From owner-freebsd-announce Mon Mar 19 12:48:40 2001
Delivered-To: freebsd-announce@freebsd.org
Received: from winston.osd.bsdi.com (winston.osd.bsdi.com [204.216.27.229])
    by hub.freebsd.org (Postfix) with ESMTP id 6EF9837B719
    for ; Sun, 18 Mar 2001 00:49:12 -0800 (PST)
    (envelope-from jkh@osd.bsdi.com)
Received: from localhost (jkh@localhost [127.0.0.1])
    by winston.osd.bsdi.com (8.11.2/8.11.1) with ESMTP id f2I8m3H66492
    for ; Sun, 18 Mar 2001 00:48:03 -0800 (PST)
    (envelope-from jkh@osd.bsdi.com)
To: announce@freebsd.org
Subject: This mailing list, its charter and purpose.
X-Mailer: Mew version 1.94.1 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20010318004803T.jkh@osd.bsdi.com>
Date: Sun, 18 Mar 2001 00:48:03 -0800
From: Jordan Hubbard
X-Dispatcher: imput version 20000228(IM140)
Lines: 51
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

As the FreeBSD handbook states in Internet Resources section:

"This is the mailing list for people interested only in occasional announcements of significant FreeBSD events. This includes announcements about snapshots and other releases. It contains announcements of new FreeBSD capabilities. It may contain calls for volunteers etc. This is a low volume, strictly moderated mailing list."

This, of course, leaves the question of just what constitutes a "significant FreeBSD event" somewhat poorly defined. This message is an attempt to clarify that somewhat.

The FreeBSD-announce subscription list currently has some 22,000 entries in it, a large number of which are mailing lists which contain even more users of their own. Suffice it to say that a very conservative estimate would put the total readership of this list well above 50,000 individuals scattered across many different countries.
This means that whatever gets posted to it has to have some *global* relevance or a large percentage of these 50,000+ people will not benefit from your posting at all.

At various times in the past, certain material such as announcements for local user group meetings has also been posted to this list, resulting in a situation where shivering people up beyond the Arctic circle see messages like "The Gresham Oregon FreeBSD User's Group (GOFUG) will be meeting at the Fosters Freeze tonite at 8:00, everyone please be sure to bring one goat and a CD in order that ..." It's just not widely relevant to FreeBSD or the "average" FreeBSD user as a whole and it's something which will be strongly discouraged from now on.

This should not be taken as a rebuke to those -announce users who were never quite clear on this before and may now feel accused of having done something evil and wicked. As I said above, the charter has always left this ill-defined and so freebsd-announce, which never sees a lot of traffic anyway, simply got used for such purposes.

A good example of an "appropriate" use of freebsd-announce would be to shout about a truly announce-worthy new feature, service or product which applies to FreeBSD users world-wide. If someone were to port FreeBSD to the IBM 3090, for example, that would certainly be a rather announce-worthy event. If a major ISV like Oracle were to suddenly offer FreeBSD-native versions of their commercial products on the open market, that would be another. The availability of each major release of FreeBSD, for that matter, falls into that category. I think you all get the idea.

With apologies to all for any previous misunderstandings on this topic,

- Jordan

----- End forwarded message -----

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities, important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Thu Mar 22 13:12:46 2001
Delivered-To: freebsd-announce@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP
    id BD32F37B71B; Thu, 22 Mar 2001 13:12:32 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
    by freefall.freebsd.org (8.11.1/8.11.1) id f2MLCWm14901;
    Thu, 22 Mar 2001 13:12:32 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Date: Thu, 22 Mar 2001 13:12:32 -0800 (PST)
Message-Id: <200103222112.f2MLCWm14901@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:30.ufs-ext2fs
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:30                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          UFS/EXT2FS allows disclosure of deleted data

Category:       kernel
Module:         ufs/ext2fs
Announced:      2001-03-22
Credits:        Sven Berkvens , Marc Olzheim
Affects:        All released versions of FreeBSD 3.x, 4.x.
                FreeBSD 3.5-STABLE prior to the correction date.
                FreeBSD 4.2-STABLE prior to the correction date.
Corrected:      2000-12-22 (FreeBSD 3.5-STABLE)
                2000-12-22 (FreeBSD 4.2-STABLE)
FreeBSD only:   NO

I.   Background

UFS is the Unix File System, used by default on FreeBSD systems and many other UNIX variants. EXT2FS is a filesystem used by default on many Linux systems, which is also available on FreeBSD.

II.  Problem Description

There exists a data consistency race condition which allows users to obtain access to areas of the filesystem containing data from deleted files. The filesystem code is supposed to ensure that all filesystem blocks are zeroed before becoming available to user processes, but in a certain specific case this zeroing does not occur, and unzeroed blocks are passed to the user with their previous contents intact. Thus, if the block contains data which used to be part of a file or directory to which the user did not have access, the operation results in unauthorized access of data.

All versions of FreeBSD 3.x and 4.x prior to the correction date including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this problem. This problem is not specific to FreeBSD systems and is believed to exist on many filesystems.

This problem was corrected prior to the forthcoming release of FreeBSD 4.3.

III. Impact

Unprivileged users may obtain access to data which was part of deleted files.

IV.  Workaround

None appropriate.

V.   Solution

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after the respective correction dates.

To patch your present system: download the relevant patch from the below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:30/fs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:30/fs.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply against FreeBSD 3.5.1-RELEASE, FreeBSD 4.1.1-RELEASE and FreeBSD 4.2-RELEASE. It may or may not apply to older, unsupported releases.

# cd /usr/src
# patch -p < /path/to/patch

Rebuild and reinstall your kernel as described in the FreeBSD handbook at the following URL:

http://www.freebsd.org/handbook/kernelconfig.html

and reboot for the changes to take effect.
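
The verify-then-patch steps from the Solution section of FreeBSD-SA-01:30, written as a shell function that refuses to touch the source tree unless the detached signature checks out. This is an added example, not part of the advisory or of any FreeBSD tooling; the function names, the keyring argument and the use of GnuPG's gpgv and of -p0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes GnuPG's gpgv is installed and
# that the keyring argument is a file you exported yourself (gpg --export)
# holding only the signer's key, after checking its fingerprint out of band.

abspath() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s\n' "$PWD/$1" ;;
    esac
}

# apply_verified_patch PATCH SIGNATURE KEYRING SRCDIR
# Returns 2 on missing inputs, 1 on a failed signature check,
# otherwise the exit status of patch.
apply_verified_patch() {
    patch_file=$(abspath "$1")   # e.g. fs.patch
    sig_file=$(abspath "$2")     # e.g. fs.patch.asc
    keyring=$(abspath "$3")      # full path: gpgv looks up slash-less names in its homedir
    src_dir=$4                   # e.g. /usr/src

    for f in "$patch_file" "$sig_file" "$keyring"; do
        if [ ! -s "$f" ]; then
            echo "refusing: $f is missing or empty" >&2
            return 2
        fi
    done
    if [ ! -d "$src_dir" ]; then
        echo "refusing: no source tree at $src_dir" >&2
        return 2
    fi

    # gpgv accepts only signatures made by a key in the given keyring and
    # treats every key there as trusted; it does not check expiry or
    # revocation, so keep that keyring small and current.
    if ! gpgv --keyring "$keyring" "$sig_file" "$patch_file" >/dev/null 2>&1; then
        echo "refusing: signature on $patch_file did not verify" >&2
        return 1
    fi

    # -p0 is an assumption standing in for the advisory's bare "-p".
    (cd "$src_dir" && patch -p0 < "$patch_file")
}
```

Called as `apply_verified_patch fs.patch fs.patch.asc /path/to/trusted.gpg /usr/src`, it leaves the tree untouched on any non-zero return, so the kernel rebuild should only follow a zero exit status.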