or NTP stuff, but more complex UDP traffic that relies on more subsequent packets might be terminated by the short 5-second lifetime after the first matching packet.

After applying the patches, just recompile your kernel and recompile the ipfw command and install both. As far as I know, these two items are the only ones necessary to recompile.

Please let me know if this is useful. Also let me know if I've overlooked anything.

Thanks!
Aaron Gifford ===== PATCHES ARE BELOW: cd /usr/src ; patch -p < patch-file ====== --- sys/netinet/ip_fw.c.orig Wed May 31 14:43:58 2000 +++ sys/netinet/ip_fw.c Mon Jun 5 08:08:51 2000 @@ -651,7 +651,7 @@ break ; case TH_SYN | (TH_SYN << 8) : /* move to established */ - q->expire = time_second + dyn_ack_lifetime ; + q->expire = time_second + (q->lifetime ? q->lifetime : dyn_ack_lifetime) ; break ; case TH_SYN | (TH_SYN << 8) | TH_FIN : case TH_SYN | (TH_SYN << 8) | (TH_FIN << 8) : @@ -673,7 +673,7 @@ } } else { /* should do something for UDP and others... */ - q->expire = time_second + dyn_short_lifetime ; + q->expire = time_second + (q->lifetime ? q->lifetime : dyn_short_lifetime) ; } if (match_direction) *match_direction = dir ; @@ -721,7 +721,13 @@ if (mask) r->mask = *mask ; r->id = *id ; - r->expire = time_second + dyn_syn_lifetime ; + r->lifetime = chain->rule->fw_dyn_lifetime ; + if (r->lifetime) + r->expire = time_second + r->lifetime ; + else if (r->id.proto == IPPROTO_TCP) + r->expire = time_second + dyn_syn_lifetime ; + else + r->expire = time_second + dyn_short_lifetime ; r->chain = chain ; r->type = ((struct ip_fw_ext *)chain->rule)->dyn_type ; --- sys/netinet/ip_fw.h.orig Thu Feb 10 07:17:39 2000 +++ sys/netinet/ip_fw.h Mon Jun 5 08:08:51 2000 @@ -73,6 +73,7 @@ u_short fu_skipto_rule; /* SKIPTO command rule number */ u_short fu_reject_code; /* REJECT response code */ struct sockaddr_in fu_fwd_ip; + u_int32_t fu_dyn_lifetime; /* Explicit dynamic rule lifetime */ } fw_un; u_char fw_prot; /* IP protocol */ /* @@ -121,6 +122,7 @@ #define fw_reject_code fw_un.fu_reject_code #define fw_pipe_nr fw_un.fu_pipe_nr #define fw_fwd_ip fw_un.fu_fwd_ip +#define fw_dyn_lifetime fw_un.fu_dyn_lifetime struct ip_fw_chain { LIST_ENTRY(ip_fw_chain) chain; 
@@ -147,6 +149,7 @@ struct ipfw_flow_id mask ; struct ip_fw_chain *chain ; /* pointer to parent rule */ u_int32_t type ; /* rule type */ + u_int32_t lifetime ; /* per-rule specified lifetime */ u_int32_t expire ; /* expire time */ u_int64_t pcnt, bcnt; /* match counters */ u_int32_t bucket ; /* which bucket in hash table */ --- sbin/ipfw/ipfw.c.orig Sun Feb 13 04:46:59 2000 +++ sbin/ipfw/ipfw.c Mon Jun 5 08:09:29 2000 @@ -381,6 +381,8 @@ printf(" keep-state %d", (int)chain->next_rule_ptr); else printf(" keep-state"); + if (chain->fw_dyn_lifetime) + printf(" lifetime %d", (int)chain->fw_dyn_lifetime); } /* Direction */ if (chain->fw_flg & IP_FW_BRIDGED) @@ -1553,6 +1555,15 @@ (int)rule.next_rule_ptr = type ; av++; ac--; } + if (ac > 0 && !strncmp(*av,"lifetime",strlen(*av))) { + u_long lifetime ; + + av++; ac--; + if (ac > 0 && (lifetime = atoi(*av)) != 0) { + rule.fw_dyn_lifetime = lifetime; + av++; ac--; + } + } continue; } if (!strncmp(*av,"bridged",strlen(*av))) { To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 12:39:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.uscreativetypes.com (ns1.uscreativetypes.com [199.45.183.33]) by hub.freebsd.org (Postfix) with ESMTP id 7D8C537B606 for ; Thu, 13 Jul 2000 12:39:44 -0700 (PDT) (envelope-from joe@ns1.uscreativetypes.com) Received: from localhost (localhost [127.0.0.1]) by ns1.uscreativetypes.com (8.10.0/8.9.3) with ESMTP id e6DJCel33415; Thu, 13 Jul 2000 13:12:44 -0600 (MDT) (envelope-from joe@ns1.uscreativetypes.com) Date: Thu, 13 Jul 2000 13:12:40 -0600 (MDT) 
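Review bot: In the last sbin/ipfw/ipfw.c hunk of the patch above, `(lifetime = atoi(*av)) != 0` accepts bad input silently. A missing, zero or non-numeric value after "lifetime" consumes the keyword but not the value and raises no error, so the rule is installed with the sysctl default and the stray token is left for the next option test. A negative number passes the `!= 0` check and, once stored in the u_int32_t fw_dyn_lifetime, becomes a very large lifetime that keeps the dynamic rule, and the hole it opens in the firewall, alive far longer than the operator intended. Suggest parsing with strtoul, checking the end pointer, rejecting 0 and anything above a sane upper bound, and failing with a usage error; the listing hunk should then print the value as unsigned instead of casting it to int.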
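The UDP timeout behaviour described in Aaron Gifford's message above, replayed in user space as an added example (it is not part of the original post or patch, and it is not kernel code). The sysctl defaults are the values the message quotes; the packet times are constructed, and treating state as expired once the current time is past `expire` is an assumption of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_UDP 17

/* Timeouts named after the sysctls in the message. */
struct dyn_timeouts {
    uint32_t syn_lifetime;   /* net.inet.ip.fw.dyn_syn_lifetime   */
    uint32_t ack_lifetime;   /* net.inet.ip.fw.dyn_ack_lifetime   */
    uint32_t short_lifetime; /* net.inet.ip.fw.dyn_short_lifetime */
};

/* Defaults as quoted in the message, and the author's tuned setting. */
static const struct dyn_timeouts DEFAULTS = { 20, 300, 5 };
static const struct dyn_timeouts TUNED    = { 20, 300, 30 };

/* Constructed sample: seconds at which packets of one UDP flow arrive. */
static const uint32_t SAMPLE_FLOW[] = { 0, 12, 20, 24 };
#define SAMPLE_LEN ((int)(sizeof(SAMPLE_FLOW) / sizeof(SAMPLE_FLOW[0])))

enum policy { STOCK, PATCHED };

/* Lifetime given to a dynamic rule when the first packet creates it. */
static uint32_t initial_lifetime(enum policy p, const struct dyn_timeouts *t,
                                 int proto, uint32_t rule_lifetime)
{
    if (p == STOCK)
        return t->syn_lifetime;      /* same value for every protocol */
    if (rule_lifetime)
        return rule_lifetime;        /* explicit "lifetime XXXX" wins */
    return proto == PROTO_TCP ? t->syn_lifetime : t->short_lifetime;
}

/* Lifetime applied each time a later non-TCP packet matches the rule. */
static uint32_t refresh_lifetime(enum policy p, const struct dyn_timeouts *t,
                                 uint32_t rule_lifetime)
{
    if (p == PATCHED && rule_lifetime)
        return rule_lifetime;
    return t->short_lifetime;
}

/*
 * Replay a UDP flow. times[0] creates the dynamic rule; every later packet
 * either matches (and refreshes the expiry) or finds the state gone.
 * Returns the index of the first packet that finds no live state, or -1
 * if the whole flow is covered.
 */
int first_dropped_udp(enum policy p, const struct dyn_timeouts *t,
                      uint32_t rule_lifetime, const uint32_t *times, int n)
{
    uint32_t expire;
    int i;

    if (n < 1)
        return -1;
    expire = times[0] + initial_lifetime(p, t, PROTO_UDP, rule_lifetime);
    for (i = 1; i < n; i++) {
        if (times[i] > expire)       /* assumption: expired once now > expire */
            return i;
        expire = times[i] + refresh_lifetime(p, t, rule_lifetime);
    }
    return -1;
}

int main(void)
{
    /* Stock kernel: created with 20 s, but the packet at t=12 resets the
     * expiry to 12+5=17, so the packet at t=20 is already too late. */
    printf("stock, defaults:         %d\n",
           first_dropped_udp(STOCK, &DEFAULTS, 0, SAMPLE_FLOW, SAMPLE_LEN));
    /* Patched with the default 5 s: stricter, the t=12 packet is lost. */
    printf("patched, defaults:       %d\n",
           first_dropped_udp(PATCHED, &DEFAULTS, 0, SAMPLE_FLOW, SAMPLE_LEN));
    /* Patched with dyn_short_lifetime raised to 30 s. */
    printf("patched, short=30:       %d\n",
           first_dropped_udp(PATCHED, &TUNED, 0, SAMPLE_FLOW, SAMPLE_LEN));
    /* Patched, defaults, but the rule carries "lifetime 15". */
    printf("patched, lifetime 15:    %d\n",
           first_dropped_udp(PATCHED, &DEFAULTS, 15, SAMPLE_FLOW, SAMPLE_LEN));
    return 0;
}
```

Note that in the stock case the second packet shortens the remaining lifetime, and that the patch without a raised sysctl or an explicit per-rule lifetime is tighter than stock for the first gap in a UDP flow.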
From: "Jumpin' Joe Schroedl" X-Sender: joe@localhost To: Brett Glass Cc: Jim King , "David G. Andersen" , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: <4.3.2.7.2.20000713132105.04b65f00@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Brett:

I don't think your problem is the wording in the advisory headers -- I think it's with yer people. There are a million things out there which generate panicky and time-wasting calls and emails...I get them every day from the mundane to the absolutely ludicrous. Your people need to understand that if the word 'ports' shows up in the header, as I believe is now the standard, then it relates to ports.

My point is that the headers can be changed again and again, but that only solves a symptom, not the disease. And if the panicky calls keep coming in, there is one solution: bill 'em. If their lack of critical reading skills wastes your time, waste their capital. Sometimes that is the only way :\

Peace all

Jumpin Joe Schroedl
UCT Digital Designs
--------------------

On Thu, 13 Jul 2000, Brett Glass wrote:

> At 12:42 PM 7/13/2000, Jim King wrote:
>
> >Why are they reading the advisories at all if they don't understand them?
>
> They often aren't. Many are just scanning the headers. Unfortunately,
> the headers leave the uninitiated with the wrong impression. I think
> that this could be avoided with a slight rephrasing. It would sure save
> me a bunch of panicky e-mails and phone calls, which seem to happen no
> matter how often I try to educate people.
> > --Brett > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 12:43:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from tandem.milestonerdl.com (tandem.milestonerdl.com [204.107.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 5804737C53E for ; Thu, 13 Jul 2000 12:43:04 -0700 (PDT) (envelope-from marc@milestonerdl.com) Received: from tandem (tandem [204.107.138.1]) by tandem.milestonerdl.com (8.10.0/8.10.0) with ESMTP id e6DJgoL31457; Thu, 13 Jul 2000 14:42:50 -0500 (CDT) Date: Thu, 13 Jul 2000 14:42:50 -0500 (CDT) 
From: Marc Rassbach To: Brett Glass Cc: "David G. Andersen" , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: <4.3.2.7.2.20000713122244.00b06410@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

We went through this once before on this list, and the manner in which it is done now is just fine.

If you don't like your clients calling you in a panic, then start CHARGING them for the time you spend with them on the phone. It is amazing how a $130+ bill for talking to your local users (lusers) on the phone to read to them the message they SHOULD have read will do towards driving better luser behavior.

Another solution: Start your own list for your lusers and you can then give them what you think they should see.

On Thu, 13 Jul 2000, Brett Glass wrote:

> Many of them don't read the disclaimers because they're scanning the
> subject lines. When they see one with "FreeBSD" in it, some of them
> call in a panic. They often don't read the message because they
> believe that they won't understand it.
>
> Yes, I know, it'd be nice if they weren't so clueless about computer
> security and FreeBSD, but then, they're experts in their own fields,
> which WE don't know much about. Instead of writing them off, why
> not make the subject lines clearer?
> > --Brett > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 12:43:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 8118B37B8F5 for ; Thu, 13 Jul 2000 12:43:10 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id PAA71708; Thu, 13 Jul 2000 15:42:52 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Thu, 13 Jul 2000 15:42:52 -0400 (EDT) 
From: Robert Watson X-Sender: robert@fledge.watson.org To: Brett Glass Cc: Susie Ward , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: <4.3.2.7.2.20000713132400.04b73af0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 13 Jul 2000, Brett Glass wrote:

> At 01:08 PM 7/13/2000, Susie Ward wrote:
>
> >If they don't understand it, then maybe you shouldn't be encouraging them to join bugtraq, but I am curious what you'd like to see the subject lines say?
>
> I think it would help if they listed the name of the PORT first, and
> then mentioned something about the FreeBSD security team or port
> maintainers finding the problem.

Wait, I thought that activity was restricted to application developers, 14-year-old code hackers and attention-starved start-up security companies looking for a quick buck.

But seriously. I think the current advisory subject line accurately reflects the situation: we distributed a piece of security-hole-ridden third-party software in the ports collection. As the vehicle by which people got the software, we have a responsibility to notify them of security problems of which we are aware. So "FreeBSD Ports Security Advisory" perfectly reflects this concern.

Here's a recent sample:

Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:29.wu-ftpd

What information could we add here that would improve things? Teaching someone the distinction between "FreeBSD Ports Security Advisory" and "FreeBSD Security Advisory" should not be that difficult, as the distinction between the base system and ports is important. The difference manifests in degree of support, integration with the base system, security auditing level, and install/update mechanism. Understanding that distinction is essential to day-to-day management of the system.
The advisory is careful to identify precisely the software that is vulnerable, how to tell if you are vulnerable, and available fixes, work-arounds, etc. I'm not sure we can really ask much more. Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 12:46:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.scls.lib.wi.us (mail.scls.lib.wi.us [198.150.40.25]) by hub.freebsd.org (Postfix) with ESMTP id 0A1D237C5B0 for ; Thu, 13 Jul 2000 12:46:27 -0700 (PDT) (envelope-from admin@scls.lib.wi.us) Received: from netadmin (natgate.scls.lib.wi.us [198.150.40.60]) by mail.scls.lib.wi.us (8.7.5/8.7.3) with ESMTP id OAA00359; Thu, 13 Jul 2000 14:46:48 -0500 (CDT) Message-Id: <4.2.2.20000713144144.03d34ed0@mail.scls.lib.wi.us> X-Sender: admin@mail.scls.lib.wi.us X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 13 Jul 2000 14:46:24 -0500 To: security@freebsd.org, Brett Glass 
From: Network Administrator Subject: Re: Two kinds of advisories? In-Reply-To: <4.3.2.7.2.20000713132105.04b65f00@localhost> References: <007201bfecfa$1d807440$a44b8486@jking> <4.3.2.7.2.20000713120631.04d53b60@localhost> <4.3.2.7.2.20000713122244.00b06410@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 02:22 PM 7/13/00 , you wrote: >the headers leave the uninitiated with the wrong impression. I think >that this could be avoided with a slight rephrasing. It would sure save >me a bunch of panicky e-mails and phone calls, which seem to happen no >matter how often I try to educate people. suggested workaround: set up a private list service for your clients and forward those messages from BugTraq, security@freebsd, etc. that you think they ought to see, with your own comments appended, e.g. "you don't have to worry about this because the system I set up for you doesn't rely on "subsystem Z". No muss, no fuss, pertinent info delivered and panic assuaged in one fell swoop. In short, if you want your clients' hands held, you should be the one to step up and do it. ;-) ----------------------------------- Greg Barniskis Network Administrator Library Interchange Network (LINK) South Central Library System (SCLS) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 12:53:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.godsey.net (supernal.godsey.net [206.129.156.33]) by hub.freebsd.org (Postfix) with ESMTP id 15AC937C607; Thu, 13 Jul 2000 12:53:22 -0700 (PDT) (envelope-from godsey@godsey.net) Received: from harmony.godsey.net (godsey@harmony.godsey.net [206.129.159.1]) by mail.godsey.net (8.10.0/8.10.0) with ESMTP id e6DJrKO86756; Thu, 13 Jul 2000 12:53:20 -0700 (PDT) Date: Thu, 13 Jul 2000 12:53:19 -0700 (PDT) 
From: Jason Godsey To: Kris Kennaway Cc: FreeBSD Security Advisories , security@FreeBSD.org Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-00:23.ip-options [REVISED] In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org below: Category: ports.. the Ports subject threw me a bit in the page :) From security-officer@freebsd.org Thu Jul 13 12:52:07 2000 Date: Wed, 17 May 2000 14:36:49 -0700 
From: FreeBSD Security Officer To: BUGTRAQ@SECURITYFOCUS.COM Subject: FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:08 Security Advisory
FreeBSD, Inc.

Topic: Lynx ports contain numerous buffer overflows
Category: ports
Module: lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current
Announced: 2000-03-15
Revised: 2000-05-17
Affects: Ports collection before the correction date.
Corrected: 2000-04-16 [lynx-current] 2000-04-21 [lynx]
FreeBSD only: NO

I. Background

Lynx is a popular text-mode WWW browser, available in several versions including SSL support and Japanese language localization.

II. Problem Description

Versions of the lynx software prior to version 2.8.3pre.5 were written in a very insecure style and contain numerous potential and several proven security vulnerabilities (publicized on the BugTraq mailing list) exploitable by a malicious server.

The lynx ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 3200 third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

A malicious server which is visited by a user with the lynx browser can exploit the browser security holes in order to execute arbitrary code as the local user.

If you have not chosen to install any of the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports/packages, then your system is not vulnerable.

IV. Workaround

Remove the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports, if you have installed them.

V. Solution

Upgrade to lynx or lynx-current after the correction date.
After the initial release of this advisory, the Lynx development team conducted an audit of the source code, and have corrected the known vulnerabilities in lynx as well as increasing the robustness of the string-handling code. As of lynx-2.8.3pre.5, we consider it safe enough to use again. Note that there may be undiscovered vulnerabilities remaining in the code, as with all software - but should any further vulnerabilities be discovered a new advisory will be issued. At this time the lynx-ssl/ja-lynx/ja-lynx-current ports are not yet updated to a safe version of lynx: this advisory will be reissued again once they are. 1) Upgrade your entire ports collection and rebuild the lynx or lynx-current port. 2) Reinstall a lynx new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/lynx-2.8.3.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/lynx-2.8.3.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/lynx-2.8.3.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/lynx-2.8.3.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/lynx-2.8.3.1.tgz Note that the lynx-current port is not automatically built as a package. 3) download a new port skeleton for the lynx/lynx-current port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz VI. Revision History v1.0 2000-03-15 Initial release v1.1 2000-05-17 Update to note fix of lynx and lynx-current ports. 
-----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOSMQT1UuHi5z0oilAQHlgwP9EiLqvf8MM55fvftEXPMfL6PJ6HFQPYMH +TqX5Q/P9s0mgBFiGfN8wblmtEUyZ1GwF8goPa9fqqJIfNg8Qu2zWqJOYPjc20hW yo3Rxbi+lEWOYxLpxBKDhvBH7yWxiV8Nm1+w73a76BjaZ20E0b91hgw2lebFiZPi uzK38WjnFNQ= =qWEC -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 12:56:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 1A11037B634 for ; Thu, 13 Jul 2000 12:56:02 -0700 (PDT) (envelope-from matt@ARPA.MAIL.NET) Received: (qmail 67987 invoked by uid 1000); 13 Jul 2000 19:56:00 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 13 Jul 2000 19:56:00 -0000 Date: Thu, 13 Jul 2000 15:55:58 -0400 (EDT) 
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: <4.3.2.7.2.20000713120631.04d53b60@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*sigh* Yeah.. This has been bugging me for a while too. It creates a lot of misinformation about FreeBSD and makes us look worse than what the truth is. Ever go to any of the uhm.. "security" sites and do a search on FreeBSD?

On Thu, 13 Jul 2000, Brett Glass wrote:

:
: I've recently added some of my clients to the Bugtraq mailing list, and
: whenever a message goes out with a subject like "FreeBSD Ports Security
: Advisory: ," they think it's a security hole in FreeBSD. Of course,
: WE know it's not, but they don't understand what "FreeBSD Ports" means and
: get the wrong idea. Any ideas about how to rephrase the subject lines so
: that people who see these messages will get the right idea without knowing
: what the Ports Collection is? Perhaps if the name "FreeBSD" didn't come first?
: : --Brett : : : : To Unsubscribe: send mail to majordomo@FreeBSD.org : with "unsubscribe freebsd-security" in the body of the message : * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE5bh7QdMMtMcA1U5ARAnQSAKDD4IBfxPxJF0VOtoEuN6gUG1WWdQCgrsXx rssiu6SsQmpuoKKMcx7EQQI= =Ceow -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13: 2: 4 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id BCBF437B5DE for ; Thu, 13 Jul 2000 13:01:56 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA60130; Thu, 13 Jul 2000 14:01:54 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA26673; Thu, 13 Jul 2000 14:01:42 -0600 (MDT) Message-Id: <200007132001.OAA26673@harmony.village.org> To: Brett Glass Subject: Re: Two kinds of advisories? Cc: "David G. Andersen" , security@FreeBSD.ORG In-reply-to: Your message of "Thu, 13 Jul 2000 12:26:06 MDT." <4.3.2.7.2.20000713122244.00b06410@localhost> References: <4.3.2.7.2.20000713122244.00b06410@localhost> <4.3.2.7.2.20000713120631.04d53b60@localhost> Date: Thu, 13 Jul 2000 14:01:42 -0600 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <4.3.2.7.2.20000713122244.00b06410@localhost> Brett Glass writes: : Many of them don't read the disclaimers because they're scanning the : subject lines. When they see one with "FreeBSD" in it, some of them : call in a panic. They often don't read the message because they : believe that they won't understand it. : : Yes, I know, it'd be nice if they weren't so clueless about computer : security and FreeBSD, but then, they're experts in their own fields, : which WE don't know much about. Instead of writing them off, why : not make the subject lines clearer? At present, I think the subject lines are just fine. However, I'm always open to positive suggestions about how, specifically, to change them. Until such time as I see a good, specific suggestion, they will remain the way they are. I gave the matter a lot of thought when it was suggested, and this seemed to be the best way to deal with it. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13: 5:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 4712D37B634; Thu, 13 Jul 2000 13:05:04 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA26974; Thu, 13 Jul 2000 14:04:55 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713135632.04b63890@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 14:04:51 -0600 To: Robert Watson 
From: Brett Glass Subject: Re: Two kinds of advisories? Cc: Susie Ward , security@FreeBSD.ORG In-Reply-To: References: <4.3.2.7.2.20000713132400.04b73af0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 01:42 PM 7/13/2000, Robert Watson wrote: >Here's a recent sample: > >Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:29.wu-ftpd > >What information could we add here that would improve things? Let's look closely at this and see why this might cause a panicky call from a client (which it did, by the way; and, yes, I did bill him for the time I spent making sure he wasn't running wu-ftpd). First, it mentions FreeBSD twice and wu-ftpd only once. Second, wu-ftpd is mentioned at the end where it may fall off the end of the recipient's e-mail window, leaving TWO mentions of FreeBSD visible and no mention of the offending app. Finally, by giving the problem a code, or number, beginning with FreeBSD, it makes it look like a FreeBSD problem. Personally, I'm very glad for the advisories -- you may recall that I returned from my honeymoon to find a system rooted due to a QPopper exploit. I only wish that the CDs were updated quickly enough to prevent more copies of exploitable ports from going out! (People who install from the CDs often don't know how to pick up new ports, and it's not obvious from the sysinstall UI.) But if the advisory said: Security Advisory: Remote root exploit in wu-ftpd (FreeBSD-SA-00:29) it'd produce fewer calls from nervous clients. 
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13: 7:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 528AB37C65B for ; Thu, 13 Jul 2000 13:06:37 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA60147; Thu, 13 Jul 2000 14:06:35 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA26706; Thu, 13 Jul 2000 14:06:23 -0600 (MDT) Message-Id: <200007132006.OAA26706@harmony.village.org> To: Brett Glass Subject: Re: Two kinds of advisories? Cc: "Jim King" , "David G. Andersen" , security@FreeBSD.ORG In-reply-to: Your message of "Thu, 13 Jul 2000 13:22:42 MDT." <4.3.2.7.2.20000713132105.04b65f00@localhost> References: <4.3.2.7.2.20000713132105.04b65f00@localhost> <4.3.2.7.2.20000713120631.04d53b60@localhost> <4.3.2.7.2.20000713122244.00b06410@localhost> Date: Thu, 13 Jul 2000 14:06:23 -0600 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <4.3.2.7.2.20000713132105.04b65f00@localhost> Brett Glass writes:

: They often aren't. Many are just scanning the headers. Unfortunately,
: the headers leave the uninitiated with the wrong impression. I think
: that this could be avoided with a slight rephrasing. It would sure save
: me a bunch of panicky e-mails and phone calls, which seem to happen no
: matter how often I try to educate people.

Do you have a specific suggestion on what that wording might be? As far as I could tell the wording was about the best we could get given the extreme limitations of the subject line. Do you have a suggestion for improvement?

"FreeBSD Optional Package/Ports Advisory" is a better description, but is too long. "Ports Advisory" doesn't tie it to FreeBSD. These advisories are specific to FreeBSD. "FreeBSD Ports Advisory, don't Panic" would defeat the purpose of the advisory: namely to encourage users to upgrade.

Help me help you here.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Thu Jul 13 13:10:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 1C00B37B896 for ; Thu, 13 Jul 2000 13:10:17 -0700 (PDT) (envelope-from matt@ARPA.MAIL.NET) Received: (qmail 68074 invoked by uid 1000); 13 Jul 2000 20:10:16 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 13 Jul 2000 20:10:16 -0000 Date: Thu, 13 Jul 2000 16:10:14 -0400 (EDT)
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: FreeBSD-SECURITY Subject: Re: Two kinds of advisories? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, The way I see it, this isn't a problem with our system so to speak, but what our perfectly reasonable system does to our reputation. Go around to the "security" web sites and see how many "ports" exploits are labeled as "FreeBSD remote root exploit" or something equally alarming. Stuff like the above really damages us out there in the real world you know. Any idea how many times I hear "FreeBSD is an insecure OS!" with many references to these "ports" advisories. So ok, they can't read and report false information, that isn't OUR problem, is it? Simple fact is, it IS our problem, as it turns new users off to FreeBSD. These 'clueless' people could after a bit of time become the clueful, I mean hey, we weren't ALWAYS clueful were we? You shouldn't allow such misinformation to be propagated around the world. Would you rather that FreeBSD /appears/ to be an insecure operating system? 
* Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE5biIndMMtMcA1U5ARAmJQAKCb0mOhzdb7cNlP01/LAxO0fS6gAgCfUXED LmCPlKrRXTq2Gk638hmYAIc= =l/Cu -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13:10:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id EC89B37C5FC for ; Thu, 13 Jul 2000 13:10:42 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA27028; Thu, 13 Jul 2000 14:10:17 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713140559.04b7aec0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 14:10:12 -0600 To: Matt Heckaman 
From: Brett Glass Subject: Re: Two kinds of advisories? Cc: security@FreeBSD.ORG In-Reply-To: References: <4.3.2.7.2.20000713120631.04d53b60@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 01:55 PM 7/13/2000, Matt Heckaman wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>*sigh* Yeah.. This has been bugging me for a while too. It creates a lot of
>misinformation about FreeBSD and makes us look worse than what the truth
>is. Ever go to any of the uhm.. "security" sites and do a search on FreeBSD?

Yep. You get tons of hits. A recent article also overestimated the number of security problems in FreeBSD because the person who compiled the statistics used message headers from Bugtraq and didn't cull the problems which were due to ports.

One way to deal with this problem would be to remove the name FreeBSD from the header altogether, labeling the effort to report bugs in ports with some other name. Other ideas?

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Thu Jul 13 13:12:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 5051E37B531 for ; Thu, 13 Jul 2000 13:12:18 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id QAA328170; Thu, 13 Jul 2000 16:11:54 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <4.3.1.2.20000713140640.00dcdcd0@mail.voltage.net> References: <200007131814.MAA22497@faith.cs.utah.edu> <4.3.2.7.2.20000713120631.04d53b60@localhost> <4.3.1.2.20000713140640.00dcdcd0@mail.voltage.net> Date: Thu, 13 Jul 2000 16:12:56 -0400 To: Susie Ward , Brett Glass
From: Garance A Drosihn Subject: Re: Two kinds of advisories? Cc: security@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 2:08 PM -0500 7/13/00, Susie Ward wrote: >At 12:26 PM 7/13/00 -0600, Brett Glass wrote: >>Many of them don't read the disclaimers because they're scanning >>the subject lines. When they see one with "FreeBSD" in it, some >>of them call in a panic. They often don't read the message because >>they believe that they won't understand it. > >If they don't understand it, then maybe you shouldn't be encouraging >them to join bugtraq, but I am curious what you'd like to see the >subject lines say? Instead of "FreeBSD Ports Security Advisory: " Perhaps: "Ports for FreeBSD Security Advisory: " I am not sure that is much of an improvement, but I can see the basic point that Brett is concerned about here. I don't know if there is any good solution, because a really unambiguous description would probably be too long for a 1-line subject... --- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or drosih@rpi.edu Rensselaer Polytechnic Institute To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13:17:50 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 642A437C5D8 for ; Thu, 13 Jul 2000 13:17:44 -0700 (PDT) (envelope-from matt@ARPA.MAIL.NET) Received: (qmail 68125 invoked by uid 1000); 13 Jul 2000 20:17:43 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 13 Jul 2000 20:17:43 -0000 Date: Thu, 13 Jul 2000 16:17:42 -0400 (EDT) 
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: <4.3.2.7.2.20000713140559.04b7aec0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 13 Jul 2000, Brett Glass wrote:
...
: Yep. You get tons of hits. A recent article also overestimated the
: number of security problems in FreeBSD because the person who compiled
: the statistics used message headers from Bugtraq and didn't cull the
: problems which were due to ports.

Exactly. The 'local root' exploits to applications that aren't set-uid root is another matter as well :)

: One way to deal with this problem would be to remove the name FreeBSD
: from the header altogether, labeling the effort to report bugs in ports
: with some other name. Other ideas?

Well, I don't know how this would play out, but I like your example for the header, perhaps it wouldn't be a bad idea to do something like: PORTS-SA:00:XX or whatnot. Keep the FreeBSD and Ports announcements strictly separate like that might not be a bad idea.
: --Brett * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE5biPndMMtMcA1U5ARAmTkAJoDDhkhp/4g28HC4NFDLmWjYllgKACePQJM CEPuWkjOkrlGeq13ILey+QQ= =sNq0 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13:22: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from obie.softweyr.com (obie.softweyr.com [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id BCCC237B9E9 for ; Thu, 13 Jul 2000 13:21:56 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from softweyr.com ([208.187.122.225]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id OAA03496; Thu, 13 Jul 2000 14:20:47 -0600 (MDT) (envelope-from wes@softweyr.com) Message-ID: <396E253C.A07A93D7@softweyr.com> Date: Thu, 13 Jul 2000 14:23:24 -0600 
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 4.0-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: Brett Glass Cc: "David G. Andersen" , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? References: <4.3.2.7.2.20000713120631.04d53b60@localhost> <4.3.2.7.2.20000713122244.00b06410@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Brett Glass wrote: > > Many of them don't read the disclaimers because they're scanning the > subject lines. When they see one with "FreeBSD" in it, some of them > call in a panic. They often don't read the message because they > believe that they won't understand it. > > Yes, I know, it'd be nice if they weren't so clueless about computer > security and FreeBSD, but then, they're experts in their own fields, > which WE don't know much about. Instead of writing them off, why > not make the subject lines clearer? Why not just educate them to RTFMessage? They clearly say "FreeBSD ports", all you need to do is educate them about what that means. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13:34: 8 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id D96B237C578 for ; Thu, 13 Jul 2000 13:33:39 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA27310; Thu, 13 Jul 2000 14:33:03 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713142419.04b82ce0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 14:32:58 -0600 To: Wes Peters 
From: Brett Glass Subject: Re: Two kinds of advisories? Cc: "David G. Andersen" , security@FreeBSD.ORG In-Reply-To: <396E253C.A07A93D7@softweyr.com> References: <4.3.2.7.2.20000713120631.04d53b60@localhost> <4.3.2.7.2.20000713122244.00b06410@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 02:23 PM 7/13/2000, Wes Peters wrote: >Why not just educate them to RTFMessage? They clearly say "FreeBSD ports", >all you need to do is educate them about what that means. Wes: As a fellow writer, I'm sure you understand that this isn't always enough. When a copy editor makes what s/he thinks is an immaterial change to a headline, the consequences can be nasty. (I've gotten intense flames about stories whose headlines were phrased in such a way that they could be misinterpreted, even when just reading the article would have cleared up any confusion.) It's a fact of life that people are in the throes of information overload. They skim headlines and don't have time to delve. For the sake of FreeBSD's reputation, it makes good sense to make the subject lines SUPER-unambiguous. I'm not the only one who has noticed that the current format has caused third-party bugs to be seen as security holes in FreeBSD. Let's make it so there's no chance of this misperception continuing. I really like Matt's idea of numbering Ports advisories as PORTS- to distinguish them from bugs in FreeBSD proper. 
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13:38:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 8C60A37C561; Thu, 13 Jul 2000 13:38:27 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id NAA74316; Thu, 13 Jul 2000 13:38:27 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 13 Jul 2000 13:38:27 -0700 (PDT) 
From: Kris Kennaway To: Brett Glass Cc: Susie Ward , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: <4.3.2.7.2.20000713132400.04b73af0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Brett Glass wrote: > At 01:08 PM 7/13/2000, Susie Ward wrote: > > >If they don't understand it, then maybe you shouldn't be encouraging them to join bugtraq, but I am curious what you'd like to see the subject lines say? > > I think it would help if they listed the name of the PORT first, and > then mentioned something about the FreeBSD security team or port > maintainers finding the problem. So, something like: "Wu-ftpd: SA-00:29 FreeBSD Ports Collection Security Advisory"? Apart from the clumsiness of the above sentence, the most important part (the first word) is the name of the vulnerable software, and the fact that it's an optional component of FreeBSD is relegated to a position somewhere in the middle. IMO, this is *worse* for getting the point across that it's not a FreeBSD system advisory, which is clearly the more important aim. Your two goals for juggling the topic (#1 - the desire for your clients to know whether their system is vulnerable, and #2 - the desire to have the "FreeBSD Ports" bit prominent) - seem to be mutually exclusive. In fact, it doesn't seem to help at all if your clients aren't bright enough to know whether or not they're using wu-ftpd in the first place, as you suggested. Do you have a better suggestion? Kris -- In God we Trust -- all others must submit an X.509 certificate. 
-- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13:44:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id CA1DE37C561; Thu, 13 Jul 2000 13:44:13 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id NAA75186; Thu, 13 Jul 2000 13:44:13 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 13 Jul 2000 13:44:13 -0700 (PDT) 
From: Kris Kennaway To: Brett Glass Cc: Wes Peters , "David G. Andersen" , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: <4.3.2.7.2.20000713142419.04b82ce0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Brett Glass wrote: > I'm not the only one who has noticed that the current format has caused > third-party bugs to be seen as security holes in FreeBSD. Let's make it You are incorrect: the *old* naming scheme (no mention of 'Ports') in the subject was in force when this happened. I only started putting 'Ports' in the subject on July 5th, 8 days ago. This was done with the express intention of differentiating between the two streams. > Matt's idea of numbering Ports advisories as PORTS- to > distinguish them from bugs in FreeBSD proper. "Ports" is already in the subject. If someone doesn't know what "Ports" means, how will changing the advisory numbering make any difference? Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13:45: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from neo.bleeding.com (neo.bleeding.com [209.10.61.250]) by hub.freebsd.org (Postfix) with ESMTP id 52BBE37C578 for ; Thu, 13 Jul 2000 13:44:57 -0700 (PDT) (envelope-from jjwolf@bleeding.com) Received: from localhost (jjwolf@localhost) by neo.bleeding.com (8.9.3/8.9.3) with ESMTP id NAA38358 for ; Thu, 13 Jul 2000 13:44:50 -0700 (PDT) Date: Thu, 13 Jul 2000 13:44:50 -0700 (PDT) 
From: Justin Wolf To: security@FreeBSD.ORG Subject: Displacement of Blame[tm] In-Reply-To: <4.3.2.7.2.20000713142419.04b82ce0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Maybe I missed it in this really long thread somewhere, but why do we have to say that it concerns FreeBSD at all? If it's a bug/hole in a port, it has nothing to do with FreeBSD except for the fact that the user MAY have installed this port, which of course comes from a third party, but was compiled by the FreeBSD organization. Instead, how about just sending an email from the FreeBSD security 'organization' stating that a port has a bug/hole in it. No one assumes that CERT or BUGTRAQ have any security holes, but the products they alert about do. I think this type of advisory would provide the same information within a context that removes FreeBSD proper of having any connotation of holes itself. This also allows the complete removal of 'FreeBSD' in the subject altogether. Flame on, -Justin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13:46:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from p01mail03.midata.com (p01mail03.midata.com [207.250.225.33]) by hub.freebsd.org (Postfix) with ESMTP id 5300637BF5D for ; Thu, 13 Jul 2000 13:46:00 -0700 (PDT) (envelope-from Bob.Gorichanaz@midata.com) Received: from p51mail02.midata.com (localhost [127.0.0.1]) by p01mail03.midata.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id PAA28812 for ; Thu, 13 Jul 2000 15:45:18 -0500 (CDT) 
From: Bob.Gorichanaz@midata.com Subject: Re: Two kinds of advisories? To: security@FreeBSD.ORG X-Mailer: Lotus Notes Release 5.0.2a November 23, 1999 Message-ID: Date: Thu, 13 Jul 2000 15:45:43 -0500 X-MIMETrack: Serialize by Router on DSGATE02/MICORPEX/US(Release 5.0.2a |November 23, 1999) at 07/13/2000 03:45:57 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org How about changing the subject line to: "NOT-FREEBSD: Ports Security Advisory (saXX-YY-ZZZZ)" Of course, web-bots that scan for the words SECURITY, ADVISORY, and FREEBSD will still blindly pull this as a FreeBSD Security Advisory. And you'll probably STILL get calls from clients asking "Do I have this installed?" No amount of over-clarifying the subject line will guarantee 100% that everyone that reads it will understand that it does NOT apply to the FreeBSD Core Operating System. You can make a human READ, but you cannot make him COMPREHEND. -=bob=- Brett Glass @FreeBSD.ORG on 07/13/2000 03:32:58 PM Sent by: owner-freebsd-security@FreeBSD.ORG Sent From the mail file of: Bob Gorichanaz To: Wes Peters cc: "David G. Andersen" , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? At 02:23 PM 7/13/2000, Wes Peters wrote: >Why not just educate them to RTFMessage? They clearly say "FreeBSD ports", >all you need to do is educate them about what that means. Wes: As a fellow writer, I'm sure you understand that this isn't always enough. When a copy editor makes what s/he thinks is an immaterial change to a headline, the consequences can be nasty. (I've gotten intense flames about stories whose headlines were phrased in such a way that they could be misinterpreted, even when just reading the article would have cleared up any confusion.) It's a fact of life that people are in the throes of information overload. They skim headlines and don't have time to delve. 
For the sake of FreeBSD's reputation, it makes good sense to make the subject lines SUPER-unambiguous. I'm not the only one who has noticed that the current format has caused third-party bugs to be seen as security holes in FreeBSD. Let's make it so there's no chance of this misperception continuing. I really like Matt's idea of numbering Ports advisories as PORTS- to distinguish them from bugs in FreeBSD proper. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13:48:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.uscreativetypes.com (ns1.uscreativetypes.com [199.45.183.33]) by hub.freebsd.org (Postfix) with ESMTP id 8D72237C651; Thu, 13 Jul 2000 13:48:29 -0700 (PDT) (envelope-from joe@ns1.uscreativetypes.com) Received: from localhost (localhost [127.0.0.1]) by ns1.uscreativetypes.com (8.10.0/8.9.3) with ESMTP id e6DKLwl33840; Thu, 13 Jul 2000 14:21:59 -0600 (MDT) (envelope-from joe@ns1.uscreativetypes.com) Date: Thu, 13 Jul 2000 14:21:58 -0600 (MDT) 
From: "Jumpin' Joe Schroedl" X-Sender: joe@localhost To: Kris Kennaway Cc: Brett Glass , Susie Ward , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org All: How 'bout: "Security Advisory: Wu-ftpd (FreeBSD Ports Collection) SA-00:29" This just makes it less clumsy. Joe On Thu, 13 Jul 2000, Kris Kennaway wrote: > On Thu, 13 Jul 2000, Brett Glass wrote: > > > At 01:08 PM 7/13/2000, Susie Ward wrote: > > > > >If they don't understand it, then maybe you shouldn't be encouraging them to join bugtraq, but I am curious what you'd like to see the subject lines say? > > > > I think it would help if they listed the name of the PORT first, and > > then mentioned something about the FreeBSD security team or port > > maintainers finding the problem. > > So, something like: > > "Wu-ftpd: SA-00:29 FreeBSD Ports Collection Security Advisory"? > > Apart from the clumsiness of the above sentence, the most important part > (the first word) is the name of the vulnerable software, and the fact that > it's an optional component of FreeBSD is relegated to a position somewhere > in the middle. IMO, this is *worse* for getting the point across that it's > not a FreeBSD system advisory, which is clearly the more important aim. > > Your two goals for juggling the topic (#1 - the desire for your clients to > know whether their system is vulnerable, and #2 - the desire to have the > "FreeBSD Ports" bit prominent) - seem to be mutually exclusive. In fact, > it doesn't seem to help at all if your clients aren't bright enough to > know whether or not they're using wu-ftpd in the first place, as you > suggested. > > Do you have a better suggestion? > > Kris > > -- > In God we Trust -- all others must submit an X.509 certificate. 
> -- Charles Forsythe > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13:49:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from p01mail03.midata.com (p01mail03.midata.com [207.250.225.33]) by hub.freebsd.org (Postfix) with ESMTP id 5D25637C6A1; Thu, 13 Jul 2000 13:49:20 -0700 (PDT) (envelope-from Bob.Gorichanaz@midata.com) Received: from p51mail02.midata.com (localhost [127.0.0.1]) by p01mail03.midata.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id PAA29011; Thu, 13 Jul 2000 15:48:31 -0500 (CDT) 
From: Bob.Gorichanaz@midata.com Subject: Re: Two kinds of advisories? To: kris@FreeBSD.ORG Cc: brett@lariat.org, wes@softweyr.com, dga@POBOX.COM, security@FreeBSD.ORG X-Mailer: Lotus Notes Release 5.0.2a November 23, 1999 Message-ID: Date: Thu, 13 Jul 2000 15:48:56 -0500 X-MIMETrack: Serialize by Router on DSGATE02/MICORPEX/US(Release 5.0.2a |November 23, 1999) at 07/13/2000 03:49:10 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org And besides, he'll STILL get calls from clients who don't know what software they have INSTALLED! The phone conversation will go from: Client: "Do I have to worry about this SA?" Tech: "Nope, it has to do with the PORTS collection, as indicated in the subject line" to: Client: "Do I have to worry about this SA?" Tech: "Nope, it has to do with the PORTS collection, and you don't have this port installed" -=bob=- Kris Kennaway @FreeBSD.ORG on 07/13/2000 03:44:13 PM Sent by: owner-freebsd-security@FreeBSD.ORG Sent From the mail file of: Bob Gorichanaz To: Brett Glass cc: Wes Peters , "David G. Andersen" , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? On Thu, 13 Jul 2000, Brett Glass wrote: > I'm not the only one who has noticed that the current format has caused > third-party bugs to be seen as security holes in FreeBSD. Let's make it You are incorrect: the *old* naming scheme (no mention of 'Ports') in the subject was in force when this happened. I only started putting 'Ports' in the subject on July 5th, 8 days ago. This was done with the express intention of differentiating between the two streams. > Matt's idea of numbering Ports advisories as PORTS- to > distinguish them from bugs in FreeBSD proper. "Ports" is already in the subject. If someone doesn't know what "Ports" means, how will changing the advisory numbering make any difference? Kris -- In God we Trust -- all others must submit an X.509 certificate. 
-- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 13:54:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id 0356B37C688 for ; Thu, 13 Jul 2000 13:54:13 -0700 (PDT) (envelope-from dave@elvis.mu.org) Received: by elvis.mu.org (Postfix, from userid 1088) id B0F312B23C; Thu, 13 Jul 2000 15:54:01 -0500 (CDT) Date: Thu, 13 Jul 2000 15:54:01 -0500 
From: Dave McKay To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Two kinds of advisories? Message-ID: <20000713155401.A91428@elvis.mu.org> References: <4.3.2.7.2.20000713120631.04d53b60@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <4.3.2.7.2.20000713120631.04d53b60@localhost>; from brett@lariat.org on Thu, Jul 13, 2000 at 12:12:11PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I believe I wrote in about almost this same exact question a few months back. Releasing all of these vulnerabilities in the name of FreeBSD has problems. Not all people who read mailing lists have a clue, others don't really READ the mail they receive. Releasing all of these third party vulnerability alerts when the product is not part of FreeBSD can become cumbersome to the average joe reading Bugtraq. He sees all of this and thinks, I'm not using FreeBSD, it has more bugs than a hippie's hair after being outside for 3 weeks. Brett Glass (brett@lariat.org) wrote: > I've recently added some of my clients to the Bugtraq mailing list, and > whenever a message goes out with a subject like "FreeBSD Ports Security > Advisory: ," they think it's a security hole in FreeBSD. Of course, > WE know it's not, but they don't understand what "FreeBSD Ports" means and > get the wrong idea. Any ideas about how to rephrase the subject lines so > that people who see these messages will get the right idea without knowing > what the Ports Collection is? Perhaps if the name "FreeBSD" didn't come first? > > --Brett > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Dave McKay Network Engineer - Google Inc. 
dave@mu.org - dave@google.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 14: 5:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 02E6D37C6A2 for ; Thu, 13 Jul 2000 14:04:55 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id RAA72911; Thu, 13 Jul 2000 17:04:33 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Thu, 13 Jul 2000 17:04:32 -0400 (EDT) 
From: Robert Watson X-Sender: robert@fledge.watson.org To: Matt Heckaman Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Matt Heckaman wrote: > PORTS-SA:00:XX or whatnot. Keep the FreeBSD and Ports announcements > strictly separate like that might not be a bad idea. At the very least, it should be FBSD-PORTS-SA:00:XX, as it is our ports collection, not someone else's. And as "ports" and "packages" mean different things in the context of different operating systems, it would be equally deceiving to have people believe the problem was not associated with FreeBSD :-). Besides which, in the past, at least a few of the security problems in the ports collection have had to do with the laziness or sloppiness of the porter: handing out root access to get kvm rights, or handing out kvm rights to get access to things available via sysctl, or just handing out setuid because the program required it under Linux, or for a feature that was only available under Linux anyway. These are advisories about security problems in software distributed with FreeBSD. The nature of the problem is often specific to FreeBSD, as well as the details of it in practice, the fixes, and the work-arounds. Sometimes the security problem is *less* serious on our platform than other platforms. Especially on a list like bugtraq, which is a full disclosure list, it is important to provide all of the pertinent details, and specifically not be ambiguous about whether or not an advisory has to do with FreeBSD. If your friends and clients are worried by the number of advisories coming out of FreeBSD, ask them if they'd feel more comfortable using another operating system where the bugs are well-known in the security (and hacker) communities, but aren't documented or fixed by the OS vendor. 
In general, for every ports advisory coming out of FreeBSD, you should expect to see an advisory from the software author, as well as from most other BSD and Linux distributions. When you don't, that is a reason for concern. Clearly there are a few exceptions, but it's worth considering, and explaining to people. Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 14:10:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from dfw-smtpout4.email.verio.net (dfw-smtpout4.email.verio.net [129.250.36.44]) by hub.freebsd.org (Postfix) with ESMTP id 8015737C5EF; Thu, 13 Jul 2000 14:10:04 -0700 (PDT) (envelope-from bokr@accessone.com) Received: from [129.250.38.63] (helo=dfw-mmp3.email.verio.net) by dfw-smtpout4.email.verio.net with esmtp (Exim 3.12 #7) id 13CqF5-0001Uf-00; Thu, 13 Jul 2000 21:09:59 +0000 Received: from [204.250.68.168] (helo=gazelle) by dfw-mmp3.email.verio.net with smtp (Exim 3.15 #4) id 13CqF4-0003V8-00; Thu, 13 Jul 2000 21:09:58 +0000 Message-Id: <3.0.5.32.20000713141242.0093fbc0@mail.accessone.com> X-Sender: bokr@mail.accessone.com X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Thu, 13 Jul 2000 14:12:42 -0700 To: Robert Watson 
From: Bengt Richter Subject: Re: Two kinds of advisories? Cc: security@FreeBSD.ORG In-Reply-To: References: <4.3.2.7.2.20000713132400.04b73af0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 15:42 2000-07-13 -0400 Robert Watson wrote: [...] >Here's a recent sample: > >Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:29.wu-ftpd > >What information could we add here that would improve things? Teaching >someone the distinction between "FreeBSD Ports Security Advisory" and >"FreeBSD Security Advisory" should not be that difficult, as the >distinction between the base system and ports is important. The >difference manifests in degree of support, integration with the base >system, security auditing level, and install/update mechanism. >Understanding that distinction is essential to day-to-day management of >the system. The advisory is careful to identify precisely the software >that is vulnerable, how to tell if you are vulnerable, and available >fixes, work-arounds, etc. I'm not sure we can really ask much more. > (1) How about some simple categorization in the subject line, e.g., Subject: FreeBSD Ports(SysUtil) Security Advisory: FreeBSD-SA-00:29.wu-ftpd vs Subject: FreeBSD Ports(Game) Security Advisory: FreeBSD-SA-...some-game etc. (2) Also, perhaps s/Ports/Optional Port/ to reinforce the idea that ports are not a part of FreeBSD per se (and that a particular advisory is talking about a particular port in the singular), for the panic-prone folks described, who don't get to the disclaimer etc. before it's too late. (3) If you want to get fancy, add tagged lines in the advisory itself tailored for automatic extraction and (safe :) use in facilitating scripted verification of whether the receiving system had the vulnerable software installed, or had the problem patched and fixed. With system log entry, and optional email emitted about the check performed. 
Seems like an SA-Evaluation daemon job, acting on emails filtered to it? Regards, Bengt Richter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 14:15:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 3C12F37C579; Thu, 13 Jul 2000 14:15:48 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA81069; Thu, 13 Jul 2000 14:15:48 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 13 Jul 2000 14:15:47 -0700 (PDT) 
From: Kris Kennaway To: "Jumpin' Joe Schroedl" Cc: Brett Glass , Susie Ward , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Jumpin' Joe Schroedl wrote: > "Security Advisory: Wu-ftpd (FreeBSD Ports Collection) SA-00:29" > > This just makes it less clumsy. But doesn't fix the fact that "FreeBSD Ports Collection", which Brett and others are claiming is the most important part (and I agree) is relegated to an afterthought. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 14:44: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 59E1437BD6C for ; Thu, 13 Jul 2000 14:43:51 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id RAA104470; Thu, 13 Jul 2000 17:43:45 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: References: Date: Thu, 13 Jul 2000 17:44:47 -0400 To: Justin Wolf , security@FreeBSD.ORG 
From: Garance A Drosihn Subject: Re: Displacement of Blame[tm] Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 1:44 PM -0700 7/13/00, Justin Wolf wrote: >Maybe I missed it in this really long thread somewhere, but >why do we have to say that it concerns FreeBSD at all? Because we are trying to provide a service to FreeBSD users. If there is NO mention of freebsd, then they will either ignore it completely, or they will send messages to this (freebsd) mailing list saying "Does security advisory X apply to FreeBSD?". So we want some mention of freebsd, but it would be nice if we could come up with a subject-format which didn't make it so easy to assume the advisory is for the core freebsd operating system. In my case, I am thinking how these subjects look to people who are NOT currently running freebsd, and thus they have absolutely no reason to read the whole article to "learn" the distinction between "FreeBSD" and "FreeBSD Ports". Note that this means my concern isn't exactly the same as Brett's original message, but it is mighty similar. 
(also note that I do think that the recent addition of the word "Ports" to the subject line may be enough to address these concerns) --- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or drosih@rpi.edu Rensselaer Polytechnic Institute To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 14:48:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id E7FE537B819; Thu, 13 Jul 2000 14:48:43 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA84693; Thu, 13 Jul 2000 14:48:43 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 13 Jul 2000 14:48:43 -0700 (PDT) 
From: Kris Kennaway To: Garance A Drosihn Cc: Justin Wolf , security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Garance A Drosihn wrote: > (also note that I do think that the recent addition of the > word "Ports" to the subject line may be enough to address > these concerns) I think it's amusing that these concerns only came up *after* I made the change to try and address the very issue they now raise. How about the following: FreeBSD Security Advisory - SA-00:23.ip-options FreeBSD 3rd-party Ports Security Advisory - SA-00:29.wu-ftpd (i.e. drop the second FreeBSD and add '3rd-party' to ports to *further* disclaim responsibility. If you don't like it, suggest something better instead of just saying so :-) Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 13 14:59:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from neo.bleeding.com (neo.bleeding.com [209.10.61.250]) by hub.freebsd.org (Postfix) with ESMTP id 8B96E37C778 for ; Thu, 13 Jul 2000 14:59:14 -0700 (PDT) (envelope-from jjwolf@bleeding.com) Received: from localhost (jjwolf@localhost) by neo.bleeding.com (8.9.3/8.9.3) with ESMTP id OAA38562; Thu, 13 Jul 2000 14:59:10 -0700 (PDT) Date: Thu, 13 Jul 2000 14:59:10 -0700 (PDT) 
From: Justin Wolf
To: Garance A Drosihn
Cc: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Because we are trying to provide a service to FreeBSD users.

Then send it to freebsd-security. Any emails sent to non-FreeBSD lists could still omit the FreeBSD bit from the header.

> In my case, I am thinking how these subjects look to people are NOT
> currently running freebsd, and thus they have absolutely no reason to
> read the whole article to "learn" the distinction between "FreeBSD"
> and "FreeBSD Ports".

I thought the advisory had to do with anyone running the version of the software which was included in the ports and had nothing to do with the FreeBSD association. In which case, maybe it would be good to have people read it if they're running the affected version on an OS other than FBSD.

> (also note that I do think that the recent addition of the
> word "Ports" to the subject line may be enough to address
> these concerns)

"What's a port?"

-Justin

From owner-freebsd-security Thu Jul 13 15:13: 1 2000
Delivered-To: freebsd-security@freebsd.org
Received: from relay1.inwind.it (relay1.inwind.it [212.141.53.67]) by hub.freebsd.org (Postfix) with ESMTP id DA21037B843 for ; Thu, 13 Jul 2000 15:12:49 -0700 (PDT) (envelope-from bartequi@inwind.it)
Received: from bartequi.ottodomain.org (212.141.79.1) by relay1.inwind.it; 14 Jul 2000 00:12:38 +0200
From: Salvo Bartolotta
Date: Thu, 13 Jul 2000 23:13:34 GMT
Message-ID: <20000713.23133400@bartequi.ottodomain.org>
Subject: Re: Two kinds of advisories?
To: freebsd-security@FreeBSD.ORG
In-Reply-To:
References:
X-Mailer: SuperCalifragilis
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

<0.000000000002 Euro>

Third-Party FreeBSD Software Advisory: Port[s] foo [bar] [baz].

Best regards,
Salvo

From owner-freebsd-security Thu Jul 13 15:20:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 2842D37B6A2 for ; Thu, 13 Jul 2000 15:20:44 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id PAA32669; Thu, 13 Jul 2000 15:19:51 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda32667; Thu Jul 13 15:19:46 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id PAA01808; Thu, 13 Jul 2000 15:19:46 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdCg1806; Thu Jul 13 15:19:30 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.10.2/8.9.1) id e6DMJUS02335; Thu, 13 Jul 2000 15:19:30 -0700 (PDT)
Message-Id: <200007132219.e6DMJUS02335@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdUs2330; Thu Jul 13 15:18:33 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.0-STABLE
X-Sender: cy
To: Warner Losh
Cc: Brett Glass , "David G. Andersen" , security@FreeBSD.ORG
Subject: Re: Two kinds of advisories?
In-reply-to: Your message of "Thu, 13 Jul 2000 14:01:42 MDT." <200007132001.OAA26673@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 13 Jul 2000 15:18:33 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200007132001.OAA26673@harmony.village.org>, Warner Losh writes:
> In message <4.3.2.7.2.20000713122244.00b06410@localhost> Brett Glass writes:
> : Many of them don't read the disclaimers because they're scanning the
> : subject lines. When they see one with "FreeBSD" in it, some of them
> : call in a panic. They often don't read the message because they
> : believe that they won't understand it.
> :
> : Yes, I know, it'd be nice if they weren't so clueless about computer
> : security and FreeBSD, but then, they're experts in their own fields,
> : which WE don't know much about. Instead of writing them off, why
> : not make the subject lines clearer?
>
> At present, I think the subject lines are just fine. However, I'm
> always open to positive suggestions about how, specifically, to change
> them. Until such time as I see a good, specific suggestion, they will
> remain the way they are. I gave the matter a lot of thought when it
> was suggested, and this seemed to be the best way to deal with it.

The arguments I've read are political rather than substantial, so I remain unconvinced as well.
Regards,                         Phone: (250)387-8437
Cy Schubert                      Fax: (250)387-5766
Team Leader, Sun/DEC Team        Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Thu Jul 13 15:26:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from relay1.inwind.it (relay1.inwind.it [212.141.53.67]) by hub.freebsd.org (Postfix) with ESMTP id CB15337B9C4 for ; Thu, 13 Jul 2000 15:26:04 -0700 (PDT) (envelope-from bartequi@inwind.it)
Received: from bartequi.ottodomain.org (212.141.79.1) by relay1.inwind.it; 14 Jul 2000 00:25:59 +0200
From: Salvo Bartolotta
Date: Thu, 13 Jul 2000 23:26:54 GMT
Message-ID: <20000713.23265400@bartequi.ottodomain.org>
Subject: Re: Two kinds of advisories?
To: freebsd-security@FreeBSD.ORG
In-Reply-To: <20000713.23133400@bartequi.ottodomain.org>
References: <20000713.23133400@bartequi.ottodomain.org>
X-Mailer: SuperCalifragilis
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 7/14/00, 12:13:34 AM, Salvo Bartolotta wrote regarding Re: Two kinds of advisories?:

Sorry, I left out something :-(

<2 picoEuro>

Third-Party FreeBSD Software Security Advisory: Port[s] foo [bar] [baz].

Best regards,
Salvo

From owner-freebsd-security Thu Jul 13 15:38:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id ED05137B5F6 for ; Thu, 13 Jul 2000 15:38:12 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id SAA74471; Thu, 13 Jul 2000 18:38:06 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Thu, 13 Jul 2000 18:38:06 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Justin Wolf
Cc: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 13 Jul 2000, Justin Wolf wrote:

> Maybe I missed it in this really long thread somewhere, but why do we have
> to say that it concerns FreeBSD at all? If it's a bug/hole in a port, it
> has nothing to do with FreeBSD except for the fact that the user MAY have
> installed this port, which of course comes from a third party, but was
> compiled by the FreeBSD organization.

Except that we specifically modify ports to fit our environment, (a) meaning that they are not in the form provided by the software provider, (b) we compile the software with our run-time environment, (c) and we distribute the software. In each case, the opportunity for vulnerabilities arises, and like it or not, (d) by providing the software we appear to be providing some official sanctioning of the software.

(a) Witness vmware, which relies on custom kernel modules for our platform, and runs with elevated privileges.

(b) Witness mrg, which was vulnerable to a security problem because our ncurses library was buggy, even though the application itself was fine.

(c) Witness the CDROMs we distribute, and the fact that the trend has been to migrate some of the base system behavior (fortran, etc) out into ports/packages.

(d) Witness that our system installation program specifically encourages installing of the ports collection, and that many of the selling points of a FreeBSD system are features such as Samba, Apache, et al.

> Instead, how about just sending an email from the FreeBSD security
> 'organization' stating that a port has a bug/hole in it. No one assumes
> that CERT or BUGTRAQ have any security holes, but the products they alert
> about do.
> I think this type of advisory would provide the same
> information within a context that removes FreeBSD proper of having any
> connotation of holes itself. This also allows the complete removal of
> 'FreeBSD' in the subject all together.

Let's see -- we could just release software advisories for other people's software without discussing the relationship with FreeBSD, and appear just like the attention-grabbing pseudo-legitimate security organizations out there, or we could take responsibility for software we prepare, integrate, and distribute.

I posted a message about this a few months back on bugtraq -- saying, ``Oh no, it's someone else's code'' doesn't excuse the problem if we distribute it. And every time we say, ``Well, why don't we drop that port from the ports collection,'' there are strong objections. In some cases, I believe ports have even been reenabled due to a slow response from the vendor, which I personally consider irresponsible.

I'm all for a stronger disclaimer in sysinstall, carrying the same warning that our advisories do, to let people know that when they install ports they take risks.

Robert N M Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Thu Jul 13 15:47:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from neo.bleeding.com (neo.bleeding.com [209.10.61.250]) by hub.freebsd.org (Postfix) with ESMTP id 5C3EC37BC25 for ; Thu, 13 Jul 2000 15:47:30 -0700 (PDT) (envelope-from jjwolf@bleeding.com)
Received: from localhost (jjwolf@localhost) by neo.bleeding.com (8.9.3/8.9.3) with ESMTP id PAA38758 for ; Thu, 13 Jul 2000 15:47:30 -0700 (PDT)
Date: Thu, 13 Jul 2000 15:47:30 -0700 (PDT)
From: Justin Wolf
To: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Except that we specifically modify ports to fit our environment
> ...

Ah, I didn't realize any changes beyond just making it compile were made. In the case of 'mrg' I would hold that FreeBSD had the bug, not mrg, so therefore it doesn't really apply to this thread.

I'm all for encouraging the value-add side of FBSD. I've been a proponent of it for many years and have seen it slip in favor to Linux due to the perceived "It's hard to use, it's not supported" reputation it has. So I wouldn't recommend pulling ports, but would instead, as you suggest, better educate the users to the liability of installing pre-compiled 3rd party software. Not that RTFM has ever worked in the past, but...

> Let's see -- we could just release software advisories for other people's
> software without discussing the relationship with FreeBSD, and appear just
> like the attention-grabbing pseudo-legitimate security organizations out
> there, or we could take responsibility for software we prepare, integrate,
> and distribute.

I didn't say we shouldn't take responsibility for things which are obviously due to FBSD's work. I was talking under the context that the fault was with the base code and had nothing to do with FBSD at all - the case where EVERY instance of the software had the same problem under ANY OS. This is still providing an advisory service to our users, and simultaneously doesn't provide anti-FBSD fodder for the less educated.

Anyway... I think this is starting to deviate from the initial problem.
-Justin

From owner-freebsd-security Thu Jul 13 15:50:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pebkac.owp.csus.edu (pebkac.owp.csus.edu [130.86.232.245]) by hub.freebsd.org (Postfix) with ESMTP id 3FCCC37BC72 for ; Thu, 13 Jul 2000 15:50:26 -0700 (PDT) (envelope-from joseph.scott@owp.csus.edu)
Received: from owp.csus.edu (mail.owp.csus.edu [130.86.232.247]) by pebkac.owp.csus.edu (8.9.3/8.9.3) with ESMTP id PAA70179; Thu, 13 Jul 2000 15:50:16 -0700 (PDT) (envelope-from joseph.scott@owp.csus.edu)
Message-ID: <396E4712.EC5888B@owp.csus.edu>
Date: Thu, 13 Jul 2000 15:47:46 -0700
From: Joseph Scott
X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.12 i386)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Justin Wolf
Cc: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Justin Wolf wrote:
>
> Maybe I missed it in this really long thread somewhere, but why do we have
> to say that it concerns FreeBSD at all? If it's a bug/hole in a port, it
> has nothing to do with FreeBSD except for the fact that the user MAY have
> installed this port, which of course comes from a third party, but was
> compiled by the FreeBSD organization.

This is one of those balancing acts. However, I believe it's important for a couple of reasons.

1. The method that the person receives the at risk program is from FreeBSD. IE: I installed it from the ports collection. While the software itself is not developed by FreeBSD, the distribution method is. I imagine this is something similar to Toys'R'Us removing a dangerous toy from their shelves and telling the whole world about it. Toys'R'us didn't make the toy, but they are responsible for making it available to the portion of the public that shops there.

2. The "why didn't I hear about this from you instead of a third party" case. Some people get upset if it's their uncle who tells them they have a security hole instead of the vendor that they got the OS from in the first place.

> Instead, how about just sending an email from the FreeBSD security
> 'organization' stating that a port has a bug/hole in it. No one assumes
> that CERT or BUGTRAQ have any security holes, but the products they alert
> about do. I think this type of advisory would provide the same
> information within a context that removes FreeBSD proper of having any
> connotation of holes itself. This also allows the complete removal of
> 'FreeBSD' in the subject all together.
It's difficult to say if removing it altogether is really a benefit or not. One way to look at it is that this gives FreeBSD additional coverage. If someone reads that additional coverage incorrectly then you now have an opportunity to correct them and provide additional details/info about FreeBSD.

>
> Flame on,

--
Joseph Scott
joseph.scott@owp.csus.edu
Office Of Water Programs - CSU Sacramento

From owner-freebsd-security Thu Jul 13 15:55:24 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pebkac.owp.csus.edu (pebkac.owp.csus.edu [130.86.232.245]) by hub.freebsd.org (Postfix) with ESMTP id 1E84037B849 for ; Thu, 13 Jul 2000 15:55:15 -0700 (PDT) (envelope-from joseph.scott@owp.csus.edu)
Received: from owp.csus.edu (mail.owp.csus.edu [130.86.232.247]) by pebkac.owp.csus.edu (8.9.3/8.9.3) with ESMTP id PAA70222; Thu, 13 Jul 2000 15:54:59 -0700 (PDT) (envelope-from joseph.scott@owp.csus.edu)
Message-ID: <396E482C.A41CEAFF@owp.csus.edu>
Date: Thu, 13 Jul 2000 15:52:29 -0700
From: Joseph Scott
X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.12 i386)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Dave McKay
Cc: Brett Glass , security@FreeBSD.ORG
Subject: Re: Two kinds of advisories?
References: <4.3.2.7.2.20000713120631.04d53b60@localhost> <20000713155401.A91428@elvis.mu.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dave McKay wrote:
>
> I believe I wrote in about almost this same exact question a few months
> back. Releasing all of these vulnerabilities in the name of FreeBSD has
> problems. Not all people who read mailing lists have a clue, others don't
> really READ the mail they receive. Releasing all of these third party
> vulnerability alerts when the product is not part of FreeBSD can become
> cumbersome to the average joe reading Bugtraq. He sees all of this and
> thinks, I'm not using FreeBSD, it has more bugs than a hippie's hair after
> being outside for 3 weeks.

Perhaps there is an opportunity here then. Time for someone to write an article about what the FreeBSD security team is doing, detailing why these advisories are going out, etc. Then submit it to some of the big names that PHBs read (ZDnet, etc).

My feelings are that all of these items going out to Bugtraq are a mixed blessing. Personally, I've found them useful. I suppose that means I actually read them, at least enough to determine if I'm affected by them.

> Brett Glass (brett@lariat.org) wrote:
> > I've recently added some of my clients to the Bugtraq mailing list, and
> > whenever a message goes out with a subject like "FreeBSD Ports Security
> > Advisory: ," they think it's a security hole in FreeBSD. Of course,
> > WE know it's not, but they don't understand what "FreeBSD Ports" means and
> > get the wrong idea.
> > Any ideas about how to rephrase the subject lines so
> > that people who see these messages will get the right idea without knowing
> > what the Ports Collection is? Perhaps if the name "FreeBSD" didn't come first?
> >
> > --Brett

--
Joseph Scott
joseph.scott@owp.csus.edu
Office Of Water Programs - CSU Sacramento

From owner-freebsd-security Thu Jul 13 15:58:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from neo.bleeding.com (neo.bleeding.com [209.10.61.250]) by hub.freebsd.org (Postfix) with ESMTP id 5B66E37B532 for ; Thu, 13 Jul 2000 15:58:45 -0700 (PDT) (envelope-from jjwolf@bleeding.com)
Received: from localhost (jjwolf@localhost) by neo.bleeding.com (8.9.3/8.9.3) with ESMTP id PAA38795 for ; Thu, 13 Jul 2000 15:58:35 -0700 (PDT)
Date: Thu, 13 Jul 2000 15:58:35 -0700 (PDT)
From: Justin Wolf
To: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
In-Reply-To: <396E4712.EC5888B@owp.csus.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> 1. The method that the person receives the at risk program is from
> FreeBSD. IE: I installed it from the ports collection. While the
> software itself is not developed by FreeBSD, the distribution
> method is. I imagine this is something similar to Toys'R'Us removing
> a dangerous toy from their shelves and telling the whole world about
> it. Toys'R'us didn't make the toy, but they are responsible for
> making it available to the portion of the public that shops there.

Everyone knows Toys 'R' Us doesn't make toys, so it can be assumed it's not their fault the toy was dangerous. FBSD does, however, make software. So the distinction is a little more blurred (nevermind the fact that FBSD is an OS and the ports are applications... this is a little too gray of an area for most users - I know some people who think Word is an OS).

> 2. The "why didn't I hear about this from you instead of a third
> party" case. Some people get upset if it's their uncle who tells
> them they have a security hole instead of the vendor that they got the
> OS from in the first place.

I didn't say not to send out the advisory.

> It's difficult to say if removing it altogether is really a benefit
> or not. One way to look at it is that this gives FreeBSD additional
> coverage. If someone reads that additional coverage incorrectly then
> you now have an opportunity to correct them and provide additional
> details/info about FreeBSD.

I doubt you'll find the opportunity in enough cases to make a dent. In some cases there's no such thing as bad publicity... however, when it comes to people's data, they get a little antsy.

On a side note, I like pointing out that 80% of the BugTraq mail is about Linux holes...
but it really depends on how much of a marketing snow job you want to pull.

-Justin

From owner-freebsd-security Thu Jul 13 16: 0:12 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pebkac.owp.csus.edu (pebkac.owp.csus.edu [130.86.232.245]) by hub.freebsd.org (Postfix) with ESMTP id 8B8CF37B70F; Thu, 13 Jul 2000 16:00:07 -0700 (PDT) (envelope-from joseph.scott@owp.csus.edu)
Received: from owp.csus.edu (mail.owp.csus.edu [130.86.232.247]) by pebkac.owp.csus.edu (8.9.3/8.9.3) with ESMTP id QAA70282; Thu, 13 Jul 2000 16:00:06 -0700 (PDT) (envelope-from joseph.scott@owp.csus.edu)
Message-ID: <396E4960.B9D9B9AA@owp.csus.edu>
Date: Thu, 13 Jul 2000 15:57:36 -0700
From: Joseph Scott
X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.12 i386)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Bengt Richter
Cc: Robert Watson , security@FreeBSD.ORG
Subject: Re: Two kinds of advisories?
References: <4.3.2.7.2.20000713132400.04b73af0@localhost> <3.0.5.32.20000713141242.0093fbc0@mail.accessone.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bengt Richter wrote:
> (1) How about some simple categorization in the subject line, e.g.,
> Subject: FreeBSD Ports(SysUtil) Security Advisory: FreeBSD-SA-00:29.wu-ftpd
> vs
> Subject: FreeBSD Ports(Game) Security Advisory: FreeBSD-SA-...some-game
> etc.

I think this idea has some possibilities. I think this would be helpful for a wider range of people than just the unclued.

> (2) Also, perhaps s/Ports/Optional Port/ to reinforce the idea that ports
> are not a part of FreeBSD per se (and that a particular advisory is talking
> about a particular port in the singular), for the panic-prone folks described,
> who don't get to the disclaimer etc. before it's too late.

This idea also has some merit. The concern would be the length of the subject, making it too big will defeat the purpose.

> (3) If you want to get fancy, add tagged lines in the advisory itself tailored
> for automatic extraction and (safe :) use in facilitating scripted
> verification
> of whether the receiving system had the vulnerable software installed,
> or had the problem patched and fixed. With system log entry, and optional
> email emitted about the check performed. Seems like an SA-Evaluation daemon
> job,
> acting on emails filtered to it.

This would be even more interesting, although more of a separate discussion than just what to do to make the subject line more helpful.
--
Joseph Scott
joseph.scott@owp.csus.edu
Office Of Water Programs - CSU Sacramento

From owner-freebsd-security Thu Jul 13 16: 5: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.osd.bsdi.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 0A8D737B8D1 for ; Thu, 13 Jul 2000 16:05:02 -0700 (PDT) (envelope-from jkh@zippy.osd.bsdi.com)
Received: from localhost (jkh@localhost [127.0.0.1]) by zippy.osd.bsdi.com (8.9.3/8.9.3) with ESMTP id QAA02756; Thu, 13 Jul 2000 16:05:51 -0700 (PDT) (envelope-from jkh@zippy.osd.bsdi.com)
To: Justin Wolf
Cc: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
In-reply-to: Your message of "Thu, 13 Jul 2000 15:58:35 PDT."
Date: Thu, 13 Jul 2000 16:05:51 -0700
Message-ID: <2753.963529551@localhost>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This whole thread is giving me carpal tunnel syndrome. Is Brett really the focus of 90% of our mailing list traffic these days or does it just seem that way? That would seem to make him either someone with really important things to say or someone who simply nitpicks minutiae to the point of physical pain.

My fingers hurt.

- Jordan

From owner-freebsd-security Thu Jul 13 16: 9:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id D15EC37B8D1; Thu, 13 Jul 2000 16:09:46 -0700 (PDT) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id TAA416722; Thu, 13 Jul 2000 19:09:45 -0400
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
Message-Id:
In-Reply-To:
References:
Date: Thu, 13 Jul 2000 19:10:46 -0400
To: Kris Kennaway
From: Garance A Drosihn
Subject: Re: Displacement of Blame[tm]
Cc: Justin Wolf , security@FreeBSD.org
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 2:48 PM -0700 7/13/00, Kris Kennaway wrote:
>On Thu, 13 Jul 2000, Garance A Drosihn wrote:
>
> > (also note that I do think that the recent addition of the
> > word "Ports" to the subject line may be enough to address
> > these concerns)
>
>I think it's amusing that these concerns only came up *after* I
>made the change to try and address the very issue they now raise.

Well, actually, I remember being concerned about this back when we decided to be more serious about security advisories. I tried to say something at the time, but I think people were so tired of the debate of WHETHER to do advisories that I don't think anyone wanted another debate of what exact format the subjects should be in.

---
Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu
Senior Systems Programmer or drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Thu Jul 13 16:16:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from neo.bleeding.com (neo.bleeding.com [209.10.61.250]) by hub.freebsd.org (Postfix) with ESMTP id EF1DD37B628 for ; Thu, 13 Jul 2000 16:16:35 -0700 (PDT) (envelope-from jjwolf@bleeding.com)
Received: from localhost (jjwolf@localhost) by neo.bleeding.com (8.9.3/8.9.3) with ESMTP id QAA38873 for ; Thu, 13 Jul 2000 16:16:35 -0700 (PDT)
Date: Thu, 13 Jul 2000 16:16:35 -0700 (PDT)
From: Justin Wolf
To: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> tried to say something at the time, but I think people were so
> tired of the debate of WHETHER to do advisories that I don't
> think anyone wanted another debate of what exact format the
> subjects should be in.

sounds like a good job for a sub-committee, but i digress...

On the topic of subject lines: They're getting too long. I only see the first 40 characters of a subject anyway, so making it 100 characters long just to avoid any confusion on subject alone also doesn't work. I think as long as it contains the words "FreeBSD", "ports", and "[port-name]" somewhere in the header, we're fine. Adding words (i.e., "Security Advisory") and numbers (i.e., bug tracking information) aside from that should go after the important things so those of us with little brains and smaller terms can still get the message without having to read the body.

As for abbreviations in the subject, if we can't get people to understand the message, how is abbreviating something to 'SA' going to help matters?

-justin

From owner-freebsd-security Thu Jul 13 16:16:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from camel.ethereal.net (camel.ethereal.net [216.200.22.209]) by hub.freebsd.org (Postfix) with ESMTP id E61B537B602 for ; Thu, 13 Jul 2000 16:16:34 -0700 (PDT) (envelope-from jkb@camel.ethereal.net)
Received: (from jkb@localhost) by camel.ethereal.net (8.10.0.Beta10/8.10.0.Beta10) id e6DNGCk21573 for security@FreeBSD.ORG; Thu, 13 Jul 2000 16:16:12 -0700 (PDT)
Date: Thu, 13 Jul 2000 16:16:12 -0700
From: Jan Koum
To: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
Message-ID: <20000713161612.D59932@ethereal.net>
References: <2753.963529551@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.1i
In-Reply-To: <2753.963529551@localhost>; from jkh@zippy.osd.bsdi.com on Thu, Jul 13, 2000 at 04:05:51PM -0700
X-Operating-System: FreeBSD camel.ethereal.net 3.4-RELEASE FreeBSD 3.4-RELEASE
X-Unix-Uptime: 5:09PM up 3 days, 9:58, 38 users, load averages: 3.31, 3.50, 3.48
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

i have to agree with jkh here. my mail box is not shrinking and if people are dumb enough not to make a distinction between freebsd kernel and xjigsaw port, nothing we do will help them. not even sending them a 6 pack of clue with fedex overnight express delivery.

on top of that, brett does not realize how much effort and work kris and warner put into making ports advisories already. instead of saying thanks, you ask for more!

this thread must die.

On Thu, Jul 13, 2000 at 04:05:51PM -0700, "Jordan K. Hubbard" wrote:
> This whole thread is giving me carpal tunnel syndrome. Is Brett
> really the focus of 90% of our mailing list traffic these days or does
> it just seem that way? That would seem to make him either someone
> with really important things to say or someone who simply nitpicks
> minutiae to the point of physical pain.
>
> My fingers hurt.
>
> - Jordan

From owner-freebsd-security Thu Jul 13 16:19:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id CAFC537B602 for ; Thu, 13 Jul 2000 16:19:11 -0700 (PDT) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id TAA60142; Thu, 13 Jul 2000 19:19:09 -0400
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
Message-Id:
In-Reply-To:
References:
Date: Thu, 13 Jul 2000 19:20:12 -0400
To: Justin Wolf
From: Garance A Drosihn Subject: Re: Displacement of Blame[tm] Cc: security@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 2:59 PM -0700 7/13/00, Justin Wolf wrote: > > Because we are trying to provide a service to FreeBSD users. > >Then send it to freebsd-security. Any emails sent to non-FreeBSD >lists could still omit the FreeBSD bit from the header. That was the earlier debate. That debate had been settled, and we do want to provide this service, and the bugtraq list is a reasonable place to do it, and the subject should say something about freebsd in it if it has to do with anything installed via the freebsd ports collection. I really don't want to rehash THAT debate. I wouldn't mind a little brain-storming to see if we can come up with a better format for the subjects, but I don't want to start back at square one and debate every aspect of this all over again. In fact, the main reason I haven't wanted to ask about the format of subjects was because I was afraid we WOULD end up debating the entire topic all over again. That's just my opinion, of course. --- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or drosih@rpi.edu Rensselaer Polytechnic Institute From owner-freebsd-security Thu Jul 13 16:51:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 5C74937B827 for ; Thu, 13 Jul 2000 16:49:42 -0700 (PDT) (envelope-from matt@ARPA.MAIL.NET) Received: (qmail 68801 invoked by uid 1000); 13 Jul 2000 23:44:38 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 13 Jul 2000 23:44:38 -0000 Date: Thu, 13 Jul 2000 19:44:27 -0400 (EDT) 
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Garance A Drosihn Cc: Justin Wolf , security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 13 Jul 2000, Garance A Drosihn wrote: ... : I really don't want to rehash THAT debate. I wouldn't mind a little : brain-storming to see if we can come up with a better format for the : subjects, but I don't want to start back at square one and debate : every aspect of this all over again. In fact, the main reason I : haven't wanted to ask about the format of subjects was because I was : afraid we WOULD end up debating the entire topic all over again. I don't think the debate is really about whether we should do advisories or not, I think all would agree that advisories are good. The question is how to hammer it into the general public's heads that it's not a FreeBSD hole per se? Take this wu-ftpd exploit, it's hit just about everyone, and what two names do I see beyond anything else? RedHat & FreeBSD. As if no one else was affected by it. I realize it's most likely a losing battle to try to change that kind of mentality, but I can't help being somewhat bothered by it. I guess it's doubtful that changing the subjects would fix anything, though I do think it could use a little work, per my last mail. I sometimes wonder if making the field that says "FreeBSD specific: [YES|NO]" a little more prominent wouldn't hurt... Personally, I love advisories about ports, keeps me from accidentally missing some exploit that I hit 'D' too quickly over when topic-scanning, and in several cases, various environment modifications have rendered the exploit unusable on FreeBSD. That's great! 
Though, I wonder why we send FreeBSD-Port specific advisories out to a forum like bugtraq, where the non-FreeBSD users will say "Huh? Port?" or "FreeBSD root!" - I would hope that those who use FreeBSD track -security? Or more to the point, why would a FreeBSD user track a list like bugtraq but NOT -security? It's almost like saying "I care about general security, but who cares about the security of the OS I use". Now, since I'm sure someone else will do it, I'll debunk myself by replying, "Well, they could simply know that all FreeBSD advisories will end up on bugtraq, so there is no need for the extra -security traffic". I suppose that would work for some, but it doesn't work for me. Just an opinion though. I have my views on how they should look and be handled, but I think this is a no-win situation for all involved that will just end up making Jordan's fingers hurt more. : --- : Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu : Senior Systems Programmer or drosih@rpi.edu : Rensselaer Polytechnic Institute * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE5blRcdMMtMcA1U5ARAtU9AJ4jRRfq+4hizfoLc1++akiQ7OEbvwCbBRFd FyDaNF4DV6XQix08EVl/qFI= =ahxN -----END PGP SIGNATURE----- From owner-freebsd-security Thu Jul 13 16:53:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from beast.daemontech.com (beast.daemontech.com [208.138.46.45]) by hub.freebsd.org (Postfix) with SMTP id 5713737BAF7 for ; Thu, 13 Jul 2000 16:53:31 -0700 (PDT) (envelope-from nicole@daemontech.com) Received: (qmail 83425 invoked by uid 200); 13 Jul 2000 23:53:30 -0000 Received: from xwin.nmhtech.com (208.138.46.10) by beast.daemontech.com with SMTP; 13 Jul 2000 23:53:30 -0000 
Content-Length: 2257 Message-ID: X-Mailer: XFMail 1.4.0 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <20000713161612.D59932@ethereal.net> Date: Thu, 13 Jul 2000 16:53:30 -0700 (PDT) Organization: Daemon Technologies 
From: Nicole Harrington To: Jan Koum Subject: Re: Displacement of Blame[tm] - NOT Cc: security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 13-Jul-00 Jan Koum did Say'th via email: > > i have to agree with jkh here. my mail box is not shrinking and if people > are dumb enough not to make a distinction between freebsd kernel and > xjigsaw port, nothing we do will help them. not even sending them a 6 pack > of clue with fedex overnight express delivery. > Yes but Brett is not talking about people... he is talking about Management :) INMHO when a security advisory comes out for wuftpd/popper what have you.. It should be just that. An advisory for That Program. It is coming via the FreeBSD security list, thus it Must have something to do with BSD. Besides I don't care if it is a FreeBSD port, I appreciate hearing about a flaw in X and it is my job to see/know if it applies to me. I am sure that many of us work in multiple OS shops where "port" flaws apply across the board. Besides "Advisory: WUFTPD Buffer overflow Warning" is much shorter in the subject line :) I am amazed at how many Linux people I have met where I talk about how much more secure FreeBSD is and they say " I don't agree, I am always seeing security advisories for FreeBSD" > on top of that, brett does not realize how much effort and work kris and > warner put into making ports advisories already. instead of saying thanks, you ask for more! > I really appreciate the work they do, and I know others do too. Unfortunately it is often a thankless job. Who knows how many hacking attempts that were not successful because of their work! Nicole > this thread must die. > > > On Thu, Jul 13, 2000 at 04:05:51PM -0700, "Jordan K. Hubbard" > wrote: >> This whole thread is giving me carpal tunnel syndrome. Is Brett >> really the focus of 90% of our mailing list traffic these days or does >> it just seem that way? 
That would seem to make him either someone >> with really important things to say or someone who simply nitpicks >> minutiae to the point of physical pain. >> >> My fingers hurt. >> >> - Jordan From owner-freebsd-security Thu Jul 13 17: 1:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 3217A37B6E6 for ; Thu, 13 Jul 2000 17:01:08 -0700 (PDT) (envelope-from matt@ARPA.MAIL.NET) Received: (qmail 68889 invoked by uid 1000); 14 Jul 2000 00:01:07 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 14 Jul 2000 00:01:07 -0000 Date: Thu, 13 Jul 2000 20:01:06 -0400 (EDT) 
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Jan Koum Cc: security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] In-Reply-To: <20000713161612.D59932@ethereal.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 13 Jul 2000, Jan Koum wrote: ... : on top of that, brett does not realize how much effort and work kris : and warner put into making ports advisories already. instead of saying : thanks, you ask for more! This is NOT how I wanted to come across[1]. Believe me, I[2] appreciate very much that there are ports advisories, it saves me a lot of time not having to filter through bugtraq every morning to find "critical" e-mail, which of course all FreeBSD security mail goes to. So, yes: Thank you Kris and Warner, formatting aside, your work helps save a lot of my time, and for that I'm grateful. While we may disagree about formats and forums, the attention to detail and extending your responsibility to programs outside of FreeBSD control is just one of the many reasons I love this OS. : this thread must die. 
* Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE5blhDdMMtMcA1U5ARAo/9AKCmAUv0RcoHpakILh5Qgr0OsSdJ9ACfZ8ME ad0Txp3eFZZMIXQix42IbfY= =yKdv -----END PGP SIGNATURE----- From owner-freebsd-security Thu Jul 13 17: 2:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 3B5E937B812 for ; Thu, 13 Jul 2000 17:02:43 -0700 (PDT) (envelope-from matt@ARPA.MAIL.NET) Received: (qmail 68906 invoked by uid 1000); 14 Jul 2000 00:02:42 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 14 Jul 2000 00:02:42 -0000 Date: Thu, 13 Jul 2000 20:02:41 -0400 (EDT) 
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Jan Koum Cc: security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 13 Jul 2000, Matt Heckaman wrote: : This is NOT how I wanted to come across[1]. Believe me, I[2] appreciate ... *sigh* two emails on different terminals and I hit send on the wrong one before I'm done with it. Anyhow: [1] I know you said "Brett" but it was a reasonable assumption that you also included anyone who participated. [2] I speak for myself, and only myself. I do not claim to know the minds and hearts of others, yet. * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE5bliidMMtMcA1U5ARAsHuAJwLB+QB2pZC5WV8v7VXlb9JzYI6dgCfcIBf NxtJZfVgFbmjvZjz0AZka+A= =jHLu -----END PGP SIGNATURE----- From owner-freebsd-security Thu Jul 13 17: 5: 5 2000 Delivered-To: freebsd-security@freebsd.org Received: from srh0902.urh.uiuc.edu (srh0902.urh.uiuc.edu [130.126.76.224]) by hub.freebsd.org (Postfix) with SMTP id E060D37BA30 for ; Thu, 13 Jul 2000 17:04:58 -0700 (PDT) (envelope-from ftobin@uiuc.edu) Received: (qmail 62455 invoked by uid 1000); 14 Jul 2000 00:04:57 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 14 Jul 2000 00:04:57 -0000 Date: Thu, 13 Jul 2000 19:04:42 -0500 (CDT) 
From: Frank Tobin X-Sender: ftobin@srh0902.urh.uiuc.edu To: security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kris Kennaway, at 13:44 -0700 on Thu, 13 Jul 2000, wrote: > "Ports" is already in the subject. If someone doesn't know what "Ports" > means, how will changing the advisory numbering make any difference? Because management won't know what "Ports" means, but will make decisions about the use of FreeBSD irregardless of whether the advisory is really for FreeBSD. - -- Frank Tobin http://www.uiuc.edu/~ftobin/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.2 (FreeBSD) Comment: pgpenvelope 2.8.9 - http://pgpenvelope.sourceforge.net/ iEYEARECAAYFAjluWSgACgkQVv/RCiYMT6MjKACePjuptQtrnbs4kbOoMwjjYHlC ch0AoIhaO6ntmXcgrSmaTrrsvwe2Bx71 =I13e -----END PGP SIGNATURE----- From owner-freebsd-security Thu Jul 13 17:18:10 2000 Delivered-To: freebsd-security@freebsd.org Received: from ixori.demon.nl (ixori.demon.nl [195.11.248.5]) by hub.freebsd.org (Postfix) with ESMTP id DB67937B901 for ; Thu, 13 Jul 2000 17:18:06 -0700 (PDT) (envelope-from bart@ixori.demon.nl) Received: from smtp-relay by ixori.demon.nl (8.9.3/8.9.2) with ESMTP id CAA07147; Fri, 14 Jul 2000 02:22:32 +0200 (CEST) (envelope-from bart@ixori.demon.nl) Received: from network (intranet) by smtp-relay (Bart's intranet smtp server) Date: Fri, 14 Jul 2000 02:22:26 +0200 (CEST) 
From: Bart van Leeuwen To: Matt Heckaman Cc: Garance A Drosihn , Justin Wolf , security@freebsd.org Subject: Re: Displacement of Blame[tm] In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Well... I understand some of the issues brought up... the wu-ftpd issue for example however is one that can work 2 ways. I can tell my customer that there is a problem with wu-ftpd, and they'll notice that one of the few OSes who actually send an advisory about it is FreeBSD. This might make them question the security policies of other OSes, and in some cases it does. A little education and explanation can easily turn this into an advantage instead of a disadvantage. Yes, FreeBSD does have a lot of security advisories, but look, those go far beyond the core system, and they mention things that should be mentioned by others as well... while those others do not mention those things. It's a matter of trust, and I can explain to almost all of my customers that a distributor who actually publishes such information is far better than one that does not. Imho it needs to be clear that the problems mentioned in such advisories apply to more systems than just FreeBSD. Maybe it would be nice to add the word multivendor to the subject line, this will most likely give customers a better idea what the advisory is about. 
Bart van Leeuwen ----------------------------------------------------------- mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/ ----------------------------------------------------------- From owner-freebsd-security Thu Jul 13 18:12:18 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id A600C37BB06 for ; Thu, 13 Jul 2000 18:12:15 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id TAA00338; Thu, 13 Jul 2000 19:12:01 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713190150.04b9fc80@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 19:11:57 -0600 To: "Jordan K. Hubbard" 
From: Brett Glass Subject: Re: Displacement of Blame[tm] Cc: security@FreeBSD.ORG In-Reply-To: <2753.963529551@localhost> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Jordan: I can't help it if I bring up thought-provoking (or discussion-provoking) topics. Those just happen to be the kinds of things I'm interested in. (Hopefully, this will prove to make me a good organizer for the conference next week.) I realize that it requires an asbestos suit to bring up some topics, and that some people who don't like online brainstorming or vigorous debate may tune out (PHK and DES are two unfortunate examples of people who have associated me with such things and therefore have blocked me personally). It's sad, but hey -- they're free to filter what they read as they see fit. Discussion is always important, and there should be more of it in the various BSD communities. (Witness the paucity of discussion on Daemon News.... Sigh.) Not flamage, but good discussion. The issue at hand here could really have an effect on FreeBSD's reputation for security, so I hope you'll agree that this thread is worthwhile. --Brett At 05:05 PM 7/13/2000, Jordan K. Hubbard wrote: >This whole thread is giving me carpal tunnel syndrome. Is Brett >really the focus of 90% of our mailing list traffic these days or does >it just seem that way? That would seem to make him either someone >with really important things to say or someone who simply nitpicks >minutiae to the point of physical pain. > >My fingers hurt. 
> >- Jordan From owner-freebsd-security Thu Jul 13 18:17:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id C530437B7EC; Thu, 13 Jul 2000 18:17:13 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id TAA00365; Thu, 13 Jul 2000 19:17:05 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713191253.04ba03e0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 19:15:20 -0600 To: Jan Koum , security@FreeBSD.ORG 
From: Brett Glass Subject: Re: Displacement of Blame[tm] Cc: Warner Losh , Kris Kennaway In-Reply-To: <20000713161612.D59932@ethereal.net> References: <2753.963529551@localhost> <2753.963529551@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 05:16 PM 7/13/2000, Jan Koum wrote: >i have to agree with jkh here. my mail box is not shrinking and if people >are dumb enough not to make a distinction between freebsd kernel and >xjigsaw port, nothing we do will help them. not even sending them a 6 pack >of clue with fedex overnight express delivery. Let's be fair. They're not idiots, and I think we can help them (and ourselves) at least a little. At the very least, we should make sure that people who try to count bugs automatically by monitoring Bugtraq posts do not attribute bugs in ported software to FreeBSD. >on top of that, brett does not realize how much effort and work kris and warner >put into making ports advisories already. instead of saying thanks, you ask for >more! Actually, if I haven't said thanks to them loud enough, I'll do so now: THANK YOU! But let's also make sure that the messages have the best possible effect. 
--Brett From owner-freebsd-security Thu Jul 13 18:17:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id DBE0937B60B for ; Thu, 13 Jul 2000 18:17:18 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id TAA00368; Thu, 13 Jul 2000 19:17:08 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713191546.04ba5100@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 19:17:01 -0600 To: Justin Wolf , security@FreeBSD.ORG 
From: Brett Glass Subject: Re: Displacement of Blame[tm] In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 05:16 PM 7/13/2000, Justin Wolf wrote: >On the topic of subject lines: They're getting too long. I only see the >first 40 characters of a subject anyway, so making it 100 characters long >just to avoid any confusion on subject alone also doesn't work. I think >as long as it contains the words "FreeBSD", "ports", and "[port-name]" >somewhere in the header, we're fine. Should it say FreeBSD, or something like FBST (FreeBSD Security Team) so that it's not mistakenly counted as a bug in FreeBSD itself? --Brett From owner-freebsd-security Thu Jul 13 18:42:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 9970E37B7EC; Thu, 13 Jul 2000 18:42:22 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id SAA15914; Thu, 13 Jul 2000 18:42:22 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 13 Jul 2000 18:42:22 -0700 (PDT) 
From: Kris Kennaway To: Frank Tobin Cc: security@FreeBSD.ORG Subject: Re: Two kinds of advisories? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Frank Tobin wrote: > Kris Kennaway, at 13:44 -0700 on Thu, 13 Jul 2000, wrote: > > > "Ports" is already in the subject. If someone doesn't know what "Ports" > > means, how will changing the advisory numbering make any difference? > > Because management won't know what "Ports" means, but will make decisions > about the use of FreeBSD irregardless of whether the advisory is really > for FreeBSD. Turn this to your advantage: we acknowledge and fix our security bugs in public, and those in software we ship, regardless of how embarrassing they may be, because we care about the security of our users. The majority of these holes are also present in other OSes, many of whom do not bother to acknowledge them (as) publicly. This is already apparent from the "FreeBSD only: NO" in most of the 33 advisories this year, but it's not professional to name the other platforms explicitly (besides the fact that we can't always be sure, as I learned once the hard way when I overestimated the severity of a NetBSD vulnerability). In other words, this is an advocacy issue, not one which can be magically fixed by cramming more into the subject line of advisories. I'm not one to blow my own horn, but it's the kind of thing which might make a good article or two to get this point across to the world and provide something to point to when people make that claim. As long as I'm the one writing these advisories I'm not going to do anything to make them less visible to the wider community - I want it to be known that a) FreeBSD fixes its security vulnerabilities and tells people when we do, and b) there is an awful lot of bad code out there which hurts *EVERYONE*, not just FreeBSD. 
I see myself as providing a service to a larger community than just FreeBSD users here precisely because these advisories are widely distributed, and (compared to what other vendors produce) more informative - in fact I've gotten feedback from people who don't even use FreeBSD who have been impressed by this. I am trying to build FreeBSD's reputation as an OS which takes security damn seriously, and so far I think I've had at least moderate success. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe From owner-freebsd-security Thu Jul 13 18:50:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (Postfix) with ESMTP id BCBB037BB0A; Thu, 13 Jul 2000 18:50:39 -0700 (PDT) (envelope-from akm@mail.theinternet.com.au) Received: (from akm@localhost) by mail.theinternet.com.au (8.9.3/8.9.3) id LAA73346; Fri, 14 Jul 2000 11:47:28 +1000 (EST) (envelope-from akm) 
From: Andrew Kenneth Milton Message-Id: <200007140147.LAA73346@mail.theinternet.com.au> Subject: Re: Displacement of Blame[tm] In-Reply-To: <4.3.2.7.2.20000713191253.04ba03e0@localhost> from Brett Glass at "Jul 13, 2000 07:15:20 pm" To: Brett Glass Date: Fri, 14 Jul 2000 11:47:28 +1000 (EST) Cc: Jan Koum , security@FreeBSD.ORG, Warner Losh , Kris Kennaway X-Mailer: ELM [version 2.4ME+ PL68 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org +----[ Brett Glass ]--------------------------------------------- | At 05:16 PM 7/13/2000, Jan Koum wrote: | | >i have to agree with jkh here. my mail box is not shrinking and if people | >are dumb enough not to make a distinction between freebsd kernel and | >xjigsaw port, nothing we do will help them. not even sending them a 6 pack | >of clue with fedex overnight express delivery. | | Let's be fair. They're not idiots, and I think we can help them (and ourselves) | at least a little. At the very least, we should make sure that people who | try to count bugs automatically by monitoring Bugtraq posts do not attribute | bugs in ported software to FreeBSD. If they're not idiots then the distinction between FreeBSD and third party products should be obvious. I see little value in simply counting bugs, for counting's sake. There are other people more qualified to do that, because they can make the distinction that your 'clients' obviously cannot, or cannot be bothered to. If on the other hand they are monitoring the bugs because they want to do something about them, they should actually be reading the content. Perhaps they should take the time to understand what they're monitoring, or you should take the time to explain it to them, since you subscribed them to BugTRAQ in the first place. 
-- Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew Milton The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au| From owner-freebsd-security Thu Jul 13 19:58:29 2000 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 13CE037BC8C for ; Thu, 13 Jul 2000 19:58:25 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id VAA27015; Thu, 13 Jul 2000 21:58:20 -0500 (CDT) (envelope-from jeff-ml@mountin.net) Received: from dial-91.max1.wa.cyberlynk.net(207.227.118.91) by peak.mountin.net via smap (V1.3) id sma027013; Thu Jul 13 21:58:00 2000 Message-Id: <4.3.2.20000713210451.00cf81c0@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Version 4.3 Date: Thu, 13 Jul 2000 21:57:15 -0500 To: Brett Glass , "Jordan K. Hubbard" 
From: "Jeffrey J. Mountin" Subject: Re: Displacement of Blame[tm] Cc: security@FreeBSD.ORG In-Reply-To: <4.3.2.7.2.20000713190150.04b9fc80@localhost> References: <2753.963529551@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 07:11 PM 7/13/00 -0600, Brett Glass wrote: >Jordan: > >I can't help it if I bring up thought-provoking (or discussion-provoking) >topics. Those just happen to be the kinds of things I'm interested >in. (Hopefully, this will prove to make me a good organizer for the >conference next week.) I realize that it requires an asbestos suit to >bring up some topics, and that some people who don't like online >brainstorming or vigorous debate may tune out (PHK and DES are two >unfortunate examples of people who have associated me with such things >and therefore have blocked me personally). It's sad, but hey -- they're >free to filter what they read as they see fit. Controversial would be a better term or maybe sensitive. In this case we are talking more about *your* clients and *their* lack of education. In my eyes that is your problem. Perhaps you should explain that the keyword "Ports" means the problem is not FreeBSD specific *and* the port may not be installed in the first place. Then they should learn how to view the list of installed ports. For other advisories that *are* in fact (potential) holes in the OS itself, there may be no reason to do other than say "Oh, OK, but that service is not in use." Frankly I don't understand why one would subscribe their customers to a list for which they, obviously, are not qualified to evaluate and isn't the quality of their systems what they pay you for. It's almost like you want them to 2nd guess you. >Discussion is always important, and there should be more of it in the >various BSD communities. (Witness the paucity of discussion on Daemon >News.... Sigh.) 
Not flamage, but good discussion. > >The issue at hand here could really have an effect on FreeBSD's reputation >for security, so I hope you'll agree that this thread is worthwhile. In part I agree about the reputation, but if they don't read the complete advisory. What's the use? How in the hell are we going to improve (l)users reading and, more importantly, comprehension skills. THIS has always been an issue for docs and mailing lists. Perhaps in your case you should send out a message or better yet, two messages. One letting them know of this "potential problem" and another to let a client know that you need to upgrade/change to fix a possible security issue. The second is by far a better "value added service" for the clients. Think about a web page or something as well. Also consider charging them for your (wasted) time. As other mention, it will do wonders to reduce the number of "Chicken Little" calls. I'd almost imagine that they call asking or telling about the latest WinBloze virus, which I've strongly discouraged for many years. Hopefully I didn't flame you too bad, but this kind of thread seems to bring everyone out with a different opinion and endless discussion that goes absolutely nowhere. Tends to irk me more on -security than anything. Can't recall if it was mentioned by perhaps a very small change in the subject line: FreeBSD Ports Security Advisory . to Port(s) Security Advisory (FreeBSD) . Note: Even though it is a single port, perhaps keeping it plural will help those that are dumb as a rock to understand that it still is part of the "ports collection." When doing a simple subject sort this means the OS based advisories are not mixed in with the ports. Certainly then the (l)user may not either know how to sort or use a client that can sort. Not to throw another log on the fire... 
Some of the advisories for the "OS" are really 3rd party software, so the argument with some that since FreeBSD makes changes with the port, however minor, and we alone may be responsible, then the changes made to 3rd party software in src/contrib show that any FreeBSD specific advisory (even if before or after another advisory CERT, BugTraq, or other). How do we glorify these. Is the goal to absolve FreeBSD of blame or what? Sorry, but the allusion to this and the subject get my goat, since too many people don't have the balls to take responsibility and finger-pointing is a way of life for many. Thus my change makes it sound like "ports" is another entity, but in fact FreeBSD is taking the time and effort to find and fix problems with 3rd party software when it runs on FreeBSD. It's all a matter of perception and we all know the public is fickle when it comes to PR. Better stop, somehow touched a nerve and sent me off on a rant. Didn't want to add to the static that blossomed on the list in the past few hours, but what the hell. Maybe FreeBSD/BSDi needs a copy editor, but then we might end up with some watered-down drivel that points elsewhere and then moves focus away from the fact that FreeBSD should take credit for working on problems with 3rd party software. Brett, I think you should take a moment and explain this to your clients and sell it as the best thing since sliced bread and one of the reasons for choosing an open source OS, along with the other merits. All that rant aside the addition of "Ports" to the subject was not without notice by me, but then I tend to look at all of them, even if it's for programs that I have not and may never use. The increased number of advisories should also be encouraging. Of course then some will say FreeBSD has more advisories than brand "X" does. One can always then use M$ as an example of how damaging silence can be.
Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve From owner-freebsd-security Thu Jul 13 20: 7:26 2000 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 82F6437BB45 for ; Thu, 13 Jul 2000 20:07:23 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 8E31E1C6E; Thu, 13 Jul 2000 23:07:22 -0400 (EDT) Date: Thu, 13 Jul 2000 23:07:22 -0400
From: Bill Fumerola To: "Jeffrey J. Mountin" Cc: Brett Glass , "Jordan K. Hubbard" , security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] Message-ID: <20000713230722.M4034@jade.chc-chimes.com> References: <2753.963529551@localhost> <4.3.2.7.2.20000713190150.04b9fc80@localhost> <4.3.2.20000713210451.00cf81c0@207.227.119.2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <4.3.2.20000713210451.00cf81c0@207.227.119.2>; from jeff-ml@mountin.net on Thu, Jul 13, 2000 at 09:57:15PM -0500 X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jul 13, 2000 at 09:57:15PM -0500, Jeffrey J. Mountin wrote: > >I can't help it if I bring up thought-provoking (or discussion-provoking) > >topics. Those just happen to be the kinds of things I'm interested > >in. (Hopefully, this will prove to make me a good organizer for the > >conference next week.) I realize that it requires an asbestos suit to > >bring up some topics, and that some people who don't like online > >brainstorming or vigorous debate may tune out (PHK and DES are two > >unfortunate examples of people who have associated me with such things > >and therefore have blocked me personally). It's sad, but hey -- they're > >free to filter what they read as they see fit. > > Controversial would be a better term or maybe sensitive. Bikeshed, useless, time wasting, inane all come to mind. Brett, you're not the martyr you think you are. Don't be a hero. 
-- Bill Fumerola - Network Architect / Computer Horizons Corp - CHIMES e-mail: billf@chimesnet.com / billf@FreeBSD.org From owner-freebsd-security Thu Jul 13 20:25:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id CA07537BD35 for ; Thu, 13 Jul 2000 20:25:32 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id VAA01263; Thu, 13 Jul 2000 21:25:19 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713211759.0585de60@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 21:25:15 -0600 To: "Jeffrey J. Mountin" , "Jordan K. Hubbard"
From: Brett Glass Subject: Re: Displacement of Blame[tm] Cc: security@FreeBSD.ORG In-Reply-To: <4.3.2.20000713210451.00cf81c0@207.227.119.2> References: <4.3.2.7.2.20000713190150.04b9fc80@localhost> <2753.963529551@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 08:57 PM 7/13/2000, Jeffrey J. Mountin wrote: >In this case we are talking more about *your* clients and *their* >lack of education. Well, that's why they hire me; because they don't want to have to be extremely knowledgeable about computers! They're doctors and lawyers, among other things, and Heaven knows there's enough going on in their own fields to keep them busy. >Frankly I don't understand why one would subscribe their customers >to a list for which they, obviously, are not qualified to evaluate For the same reason you might read a magazine that covers medical issues and occasionally call up your doctor to ask, "Is this something I should worry about?" >>The issue at hand here could really have an effect on FreeBSD's reputation >>for security, so I hope you'll agree that this thread is worthwhile. > >In part I agree about the reputation, but if they don't read the complete advisory. What's the use? The use is that the skimmers will get a more accurate impression from their skimming. >Also consider charging them for your (wasted) time. I do. But they still have doubts, deep down, about the security of FreeBSD after seeing all of these advisories which look like they MIGHT be FreeBSD holes. >Hopefully I didn't flame you too bad, but this kind of thread seems to bring everyone out with a different opinion and endless discussion that goes absolutely nowhere. Tends to irk me more on -security than anything. I never expected it to go on so long, actually. I figured that there would be relatively quick consensus on a better format for the subject line. So far, we've seen some good suggestions!
>Can't recall if it was mentioned by perhaps a very small change in the subject line: > >FreeBSD Ports Security Advisory . > >to > >Port(s) Security Advisory (FreeBSD) . Yes, I like this. However, I'd put the name of the port FIRST, so it looked more like: Security Advisory (From FreeBSD Security Team) A little longer, but it's clearer. --Brett From owner-freebsd-security Thu Jul 13 20:28: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 19ACB37BD21 for ; Thu, 13 Jul 2000 20:28:03 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id VAA01285; Thu, 13 Jul 2000 21:27:52 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713212558.05859920@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 21:27:48 -0600 To: Bill Fumerola , "Jeffrey J. Mountin"
From: Brett Glass Subject: Re: Displacement of Blame[tm] Cc: "Jordan K. Hubbard" , security@FreeBSD.ORG In-Reply-To: <20000713230722.M4034@jade.chc-chimes.com> References: <4.3.2.20000713210451.00cf81c0@207.227.119.2> <2753.963529551@localhost> <4.3.2.7.2.20000713190150.04b9fc80@localhost> <4.3.2.20000713210451.00cf81c0@207.227.119.2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 09:07 PM 7/13/2000, Bill Fumerola wrote: >Brett, you're not the martyr you think you are. I never claimed to be a martyr. That's Stallman's job. I'm an idea person. --Brett From owner-freebsd-security Thu Jul 13 20:31:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id D48B937BC7B; Thu, 13 Jul 2000 20:31:52 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id UAA27606; Thu, 13 Jul 2000 20:31:52 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 13 Jul 2000 20:31:52 -0700 (PDT)
From: Kris Kennaway To: Brett Glass Cc: "Jeffrey J. Mountin" , "Jordan K. Hubbard" , security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] In-Reply-To: <4.3.2.7.2.20000713211759.0585de60@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Brett Glass wrote: > Yes, I like this. However, I'd put the name of the port FIRST, so it > looked more like: > > Security Advisory (From FreeBSD Security Team) > > A little longer, but it's clearer. As per your usual tactic, you have completely ignored my earlier message to you deconstructing this exact suggestion (well, except for the "From FreeBSD Security Team", which is just moronic since that's what "From:" headers in mail are for). Therefore I assume you are just wasting mine and everyone else's time here, and will not reply to any further mails from you about this matter. Thankyou for playing, goodnight! Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe From owner-freebsd-security Thu Jul 13 20:38: 0 2000 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 9FE0A37B7FE for ; Thu, 13 Jul 2000 20:37:57 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id ED43A1C6E; Thu, 13 Jul 2000 23:37:56 -0400 (EDT) Date: Thu, 13 Jul 2000 23:37:56 -0400
From: Bill Fumerola To: Brett Glass Cc: "Jeffrey J. Mountin" , "Jordan K. Hubbard" , security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] Message-ID: <20000713233756.N4034@jade.chc-chimes.com> References: <4.3.2.20000713210451.00cf81c0@207.227.119.2> <2753.963529551@localhost> <4.3.2.7.2.20000713190150.04b9fc80@localhost> <4.3.2.20000713210451.00cf81c0@207.227.119.2> <20000713230722.M4034@jade.chc-chimes.com> <4.3.2.7.2.20000713212558.05859920@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <4.3.2.7.2.20000713212558.05859920@localhost>; from brett@lariat.org on Thu, Jul 13, 2000 at 09:27:48PM -0600 X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jul 13, 2000 at 09:27:48PM -0600, Brett Glass wrote: > At 09:07 PM 7/13/2000, Bill Fumerola wrote: > > >Brett, you're not the martyr you think you are. > > I never claimed to be a martyr. That's Stallman's job. I'm > an idea person. .. but what is an idea person without [good] ideas? -- Bill Fumerola - Network Architect / Computer Horizons Corp - CHIMES e-mail: billf@chimesnet.com / billf@FreeBSD.org From owner-freebsd-security Thu Jul 13 20:44: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 41A5437BCF7; Thu, 13 Jul 2000 20:44:05 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id VAA01439; Thu, 13 Jul 2000 21:43:58 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713213735.04b81670@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 21:43:54 -0600 To: Kris Kennaway
From: Brett Glass Subject: Re: Displacement of Blame[tm] Cc: "Jeffrey J. Mountin" , "Jordan K. Hubbard" , security@FreeBSD.org In-Reply-To: References: <4.3.2.7.2.20000713211759.0585de60@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 09:31 PM 7/13/2000, Kris Kennaway wrote: >As per your usual tactic, you have completely ignored my earlier message >to you deconstructing this exact suggestion (well, except for the "From >FreeBSD Security Team", which is just moronic since that's what "From:" >headers in mail are for). Fine; leave out the "From." I'm not passionately attached to any one format, just so it is clearer that the advisory is about the third-party software and not about FreeBSD. > Therefore I assume you are just wasting mine and everyone else's time >here, Your "assumption" is incorrect. I am quite busy and wouldn't waste my OWN time -- much less anyone else's -- if I didn't think the issue was important. Others have stated that they think it's important, too. >and will not reply to any further mails from >you about this matter. I think that you should address the issue for the sake of ALL of those who are concerned about FreeBSD's image, not just for my sake. >Thankyou for playing, goodnight! A summary dismissal such as the one above is not only bad form but shows a lack of concern for FreeBSD's reputation. Hopefully, instead of stomping off, you'll take note of people's concerns and do something about them. 
--Brett From owner-freebsd-security Thu Jul 13 20:45:12 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 18FE737B594 for ; Thu, 13 Jul 2000 20:45:09 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id VAA01450; Thu, 13 Jul 2000 21:44:57 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713214405.04b89ba0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 21:44:54 -0600 To: Bill Fumerola
From: Brett Glass Subject: Re: Displacement of Blame[tm] Cc: "Jeffrey J. Mountin" , "Jordan K. Hubbard" , security@FreeBSD.ORG In-Reply-To: <20000713233756.N4034@jade.chc-chimes.com> References: <4.3.2.7.2.20000713212558.05859920@localhost> <4.3.2.20000713210451.00cf81c0@207.227.119.2> <2753.963529551@localhost> <4.3.2.7.2.20000713190150.04b9fc80@localhost> <4.3.2.20000713210451.00cf81c0@207.227.119.2> <20000713230722.M4034@jade.chc-chimes.com> <4.3.2.7.2.20000713212558.05859920@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 09:37 PM 7/13/2000, Bill Fumerola wrote: >.. but what is an idea person without [good] ideas? Someone who tries to shout good ideas down, as you seem to take great pride in doing. --Brett From owner-freebsd-security Thu Jul 13 20:52:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 2576237BCF7; Thu, 13 Jul 2000 20:52:39 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id XAA78360; Thu, 13 Jul 2000 23:52:13 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Thu, 13 Jul 2000 23:52:12 -0400 (EDT)
From: Robert Watson X-Sender: robert@fledge.watson.org To: Brett Glass Cc: Jan Koum , security@FreeBSD.ORG, Warner Losh , Kris Kennaway Subject: Re: Displacement of Blame[tm] In-Reply-To: <4.3.2.7.2.20000713191253.04ba03e0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Brett Glass wrote: > Let's be fair. They're not idiots, and I think we can help them (and > ourselves) at least a little. At the very least, we should make sure > that people who try to count bugs automatically by monitoring Bugtraq > posts do not attribute bugs in ported software to FreeBSD. Brett, When the figures came out, a number of members of the FreeBSD development team contacted the folks at Security Focus and met with a very positive and understanding response. One thing that will make a difference in the accounting of security advisory rate is our recent subject change, making it easy for the gatherers of statistics to distinguish the types of advisories. I think you can rest assured that we maintain a positive working relationship with Security Focus and endeavour to provide accurate reports to them of security issues in FreeBSD, as well as help them maintain their high level of accuracy in their reporting of security issues and incidents. One aspect of security education for our users needs to be learning to distinguish "lots of advisories" with "lots of holes". If your customers are in doubt, explain to them that these holes exist in many if not all of the other free operating systems. Just as we have educated our users about the benefits of open source, we can help them understand the admittedly complex technical and social issues associated with computer security.
Yes, there may be an up-front reaction against "tell everyone about the security problems of the world," but maybe that reaction is a lot like the, "open source software is unreliable and unsupported." Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services From owner-freebsd-security Thu Jul 13 20:58: 0 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 0007A37BDEC; Thu, 13 Jul 2000 20:57:55 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id XAA78420; Thu, 13 Jul 2000 23:57:52 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Thu, 13 Jul 2000 23:57:51 -0400 (EDT)
From: Robert Watson X-Sender: robert@fledge.watson.org To: Kris Kennaway Cc: Frank Tobin , security@FreeBSD.org Subject: Re: Two kinds of advisories? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Kris Kennaway wrote: > This is already apparent from the "FreeBSD only: NO" in most of the 33 > advisories this year, but it's not professional to name the other > platforms explicitly (besides the fact that we can't always be sure, as I > learned once the hard way when I overestimated the severity of a NetBSD > vulnerability). Absolutely. I see anything other than a claim about it being specific to us as being unprofessional. I've seen some other advisories from other groups that rashly claim things like, ``Affects all other UNIX operating systems,'' which is almost always false :-). The best we can do is declare whether or not we believe there is the potential for affecting other operating systems or not, and accept that the bug affects us. 
Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services From owner-freebsd-security Thu Jul 13 21: 0: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E5CB537BB53; Thu, 13 Jul 2000 20:59:57 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id VAA62261; Thu, 13 Jul 2000 21:59:53 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id VAA30871; Thu, 13 Jul 2000 21:59:40 -0600 (MDT) Message-Id: <200007140359.VAA30871@harmony.village.org> To: Kris Kennaway Subject: Re: Two kinds of advisories? Cc: Frank Tobin , security@FreeBSD.ORG In-reply-to: Your message of "Thu, 13 Jul 2000 18:42:22 PDT." References: Date: Thu, 13 Jul 2000 21:59:40 -0600
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Kris Kennaway writes: : I am trying to build FreeBSD's reputation as an OS which takes security : damn seriously, and so far I think I've had at least moderate success. So far you've done a much better job than others in raising these issues. Warner From owner-freebsd-security Thu Jul 13 21: 2:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 5526A37BED2; Thu, 13 Jul 2000 21:02:55 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id WAA01638; Thu, 13 Jul 2000 22:02:47 -0600 (MDT) Message-Id: <4.3.2.7.2.20000713215913.04b6b510@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 13 Jul 2000 22:02:44 -0600 To: Robert Watson
From: Brett Glass Subject: Re: Displacement of Blame[tm] Cc: Jan Koum , security@FreeBSD.ORG, Warner Losh , Kris Kennaway In-Reply-To: References: <4.3.2.7.2.20000713191253.04ba03e0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 09:52 PM 7/13/2000, Robert Watson wrote: >When the figures came out, a number of members of the FreeBSD development >team contacted the folks at Security Focus and met with a very positive >and understanding response. That's great! But what happens when a mainstream publication does its own survey and gets it wrong? The correction, in 8 point type on a page mostly covered with masthead information, will hardly be noticed. Revising the subject line is easy, and I think it's worth doing. I can't believe that anyone would make a fuss about it. >One aspect of security education for our users needs to be learning to >distinguish "lots of advisories" with "lots of holes". I agree! Unfortunately, Red Hat has both, and has established the impression, among many, that they correlate. I think we should keep up the advisories but make it unmistakable even to the casual reader where the hole is. Agreed? 
--Brett From owner-freebsd-security Thu Jul 13 21: 3:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 2D90C37BEF5 for ; Thu, 13 Jul 2000 21:03:42 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id WAA62284; Thu, 13 Jul 2000 22:03:40 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id WAA30906; Thu, 13 Jul 2000 22:03:27 -0600 (MDT) Message-Id: <200007140403.WAA30906@harmony.village.org> To: Brett Glass Subject: Re: Displacement of Blame[tm] Cc: "Jeffrey J. Mountin" , "Jordan K. Hubbard" , security@FreeBSD.ORG In-reply-to: Your message of "Thu, 13 Jul 2000 21:25:15 MDT." <4.3.2.7.2.20000713211759.0585de60@localhost> References: <4.3.2.7.2.20000713211759.0585de60@localhost> <4.3.2.7.2.20000713190150.04b9fc80@localhost> <2753.963529551@localhost> Date: Thu, 13 Jul 2000 22:03:27 -0600
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <4.3.2.7.2.20000713211759.0585de60@localhost> Brett Glass writes: : Security Advisory (From FreeBSD Security Team) This is getting closer. It is still a little long, but maybe we can work with it. Warner From owner-freebsd-security Thu Jul 13 23:37:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from zippy.osd.bsdi.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 9477037BDEC for ; Thu, 13 Jul 2000 23:37:33 -0700 (PDT) (envelope-from jkh@zippy.osd.bsdi.com) Received: from localhost (jkh@localhost [127.0.0.1]) by zippy.osd.bsdi.com (8.9.3/8.9.3) with ESMTP id XAA18575; Thu, 13 Jul 2000 23:38:21 -0700 (PDT) (envelope-from jkh@zippy.osd.bsdi.com) To: Brett Glass Cc: Bill Fumerola , "Jeffrey J. Mountin" , "Jordan K. Hubbard" , security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] In-reply-to: Your message of "Thu, 13 Jul 2000 21:44:54 MDT." <4.3.2.7.2.20000713214405.04b89ba0@localhost> Date: Thu, 13 Jul 2000 23:38:21 -0700 Message-ID: <18572.963556701@localhost>
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Someone who tries to shout good ideas down, as you > seem to take great pride in doing. > > --Brett Argh. Not this defense again. Brett, I have to say that it's my true and honest opinion that I've YET to see a single good idea from you. Your ideas, not to put too fine a point on it, tend to be wild flights of hallucinogenic fantasy and are not "good" by any stretch of the imagination. I'm reminded more of certain marketing meetings I've been forced to sit in where guys in suits stand up periodically to shout "I've got it! We'll include a free package of rubbers in every copy of our firewall software! People will thus associate us with ``protection'' since most of them already know what rubbers are for!" Everyone else in the room (except for the other marketdroids) is, of course, rolling their eyes so wildly that some are toppling from their seats. You know those Avis commercials where they show a group of people brainstorming about how to improve the car rental business by renting jet packs to executives or including aromatherapy candles in the back seats? That's what reading Advocacy and Security has been like lately. Not a bunch of good ideas well presented, just a bunch of wild ideas presented by our resident wild man, Brett Glass. Please Brett, learn to recognise your own limitations! 
- Jordan From owner-freebsd-security Thu Jul 13 23:52:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 6CE5637C08E for ; Thu, 13 Jul 2000 23:52:42 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 2F86E1C6E; Fri, 14 Jul 2000 02:52:41 -0400 (EDT) Date: Fri, 14 Jul 2000 02:52:41 -0400
From: Bill Fumerola To: "Jordan K. Hubbard" Cc: Brett Glass , "Jeffrey J. Mountin" , security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] Message-ID: <20000714025241.S4034@jade.chc-chimes.com> References: <4.3.2.7.2.20000713214405.04b89ba0@localhost> <18572.963556701@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <18572.963556701@localhost>; from jkh@zippy.osd.bsdi.com on Thu, Jul 13, 2000 at 11:38:21PM -0700 X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jul 13, 2000 at 11:38:21PM -0700, Jordan K. Hubbard wrote: > > Someone who tries to shout good ideas down, as you > > seem to take great pride in doing. > > Argh. Not this defense again. Brett, I have to say that it's my true > and honest opinion that I've YET to see a single good idea from you. > Your ideas, not to put too fine a point on it, tend to be wild flights > of hallucinogenic fantasy and are not "good" by any stretch of the > imagination. ... and while I'm here I don't like you (Brett) accusing me of trying to shout good ideas down. I actually have ports and code in the FreeBSD tree. I back up what I say with 'cvs ci' and before I could, I backed it up with send-pr(1). Do you? Have you ever? Don't feed me the "I'm just an idea man" line again, most companies have a term for employees who work like that: Alumni.
-- Bill Fumerola - Network Architect / Computer Horizons Corp - CHIMES e-mail: billf@chimesnet.com / billf@FreeBSD.org From owner-freebsd-security Thu Jul 13 23:56:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 428D537BB69 for ; Thu, 13 Jul 2000 23:56:41 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id AAA02881; Fri, 14 Jul 2000 00:56:28 -0600 (MDT) Message-Id: <4.3.2.7.2.20000714004715.04b8bc00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 14 Jul 2000 00:56:25 -0600 To: "Jordan K. Hubbard"
From: Brett Glass Subject: Re: Displacement of Blame[tm] Cc: Bill Fumerola , "Jeffrey J. Mountin" , "Jordan K. Hubbard" , security@FreeBSD.ORG In-Reply-To: <18572.963556701@localhost> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 12:38 AM 7/14/2000, Jordan K. Hubbard wrote: >Argh. Not this defense again. It wasn't a "defense;" it was a rejoinder. Bill was hurling a gratuitous insult. > Brett, I have to say that it's my true >and honest opinion that I've YET to see a single good idea from you. You seemed to like the idea of starting a BSD track at the O'Reilly conference -- after I did it on my own initiative. >Your ideas, not to put too fine a point on it, tend to be wild flights >of hallucinogenic fantasy and are not "good" by any stretch of the >imagination. Now YOU are hurling insults. >You know those Avis commercials where they show a group of people >brainstorming about how to improve the car rental business by renting >jet packs to executives or including aromatherapy candles in the back >seats? That's what reading Advocacy and Security has been like >lately. Not a bunch of good ideas well presented, just a bunch of >wild ideas presented by our resident wild man, Brett Glass. Please >Brett, learn to recognise your own limitations! Jordan, while you seem to be good at doing releases and organizing development, you have not done well at promoting the platform. In fact, you seem to be allergic to serious advocacy and highly resistant to new ideas (none of mine have been anywhere near as wild as you imply above). Perhaps you should learn to recognize YOUR limitations. 
--Brett

From owner-freebsd-security Fri Jul 14 0: 9:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from redshells.net (athaliah.redshells.net [208.189.113.129]) by hub.freebsd.org (Postfix) with SMTP id D1B3B37C76B for ; Fri, 14 Jul 2000 00:08:08 -0700 (PDT) (envelope-from redz@redshells.net)
Received: (qmail 88313 invoked from network); 14 Jul 2000 02:07:48 -0000
Received: from winbox.redshells.net (HELO redshells.net) (208.189.113.130) by mail.redshells.net with SMTP; 14 Jul 2000 02:07:48 -0000
Message-ID: <396EBC81.1C99973C@redshells.net>
Date: Fri, 14 Jul 2000 02:08:49 -0500
From: Chris
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Brett Glass
Cc: "Jordan K. Hubbard", Bill Fumerola, "Jeffrey J. Mountin", security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
References: <4.3.2.7.2.20000714004715.04b8bc00@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Perhaps we should learn to keep our arguments private instead of
including the whole FreeBSD-Security list in on it ;P

Brett Glass wrote:

> At 12:38 AM 7/14/2000, Jordan K. Hubbard wrote:
>
> >Argh. Not this defense again.
>
> It wasn't a "defense;" it was a rejoinder. Bill was hurling a
> gratuitous insult.
>
> > Brett, I have to say that it's my true
> >and honest opinion that I've YET to see a single good idea from you.
>
> You seemed to like the idea of starting a BSD track at the O'Reilly
> conference -- after I did it on my own initiative.
>
> >Your ideas, not to put too fine a point on it, tend to be wild flights
> >of hallucinogenic fantasy and are not "good" by any stretch of the
> >imagination.
>
> Now YOU are hurling insults.
>
> >You know those Avis commercials where they show a group of people
> >brainstorming about how to improve the car rental business by renting
> >jet packs to executives or including aromatherapy candles in the back
> >seats? That's what reading Advocacy and Security has been like
> >lately. Not a bunch of good ideas well presented, just a bunch of
> >wild ideas presented by our resident wild man, Brett Glass. Please
> >Brett, learn to recognise your own limitations!
>
> Jordan, while you seem to be good at doing releases and organizing
> development, you have not done well at promoting the platform. In
> fact, you seem to be allergic to serious advocacy and highly
> resistant to new ideas (none of mine have been anywhere near as
> wild as you imply above).
> Perhaps you should learn to recognize
> YOUR limitations.
>
> --Brett
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jul 14 0:11:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id AF64E37C962 for ; Fri, 14 Jul 2000 00:11:04 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id BAA02985; Fri, 14 Jul 2000 01:10:56 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000714005812.04b90c20@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 14 Jul 2000 01:10:53 -0600
To: Bill Fumerola
From: Brett Glass
Subject: Re: Displacement of Blame[tm]
Cc: security@FreeBSD.ORG
In-Reply-To: <20000714025241.S4034@jade.chc-chimes.com>
References: <18572.963556701@localhost> <4.3.2.7.2.20000713214405.04b89ba0@localhost> <18572.963556701@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:52 AM 7/14/2000, Bill Fumerola wrote:

>I actually have ports and code in the FreeBSD tree. I back up what
>I say with 'cvs ci' and before I could, I backed it up with send-pr(1).

"Justification by code." Good for you. I could possibly contribute
code as well, but thus far naysayers such as you and Mike Smith have
been sufficiently discouraging that I have not done so.

One of the things that I've observed is that code may be the *least*
of the things that FreeBSD needs. Right now, it needs advocacy and
strategic direction much more than it needs more cooks. And some of
the people involved, such as yourself, also need better manners.

--Brett Glass

From owner-freebsd-security Fri Jul 14 0:30:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sasami.jurai.net (sasami.jurai.net [63.67.141.99]) by hub.freebsd.org (Postfix) with ESMTP id ACB8D37C0CD for ; Fri, 14 Jul 2000 00:30:51 -0700 (PDT) (envelope-from winter@jurai.net)
Received: from localhost (winter@localhost) by sasami.jurai.net (8.9.3/8.8.7) with ESMTP id DAA00664; Fri, 14 Jul 2000 03:30:36 -0400 (EDT)
Date: Fri, 14 Jul 2000 03:30:36 -0400 (EDT)
From: "Matthew N. Dodd"
To: Brett Glass
Cc: "Jordan K. Hubbard", Bill Fumerola, "Jeffrey J. Mountin", security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
In-Reply-To: <4.3.2.7.2.20000714004715.04b8bc00@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 14 Jul 2000, Brett Glass wrote:
> Perhaps you should learn to recognize YOUR limitations.

Just guessing but I'd have to say that Jordan has more at stake than you
do when it comes to the success or failure of FreeBSD. I think he's done
a pretty good job of protecting his interests. (And to address your next
thought, if he were (more of?) a money grubbing bastard he would have
moved off to greener pastures long ago, no?)

I think you're among the small minority that believes that Jordan is
somehow acting contrary to the interests of the project. You may not
like him, or his methods, but his direction is rather clear.

--
| Matthew N. Dodd | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD |
| winter@jurai.net | 2 x '84 Volvo 245DL | ix86,sparc,pmax |
| http://www.jurai.net/~winter | This Space For Rent | ISO8802.5 4ever |

From owner-freebsd-security Fri Jul 14 2:51:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id 5BA1237BDE9 for ; Fri, 14 Jul 2000 02:51:42 -0700 (PDT) (envelope-from nbm@sunesi.net)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13D27e-000GWS-00; Fri, 14 Jul 2000 11:51:06 +0200
Date: Fri, 14 Jul 2000 11:51:06 +0200
From: Neil Blakey-Milner
To: Brett Glass
Cc: Matt Heckaman, security@FreeBSD.ORG
Subject: Re: Two kinds of advisories?
Message-ID: <20000714115106.A63233@mithrandr.moria.org>
References: <4.3.2.7.2.20000713120631.04d53b60@localhost> <4.3.2.7.2.20000713140559.04b7aec0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <4.3.2.7.2.20000713140559.04b7aec0@localhost>; from brett@lariat.org on Thu, Jul 13, 2000 at 02:10:12PM -0600
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu 2000-07-13 (14:10), Brett Glass wrote:
> >*sigh* Yeah.. This has been bugging me for a while too. It creates a lot of
> >misinformation about FreeBSD and makes us look worse than what the truth
> >is. Ever go to any of the uhm.. "security" sites and do a search on FreeBSD?
>
> Yep. You get tons of hits. A recent article also overestimated the
> number of security problems in FreeBSD because the person who compiled
> the statistics used message headers from Bugtraq and didn't cull the
> problems which were due to ports.

We have to keep FreeBSD in there. We are not _only_ catering to bugtraq
subscribers, automatic advisory counting, and any other form of weirdo
out there. We are, possibly primarily, catering to FreeBSD users.

If they get: "Security Advisory wu-ftpd" in their mail, and then have to
open the mail, and then find out it is about FreeBSD, and then they will
read it is about ports, and then work it all out.

However, if they see: "FreeBSD Ports Security Advisory: wu-ftpd
(FreeBSD-SA.000123123-wuftpd", (or something a bit shorter), then they
get all that immediately, and can act upon it.

> One way to deal with this problem would be to remove the name FreeBSD
> from the header altogether, labeling the effort to report bugs in ports
> with some other name. Other ideas?
We shouldn't hide our name simply because there are people out there
making stupid assumptions. They're going to do their automatic scripts
whether we label them as ports, change the format, or do anything but
remove the name.

Removing our name is not really an option, since it _does_ have
something to do with us, and we _do_ want our users to know.

Whatever happens, the people doing automated advisory counting will be
wrong. If we remove our name, or reformat, our existing users are going
to get confused, or not heed the message, or ask "Does this apply to
FreeBSD?".

In addition, people with automated advisory counting might count
advisories sent out to our users, or sent out by a particular address,
or any number of algorithms. They're just fooling themselves, and we
aren't going to help them by obscuring our subjects.

Educate them. Have an established document about these issues.

At least locally, FreeBSD has a great reputation for security, and our
move to include ports advisories has bolstered our reputation even more.
I've used this fact to convince a whole bunch of people and companies to
try FreeBSD out during a recent trip to Johannesburg (that's in South
Africa, but still a long trip from Cape Town). Obscuring things is going
to hamper advocacy, and short-change those people I've convinced to try
us out.
Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Jul 14 2:53:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id ECEC537B530 for ; Fri, 14 Jul 2000 02:53:29 -0700 (PDT) (envelope-from d.m.pick@qmw.ac.uk)
Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 13D29g-0002Hb-00; Fri, 14 Jul 2000 10:53:12 +0100
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) id 13D29h-0006WZ-00; Fri, 14 Jul 2000 10:53:13 +0100
X-Mailer: exmh version 2.0.2 2/24/98
To: Warner Losh
Cc: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
In-reply-to: Your message of "Thu, 13 Jul 2000 22:03:27 MDT." <200007140403.WAA30906@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 14 Jul 2000 10:53:13 +0100
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> In message <4.3.2.7.2.20000713211759.0585de60@localhost> Brett Glass writes:
> : Security Advisory (From FreeBSD Security Team)
>
> This is getting closer. It is still a little long, but maybe we can
> work with it.

A little shorter:
    FreeBSD Port Security Advisory
1) puts the package name first indicating it's *probably* a problem
   with the package itself, and in any case only matters if you are
   running that package
2) says it contains *specific* advice for people running the FreeBSD
   port (as I hope the content would)!
3) contains the advisory number at the end, when this is the least
   significant data in the header, but useful for indexing archives

Alternatively:
    FreeBSD Port of : Security Advisory
changes the emphasis a bit between the "FreeBSD" and the "" but
still indicated it's the that's significant. Tiny grammatical
connectives can help getting the sense over sometimes; too often we
don't actually write in English.

--
David Pick

From owner-freebsd-security Fri Jul 14 3:10:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id AA59F37C639 for ; Fri, 14 Jul 2000 03:09:50 -0700 (PDT) (envelope-from nbm@sunesi.net)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13D2PU-000Gbm-00; Fri, 14 Jul 2000 12:09:32 +0200
Date: Fri, 14 Jul 2000 12:09:32 +0200
From: Neil Blakey-Milner
To: David Pick
Cc: Warner Losh, security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
Message-ID: <20000714120932.A63784@mithrandr.moria.org>
References: <200007140403.WAA30906@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: ; from D.M.Pick@qmw.ac.uk on Fri, Jul 14, 2000 at 10:53:13AM +0100
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 2000-07-14 (10:53), David Pick wrote:
> A little shorter:
> FreeBSD Port Security Advisory

This will still be counted by automated advisory things, which was one
of the stated problems.

> Alternatively:
> FreeBSD Port of : Security Advisory
>

This will still be counted by automated advisory things, which was one
of the stated problems.

It also claims the problem is in the FreeBSD port of , and not in
.

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Jul 14 3:21:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id 0A29037B76F for ; Fri, 14 Jul 2000 03:21:21 -0700 (PDT) (envelope-from d.m.pick@qmw.ac.uk)
Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 13D2as-0002UO-00 for security@freebsd.org; Fri, 14 Jul 2000 11:21:18 +0100
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) for security@FreeBSD.ORG id 13D2as-0006Yk-00; Fri, 14 Jul 2000 11:21:18 +0100
X-Mailer: exmh version 2.0.2 2/24/98
To: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
In-reply-to: Your message of "Fri, 14 Jul 2000 12:09:32 +0200."
    <20000714120932.A63784@mithrandr.moria.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 14 Jul 2000 11:21:18 +0100
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Fri 2000-07-14 (10:53), David Pick wrote:
> > A little shorter:
> > FreeBSD Port Security Advisory
>
> This will still be counted by automated advisory things, which was one
> of the stated problems.

Depends on how they classify the text; if they use only the first
word then this statement is true.

> > Alternatively:
> > FreeBSD Port of : Security Advisory
> >
>
> This will still be counted by automated advisory things, which was one
> of the stated problems.

Ditto.

> It also claims the problem is in the FreeBSD port of , and not in
> .

Not quite - I was trying to indicate that the message contained
*advice* about the FreeBSD port of . The root problem might be in:
- the original package
- the port itself
- FreeBSD core facility as used by the port
and the advisory will hopefully contain details of patches or
avoidance methods that are applicable specifically to the FreeBSD
environment.

But I suspect no form of words will satisfy everyone. Perhaps after a
few more people have put their heads above the parapet and actually
made suggestions an election would be in order.

--
David Pick

From owner-freebsd-security Fri Jul 14 3:38:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id DC35437B5A6 for ; Fri, 14 Jul 2000 03:38:32 -0700 (PDT) (envelope-from nbm@sunesi.net)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13D2rT-000Gin-00; Fri, 14 Jul 2000 12:38:27 +0200
Date: Fri, 14 Jul 2000 12:38:27 +0200
From: Neil Blakey-Milner
To: David Pick
Cc: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
Message-ID: <20000714123827.A64184@mithrandr.moria.org>
References: <20000714120932.A63784@mithrandr.moria.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: ; from D.M.Pick@qmw.ac.uk on Fri, Jul 14, 2000 at 11:21:18AM +0100
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 2000-07-14 (11:21), David Pick wrote:
> > On Fri 2000-07-14 (10:53), David Pick wrote:
> > > A little shorter:
> > > FreeBSD Port Security Advisory
> >
> > This will still be counted by automated advisory things, which was one
> > of the stated problems.
>
> Depends on how they classify the text; if they use only the first
> word then this statement is true.

I don't think you understand. The stated problem is that people are
automatically counting advisories based on false assumptions.

>
> > > Alternatively:
> > > FreeBSD Port of : Security Advisory
> > >
> >
> > This will still be counted by automated advisory things, which was one
> > of the stated problems.
>
> Ditto.

See above.

Existing advisories have:

FreeBSD Ports Security Advisory: FreeBSD-SA-00:26.popper

If people are going to make false assumptions, then they're going to do
so. They _can_ be shown that "FreeBSD Ports" is not a base system
problem as easily as we can show them that "FreeBSD Port of " or
"mumble: FreeBSD Port Advisory" is not in the base system.

Your suggestion that "FreeBSD Port of : Security Advisory" is just
as likely to get misunderstood as being a security problem with only the
software on FreeBSD, or in the porting procedure to FreeBSD.
Currently, we can either acknowledge that people who don't care to
understand will never understand, or we can obscure our topics more and
more to get past the latest person who didn't care to understand.

> But I suspect no form of words will satisfy everyone. Perhaps after a
> few more people have put their heads above the parapet and actually
> made suggestions an election would be in order.

Elections on mailing lists don't work. How long do you wait? Who is
your electorate? People who want the status quo generally don't vote.
People will subscribe from the list. And so forth.

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Jul 14 3:54:56 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jake.akitanet.co.uk (jake.akitanet.co.uk [212.1.130.131]) by hub.freebsd.org (Postfix) with ESMTP id 2A0AA37B5A6 for ; Fri, 14 Jul 2000 03:54:41 -0700 (PDT) (envelope-from wigstah@akitanet.co.uk)
Received: from ppp-4b-136.3com.telinco.net ([212.159.135.136] helo=foo.akitanet.co.uk) by jake.akitanet.co.uk with smtp (Exim 3.13 #3) id 13D35i-000CPI-00; Fri, 14 Jul 2000 11:53:10 +0100
From: Paul Robinson
Organization: Akita Ltd.
To: Neil Blakey-Milner, David Pick
Subject: Re: Displacement of Blame[tm]
Date: Fri, 14 Jul 2000 11:45:24 +0100
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain
Cc: Warner Losh, security@FreeBSD.ORG
References: <200007140403.WAA30906@harmony.village.org> <20000714120932.A63784@mithrandr.moria.org>
In-Reply-To: <20000714120932.A63784@mithrandr.moria.org>
MIME-Version: 1.0
Message-Id: <00071411574600.46406@foo.akitanet.co.uk>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 14 Jul 2000, Neil Blakey-Milner wrote:

> It also claims the problem is in the FreeBSD port of , and not in
> .

I think we're now getting into the deepest semantic meanings that are
just confusing people generally. The way I see it is that the following
issues have to be addressed:

- Users subscribed to freebsd-security wish to be made aware of any
  security problems that might occur on their system
- freebsd-security attempts to inform users as soon as possible about
  any new holes or patches that may be required to maintain adequate
  security
- sometimes, holes appear in applications shipped as part of /usr/ports
- the FreeBSD team don't like it when people think this is the fault of
  the FreeBSD team
- some people don't want to see the ports announcements in the first
  place
- there are lots of clashing personalities around here

There are a couple of very easy solutions to this, but first I'm going
to have my 2 cents and have my rant.

Anybody who just does cd /usr/ports// and then types 'make; make
install' deserves to be r00ted in 5 minutes anyway. Ports are there to
make it easier to make and install packages - not for you to not have to
go and read the package's homepage and documentation. If you install
something, perhaps you should keep an eye on the mailing lists around
it, or check the homepage occasionally. Maybe even subscribe to BUGTRAQ
if you do this a lot.
What I would propose is this - why don't we have 2 lists - one for
freebsd-security where genuine issues with security in the core FreeBSD
distro are discussed, and another (freebsd-ports-security for example)
where announcements on ports shipped with FreeBSD are announced.

This solves the problem that those who don't want ports announcements
don't get them, those who do want them do actually get them, it's clear
that the announcements are either about freebsd or a port and finally it
means we can stop having this argument.

Or has this idea already been dismissed because of some grammatical
argument over whether it should be ports-security or security-ports???

--
Paul Robinson

From owner-freebsd-security Fri Jul 14 4: 1: 6 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id 8799C37B630 for ; Fri, 14 Jul 2000 04:00:57 -0700 (PDT) (envelope-from d.m.pick@qmw.ac.uk)
Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 13D3D9-0002kY-00 for security@freebsd.org; Fri, 14 Jul 2000 12:00:51 +0100
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) for security@FreeBSD.ORG id 13D3DA-0006b1-00; Fri, 14 Jul 2000 12:00:52 +0100
X-Mailer: exmh version 2.0.2 2/24/98
To: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
In-reply-to: Your message of "Fri, 14 Jul 2000 12:38:27 +0200." <20000714123827.A64184@mithrandr.moria.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 14 Jul 2000 12:00:52 +0100
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Fri 2000-07-14 (11:21), David Pick wrote:
> > > On Fri 2000-07-14 (10:53), David Pick wrote:
> > > > A little shorter:
> > > > FreeBSD Port Security Advisory
> > >
> > > This will still be counted by automated advisory things, which was one
> > > of the stated problems.
> >
> > Depends on how they classify the text; if they use only the first
> > word then this statement is true.
>
> I don't think you understand. The stated problem is that people are
> automatically counting advisories based on false assumptions.

Agreed. If we are *really* worried about that we need to make sure
that the word FreeBSD doesn't appear at all. If we also want to make
the messages interpretable by humans, perhaps we could replace the
word "FreeBSD" by "F r e e B S D" (or some similar modification).

But some people (at least) have "stated" that the problem is managers
(who I think we have to admit are human, not machines) see subject
lines that make them think there's a problem with FreeBSD itself,
and who then don't allow the techies in their organisation to use
FreeBSD "because it's got lots of security problems".

> See above.

See above.

> Existing advisories have:
>
> FreeBSD Ports Security Advisory: FreeBSD-SA-00:26.popper
>
> If people are going to make false assumptions, then they're going to do
> so. They _can_ be shown that "FreeBSD Ports" is not a base system
> problem as easily as we can show them that "FreeBSD Port of " or
> "mumble: FreeBSD Port Advisory" is not in the base system.
>
> Your suggestion that "FreeBSD Port of : Security Advisory" is just
> as likely to get misunderstood as being a security problem with only the
> software on FreeBSD, or in the porting procedure to FreeBSD.
> Currently,
> we can either acknowledge that people who don't care to understand will
> never understand, or we can obscure our topics more and more to get past
> the latest person who didn't care to understand.

I think we have two problems here, probably mutually incompatible:
1) Automatic classification "systems"
2) Clarity for human readers.
If we are to be clear about what the advisory covers for our human
readership, we *have* to include both the port name and the word
"FreeBSD" (whatever actual language we employ). If we want to avoid
counting "systems" with broken classification schemes, we *have* to
avoid using the word "FreeBSD".

> > But I suspect no form of words will satisfy everyone. Perhaps after a
> > few more people have put their heads above the parapet and actually
> > made suggestions an election would be in order.
>
> Elections on mailing lists don't work. How long do you wait?

c48 hours.

> Who is
> your electorate?

Anyone who votes within the time limit.

> People who want the status quo generally don't vote.

Unless it's specifically included as one option in the election.

> People will subscribe from the list. And so forth.

OK. No election. We can all start shouting instead. Or agree not to
shout at the poor, beleaguered, Security Officer when he makes a
unilateral decision.

--
David Pick

From owner-freebsd-security Fri Jul 14 8:54:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from tandem.milestonerdl.com (tandem.milestonerdl.com [204.107.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 2FEE337CB0B for ; Fri, 14 Jul 2000 08:54:04 -0700 (PDT) (envelope-from marc@milestonerdl.com)
Received: from tandem (tandem [204.107.138.1]) by tandem.milestonerdl.com (8.10.0/8.10.0) with ESMTP id e6EFrWL33405; Fri, 14 Jul 2000 10:53:32 -0500 (CDT)
Date: Fri, 14 Jul 2000 10:53:32 -0500 (CDT)
From: Marc Rassbach
To: Paul Robinson
Cc: Neil Blakey-Milner, David Pick, Warner Losh, security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
In-Reply-To: <00071411574600.46406@foo.akitanet.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 14 Jul 2000, Paul Robinson wrote:

>
> Anybody who just does cd /usr/ports// and then types 'make;
> make install' deserves to be r00ted in 5 minutes anyway.

This is a rather poor attitude. The less sites the script kiddies have
to launch their attacks from, the harder it will be for the kids to
hide. It is in ALL of our interests to have hosts secure.

And doesn't comment well on how you think the ports of FreeBSD is done.
Ports and the job done there is part of what makes FreeBSD as nice as
it is.

ANY system 'set up and forgotten' is subject to attack and eventually will
fail. The white hats only have to screw up once. The black hats get to
try over and over again.

But to blame ports for making FreeBSD 'less secure', it sounds like you
should then be looking at OpenBSD. A nice minimalist system, lacking the
richness of FreeBSD.

> What I would propose is this - why don't we have 2 lists - one for
> freebsd-security where genuine issues with security in the core FreeBSD
> distro are discussed, and another (freebsd-ports-security for example) where
> announcements on ports shipped with FreeBSD are announced.

Nothing stopping you, Brett or someone else making a second list.

This whole idea came up a few months ago, and the same suggestion
was made for a different list to serve this need.

If you feel the present list doesn't do the job, start your own version
that you feel *DOES* do the job. And, if it *IS* a better list
(better==more popular) one of two things will happen:
1) you will get the job of managing the security list.
2) your ideas will be taken, and used to manage the security list.
Taking the action of creating a new list controlled by the people who want
change, done on their servers, done their way, would address the
concerns the people who want change have.
And, like the history of UNIX itself, if the new list has the better idea,
it will float to the top.

From owner-freebsd-security Fri Jul 14 9:15:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailer.seidata.com (mailer.seidata.com [208.10.211.10]) by hub.freebsd.org (Postfix) with ESMTP id C71AA37C899 for ; Fri, 14 Jul 2000 09:15:11 -0700 (PDT) (envelope-from pboehmer@seidata.com)
Received: from wopr (lan-gw.seidata.com [208.10.211.26]) by mailer.seidata.com (8.9.3/Pro-8.9.3) with SMTP id MAA62443 for ; Fri, 14 Jul 2000 12:11:36 -0400 (EDT)
Message-Id: <3.0.6.32.20000714120812.007dc4d0@mail.seidata.com>
X-Sender: pboehmer@mail.seidata.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Fri, 14 Jul 2000 12:08:12 -0400
To: freebsd-security@freebsd.org
From: Paul Boehmer
Subject: Re: Displacement of Blame[tm]/All Other BS
In-Reply-To:
References: <00071411574600.46406@foo.akitanet.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Someone do me a favor and notify freebsd-isp when this thread is dead
and gone. I am tired of checking my mail in the morning only to find
70+ messages of nothing more than childish rants about how this list
should work.

I for one, just want to be notified that a FreeBSD security problem
exists anywhere, either it be the core system or ports. Does it not make
sense just to state in the subject if this is a core or port related
security problem. If you don't want to read it, just delete the message.
It does not get any easier than that.

Just my .02 worth of salt, not gasoline on the fire.

At 10:53 AM 7/14/00 -0500, you wrote:
>
>On Fri, 14 Jul 2000, Paul Robinson wrote:
>
>>
>> Anybody who just does cd /usr/ports// and then types 'make;
>> make install' deserves to be r00ted in 5 minutes anyway.
>
>This is a rather poor attitude. The less sites the script kiddies have
>to launch their attacks from, the harder it will be for the kids to
>hide. It is in ALL of our interests to have hosts secure.
>
>And doesn't
>comment well on how you think
>the ports of FreeBSD is done. Ports and the job done there is part of
>what makes FreeBSD as nice as it is.
>
>ANY system 'set up and forgotten' is subject to attack and eventually will
>fail. The white hats only have to screw up once. The black hats get to
>try over and over again.
>
>But to blame ports for making FreeBSD 'less secure', it sounds like you
>should then be looking at OpenBSD. A nice minimalist system, lacking the
>richness of FreeBSD.
> > >> What I would propose is this - why don't we have 2 lists - one for >> freebsd-security where genuine issues with security in the core FreeBSD >> distro are discussed, and another (freebsd-ports-security for example) where >> announcments on ports shipped with FreeBSD are announced. > >Nothing stopping you, Brett or someone else making a second list. > >This whole idea came up a few months ago, and the same suggestion >was made for a different list to serve this need. > >If you feel the present list doesn't do the job, start your own version >that you feel *DOES* do the job. And, if it *IS* is a better list >(better==more popular) one of two things will happen: >1) you will get the job of managing the security list. >2) your ideas will be taken, and used to manage the security list. > >Taking the action of creating a new list controlled by the people who want >change, doen on their serveres, done there way, would address the >concerns the people who want change have. >And, like the history of UNIX itself, if the new list has the better idea, >it will float to the top. 
> > > > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > > Paul Boehmer Systems Administrator SEI Data, Inc pboehmer@seidata.com (888)200-4392 Voice (812)744-8000 Fax To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 10: 5:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id D99C237C88F; Fri, 14 Jul 2000 10:05:23 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id MAA01432; Fri, 14 Jul 2000 12:05:21 -0500 (CDT) (envelope-from jeff-ml@mountin.net) Received: from dial-73.max1.wa.cyberlynk.net(207.227.118.73) by peak.mountin.net via smap (V1.3) id sma001430; Fri Jul 14 12:05:12 2000 Message-Id: <4.3.2.20000714114005.00b67100@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Version 4.3 Date: Fri, 14 Jul 2000 12:04:22 -0500 To: Kris Kennaway 
From: "Jeffrey J. Mountin" Subject: Newer advisories (was Re: Two kinds of advisories?) Cc: security@FreeBSD.ORG In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 06:42 PM 7/13/00 -0700, Kris Kennaway wrote: Hopefully won't start another wild thread... Not really on-topic >Turn this to your advantage: we acknowledge and fix our security bugs in >public, and those in software we ship, regardless of how embarrassing they >may be, because we care about the security of our users. The majority of >these holes are also present in other OSes, many of whom do not bother to >acknowledge them (as) publicly. Much better than trying to sweep them under the rug. >This is already apparent from the "FreeBSD only: NO" in most of the 33 >advisories this year, but it's not professional to name the other >platforms explicitly (besides the fact that we can't always be sure, as I >learned once the hard way when I overestimated the severity of a NetBSD >vulnerability). It seems I overlooked that addition. Tend to read the 5 sections. >In other words, this is an advocacy issue, not one which can be magically >fixed by cramming more into the subject line of advisories. I'm not one to >blow my own horn, but it's the kind of thing which might make a good >article or two to get this point across to the world and provide something >to point to when people make that claim. > >As long as I'm the one writing these advisories I'm not going to do >anything to make them less visible to the wider community - I want it to >be known that a) FreeBSD fixes its security vulnerabilities and tells >people when we do, and b) there is an awful lot of bad code out there >which hurts *EVERYONE*, not just FreeBSD. 
> >I see myself as providing a service to a larger community than just >FreeBSD users here precisely because these advisories are widely >distributed, and (compared to what other vendors produce) more informative >- in fact I've gotten feedback from people who don't even use FreeBSD who >have been impressed by this. > >I am trying to build FreeBSD's reputation as an OS which takes security >damn seriously, and so far I think I've had at least moderate success. Of course then the addition of the "FreeBSD only: " should make a subtle, but obvious point should a person stop and think. Those using other OS's may wish to get FreeBSD's advisories just to hear about possible problems with 3rd party software. Perhaps an article should be done up and emphasis made on this. Some general credit should also be given to the authors of 3rd party software that merge in fixes, which then helps advocate open-source in general to push your idea a tad further. That in turn should show that open-source, free software has commercial value. There are exceptions and in recent history the ports list has contained more tidbits of useful info. Best not to mention them. Will say that some on the -ports list have expressed interest in fixing software that the author(s) don't seem to care about. Not that another list is really needed. One just for ports advisories may be a good thing from a PR standpoint. Of course they then need to check out the ports collection and may end up trying out FreeBSD. 
8-) Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 10:21:49 2000 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 5E28437C7B7 for ; Fri, 14 Jul 2000 10:21:39 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id MAA01507; Fri, 14 Jul 2000 12:21:23 -0500 (CDT) (envelope-from jeff-ml@mountin.net) Received: from dial-73.max1.wa.cyberlynk.net(207.227.118.73) by peak.mountin.net via smap (V1.3) id sma001505; Fri Jul 14 12:21:17 2000 Message-Id: <4.3.2.20000714120547.00b2f730@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Version 4.3 Date: Fri, 14 Jul 2000 12:20:29 -0500 To: Marc Rassbach , Paul Robinson 
From: "Jeffrey J. Mountin" Subject: Re: Displacement of Blame[tm] Cc: security@FreeBSD.ORG In-Reply-To: References: <00071411574600.46406@foo.akitanet.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 10:53 AM 7/14/00 -0500, Marc Rassbach wrote: >On Fri, 14 Jul 2000, Paul Robinson wrote: > > > > > Anybody who just does cd /usr/ports// and then types 'make; > > make install' deserves to be r00ted in 5 minutes anyway. > >This is a rather poor attitude. The less sites the script kiddies have >to launch their attacks from, the harder it will be for the kids to >hide. It is in ALL of our interests to have hosts secure. And networks as part of a "good neighbor" policy. >And doesn't >comment well on how you think >the ports of FreeBSD is done. Ports and the job done there is part of >what makes FreeBSD as nice as it is. Convenient they are. On the negative side, they tend to make one a bit lazy. >ANY system 'set up and forgotten' is subject to attack and eventually will >fail. The white hats only have to screw up once. The black hats get to >try over and over again. > >But to blame ports for making FreeBSD 'less secure', it sounds like you >should then be looking at OpenBSD. A nice minimalist system, lacking the >richness of FreeBSD. The ultimate security is a good memory. Rather than blame ports one should evaluate the risks. > > What I would propose is this - why don't we have 2 lists - one for > > freebsd-security where genuine issues with security in the core FreeBSD > > distro are discussed, and another (freebsd-ports-security for example) > where > > announcements on ports shipped with FreeBSD are announced. > >Nothing stopping you, Brett or someone else making a second list. > >This whole idea came up a few months ago, and the same suggestion >was made for a different list to serve this need. And it came up on -stable a few days back. 
Again because of too many messages that didn't seem to suit the person's needs and/or perception of the list. >If you feel the present list doesn't do the job, start your own version >that you feel *DOES* do the job. And, if it *IS* a better list >(better==more popular) one of two things will happen: >1) you will get the job of managing the security list. >2) your ideas will be taken, and used to manage the security list. > >Taking the action of creating a new list controlled by the people who want >change, done on their servers, done their way, would address the >concerns the people who want change have. >And, like the history of UNIX itself, if the new list has the better idea, >it will float to the top. Out of the lists I read regularly and infrequently -security is low traffic, high content, and low noise. Generally. Starting a new list due to a surge of OT postings could result in a proliferation of lists and those wishing to catch messages of value would need to track even more lists. No thanks. Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 11: 1: 5 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 1B01337B7A0 for ; Fri, 14 Jul 2000 11:01:01 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id OAA277842; Fri, 14 Jul 2000 14:00:42 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: References: Date: Fri, 14 Jul 2000 14:01:41 -0400 To: David Pick , Warner Losh 
From: Garance A Drosihn Subject: Re: Displacement of Blame[tm] Cc: security@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 10:53 AM +0100 7/14/00, David Pick wrote: > >A little shorter: > FreeBSD Port Security Advisory > >1) puts the package name first indicating it's *probably* a problem > with the package itself, and in any case only matters if you are > running that package > >2) says it contains *specific* advice for people running the FreeBSD > port (as I hope the content would)! > >3) contains the advisory number at the end, when this is the least > significant data in the header, but useful for indexing archives For what it is worth, I think I like this suggestion the most. My opinion is probably influenced by the fact that I sort my mailboxes by subject name. My hope is that some other OS's might pick up on this subject-format strategy, and thus all the security advisories for a given would sort together (for those of us who sort by subject... :-). If that did happen, then it would become much more obvious to the casual onlooker that was something that was not unique and specific to a single operating system, while at the same time helping freebsd users see which issues MAY be affecting them. I also like having the name at the start of the subject, instead of at the end where it is more likely to be trimmed off. I also want the words 'FreeBSD' and 'Port' to show up early in the subject line. >Alternatively: > FreeBSD Port of : Security Advisory This would be fine with me too. And in case I haven't explicitly mentioned it before, I do think all these security advisories are a very excellent service to FreeBSD users, and help to show freebsd is serious about security issues. All I have been wondering about is if we could come up with a slightly better format for the subject lines. 
--- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or drosih@rpi.edu Rensselaer Polytechnic Institute To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 11:16:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id A4CBE37B73F for ; Fri, 14 Jul 2000 11:16:41 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id OAA59550; Fri, 14 Jul 2000 14:16:25 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <20000714123827.A64184@mithrandr.moria.org> References: <20000714120932.A63784@mithrandr.moria.org> <20000714123827.A64184@mithrandr.moria.org> Date: Fri, 14 Jul 2000 14:17:27 -0400 To: Neil Blakey-Milner , David Pick 
From: Garance A Drosihn Subject: Re: Displacement of Blame[tm] Cc: security@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 12:38 PM +0200 7/14/00, Neil Blakey-Milner wrote: >On Fri 2000-07-14 (11:21), David Pick wrote: > > > > Depends on how they classify the text; if they use only the > > first word then this statement is true. > >I don't think you understand. The stated problem is that people >are automatically counting advisories based on false assumptions. I am one of the people who is actively "stating the problem". I think you do not understand. I believe that everyone knows that some objection can be imagined for any format which is suggested. We all know that no matter how careful we are, there is someone out in the world who is so dumb that they will misunderstand it. The fact that there is no perfect subject-format does not mean that every subject-format is equally good. Thus, the fact that you can throw stones at one specific suggestion is not helpful. All I wish for is a little brain-storming, just to see if there is any subject-format strategy that we feel will do a little better. I do agree that some things will still get the wrong idea from the subject-format that David suggested, but I do still think that his suggestion is BETTER than some of the other alternatives. Thus, I like his suggestion. If you have an alternative which is even better, then it would be helpful to suggest that alternative. We're just brain-storming for ideas here, and someone (not me!) will pick the most promising one. Just MO. 
--- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or drosih@rpi.edu Rensselaer Polytechnic Institute To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 12:16:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from MCSMTP.MC.VANDERBILT.EDU (mcsmtp.mc.Vanderbilt.Edu [160.129.93.202]) by hub.freebsd.org (Postfix) with ESMTP id EE59A37C19B for ; Fri, 14 Jul 2000 12:16:07 -0700 (PDT) (envelope-from George.Giles@mcmail.vanderbilt.edu) Subject: Firewall allows smtp To: freebsd-security@freebsd.org X-Mailer: Lotus Notes Release 5.0.2a November 23, 1999 Message-ID: 
From: George.Giles@mcmail.vanderbilt.edu Date: Fri, 14 Jul 2000 14:18:28 -0500 X-MIMETrack: Serialize by Router on MCSMTP/VUMC/Vanderbilt(Release 5.0.3 |March 21, 2000) at 07/14/2000 02:17:32 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

My firewall is below. I thought this would only allow ssh in, and anything local out. SMTP still works even though I think it should be denied.

Please advise.

# set these to your outside interface network and netmask and ip
oif="mx0"
onet="24.2.119.0"
omask="255.255.255.0"
oip="X.X.X.X"   # <- hide the guilty

# set these to your inside interface network and netmask and ip
iif="mx1"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.1"

# Allow inside out
$fwcmd add divert natd all from any to any via ${oif}
$fwcmd add pass all from any to any

# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

# Allow TCP through if setup succeeded
#$fwcmd add pass tcp from any to any established

# SSH only.
$fwcmd add pass tcp from any to ${oip} 22 setup

# Allow setup of incoming email
#$fwcmd add pass tcp from any to ${oip} 25 setup

# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via ${oif} setup

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Fri Jul 14 12:22:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from finland.ispro.net.tr (finland.ispro.net.tr [212.174.120.1]) by hub.freebsd.org (Postfix) with ESMTP id C614537C565 for ; Fri, 14 Jul 2000 12:21:55 -0700 (PDT) (envelope-from yurtesen@ispro.net.tr) Received: from localhost (yurtesen@localhost) by finland.ispro.net.tr (8.9.3/8.9.3) with ESMTP id WAA63182; Fri, 14 Jul 2000 22:21:02 +0300 (EEST) (envelope-from yurtesen@ispro.net.tr) Date: Fri, 14 Jul 2000 22:21:02 +0300 (EEST) 
From: Evren Yurtesen To: George.Giles@mcmail.vanderbilt.edu Cc: freebsd-security@FreeBSD.ORG Subject: Re: Firewall allows smtp In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

# Allow inside out
$fwcmd add divert natd all from any to any via ${oif}
>>> $fwcmd add pass all from any to any

That line in your firewall config file allows everything, so the ssh line below is not working. Your firewall stops at that rule when it sees pass for everything. Just take it out and make some experiments =)

+---------------------------------------------------------+
| Name       : Evren Yurtesen - yurtesen@ispro.net.tr     |
| Job Title  : Technical Consultant & System Administrator|
| S-Mail     : Talikkokatu 6B 26, Turku 20540, Finland    |
| Work Tel.  : +90-232-2463992                            |
| Mobile Tel.: +358-40-5073940                            |
+---------------------------------------------------------+

On Fri, 14 Jul 2000 George.Giles@mcmail.vanderbilt.edu wrote:

> My firewall is below. I thought this would only allow ssh in, and anything
> local out. SMTP still works even though I think it should be denied.
>
> Please advise.
>
> # set these to your outside interface network and netmask and ip
> oif="mx0"
> onet="24.2.119.0"
> omask="255.255.255.0"
> oip="X.X.X.X"   # <- hide the guilty
>
> # set these to your inside interface network and netmask and ip
> iif="mx1"
> inet="10.0.0.0"
> imask="255.255.255.0"
> iip="10.0.0.1"
>
> # Allow inside out
> $fwcmd add divert natd all from any to any via ${oif}
> $fwcmd add pass all from any to any
>
> # Stop spoofing
> $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
> $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
>
> # Allow TCP through if setup succeeded
> #$fwcmd add pass tcp from any to any established
>
> # SSH only.
> $fwcmd add pass tcp from any to ${oip} 22 setup
>
> # Allow setup of incoming email
> #$fwcmd add pass tcp from any to ${oip} 25 setup
>
> # Reject&Log all setup of incoming connections from the outside
> $fwcmd add deny log tcp from any to any in via ${oif} setup
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Fri Jul 14 13:40:10 2000 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id 028BE37C64D for ; Fri, 14 Jul 2000 13:40:01 -0700 (PDT) (envelope-from dave@elvis.mu.org) Received: by elvis.mu.org (Postfix, from userid 1088) id 63F8E2B23D; Fri, 14 Jul 2000 15:39:50 -0500 (CDT) Date: Fri, 14 Jul 2000 15:39:50 -0500 
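The rule-order point in the "Firewall allows smtp" exchange above, as an added example that is not part of either post: a simplified first-match model of the posted ruleset, with a check for rules that an earlier rule makes unreachable. Assumptions: the address in OIP is a constructed stand-in for the hidden X.X.X.X, rules are numbered in steps of 100, natd address rewriting is not modelled, and the final default rule is taken to be deny.

```python
"""First-match model of the ipfw ruleset quoted in the thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

OIF, IIF = "mx0", "mx1"   # interface names from the posted ruleset
OIP = "203.0.113.10"      # constructed stand-in for the hidden X.X.X.X
DEFAULT_RULE = 65535      # ipfw's last rule; assumed to be deny here

@dataclass
class Rule:
    num: int
    action: str                      # "pass", "deny" or "divert"
    proto: str = "all"               # "all" or "tcp"
    src: str = "any"                 # "any" or a CIDR network
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None        # interface the packet passes through
    direction: Optional[str] = None  # "in" limits the rule to inbound packets
    setup: bool = False              # matches only TCP SYN without ACK

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str
    direction: str
    syn_only: bool = True            # False models a packet of an open session

def posted_ruleset():
    """Rules in the order they were posted, numbered in steps of 100."""
    specs = [dict(action="divert", via=OIF),
             dict(action="pass"),    # "pass all from any to any"
             dict(action="deny", src="10.0.0.0/24", direction="in", via=OIF),
             dict(action="deny", src="24.2.119.0/24", direction="in", via=IIF)]
    for net in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"):
        specs.append(dict(action="deny", src=net, via=OIF))
        specs.append(dict(action="deny", dst=net, via=OIF))
    specs.append(dict(action="pass", proto="tcp", dst=OIP + "/32",
                      dport=22, setup=True))
    specs.append(dict(action="deny", proto="tcp", direction="in",
                      via=OIF, setup=True))
    return [Rule(num=100 * (i + 1), **s) for i, s in enumerate(specs)]

def _in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    return (rule.proto in ("all", pkt.proto)
            and _in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport)
            and rule.via in (None, pkt.iface)
            and rule.direction in (None, pkt.direction)
            and (not rule.setup or (pkt.proto == "tcp" and pkt.syn_only)))

def evaluate(rules, pkt):
    """Return (action, rule number) of the first matching pass/deny rule."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.action == "divert":
            continue   # natd rewriting is not modelled; the search just continues
        if matches(rule, pkt):
            return rule.action, rule.num
    return "deny", DEFAULT_RULE

def _covers(a, b):
    """True when every packet that rule b matches is also matched by rule a."""
    def net(x, y):
        if x == "any" or y == "any":
            return x == "any"
        return ipaddress.ip_network(y).subnet_of(ipaddress.ip_network(x))
    return (a.proto in ("all", b.proto) and net(a.src, b.src) and net(a.dst, b.dst)
            and a.dport in (None, b.dport) and a.via in (None, b.via)
            and a.direction in (None, b.direction) and (not a.setup or b.setup))

def shadowed(rules):
    """Map each unreachable rule number to the earlier rule that hides it."""
    ordered = sorted(rules, key=lambda r: r.num)
    hidden = {}
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.action != "divert" and _covers(earlier, later):
                hidden[later.num] = earlier.num
                break
    return hidden

if __name__ == "__main__":
    rules = posted_ruleset()
    smtp = Packet("tcp", "198.51.100.7", OIP, 25, OIF, "in")   # constructed packet
    print("as posted:", evaluate(rules, smtp), "hidden rules:", shadowed(rules))
    trimmed = [r for r in rules if r.num != 200]
    print("catch-all removed:", evaluate(trimmed, smtp))
```

In this model, removing the catch-all rule sends inbound SMTP setup packets to the final deny log rule, but later packets of an accepted SSH session fall through to the default rule because the "established" rule in the posted file is commented out.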
From: Dave McKay To: "Jordan K. Hubbard" Cc: Brett Glass , Bill Fumerola , "Jeffrey J. Mountin" , security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] Message-ID: <20000714153950.A12082@elvis.mu.org> References: <4.3.2.7.2.20000713214405.04b89ba0@localhost> <18572.963556701@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <18572.963556701@localhost>; from jkh@zippy.osd.bsdi.com on Thu, Jul 13, 2000 at 11:38:21PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Jordan K. Hubbard (jkh@zippy.osd.bsdi.com) wrote: > > Someone who tries to shout good ideas down, as you > > seem to take great pride in doing. > > > > --Brett > > Argh. Not this defense again. Brett, I have to say that it's my true > and honest opinion that I've YET to see a single good idea from you. I have a good idea. Kill this thread. My side hurts from laughing at this "my cock is bigger than yours" war. Well, my cock is bigger than all of yours. :) DIE THREAD DIE!! -- Dave McKay Network Engineer - Google Inc. 
dave@mu.org - dave@google.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 14:18: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from dfw-smtpout1.email.verio.net (dfw-smtpout1.email.verio.net [129.250.36.41]) by hub.freebsd.org (Postfix) with ESMTP id BE7C337BAE0 for ; Fri, 14 Jul 2000 14:17:57 -0700 (PDT) (envelope-from bokr@accessone.com) Received: from [129.250.38.62] (helo=dfw-mmp2.email.verio.net) by dfw-smtpout1.email.verio.net with esmtp (Exim 3.12 #7) id 13DCqJ-0002vR-00 for freebsd-security@freebsd.org; Fri, 14 Jul 2000 21:17:55 +0000 Received: from [204.250.68.168] (helo=gazelle) by dfw-mmp2.email.verio.net with smtp (Exim 3.15 #4) id 13DCqI-0003lJ-00 for freebsd-security@FreeBSD.ORG; Fri, 14 Jul 2000 21:17:55 +0000 Message-Id: <3.0.5.32.20000714142038.00908650@mail.accessone.com> X-Sender: bokr@mail.accessone.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Fri, 14 Jul 2000 14:20:38 -0700 To: freebsd-security@FreeBSD.ORG 
From: Bengt Richter Subject: RFC for Advisories? (Was Re: Newer/Two kinds of advisories?) In-Reply-To: <4.3.2.20000714114005.00b67100@207.227.119.2> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org There are a lot of RFCs for automated notifications over the internet. Perhaps it would be useful to think of security advisories in this light. FreeBSD SA's provide a reference implementation of content and distribution methodology. Others also distribute advisory information. Sometimes there is useful cross-platform content, even beyond the immediate OS family tree. Establishment of a standard, platform-independent (sectioned to distinguish generic vs platform/version-specific info) format suitable for human skimming and automated processing could have widespread benefits (IMHO). Ideally, one could visualize logging in and seeing an automatically edited MOTD or additional message something like: "NOTICE: vulnscand has received and authenticated advisory , and has (per vulnscand.conf auto option) disabled execution of / due to a level 7.2 ('Immediate Action Urgent') vulnerability. Type vulnscan -i for full info." The RFC should not exclude the possibility of an NT-based vulnscand.exe service whereby possibly seeing something relevant to NT in the security log of the NT event viewer, with automated email to the system administrator. For those writing cgi for score-keeping web presentation, perhaps a simple numeric scale of seriousness like the earth quake Richter (no relation :) scale would help keep things in perspective. 
HTIU (Hope this is useful) Regards, Bengt Richter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 14:44: 4 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id A5D4137C1FA for ; Fri, 14 Jul 2000 14:43:52 -0700 (PDT) (envelope-from matt@ARPA.MAIL.NET) Received: (qmail 76182 invoked by uid 1000); 14 Jul 2000 21:43:48 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 14 Jul 2000 21:43:48 -0000 Date: Fri, 14 Jul 2000 17:43:46 -0400 (EDT) 
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Bengt Richter Cc: freebsd-security@FreeBSD.ORG Subject: Re: RFC for Advisories? (Was Re: Newer/Two kinds of advisories?) In-Reply-To: <3.0.5.32.20000714142038.00908650@mail.accessone.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 14 Jul 2000, Bengt Richter wrote: ... : Ideally, one could visualize logging in and seeing an automatically edited : MOTD : or additional message something like: : : "NOTICE: vulnscand has received and authenticated advisory , : and has (per vulnscand.conf auto option) disabled execution of : / : due to a level 7.2 ('Immediate Action Urgent') vulnerability. : Type vulnscan -i for full info." Can I just say: "wow" - I like this a lot, a lot, a lot, and .. you get the idea. This would just be wonderful, being that we're all human and don't always see an advisory the minute it comes out, I'm sure we've all had a system running something vulnerable for a good 12-24 hours because of that, something like this would.. Really set us apart. : The RFC should not exclude the possibility of an NT-based vulnscand.exe : service : whereby possibly seeing something relevant to NT in the security log of the : NT event viewer, with automated email to the system administrator. *nods* : For those writing cgi for score-keeping web presentation, perhaps a simple : numeric scale of seriousness like the earth quake Richter (no relation :) : scale would help keep things in perspective. What do you mean no relation? Come on, I can't be the only one envisioning a building (read; system) falling down, can I? 
:) : HTIU (Hope this is useful) I should hope so, time for me to go ponder about the possibility and get my hopes up for some reason :) : Regards, : Bengt Richter * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE5b4mTdMMtMcA1U5ARAoBKAJ9Wt8zgvQsdNbHMT7NhM9j/MppjAwCg0pty 8+jHAOEOnj+PEC3NeCdrV54= =PVn+ -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 14:55:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 0CA3437BB2D; Fri, 14 Jul 2000 14:55:41 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA34771; Fri, 14 Jul 2000 14:55:40 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Fri, 14 Jul 2000 14:55:40 -0700 (PDT) 
From: Kris Kennaway To: Bengt Richter Cc: freebsd-security@FreeBSD.ORG Subject: Re: RFC for Advisories? (Was Re: Newer/Two kinds of advisories?) In-Reply-To: <3.0.5.32.20000714142038.00908650@mail.accessone.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I await your proof of concept code :-) Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 14:58:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from roble.com (roble.com [206.40.34.50]) by hub.freebsd.org (Postfix) with ESMTP id D0C6737BB98 for ; Fri, 14 Jul 2000 14:58:24 -0700 (PDT) (envelope-from sendmail@roble.com) Received: from roble2.roble.com (roble2.roble.com [206.40.34.52]) by roble.com with SMTP id OAA10382 for ; Fri, 14 Jul 2000 14:58:27 -0700 (PDT) Date: Fri, 14 Jul 2000 14:58:22 -0700 (PDT) 
From: Roger Marquis To: security@freebsd.org Subject: Re: Displacement of Blame[tm] Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Jul 2000, Brett Glass wrote: > At the very least, we should make sure > that people who try to count bugs automatically by monitoring Bugtraq > posts do not attribute bugs in ported software to FreeBSD. Brett's made an excellent point. It's important to keep in mind that people evaluating operating system security are, by definition, not familiar with that operating system. Usually they are managers and other marginally technical types, not the gurus who read this list (assuming they could find it). Even to the technically semi-literate it is still difficult to distinguish port vulnerabilities with OS vulnerabilities. The FreeBSD moniker is too prominently displayed at the top of each advisory for that. This much is clear from the non-techies I've spoken with. Perhaps what we need are "BSD Port" advisories instead of "FreeBSD" advisories? Shoot the messenger(s) if you wish, but be prepared for the results (i.e., declining customer base). Then again, given the lack of civility displayed in this thread, maybe the OS does have some real weaknesses... 
-- Roger Marquis Roble Systems Consulting http://www.roble.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 15:18:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 81FF837BA78 for ; Fri, 14 Jul 2000 15:18:54 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id QAA10041; Fri, 14 Jul 2000 16:18:26 -0600 (MDT) Message-Id: <4.3.2.7.2.20000714161714.04b5bb00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 14 Jul 2000 16:18:22 -0600 To: Garance A Drosihn 
From: Brett Glass Subject: Re: Displacement of Blame[tm] Cc: security@FreeBSD.ORG, Warner Losh In-Reply-To: References: <20000714123827.A64184@mithrandr.moria.org> <20000714120932.A63784@mithrandr.moria.org> <20000714123827.A64184@mithrandr.moria.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I agree with Garance 100%. Nothing will be perfect, but several of the schemes suggested here are better. Hopefully, Warner will consider these and choose one. --Brett At 12:17 PM 7/14/2000, Garance A Drosihn wrote: >I am one of the people who is actively "stating the problem". I >think you do not understand. I believe that everyone knows that >some objection can be imagined for any format which is suggested. >We all know that no matter how careful we are, there is someone >out in the world who is so dumb that they will misunderstand it. >The fact that there is no perfect subject-format does not mean >that every subject-format is equally good. > >Thus, the fact that you can throw stones at one specific suggestion >is not helpful. All I wish for is a little brain-storming, just to >see if there is any subject-format strategy that we feel will do >a little better. I do agree that some things will still get the >wrong idea from the subject-format that David suggested, but I do >still think that his suggestion is BETTER than some of the other >alternatives. Thus, I like his suggestion. > >If you have an alternative which is even better, then it would be >helpful to suggest that alternative. We're just brain-storming for >ideas here, and someone (not me!) will pick the most promising one. > >Just MO.
> > >--- >Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu >Senior Systems Programmer or drosih@rpi.edu >Rensselaer Polytechnic Institute > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 16:24:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id C869837BFDB for ; Fri, 14 Jul 2000 16:24:22 -0700 (PDT) (envelope-from mike@adept.org) Received: by snafu.adept.org (Postfix, from userid 1000) id 73ED99EE01; Fri, 14 Jul 2000 16:24:15 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 6C2A19B001; Fri, 14 Jul 2000 16:24:15 -0700 (PDT) Date: Fri, 14 Jul 2000 16:24:15 -0700 (PDT) 
From: Mike Hoskins To: Neil Blakey-Milner Cc: David Pick , security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] In-Reply-To: <20000714123827.A64184@mithrandr.moria.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 14 Jul 2000, Neil Blakey-Milner wrote: > I don't think you understand. The stated problem is that people are > automatically counting advisories based on false assumptions. I think the problem is we're wasting an incredible amount of bandwidth over some individual's/group's false assumption(s) or general lack of clue. This thread isn't solving anything or helping anyone, but if you really, truly, honestly believe it is... How about moving it to -advocacy? It's become much more relevant to -advocacy than it is to -security. My -security bucket is swelling with banter that has very little [nothing] to do with the security of my FreeBSD system. -mrh To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 16:27:41 2000 Delivered-To: freebsd-security@freebsd.org Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 8856A37C4F0 for ; Fri, 14 Jul 2000 16:27:18 -0700 (PDT) (envelope-from mike@adept.org) Received: by snafu.adept.org (Postfix, from userid 1000) id 30CFD9EE01; Fri, 14 Jul 2000 16:27:11 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 28F5C9B001; Fri, 14 Jul 2000 16:27:11 -0700 (PDT) Date: Fri, 14 Jul 2000 16:27:11 -0700 (PDT)
From: Mike Hoskins To: Paul Robinson Cc: Neil Blakey-Milner , David Pick , Warner Losh , security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] In-Reply-To: <00071411574600.46406@foo.akitanet.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 14 Jul 2000, Paul Robinson wrote: > What I would propose is this - why don't we have 2 lists - one for > freebsd-security where genuine issues with security in the core FreeBSD > distro are discussed, and another (freebsd-ports-security for example) where > announcements on ports shipped with FreeBSD are announced. I like it. Has this already been proposed and dismissed? If so, why? Sounds good to me. I can subscribe to both lists, and those who don't want ports advisories won't have to see them. -mrh To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 16:28:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 38B9B37C112 for ; Fri, 14 Jul 2000 16:28:43 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id RAA67454; Fri, 14 Jul 2000 17:28:37 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id RAA39908; Fri, 14 Jul 2000 17:28:21 -0600 (MDT) Message-Id: <200007142328.RAA39908@harmony.village.org> To: Mike Hoskins Subject: Re: Displacement of Blame[tm] Cc: Paul Robinson , Neil Blakey-Milner , David Pick , security@FreeBSD.ORG In-reply-to: Your message of "Fri, 14 Jul 2000 16:27:11 PDT." References: Date: Fri, 14 Jul 2000 17:28:21 -0600
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Mike Hoskins writes: : On Fri, 14 Jul 2000, Paul Robinson wrote: : : > What I would propose is this - why don't we have 2 lists - one for : > freebsd-security where genuine issues with security in the core FreeBSD : > distro are discussed, and another (freebsd-ports-security for example) where : > announcements on ports shipped with FreeBSD are announced. : : I like it. Has this already been proposed and dismissed? If so, : why? Sounds good to me. I can subscribe to both lists, and those who : don't want ports advisories won't have to see them. I don't think it would work. Bugtraq would subscribe to both of them and Brett's clients would still be concerned. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 17: 5: 5 2000 Delivered-To: freebsd-security@freebsd.org Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id B950A37BEC6 for ; Fri, 14 Jul 2000 17:04:53 -0700 (PDT) (envelope-from mike@adept.org) Received: by snafu.adept.org (Postfix, from userid 1000) id 3F3E39EE01; Fri, 14 Jul 2000 17:04:46 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 35B4A9B001; Fri, 14 Jul 2000 17:04:46 -0700 (PDT) Date: Fri, 14 Jul 2000 17:04:46 -0700 (PDT)
From: Mike Hoskins To: Warner Losh Cc: Paul Robinson , Neil Blakey-Milner , David Pick , security@FreeBSD.ORG Subject: Re: Displacement of Blame[tm] In-Reply-To: <200007142328.RAA39908@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 14 Jul 2000, Warner Losh wrote: > : I like it. Has this already been proposed and dismissed? If so, > : why? Sounds good to me. I can subscribe to both lists, and those who > : don't want ports advisories won't have to see them. > > I don't think it would work. Bugtraq would subscribe to both of them > and Brett's clients would still be concerned. Fair enough. Then I'll resort to my first thought... I cite an example from the recent BitchX advisory: Topic: bitchx port contains client-side vulnerability FreeBSD only: NO The bitchx port is not installed by default, nor is it "part of FreeBSD" Now... Maybe manager-types are getting confused or maybe someone is misunderstanding the meaning of 'port', but given the above SA format, it would seem such confusion is the result of an inability to read. So, for those touting this as something in dire need of everyone's attention, I'd propose investing in a copy of 'Hooked on Phonics'. Give that to your managers, and anyone else who is confused... Then, once they can actually read, they'll be able to benefit from the hard work done by the FreeBSD Security team. Meanwhile (being a NetOps manager for an ASP using FreeBSD), I'm glad myself and my manager types can read. If they couldn't, I'd work somewhere else... as that inability isn't something I'd trust my future with in the first place. Rant on...
-mrh To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 17:20:20 2000 Delivered-To: freebsd-security@freebsd.org Received: from zippy.osd.bsdi.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 2AD9237B90B for ; Fri, 14 Jul 2000 17:20:16 -0700 (PDT) (envelope-from jkh@zippy.osd.bsdi.com) Received: from localhost (jkh@localhost [127.0.0.1]) by zippy.osd.bsdi.com (8.9.3/8.9.3) with ESMTP id RAA22860 for ; Fri, 14 Jul 2000 17:21:14 -0700 (PDT) (envelope-from jkh@zippy.osd.bsdi.com) Date: Fri, 14 Jul 2000 17:21:14 -0700 Message-ID: <22853.963620474.1@localhost> From: "Jordan K. Hubbard" Subject: OK, I admit I blew it... MIME-Version: 1.0 Content-Type: multipart/digest; boundary="----- =_aaaaaaaaaa" Content-Description: Blind Carbon Copy Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ------- =_aaaaaaaaaa Content-Type: message/rfc822 Content-Description: Original Message To: chat@freebsd.org Subject: OK, I admit I blew it... Date: Fri, 14 Jul 2000 17:21:14 -0700 Message-ID: <22853.963620474@localhost> 
From: "Jordan K. Hubbard" MIME-Version: 1.0 The whole thread with Brett is an embarrassment I'm willing to own up to playing a significant part in. Any lack of esteem I might have had for his opinions should have stayed in my brain, where they belong, nor should I have ever even read the postings in the first place - I truly do know better than that and I screwed the pooch anyway. My apologies to anyone I offended. I'm also now taking the suggestion which many people have made to heart. I do hereby promise, quite publicly and openly, to avoid any and all future interaction with Brett Glass in the name of the public good (to say nothing of my own sanity). Procmail will help to provide the self-control I so clearly lacked in this instance. This is a strictly win-win policy for all of us anyway since, should Brett ever have any suggestions which are of value to the FreeBSD project, I'm sure he'll get other people to champion them (as they would any good idea) and I'll hear about them in any case. Procmail is a semi-permeable membrane when it comes to truly good suggestions. :) Regards, - Jordan ------- =_aaaaaaaaaa-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 17:37:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id 1FE9A37B954 for ; Fri, 14 Jul 2000 17:37:14 -0700 (PDT) (envelope-from cfaber@fpsn.net) Received: from fpsn.net (control.fpsn.net [63.224.69.60]) by mail.fpsn.net (8.9.3/8.9.3) with ESMTP id SAA18699 for ; Fri, 14 Jul 2000 18:31:27 -0600 (MDT) (envelope-from cfaber@fpsn.net) Message-ID: <396FB1D5.33A36340@fpsn.net> Date: Fri, 14 Jul 2000 18:35:33 -0600
From: Colin Faber Reply-To: cfaber@fpsn.net Organization: fpsn.net, Inc. X-Mailer: Mozilla 4.6 [en] (Win95; I) X-Accept-Language: en MIME-Version: 1.0 Cc: security@FreeBSD.ORG Subject: ENOUGH Re: Displacement of Blame[tm] References: <00071411574600.46406@foo.akitanet.co.uk> <4.3.2.20000714120547.00b2f730@207.227.119.2> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org COULD YOU PLEASE CLOSE THIS DAMN TOPIC I'm tired of hearing you all bicker "Jeffrey J. Mountin" wrote: > > At 10:53 AM 7/14/00 -0500, Marc Rassbach wrote: > > >On Fri, 14 Jul 2000, Paul Robinson wrote: > > > > > > > > Anybody who just does cd /usr/ports// and then types 'make; > > > make install' deserves to be r00ted in 5 minutes anyway. > > > >This is a rather poor attitude. The less sites the script kiddies have > >to launch their attacks from, the harder it will be for the kids to > >hide. It is in ALL of our interests to have hosts secure. > > And networks as part of a "good neighbor" policy. > > >And doesn't > >comment well on how you think > >the ports of FreeBSD is done. Ports and the job done there is part of > >what makes FreeBSD as nice as it is. > > Convenient they are. On the negative side, they tend to make one a bit lazy. > > >ANY system 'set up and forgotten' is subject to attack and eventually will > >fail. The white hats only have to screw up once. The black hats get to > >try over and over again. > > > >But to blame ports for making FreeBSD 'less secure', it sounds like you > >should then be looking at OpenBSD. A nice minimalist system, lacking the > >richness of FreeBSD. > > The ultimate security is a good memory. Rather than blame ports one should > evaluate the risks.
> > > > What I would propose is this - why don't we have 2 lists - one for > > > freebsd-security where genuine issues with security in the core FreeBSD > > > distro are discussed, and another (freebsd-ports-security for example) > > where > > > announcements on ports shipped with FreeBSD are announced. > > > >Nothing stopping you, Brett or someone else making a second list. > > > >This whole idea came up a few months ago, and the same suggestion > >was made for a different list to serve this need. > > And it came up on -stable a few days back. Again because of too many > messages that didn't seem to suit the person's needs and/or perception of > the list. > > >If you feel the present list doesn't do the job, start your own version > >that you feel *DOES* do the job. And, if it *IS* a better list > >(better==more popular) one of two things will happen: > >1) you will get the job of managing the security list. > >2) your ideas will be taken, and used to manage the security list. > > > >Taking the action of creating a new list controlled by the people who want > >change, done on their servers, done their way, would address the > >concerns the people who want change have. > >And, like the history of UNIX itself, if the new list has the better idea, > >it will float to the top. > > Out of the lists I read regularly and infrequently -security is low > traffic, high content, and low noise. Generally. > > Starting a new list due to a surge of OT postings could result in a > proliferation of lists and those wishing to catch messages of value would > need to track even more lists. > > No thanks.
> > Jeff Mountin - jeff@mountin.net > Systems/Network Administrator > FreeBSD - the power to serve > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 18:14:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f17.law10.hotmail.com [64.4.15.17]) by hub.freebsd.org (Postfix) with SMTP id 5CE6337BF60 for ; Fri, 14 Jul 2000 18:14:04 -0700 (PDT) (envelope-from freebsd_security@hotmail.com) Received: (qmail 49833 invoked by uid 0); 15 Jul 2000 01:14:00 -0000 Message-ID: <20000715011400.49832.qmail@hotmail.com> Received: from 204.120.50.1 by www.hotmail.com with HTTP; Fri, 14 Jul 2000 18:14:00 PDT X-Originating-IP: [204.120.50.1] 
From: "FreeBSD Security" To: freebsd-security@freebsd.org Subject: FreeBSD User Security Advisory: FreeBSD-SA-00:BG Date: Sat, 15 Jul 2000 01:14:00 GMT Mime-Version: 1.0 Content-Type: text/plain; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:BG Security Advisory FreeBSD, Inc. Topic: The Brett Glass user can DOS the FreeBSD mailing lists. Category: user Module: Brett Glass Announced: 2000-07-14 Affects: Mailing lists Corrected: 2000-07-14 Vendor status: Patch released FreeBSD only: Yes I. Background The Brett Glass user is an active participant in various FreeBSD mailing lists. II. Problem Description The FreeBSD mailing lists are a vital part of the FreeBSD community and are the primary means by which many users obtain support and exchange important information. A mailing list participant named Brett Glass has been in recent weeks posting crack smoking ideas to the lists generating a lot of noise and rendering the mailing lists next to useless as a means of obtaining support and exchanging information. In other words, causing a Denial Of Service. The Brett Glass user is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD mailing lists, which are a publicly available resource. FreeBSD makes no claim about the benefits of having certain users participate in the mailing list discussions. Note, Linux mailing lists are thought not to be vulnerable due to the license under which Linux is covered. The Brett Glass user seems to avoid software distributed under the GPL. III. Impact Posts from the Brett Glass user can cause readers to miss vital information contained in some posts. It also has the effect of driving away some of the critical participants in the mailing lists. IV. 
Workaround Use your mail reader, or procmail, to filter all posts from the Brett Glass user. V. Solution Add the following to your procmail filter: :0 * ^From: brett@lariat\.org /dev/null -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOW+p97KP7aiUpF5FAQGy3AP/UEfoMb6C6IjUnXPe6prdSDMzOTlqcmYA vquAomCIfTLbGaFkWsZL64xXSE0mfs5/X8LoubBi75RhnQ/TMYvE9GTMDIuUn6As lI3lL0wiQoAr0TX2R6TiPMvQK7JisvcoYr9NUWkXG8BuwZ1c+RKBgzgEseVP4UU/ y3lsjiEL3F0= =daPy -----END PGP SIGNATURE----- ________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 18:18:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from alpha.simphost.com (alpha.simphost.com [216.84.199.194]) by hub.freebsd.org (Postfix) with ESMTP id A56BA37B7D9 for ; Fri, 14 Jul 2000 18:18:38 -0700 (PDT) (envelope-from jslivko@simphost.com) Received: by alpha.simphost.com (Postfix, from userid 1004) id 7AF503071D; Fri, 14 Jul 2000 19:18:34 -0600 (MDT) Received: from localhost (localhost [127.0.0.1]) by alpha.simphost.com (Postfix) with ESMTP id 6F6B32C90F; Fri, 14 Jul 2000 19:18:34 -0600 (MDT) Date: Fri, 14 Jul 2000 19:18:34 -0600 (MDT) 
From: "Jonathan M. Slivko" To: FreeBSD Security Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD User Security Advisory: FreeBSD-SA-00:BG In-Reply-To: <20000715011400.49832.qmail@hotmail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I wouldn't appreciate this if I were him. Just think if it happened to you? ________________________________________________ Jonathan M. Slivko Technical Support: Simple Hosting Solutions Website: http://www.simphost.com, check us out! "The statements I make are not the statements of my employer!" -- Jonathan M. Slivko ________________________________________________ On Sat, 15 Jul 2000, FreeBSD Security wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================= > FreeBSD-SA-00:BG Security Advisory > FreeBSD, > Inc. > > Topic: The Brett Glass user can DOS the FreeBSD mailing lists. > > Category: user > Module: Brett Glass > Announced: 2000-07-14 > Affects: Mailing lists > Corrected: 2000-07-14 > Vendor status: Patch released > FreeBSD only: Yes > > I. Background > > The Brett Glass user is an active participant in various FreeBSD > mailing lists. > > II. Problem Description > > The FreeBSD mailing lists are a vital part of the FreeBSD community > and are the primary means by which many users obtain support and > exchange important information. > > A mailing list participant named Brett Glass has been in recent > weeks posting crack smoking ideas to the lists generating a lot of > noise and rendering the mailing lists next to useless as a means > of obtaining support and exchanging information. In other words, > causing a Denial Of Service. > > The Brett Glass user is not installed by default, nor is it "part > of FreeBSD" as such: it is part of the FreeBSD mailing lists, which > are a publicly available resource. 
> > FreeBSD makes no claim about the benefits of having certain users > participate in the mailing list discussions. > > Note, Linux mailing lists are thought not to be vulnerable due to > the license under which Linux is covered. The Brett Glass user > seems to avoid software distributed under the GPL. > > III. Impact > > Posts from the Brett Glass user can cause readers to miss vital > information contained in some posts. It also has the effect of > driving away some of the critical participants in the mailing lists. > > IV. Workaround > > Use your mail reader, or procmail, to filter all posts from the Brett > Glass user. > > V. Solution > > Add the following to your procmail filter: > > :0 > * ^From: brett@lariat\.org > /dev/null > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBOW+p97KP7aiUpF5FAQGy3AP/UEfoMb6C6IjUnXPe6prdSDMzOTlqcmYA > vquAomCIfTLbGaFkWsZL64xXSE0mfs5/X8LoubBi75RhnQ/TMYvE9GTMDIuUn6As > lI3lL0wiQoAr0TX2R6TiPMvQK7JisvcoYr9NUWkXG8BuwZ1c+RKBgzgEseVP4UU/ > y3lsjiEL3F0= > =daPy > -----END PGP SIGNATURE----- > > ________________________________________________________________________ > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 18:24:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 1A6C637C701 for ; Fri, 14 Jul 2000 18:24:18 -0700 (PDT) (envelope-from matt@ARPA.MAIL.NET) Received: (qmail 76694 invoked by uid 1000); 15 Jul 2000 01:24:15 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Jul 2000 01:24:15 -0000 Date: Fri, 14 Jul 2000 21:24:14 -0400 (EDT) 
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: FreeBSD Security Cc: FreeBSD-SECURITY Subject: Re: FreeBSD User Security Advisory: FreeBSD-SA-00:BG In-Reply-To: <20000715011400.49832.qmail@hotmail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 For someone claiming to be bitching about ... this very thing, you seem to do a good job propagating it yourself. This is beyond immature, hiding behind a hotmail account is rather lame as well. Are you not confident enough in your convictions to speak of them publicly without being an anonymous coward? Grow up, you certainly aren't making your case. This has just hit an all new low. On Fri, 14 Jul 2000, FreeBSD Security wrote: : Date: Fri, 14 Jul 2000 21:14:00 -0400 :
From: FreeBSD Security : To: freebsd-security@freebsd.org : Subject: FreeBSD User Security Advisory: FreeBSD-SA-00:BG : : -----BEGIN PGP SIGNED MESSAGE----- : : ============================================================================= : FreeBSD-SA-00:BG Security Advisory : FreeBSD, : Inc. : : Topic: The Brett Glass user can DOS the FreeBSD mailing lists. : : Category: user : Module: Brett Glass : Announced: 2000-07-14 : Affects: Mailing lists : Corrected: 2000-07-14 : Vendor status: Patch released : FreeBSD only: Yes : : I. Background : : The Brett Glass user is an active participant in various FreeBSD : mailing lists. : : II. Problem Description : : The FreeBSD mailing lists are a vital part of the FreeBSD community : and are the primary means by which many users obtain support and : exchange important information. : : A mailing list participant named Brett Glass has been in recent : weeks posting crack smoking ideas to the lists generating a lot of : noise and rendering the mailing lists next to useless as a means : of obtaining support and exchanging information. In other words, : causing a Denial Of Service. : : The Brett Glass user is not installed by default, nor is it "part : of FreeBSD" as such: it is part of the FreeBSD mailing lists, which : are a publicly available resource. : : FreeBSD makes no claim about the benefits of having certain users : participate in the mailing list discussions. : : Note, Linux mailing lists are thought not to be vulnerable due to : the license under which Linux is covered. The Brett Glass user : seems to avoid software distributed under the GPL. : : III. Impact : : Posts from the Brett Glass user can cause readers to miss vital : information contained in some posts. It also has the effect of : driving away some of the critical participants in the mailing lists. : : IV. Workaround : : Use your mail reader, or procmail, to filter all posts from the Brett : Glass user. : : V. 
Solution : : Add the following to your procmail filter: : : :0 : * ^From: brett@lariat\.org : /dev/null : : -----BEGIN PGP SIGNATURE----- : Version: 2.6.2 : : iQCVAwUBOW+p97KP7aiUpF5FAQGy3AP/UEfoMb6C6IjUnXPe6prdSDMzOTlqcmYA : vquAomCIfTLbGaFkWsZL64xXSE0mfs5/X8LoubBi75RhnQ/TMYvE9GTMDIuUn6As : lI3lL0wiQoAr0TX2R6TiPMvQK7JisvcoYr9NUWkXG8BuwZ1c+RKBgzgEseVP4UU/ : y3lsjiEL3F0= : =daPy : -----END PGP SIGNATURE----- : : ________________________________________________________________________ : Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com : : : : To Unsubscribe: send mail to majordomo@FreeBSD.org : with "unsubscribe freebsd-security" in the body of the message : * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE5b70/dMMtMcA1U5ARAl2gAJ9isTPusqos/x09M6zs9D65gW5KIACg0ioI QXJ85Mm3oBJfsQQP89B+0A0= =S1YE -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 18:29:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from alpha.simphost.com (alpha.simphost.com [216.84.199.194]) by hub.freebsd.org (Postfix) with ESMTP id 575B937B855 for ; Fri, 14 Jul 2000 18:29:30 -0700 (PDT) (envelope-from jslivko@simphost.com) Received: by alpha.simphost.com (Postfix, from userid 1004) id 8F9AB3071D; Fri, 14 Jul 2000 19:29:27 -0600 (MDT) Received: from localhost (localhost [127.0.0.1]) by alpha.simphost.com (Postfix) with ESMTP id 8946F2C90F; Fri, 14 Jul 2000 19:29:27 -0600 (MDT) Date: Fri, 14 Jul 2000 19:29:27 -0600 (MDT) 
From: "Jonathan M. Slivko" To: Matt Heckaman Cc: FreeBSD Security , FreeBSD-SECURITY Subject: Re: FreeBSD User Security Advisory: FreeBSD-SA-00:BG In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I FULLY AGREE! ________________________________________________ Jonathan M. Slivko Technical Support: Simple Hosting Solutions Website: http://www.simphost.com, check us out! "The statements I make are not the statements of my employer!" -- Jonathan M. Slivko ________________________________________________ On Fri, 14 Jul 2000, Matt Heckaman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > For someone claiming to be bitching about ... this very thing, you seem to > do a good job propagating it yourself. This is beyond immature, hiding > behind a hotmail account is rather lame as well. Are you not confident > enough in your convictions to speak of them publicly without being an > anonymous coward? Grow up, you certainly aren't making your case. > > This has just hit an all new low. > > On Fri, 14 Jul 2000, FreeBSD Security wrote: > > : Date: Fri, 14 Jul 2000 21:14:00 -0400 > :
From: FreeBSD Security > : To: freebsd-security@freebsd.org > : Subject: FreeBSD User Security Advisory: FreeBSD-SA-00:BG > : > : -----BEGIN PGP SIGNED MESSAGE----- > : > : ============================================================================= > : FreeBSD-SA-00:BG Security Advisory > : FreeBSD, > : Inc. > : > : Topic: The Brett Glass user can DOS the FreeBSD mailing lists. > : > : Category: user > : Module: Brett Glass > : Announced: 2000-07-14 > : Affects: Mailing lists > : Corrected: 2000-07-14 > : Vendor status: Patch released > : FreeBSD only: Yes > : > : I. Background > : > : The Brett Glass user is an active participant in various FreeBSD > : mailing lists. > : > : II. Problem Description > : > : The FreeBSD mailing lists are a vital part of the FreeBSD community > : and are the primary means by which many users obtain support and > : exchange important information. > : > : A mailing list participant named Brett Glass has been in recent > : weeks posting crack smoking ideas to the lists generating a lot of > : noise and rendering the mailing lists next to useless as a means > : of obtaining support and exchanging information. In other words, > : causing a Denial Of Service. > : > : The Brett Glass user is not installed by default, nor is it "part > : of FreeBSD" as such: it is part of the FreeBSD mailing lists, which > : are a publicly available resource. > : > : FreeBSD makes no claim about the benefits of having certain users > : participate in the mailing list discussions. > : > : Note, Linux mailing lists are thought not to be vulnerable due to > : the license under which Linux is covered. The Brett Glass user > : seems to avoid software distributed under the GPL. > : > : III. Impact > : > : Posts from the Brett Glass user can cause readers to miss vital > : information contained in some posts. It also has the effect of > : driving away some of the critical participants in the mailing lists. > : > : IV. 
Workaround > : > : Use your mail reader, or procmail, to filter all posts from the Brett > : Glass user. > : > : V. Solution > : > : Add the following to your procmail filter: > : > : :0 > : * ^From: brett@lariat\.org > : /dev/null > : > : -----BEGIN PGP SIGNATURE----- > : Version: 2.6.2 > : > : iQCVAwUBOW+p97KP7aiUpF5FAQGy3AP/UEfoMb6C6IjUnXPe6prdSDMzOTlqcmYA > : vquAomCIfTLbGaFkWsZL64xXSE0mfs5/X8LoubBi75RhnQ/TMYvE9GTMDIuUn6As > : lI3lL0wiQoAr0TX2R6TiPMvQK7JisvcoYr9NUWkXG8BuwZ1c+RKBgzgEseVP4UU/ > : y3lsjiEL3F0= > : =daPy > : -----END PGP SIGNATURE----- > : > : ________________________________________________________________________ > : Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com > : > : > : > : To Unsubscribe: send mail to majordomo@FreeBSD.org > : with "unsubscribe freebsd-security" in the body of the message > : > > * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * > * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.1 (FreeBSD) > Comment: http://www.lucida.qc.ca/pgp > > iD8DBQE5b70/dMMtMcA1U5ARAl2gAJ9isTPusqos/x09M6zs9D65gW5KIACg0ioI > QXJ85Mm3oBJfsQQP89B+0A0= > =S1YE > -----END PGP SIGNATURE----- > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 19: 6:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id 0CC7A37BA51 for ; Fri, 14 Jul 2000 19:06:40 -0700 (PDT) (envelope-from dave@elvis.mu.org) Received: by elvis.mu.org (Postfix, from userid 1088) id DF2B12B24B; Fri, 14 Jul 2000 21:06:33 -0500 (CDT) Date: Fri, 14 Jul 2000 21:06:33 -0500 
From: Dave McKay To: FreeBSD Security Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD User Security Advisory: FreeBSD-SA-00:BG Message-ID: <20000714210633.A16306@elvis.mu.org> References: <20000715011400.49832.qmail@hotmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20000715011400.49832.qmail@hotmail.com>; from freebsd_security@hotmail.com on Sat, Jul 15, 2000 at 01:14:00AM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Account being canceled at this moment. FreeBSD Security (freebsd_security@hotmail.com) wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================= > FreeBSD-SA-00:BG Security Advisory > FreeBSD, > Inc. > > Topic: The Brett Glass user can DOS the FreeBSD mailing lists. > > Category: user > Module: Brett Glass > Announced: 2000-07-14 > Affects: Mailing lists > Corrected: 2000-07-14 > Vendor status: Patch released > FreeBSD only: Yes > > I. Background > > The Brett Glass user is an active participant in various FreeBSD > mailing lists. > > II. Problem Description > > The FreeBSD mailing lists are a vital part of the FreeBSD community > and are the primary means by which many users obtain support and > exchange important information. > > A mailing list participant named Brett Glass has been in recent > weeks posting crack smoking ideas to the lists generating a lot of > noise and rendering the mailing lists next to useless as a means > of obtaining support and exchanging information. In other words, > causing a Denial Of Service. > > The Brett Glass user is not installed by default, nor is it "part > of FreeBSD" as such: it is part of the FreeBSD mailing lists, which > are a publicly available resource. > > FreeBSD makes no claim about the benefits of having certain users > participate in the mailing list discussions. 
> > Note, Linux mailing lists are thought not to be vulnerable due to > the license under which Linux is covered. The Brett Glass user > seems to avoid software distributed under the GPL. > > III. Impact > > Posts from the Brett Glass user can cause readers to miss vital > information contained in some posts. It also has the effect of > driving away some of the critical participants in the mailing lists. > > IV. Workaround > > Use your mail reader, or procmail, to filter all posts from the Brett > Glass user. > > V. Solution > > Add the following to your procmail filter: > > :0 > * ^From: brett@lariat\.org > /dev/null > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBOW+p97KP7aiUpF5FAQGy3AP/UEfoMb6C6IjUnXPe6prdSDMzOTlqcmYA > vquAomCIfTLbGaFkWsZL64xXSE0mfs5/X8LoubBi75RhnQ/TMYvE9GTMDIuUn6As > lI3lL0wiQoAr0TX2R6TiPMvQK7JisvcoYr9NUWkXG8BuwZ1c+RKBgzgEseVP4UU/ > y3lsjiEL3F0= > =daPy > -----END PGP SIGNATURE----- > > ________________________________________________________________________ > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Dave McKay Network Engineer - Google Inc. 
dave@mu.org - dave@google.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 19:18:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from alpha.simphost.com (alpha.simphost.com [216.84.199.194]) by hub.freebsd.org (Postfix) with ESMTP id 3D2B037BA88 for ; Fri, 14 Jul 2000 19:18:23 -0700 (PDT) (envelope-from jslivko@simphost.com) Received: by alpha.simphost.com (Postfix, from userid 1004) id CAFEA3071D; Fri, 14 Jul 2000 20:18:21 -0600 (MDT) Received: from localhost (localhost [127.0.0.1]) by alpha.simphost.com (Postfix) with ESMTP id C68D22C90F; Fri, 14 Jul 2000 20:18:21 -0600 (MDT) Date: Fri, 14 Jul 2000 20:18:21 -0600 (MDT) 
From: "Jonathan M. Slivko" To: Dave McKay Cc: FreeBSD Security , freebsd-security@freebsd.org Subject: Re: FreeBSD User Security Advisory: FreeBSD-SA-00:BG In-Reply-To: <20000714210633.A16306@elvis.mu.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I hope so. But, if he's still subscribed to this list. FreeBSD DOESN'T have the power to serve you, bitch! ________________________________________________ Jonathan M. Slivko Technical Support: Simple Hosting Solutions Website: http://www.simphost.com, check us out! "The statements I make are not the statements of my employer!" -- Jonathan M. Slivko ________________________________________________ On Fri, 14 Jul 2000, Dave McKay wrote: > Account being canceled at this moment. > > FreeBSD Security (freebsd_security@hotmail.com) wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > > > ============================================================================= > > FreeBSD-SA-00:BG Security Advisory > > FreeBSD, > > Inc. > > > > Topic: The Brett Glass user can DOS the FreeBSD mailing lists. > > > > Category: user > > Module: Brett Glass > > Announced: 2000-07-14 > > Affects: Mailing lists > > Corrected: 2000-07-14 > > Vendor status: Patch released > > FreeBSD only: Yes > > > > I. Background > > > > The Brett Glass user is an active participant in various FreeBSD > > mailing lists. > > > > II. Problem Description > > > > The FreeBSD mailing lists are a vital part of the FreeBSD community > > and are the primary means by which many users obtain support and > > exchange important information. > > > > A mailing list participant named Brett Glass has been in recent > > weeks posting crack smoking ideas to the lists generating a lot of > > noise and rendering the mailing lists next to useless as a means > > of obtaining support and exchanging information. In other words, > > causing a Denial Of Service. 
> > > > The Brett Glass user is not installed by default, nor is it "part > > of FreeBSD" as such: it is part of the FreeBSD mailing lists, which > > are a publicly available resource. > > > > FreeBSD makes no claim about the benefits of having certain users > > participate in the mailing list discussions. > > > > Note, Linux mailing lists are thought not to be vulnerable due to > > the license under which Linux is covered. The Brett Glass user > > seems to avoid software distributed under the GPL. > > > > III. Impact > > > > Posts from the Brett Glass user can cause readers to miss vital > > information contained in some posts. It also has the effect of > > driving away some of the critical participants in the mailing lists. > > > > IV. Workaround > > > > Use your mail reader, or procmail, to filter all posts from the Brett > > Glass user. > > > > V. Solution > > > > Add the following to your procmail filter: > > > > :0 > > * ^From: brett@lariat\.org > > /dev/null > > > > -----BEGIN PGP SIGNATURE----- > > Version: 2.6.2 > > > > iQCVAwUBOW+p97KP7aiUpF5FAQGy3AP/UEfoMb6C6IjUnXPe6prdSDMzOTlqcmYA > > vquAomCIfTLbGaFkWsZL64xXSE0mfs5/X8LoubBi75RhnQ/TMYvE9GTMDIuUn6As > > lI3lL0wiQoAr0TX2R6TiPMvQK7JisvcoYr9NUWkXG8BuwZ1c+RKBgzgEseVP4UU/ > > y3lsjiEL3F0= > > =daPy > > -----END PGP SIGNATURE----- > > > > ________________________________________________________________________ > > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > Dave McKay > Network Engineer - Google Inc. 
> dave@mu.org - dave@google.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 20:11:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 5489637BBD4 for ; Fri, 14 Jul 2000 20:11:12 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id VAA68214 for ; Fri, 14 Jul 2000 21:11:10 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id VAA41080 for ; Fri, 14 Jul 2000 21:10:54 -0600 (MDT) Message-Id: <200007150310.VAA41080@harmony.village.org> To: freebsd-security@freebsd.org Subject: The recent stuff here, please let it die Date: Fri, 14 Jul 2000 21:10:54 -0600 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org OK. Can we just let all this crap die now? Whatever good and positive results could have come from an open and frank discussion of the issues raised has been swamped by ill manners that have been displayed here. Let the issue, the thread and the excessive dog piling die die die die die for now. We'll revisit the heart of the matter later when progress can be made. Warner P.S. It is a good thing that I don't know who issued that DoS advisory. Wearing my security-officer hat, I would have to have *EXTREMELY* sharp words with them. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 22: 8: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 3F2F337C2F0 for ; Fri, 14 Jul 2000 22:08:00 -0700 (PDT) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (2053 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Sat, 15 Jul 2000 00:06:17 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7) Date: Sat, 15 Jul 2000 00:06:16 -0500 (CDT) 
From: James Wyatt To: Matt Heckaman Cc: FreeBSD-SECURITY Subject: Re: FreeBSD User Security Advisory: FreeBSD-SA-00:BG In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Does the fact that everyone posts their responses with the *FULL* text of the original message while complaining of waste strike folks as ironic? The original advisory *was* a cheap shot and Jordan's tone wasn't too professional as well. Lastly, this kind of advisory can make us look stupid or trigger customer questions about how serious FreeBSD is. I really agree with Matt. Can this stuff just go away? - Jy@ On Fri, 14 Jul 2000, Matt Heckaman wrote: > For someone claiming to be bitching about ... this very thing, you seem to > do a good job propagating it yourself. This is beyond immature, hiding > behind a hotmail account is rather lame as well. Are you not confident > enough in your convictions to speak of them publicly without being an > anonymous coward? Grow up, you certainly aren't making your case. > > This has just hit an all new low. > > On Fri, 14 Jul 2000, FreeBSD Security wrote: > > : Date: Fri, 14 Jul 2000 21:14:00 -0400 > : 
From: FreeBSD Security > : To: freebsd-security@freebsd.org > : Subject: FreeBSD User Security Advisory: FreeBSD-SA-00:BG > : > : -----BEGIN PGP SIGNED MESSAGE----- > : > : ============================================================================= > : FreeBSD-SA-00:BG Security Advisory > : FreeBSD, > : Inc. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 22:29: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from voltage.net (voltage.net [208.189.4.3]) by hub.freebsd.org (Postfix) with ESMTP id BB4FF37C3B3 for ; Fri, 14 Jul 2000 22:28:59 -0700 (PDT) (envelope-from sward@voltage.net) Received: from amavis by voltage.net with scanned-ok (Exim 3.14 #4) id 13DKVZ-0002m2-00 for freebsd-security@freebsd.org; Sat, 15 Jul 2000 00:29:01 -0500 Received: from basketcase.voltage.net ([208.189.4.20]) by voltage.net with esmtp (Exim 3.14 #4) id 13DKVY-0002kV-00 for freebsd-security@freebsd.org; Sat, 15 Jul 2000 00:29:00 -0500 Message-Id: <4.3.1.2.20000715002354.00ddf620@mail.voltage.net> X-Sender: sward@mail.voltage.net X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Sat, 15 Jul 2000 00:30:14 -0500 To: FreeBSD-SECURITY 
From: Susie Ward Subject: Re: FreeBSD User Security Advisory: FreeBSD-SA-00:BG In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-AntiVirus: This email was scanned for known viruses (http://www.voltage.net/virusalert.html) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 07:29 PM 7/14/00 -0600, Jonathan M. Slivko wrote: >I FULLY AGREE! ME TOO!11!!!1 Give me a fucking break! Someone please tell me that the list "freebsd-security-notifications" is what it appears to be ... a list that all SA's are posted to, but is read only? If so, it might be helpful to describe it as "read only" like the other read only list(s). As a relative newbie to FreeBSD, I find it very helpful to read the input other members more knowledgeable than myself have in response to SA's posted here, but the outbursts of crap are just a bit more than I can handle sometimes. Susie To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 14 22:41:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net [207.69.200.243]) by hub.freebsd.org (Postfix) with ESMTP id 5F3DB37B6BA for ; Fri, 14 Jul 2000 22:41:42 -0700 (PDT) (envelope-from mb3006@mindspring.com) Received: from mindspring.com (user-2ive4ac.dialup.mindspring.com [165.247.17.76]) by maynard.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id BAA05557 for ; Sat, 15 Jul 2000 01:41:40 -0400 (EDT) Message-ID: <396FB283.86D8F63C@mindspring.com> Date: Sat, 15 Jul 2000 00:38:27 +0000 
From: Mark Bitting X-Mailer: Mozilla 4.7 [en] (Win95; I) X-Accept-Language: en MIME-Version: 1.0 To: FreeBSD-SECURITY Subject: Buh-bye Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'll wait for the advisories to show up at LWN. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 15 1: 5:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from jason.argos.org (a13c249.neo.rr.com [204.210.212.249]) by hub.freebsd.org (Postfix) with ESMTP id A771137B76C for ; Sat, 15 Jul 2000 01:05:51 -0700 (PDT) (envelope-from mike@argos.org) Received: from localhost (mike@localhost) by jason.argos.org (8.10.1/8.10.1) with ESMTP id e6F852B24873; Sat, 15 Jul 2000 04:05:02 -0400 Date: Sat, 15 Jul 2000 04:05:02 -0400 (EDT) 
From: Mike Nowlin To: Dave McKay Cc: FreeBSD Security , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD User Security Advisory: FreeBSD-SA-00:BG In-Reply-To: <20000714210633.A16306@elvis.mu.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > Topic: The Brett Glass user can DOS the FreeBSD mailing lists. Come on, people -- use some common sense... If you don't think that Brett's suggestions are useful (I haven't read them, so no opinions here as to their validity or his postings - I'm skipping these whole threads), just IGNORE them. Talk about adding fuel to the fire... In the two threads in question ("Two Kinds of Advisories" and "Displacement of Blame"), here's some stats as of right now: TKoB: 47 messages, 7 by BG DoB: 57 messages, 10 by BG Somehow, I don't think that he would have repeatedly responded to silence. Quit complaining about him clogging the list - BG's not the only one at fault here... --mike (combustible entity #492256 in the last week) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 15 2:16:20 2000 Delivered-To: freebsd-security@freebsd.org Received: from kira.epconline.net (kira.epconline.net [209.83.132.2]) by hub.freebsd.org (Postfix) with ESMTP id 278C337BC11 for ; Sat, 15 Jul 2000 02:16:18 -0700 (PDT) (envelope-from carock@kira.epconline.net) Received: from localhost (carock@localhost) by kira.epconline.net (8.9.3/8.9.3) with ESMTP id EAA59485 for ; Sat, 15 Jul 2000 04:16:16 -0500 (CDT) Date: Sat, 15 Jul 2000 04:16:15 -0500 (CDT) 
From: Chuck Rock To: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD User Security Advisory: FreeBSD-SA-00:BG In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Maybe if FreeBSD wasn't so trouble free people would have real issues to talk about. See there's a good side here too... :) Chuck Rock EPC On Sat, 15 Jul 2000, James Wyatt wrote: > Does the fact that everyone posts their responses with the *FULL* text of > the original message while complaining of waste strike folks as ironic? > The original advisory *was* a cheap shot and Jordan's tone wasn't too > professional as well. Lastly, this kind of advisory can make us look > stupid or trigger customer questions about how serious FreeBSD is. > > I really agree with Matt. Can this stuff just go away? - Jy@ > > On Fri, 14 Jul 2000, Matt Heckaman wrote: > > For someone claiming to be bitching about ... this very thing, you seem to > > do a good job propagating it yourself. This is beyond immature, hiding > > behind a hotmail account is rather lame as well. Are you not confident > > enough in your convictions to speak of them publicly without being an > > anonymous coward? Grow up, you certainly aren't making your case. > > > > This has just hit an all new low. > > > > On Fri, 14 Jul 2000, FreeBSD Security wrote: > > > > : Date: Fri, 14 Jul 2000 21:14:00 -0400 > > : 
From: FreeBSD Security > > : To: freebsd-security@freebsd.org > > : Subject: FreeBSD User Security Advisory: FreeBSD-SA-00:BG > > : > > : -----BEGIN PGP SIGNED MESSAGE----- > > : > > : ============================================================================= > > : FreeBSD-SA-00:BG Security Advisory > > : FreeBSD, > > : Inc. > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 15 3:24:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from tandem.milestonerdl.com (tandem.milestonerdl.com [204.107.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 16FD737C423 for ; Sat, 15 Jul 2000 03:23:41 -0700 (PDT) (envelope-from marc@milestonerdl.com) Received: from tandem (tandem [204.107.138.1]) by tandem.milestonerdl.com (8.10.0/8.10.0) with ESMTP id e6FANYL37254; Sat, 15 Jul 2000 05:23:34 -0500 (CDT) Date: Sat, 15 Jul 2000 05:23:33 -0500 (CDT) 
From: Marc Rassbach To: Mark Bitting Cc: FreeBSD-SECURITY Subject: Re: Buh-bye In-Reply-To: <396FB283.86D8F63C@mindspring.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks for sharing. (are you upset that e-mail bandwidth was wasted on non-security topics, and if so, how did your message help?) On Sat, 15 Jul 2000, Mark Bitting wrote: > I'll wait for the advisories to show up at LWN. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 15 4:28:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from mout0.freenet.de (mout0.freenet.de [194.97.50.131]) by hub.freebsd.org (Postfix) with ESMTP id 67FBD37B7A5 for ; Sat, 15 Jul 2000 04:28:07 -0700 (PDT) (envelope-from netchild@leidinger.net) Received: from [194.97.50.136] (helo=mx3.freenet.de) by mout0.freenet.de with esmtp (Exim 3.15 #1) id 13DQ70-0006mj-00; Sat, 15 Jul 2000 13:28:02 +0200 Received: from a2c54.pppool.de ([213.6.44.84] helo=Magelan.Leidinger.net) by mx3.freenet.de with esmtp (Exim 3.15 #1) id 13DQ6z-0002vQ-00; Sat, 15 Jul 2000 13:28:01 +0200 Received: from Leidinger.net (netchild@localhost [127.0.0.1]) by Magelan.Leidinger.net (8.9.3/8.9.3) with ESMTP id NAA01794; Sat, 15 Jul 2000 13:02:01 +0200 (CEST) (envelope-from netchild@Leidinger.net) Message-Id: <200007151102.NAA01794@Magelan.Leidinger.net> Date: Sat, 15 Jul 2000 13:01:56 +0200 (CEST) 
From: Alexander Leidinger Subject: Re: RFC for Advisories? To: bokr@accessone.com Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <3.0.5.32.20000714142038.00908650@mail.accessone.com> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 14 Jul, Bengt Richter wrote: > There are a lot of RFCs for automated notifications over the internet. > Perhaps it would be useful to think of security advisories in this light. [...] > Establishment of a standard, platform-independent (sectioned to distinguish > generic vs platform/version-specific info) format suitable for human skimming > and automated processing could have widespread benefits (IMHO). [...] > HTIU (Hope this is useful) I think securityfocus is a much better place to make such a (good) system-independent proposal. Please go ahead and share your ideas with them. Bye, Alexander. -- Press every key to continue. http://www.Leidinger.net Alexander @ Leidinger.net GPG fingerprint = 7423 F3E6 3A7E B334 A9CC B10A 1F5F 130A A638 6E7E To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 15 8:53: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id D9A7F37BBA7 for ; Sat, 15 Jul 2000 08:53:00 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id LAA15666; Sat, 15 Jul 2000 11:52:56 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Sat, 15 Jul 2000 11:52:56 -0400 (EDT) 
From: Robert Watson X-Sender: robert@fledge.watson.org To: Bengt Richter Cc: freebsd-security@FreeBSD.ORG Subject: Re: RFC for Advisories? (Was Re: Newer/Two kinds of advisories?) In-Reply-To: <3.0.5.32.20000714142038.00908650@mail.accessone.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 14 Jul 2000, Bengt Richter wrote: > "NOTICE: vulnscand has received and authenticated advisory , > and has (per vulnscand.conf auto option) disabled execution of > / > due to a level 7.2 ('Immediate Action Urgent') vulnerability. > Type vulnscan -i for full info." I've thought through this idea a few times, and it has come up every now and then on various lists. So here's my spin on some of the ideas in your e-mail. Machine-readable advisories are generally accepted as a good idea, allowing them to be conveniently pulled into databases and managed. If you want to propose such a cross-platform format, I'm sure there would be widespread interest. In particular, you may want to attempt to measure the machine-readableness of the existing advisory formats from various vendors and determine if they are adequate, and if not, in what ways not. You might succeed in persuading the industry as a whole to adopt the format, and you would probably garner support from a number of groups. That said, the idea of automated response is a worrying one. Generally speaking, I would feel uncomfortable having no human sitting between the FreeBSD-generated advisory and the implementation of the workaround. There are concerns about potential abuse, denial of service, as well as timing issues, and management issues. 
A distributed management mechanism that could read in an approved advisory and apply that change across a cluster of FreeBSD boxes would be useful, but if the bug is in the kerberos libraries, I certainly wouldn't want an automated disabling of all remote login mechanisms across a cluster of 400 headless boxes :-). Any form of automated upgrade has its dangers -- there have been times where I have purposefully not tracked the front edge of -STABLE or -CURRENT to avoid feature changes that would damage the service-providing capabilities of a box. I certainly wouldn't want an automated tool performing that upgrade. Even with human intervention, this would introduce a new upgrade path that would have to be carefully integrated and well-understood. Dealing with this mechanism would probably require first dealing with the base system install and upgrade issues--the two mechanisms should be the same. A first useful step would be if the advisory could be read in, and your vulnerability automatically assessed. You would be informed if the relevant library were installed, what binaries depended on it, if the port was installed, and if so what depended on it. This all requires us to be more concise about describing the vulnerability and its potential effects. Ideally, all of this should be able to occur in an automated manner -- the SO identifies a library or binary increasing risk, and to a large extent the grunt-work of identifying dependencies and generating a risk report would be automated. There are some vulnerability scanning products that claim to support automated correction. It would be worth looking at those to see what, if anything, they do to solve the problem. 
Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 15 8:54:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from obie.softweyr.com (obie.softweyr.com [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 7557437B7E0; Sat, 15 Jul 2000 08:54:38 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from softweyr.com (Foolstrustident!@homer.softweyr.com [204.68.178.39]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id JAA05235; Sat, 15 Jul 2000 09:54:36 -0600 (MDT) (envelope-from wes@softweyr.com) Message-ID: <396F3408.22A29617@softweyr.com> Date: Fri, 14 Jul 2000 09:38:48 -0600 
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 4.0-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: Robert Watson Cc: Kris Kennaway , Frank Tobin , security@FreeBSD.ORG Subject: Re: Two kinds of advisories? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Robert Watson wrote: > > On Thu, 13 Jul 2000, Kris Kennaway wrote: > > > This is already apparent from the "FreeBSD only: NO" in most of the 33 > > advisories this year, but it's not professional to name the other > > platforms explicitly (besides the fact that we can't always be sure, as I > > learned once the hard way when I overestimated the severity of a NetBSD > > vulnerability). > > Absolutely. I see anything other than a claim about it being specific to > us as being unprofessional. I've seen some other advisories from other > groups that rashly claim things like, ``Affects all other UNIX operating > systems,'' which is almost always false :-). The best we can do is > declare whether or not we believe there is the potential for affecting > other operating systems or not, and accept that the bug affects us. Precisely. I'd like to thank Kris, Warner, and anyone else involved in the Security team for the professional quality of the FreeBSD Security Advisories, and for the volume of them and the work that represents. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 15 9:28: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id BBBAC37B5E2 for ; Sat, 15 Jul 2000 09:28:02 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id MAA16004 for ; Sat, 15 Jul 2000 12:28:00 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Sat, 15 Jul 2000 12:28:00 -0400 (EDT) 
From: Robert Watson X-Sender: robert@fledge.watson.org To: freebsd-security@FreeBSD.org Subject: syslog and stopping name lookup for remote logging Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Right now, I believe syslogd attaches the hostname of the source of a network-sourced log message. Needless to say, this can be a disadvantage, as DNS spoofing and IP spoofing are both easy, but IP spoofing can be stopped at the border router, whereas DNS spoofing is just dumb. I was wondering if anyone had patches to force syslogd to use the IP address instead? (-n or something) If not, I'll go ahead and write them. Thanks! Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 15 14:59:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from obie.softweyr.com (obie.softweyr.com [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 5A6B537B516 for ; Sat, 15 Jul 2000 14:59:33 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from softweyr.com (Foolstrustident!@homer.softweyr.com [204.68.178.39]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id PAA05864; Sat, 15 Jul 2000 15:57:59 -0600 (MDT) (envelope-from wes@softweyr.com) Message-ID: <3970DF32.6D988E56@softweyr.com> Date: Sat, 15 Jul 2000 16:01:22 -0600 
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 4.0-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: Mike Nowlin Cc: Dave McKay , FreeBSD Security , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD User Security Advisory: FreeBSD-SA-00:BG References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Mike Nowlin wrote: > > > > Topic: The Brett Glass user can DOS the FreeBSD mailing lists. > > Come on, people -- use some common sense... > > If you don't think that Brett's suggestions are useful (I haven't read > them, so no opinions here as to their validity or his postings - I'm > skipping these whole threads), just IGNORE them. > > Talk about adding fuel to the fire... In the two threads in question > ("Two Kinds of Advisories" and "Displacement of Blame"), here's some > stats as of right now: > > TKoB: 47 messages, 7 by BG > DoB: 57 messages, 10 by BG > > Somehow, I don't think that he would have repeatedly responded to > silence. Quit complaining about him clogging the list - BG's not the only > one at fault here... Yes, it seems that the BrettGlass attack is an "amplifying reflector", like the multicast TCP ACK in the Stream attack. Since we can't quench the source, it seems that rate-limiting the replies is the most effective protection. I've been trying... ;^) -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/

From owner-freebsd-security Sat Jul 15 15:25:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hecky.it.northwestern.edu (hecky.acns.nwu.edu [129.105.16.51]) by hub.freebsd.org (Postfix) with ESMTP id 2BF2237B5BF for ; Sat, 15 Jul 2000 15:25:35 -0700 (PDT) (envelope-from djkanter@northwestern.edu)
Received: (from mailnull@localhost) by hecky.it.northwestern.edu (8.8.7/8.8.7) id RAA22166 for ; Sat, 15 Jul 2000 17:25:34 -0500 (CDT)
Received: from localhost.localdomain (coconut-30-028050.nuts.nwu.edu [165.124.28.50]) by hecky.acns.nwu.edu via smap (V2.0) id xma022150; Sat, 15 Jul 00 17:25:25 -0500
Received: (from david@localhost) by localhost.localdomain (8.9.3/8.9.3) id RAA43593 for freebsd-security@freebsd.org; Sat, 15 Jul 2000 17:25:24 -0500 (CDT) (envelope-from david)
Date: Sat, 15 Jul 2000 17:25:24 -0500
From: "David J. Kanter"
To: FreeBSD security
Subject: Is KerberosIV in base 4.X system?
Message-ID: <20000715172524.A43579@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
X-Organization: Northwestern University
X-Operating-System: FreeBSD localhost.localdomain 4.0-STABLE FreeBSD 4.0-STABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm confused as to whether KerberosIV is a part of the 4.X base system.

I have programs like kinit and kdestroy, so I'm assuming it is (and is a
part of the new base crypto system). But then why are there variables in
make.conf regarding versions IV and V?

Thanks.

--
David Kanter djkanter@northwestern.edu

From owner-freebsd-security Sat Jul 15 15:27: 7 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id AF76737B7C7; Sat, 15 Jul 2000 15:27:04 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA05968; Sat, 15 Jul 2000 15:27:04 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Sat, 15 Jul 2000 15:27:04 -0700 (PDT)
From: Kris Kennaway
To: "David J. Kanter"
Cc: FreeBSD security
Subject: Re: Is KerberosIV in base 4.X system?
In-Reply-To: <20000715172524.A43579@localhost.localdomain>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 15 Jul 2000, David J. Kanter wrote:

> I'm confused as to whether KerberosIV is a part of the 4.X base system.

It is, if you choose to install it :-)

> I have programs like kinit and kdestroy, so I'm assuming it is (and is a
> part of the new base crypto system). But then why are there variables in
> make.conf regarding versions IV and V?

Sounds like you did. KerberosIV is an optional part of the system which
you don't have to install if you don't want/need to.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Sat Jul 15 17:43:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 4B96E37B53E for ; Sat, 15 Jul 2000 17:43:42 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id SAA20490; Sat, 15 Jul 2000 18:43:25 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000715183431.04e2a580@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sat, 15 Jul 2000 18:43:23 -0600
To: Wes Peters
From: Brett Glass
Subject: The Flame Blame Game
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <3970DF32.6D988E56@softweyr.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 04:01 PM 7/15/2000, Wes Peters wrote:

>Yes, it seems that the BrettGlass attack is an "amplifying reflector",
>like the multicast TCP ACK in the Stream attack. Since we can't quench
>the source, it seems that rate-limiting the replies is the most effective
>protection.

Actually, the problem is simpler: Certain people seem to be engaging in
what I call the "Flame Blame Game." Here's how it works:

1) Wait for the target to post an opinion in an online forum.

2) Turn the topic (even if it is legitimate) into an irritating flame war
that wastes time and bandwidth. Drown out any VALID remarks, regardless
of the source, with annoying flames.

3) Blame the flame war on the target and encourage others to see him or
her as a troublemaker, filter his or her messages, and/or eject him or
her from the list.

The target is in a tough spot. If he does NOT respond to the nasty
messages posted by the flamer(s), then the flamers have effectively
silenced him. If he DOES respond, he's seen as fanning the flames. Either
way, blame is laid on him rather than upon the guilty parties -- UNLESS
people see through the ruse.

I've seen this happen to other folks, on other lists, and apparently the
meme has spread.

--Brett

From owner-freebsd-security Sat Jul 15 19:25:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hecky.it.northwestern.edu (hecky.acns.nwu.edu [129.105.16.51]) by hub.freebsd.org (Postfix) with ESMTP id A236737B5DC; Sat, 15 Jul 2000 19:25:25 -0700 (PDT) (envelope-from djkanter@northwestern.edu)
Received: (from mailnull@localhost) by hecky.it.northwestern.edu (8.8.7/8.8.7) id VAA27565; Sat, 15 Jul 2000 21:25:24 -0500 (CDT)
Received: from localhost.localdomain (coconut-40-028060.nuts.nwu.edu [165.124.28.60]) by hecky.acns.nwu.edu via smap (V2.0) id xma027553; Sat, 15 Jul 00 21:25:17 -0500
Received: (from david@localhost) by localhost.localdomain (8.9.3/8.9.3) id VAA43923; Sat, 15 Jul 2000 21:25:15 -0500 (CDT) (envelope-from david)
Date: Sat, 15 Jul 2000 21:25:15 -0500
From: "David J. Kanter"
To: Kris Kennaway
Cc: FreeBSD security
Subject: Re: Is KerberosIV in base 4.X system?
Message-ID: <20000715212515.A43881@localhost.localdomain>
References: <20000715172524.A43579@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from kris@FreeBSD.ORG on Sat, Jul 15, 2000 at 03:27:04PM -0700
X-Organization: Northwestern University
X-Operating-System: FreeBSD localhost.localdomain 4.0-STABLE FreeBSD 4.0-STABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Jul 15, 2000 at 03:27:04PM -0700, Kris Kennaway wrote:
> > I'm confused as to whether KerberosIV is a part of the 4.X base system.
>
> It is, if you choose to install it :-)
>
> > I have programs like kinit and kdestroy, so I'm assuming it is (and is a
> > part of the new base crypto system). But then why are there variables in
> > make.conf regarding versions IV and V?
>
> Sounds like you did.
---end quoted text---

Then why, if MAKE_KERBEROS4 is commented out in /etc/defaults/make.conf
and /etc/make.conf, did I get KerberosIV installed? I'm not complaining,
just trying to understand.

Could it have been installed when I first installed 3.4-Release? (I remember
the installer program asking if I wanted to install the Kerberos libraries.
Maybe I just answered my own question.)

Since I seem to have KerberosIV, I tried compiling Fetchmail with KPOP
support. Used make MAKE_KERBEROS4=yes install, but fetchmail --configdump
doesn't show KPOP support (although it now does show ssl support).

--
David Kanter djkanter@northwestern.edu

From owner-freebsd-security Sat Jul 15 19:29:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 239D037B6AF for ; Sat, 15 Jul 2000 19:29:45 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id EAA08178; Sun, 16 Jul 2000 04:29:42 +0200 (CEST) (envelope-from des@flood.ping.uio.no)
To: "FreeBSD Security"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD User Security Advisory: FreeBSD-SA-00:BG
References: <20000715011400.49832.qmail@hotmail.com>
From: Dag-Erling Smorgrav
Date: 16 Jul 2000 04:29:41 +0200
In-Reply-To: "FreeBSD Security"'s message of "Sat, 15 Jul 2000 01:14:00 GMT"
Message-ID:
Lines: 14
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"FreeBSD Security" writes:
> A mailing list participant named Brett Glass has been in recent
> weeks posting crack smoking ideas to the lists generating a lot of

s/weeks/years/

> noise and rendering the mailing lists next to useless as a means
> of obtaining support and exchanging information.

s/support.*$/attention./

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Sat Jul 15 20:13: 6 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 1366337B5DA; Sat, 15 Jul 2000 20:13:01 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id UAA67329; Sat, 15 Jul 2000 20:13:01 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Sat, 15 Jul 2000 20:13:00 -0700 (PDT)
From: Kris Kennaway
To: "David J. Kanter"
Cc: FreeBSD security
Subject: Re: Is KerberosIV in base 4.X system?
In-Reply-To: <20000715212515.A43881@localhost.localdomain>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 15 Jul 2000, David J. Kanter wrote:

> Could it have been installed when I first installed 3.4-Release? (I remember
> the installer program asking if I wanted to install the Kerberos libraries.
> Maybe I just answered my own question.)

Probably.

> Since I seem to have KerberosIV, I tried compiling Fetchmail with KPOP
> support. Used make MAKE_KERBEROS4=yes install, but fetchmail --configdump
> doesn't show KPOP support (although it now does show ssl support).

MAKE_KERBEROS4 is for controlling 'make world'. I don't know how (or if)
the fetchmail port supports it. See however Security Advisory 00-33

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Sat Jul 15 23:41:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from obie.softweyr.com (obie.softweyr.com [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 2EE2037B5DA; Sat, 15 Jul 2000 23:41:08 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from softweyr.com (Foolstrustident!@homer.softweyr.com [204.68.178.39]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id AAA06831; Sun, 16 Jul 2000 00:40:57 -0600 (MDT) (envelope-from wes@softweyr.com)
Message-ID: <397159C8.76E5E29@softweyr.com>
Date: Sun, 16 Jul 2000 00:44:24 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 4.0-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Brett Glass
Cc: Robert Watson , Susie Ward , security@FreeBSD.ORG
Subject: Re: Two kinds of advisories?
References: <4.3.2.7.2.20000713132400.04b73af0@localhost> <4.3.2.7.2.20000713135632.04b63890@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass wrote:
>
> Personally, I'm very glad for the advisories -- you may recall
> that I returned from my honeymoon to find a system rooted due
> to a QPopper exploit. I only wish that the CDs were updated
> quickly enough to prevent more copies of exploitable ports
> from going out! (People who install from the CDs often don't
> know how to pick up new ports, and it's not obvious from the
> sysinstall UI.) But if the advisory said:
>
> Security Advisory: Remote root exploit in wu-ftpd (FreeBSD-SA-00:29)
>
> it'd produce fewer calls from nervous clients.

This looks like a good proposal to me. In order to do this, we must first
verify the vulnerability is in the ported application, wu-ftpd in this
case, and not in the FreeBSD-specific modifications (patches etc.), but
I can see that this does tie the problem more closely to wu-ftpd and less
closely to FreeBSD in the eyes of someone scanning the advisories.

I'm not sure, Brett, that this would really help your situation that much.
From the way you describe your clients, it seems they're probably not
capable of discerning the difference unless you spoon-feed it to them.
Maybe you could make a bar graph or a pie chart for them? ;^)

If your clients aren't clueful enough to know how to upgrade something
like qpopper or wu-ftpd from ports, they should be clueful enough to pay
you a few hundred dollars to do it for them. If they've been warned and
chose to ignore the warnings, that's their choice.
They paid their money, now they get to collect their prize.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/