From owner-freebsd-security Sun Feb 4 22:24:10 2001
From: Alexandr Goncharov
Date: Mon, 5 Feb 2001 13:23:48 +0700
To: freebsd-security@freebsd.org
Subject: 3.5-STABLE & bind 8.2.3 - Whats is?
Message-ID: <20010205132348.A6070@tomsknet.ru>

Hi!

I cvsup'ed my system to 3.5-STABLE on 02.02.2001. Now uname -a reports:

  FreeBSD dale.tomsknet.ru 3.5-STABLE FreeBSD 3.5-STABLE #0: Fri Feb 2 13:13:06 KRAT 2001
      root@dale.tomsknet.ru:/usr/src/sys/compile/DALE  i386

After make world and rebooting the system:

  ; <<>> DiG 8.3 <<>> @127.0.0.1 version.bind CHAOS TXT
  ; (1 server found)
  ;; res options: init recurs defnam dnsrch
  ;; got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUERY SECTION:
  ;;      version.bind, type = TXT, class = CHAOS

  ;; ANSWER SECTION:
  VERSION.BIND.  0S CHAOS TXT  "8.2.3-REL"
                               ^^^^^^^^^^^

  ;; Total query time: 6 msec
  ;; FROM: dale.tomsknet.ru to SERVER: 127.0.0.1
  ;; WHEN: Mon Feb 5 12:57:11 2001
  ;; MSG SIZE  sent: 30  rcvd: 64

OK. I hope it is good. But today, 05.02.2001, named died. In the log I found the following lines:

  Feb 5 10:13:31 dale named[147]: /usr/src/lib/libbind/../../contrib/bind/lib/isc/ev_timers.c:114: INSIST(now.tv_usec >= 0 && now.tv_usec < 1000000) failed.
  Feb 5 10:13:31 dale named[147]: /usr/src/lib/libbind/../../contrib/bind/lib/isc/ev_timers.c:114: INSIST(now.tv_usec >= 0 && now.tv_usec < 1000000) failed.
  Feb 5 10:13:34 dale /kernel: pid 147 (named), uid 0: exited on signal 6 (core dumped)

What is this? And why does it report about *.c files?

Now, after "ndc start", named works. For how long? When is the next crash?

-- 
Alexandr V. Goncharov, | Digital Networks, Tomsktelecom
AGV-RIPE,              | agv@tomsknet.ru
AGV3-RIPN              | phone: +7(382-2)662510

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 4 23:47:18 2001
From: Erwan Arzur
Organization: NetValue Ltd.
Date: Mon, 05 Feb 2001 15:45:58 +0800
To: Sam Wun
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: packets in ipmon
Message-ID: <3A7E5A36.5A3B66EA@netvalue.com>
References: <00c901c08a66$5f1ce3c0$0101a8c0@pavilion> <3A789196.B9771209@esec.com.au>

Sam Wun wrote:
> 
> Hi,
> 
> I am wondering which part of the output from the ipmon message indicates
> the number of packets that have been blocked?
> for example:
> 
> Feb 1 09:25:14 swun ipmon[55]: 09:25:14.540972 dc0 @0:18 b 203.21.85.29,631 -> 203.21.85.255,631 PR udp len 20 34816 IN
> 
> Thanks
> Sam

Feb 5 04:11:03 gate ipmon[229]: 04:11:03.386880 2x xl0 @0:33 b xxx.xxx.xxx.xxx,25057 -> yyy.yyy.yyy.yyy,53 PR udp len 20 15616 IN
                                                ^^

It's just after the timestamp part.

-- 
Erwan Arzur
NetValue ltd.

From owner-freebsd-security Mon Feb 5 6: 8:23 2001
From: Mikel King
Organization: OCS Internet
Date: Mon, 05 Feb 2001 09:08:25 -0500
To: jeff
Cc: security@FreeBSD.ORG
Subject: Re: ftp
Message-ID: <3A7EB3D9.E4D797DC@ocsinternet.com>
References: <000e01c08d51$0b9ed580$0200a8c0@mshome.net>

jeff,

    http://www.ocsny.com/main/index.ocs?url=ftpchroot

cheers,
mikel

jeff wrote:

> I'm looking for an ftp client that will keep the user in their home dir.
> A lot of the new ftp software is letting users browse the server's
> other dirs. Any scripts I can use that would handle this issue?
> Jeff Gray cfm
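Erwan Arzur's answer above is the repeat counter: the optional "Nx" field right after the ipmon timestamp, and a line without it stands for a single packet. To make that concrete, here is an added example in Go; it is not code from the thread or from IP Filter. It parses ipmon's syslog lines into fields and sums blocked packets per "@group:rule", honouring the counter. The field layout assumed is the one visible in the two lines quoted in the thread; the sample lines are constructed (the two from the thread, plus a passed TCP connection and a port-less ICMP echo so every branch of the parser is exercised), and the "dd/mm/yyyy" prefix alternative is an assumption about ipmon writing to a file instead of syslog.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Entry is one ipmon packet line in the short form IP Filter logs via syslog:
//   hh:mm:ss.uuuuuu [Nx] ifname @group:rule action src[,sport] -> dst[,dport] PR proto len hlen plen [flags] IN|OUT
// "Nx" is ipmon's repeat counter: N identical packets collapsed into one line.
type Entry struct {
	Time    string
	Count   int    // packets this line stands for; 1 when there is no "Nx" field
	Iface   string
	Group   int
	Rule    int
	Action  string // b = blocked, p = passed, S = short, n = no match, L = log
	Src     string
	SrcPort int // 0 for protocols without ports, e.g. icmp
	Dst     string
	DstPort int
	Proto   string
	HdrLen  int
	PktLen  int
	Dir     string // IN or OUT
}

var lineRE = regexp.MustCompile(
	`^(?:.*?ipmon\[\d+\]: |\d\d/\d\d/\d{4} )?` + // syslog prefix, or (assumed) ipmon's own date stamp when writing to a file
		`(\d\d:\d\d:\d\d\.\d+) (?:(\d+)x )?(\S+) @(\d+):(\d+) ([bpSnL]) ` +
		`(\S+?)(?:,(\d+))? -> (\S+?)(?:,(\d+))? PR (\w+) len (\d+) (\d+)(?: .*?)? (IN|OUT)\b`)

func atoi(s string) int { n, _ := strconv.Atoi(s); return n }

// Parse decodes one line; ok is false for lines that are not packet records.
func Parse(line string) (e Entry, ok bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Entry{}, false
	}
	e = Entry{Time: m[1], Count: 1, Iface: m[3], Group: atoi(m[4]), Rule: atoi(m[5]),
		Action: m[6], Src: m[7], SrcPort: atoi(m[8]), Dst: m[9], DstPort: atoi(m[10]),
		Proto: m[11], HdrLen: atoi(m[12]), PktLen: atoi(m[13]), Dir: m[14]}
	if m[2] != "" {
		e.Count = atoi(m[2]) // "2x" stands for two packets, not one
	}
	return e, true
}

// Blocked sums blocked packets (not lines), in total and per "@group:rule",
// honouring the repeat counter.
func Blocked(lines []string) (total int, byRule map[string]int) {
	byRule = map[string]int{}
	for _, l := range lines {
		e, ok := Parse(l)
		if !ok || e.Action != "b" {
			continue
		}
		key := fmt.Sprintf("@%d:%d", e.Group, e.Rule)
		byRule[key] += e.Count
		total += e.Count
	}
	return total, byRule
}

// Sample is constructed: the two lines quoted in the thread, plus a passed
// TCP connection and a port-less ICMP echo, so every branch of Parse is hit.
var Sample = []string{
	"Feb 1 09:25:14 swun ipmon[55]: 09:25:14.540972 dc0 @0:18 b 203.21.85.29,631 -> 203.21.85.255,631 PR udp len 20 34816 IN",
	"Feb 5 04:11:03 gate ipmon[229]: 04:11:03.386880 2x xl0 @0:33 b xxx.xxx.xxx.xxx,25057 -> yyy.yyy.yyy.yyy,53 PR udp len 20 15616 IN",
	"Feb 5 04:11:05 gate ipmon[229]: 04:11:05.000123 xl0 @0:2 p 192.0.2.10,1025 -> 192.0.2.1,22 PR tcp len 20 60 -S OUT",
	"Feb 5 04:11:09 gate ipmon[229]: 04:11:09.442211 3x xl0 @0:33 b 192.0.2.77 -> 192.0.2.1 PR icmp len 20 84 icmp 8/0 IN",
}

func main() {
	total, byRule := Blocked(Sample)
	fmt.Printf("blocked packets: %d, by rule: %v\n", total, byRule)
}
```

Counting lines instead of honouring the "Nx" field undercounts a flood badly, since ipmon collapses identical consecutive packets into one record; the tally above reports six blocked packets from three blocked lines.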
From owner-freebsd-security Mon Feb 5 8:19:18 2001
From: Wes Peters
Organization: Softweyr LLC
Date: Mon, 05 Feb 2001 09:22:24 -0700
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: bind8.2.3 and installation problem
Message-ID: <3A7ED340.68D8BE62@softweyr.com>

Roger Marquis wrote:
> 
> Wes Peters wrote:
> > > Bind was written on BSD.  What's the point of using a port to
> > > upgrade it?  All FreeBSD's bind port does is increase your chances
> > > of errors, reduce your system's overall QA, and install duplicate
> > > files in non-standard places.
> > 
> > You completely and utterly fail to understand how the ports system works.
> > What FreeBSD's bind port really does is decrease your chance of errors,
> > increase your system's overall QA, install all of the bind configuration
> > and executable files in standard FreeBSD locations, track which files
> > were installed and allow you to deinstall them simply, and provide a
> > one-stop upgrade path.
> 
> Wes, I believe you "utterly fail to understand" the level of quality
> assurance in FreeBSD's ports collection.

I understand it completely, having provided a few of them myself.
There is no implied "audit" of ports; most of them are simply the attempt
of the port maintainer to make the program compile and install easily
under FreeBSD.

> Certainly ports are vastly
> better than Linux rpms but they have more than enough bugs to render
> such blind faith ill-advised.
> 
> Install bind first via ports and then via the bind-supplied Makefile.
> You may find, as I did, that the port _increases_ your chances of

No.

> errors and _does_not_ install files in their original locations.

Correct, it installs them in *FreeBSD standard* locations.  I fail to
see how this increases the chance of errors.

> The only feature this particular port adds, when it works, is a
> log under /var/db/pkg that's easier to parse than `make -n`.
> 
> I've been a big fan of ports since 2.0.5.  They are, IMHO, FreeBSD's
> best feature.  However, that does not mean they should be trusted
> like a Windows setup.exe.

Oh, yeah, because Windows setup.exe files never have bugs or viruses
attached, right?  You have a perverse idea of security.

-- 
            "Where am I, and what am I doing in this handbasket?"
Wes Peters                                                     Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Mon Feb 5 12: 5:55 2001
From: Markus Holmberg
Date: Mon, 5 Feb 2001 21:05:00 +0100
To: freebsd-security@freebsd.org
Cc: freebsd-ports@freebsd.org
Subject: Package integrity check?
Message-ID: <20010205210459.A2479@acc.umu.se>

Hello.

Is there any way to perform an integrity check on packages that are fetched
with "pkg_add -r "?

(Similarly to building a package manually with a trusted /usr/ports and
checksumming downloaded files)

I assume there is no way to do integrity checking on packages, which
leads me to the question if the general opinion among the security
conscious is that packages (from untrusted parties, like any ftp site on
the mirror list) should not be used at all?

Markus

-- 
Markus Holmberg      | Give me Unix or give me a typewriter.
markush@acc.umu.se   | http://www.freebsd.org/

From owner-freebsd-security Mon Feb 5 16: 2:35 2001
From: Damien O'Connell
Date: Tue, 6 Feb 2001 10:43:29 +1100
To: "'freebsd-security@freebsd.org'"
Subject: subscribe

------------------------------------------------------------
This e-mail may be confidential. Any opinions expressed herein are the
opinion of the writer unless there is an express indication to the
contrary. If you are not the intended recipient of this communication
please delete and destroy all copies and immediately reply by return
e-mail. Ipex ITG disclaims all liability and responsibility for any
direct or indirect loss arising from this e-mail and/or any attachments.

From owner-freebsd-security Mon Feb 5 17:38:55 2001
From: "Khairuddin Ghani"
Date: Mon, 5 Feb 2001 17:40:57 -0800
Subject: dynamic ipfw ruleset to deny outgoing icmp attacks

Hi there.

I have a 4.2-S machine which lacks an upstream firewall to the net.  While
letting FreeBSD's ICMP_BANDLIM do its work, I also want to be able to
disallow users from sending outgoing ICMP packets with malicious intent,
while still allowing innocent users to use ping(8)/etc.

How would I set up my ipfw ruleset for this scenario, if possible?

Also, what other concerns should I have regarding other net protocols to
avoid incoming/outgoing attacks?

Regards and thanks,
Khairuddin.
From owner-freebsd-security Mon Feb 5 22:24:49 2001
From: Wes Peters
Organization: Softweyr LLC
Date: Mon, 05 Feb 2001 23:33:26 -0700
To: Markus Holmberg
Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: Package integrity check?
Message-ID: <3A7F9AB6.5CAA983B@softweyr.com>
References: <20010205210459.A2479@acc.umu.se>

Markus Holmberg wrote:
> 
> Hello.
> 
> Is there any way to perform an integrity check on packages that are fetched
> with "pkg_add -r "?
> 
> (Similarly to building a package manually with a trusted /usr/ports and
> checksumming downloaded files)
> 
> I assume there is no way to do integrity checking on packages, which
> leads me to the question if the general opinion among the security
> conscious is that packages (from untrusted parties, like any ftp site on
> the mirror list) should not be used at all?

I have package signing tools, integrated into the pkg_ commands, sitting
on Freefall waiting to be committed.  They let you sign a package with
an MD5 checksum (this mechanism is a little weird, inherited from the
OpenBSD code), a PGP signature (this code is also inherited from OpenBSD,
uses PGP 2.xx command line tools, and kinda sucks in my opinion) and
X.509 signatures.

If you need it, I'll go ahead and commit what I have.  I opened a
discussion about this on the -ports mailing list a while ago, which
immediately veered off into outer space.  I haven't committed these bits
since then, but am willing to do so now.  We could discuss some of the
sensible things people asked for and add them after the fact.  For
instance, somebody mentioned that pkg_info should report if the package
is signed or not; pkg_add should (perhaps optionally) refuse to install
a signed package whose signature does not match.

What is not clear is whether it is OK to force pkg_add and pkg_info to
link against the crypto libraries, or if they should call the pkg_check
executable (if it is installed) to do the work.

-- 
            "Where am I, and what am I doing in this handbasket?"
Wes Peters                                                     Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Mon Feb 5 22:39:41 2001
From: -Digger
Date: Tue, 6 Feb 2001 11:46:30 +0500 (KGT)
To: Khairuddin Ghani
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: dynamic ipfw ruleset to deny outgoing icmp attacks

hi,

> Also, what other concerns should I have regarding other net protocols to
> avoid incoming/outgoing attacks?

look in /usr/ports/security/portsentry, /usr/ports/security/snort

---
-Digger, BOFH ;)
Telecommunication Centre of KRSU
ICQ# 48385535
SOAP: ildar@krsu.edu.kg

From owner-freebsd-security Mon Feb 5 22:48:14 2001
From: Wes Peters
Organization: Softweyr LLC
Date: Mon, 05 Feb 2001 23:56:59 -0700
To: Markus Holmberg
Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: Package integrity check?
Message-ID: <3A7FA03B.D74270AD@softweyr.com>
References: <20010205210459.A2479@acc.umu.se>

Markus Holmberg wrote:
> 
> Hello.
> 
> Is there any way to perform an integrity check on packages that are fetched
> with "pkg_add -r "?

OK, I committed it.  Take a look, ask questions, let me know what you
think.  If nobody has a fit, I can actually wire this up in the
pkg_install/Makefile later this week.

-- 
            "Where am I, and what am I doing in this handbasket?"
Wes Peters                                                     Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Tue Feb 6 1:52: 2 2001
From: "Manager"
Date: Tue, 6 Feb 2001 10:50:10
Subject: 15% bonus for you!
Message-Id: <20010206095140.8F2AE37B684@hub.freebsd.org>

Dear Gambling Friends,

the time has come, we welcome you to the Abyss Online Casino.  We have
designed a new Online Casino for you, with the newest games available on
the net.  We guarantee the loosest slots on the net (98,5 % payout).

- No download
- New Account Bonuses!!

When you open a new account, the Abyss Casino will give you a BONUS of up
to 15% on your initial deposit!  That's right!  Register now and deposit
up to $500 in your new account, and you'll receive an automatic 15% bonus.
Click here for details: http://www.abysscasino.com/bonus_page.htm?vip

Now, in addition to the 15 % first deposit bonus, Abyss Casino is offering
a 5 % bonus to all deposits after the first.  Watch out for upcoming
promotions and special offers.

We wish you good luck and we are more than happy to welcome you at
http://www.abysscasino.com, your first choice in Online Entertainment.

If you have any questions please e-mail us at: manager@abysscasino.com

Lucie Dollinger
Promotion Dept.
Abyss Online Casino

Please note that you have received this e-mail because you have signed up
to one of our gaming sites or portals.  If you don't wish to receive
promotional e-mails, just e-mail abysscasino@yahoo.com subject=Remove

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

From owner-freebsd-security Tue Feb 6 2:14:39 2001
From: Roman Shterenzon
Organization: Xpert UNIX Systems Ltd.
Date: Tue, 6 Feb 2001 12:13:57 +0200 (IST)
To: Wes Peters
Cc: Markus Holmberg
Subject: Re: Package integrity check?
In-Reply-To: <3A7F9AB6.5CAA983B@softweyr.com>

On Mon, 5 Feb 2001, Wes Peters wrote:

> Markus Holmberg wrote:
> > 
> > Hello.
> > 
> > Is there any way to perform an integrity check on packages that are fetched
> > with "pkg_add -r "?
> > 
> > (Similarly to building a package manually with a trusted /usr/ports and
> > checksumming downloaded files)
> > 
> > I assume there is no way to do integrity checking on packages, which
> > leads me to the question if the general opinion among the security
> > conscious is that packages (from untrusted parties, like any ftp site on
> > the mirror list) should not be used at all?
> 
> I have package signing tools, integrated into the pkg_ commands, sitting
> on Freefall waiting to be committed.
They let you sign a package with > an MD5 checksum (this mechanism is a little weird, inherited from the > OpenBSD code), a PGP signature (this code is also inherited from OpenBSD, > uses PGP 2.xx command line tools, and kinda sucks in my opinion) and Hmm.. GnuPG flags suppport would be nice. --Roman Shterenzon, UNIX System Administrator and Consultant [ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 6 4:56:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from twizors.rug.ac.be (twizors.rug.ac.be [157.193.55.153]) by hub.freebsd.org (Postfix) with ESMTP id 4610037B65D for ; Tue, 6 Feb 2001 04:56:00 -0800 (PST) Received: from localhost (ageorges@localhost) by twizors.rug.ac.be (8.9.3/8.9.3) with ESMTP id NAA63180 for ; Tue, 6 Feb 2001 13:50:23 +0100 (CET) (envelope-from ageorges@twizors.rug.ac.be) Date: Tue, 6 Feb 2001 13:50:23 +0100 (CET) From: Andy Georges To: freebsd-security@freebsd.org Subject: subscribe Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 6 7:27:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id D019837B4EC; Tue, 6 Feb 2001 07:27:27 -0800 (PST) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id KAA31832; Tue, 6 Feb 2001 10:26:58 -0500 (EST) (envelope-from wollman) Date: Tue, 6 Feb 2001 10:26:58 -0500 (EST) From: Garrett Wollman Message-Id: <200102061526.KAA31832@khavrinen.lcs.mit.edu> To: Wes Peters Cc: freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG Subject: Re: Package 
integrity check? In-Reply-To: <3A7F9AB6.5CAA983B@softweyr.com> References: <20010205210459.A2479@acc.umu.se> <3A7F9AB6.5CAA983B@softweyr.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > We could discuss some of the sensible things people asked for and > add them after the fact. We also need to be very clear about what it means for a package to be signed -- particularly in light of laws in the US and elsewhere giving legal status to digital signatures. If there's one good thing to be said about X.509, there's a lot of ways to stick signed blobs of text into those certificates.... -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 6 9: 4:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 74DB337B401; Tue, 6 Feb 2001 09:04:13 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14QBbz-0000AU-00; Tue, 06 Feb 2001 10:09:03 -0700 Message-ID: <3A802FAF.792F61F5@softweyr.com> Date: Tue, 06 Feb 2001 10:09:03 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Garrett Wollman Cc: freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG Subject: Re: Package integrity check? References: <20010205210459.A2479@acc.umu.se> <3A7F9AB6.5CAA983B@softweyr.com> <200102061526.KAA31832@khavrinen.lcs.mit.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Garrett Wollman wrote: > > < said: > > > We could discuss some of the sensible things people asked for and > > add them after the fact. 
> > We also need to be very clear about what it means for a package to be > signed -- particularly in light of laws in the US and elsewhere giving > legal status to digital signatures. If there's one good thing to be > said about X.509, there's a lot of ways to stick signed blobs of text > into those certificates.... That's pretty much at the discretion of the parties signing and verifying the packages. One of the signatures is a simple SHA1 crypto checksum, that implies little other than you got what the package creator put together to a fair degree of certainty. Everyone reading this thread should note that the signature exists ONLY in the gzip header for a .tgz package; no attempt is made to sign the extracted onto the system or anything like that. It is the package that is signed, not the application. OTOH, the idea of signed executables intrigues me... -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 6 10: 3: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 19E1337B491; Tue, 6 Feb 2001 10:02:43 -0800 (PST) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id NAA33086; Tue, 6 Feb 2001 13:02:08 -0500 (EST) (envelope-from wollman) Date: Tue, 6 Feb 2001 13:02:08 -0500 (EST) From: Garrett Wollman Message-Id: <200102061802.NAA33086@khavrinen.lcs.mit.edu> To: Wes Peters Cc: freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG Subject: Re: Package integrity check? 
In-Reply-To: <3A802FAF.792F61F5@softweyr.com> References: <20010205210459.A2479@acc.umu.se> <3A7F9AB6.5CAA983B@softweyr.com> <200102061526.KAA31832@khavrinen.lcs.mit.edu> <3A802FAF.792F61F5@softweyr.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > One of the signatures is a simple SHA1 crypto checksum, > that implies little other than you got what the package creator put > together to a fair degree of certainty. Erm, no. It implies that whomever last modified (read: trojaned) the package knew enough to update the checksum. This provides no additional security, unless: 1) Whatever process generates and checksums the packages also makes and signs a master list of all the checksums from each package, and 2) Whatever process installs software from the package compares its checksum against this master list, and verifies the signature of the master list. I think that this would be both useful and worthwhile, but again, we need to make sure that legally we are not promising anything other than ``these packages have not been modified since generation''. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 6 16:41: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 290B837B401; Tue, 6 Feb 2001 16:40:38 -0800 (PST) Received: from nisser.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id BAA94762; Wed, 7 Feb 2001 01:40:16 +0100 (CET) (envelope-from roelof@nisser.com) Message-ID: <3A809970.EC5D31FF@nisser.com> Date: Wed, 07 Feb 2001 01:40:16 +0100 From: Roelof Osinga Organization: Nisser - Nr. 
1 in Veiligheid X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U) X-Accept-Language: en,pdf MIME-Version: 1.0 To: Wes Peters Cc: Garrett Wollman , freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG Subject: Re: Package integrity check? References: <20010205210459.A2479@acc.umu.se> <3A7F9AB6.5CAA983B@softweyr.com> <200102061526.KAA31832@khavrinen.lcs.mit.edu> <3A802FAF.792F61F5@softweyr.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Wes Peters wrote: > > ... > That's pretty much at the discretion of the parties signing and verifying > the packages. One of the signatures is a simple SHA1 crypto checksum, > that implies little other than you got what the package creator put > together to a fair degree of certainty. That - 'simple' - was not my impression. I 'needed' to implement both MD-4/5 and SHA-1 in Delphi a while ago and the thing that struck me from the FIPS notes was that it claimed - hah, here's the print-out - the following properties: "it is computationally infeasible to find a message which corresponds to a given MD, or to find two different messages which produce the same MD." That's pretty plain language. It does not say "it is CURRENTLY...". Nope. Just that it is infeasible. Then again, I'm neither a lawyer nor a cryptologist so... > ... > "Where am I, and what am I doing in this handbasket?" I dunno. Are those snoring noses coincedential? Roelof -- Home is where the (@) http://eboa.com/ is. 
Nisser home -- http://www.Nisser.com/

From owner-freebsd-security Tue Feb 6 23:33:12 2001
Message-ID: <3A80FC43.AE335524@softweyr.com>
Date: Wed, 07 Feb 2001 00:41:55 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Roelof Osinga
Cc: Garrett Wollman, freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG
Subject: Re: Package integrity check?
References: <20010205210459.A2479@acc.umu.se> <3A7F9AB6.5CAA983B@softweyr.com> <200102061526.KAA31832@khavrinen.lcs.mit.edu> <3A802FAF.792F61F5@softweyr.com> <3A809970.EC5D31FF@nisser.com>

Roelof Osinga wrote:
> 
> Wes Peters wrote:
> > 
> > ...
> > That's pretty much at the discretion of the parties signing and verifying
> > the packages. One of the signatures is a simple SHA1 crypto checksum,
> > that implies little other than you got what the package creator put
> > together to a fair degree of certainty.
> 
> That - 'simple' - was not my impression. I 'needed' to implement
> both MD-4/5 and SHA-1 in Delphi a while ago and the thing that
> struck me from the FIPS notes was that it claimed - hah, here's the
> print-out - the following properties: "it is computationally
> infeasible to find a message which corresponds to a given MD,
> or to find two different messages which produce the same MD."
> 
> That's pretty plain language. It does not say "it is CURRENTLY...".
> Nope. Just that it is infeasible. Then again, I'm neither a
> lawyer nor a cryptologist so...

A "simple SHA1" as opposed to "digital certificate that contains data
other than the crypto checksum."

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Wed Feb 7 0: 3:15 2001
Date: Wed, 07 Feb 2001 00:00:36 -0800
From: Kris Kennaway
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:14.micq
In-reply-to: <20010203121643.C40178@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Feb 03, 2001 at 12:16:43PM -0800
To: Kris Kennaway
Cc: Igor Roshchin, security-officer@FreeBSD.ORG, security@FreeBSD.ORG
Message-id: <20010207000036.A21383@mollari.cthul.hu>
References: <200102031829.NAA71216@giganda.komkon.org> <20010203121643.C40178@xor.obsecurity.org>

On Sat, Feb 03, 2001 at 12:16:43PM -0800, Kris Kennaway wrote:
> On Sat, Feb 03, 2001 at 01:29:39PM -0500, Igor Roshchin wrote:
> > 
> > Hello!
> > 
> > micq packages (at least for 3-stable and 4-stable) are not
> > available yet.
> > 
> > Is it that they just haven't been generated yet, or
> > somebody forgot about them ?
> 
> They're generated automatically by bento.freebsd.org. I don't know
> what's going on, they should be getting built (bento doesn't complain
> about any build errors).

Packages are now available..

Kris

From owner-freebsd-security Wed Feb 7 6:57: 2 2001
Message-ID: <00a101c09116$49dca980$4c00000a@sage>
Reply-To: "Rossen Raykov"
From: "Rossen Raykov"
Subject: ipfw question
Date: Wed, 7 Feb 2001 09:57:27 -0500
Organization: SageConsult, Princeton

Hi All,

I have the following lines in my firewall config file (fragment from ipfw show):

03010 108 10919 allow udp from local.ip to any
50000 0 0 allow udp from any 40000-50000 to local.ip 40000-50000
50001 21 1694 allow log logamount 1024 udp from any to any

And I have the following records in security log:

Feb 7 08:49:33 myhost /kernel: ipfw: 50001 Accept UDP forien.ip.1:4000 local.ip:49160 in via dc0
Feb 7 08:49:42 myhost last message repeated 10 times
Feb 7 08:52:10 myhost last message repeated 2 times
Feb 7 09:00:34 myhost last message repeated 7 times
Feb 7 09:02:34 myhost /kernel: ipfw: 50001 Accept UDP forien.ip.2:4000 local.ip:49160 in via dc0

My question is why those packets were not captured from rule 50000 but from 50001?
Thanks,
Rossen

From owner-freebsd-security Wed Feb 7 6:59:39 2001
Date: Wed, 7 Feb 2001 09:59:21 -0500
From: Chris Faulhaber
To: Rossen Raykov
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw question
Message-ID: <20010207095921.A61787@peitho.fxp.org>
References: <00a101c09116$49dca980$4c00000a@sage>
In-Reply-To: <00a101c09116$49dca980$4c00000a@sage>; from rraykov@sageian.com on Wed, Feb 07, 2001 at 09:57:27AM -0500

On Wed, Feb 07, 2001 at 09:57:27AM -0500, Rossen Raykov wrote:
> Hi All,
> 
> I have the following lines in my firewall config file (fragment from ipfw
> show):
> 
> 03010 108 10919 allow udp from local.ip to any
> 50000 0 0 allow udp from any 40000-50000 to local.ip 40000-50000
> 50001 21 1694 allow log logamount 1024 udp from any to any
> 
> And I have the following records in security log:
> 
> Feb 7 08:49:33 myhost /kernel: ipfw: 50001 Accept UDP forien.ip.1:4000
> local.ip:49160 in via dc0
> Feb 7 08:49:42 myhost last message repeated 10 times
> Feb 7 08:52:10 myhost last message repeated 2 times
> Feb 7 09:00:34 myhost last message repeated 7 times
> Feb 7 09:02:34 myhost /kernel: ipfw: 50001 Accept UDP forien.ip.2:4000
> local.ip:49160 in via dc0
> 
> My question is why those packets were not captured from rule 50000 but from
> 50001?

Because they don't originate in the 40000-50000 range?

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Wed Feb 7 7: 0:15 2001
From: Fernando Schapachnik
Message-Id: <200102071501.MAA23282@ns1.via-net-works.net.ar>
Subject: Re: ipfw question
In-Reply-To: <00a101c09116$49dca980$4c00000a@sage> "from Rossen Raykov at Feb 7, 2001 09:57:27 am"
To: Rossen Raykov
Date: Wed, 7 Feb 2001 12:01:41 -0300 (ART)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik

In a previous message, Rossen Raykov wrote:
> Hi All,
> 
> I have the following lines in my firewall config file (fragment from ipfw
> show):
> 
> 03010 108 10919 allow udp from local.ip to any
> 50000 0 0 allow udp from any 40000-50000 to local.ip 40000-50000
> 50001 21 1694 allow log logamount 1024 udp from any to any
> 
> And I have the following records in security log:
> 
> Feb 7 08:49:33 myhost /kernel: ipfw: 50001 Accept UDP forien.ip.1:4000
> local.ip:49160 in via dc0

Origin port is 4000 and rule 50000 says 40000.

Regards.

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

From owner-freebsd-security Wed Feb 7 7: 0:49 2001
Date: Wed, 7 Feb 2001 16:58:45 +0200
From: Peter Pentchev
To: Rossen Raykov
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw question
Message-ID: <20010207165845.P487@ringworld.oblivion.bg>
References: <00a101c09116$49dca980$4c00000a@sage>
In-Reply-To: <00a101c09116$49dca980$4c00000a@sage>; from rraykov@sageian.com on Wed, Feb 07, 2001 at 09:57:27AM -0500

On Wed, Feb 07, 2001 at 09:57:27AM -0500, Rossen Raykov wrote:
> Hi All,
> 
> I have the following lines in my firewall config file (fragment from ipfw
> show):
> 
> 03010 108 10919 allow udp from local.ip to any
> 50000 0 0 allow udp from any 40000-50000 to local.ip 40000-50000
> 50001 21 1694 allow log logamount 1024 udp from any to any
> 
> And I have the following records in security log:
> 
> Feb 7 08:49:33 myhost /kernel: ipfw: 50001 Accept UDP forien.ip.1:4000
> local.ip:49160 in via dc0
> Feb 7 08:49:42 myhost last message repeated 10 times
> Feb 7 08:52:10 myhost last message repeated 2 times
> Feb 7 09:00:34 myhost last message repeated 7 times
> Feb 7 09:02:34 myhost /kernel: ipfw: 50001 Accept UDP forien.ip.2:4000
> local.ip:49160 in via dc0
> 
> My question is why those packets were not captured from rule 50000 but from
> 50001?

Are you sure you've listed your firewall rules right? Rule 50000
wants the incoming packet to be between 40,000 and 50,000, and
a source port of 4,000 is definitely less than 40,000 :)

G'luck,
Peter

-- 
This inert sentence is my body, but my soul is alive, dancing in the sparks of your brain.

From owner-freebsd-security Wed Feb 7 7:16:47 2001
Message-ID: <00bd01c09119$0aff5750$4c00000a@sage>
Reply-To: "Rossen Raykov"
From: "Rossen Raykov"
References: <00a101c09116$49dca980$4c00000a@sage> <20010207165845.P487@ringworld.oblivion.bg>
Subject: Re: ipfw question
Date: Wed, 7 Feb 2001 10:17:11 -0500
Organization: SageConsult, Princeton

Looks like I can not count zeros :(
(I'm going for a cup of coffee...)

Thanks!
----- Original Message -----
Sent: Wednesday, February 07, 2001 9:58 AM
Subject: Re: ipfw question

> On Wed, Feb 07, 2001 at 09:57:27AM -0500, Rossen Raykov wrote:
> > Hi All,
> > 
> > I have the following lines in my firewall config file (fragment from ipfw
> > show):
> > 
> > 03010 108 10919 allow udp from local.ip to any
> > 50000 0 0 allow udp from any 40000-50000 to local.ip 40000-50000
> > 50001 21 1694 allow log logamount 1024 udp from any to any
> > 
> > And I have the following records in security log:
> > 
> > Feb 7 08:49:33 myhost /kernel: ipfw: 50001 Accept UDP forien.ip.1:4000
> > local.ip:49160 in via dc0
> > Feb 7 08:49:42 myhost last message repeated 10 times
> > Feb 7 08:52:10 myhost last message repeated 2 times
> > Feb 7 09:00:34 myhost last message repeated 7 times
> > Feb 7 09:02:34 myhost /kernel: ipfw: 50001 Accept UDP forien.ip.2:4000
> > local.ip:49160 in via dc0
> > 
> > My question is why those packets were not captured from rule 50000 but from
> > 50001?
> 
> Are you sure you've listed your firewall rules right? Rule 50000
> wants the incoming packet to be between 40,000 and 50,000, and
> a source port of 4,000 is definitely less than 40,000 :)
> 
> G'luck,
> Peter
> 
> -- 
> This inert sentence is my body, but my soul is alive, dancing in the sparks of your brain.
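Why the logged packet hit rule 50001 rather than 50000, as an added example that is neither ipfw code nor from the thread: a minimal model of ipfw's first-match walk over the three rules quoted above. A constructed address stands in for local.ip, and the interface/direction qualifiers ("in via dc0") are not modelled.

```python
"""First-match evaluation of the three posted 'ipfw show' rules.

Added example, not ipfw source. Only the rule grammar the posted lines use
is parsed: action, optional 'log logamount N', protocol, 'from' host with
optional port or port range, 'to' host with optional port or port range.
"""
import re
from dataclasses import dataclass

LOCAL_IP = "192.0.2.10"        # constructed stand-in for 'local.ip'
FOREIGN_IP = "198.51.100.7"    # constructed stand-in for 'forien.ip.1'


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    sports: tuple   # (low, high) inclusive, or None for any source port
    dst: str
    dports: tuple   # (low, high) inclusive, or None for any destination port


# One line of 'ipfw show': number, packet and byte counters, then the rule.
RULE_RE = re.compile(
    r"^(\d+)\s+\d+\s+\d+\s+(allow|deny)(?:\s+log\s+logamount\s+\d+)?\s+(\w+)"
    r"\s+from\s+(\S+)(?:\s+(\d+(?:-\d+)?))?\s+to\s+(\S+)(?:\s+(\d+(?:-\d+)?))?$")


def parse_ports(spec):
    """'40000-50000' -> (40000, 50000); '53' -> (53, 53); None -> None."""
    if spec is None:
        return None
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    num, action, proto, src, sp, dst, dp = m.groups()
    return Rule(int(num), action, proto, src, parse_ports(sp), dst, parse_ports(dp))


def host_matches(spec, ip):
    return spec == "any" or spec == ip


def port_matches(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def first_match(rules, proto, src_ip, sport, dst_ip, dport):
    """Number of the first rule that matches, walking in rule-number order
    as ipfw does; None if nothing matched before the end of the list."""
    for r in sorted(rules, key=lambda rule: rule.number):
        if (r.proto in ("ip", proto)
                and host_matches(r.src, src_ip) and port_matches(r.sports, sport)
                and host_matches(r.dst, dst_ip) and port_matches(r.dports, dport)):
            return r.number
    return None


# The posted ruleset, with local.ip replaced by the constructed address.
POSTED_RULES = [parse_rule(line) for line in (
    f"03010 108 10919 allow udp from {LOCAL_IP} to any",
    f"50000 0 0 allow udp from any 40000-50000 to {LOCAL_IP} 40000-50000",
    "50001 21 1694 allow log logamount 1024 udp from any to any",
)]


def logged_packet_rule():
    """The logged packet: UDP forien.ip.1:4000 -> local.ip:49160, inbound.
    Source port 4000 lies outside 40000-50000, so rule 50000 cannot match."""
    return first_match(POSTED_RULES, "udp", FOREIGN_IP, 4000, LOCAL_IP, 49160)


def in_range_packet_rule():
    """The same flow with a source port inside 40000-50000."""
    return first_match(POSTED_RULES, "udp", FOREIGN_IP, 45000, LOCAL_IP, 49160)


if __name__ == "__main__":
    print("source port 4000  ->", logged_packet_rule())     # 50001
    print("source port 45000 ->", in_range_packet_rule())   # 50000
```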
From owner-freebsd-security Wed Feb 7 11:26:16 2001
Message-ID: <002301c0913d$8555d000$1717a8c0@netadmin>
From: "Casey Dinsmore"
Subject: Interesting ipfw response
Date: Wed, 7 Feb 2001 11:38:15 -0800

I've had a couple interesting entries in my log lately and wonder if someone could shed some light on these. How is it that they are being rejected with rule number -1? If I am having a problem with an ipfw ruleset could someone offer recommendations to fix and prevent this?

Feb 4 14:25:22 axisintegrated /kernel: ipfw: -1 Refuse UDP 64.80.89.149:27015 1.1.1.1:1261 in via de0
Feb 4 14:25:22 axisintegrated /kernel: ipfw: -1 Refuse UDP 64.80.89.149:27015 1.1.1.1:1261 in via de0
Feb 6 09:24:31 axisintegrated /kernel: ipfw: -1 Refuse TCP 207.189.165.105:12336 1.1.1.1:22866 in via de0
Feb 6 09:24:31 axisintegrated /kernel: ipfw: -1 Refuse TCP 207.189.165.105:0 1.1.1.1:0 in via de0
Feb 6 09:24:38 axisintegrated /kernel: ipfw: -1 Refuse TCP 207.189.165.105:12336 1.1.1.1:22871 in via de0
Feb 6 09:24:42 axisintegrated /kernel: ipfw: -1 Refuse TCP 207.189.165.105:12336 1.1.1.1:23089 in via de0
Feb 6 09:24:42 axisintegrated /kernel: ipfw: -1 Refuse TCP 207.189.165.105:0 1.1.1.1:0 in via de0
Feb 6 17:04:44 axisintegrated /kernel: ipfw: -1 Refuse TCP 207.189.165.30:65533 1.1.1.1:256 in via de0
Feb 6 17:04:44 axisintegrated /kernel: ipfw: -1 Refuse TCP 207.189.165.30:65533 1.1.1.1:1023 in via de0
Feb 6 17:04:44 axisintegrated /kernel: ipfw: -1 Refuse TCP 207.189.165.30:0 1.1.1.1:0 in via de0

My ip was changed to 1.1.1.1 obviously and the scanner IP address was not changed to protect the guilty.

Thanks
Casey Dinsmore
From owner-freebsd-security Wed Feb 7 11:29: 6 2001
Date: Wed, 7 Feb 2001 11:28:33 -0800 (PST)
Message-Id: <200102071928.f17JSXp03541@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:10.bind [REVISED]
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:10                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          bind remote denial of service [REVISED]

Category:       core, ports
Module:         bind
Announced:      2001-01-23
Revised:        2001-02-07
Credits:        Fabio Pietrosanti
Affects:        FreeBSD 3.x prior to the correction date.
                Ports collection prior to the correction date.
Corrected:      2000-11-27 (FreeBSD 3.5-STABLE)
                2001-01-05 (Ports collection)
Vendor status:  Updated version released
FreeBSD only:   NO

0.   Revision History

v1.0  2001-01-23  Initial release
v1.1  2001-02-07  Rerelease to note the far more serious problems described
                  in SA-01:18

I.   Background

bind is an implementation of the Domain Name System (DNS) protocols.

II.  Problem Description

NOTE: It has come to our attention that there are a great deal more users
downloading this advisory than the recently released SA-01:18, which also
deals with the bind software. The latter advisory details a far more
serious vulnerability, which affects all releases of FreeBSD, and it is
recommended that all DNS administrators read advisory SA-01:18 immediately.

A vulnerability exists with the bind nameserver dealing with compressed
zone transfers. Due to a problem with the compressed zone transfer (ZXFR)
implementation, if named is configured for zone transfers and recursive
resolving, it will crash after a ZXFR for the authoritative zone and a
query of a remote hostname. Since named is not configured under a watchdog
process which will automatically restart it after a failure, this will
lead to the denial of DNS service on the server.
All versions of FreeBSD 3.x prior to the correction date including
3.5.1-RELEASE are vulnerable to this problem. In addition, the bind8 port
in the ports collection is also vulnerable. FreeBSD 4.x is not affected
since it contains BIND 8.2.3.

III. Impact

Malicious remote users can cause the named daemon to crash, if it is
configured to allow zone transfers and recursive queries.

IV.  Workaround

A partial workaround can be implemented by disallowing zone transfers
except from trusted hosts. Note that if the trusted hosts are compromised
or contain malicious users, name servers with this bug will be vulnerable
to the denial of service attack.

V.   Solution

[Base system]

Upgrade your vulnerable FreeBSD system to 3.5.1-STABLE after the
correction date.

[Ports collection]

If you have chosen to install BIND from the ports collection and are using
it instead of the version in the base system, perform one of the following
steps:

1) Upgrade your entire ports collection and rebuild the bind8 port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/bind-8.2.2p7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/bind-8.2.2p7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/bind-8.2.2p7.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) download a new port skeleton for the bind8 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security Wed Feb 7 11:33:20 2001
Date: Wed, 7 Feb 2001 11:32:41 -0800 (PST)
Message-Id: <200102071932.f17JWfV04151@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw [REVISED]
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:08                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ipfw/ip6fw allows bypassing of 'established' keyword [REVISED]

Category:       core
Module:         kernel
Announced:      2001-01-23
Revised:        2001-02-07
Credits:        Aragon Gouveia
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE and 4.2-STABLE prior to the correction date.
Corrected:      2001-01-09 (FreeBSD 4.2-STABLE)
                  Patch regression existed between 2001-02-01 and 2001-02-03
                2001-01-12 (FreeBSD 3.5-STABLE)
FreeBSD only:   Yes

0.   Revision History

v1.0  2001-01-23  Initial release
v1.1  2001-02-07  Note accidental reversion of changes in 4.2-STABLE

I.   Background

ipfw is a system facility which allows IP packet filtering, redirecting,
and traffic accounting. ip6fw is the corresponding utility for IPv6
networks, included in FreeBSD 4.0 and above. It is based on an old version
of ipfw and does not contain as many features.

II.  Problem Description

Due to overloading of the TCP reserved flags field, ipfw and ip6fw
incorrectly treat all TCP packets with the ECE flag set as being part of
an established TCP connection, which will therefore match a corresponding
ipfw rule containing the 'established' qualifier, even if the packet is
not part of an established connection.

The ECE flag is not believed to be in common use on the Internet at
present, but is part of an experimental extension to TCP for congestion
notification. At least one other major operating system will emit TCP
packets with the ECE flag set under certain operating conditions.
Only systems which have enabled ipfw or ip6fw and use a ruleset containing
TCP rules which make use of the 'established' qualifier, such as "allow
tcp from any to any established", are vulnerable. The exact impact of the
vulnerability on such systems is undetermined and depends on the exact
ruleset in use.

All released versions of FreeBSD prior to the correction date including
FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable, but it was corrected prior
to the (future) release of FreeBSD 4.3.

Unfortunately, the security fix was accidentally reverted during a merge
of ipfw changes from FreeBSD 5.0-CURRENT. The regression existed between
the following dates:

Problem introduced: Thu, 1 Feb 2001 12:25:10 -0800 (PST)
Problem fixed:      Sat, 3 Feb 2001 21:49:00 -0800 (PST)

The affected revision was CVS revision 1.131.2.13 of
/usr/src/sys/netinet/ip_fw.c and the corrected revision is 1.131.2.14.
Note that revisions prior to 1.131.2.11 are vulnerable to the problem
described in this advisory. Version 1.131.2.11, and prior versions
patched using the original patch distributed with the advisory, are not
vulnerable to the problem.

To verify the CVS revision of your ip_fw.c file, perform the following
command:

mollari# ident /usr/src/sys/netinet/ip_fw.c
/usr/src/sys/netinet/ip_fw.c:
     $FreeBSD: src/sys/netinet/ip_fw.c,v 1.131.2.14 2001/02/04 05:48:59 rwatson Exp $

If you have revision 1.131.2.13, download the "regression" patch
described in section V below.

III. Impact

Remote attackers who construct TCP packets with the ECE flag set may
bypass certain ipfw rules, allowing them to potentially circumvent the
firewall.

The regression described above is actually a more serious vulnerability:
instead of only allowing packets with the ECE flag set, typically
requiring special tools, all TCP packets regardless of flags would be
passed by the ipfw rule.

IV.  Workaround

Because the vulnerability only affects 'established' rules and
ECE-flagged TCP packets, this vulnerability can be removed by adjusting
the system's rulesets. In general, it is possible to express most
'established' rules in terms of a general TCP rule (with no TCP flag
qualifications) and a 'setup' rule, but this may require some
restructuring and renumbering of the ruleset.

V.   Solution

One of the following:

1) Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE or
4.2-STABLE after the correction date.

2) Patch your present system by downloading the relevant patch from the
below location:

[FreeBSD 4.x - patch for regression introduced on 2001-02-01]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.2-regression.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.2-regression.patch.asc

[FreeBSD 4.x]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.x.patch.asc

[FreeBSD 3.x]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-3.x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-3.x.patch.asc

Verify the detached PGP signature using your PGP utility.

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cp /usr/src/sys/netinet/tcp.h /usr/src/sys/netinet/ip_fw.h /usr/include/netinet/
# cd /usr/src/sbin/ipfw
# make depend && make all install
# cd /usr/src/sys/modules/ipfw
# make depend && make all install

For 4.x systems, perform the following additional steps:

# cp /usr/src/sys/netinet6/ip6_fw.h /usr/include/netinet6/
# cd /usr/src/sbin/ip6fw
# make depend && make all install
# cd /usr/src/sys/modules/ip6fw
# make depend && make all install

NOTE: The ip6fw patches have not yet been tested but are believed to be
correct. The ip6fw software is not currently maintained and may be
removed in a future release.
If the system is using the ipfw or ip6fw kernel modules (see kldstat(8)),
the module may be unloaded and the corrected module loaded into the kernel
using kldload(8)/kldunload(8). This will require that the firewall rules
be reloaded, usually by executing the /etc/rc.firewall script. Because the
loading of the ipfw or ip6fw module will result in the system denying all
packets by default, this should only be attempted when accessing the
system via console or by careful use of a command such as:

# kldload ipfw && sh /etc/rc.firewall

which performs both operations sequentially.

Otherwise, if the system has ipfw or ip6fw compiled into the kernel, the
kernel will also have to be recompiled and installed, and the system will
have to be rebooted for the changes to take effect.

From owner-freebsd-security Wed Feb 7 11:35:34 2001
Date: Wed, 7 Feb 2001 11:34:55 -0800 (PST)
Message-Id: <200102071934.f17JYtL04378@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:11.inetd [REVISED]
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:11                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          inetd ident server allows remote users to partially read
                arbitrary wheel-accessible files [REVISED]

Category:       core
Module:         inetd
Announced:      2001-01-29
Revised:        2001-02-07
Credits:        dynamo
Affects:        FreeBSD 3.x (all releases)
                FreeBSD 4.x (all releases)
Corrected:      2000-11-25 (FreeBSD 4.2-STABLE)
                2001-01-26 (FreeBSD 3.5-STABLE)
FreeBSD only:   Yes

0.   Revision History

v1.0  2001-01-29  Initial release
v1.1  2001-01-29  Correctly credit original problem reporter
v1.2  2001-02-07  Include more details about vulnerability, correct patch
                  instructions

I.   Background

The inetd ident server is an implementation of the RFC1413 identification
server which returns the local username of the user connecting to a remote
service.

II.  Problem Description

During internal auditing, the internal ident server in inetd was found to
incorrectly set group privileges according to the user. Due to ident using
root's group permissions, users may read the first 16 (excluding initial
whitespace) bytes of wheel-accessible files. This is only true if the
internal ident service is run using the '-f' flag.

An additional problem with the '-f' flag is that under certain
circumstances the child inetd process can be made to block, potentially
allowing a resource starvation condition on the server.

All released versions of FreeBSD prior to the correction date including
FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable.

III. Impact

Users can read the first 16 bytes of wheel-accessible files.
To determine which may be potentially read, execute the following command
as root:

# find / -group wheel \( -perm -40 -a \! -perm +4 \) -ls

The inetd internal ident server is not enabled by default. If you have not
enabled the ident portion of inetd, you are not vulnerable.

IV.  Workaround

Disable the internal ident server, if enabled: comment out all lines
beginning with "auth" and which contain the '-f' option to the auth service
in /etc/inetd.conf, then restart inetd by sending it a SIGHUP:

# killall -HUP inetd

V.   Solution

One of the following:

Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after the
correction date.

To patch your present system: download the relevant patch from the below
location, and execute the following commands as root:

[FreeBSD 4.2 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/inetd
# make depend && make all install
# killall -HUP inetd

[FreeBSD 3.5.1 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch.asc

Verify the detached PGP signature using your PGP utility.
# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/inetd
# make depend && make all install
# killall -HUP inetd

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOoGjQFUuHi5z0oilAQHp+wP6Ai0vulXi0pMas+T6NhSd0VCyB+veEqKS
LqPvJG0Tb4j23qtBvNN9A6sHGVNopibFaj4nS06ztsCY7OX90uZPb1dRFkizIk5S
5BjQ6w4/ykvex5kTBm+O6rN2gtBk94h4ZzS3eqnjX9wkv+vjFdP83Z3vUKoCbI+x
2ZRgAJOrGyo=
=+57x
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Feb 7 11:39:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id B94F037B65D; Wed, 7 Feb 2001 11:39:13 -0800 (PST)
Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f17JdDS04961; Wed, 7 Feb 2001 11:39:13 -0800 (PST) (envelope-from security-advisories@FreeBSD.org)
Date: Wed, 7 Feb 2001 11:39:13 -0800 (PST)
Message-Id: <200102071939.f17JdDS04961@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
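The SA-01:11 workaround above (comment out every active "auth" line in /etc/inetd.conf that passes '-f', then HUP inetd) done as a repeatable check rather than by hand, as an added example that is neither the advisory's nor the FreeBSD Project's code. The inetd.conf fragment inside it is constructed for the example; the service fields and the "auth -r -f -n -o UNKNOWN -t 30" argument list are assumptions about what such a file looks like, not text taken from the advisory.

```shell
#!/bin/sh
# Added example, not part of SA-01:11. Audits an inetd.conf for the
# configuration the advisory describes (an active "auth" service run with
# the '-f' flag) and produces a copy with those lines commented out, which
# is the advisory's workaround. The sample file is constructed here.

# Constructed inetd.conf fragment: one active auth line with -f, one that is
# already commented out, and two unrelated services.
sample_inetd_conf() {
    cat <<'EOF'
#ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet   stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
auth     stream  tcp     nowait  root    internal        auth -r -f -n -o UNKNOWN -t 30
#auth    stream  tcp     nowait  root    internal        auth -r -f -n -o UNKNOWN -t 30
EOF
}

# Active (uncommented) auth lines whose arguments include -f. Exit status 0
# if any are found, 1 otherwise, so the function doubles as a check:
#   vulnerable_auth_lines /etc/inetd.conf && echo "ident with -f is enabled"
vulnerable_auth_lines() {
    grep -E '^[[:space:]]*auth[[:space:]]' "$1" |
        grep -E '[[:space:]]-f([[:space:]]|$)'
}

# Same file with exactly those lines commented out; every other line,
# including auth lines already commented or run without -f, is untouched.
disable_auth_f() {
    sed -E 's/^([[:space:]]*auth[[:space:]].*[[:space:]]-f([[:space:]]|$))/#\1/' "$1"
}

# Applying the workaround on a live system, as root:
#   disable_auth_f /etc/inetd.conf > /etc/inetd.conf.new &&
#   mv /etc/inetd.conf.new /etc/inetd.conf &&
#   killall -HUP inetd
```

Commenting the line out rather than deleting it keeps the original service definition in the file for when the patched inetd is installed; the advisory's `find` command remains the way to see what an unpatched, still-enabled ident server could have exposed.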
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:19.ja-xklock
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:19                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ja-xklock port contains a local root compromise

Category:       ports
Module:         ja-xklock
Announced:      2001-02-07
Credits:        Found during internal auditing
Affects:        Ports collection prior to the correction date.
Corrected:      See below.
Vendor status:  N/A
FreeBSD only:   No

I.   Background

The ja-xklock is a localized xlock clone, which locks an X display.

II.  Problem Description

The ja-xklock port, versions 2.7.1 and earlier, contains an exploitable
buffer overflow. Because the xklock program is also setuid root,
unprivileged local users may gain root privileges on the local system.

Because the ja-xklock port is unmaintained and due to the software's age,
this vulnerability has not yet been corrected. Additionally, the ja-xklock
port is scheduled for removal from the ports system if it has not been
audited and fixed within one month of discovery. In the event the
ja-xklock port is corrected, this advisory will be rereleased with updated
information.

The ja-xklock port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains over
4500 third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since
it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit of
the most security-critical ports.

III. Impact

Unprivileged local users may gain root privileges on the local system.
If you have not chosen to install the ja-xklock port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the ja-xklock port/package, if you have installed it.

V.   Solution

It is suggested that an alternative, such as xlock or xlockmore, is used
instead of the ja-xklock port.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOoGkUFUuHi5z0oilAQGzvwQAkiQisnaY94dUvy+a/RJoeY5j04yQf92u
P8I5aTWn6CfVP2a5xpRW8I2xRpJtiUAVzNmAYflW9gGgzQL9GXHy8roiaYMP+V7Y
X3zWhRV7Kb/L9jVKEGurwLaygF6m11AkmWUKbb8Hi95rzsJokTWA93MZK+exKfZ9
lFBOA3QC2vA=
=gIGE
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Feb 7 11:40:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gratis.grondar.za (grouter.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id E8A8E37B4EC for ; Wed, 7 Feb 2001 11:39:43 -0800 (PST)
Received: from grondar.za (root@gratis.grondar.za [196.7.18.133]) by gratis.grondar.za (8.11.1/8.11.1) with ESMTP id f17JcqC47079; Wed, 7 Feb 2001 21:39:05 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <200102071939.f17JcqC47079@gratis.grondar.za>
To: "David J. MacKenzie"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support patch for ftpd and fix for login
References: <14961.32333.212703.615370@jenkins.web.us.uu.net>
In-Reply-To: <14961.32333.212703.615370@jenkins.web.us.uu.net> ; from "David J. MacKenzie" "Fri, 26 Jan 2001 08:40:29 EST."
Date: Wed, 07 Feb 2001 21:39:21 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi

I've been watching with both interest and glee your PAM work. Up until now,
I've not had the time to do anything about it.

I've applied your patches to my CURRENT sources, and there is a bit of a
su(1) conflict. Sadly, it is a biggish patch. How to fix this?

I can give you an account on my home network if you don't have CURRENT
anywhere?

M
--
Mark Murray
Warning: this .sig is umop ap!sdn

PS - I work for UUNET (South Africa)! :-)

From owner-freebsd-security Wed Feb 7 11:42:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 748EC37B401; Wed, 7 Feb 2001 11:42:07 -0800 (PST)
Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f17Jg7N05262; Wed, 7 Feb 2001 11:42:07 -0800 (PST) (envelope-from security-advisories@FreeBSD.org)
Date: Wed, 7 Feb 2001 11:42:07 -0800 (PST)
Message-Id: <200102071942.f17Jg7N05262@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:20.mars_nwe
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:20                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          mars_nwe contains potential remote root compromise

Category:       ports
Module:         mars_nwe
Announced:      2001-02-07
Credits:        Przemyslaw Frasunek
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-30
Vendor status:  Vendor notified
FreeBSD only:   NO

I.   Background

mars_nwe is a Novell Netware server emulator.

II.  Problem Description

The mars_nwe port, versions prior to 0.99.b19_1, contains a remote format
string vulnerability. Because of this vulnerability, a malicious remote user
sending specially-crafted packets may be able to execute arbitrary code on
the local system, potentially gaining root access.

The mars_nwe port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains over
4500 third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since
it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit of
the most security-critical ports.

III. Impact

Malicious remote users may cause arbitrary code to be executed on the local
system, potentially gaining root access.

If you have not chosen to install the mars_nwe port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the mars_nwe port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the mars_nwe port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mars_nwe-0.99.b19_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/mars_nwe-0.99.b19_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/mars_nwe-0.99.b19_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/mars_nwe-0.99.b19_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/mars_nwe-0.99.b19_1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this
time due to lack of build resources.

3) download a new port skeleton for the mars_nwe port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOoGk4VUuHi5z0oilAQFwUAP9HAYPxR6z25Lg6QzlsWMBJt8UDx7JKZx8
bR4U9l6IFzNS3p4IgwtiFDrqfCNpRRBtWDrXYmpWdwL2g1cx6MGWLayCeGq6g1ha
MfKTTPlFrmSorXm6NdtcH33wDD05ScWQPCjhATJT3b4VxcbfmR1SEPxqXBOw6Whe
MFKc9SisWEc=
=m02+
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Feb 7 11:45:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id C672F37B4EC; Wed, 7 Feb 2001 11:44:59 -0800 (PST)
Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f17Jixq05555; Wed, 7 Feb 2001 11:44:59 -0800 (PST) (envelope-from security-advisories@FreeBSD.org)
Date: Wed, 7 Feb 2001 11:44:59 -0800 (PST)
Message-Id: <200102071944.f17Jixq05555@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:21.ja-elvis
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:21                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ja-elvis and ko-helvis ports contain a local root compromise

Category:       ports
Module:         ja-elvis/ko-helvis
Announced:      2001-02-07
Credits:        Found during internal auditing
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-28
Vendor status:  Vendor notified
FreeBSD only:   No

I.   Background

The ja-elvis and ko-helvis ports are localized versions of elvis, a vi
editor clone.

II.  Problem Description

The ja-elvis and ko-helvis ports, versions prior to ja-elvis-1.8.4_1 and
ko-helvis-1.8h2_1, contain an exploitable buffer overflow in the elvrec
utility. Because elvrec is setuid root, unprivileged local users may gain
root privileges on the local system.

The ja-elvis and ko-helvis ports are not installed by default, nor are they
"part of FreeBSD" as such: they are part of the FreeBSD ports collection,
which contains over 4500 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain
this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit of
the most security-critical ports.

III. Impact

Unprivileged local users may gain root privileges on the local system.

If you have not chosen to install the ja-elvis or ko-helvis ports/packages,
then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the ja-elvis or ko-helvis port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the ja-elvis or
ko-helvis port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]

[ja-elvis]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/japanese/ja-elvis-1.8.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/japanese/ja-elvis-1.8.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/japanese/ja-elvis-1.8.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/japanese/ja-elvis-1.8.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/japanese/ja-elvis-1.8.4_1.tgz

[ko-helvis]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/korean/ko-helvis-1.8h2_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/korean/ko-helvis-1.8h2_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/korean/ko-helvis-1.8h2_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/korean/ko-helvis-1.8h2_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/korean/ko-helvis-1.8h2_1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this
time due to lack of build resources.

3) download a new port skeleton for the ja-elvis or ko-helvis port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOoGlh1UuHi5z0oilAQE/ggP/QR9lSQtamdAZCI1WXR2HwwVgu+UITBdK
QCmYhia7H+YVRUp9Oiya1zZ/FyKQlz1VjoRVQEtU9jeHuo1tocABn6pobZLqc1z+
gyUHX6vbC4wNVB1PFMX6RYUCpP50K4/QS6kQmLJdspYteCE7om374QyKTzQgoObh
1FNmh60FcbI=
=uB1V
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Feb 7 12:38:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id A976537B4EC; Wed, 7 Feb 2001 12:38:11 -0800 (PST)
Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f17KcB513558; Wed, 7 Feb 2001 12:38:11 -0800 (PST) (envelope-from security-advisories@FreeBSD.org)
Date: Wed, 7 Feb 2001 12:38:11 -0800 (PST)
Message-Id: <200102072038.f17KcB513558@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:22.dc20ctrl
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:22                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          dc20ctrl port contains a locally exploitable buffer overflow
                yielding gid dialer

Category:       ports
Module:         dc20ctrl
Announced:      2001-02-07
Credits:        Found during internal auditing
Affects:        Ports collection prior to the correction date.
Corrected:      2001-02-07
Vendor status:  Vendor notified
FreeBSD only:   No

I.   Background

dc20ctrl is a program to control Kodak DC20 digital cameras.

II.  Problem Description

The dc20ctrl port, versions prior to 0.4_1, contains a locally exploitable
buffer overflow. Because the dc20ctrl program is also setgid dialer,
unprivileged local users may gain gid dialer on the local system. This may
allow the users to gain unauthorized access to the serial port devices.

The dc20ctrl port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains over
4500 third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since
it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit of
the most security-critical ports.

III. Impact

Unprivileged local users may gain increased privileges on the local system
including potentially unauthorized access to the serial port devices.

If you have not chosen to install the dc20ctrl port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the dc20ctrl port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the dc20ctrl port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/graphics/dc20ctrl-0.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/graphics/dc20ctrl-0.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/graphics/dc20ctrl-0.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/graphics/dc20ctrl-0.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/graphics/dc20ctrl-0.4_1.tgz

NOTE: it may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at this
time due to lack of build resources.

3) download a new port skeleton for the dc20ctrl from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOoGyClUuHi5z0oilAQFzvgP/fhW32mvqDBlqUodUFjjWYmRaLJmaU3Wi
zNm5C/eb36jA9auvmZv9lE4UOlkPng1Kvhg8z0cSvWzhEUNk9IAdklvGsGXhvN/I
rjJHdVG6qSFmmsfSrlQwwfNqbhivPITM7Iv2xH0WPLoaStvMnFFmm4bERPJ/4hAq
8O9ZKoRXqyA=
=J8Ao
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Feb 7 23:03:02 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 85C0737B4EC for ; Wed, 7 Feb 2001 23:02:45 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 7 Feb 2001 23:00:37 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1872NQ25155; Wed, 7 Feb 2001 23:02:23 -0800 (PST) (envelope-from cjc)
Date: Wed, 7 Feb 2001 23:02:22 -0800
From: "Crist J. Clark"
To: Casey Dinsmore
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Interesting ipfw response
Message-ID: <20010207230222.M91447@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <002301c0913d$8555d000$1717a8c0@netadmin>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <002301c0913d$8555d000$1717a8c0@netadmin>; from cdinsmore@vatyx.com on Wed, Feb 07, 2001 at 11:38:15AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Feb 07, 2001 at 11:38:15AM -0800, Casey Dinsmore wrote:
> I've had a couple interesting entries in my log lately and wonder if
> someone could shed some light on these. How is it that they are being
> rejected with rule number -1? If I am having a problem with a ipfw
> ruleset could someone offer recommendations to fix and prevent this?

Rule -1 is reported if the packet is dropped by sanity checks the firewall
performs that are not associated with a rule. The only such checks I am
aware of and the only ones I can find in the code are for "bogus"
fragments. These are fragments that do not occur normally and their only
use would be trying to circumvent a firewall. There is nothing to fix
unless you have good reason to believe that these packets should not have
been denied.
-- 
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Thu Feb 8 04:21:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from kleopatra.acc.umu.se (kleopatra.acc.umu.se [130.239.18.150]) by hub.freebsd.org (Postfix) with ESMTP id 6C08437B401; Thu, 8 Feb 2001 04:21:28 -0800 (PST)
Received: from mao.acc.umu.se (root@mao.acc.umu.se [130.239.18.154]) by kleopatra.acc.umu.se (8.11.2/8.11.2) with ESMTP id f18CLOv23786; Thu, 8 Feb 2001 13:21:25 +0100
Received: (from markush@localhost) by mao.acc.umu.se (8.9.3/8.9.3/Debian 8.9.3-21) id NAA07539; Thu, 8 Feb 2001 13:21:23 +0100
Date: Thu, 8 Feb 2001 13:21:23 +0100
From: Markus Holmberg
To: Garrett Wollman
Cc: Wes Peters , freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG
Subject: Re: Package integrity check?
Message-ID: <20010208132123.A4400@acc.umu.se>
References: <20010205210459.A2479@acc.umu.se> <3A7F9AB6.5CAA983B@softweyr.com> <200102061526.KAA31832@khavrinen.lcs.mit.edu> <3A802FAF.792F61F5@softweyr.com> <200102061802.NAA33086@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3-current-20000511i
In-Reply-To: <200102061802.NAA33086@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Tue, Feb 06, 2001 at 01:02:08PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks Wes.

I'm running -STABLE (and I was mostly just curious, not in a hurting need
for this functionality right away) so I'm not sure I'm trying it out. But
it's good to know it's available.

On Tue, Feb 06, 2001 at 01:02:08PM -0500, Garrett Wollman wrote:
> 1) Whatever process generates and checksums the packages also makes
> and signs a master list of all the checksums from each package, and
> 
> 2) Whatever process installs software from the package compares its
> checksum against this master list, and verifies the signature of the
> master list.

It was these two things that I was thinking of in the first place.. (When
asking if it was possible to check for package integrity). But I realize
it is not conceivable without a good deal of effort, so I was merely
wondering if anyone else thought of it.

> I think that this would be both useful and worthwhile, but again, we
> need to make sure that legally we are not promising anything other
> than ``these packages have not been modified since generation''.

Of course, one could not ask for anything else either (more than to know
that the packages were built by the FreeBSD Project and have not been
modified since, as is the same with building software from the ports
system).
Markus

-- 
Markus Holmberg         |       Give me Unix or give me a typewriter.
markush@acc.umu.se      |       http://www.freebsd.org/

From owner-freebsd-security Thu Feb 8 09:32:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 1599937B503; Thu, 8 Feb 2001 09:32:05 -0800 (PST)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14Qv3m-0000Kc-00; Thu, 08 Feb 2001 10:40:47 -0700
Message-ID: <3A82DA1E.BC4A9CDD@softweyr.com>
Date: Thu, 08 Feb 2001 10:40:46 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Markus Holmberg
Cc: Garrett Wollman , freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG
Subject: Re: Package integrity check?
References: <20010205210459.A2479@acc.umu.se> <3A7F9AB6.5CAA983B@softweyr.com> <200102061526.KAA31832@khavrinen.lcs.mit.edu> <3A802FAF.792F61F5@softweyr.com> <200102061802.NAA33086@khavrinen.lcs.mit.edu> <20010208132123.A4400@acc.umu.se>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Markus Holmberg wrote:
> 
> Thanks Wes.
> 
> I'm running -STABLE (and I was mostly just curious, not in a hurting need
> for this functionality right away) so I'm not sure I'm trying it out. But
> it's good to know it's available.

As soon as we get a couple of other issues (mostly Makefile) worked out,
I'll MFC the package-signing stuff. It runs fine on my laptop, which is:

FreeBSD homer 4.2-STABLE FreeBSD 4.2-STABLE #0: Mon Jan 29 10:13:07 MST 2001

> On Tue, Feb 06, 2001 at 01:02:08PM -0500, Garrett Wollman wrote:
> > 1) Whatever process generates and checksums the packages also makes
> > and signs a master list of all the checksums from each package, and
> > 
> > 2) Whatever process installs software from the package compares its
> > checksum against this master list, and verifies the signature of the
> > master list.
> 
> It was these two things that I was thinking of in first place.. (When
> asking if it was possible to check for package integrity). But I realize
> it is not conceivable without a good deal of effort, so I was merely
> wondering if anyone else thought of it.

That's the nice thing about X.509 certs, you only have to distribute the
cert from whoever is providing the package.
The package contains the checksum, verifying the contents, and the signing
process assures you that the checksum contained in the cert hasn't been
tampered with. Now all you need is a secure way to get the certificate from
the originator.

> > I think that this would be both useful and worthwhile, but again, we
> > need to make sure that legally we are not promising anything other
> > than ``these packages have not been modified since generation''.
                                                          ^^^^^^^^^^
                                                          signing

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Thu Feb 8 09:50:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp2.millic.com.ar (unknown [64.76.16.9]) by hub.freebsd.org (Postfix) with ESMTP id 6603837B503 for ; Thu, 8 Feb 2001 09:50:39 -0800 (PST)
Received: from spod.mic_ar ([64.76.16.15]) by smtp2.millic.com.ar with Microsoft SMTPSVC(5.5.1877.357.35); Thu, 8 Feb 2001 14:48:05 -0300
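The two steps Garrett Wollman lists in the thread above (a builder checksums every package and signs one master list; an installer compares a package's checksum against that list and verifies the list's signature) carried through in shell, as an added example that is not the FreeBSD Project's package-signing code and not anything Wes Peters describes running on his laptop. The manifest format, the file names and the use of SHA-256 are assumptions made for the example; the detached-signature check reuses the `gpg --verify` step the advisories on this page already ask readers to perform on patches.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD Project or from anyone in this
# thread. Builder side: one signed master list of package checksums.
# Installer side: a package is used only if its checksum matches the list
# and the list's detached signature verifies. File names are constructed.

# SHA-256 of a file, using whichever tool the host has (GNU coreutils,
# Perl shasum, or FreeBSD's sha256(1)).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Step 1 (builder): master list, one "<sha256>  <package file name>" line
# per package in the directory. The builder then signs the list, e.g.
#   gpg --detach-sign --armor MASTER      -> MASTER.asc
build_manifest() {
    for pkg in "$1"/*.tgz; do
        [ -f "$pkg" ] || continue
        printf '%s  %s\n' "$(sha256_of "$pkg")" "$(basename "$pkg")"
    done
}

# The list is only as trustworthy as its signature: refuse an unsigned list
# outright, and refuse one whose detached signature does not verify.
# Trust in the signing key itself is the "secure way to get the
# certificate" problem the thread raises; gpg's keyring decides that here.
verify_manifest_signature() {
    if [ ! -f "$1.asc" ]; then
        echo "$1: no detached signature; refusing to trust the list" >&2
        return 1
    fi
    gpg --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Step 2 (installer): 0 if the package's checksum matches its entry in the
# master list, 1 if it differs or the package is not listed at all.
verify_package() {
    pkg=$1; manifest=$2
    name=$(basename "$pkg")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
    [ -n "$expected" ] || { echo "$name: not in master list" >&2; return 1; }
    actual=$(sha256_of "$pkg")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "$name: checksum mismatch" >&2
    return 1
}

# Installer flow: check the list's signature once, then each package.
#   verify_manifest_signature MASTER && verify_package foo-1.0.tgz MASTER
```

Keeping the checksums in a separate signed list, rather than signing each package, means the installer needs only one signature check per batch and an unlisted package is rejected even when its own contents are intact, which is exactly the "not modified since generation" guarantee the thread settles on and nothing stronger.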
From: Christian G.Charette
Organization: Millicom Argentina
Date: Thu, 8 Feb 2001 14:51:30 -0300
X-Mailer: KMail [version 1.1.99]
Content-Type: text/plain; charset="iso-8859-1"
To:
Subject: ipfw
MIME-Version: 1.0
Message-Id: <01020814513000.00915@spod.mic_ar>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi, I'm a newbie in Unix and I'm running a FreeBSD box with Apache, and I
want to build some Firewall but all the instructives I found are about
firewalling for gateways. All I need is an example of a rule set or
something like that. What I want to do is block ICMP and only allow a
couple of IPs to make telnet to the box.

Thanks and sorry for boring you.

From owner-freebsd-security Thu Feb 8 09:52:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id A2D0637B67D; Thu, 8 Feb 2001 09:52:20 -0800 (PST)
Received: (from str@localhost) by giganda.komkon.org (8.9.3/8.9.3) id MAA50931; Thu, 8 Feb 2001 12:52:19 -0500 (EST) (envelope-from str)
Date: Thu, 8 Feb 2001 12:52:19 -0500 (EST)
From: Igor Roshchin
Message-Id: <200102081752.MAA50931@giganda.komkon.org>
To: security-officer@freebsd.org, security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:10.bind [REVISED]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I already made this comment when the earlier advisory on bind was issued:
Reference to 4.x is not completely correct (or at least, confusing), since
4.0-RELEASE had an earlier, vulnerable version of bind.

Kris, you probably forgot about your intention to correct that part of the
advisory.

Best,

Igor

> From owner-freebsd-security@FreeBSD.ORG Wed Feb 7 14:29:17 2001
> Date: Wed, 7 Feb 2001 11:28:33 -0800 (PST)
> From: FreeBSD Security Advisories
> To: FreeBSD Security Advisories
> Subject: FreeBSD Security Advisory: FreeBSD-SA-01:10.bind [REVISED]
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-01:10 Security Advisory
> FreeBSD, Inc.
>
> Topic: bind remote denial of service [REVISED]
>
> Category: core, ports
> Module: bind
> Announced: 2001-01-23
> Revised: 2001-02-07
> Credits: Fabio Pietrosanti
> Affects: FreeBSD 3.x prior to the correction date.
> Ports collection prior to the correction date.
> Corrected: 2000-11-27 (FreeBSD 3.5-STABLE)
> 2001-01-05 (Ports collection)
> Vendor status: Updated version released
> FreeBSD only: NO
>
> 0. Revision History
>
> v1.0 2001-01-23 Initial release
> v1.1 2001-02-07 Rerelease to note the far more serious problems described
> in SA-01:18
> <..>
>
> All versions of FreeBSD 3.x prior to the correction date including
> 3.5.1-RELEASE are vulnerable to this problem. In addition, the bind8
> port in the ports collection is also vulnerable. FreeBSD 4.x is not
> affected since it contains versions of BIND 8.2.3.
> <...>

From owner-freebsd-security Thu Feb 8 10:01:08 2001 Delivered-To: freebsd-security@freebsd.org Received: from unix.infoserve.net (unix.infoserve.net [199.175.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 3D88E37B699 for ; Thu, 8 Feb 2001 10:00:50 -0800 (PST) Received: from nitrogen (d31-22.infoserve.net [209.82.22.31]) by unix.infoserve.net (8.9.0/8.9.0) with SMTP id KAA00343 for ; Thu, 8 Feb 2001 10:11:40 -0800 (PST) Message-ID: <000b01c091f8$fed0fd40$1f1652d1@timberauctiononline.com>
From: "wlodek" To: Subject: Hi Date: Thu, 8 Feb 2001 09:59:31 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello, I was wondering if you can help me in mounting FreeBSD in read-only mode. I will need two scenarios, one for two DNS servers and one for an HTTP server. Here is what I need to know: which files shall I absolutely move to a read-write partition? I will have three very small HDs with tasks as follows:

1. only swap partition, r-w
2. file system and binaries, r only HD
3. user files, r-w but not execute.

Questions are: which files from the binaries and file system shall I move (and symbolic link) on to a writeable partition? The above will probably have some variations for the Apache machine and for the bind machine. Thank you very much, any help will be appreciated. Regards, Wlodek

From owner-freebsd-security Thu Feb 8 10:03:07 2001 Delivered-To: freebsd-security@freebsd.org Received: from omta01.mta.everyone.net (sitemail.everyone.net [216.200.145.35]) by hub.freebsd.org (Postfix) with ESMTP id 137A037B699 for ; Thu, 8 Feb 2001 10:02:46 -0800 (PST) Received: from sitemail.everyone.net (reports [216.200.145.62]) by omta01.mta.everyone.net (Postfix) with ESMTP id 063201C3A60; Thu, 8 Feb 2001 10:02:46 -0800 (PST) Received: by sitemail.everyone.net (Postfix, from userid 99) id 56CA936FA; Thu, 8 Feb 2001 10:02:42 -0800 (PST) Content-Type: text/plain Content-Disposition: inline Mime-Version: 1.0 X-Mailer: MIME-tools 4.104 (Entity 4.117) Date: Thu, 8 Feb 2001 10:02:42 -0800 (PST)
From: Benjamin Ossei To: Christian G.Charette , freebsd-security@freebsd.org Subject: Re: ipfw Reply-To: ben@cahostnet.net X-Originating-Ip: [162.6.224.88] Message-Id: <20010208180242.56CA936FA@sitemail.everyone.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Check out this site. http://www.mostgraveconcern.com/freebsd/ipfw.html

--- Christian G.Charette > wrote:
>Hi, Im a newbie in Unix and Im running a FreeBSD box with Apache, and
>I want to build some Firewall but all the instructives I found are
>about firewalling for gateways. All I need is an example of a rule
>set or something like that.
>What I want to do is block ICMP and only allow a couple of IPs make
>telnet to the box.
>
>Thanks and sorry for boring you.

From owner-freebsd-security Thu Feb 8 10:45:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from mile.nevermind.kiev.ua (ppp-80.nav.kiev.ua [213.169.65.80]) by hub.freebsd.org (Postfix) with ESMTP id 9060D37B6AA; Thu, 8 Feb 2001 10:45:17 -0800 (PST) Received: (from never@localhost) by mile.nevermind.kiev.ua (8.11.1/8.11.1) id f18Iibv07095; Thu, 8 Feb 2001 20:44:37 +0200 (EET) (envelope-from never) Date: Thu, 8 Feb 2001 20:44:35 +0200
From: Nevermind To: "Christian G.Charette" Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: ipfw Message-ID: <20010208204435.A4867@nevermind.kiev.ua> References: <01020814513000.00915@spod.mic_ar> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <01020814513000.00915@spod.mic_ar>; from chcharette@millic.com.ar on Thu, Feb 08, 2001 at 02:51:30PM -0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello, Christian G.Charette!

On Thu, Feb 08, 2001 at 02:51:30PM -0300, you wrote:
> Hi, Im a newbie in Unix and Im running a FreeBSD box with Apache, and
> I want to build some Firewall but all the instructives I found are
> about firewalling for gateways. All I need is an example of a rule
> set or something like that.
> What I want to do is block ICMP and only allow a couple of IPs make
> telnet to the box.

Cris, first you should include "options IPFIREWALL" (without quotes) in your custom kernel config. Then you should decide whether you want a closed or an open firewall type. The differences are:

closed firewall: everything that is not allowed is denied.
open firewall: everything that is not denied is allowed.

If you need to restrict only telnet and icmp, you will need an open firewall, so you will need the following rules:

    ipfw add deny icmp from any to any
    ipfw add allow ip from first_box_ip to any 23
    ipfw add allow ip from second_box_ip to any 23
    ...
    ipfw add allow ip from any 23 to first_box_ip
    ipfw add allow ip from any 23 to second_box_ip
    ...
    ipfw add deny ip from any to any 23
    ipfw add deny ip from any 23 to any
    ipfw add allow ip from any to any

You need the last rule because the default is that the last rule in the ruleset is deny ip from any to any. There is also another option to the kernel which sets the default to allow, but I don't have LINT here, so let somebody else tell it to you.
Be aware that this ruleset is only good for a home PC because it is not secure and "sdelan na kolenke" (Russian, meaning it was made in a few seconds :>). Or, there is a second way of doing the same thing. Then you'll need a closed firewall. I'm not very good at this though, because I'm too lazy to write all of these allowing rules. But I'm working on it on my home box. Maybe there are volunteers to answer Cris about a closed firewall with detailed instructions? :) Anyway, it is a question for the -questions mailing list, so I'm Cc:'ing it there.

P.S. Forgive me my awful English.

-- 
NEVE-RIPE

From owner-freebsd-security Thu Feb 8 11:03:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from clavin.efn.org (clavin.efn.org [206.163.176.10]) by hub.freebsd.org (Postfix) with ESMTP id BF40837B684 for ; Thu, 8 Feb 2001 11:03:22 -0800 (PST) Received: from garcia.efn.org (c_deless@garcia.efn.org [206.163.176.5]) by clavin.efn.org (8.10.1/8.10.1) with ESMTP id f18J3KZ14642 for ; Thu, 8 Feb 2001 11:03:20 -0800 (PST) Received: from localhost (c_deless@localhost) by garcia.efn.org (8.10.1/8.10.1) with ESMTP id f18J3HG13327 for ; Thu, 8 Feb 2001 11:03:19 -0800 (PST) X-Authentication-Warning: garcia.efn.org: c_deless owned process doing -bs Date: Thu, 8 Feb 2001 11:03:15 -0800 (PST)
From: cdel To: freebsd-security@freebsd.org Subject: ipfw make failure Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Please forgive me if I'm doing this wrong. I supped in new 4.2-S source a few minutes ago and re-made /usr/src/sbin/ipfw. I got this...

    firewall# make
    cc -O -pipe -Wall -c /usr/src/sbin/ipfw/ipfw.c
    /usr/src/sbin/ipfw/ipfw.c: In function `show_ipfw':
    /usr/src/sbin/ipfw/ipfw.c:429: structure has no member named `fw_ipflg'
    /usr/src/sbin/ipfw/ipfw.c:429: `IP_FW_IF_TCPEST' undeclared (first use in this function)
    /usr/src/sbin/ipfw/ipfw.c:429: (Each undeclared identifier is reported only once
    /usr/src/sbin/ipfw/ipfw.c:429: for each function it appears in.)
    /usr/src/sbin/ipfw/ipfw.c: In function `add':
    /usr/src/sbin/ipfw/ipfw.c:1896: structure has no member named `fw_ipflg'
    /usr/src/sbin/ipfw/ipfw.c:1896: `IP_FW_IF_TCPEST' undeclared (first use in this function)
    *** Error code 1
    Stop in /usr/src/sbin/ipfw.
    firewall#

Am I doing something wrong or is this something you should be aware of?

MTIA
Chris

From owner-freebsd-security Thu Feb 8 12:37:00 2001 Delivered-To: freebsd-security@freebsd.org Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24]) by hub.freebsd.org (Postfix) with ESMTP id 09F5437B6C5 for ; Thu, 8 Feb 2001 12:36:41 -0800 (PST) Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id VAA16237; Thu, 8 Feb 2001 21:36:38 +0100 (MET) Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian)) id 14Qxny-0007QD-00 for ; Thu, 08 Feb 2001 21:36:38 +0100 Date: Thu, 8 Feb 2001 21:36:38 +0100
From: Szilveszter Adam To: freebsd-security@freebsd.org Subject: "humorous" SA jokes Message-ID: <20010208213638.C23134@petra.hos.u-szeged.hu> Mail-Followup-To: Szilveszter Adam , freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello everybody,

Maybe it is just me, but I am increasingly pissed off by that guy who keeps posting "funny" SAs about the advantages of OpenBSD vs FreeBSD. Now, he has done it again. Nothing new with that. But he posted on freebsd-announce. Now this is something I don't understand. Every message on that mailing list has the following footer:

    This is the moderated mailing list freebsd-announce.
    The list contains announcements of new FreeBSD capabilities,
    important events and project milestones.
    See also the FreeBSD Web pages at http://www.freebsd.org

This, for me, means that you cannot simply walk up and post if you want. And I seriously doubt that this message was approved by the moderator. Or was it? Or am I just misunderstanding the meaning of the word "moderated"?

Anyway, in case anybody is amused by this "humour" of the anonymous (= coward) poster, I am not.

-- 
Regards:
Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Thu Feb 8 12:42:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from castle.dreaming.org (castle.dreaming.org [216.221.214.170]) by hub.freebsd.org (Postfix) with ESMTP id 08DD437B6C5 for ; Thu, 8 Feb 2001 12:42:03 -0800 (PST) Received: from Laptop (cr592943-a.bloor1.on.wave.home.com [24.156.38.199]) by castle.dreaming.org (8.11.1/8.11.1) with ESMTP id f18Kfqt41696; Thu, 8 Feb 2001 15:41:53 -0500 (EST) (envelope-from mit@mitayai.net)
From: "Will Mitayai Keeso Rowe" To: "Szilveszter Adam" , Subject: RE: "humorous" SA jokes Date: Thu, 8 Feb 2001 15:40:36 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <20010208213638.C23134@petra.hos.u-szeged.hu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

oh, but the website parodies their site refer to can be. ;-)

http://www.antioffline.com/freebsd.html

:-----Original Message-----
:From: owner-freebsd-security@FreeBSD.ORG
:[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Szilveszter Adam
:Sent: February 8, 2001 15:37 PM
:To: freebsd-security@FreeBSD.ORG
:Subject: "humorous" SA jokes
:
:
:Hello everybody,
:
:Maybe it is just me, but I am increasingly pissed off by that guy who keeps
:posting "funny" SA-s about the advantages of OpenBSD vs FreeBSD. Now, he
:has done it again. Nothin new with that. But he posted on freebsd-announce.
:Now this is something I don't understand. Every message on that mailing
:list has the following footer:
:
:This is the moderated mailing list freebsd-announce.
:The list contains announcements of new FreeBSD capabilities,
:important events and project milestones.
:See also the FreeBSD Web pages at http://www.freebsd.org
:
:This, for me, means that you cannot simply walk up and post if you want.
:And I seriously doubt that this message was approved by the moderator. Or
:was it? Or am I just misunderstanding the meaning of the word "moderated"?
:
:Anyway, in case anybody is amused by this "humour" of the anonymous (=
:coward) poster, I am not.
:
:--
:Regards:
:
:Szilveszter ADAM
:Szeged University
:Szeged Hungary
:

From owner-freebsd-security Thu Feb 8 13:20:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.interware.hu (mail.interware.hu [195.70.32.130]) by hub.freebsd.org (Postfix) with ESMTP id C055C37B65D for ; Thu, 8 Feb 2001 13:19:56 -0800 (PST) Received: from dakar-27.budapest.interware.hu ([195.70.51.91] helo=no) by mail.interware.hu with smtp (Exim 3.16 #1 (Debian)) id 14QyTp-0002bm-00 for ; Thu, 08 Feb 2001 22:19:53 +0100 Message-ID: <002c01c09215$c7291220$5b3346c3@no>
From: "David Beck" To: Subject: security improvement ? Date: Thu, 8 Feb 2001 22:26:18 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

First of all, I would like to mention that the thing I describe here:
- is not for production use (!!!)
- has serious problems (look at the readme file)
- is mainly for generating discussion about the idea
- might introduce security problems

The idea here is to introduce further limitations on the usage of syscalls. That is to say, process x cannot call syscall y, and if it tries, log it (somewhere). This is like a user (root) configurable profile for a process for calling syscalls. At the moment I wrote a simplified representation of the idea which can limit the usage of the syscalls in a specified jail. This was faster to do and shows what I think.

http://dbeck.beckground.hu/download/scf-0.0.1.tar.gz

I'm sure that the way it is implemented is bad, and instead of writing a kernel module like this I should make a patch for the kernel. I'm working on the patch, but in the meantime I'm very much interested in what the experts say about this.

Cheers,
David.
From owner-freebsd-security Thu Feb 8 19:47:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from phnxpop3.phnx.uswest.net (phnxpop3.phnx.uswest.net [206.80.192.3]) by hub.freebsd.org (Postfix) with SMTP id 84B1937B503 for ; Thu, 8 Feb 2001 19:47:13 -0800 (PST) Received: (qmail 15150 invoked by uid 0); 9 Feb 2001 03:47:11 -0000 Received: from audialup176.phnx.uswest.net (HELO mac.com) (63.225.210.176) by phnxpop3.phnx.uswest.net with SMTP; 9 Feb 2001 03:47:11 -0000 Date: Thu, 08 Feb 2001 20:50:35 -0700 Message-ID: <3A83690B.F9188A59@mac.com> From: "james pye" To: freebsd-security@freebsd.org X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 Subject: subscribe Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

subscribe

From owner-freebsd-security Thu Feb 8 23:03:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 479AA37B491 for ; Thu, 8 Feb 2001 23:03:21 -0800 (PST) Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 8 Feb 2001 23:01:26 -0800 Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1973Gx28360; Thu, 8 Feb 2001 23:03:16 -0800 (PST) (envelope-from cjc) Date: Thu, 8 Feb 2001 23:03:15 -0800
From: "Crist J. Clark" To: wlodek Cc: security@FreeBSD.ORG Subject: Read-Only Partitions Again (was Re: Hi) Message-ID: <20010208230315.R91447@rfx-216-196-73-168.users.reflex> Reply-To: cjclark@alum.mit.edu References: <000b01c091f8$fed0fd40$1f1652d1@timberauctiononline.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <000b01c091f8$fed0fd40$1f1652d1@timberauctiononline.com>; from wlodek@infoserve.net on Thu, Feb 08, 2001 at 09:59:31AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Feb 08, 2001 at 09:59:31AM -0800, wlodek wrote:
> Hello
> I was wonder if you can help me in mounting the FreeBSD in read-only mode
> I will need to scenarios one only for two DNS server and one for Http
> server:
> Here is what I need to know
> Which file shall I absolutely move to read -write partition?
> I will have three very small HD with task as follow
> 1 only swap partition r-w
> 2 files system and binaries r only HD
> 2 user file r-w but not execute.
> Questions are
> Which files from the binaries and file system shall I move (and do symbolic
> link) on to write able partition?
> The above will probably have some variations for apache machine and for bind
> machine

You will want a writable /var partition. Make everything else on the system a read-only root partition (put what is often broken up into / and /usr in this one partition). If you are changing your zones or webpages with any regularity, you may either want a partition for that or, if there is not a lot of space involved, put it on /var too. Also, remember that if your machine is a secondary, you need to write the zone files somewhere.

The real trick with having a read-only root partition is how to deal with /dev. Depending on how you use the box, you may be able to get away with a read-only /dev, but it can break things. There are ways to hack around this if you need to.
After I've gone to all that trouble to tell you how to do it, I should point out that mounting partitions read-only is not really a security feature. There is no way to prevent root from changing a read-only mount to read-write (with one very, very ugly exception) if the disk is not write protected at the hardware level. And if we are talking about partitions on the same disk, you cannot have some read-only and some read-write partitions with a hardware read-write protect.

And after that, I'll tell you I made a really, really trivial hack to the kernel code so that the mount(2) call is deactivated at raised securelevels, which does make read-only mounts a security feature. If you can't find it in the archive, I can dig it up.

-- 
Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Fri Feb 9 00:00:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id AEFE137B503 for ; Fri, 9 Feb 2001 00:00:01 -0800 (PST) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.0/8.11.0) id f197xLH72948; Fri, 9 Feb 2001 09:59:21 +0200 (EET) (envelope-from ru) Date: Fri, 9 Feb 2001 09:59:21 +0200
From: Ruslan Ermilov To: cdel Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw make failure Message-ID: <20010209095921.A70882@sunbay.com> Mail-Followup-To: cdel , freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from c_deless@efn.org on Thu, Feb 08, 2001 at 11:03:15AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Feb 08, 2001 at 11:03:15AM -0800, cdel wrote:
> Please forgive me if I'm doing this wrong. I supped in new 4.2-S source a
> few minutes ago and re-made /usr/src/sbin/ipfw. I got this...
>
> firewall# make
> cc -O -pipe -Wall -c /usr/src/sbin/ipfw/ipfw.c
> /usr/src/sbin/ipfw/ipfw.c: In function `show_ipfw':
> /usr/src/sbin/ipfw/ipfw.c:429: structure has no member named `fw_ipflg'
> /usr/src/sbin/ipfw/ipfw.c:429: `IP_FW_IF_TCPEST' undeclared (first use in this function)
> /usr/src/sbin/ipfw/ipfw.c:429: (Each undeclared identifier is reported only once
> /usr/src/sbin/ipfw/ipfw.c:429: for each function it appears in.)
> /usr/src/sbin/ipfw/ipfw.c: In function `add':
> /usr/src/sbin/ipfw/ipfw.c:1896: structure has no member named `fw_ipflg'
> /usr/src/sbin/ipfw/ipfw.c:1896: `IP_FW_IF_TCPEST' undeclared (first use in this function)
> *** Error code 1
> Stop in /usr/src/sbin/ipfw.
> firewall#
>
> Am I doing something wrong or is this something you should be aware of?
>
Yes, /usr/include should be upgraded first; ``make world'' is advised.

freebsd-security is not an appropriate list for questions like this. freebsd-stable is.
Cheers,
-- 
Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age

From owner-freebsd-security Fri Feb 9 00:07:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from hq1.tyfon.net (hq1.tyfon.net [217.27.162.35]) by hub.freebsd.org (Postfix) with ESMTP id 6787A37B491 for ; Fri, 9 Feb 2001 00:07:11 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hq1.tyfon.net (Postfix) with ESMTP id DC55E1C7EC for ; Fri, 9 Feb 2001 09:07:08 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by hq1.tyfon.net (Postfix) with ESMTP id 09A8F1C7D8 for ; Fri, 9 Feb 2001 09:07:03 +0100 (CET) Date: Fri, 9 Feb 2001 09:07:02 +0100 (CET)
From: Dan Larsson To: Subject: Lots of attempts to connect to sunrpc port Message-ID: Organization: Tyfon Svenska AB X-NCC-NIC: DL1999-RIPE X-NCC-RegID: se.tyfon MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by hq1.tyfon.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I assume that there was/is a bug in the sunrpc daemon. Exploiting that bug might render access to the computer in some way. Fortunately there's nothing listening on that port on the attacked computer.

Is this something to take seriously or am I looking at the effects of script kiddies?

Log snippet:

    Deny TCP 211.184.221.34:1870 xxx.xxx.xxx.xxx:111 in via fxp0
    Deny TCP 211.184.221.34:1870 xxx.xxx.xxx.xxx:111 in via fxp0
    Deny TCP 200.47.77.226:1855 xxx.xxx.xxx.xxx:111 in via fxp0
    Deny TCP 211.216.53.156:4629 xxx.xxx.xxx.xxx:111 in via fxp0
    Deny TCP 64.94.79.200:2912 xxx.xxx.xxx.xxx:111 in via fxp0
    Deny TCP 64.94.79.200:2912 xxx.xxx.xxx.xxx:111 in via fxp0
    Deny TCP 211.174.58.101:111 xxx.xxx.xxx.xxx:111 in via fxp0
    Deny TCP 217.13.4.50:1774 xxx.xxx.xxx.xxx:111 in via fxp0
    Deny TCP 64.56.207.76:1137 xxx.xxx.xxx.xxx:111 in via fxp0
    Deny TCP 212.184.103.11:4622 xxx.xxx.xxx.xxx:111 in via fxp0
    Deny TCP 211.219.84.99:2779 xxx.xxx.xxx.xxx:111 in via fxp0

Regards
+------
Dan Larsson | Tel: +46 8 550 120 21
Tyfon Svenska AB | Fax: +46 8 550 120 02
GPG and PGP keys | finger dl@hq1.tyfon.net

From owner-freebsd-security Fri Feb 9 00:16:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from sonar.noops.org (adsl-63-195-97-84.dsl.snfc21.pacbell.net [63.195.97.84]) by hub.freebsd.org (Postfix) with ESMTP id 0A82537B491 for ; Fri, 9 Feb 2001 00:16:30 -0800 (PST) Received: from localhost (root@localhost) by sonar.noops.org (8.9.3/8.9.3) with ESMTP id AAA01538; Fri, 9 Feb 2001 00:16:33 -0800 (PST) (envelope-from root@noops.org) Date: Fri, 9 Feb 2001 00:16:33 -0800 (PST) From: Thomas Cannon To: Dan Larsson Cc: freebsd-security@FreeBSD.ORG Subject: Re: Lots of attempts to connect to sunrpc port In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> Is this something to take seriously or am I looking at the effects of
> script kiddies?
>
> Log snippet:
>
> Deny TCP 211.184.221.34:1870 xxx.xxx.xxx.xxx:111 in via fxp0
> Deny TCP 211.184.221.34:1870 xxx.xxx.xxx.xxx:111 in via fxp0
> Deny TCP 200.47.77.226:1855 xxx.xxx.xxx.xxx:111 in via fxp0

Well, not having timestamps makes it tough to say, but if all those came at the same time I'd guess someone is using the -D flag on nmap and hiding in a crowd of IPs to mask their own. If that's your logs from the course of a day, it's just random script kid traffic. I see a similar amount each day.

Cheers,
Thomas

From owner-freebsd-security Fri Feb 9 01:54:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from serenity.mcc.ac.uk (serenity.mcc.ac.uk [130.88.200.93]) by hub.freebsd.org (Postfix) with ESMTP id A21C337B491 for ; Fri, 9 Feb 2001 01:54:30 -0800 (PST) Received: from dogma.freebsd-uk.eu.org ([130.88.200.97] ident=root) by serenity.mcc.ac.uk with esmtp (Exim 2.05 #4) id 14RAG5-0006LD-00 for security@freebsd.org; Fri, 9 Feb 2001 09:54:29 +0000 Received: (from rasputin@localhost) by dogma.freebsd-uk.eu.org (8.11.1/8.11.1) id f199sTX79146 for security@freebsd.org; Fri, 9 Feb 2001 09:54:29 GMT (envelope-from rasputin) Date: Fri, 9 Feb 2001 09:54:29 +0000
From: Rasputin To: security@freebsd.org Subject: Is this a problem for us too? Message-ID: <20010209095428.A79098@dogma.freebsd-uk.eu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Just noticed a couple of openssh security advisories on deadly.org:

http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

Is this OpenBSD-specific, or related to any openssh implementation?

-- 
Rasputin
Jack of All Trades :: Master of Nuns

From owner-freebsd-security Fri Feb 9 02:30:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from vexpert.dbai.tuwien.ac.at (vexpert.dbai.tuwien.ac.at [128.130.111.12]) by hub.freebsd.org (Postfix) with ESMTP id 53B3D37B401 for ; Fri, 9 Feb 2001 02:30:34 -0800 (PST) Received: from deneb (deneb [128.130.111.2]) by vexpert.dbai.tuwien.ac.at (8.11.1/8.11.1) with ESMTP id f19AUTe22801; Fri, 9 Feb 2001 11:30:29 +0100 (MET) Date: Fri, 9 Feb 2001 11:30:28 +0100 (CET)
From: Gerald Pfeifer To: Cc: Alfred Perlstein , Garrett Wollman , Subject: Re: nfsd lacks support for tcp_wrapper In-Reply-To: <200101310138.UAA58984@khavrinen.lcs.mit.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, 30 Jan 2001, Alfred Perlstein wrote:
>> Or are we just missing something?
> Missing the fact that nfsd is an in-kernel process and therefore
> pretty hard to link against libwrap.

Hard, or impossible? ;-)

> Otherwise... i dunno, use ipfw? :)

Well, we could do that. But it really would be nice to have *one* place to configure such services. Logically (I realize that it's not easy to implement), I don't see why nfsd shouldn't honor /etc/hosts.allow.

On Tue, 30 Jan 2001, Garrett Wollman wrote:
> A good deal, since NFS has access-control at a higher level built in
> to the kernel. mountd will do the right magic to tell the kernel what
> your access-control list is.

Well, we're also using that, but this doesn't prevent non-authorized clients from accessing the NFS port in the first place. And in case at some point we forget to configure some specific mount correctly security-wise, that would be a second line of defense. And having multiple lines of defense seems like a good idea. :-)

Gerald
-- 
Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/

From owner-freebsd-security Fri Feb 9 02:41:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from orhi.sarenet.es (orhi.sarenet.es [192.148.167.5]) by hub.freebsd.org (Postfix) with ESMTP id EB22237B503 for ; Fri, 9 Feb 2001 02:40:54 -0800 (PST) Received: from borja.sarenet.es (borja.sarenet.es [192.148.167.77]) by orhi.sarenet.es (Postfix) with ESMTP id C9D6F4A54 for ; Fri, 9 Feb 2001 11:40:48 +0100 (MET) Received: from sarenet.es (localhost [127.0.0.1]) by borja.sarenet.es (8.11.1/8.11.1) with ESMTP id f19Aepp10673 for ; Fri, 9 Feb 2001 11:40:52 +0100 (CET) (envelope-from borjamar@sarenet.es) Message-ID: <3A83C933.8F89DC69@sarenet.es> Date: Fri, 09 Feb 2001 11:40:51 +0100
From: Borja Marcos X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: nfsd support for tcp_wrapper -> General RPC solution References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Gerald Pfeifer wrote:
>
> On Tue, 30 Jan 2001, Alfred Perlstein wrote:
> >> Or are we just missing something?
> > Missing the fact that nfsd is an in-kernel process and therefore
> > pretty hard to link against libwrap.
>
> Hard, or impossible? ;-)

Well, nfsd must serve requests at high speed. Having it call TCP Wrapper can be a big overhead, depending on how you have configured /etc/hosts.allow and /etc/hosts.deny.

I was thinking about a different (and general) solution, but I have had no time to implement it. Perhaps I will try to find some time.

The trick is to use the portmapper with TCP Wrapper with a slight twist. You keep a set of firewall (ipfw or ipfilter) rules in a file, and whenever portmap receives the RPC service registration from the daemon, it "runs" the ipfw or ipfilter configuration script, passing it the port number where the service has registered.

This provides good protection for *any* RPC service, you don't need to tinker with RPC daemons (only the portmapper) and the overhead is minimal: only a call to the TCP Wrapper library whenever a service registers itself to the portmapper.

Borja.
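An added example, not Borja's code and not part of the list thread: a small sh/awk script that does the static half of what he describes. It reads the portmapper's registration table (the output of rpcinfo -p) and emits one allow/deny pair of ipfw rules per distinct proto/port, so that only a trusted client network can reach whatever port each RPC service registered on, including the portmapper itself. The rpcinfo sample below is constructed, the rule-number base (5000) and the use of "me" as the local-address keyword are assumptions about the ipfw in use, and the "deny log" form needs IPFIREWALL_VERBOSE to actually log.

```shell
#!/bin/sh
# Added example (not Borja's code): derive per-port ipfw rules from the
# portmapper's registration table, so that only a trusted client network
# can reach whatever port each RPC service registered on.
#
# Assumptions: `rpcinfo -p` prints "program vers proto port name" rows,
# rule numbers from BASE upwards are free and sit before any catch-all
# allow rule, and this ipfw accepts "me" as the local-address keyword.

# rpc_ipfw_rules TRUSTED_SRC [BASE]
#   Reads `rpcinfo -p` text on stdin and prints ipfw commands on stdout:
#   one allow (trusted source) plus one logged deny (everyone else) per
#   distinct proto/port, however many program versions share that port.
rpc_ipfw_rules() {
    trusted="$1"
    base="${2:-5000}"
    awk -v trusted="$trusted" -v base="$base" '
        # skip the header line and anything that is not a registration row
        NF < 4 || $1 !~ /^[0-9]+$/ { next }
        { key = $3 ":" $4 }
        seen[key]++ { next }      # first registration of this proto/port wins
        {
            n = base + 2 * rules++
            name = (NF >= 5) ? $5 : "rpcprog" $1
            printf "# %s (%s/%s)\n", name, $3, $4
            printf "ipfw -q add %d allow %s from %s to me %s\n", n, $3, trusted, $4
            printf "ipfw -q add %d deny log %s from any to me %s\n", n + 1, $3, $4
        }'
}

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
# mountd registers versions 1 and 3 on the same udp port, which must yield
# a single rule pair, not two.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100005    3   udp   1023  mountd
    100005    1   tcp   1023  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# Print the generated rules. On a real host, pipe the output into sh to
# load them:  rpcinfo -p | rpc_ipfw_rules 192.168.1.0/24 | sh
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ipfw_rules 192.168.1.0/24
```

Two things the script cannot do that Borja's portmap hook would: it only sees the ports registered at the moment it runs, so it has to be re-run (and the old rule block flushed first) whenever a daemon restarts and lands on a different port, and it does not distinguish a legitimate registration from a rogue local process registering a program number. Rule order also matters: the generated block has to sit before any "allow ip from any to any" rule or the denies never fire.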
From owner-freebsd-security Fri Feb 9 2:48:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24]) by hub.freebsd.org (Postfix) with ESMTP id 6E04337B401 for ; Fri, 9 Feb 2001 02:48:01 -0800 (PST)
Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id LAA07802; Fri, 9 Feb 2001 11:47:59 +0100 (MET)
Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian)) id 14RB5q-0003d4-00 for ; Fri, 09 Feb 2001 11:47:58 +0100
Date: Fri, 9 Feb 2001 11:47:58 +0100
From: Szilveszter Adam
To: security@freebsd.org
Subject: Re: Is this a problem for us too?
Message-ID: <20010209114758.C6167@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam , security@freebsd.org
References: <20010209095428.A79098@dogma.freebsd-uk.eu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010209095428.A79098@dogma.freebsd-uk.eu.org>; from rasputin@FreeBSD-uk.eu.org on Fri, Feb 09, 2001 at 09:54:29AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Feb 09, 2001 at 09:54:29AM +0000, Rasputin wrote:
> 
> Just noticed a couple of openssh security advisories
> on deadly.org:
> 
> http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
> 
> Is this openbsd -specific, or related to any openssh implementation?

-CURRENT and -STABLE have 2.3.0 so they are not vulnerable. 3.x still
doesn't have OpenSSH at all AFAIK. The ports have just been marked
FORBIDDEN for both ssh and openssh. Something else? No, I think we have
covered all bases:-)

-- 
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Fri Feb 9 4:38:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by hub.freebsd.org (Postfix) with ESMTP id 381F137B491 for ; Fri, 9 Feb 2001 04:38:13 -0800 (PST)
Received: from xor.obsecurity.org ([63.207.60.67]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G8H00DZ2PM5F1@mta6.snfc21.pbi.net> for security@freebsd.org; Fri, 9 Feb 2001 04:34:54 -0800 (PST)
Received: by xor.obsecurity.org (Postfix, from userid 1000) id 5CDBA66CBE; Fri, 09 Feb 2001 02:30:05 -0800 (PST)
Date: Fri, 09 Feb 2001 02:30:05 -0800
From: Kris Kennaway
Subject: Re: Is this a problem for us too?
In-reply-to: <20010209095428.A79098@dogma.freebsd-uk.eu.org>; from rasputin@FreeBSD-uk.eu.org on Fri, Feb 09, 2001 at 09:54:29AM +0000
To: Rasputin
Cc: security@freebsd.org
Message-id: <20010209023005.A57959@mollari.cthul.hu>
MIME-version: 1.0
Content-type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ibTvN161/egqYuK8"
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References: <20010209095428.A79098@dogma.freebsd-uk.eu.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--ibTvN161/egqYuK8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Feb 09, 2001 at 09:54:29AM +0000, Rasputin wrote:
> 
> Just noticed a couple of openssh security advisories
> on deadly.org:
> 
> http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
> 
> Is this openbsd -specific, or related to any openssh implementation?

FreeBSD uses a lightly modified version of OpenSSH from OpenBSD.  Whichever
revision numbers it talks about there also apply to FreeBSD.
Kris

--ibTvN161/egqYuK8
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6g8atWry0BWjoQKURAhaqAJ0R5mINKu7hRN/RySQo9Qq6abC6ygCfdL1q
k4dLOhSiFohBWpCWRtp+R8g=
=Ps6v
-----END PGP SIGNATURE-----

--ibTvN161/egqYuK8--

From owner-freebsd-security Fri Feb 9 5:36:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 9A20437B846 for ; Fri, 9 Feb 2001 05:36:36 -0800 (PST)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id FAA04527; Fri, 9 Feb 2001 05:35:59 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda04525; Fri Feb 9 05:35:57 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f19DZqO59870; Fri, 9 Feb 2001 05:35:52 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdZ59868; Fri Feb 9 05:35:04 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.2/8.9.1) id f19DZ4684120; Fri, 9 Feb 2001 05:35:04 -0800 (PST)
Message-Id: <200102091335.f19DZ4684120@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdV84116; Fri Feb 9 05:35:02 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: "David Beck"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: security improvement ?
In-reply-to: Your message of "Thu, 08 Feb 2001 22:26:18 +0100." <002c01c09215$c7291220$5b3346c3@no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 09 Feb 2001 05:35:02 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <002c01c09215$c7291220$5b3346c3@no>, "David Beck" writes:
> Hi,
> 
> First of all, I would like to mention that this thing I describe here:
> - is not for production use (!!!)
> - has serious problems (look at the readme file)
> - is mainly for generating discussion about the idea
> - might introduce security problems
> 
> The idea here is to introduce further limitations for the usage of syscalls.
> That is to say x process cannot call y syscall, and if he tries it log it
> (somewhere).
> This is like a user (root) configurable profile for a process for calling
> syscalls.
> 
> At the moment I wrote a simplified representation of the idea which can
> limit the usage of the syscalls in a specified jail. This was faster to do
> and shows what I think.
> 
> http://dbeck.beckground.hu/download/scf-0.0.1.tar.gz
> 
> I'm sure that the way it is implemented is bad and instead of writing
> a kernel module like this I should make a patch for the kernel. I'm working
> on the patch, but in the meantime I'm very much interested what the experts
> say about this.

You may also wish to take a look at Spy.
http://people.freebsd.org/~abial/spy-1.0.tgz

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Fri Feb 9 5:45: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.outblaze.com (proxy.outblaze.com [202.77.223.120]) by hub.freebsd.org (Postfix) with SMTP id CF69737B75B for ; Fri, 9 Feb 2001 05:44:46 -0800 (PST)
Received: (qmail 73218 invoked from network); 9 Feb 2001 13:44:44 -0000
Received: from unknown (HELO yusufg.portal2.com) (202.77.181.217) by proxy.outblaze.com with SMTP; 9 Feb 2001 13:44:44 -0000
Received: (qmail 20098 invoked by uid 500); 9 Feb 2001 13:50:09 -0000
Date: Fri, 9 Feb 2001 21:50:09 +0800
From: Yusuf Goolamabbas
To: freebsd-security@freebsd.org
Subject: x86 version of crypto libs ?
Message-ID: <20010209215009.A20063@outblaze.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi, NetBSD's page http://www.netbsd.org/Changes/000804.html mentions the
speedup which x86 assembly specific versions of crypto stuff brings to
their system. I am not sure if these have been merged in or FreeBSD
already has them via OpenSSL.

In case FreeBSD doesn't have x86 assembly versions of these libraries,
would it be possible to incorporate NetBSD's changes?

Regards, Yusuf
-- 
Yusuf Goolamabbas
yusufg@outblaze.com

From owner-freebsd-security Fri Feb 9 6:29:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id B1BFF37C21B for ; Fri, 9 Feb 2001 06:29:28 -0800 (PST)
Received: (from str@localhost) by giganda.komkon.org (8.9.3/8.9.3) id JAA78992; Fri, 9 Feb 2001 09:29:27 -0500 (EST) (envelope-from str)
Date: Fri, 9 Feb 2001 09:29:27 -0500 (EST)
From: Igor Roshchin
Message-Id: <200102091429.JAA78992@giganda.komkon.org>
To: security@FreeBSD.ORG, sziszi@petra.hos.u-szeged.hu
Subject: Re: Is this a problem for us too?
In-Reply-To: <20010209114758.C6167@petra.hos.u-szeged.hu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Date: Fri, 9 Feb 2001 11:47:58 +0100
> From: Szilveszter Adam
> 
> On Fri, Feb 09, 2001 at 09:54:29AM +0000, Rasputin wrote:
> > 
> > Just noticed a couple of openssh security advisories
> > on deadly.org:
> > 
> > http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
> > 
> > Is this openbsd -specific, or related to any openssh implementation?
> 
> -CURRENT and -STABLE have 2.3.0 so they are not vulnerable. 3.x still
> doesn't have OpenSSH at all AFAIK. The ports have just been marked
> FORBIDDEN for both ssh and openssh. Something else? No, I think we have
> covered all bases:-)
> 

Well, I believe such a message, based on some type of "hometown pride",
could be confusing to some people.

Many people are running earlier releases of 4.x, and they do not have
2.3.0 (e.g. 4.0-release has Open-SSH-1.2.2), and therefore are
probably vulnerable (1).
Those who are running 3.5-STABLE and have ssh from the ports collection,
                                       ^^^^^^
(many people do use ssh) are probably (1) vulnerable as well.

I believe (and hope), security-officer's team is already working on
the fix and the advisory.

(1) Note: Unless it is not vulnerable due to some specifics of FreeBSD
implementation, but that doesn't seem to be the case.

Igor

PS. I'd say your response does not "cover all bases", but rather is
an ostrich-like behavior: "My head is hidden, something else ?" :)))
Nothing personal, just let's not confuse people with a false sense
that everything is fine.
From owner-freebsd-security Fri Feb 9 7:18:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from kobayashi.uits.iupui.edu (kobayashi.uits.iupui.edu [134.68.5.17]) by hub.freebsd.org (Postfix) with ESMTP id 5965737B8CD for ; Fri, 9 Feb 2001 07:07:29 -0800 (PST)
Received: from localhost (ajk@localhost) by kobayashi.uits.iupui.edu (8.11.1/8.11.1) with ESMTP id f19F7FS22130; Fri, 9 Feb 2001 10:07:26 -0500 (EST) (envelope-from ajk@iu.edu)
Date: Fri, 9 Feb 2001 10:07:15 -0500 (EST)
From: "Andrew J. Korty"
X-X-Sender:
To: Igor Roshchin
Cc: ,
Subject: Re: Is this a problem for us too?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 9 Feb 2001 09:29:27 -0500 (EST), Igor Roshchin wrote:

> > Date: Fri, 9 Feb 2001 11:47:58 +0100
> > From: Szilveszter Adam
> > 
> > On Fri, Feb 09, 2001 at 09:54:29AM +0000, Rasputin wrote:
> > > 
> > > Just noticed a couple of openssh security advisories
> > > on deadly.org:
> > > 
> > > http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
> > > 
> > > Is this openbsd -specific, or related to any openssh implementation?
> > 
> > -CURRENT and -STABLE have 2.3.0 so they are not vulnerable. 3.x still
> > doesn't have OpenSSH at all AFAIK. The ports have just been marked
> > FORBIDDEN for both ssh and openssh. Something else? No, I think we have
> > covered all bases:-)
> > 
> 
> Well, I believe such a message, based on some type of "hometown pride",
> could be confusing to some people.
> 
> Many people are running earlier releases of 4.x, and they do not have
> 2.3.0 (e.g. 4.0-release has Open-SSH-1.2.2), and therefore are
> probably vulnerable (1).
> Those who are running 3.5-STABLE and have ssh from the ports collection,
>                                        ^^^^^^
> (many people do use ssh) are probably (1) vulnerable as well.

Have we forsaken 4.2-RELEASE already?  It contains OpenSSH 2.2.0.

-- 
Andrew J. Korty, Principal Security Engineer
Office of the Vice President for Information Technology
Indiana University

From owner-freebsd-security Fri Feb 9 9:15: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hermes.logilune.com (hermes.logilune.com [195.154.174.37]) by hub.freebsd.org (Postfix) with ESMTP id 3D93737B76C for ; Fri, 9 Feb 2001 08:44:59 -0800 (PST)
Received: from [192.168.1.2] (talisker.logilune.com [192.168.1.2]) by hermes.logilune.com (Postfix) with ESMTP id 877DF175F4B for ; Fri, 9 Feb 2001 17:44:55 +0100 (CET)
Date: Fri, 09 Feb 2001 17:44:45 +0100
From: Eric Cholet
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE
Message-ID: <2488141552.981740685@[192.168.1.2]>
In-Reply-To: <200102082014.PAA29877@vws3.interlog.com>
X-Mailer: Mulberry/2.0.5 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I received the following, what worries me is that the PGP signature
verified, and it's not April 1st. WTF ??

--On 08/02/01 15:14 -0500 FreeBSD Security Advisories mumbled:

> =============================================================================
> FreeBSD-SA-01:INSERT_NUMBER_HERE                          Security Advisory
>                                                                 FreeBSD, Inc.
> 
> Topic:          FreeBSD on record to set most advisory releases for
>                 year 2001
> 
> Category:       All
> Announced:      2001-02-07
> Credits:        sil@loopback.antioffline.com http://www.antioffline.com
> Vendor status:  Developers sleeping right now
> FreeBSD only:   Yes
> 
> I.   Background
> 
> FreeBSD is the most robust chopperating sysdumb in the world and we
> mean it. Our TCP stack will kick your TCP stacks hynee. Currently we
> are releasing an advisory every 1.95 days which means we are bound
> to surpass Microsoft.
> 
> II.  Problem Description
> 
> We normally do not assess security when creating the ports distribution
> often allowing anyone to build any program we decide to run in the ports
> directory. Recently we have noticed that we can no longer fool users
> into thinking because we provide checksumming for the programs, that
> they will be secure.
> 
> Unlike other operating systems and the developers of them who audit
> their ports, we feel it is not our problem if someone accesses your
> system because we're too lazy to do things right the first time.
> 
> 
> III. Impact
> 
> Obviously anyone can end up control your machine or worse.
> 
> IV.  Workaround
> 
> We will not be mentioning the ultra secure OpenBSD operating system
> since we feel it is not our problem and does not help to promote a
> better OS than our own.
> 
> V.   Solution
> 
> One of the following:
> 
> 1) Rub a magic lamp and wait for the security genie to fix it.
> 
> 2) Download NSA Linux so you too can have miniscule backdoors in it
>    which you won't see.
> 
> 3) Pray to the hacker god Kevin Mitnick for assistance.
> 
> 4) Install a more secure O(penBSD)S
> 
> NOTE: FreeBSD developers are now red faced
> 
> VI.  Shouts
> 
> Hard Lee Strange
> Mike Hunt
> Ivana Swallows
> Mike Hock
> Dick Famous
> Kathie Lee Gifford
> 
> 
> 
> This is the moderated mailing list freebsd-announce.
> The list contains announcements of new FreeBSD capabilities,
> important events and project milestones.
> See also the FreeBSD Web pages at http://www.freebsd.org
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-security Fri Feb 9 9:16:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.marketnews.com (mail.economeister.com [205.183.200.2]) by hub.freebsd.org (Postfix) with ESMTP id 7094D37B77A for ; Fri, 9 Feb 2001 08:46:39 -0800 (PST)
Received: from mharding ([213.219.53.82]) by mail.marketnews.com (8.11.0/8.9.3) with SMTP id f19GkOu99486 for ; Fri, 9 Feb 2001 11:46:25 -0500 (EST)
From: "Mason Harding"
To:
Subject: SSH Vulnerability
Date: Fri, 9 Feb 2001 16:41:15 -0000
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2919.6700
Importance: Normal
In-Reply-To: <20010209114758.C6167@petra.hos.u-szeged.hu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I am guessing this OpenSSH vulnerability applies to FreeBSD...does anyone
know?
Also thought others might like to know about it.
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

Mason

From owner-freebsd-security Fri Feb 9 9:16:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mile.nevermind.kiev.ua (ppp-244.nav.kiev.ua [213.169.65.244]) by hub.freebsd.org (Postfix) with ESMTP id 026F237BE1E for ; Fri, 9 Feb 2001 09:05:33 -0800 (PST)
Received: (from never@localhost) by mile.nevermind.kiev.ua (8.11.1/8.11.1) id f19FIpr13030; Fri, 9 Feb 2001 17:18:52 +0200 (EET) (envelope-from never)
Date: Fri, 9 Feb 2001 17:17:31 +0200
From: Nevermind
To: james pye
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: subscribe
Message-ID: <20010209171731.B12628@nevermind.kiev.ua>
References: <3A83690B.F9188A59@mac.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3A83690B.F9188A59@mac.com>; from diomed@mac.com on Thu, Feb 08, 2001 at 08:50:35PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello, james pye!

On Thu, Feb 08, 2001 at 08:50:35PM -0700, you wrote:
> subscribe

please, send mail with "subscribe freebsd-security" in the body of the
message to majordomo@FreeBSD.ORG

-- 
NEVE-RIPE
The instructions said to install Windows 98 or better, so I installed FreeBSD.

From owner-freebsd-security Fri Feb 9 9:46:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freeside.fc.net (freeside.fc.net [207.170.70.2]) by hub.freebsd.org (Postfix) with ESMTP id 8293737E683 for ; Fri, 9 Feb 2001 09:46:27 -0800 (PST)
Received: from freeside.fc.net (freeside.fc.net [207.170.70.2]) by freeside.fc.net (8.9.3/8.8.8) with ESMTP id LAA78478 for ; Fri, 9 Feb 2001 11:46:26 -0600 (CST)
Date: Fri, 9 Feb 2001 11:46:26 -0600 (CST)
From: Chris
To: freebsd-security@freebsd.org
Subject: subscribe
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

subscribe

From owner-freebsd-security Fri Feb 9 9:51:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 4598637EA87 for ; Fri, 9 Feb 2001 09:51:14 -0800 (PST)
Received: (qmail 86492 invoked by uid 1000); 9 Feb 2001 17:51:12 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 9 Feb 2001 17:51:12 -0000
Date: Fri, 9 Feb 2001 11:51:12 -0600 (CST)
From: Mike Silbersack
To: Szilveszter Adam
Cc:
Subject: Re: Is this a problem for us too?
In-Reply-To: <20010209114758.C6167@petra.hos.u-szeged.hu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 9 Feb 2001, Szilveszter Adam wrote:

> -CURRENT and -STABLE have 2.3.0 so they are not vulnerable. 3.x still
> doesn't have OpenSSH at all AFAIK. The ports have just been marked
> FORBIDDEN for both ssh and openssh. Something else? No, I think we have
> covered all bases:-)
> 
> -- 
> Regards:
> 
> Szilveszter ADAM
> Szeged University
> Szeged Hungary

Well, marking the ports forbidden doesn't really _fix_ the bug.  However,
the patch is only one line long, so I imagine the maintainers will have
the two ports fixed in a quick hurry.

Mike "Silby" Silbersack

From owner-freebsd-security Fri Feb 9 10:41:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 62C4A37B401 for ; Fri, 9 Feb 2001 10:41:35 -0800 (PST)
Received: (from dillon@localhost) by earth.backplane.com (8.11.1/8.9.3) id f19IfNQ84385; Fri, 9 Feb 2001 10:41:23 -0800 (PST) (envelope-from dillon)
Date: Fri, 9 Feb 2001 10:41:23 -0800 (PST)
From: Matt Dillon
Message-Id: <200102091841.f19IfNQ84385@earth.backplane.com>
To: "Mason Harding"
Cc:
Subject: How to rebuild ssh w/ latest sources (was Re: SSH Vulnerability)
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:I am guessing this OpenSSH vulnerability applies to FreeBSD...does anyone
:know?
:Also thought others might like to know about it.
:http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
:
:Mason

    Yes.  If your sources are reasonably up to date (since Jan 23), just
    rebuild it:

	cd /usr/src/secure/lib/libssh
	make clean obj all
	cd /usr/src/secure/usr.sbin/sshd
	make clean obj all install
	cd /usr/src/secure/usr.bin/ssh
	make clean obj all install

	(kill your old sshd daemon, start a new one)

    Verify you are running the new version of the daemon:

	% ssh -v localhost

	earth:/home/dillon> ssh -v localhost
	SSH Version OpenSSH_2.3.0, protocol versions 1.5/2.0.
	Compiled with SSL (0x0090600f).
	debug: Reading configuration data /etc/ssh/ssh_config
	debug: ssh_connect: getuid 101 geteuid 101 anon 1
	debug: Connecting to localhost [127.0.0.1] port 22.
	debug: Connection established.
	debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0
	                                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	debug: match: OpenSSH_2.3.0 pat ^OpenSSH[-_]2\.3
	debug: Local version string SSH-1.5-OpenSSH_2.3.0

From owner-freebsd-security Fri Feb 9 10:57:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from iguana.aciri.org (iguana.aciri.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id 0063C37B699 for ; Fri, 9 Feb 2001 10:56:53 -0800 (PST)
Received: (from rizzo@localhost) by iguana.aciri.org (8.11.1/8.11.1) id f19Iurp06264; Fri, 9 Feb 2001 10:56:53 -0800 (PST) (envelope-from rizzo)
From: Luigi Rizzo
Message-Id: <200102091856.f19Iurp06264@iguana.aciri.org>
Subject: adding securelevel control to r/w sysctl variables...
To: security@freebsd.org
Date: Fri, 9 Feb 2001 10:56:53 -0800 (PST)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

the attached code (for -STABLE, but should be similar for -CURRENT)
permits limiting write access to sysctl variables based on the value
of "securelevel".

If there are no objections, I would like to commit and MFC this code
(and start protecting some of the sysctl knobs which definitely need
it!!).

For the record, CTLFLAG_SECURE was in the header but was not used by
any variable that I know of, so the change of semantics should not
give problems.

Furthermore -- this is not implemented yet, but the header reserves
a couple of flags to mark that a given variable cannot be raised or
lowered. Implementation is trivial (once I sort out how to get the old
and new value of the parameters in sysctl_handle_*() ) and when present
it could be used to replace the implementation of kern.securelevel
with a standard SYSCTL_INT.

Feedback welcome... possibly to me as well, as I do not subscribe to
the security list.

	cheers
	luigi

Index: sys/sysctl.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/sysctl.h,v
retrieving revision 1.81.2.3
diff -u -r1.81.2.3 sysctl.h
--- sys/sysctl.h	2000/09/25 12:09:20	1.81.2.3
+++ sys/sysctl.h	2001/02/09 18:02:40
@@ -79,9 +79,19 @@ #define CTLFLAG_RW (CTLFLAG_RD|CTLFLAG_WR) #define CTLFLAG_NOLOCK 0x20000000 /* XXX Don't Lock */ #define CTLFLAG_ANYBODY 0x10000000 /* All users can set this var */ -#define CTLFLAG_SECURE 0x08000000 /* Permit set only if securelevel<=0 */ +#define CTLFLAG_SECURE 0x08000000 /* Permit set only if securelevel<0 */ #define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */ #define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */ + +#define CTLFLAG_NORAISE 0x01000000 /* cannot be raised */ +#define CTLFLAG_NOLOWER 0x00800000 /* cannot be lowered */ +#define CTLFLAG_S_MASK 0x000f0000 /* max securelevel to change */ +#define CTLFLAG_S_MASK_OFS 16 /* rightmost 1 in above */ +/* + * cannot modify variable if (securelevel >= i) + */ +#define CTLFLAG_SECURELEVEL(i) \ + ( (((i)<newptr && (!(oid->oid_kind & CTLFLAG_WR) || - ((oid->oid_kind & CTLFLAG_SECURE) && securelevel > 0))) - return (EPERM); + if (req->newptr) { + if (!(oid->oid_kind & CTLFLAG_WR)) + return EPERM ; + if (oid->oid_kind & CTLFLAG_SECURE) { + int i = (oid->oid_kind & CTLFLAG_S_MASK) >> CTLFLAG_S_MASK_OFS; + if (securelevel >= i) + return (EPERM); + } + } /* Most likely only root can write */ if (!(oid->oid_kind & CTLFLAG_ANYBODY) &&

From owner-freebsd-security Fri Feb 9 10:58: 6 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mile.nevermind.kiev.ua (ppp-244.nav.kiev.ua [213.169.65.244]) by hub.freebsd.org (Postfix) with ESMTP id B004C37B503 for ; Fri, 9 Feb 2001 10:57:28 -0800 (PST)
Received: (from never@localhost) by mile.nevermind.kiev.ua (8.11.1/8.11.1) id f19IuuN00785; Fri, 9 Feb 2001 20:56:57 +0200 (EET) (envelope-from never)
Date: Fri, 9 Feb 2001 20:56:55 +0200
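Review bot: in the sys/sysctl.h hunk of Luigi's patch, changing the CTLFLAG_SECURE comment from `securelevel<=0` to `securelevel<0` means a plain CTLFLAG_SECURE (level field 0, so i == 0) becomes writable only at securelevel -1, which is stricter than the flag used to be; consider defining CTLFLAG_SECURE as CTLFLAG_SECURELEVEL(1) so the bare flag keeps meaning "writable at securelevel 0", and confirm that the bits in CTLFLAG_S_MASK (0x000f0000) are not claimed by CTLTYPE or any other flag in the header. The body of CTLFLAG_SECURELEVEL() is cut off after `( (((i)<` in the archived copy, so the encoding itself cannot be checked from what is visible.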
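Review bot: in the kern_sysctl.c hunk of Luigi's patch, `return EPERM ;` should be written `return (EPERM);` to match the line a few below it; more importantly the old test `securelevel > 0` becomes `securelevel >= i`, so for every existing CTLFLAG_SECURE user (i == 0) a write is now refused at securelevel 0 as well, which agrees with the updated header comment but is a behaviour change that the commit message should call out. Keeping the whole block under `if (req->newptr)` is right, since read-only lookups stay unaffected.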
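As an added example that is not Luigi's code and not FreeBSD's: a user-space model of the securelevel gate the sysctl patch above adds, extended with the "cannot be raised" and "cannot be lowered" flags the header reserves but the patch does not yet enforce, which is the piece Luigi says would let kern.securelevel become a plain SYSCTL_INT. The flag values are the ones in the posted header; the body of `CTLFLAG_SECURELEVEL()` is cut off in the archived diff, so the encoding used here (level stored in the CTLFLAG_S_MASK bits) is an assumption, as is the `sysctl_write_check` name and its `is_root` parameter standing in for the kernel's credential check.

```c
/* Added example, not code from Luigi's patch or from FreeBSD: a user-space
 * model of the securelevel gate his diff adds before a sysctl write, plus
 * the "cannot be raised / cannot be lowered" flags the header reserves but
 * the patch does not yet enforce. Flag values are those in the posted
 * header; the CTLFLAG_SECURELEVEL() body is cut off in the archived diff,
 * so the encoding below (level kept in bits 16-19) is an assumption. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define CTLFLAG_RD          0x80000000
#define CTLFLAG_WR          0x40000000
#define CTLFLAG_RW          (CTLFLAG_RD|CTLFLAG_WR)
#define CTLFLAG_ANYBODY     0x10000000  /* all users can set this var */
#define CTLFLAG_SECURE      0x08000000  /* gated on securelevel */
#define CTLFLAG_NORAISE     0x01000000  /* value cannot be raised */
#define CTLFLAG_NOLOWER     0x00800000  /* value cannot be lowered */
#define CTLFLAG_S_MASK      0x000f0000  /* max securelevel to change */
#define CTLFLAG_S_MASK_OFS  16

/* Assumed reconstruction: the oid stays writable while securelevel < i. */
#define CTLFLAG_SECURELEVEL(i) \
    (CTLFLAG_SECURE | ((((uint32_t)(i)) << CTLFLAG_S_MASK_OFS) & CTLFLAG_S_MASK))

/* Decision made before a write is let through, in the order the patch
 * uses: writable at all, securelevel gate, monotonic flags, then the
 * "most likely only root can write" check. Returns 0 or EPERM. */
int sysctl_write_check(uint32_t oid_kind, int securelevel, int is_root,
                       int oldval, int newval)
{
    if (!(oid_kind & CTLFLAG_WR))
        return EPERM;                         /* read-only oid */
    if (oid_kind & CTLFLAG_SECURE) {
        int i = (oid_kind & CTLFLAG_S_MASK) >> CTLFLAG_S_MASK_OFS;
        if (securelevel >= i)
            return EPERM;                     /* securelevel already too high */
    }
    /* the not-yet-implemented flags, done with the old and new values */
    if ((oid_kind & CTLFLAG_NORAISE) && newval > oldval)
        return EPERM;
    if ((oid_kind & CTLFLAG_NOLOWER) && newval < oldval)
        return EPERM;
    if (!(oid_kind & CTLFLAG_ANYBODY) && !is_root)
        return EPERM;
    return 0;
}

int main(void)
{
    /* kern.securelevel modelled as a plain RW integer that can only go up */
    const uint32_t securelevel_kind = CTLFLAG_RW | CTLFLAG_NOLOWER;
    int level = 1;

    printf("raise 1 -> 2: %s\n",
           sysctl_write_check(securelevel_kind, level, 1, level, 2) ? "EPERM" : "ok");
    printf("lower 1 -> 0: %s\n",
           sysctl_write_check(securelevel_kind, level, 1, level, 0) ? "EPERM" : "ok");

    /* a knob protected with CTLFLAG_SECURELEVEL(1) is writable only below level 1 */
    printf("secure knob at securelevel 0: %s\n",
           sysctl_write_check(CTLFLAG_RW | CTLFLAG_SECURELEVEL(1), 0, 1, 0, 1) ? "EPERM" : "ok");
    printf("secure knob at securelevel 1: %s\n",
           sysctl_write_check(CTLFLAG_RW | CTLFLAG_SECURELEVEL(1), 1, 1, 0, 1) ? "EPERM" : "ok");
    return 0;
}
```

The case worth noticing is a bare `CTLFLAG_SECURE` with nothing in the level field: under the `securelevel >= i` test it is writable only at securelevel -1, which is the semantics change Luigi mentions and the reason an existing user of the flag would need the level set explicitly.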
From: Nevermind
To: Eric Cholet
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE
Message-ID: <20010209205655.A560@nevermind.kiev.ua>
References: <200102082014.PAA29877@vws3.interlog.com> <2488141552.981740685@[192.168.1.2]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <2488141552.981740685@[192.168.1.2]>; from cholet@logilune.com on Fri, Feb 09, 2001 at 05:44:45PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello, Eric Cholet!

On Fri, Feb 09, 2001 at 05:44:45PM +0100, you wrote:
> I received the following, what worries me is that the PGP signature
> verified, and it's not April 1st. WTF ??

Ah... They have no ntpdate on their OpenBSD boxes unfortunately :((

> 
> --On 08/02/01 15:14 -0500 FreeBSD Security Advisories mumbled:
> 
> > =============================================================================
> > FreeBSD-SA-01:INSERT_NUMBER_HERE                          Security Advisory
> >                                                                 FreeBSD, Inc.
> > 
> > Topic:          FreeBSD on record to set most advisory releases for
> >                 year 2001
> > 
> > Category:       All
> > Announced:      2001-02-07
> > Credits:        sil@loopback.antioffline.com http://www.antioffline.com
> > Vendor status:  Developers sleeping right now
> > FreeBSD only:   Yes

[snip]

> > IV.  Workaround
> > 
> > We will not be mentioning the ultra secure OpenBSD operating system
> > since we feel it is not our problem and does not help to promote a
> > better OS than our own.
> > 
> > V.   Solution
> > 
> > One of the following:
> > 
> > 1) Rub a magic lamp and wait for the security genie to fix it.
> > 
> > 2) Download NSA Linux so you too can have miniscule backdoors in it
> >    which you won't see.
> > 
> > 3) Pray to the hacker god Kevin Mitnick for assistance.
> > 
> > 4) Install a more secure O(penBSD)S
> > 
> > NOTE: FreeBSD developers are now red faced
> > 
> > VI.  Shouts
> > 
> > Hard Lee Strange
> > Mike Hunt
> > Ivana Swallows
> > Mike Hock
> > Dick Famous
> > Kathie Lee Gifford

-- 
NEVE-RIPE
The instructions said to install Windows 98 or better, so I installed FreeBSD.

From owner-freebsd-security Fri Feb 9 10:59:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24]) by hub.freebsd.org (Postfix) with ESMTP id 250F537B65D for ; Fri, 9 Feb 2001 10:58:49 -0800 (PST)
Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id TAA26764; Fri, 9 Feb 2001 19:58:47 +0100 (MET)
Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian)) id 14RIkp-0007y4-00 for ; Fri, 09 Feb 2001 19:58:47 +0100
Date: Fri, 9 Feb 2001 19:58:47 +0100
From: Szilveszter Adam
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE
Message-ID: <20010209195847.F27987@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam , security@FreeBSD.ORG
References: <200102082014.PAA29877@vws3.interlog.com> <2488141552.981740685@[192.168.1.2]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <2488141552.981740685@[192.168.1.2]>; from cholet@logilune.com on Fri, Feb 09, 2001 at 05:44:45PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Feb 09, 2001 at 05:44:45PM +0100, Eric Cholet wrote:
> I received the following, what worries me is that the PGP signature
> verified, and it's not April 1st. WTF ??

AFAIK it was not at all signed... unlike previous attempts by the same
"funny" person. But what got me worried (and what nobody apparently
understood from my post from yesterday) is that this time the prankster
managed to post on both freebsd-announce and freebsd-security-announce,
which are supposed to be closed and moderated lists.

So does this effectively mean, that just by forging a From: header, I can
already post whatever I want on -announce? (An allegedly trusted resource)
If so, we (freebsd.org) have a security problem. (Hence the post on
-security, since we do not have any *public* mailing list for discussing
security matters wrt freebsd.org itself, before anyone asks again.)

If my allegation is not true, then what happened?

-- 
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Fri Feb 9 11: 1: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id A71EC37B698; Fri, 9 Feb 2001 11:00:44 -0800 (PST)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f19J0iw14545; Fri, 9 Feb 2001 11:00:44 -0800 (PST)
Date: Fri, 9 Feb 2001 11:00:44 -0800
From: Alfred Perlstein
To: green@freebsd.org
Cc: security@freebsd.org, ports@freebsd.org
Subject: OpenSSH port patch
Message-ID: <20010209110044.I26076@fw.wintelcom.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Please trim CC!

This removes the 'forbidden' and adds a patch to correct the hash
overflow as suggested by the Bindview audit.

I'm cc'ing Brian Feldman (green) because he's maintainer, -ports because
I'm not really good at ports and -security so that people can look this
over.

May I apply this patch?

Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/openssh/Makefile,v
retrieving revision 1.57
diff -u -u -r1.57 Makefile
--- Makefile	2001/02/09 04:58:24	1.57
+++ Makefile	2001/02/09 18:53:06
@@ -20,8 +20,6 @@ .include -FORBIDDEN= "Remote vulnerabilities" - CRYPTOLIBS= -L${OPENSSLLIB} -lcrypto # Here, MANDIR is concetenated to DESTDIR which all forms the man install dir... MAKE_ENV+= DESTDIR=${PREFIX} MANDIR=/man/man CRYPTOLIBS="${CRYPTOLIBS}" Index: files/patch-az =================================================================== RCS file: patch-az diff -N patch-az --- /dev/null Fri Feb 9 10:59:20 2001 +++ patch-az Fri Feb 9 10:58:58 2001 @@ -0,0 +1,11 @@ +--- /home/bright/ssh/ssh/deattack.c Fri Aug 18 19:17:12 2000 ++++ deattack.c Fri Feb 9 10:58:54 2001 +@@ -84,7 +84,7 @@ + detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV) + { + static u_int16_t *h = (u_int16_t *) NULL; +- static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE; ++ static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; + register u_int32_t i, j; + u_int32_t l; + register unsigned char *c; -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 11:13:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtpout.kingston-internet.net (smtpout.kingston-internet.co.uk [212.50.161.69]) by hub.freebsd.org (Postfix) with ESMTP id 6E98737B69C for ; Fri, 9 Feb 2001 11:13:36 -0800 (PST) Received: from dialup28.manuel.kingston-internet.net ([212.50.176.28] helo=pmason.karoo.co.uk) by smtpout.kingston-internet.net with smtp (Exim 2.12 #8) id 14RIz8-00061F-00 for security@FreeBSD.ORG; Fri, 9 Feb 2001 19:13:34 +0000 Date: Fri, 9 Feb 2001 19:14:11 -0000 
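Review bot: the Makefile hunk deletes FORBIDDEN= "Remote vulnerabilities" and changes nothing else in the port, so a package built after this commit carries the same name and version as one built from revision 1.57 before the port was marked forbidden, and users who already have it installed get no signal to rebuild. Bump the port's revision in the same commit so the rebuilt package is recognisably newer, and keep the FORBIDDEN line in place until the deattack.c patch has been signed off, since it is the only thing that currently prevents the vulnerable version from being built.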
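Review bot: the patch-az hunk widens n from u_int16_t to u_int32_t but shows only the declaration; since n is initialised from HASH_MINSIZE / HASH_ENTRYSIZE it is the hash-table entry count, and every later use of it (the size handed to the allocator and any (n - 1) index mask, none of which is in the hunk's context lines) needs to be checked so that no value is still stored into, or compared against, a 16-bit variable after the change. A 16-bit n wraps to 0 as soon as the table reaches 65536 entries, which is consistent with the hash overflow the cover message attributes to the Bindview audit, so the one-line change is the right fix only if nothing else truncates. Style point: the old-file header reads /home/bright/ssh/ssh/deattack.c, an absolute path from the submitter's home directory; ports patches are conventionally written as --- deattack.c.orig / +++ deattack.c so the file name resolves the same way on every machine.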
From: **1st Vamp** Reply-To: **1st Vamp** To: security@FreeBSD.ORG Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE X-Mailer: AK-Mail 3.1 publicbeta2a [eng] (unregistered) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Seems like the announce lists use majordomo to just check the From: header line; my best suggestion would be that the admins of the lists use a server (closed) posting solution, ergo you have to log in in order to post an announcement. - Vamp : On Fri, Feb 09, 2001 at 05:44:45PM +0100, Eric Cholet wrote: :> I received the following, what worries me is that the PGP signature :> verified, and it's not April 1st. WTF ?? : AFAIK it was not at all signed... unlike previous attempts by the same : "funny" person. But what got me worried (and what nobody apparently : understood from my post from yesterday) that this time the prankster : managed to post on both freebsd-announce and freebsd-security-announce, : which are supposed to be closed and moderated lists. : So does this effectively mean, that just by forging a
From: header, I can : already post whatever I want on -announce? (An allegedly trusted resource) : If so, we (freebsd.org) have a security problem. (Hence the post on : -security, since we do not have any *public* mailing list for discussing : security matters wrt freebsd.org itself, before anyone asks again.) : If my allegation is not true, then what happened? : -- : Regards: : Szilveszter ADAM : Szeged University : Szeged Hungary : To Unsubscribe: send mail to majordomo@FreeBSD.org : with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 11:36:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (bgm-24-94-35-22.stny.rr.com [24.94.35.22]) by hub.freebsd.org (Postfix) with ESMTP id 9333337B69D for ; Fri, 9 Feb 2001 11:36:14 -0800 (PST) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.1/8.11.1) with ESMTP id f19JZxF58531; Fri, 9 Feb 2001 14:36:04 -0500 (EST) (envelope-from piechota@argolis.org) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Fri, 9 Feb 2001 14:35:59 -0500 (EST) 
From: Matt Piechota To: Szilveszter Adam Cc: Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE In-Reply-To: <20010209195847.F27987@petra.hos.u-szeged.hu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 9 Feb 2001, Szilveszter Adam wrote: > AFAIK it was not at all signed... unlike previous attempts by the same > "funny" person. But what got me worried (and what nobody apparently > understood from my post from yesterday) that this time the prankster > managed to post on both freebsd-announce and > freebsd-security-announce, which are supposed to be closed and > moderated lists. > > So does this effectively mean, that just by forging a From: header, I can > already post whatever I want on -announce? (An allegedly trusted resource) > If so, we (freebsd.org) have a security problem. (Hence the post on > -security, since we do not have any *public* mailing list for discussing > security matters wrt freebsd.org itself, before anyone asks again.) > > If my allegation is not true, then what happened? I believe you just have to forge the "Moderated By:" header or something similar. I know some news groups (alt.2600.moderated, I believe) are moderated, but have no person with moderator power. You have to be l33t enough to forge the news item to post. I would assume mailing lists have a similar hole. You can't just forge the From: header, since I would assume the mail server won't accept mail 
From: someone@freebsd.org from a non freebsd.org machine, but I could be wrong. -- Matt Piechota Finger piechota@emailempire.com for PGP key AOL IM: cithaeron To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 11:49:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from lionking.org (unknown [64.40.111.102]) by hub.freebsd.org (Postfix) with ESMTP id 51D0237B503 for ; Fri, 9 Feb 2001 11:48:49 -0800 (PST) Received: from localhost (btman@localhost) by lionking.org (8.11.1/8.11.1) with ESMTP id f19JmSS34090 for ; Fri, 9 Feb 2001 11:48:38 -0800 (PST) (envelope-from btman@arclight.net) X-Authentication-Warning: lionking.org: btman owned process doing -bs Date: Fri, 9 Feb 2001 11:48:28 -0800 (PST) 
From: Brian Tiemann X-X-Sender: To: Subject: Re: How to rebuild ssh w/ latest sources Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi-- > cd /usr/src/secure/lib/libssh > make clean obj all > cd /usr/src/secure/usr.sbin/sshd > make clean obj all install > cd /usr/src/secure/usr.bin/ssh > make clean obj all install > > (kill your old sshd daemon, start a new one) This doesn't seem to update anything in my /etc/ssh directory. (There are deprecated directives, like "ConnectionsPerPeriod", in it.) Is there a way to update these files? Brian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 11:50:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from vic.cioe.com (vic.cioe.com [204.120.165.37]) by hub.freebsd.org (Postfix) with ESMTP id 245D437B6A2 for ; Fri, 9 Feb 2001 11:50:37 -0800 (PST) Received: from ny1wsh031 (blackhole.cioe.com [204.120.165.44]) by vic.cioe.com (8.11.1/8.11.1) with SMTP id f19JoId03263; Fri, 9 Feb 2001 14:50:29 -0500 (EST) (envelope-from steve@virtual-voodoo.com) Message-ID: <050801c092d1$8dbdf2f0$8a1a050a@winstar.com> From: "Steven E. Ames" To: "Brian Tiemann" , References: Subject: Re: How to rebuild ssh w/ latest sources Date: Fri, 9 Feb 2001 14:50:18 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-Mimeole: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ----- Original Message ----- 
From: "Brian Tiemann" > This doesn't seem to update anything in my /etc/ssh directory. > (There are deprecated directives, like "ConnectionsPerPeriod", in it.) Is > there a way to update these files? mergemaster -Steve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 13:22:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 3A7B037B491; Fri, 9 Feb 2001 13:22:27 -0800 (PST) Received: (from dillon@localhost) by earth.backplane.com (8.11.1/8.9.3) id f19LMBh08953; Fri, 9 Feb 2001 13:22:11 -0800 (PST) (envelope-from dillon) Date: Fri, 9 Feb 2001 13:22:11 -0800 (PST) 
From: Matt Dillon Message-Id: <200102092122.f19LMBh08953@earth.backplane.com> To: Alfred Perlstein Cc: green@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: OpenSSH port patch References: <20010209110044.I26076@fw.wintelcom.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I think it's a whole lot better than simply marking the package forbidden! I was actually surprised that the package was marked forbidden, when the fix is only a few minutes of work. -Matt :Please trim CC! : :This removes the 'forbidden' and adds a patch to correct the :hash overflow as suggested by the Bindview audit. : :I'm cc'ing Brian Feldman (green) because he's maintainer, -ports :because I'm not really good at ports and -security so that people :can look this over. : :May I apply this patch? : :Index: Makefile :=================================================================== :RCS file: /home/ncvs/ports/security/openssh/Makefile,v :retrieving revision 1.57 :diff -u -u -r1.57 Makefile :--- Makefile 2001/02/09 04:58:24 1.57 :+++ Makefile 2001/02/09 18:53:06 :@@ -20,8 +20,6 @@ : : .include : :-FORBIDDEN= "Remote vulnerabilities" :- : CRYPTOLIBS= -L${OPENSSLLIB} -lcrypto : # Here, MANDIR is concetenated to DESTDIR which all forms the man install dir...
: MAKE_ENV+= DESTDIR=${PREFIX} MANDIR=/man/man CRYPTOLIBS="${CRYPTOLIBS}" :Index: files/patch-az :=================================================================== :RCS file: patch-az :diff -N patch-az :--- /dev/null Fri Feb 9 10:59:20 2001 :+++ patch-az Fri Feb 9 10:58:58 2001 :@@ -0,0 +1,11 @@ :+--- /home/bright/ssh/ssh/deattack.c Fri Aug 18 19:17:12 2000 :++++ deattack.c Fri Feb 9 10:58:54 2001 :+@@ -84,7 +84,7 @@ :+ detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV) :+ { :+ static u_int16_t *h = (u_int16_t *) NULL; :+- static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE; :++ static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; :+ register u_int32_t i, j; :+ u_int32_t l; :+ register unsigned char *c; : :-- :-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] :"I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 13:26:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 62BA337B491; Fri, 9 Feb 2001 13:26:05 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f19LQ4a19416; Fri, 9 Feb 2001 13:26:04 -0800 (PST) Date: Fri, 9 Feb 2001 13:26:04 -0800 
From: Alfred Perlstein To: Matt Dillon Cc: green@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: OpenSSH port patch Message-ID: <20010209132604.O26076@fw.wintelcom.net> References: <20010209110044.I26076@fw.wintelcom.net> <200102092122.f19LMBh08953@earth.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200102092122.f19LMBh08953@earth.backplane.com>; from dillon@earth.backplane.com on Fri, Feb 09, 2001 at 01:22:11PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Matt Dillon [010209 13:22] wrote: > I think it's a whole lot better than simply marking the package > forbidden! I was actually surprised that the package was marked > forbidden, when the fix is only a few minutes of work. I've been hopping around on IRC frothing at the mouth about getting this patch in but no one has signed off on it and since I've got little port-fu I'm nervous about making a bad situation worse. > > -Matt > > :Please trim CC! > : > :This removes the 'forbidden' and adds a patch to correct the > :hash overflow as suggested by the Bindview audit. > : > :I'm cc'ing Brian Feldman (green) because he's maintainer, -ports > :because I'm not really good at ports and -security so that people > :can look this over. > : > :May I apply this patch? > : > :Index: Makefile > :=================================================================== > :RCS file: /home/ncvs/ports/security/openssh/Makefile,v > :retrieving revision 1.57 > :diff -u -u -r1.57 Makefile > :--- Makefile 2001/02/09 04:58:24 1.57 > :+++ Makefile 2001/02/09 18:53:06 > :@@ -20,8 +20,6 @@ > : > : .include > : > :-FORBIDDEN= "Remote vulnerabilities" > :- > : CRYPTOLIBS= -L${OPENSSLLIB} -lcrypto > : # Here, MANDIR is concetenated to DESTDIR which all forms the man install dir...
> : MAKE_ENV+= DESTDIR=${PREFIX} MANDIR=/man/man CRYPTOLIBS="${CRYPTOLIBS}" > :Index: files/patch-az > :=================================================================== > :RCS file: patch-az > :diff -N patch-az > :--- /dev/null Fri Feb 9 10:59:20 2001 > :+++ patch-az Fri Feb 9 10:58:58 2001 > :@@ -0,0 +1,11 @@ > :+--- /home/bright/ssh/ssh/deattack.c Fri Aug 18 19:17:12 2000 > :++++ deattack.c Fri Feb 9 10:58:54 2001 > :+@@ -84,7 +84,7 @@ > :+ detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV) > :+ { > :+ static u_int16_t *h = (u_int16_t *) NULL; > :+- static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE; > :++ static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; > :+ register u_int32_t i, j; > :+ u_int32_t l; > :+ register unsigned char *c; > : > :-- > :-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] > :"I have the heart of a child; I keep it in a jar on my desk." > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 13:26:41 2001 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 3B38037B699; Fri, 9 Feb 2001 13:26:13 -0800 (PST) 
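The following C program is an added illustration and is not code from the page, from OpenSSH, or from the port patch discussed above. It re-creates only the hash-table sizing arithmetic of detect_attack() in deattack.c, the function the patch-az hunk touches: the constants SSH_MAXBLOCKS, SSH_BLOCKSIZE, HASH_MINSIZE, HASH_ENTRYSIZE and HASH_FACTOR, the grow-by-four loop, and the assignment of the grown size back into `n` are assumed here from that file and are not shown on the page. For the largest packet the function accepts it computes what a u_int16_t `n` and a u_int32_t `n` each yield for the table size, the allocation size and the index mask, which is what the one-line change in patch-az is about. The struct and hash_slot() are this example's own names.

```c
/*
 * Added example (not OpenSSH code and not part of the port patch):
 * re-creates only the hash-table sizing arithmetic of detect_attack()
 * in deattack.c so the effect of a 16-bit versus a 32-bit `n` can be
 * observed. The constants below are assumed from deattack.c.
 */
#include <stdint.h>
#include <stdio.h>

#define SSH_MAXBLOCKS   (32 * 1024)          /* assumed from deattack.c */
#define SSH_BLOCKSIZE   8
#define HASH_MINSIZE    (8 * 1024)           /* bytes */
#define HASH_ENTRYSIZE  2                    /* one u_int16_t per slot */
#define HASH_FACTOR(x)  ((x) * 3 / 2)

struct sizing {
    uint32_t n;      /* entry count the code believes the table has */
    uint32_t bytes;  /* size that would be handed to xmalloc/xrealloc */
    uint32_t mask;   /* the (n - 1) used to mask a hash into a slot index */
};

/* Grow the table size the way deattack.c's loop does: quadruple `l`
 * until it covers 1.5 * (number of 8-byte blocks in the packet). */
static uint32_t grow(uint32_t start, uint32_t len)
{
    uint32_t l;
    for (l = start; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
        ;
    return l;
}

/* Pre-patch shape: `n` is a 16-bit variable, so `n = l` is a narrowing
 * assignment. Once l reaches 65536 the stored value is 0. */
struct sizing size_u16(uint32_t len)
{
    uint16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;   /* 4096 */
    uint32_t l = grow(n, len);
    struct sizing s;
    n = l;                                        /* truncates to 16 bits */
    s.n = n;
    s.bytes = (uint32_t)n * HASH_ENTRYSIZE;       /* 0 bytes when n == 0 */
    s.mask = (uint32_t)(n - 1);                   /* n promotes to int: 0 - 1 == -1 */
    return s;
}

/* Post-patch shape: `n` is 32-bit, so the computed size survives intact. */
struct sizing size_u32(uint32_t len)
{
    uint32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
    uint32_t l = grow(n, len);
    struct sizing s;
    n = l;
    s.n = n;
    s.bytes = n * HASH_ENTRYSIZE;
    s.mask = n - 1;
    return s;
}

/* Slot an (attacker-influenced) 32-bit hash lands in for a given mask. */
uint32_t hash_slot(uint32_t hash, uint32_t mask)
{
    return hash & mask;
}

int main(void)
{
    /* Largest packet detect_attack() accepts: SSH_MAXBLOCKS blocks of 8 bytes. */
    uint32_t len = SSH_MAXBLOCKS * SSH_BLOCKSIZE;
    struct sizing a = size_u16(len), b = size_u32(len);

    printf("len=%u\n", (unsigned)len);
    printf("u_int16_t n: n=%u bytes=%u mask=0x%08x slot(0xdeadbeef)=0x%x\n",
           (unsigned)a.n, (unsigned)a.bytes, (unsigned)a.mask,
           (unsigned)hash_slot(0xdeadbeefu, a.mask));
    printf("u_int32_t n: n=%u bytes=%u mask=0x%08x slot(0xdeadbeef)=0x%x\n",
           (unsigned)b.n, (unsigned)b.bytes, (unsigned)b.mask,
           (unsigned)hash_slot(0xdeadbeefu, b.mask));
    return 0;
}
```

Compile with any C99 compiler. For the 256 KiB maximum packet the 16-bit variant reports n=0, an allocation of 0 bytes and a mask of 0xffffffff, so a hash of attacker-chosen ciphertext is used unmasked as an index into an empty table; the 32-bit variant reports n=65536 and a mask of 0xffff. For small packets (8 KiB) both variants agree on n=4096, which is why the defect only shows up with large inputs.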
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: Reminder notice about FreeBSD Security Advisories Reply-To: security-advisories@freebsd.org Message-Id: <20010209212613.3B38037B699@hub.freebsd.org> Date: Fri, 9 Feb 2001 13:26:13 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- This is a reminder notice that all FreeBSD Security Advisories are signed with the PGP key of the security officer, available from the following location: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc A copy of the public key containing more signatures may be retrieved from the http://keys.pgp.com key server. The PGP signature should be verified on all FreeBSD Security Advisories prior to trusting its contents -- recent events have reminded the community that e-mail may be trivially spoofed, and this is in fact the precise reason the security officer signs all official advisories. Advisories with missing or invalid signatures must be assumed to be written by third parties, and therefore unofficial and unsanctioned by the FreeBSD Project. While the recent examples of spoofed advisories were childish and easily seen to be counterfeits, the originator has done the service of reinforcing the point that signature verification is necessary. Consider the example of a spoofed advisory which appears to be fully legitimate and describes an abstruse and difficult to understand "security vulnerability", and which contains instructions which subtlely weaken or compromise the security of machines upon which the instructions are carried out. At this time, GnuPG is the PGP software recommended by the security officer for use on FreeBSD. This and other PGP software are also included in the FreeBSD ports collection and available commercially. Most modern mail software allows PGP signature verification to be done automatically at the time the message is displayed. 
Consult the documentation for your mail and PGP software to find out how to configure it to automatically verify signatures in e-mail. A sample configuration file for the mutt mail reader to allow automatic signature verfication (suitable for addition to the user's ~/.muttrc file) is available from: http://www.freebsd.org/~kris/muttrc-gpg This relies on the availability of the gnupg software (/usr/ports/security/gnupg). Note that the security-officer PGP key uses the IDEA algorithm for encrypted (as opposed to signed) messages you may wish to send to us, which is not included in gnupg by default. IDEA is covered by a patent, but the licensing terms permit use for non-commercial purposes. To install IDEA support, perform the following steps as root: # cd /usr/ports/security/gnupg-idea # make all install clean MAKE_IDEA=yes IDEA support is not required to verify signatures made by the security officer. Kris Kennaway FreeBSD Security Officer -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOoRf/lUuHi5z0oilAQFSegQAkkzFwV/1uGv0W6CJmsNWExCrSZlGBk7p NixT7iXXa3CF0IllKadoTPr735IO3yKUsg/ujgWU0tpwnSLh6A9C8QqAkBBO2BJQ y/rLA9qFuz+a3sbrtBVSV7GSzQm7ebzyVpef/ThMfM69C5bnmnhlPWdB6qNbYQAj 2c7MKMGIHuQ= =Ud07 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 13:30:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from orhi.sarenet.es (orhi.sarenet.es [192.148.167.5]) by hub.freebsd.org (Postfix) with ESMTP id 8A1C637B6A0 for ; Fri, 9 Feb 2001 13:30:36 -0800 (PST) Received: from sarenet.es (sollube.sarenet.es [192.148.167.16]) by orhi.sarenet.es (Postfix) with SMTP id 866E44996 for ; Fri, 9 Feb 2001 22:30:30 +0100 (MET) Received: from sarenet.es ([192.148.167.77]) by sarenet.es ; Fri, 09 Feb 2001 22:30:27 +0100 Message-ID: <3A846179.DE6CD5AA@sarenet.es> Date: Fri, 09 Feb 2001 22:30:33 
+0100 From: Borja Marcos X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: nfsd support for tcp_wrapper -> General RPC solution References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Gerald Pfeifer wrote: > > The trick is to use the portmapper with TCP Wrapper with a slight > > twist. You keep a set of firewall (ipfw or ipfilter) rules in a file, > > and whenever portmap receives the RPC service registration from the > > daemon, it "runs" the ipfw or ipfilter configuration > > script passing it the port number where the service has registered. > > This sounds like a *very* interesting idea. Unfortunately, we cannot > offer money, else we'd even try to fund you doing that implementation, > but I think a lot of people would benefit. I don't want money! I have a job, and I want to contribute something to my preferred operating system, which is making my life easier in my job. It is only a matter of finding some spare time ;-) Borja. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 13:35:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by hub.freebsd.org (Postfix) with ESMTP id 3D23837B6A1; Fri, 9 Feb 2001 13:35:34 -0800 (PST) Received: from xor.obsecurity.org ([63.207.60.67]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G8I001Y4ED5VD@mta6.snfc21.pbi.net>; Fri, 9 Feb 2001 13:29:31 -0800 (PST) Received: by xor.obsecurity.org (Postfix, from userid 1000) id 9843066B62; Fri, 09 Feb 2001 13:32:14 -0800 (PST) Date: Fri, 09 Feb 2001 13:32:14 -0800 
From: Kris Kennaway Subject: Re: OpenSSH port patch In-reply-to: <200102092122.f19LMBh08953@earth.backplane.com>; from dillon@earth.backplane.com on Fri, Feb 09, 2001 at 01:22:11PM -0800 To: Matt Dillon Cc: Alfred Perlstein , green@FreeBSD.ORG, security@FreeBSD.ORG Message-id: <20010209133214.A65547@mollari.cthul.hu> MIME-version: 1.0 Content-type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="qMm9M+Fa2AknHoGS" Content-disposition: inline User-Agent: Mutt/1.2.5i References: <20010209110044.I26076@fw.wintelcom.net> <200102092122.f19LMBh08953@earth.backplane.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --qMm9M+Fa2AknHoGS Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Fri, Feb 09, 2001 at 01:22:11PM -0800, Matt Dillon wrote: > I think it's a whole lot better then simply marking the package > forbidden! I was actually surprised that the package was marked > forbidden, when the fix is only a few minutes of work. That presupposes I had a few minutes of spare time. I'll get to it ASAP, if the maintainer doesn't first. 
Kris --qMm9M+Fa2AknHoGS Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6hGHeWry0BWjoQKURAtx8AKDgj9xg2QF7ZhUQT97LhOMEijWmtACeL/Bx ouTQ/S8IMxfen/O/p0jnHtU= =kmnH -----END PGP SIGNATURE----- --qMm9M+Fa2AknHoGS-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 13:36:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from freya.inter.net.il (freya.inter.net.il [192.114.186.14]) by hub.freebsd.org (Postfix) with ESMTP id 68F7637B6A2 for ; Fri, 9 Feb 2001 13:36:04 -0800 (PST) Received: from localhost.local.net ([213.8.240.113]) by freya.inter.net.il (Mirapoint) with ESMTP id AJN13411; Fri, 9 Feb 2001 23:35:32 +0200 (IST) Received: from iname.com (localhost.local.net [127.0.0.1]) by localhost.local.net (8.11.1/8.11.1) with ESMTP id f19LWs155741; Fri, 9 Feb 2001 23:32:56 +0200 (IST) (envelope-from bk532@localhost.local.net) Message-ID: <3A846203.7F8026C8@iname.com> Date: Fri, 09 Feb 2001 23:32:51 +0200 
From: Boris Karnaukh Organization: Private person X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386) MIME-Version: 1.0 To: Brian Tiemann Cc: freebsd-security@FreeBSD.ORG Subject: Re: How to rebuild ssh w/ latest sources References: Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Brian Tiemann wrote: > > Hi-- > > > cd /usr/src/secure/lib/libssh > > make clean obj all > > cd /usr/src/secure/usr.sbin/sshd > > make clean obj all install > > cd /usr/src/secure/usr.bin/ssh > > make clean obj all install > > > > (kill your old sshd daemon, start a new one) > > This doesn't seem to update anything in my /etc/ssh directory. > (There are deprecated directives, like "ConnectionsPerPeriod", in it.) Is > there a way to update these files? > mergemaster, I suppose. -- Boris Karnaukh (mailto:bk532@iname.com) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 13:36:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id E1A2437B491 for ; Fri, 9 Feb 2001 13:36:17 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f19LaFG19754; Fri, 9 Feb 2001 13:36:15 -0800 (PST) Date: Fri, 9 Feb 2001 13:36:15 -0800 
From: Alfred Perlstein To: Borja Marcos Cc: freebsd-security@FreeBSD.ORG Subject: Re: nfsd support for tcp_wrapper -> General RPC solution Message-ID: <20010209133615.P26076@fw.wintelcom.net> References: <3A83C933.8F89DC69@sarenet.es> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A83C933.8F89DC69@sarenet.es>; from borjamar@sarenet.es on Fri, Feb 09, 2001 at 11:40:51AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Borja Marcos [010209 02:41] wrote: > Gerald Pfeifer wrote: > > > > On Tue, 30 Jan 2001, Alfred Perlstein wrote: > > >> Or are we just missing something? > > > Missing the fact that nfsd is an in-kernel process and therefore > > > pretty hard to link against libwrap. > > > > Hard, or impossible? ;-) > > Well, nfsd must serve requests at high speed. Having it > call TCP Wrapper can be a big overhead, depending on how you have > configured /etc/hosts.allow and /etc/hosts.deny > > I was thinking about a different (and general) solution, but I > have had no time to implement it. Perhaps I will try to find some time. > > The trick is to use the portmapper with TCP Wrapper with a slight > twist. You keep a set of firewall (ipfw or ipfilter) rules in a file, > and whenever portmap receives the RPC service registration from the > daemon, it "runs" the ipfw or ipfilter configuration > script passing it the port number where the service has registered. > > This provides good protection for *any* RPC service, > you don't need to tinker with RPC daemons -only the portmapper- > and the overhead is minimal: only a call to the TCP Wrapper library > whenever a service registers itself to the portmapper. This is a really flawed idea. All portmap does is provide a name/version/protocol mapping of a service to a tcp/udp port. One can trivially do a portscan of a box running RPC services and figure out which are open. 
You don't need portmap to brute force finding out where a remote vulnerable service is located. In fact because afaik NFS always uses a well known port, you really don't need portmap to map it, you just need to use the port, portmapper for NFS is just a formality. Ok, with that out of the window, we _could_ consider mucking userland mountd to use tcpwrappers to graft an ACL to what's in /etc/exports. This is also a bad idea, one can just brute force the NFS cookie/filehandle required to gain access, then contact the NFS port. The solution is to use a firewall. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 13:52: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.dvart.com (mail.dvart.com [64.79.2.12]) by hub.freebsd.org (Postfix) with ESMTP id BB3D837B503 for ; Fri, 9 Feb 2001 13:51:43 -0800 (PST) Received: from dvart.com (unknown [64.79.2.4]) by mail.dvart.com (Postfix) with ESMTP id A7D31CCE0 for ; Fri, 9 Feb 2001 13:51:52 +0000 (GMT) Message-ID: <3A84666C.124BB15@dvart.com> Date: Fri, 09 Feb 2001 13:51:40 -0800 
From: bruno schwander X-Mailer: Mozilla 4.73 [en] (X11; I; FreeBSD 4.1-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: weird security log Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org today my daily security check output shows this: kernel log messages: > \^H\M^@@@\^P\^B\^B\^B\^A\^H\^H\^D\^P\^B\^H@Copyright (c) 1992-2000 The FreeBSD Project. > ipfw: 1900 Deny UDP 64.13.99.12:137 255.255.255.255:137 in via fxp0 > ipfw: 1900 Deny UDP 64.13.99.12:137 255.255.255.255:137 in via fxp0 > ipfw: 1900 Deny UDP 64.13.99.12:137 255.255.255.255:137 in via fxp0 Anybody know what could produce that first line ? should I be concerned about this ? please CC me as I am not currently subscribed to the list Thanks bruno -- ########################################################################### Bruno Schwander Senior Software Engineer Worldgate Communications, Inc ############################################################################ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 13:55:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 0B41337B69C for ; Fri, 9 Feb 2001 13:55:37 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f19Ltaa20547; Fri, 9 Feb 2001 13:55:36 -0800 (PST) Date: Fri, 9 Feb 2001 13:55:36 -0800 
From: Alfred Perlstein To: bruno schwander Cc: freebsd-security@FreeBSD.ORG Subject: Re: weird security log Message-ID: <20010209135536.Q26076@fw.wintelcom.net> References: <3A84666C.124BB15@dvart.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A84666C.124BB15@dvart.com>; from bschwand@dvart.com on Fri, Feb 09, 2001 at 01:51:40PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * bruno schwander [010209 13:52] wrote: > today my daily security check output shows this: > > > kernel log messages: > > \^H\M^@@@\^P\^B\^B\^B\^A\^H\^H\^D\^P\^B\^H@Copyright (c) 1992-2000 The > FreeBSD Project. > > ipfw: 1900 Deny UDP 64.13.99.12:137 255.255.255.255:137 in via fxp0 > > ipfw: 1900 Deny UDP 64.13.99.12:137 255.255.255.255:137 in via fxp0 > > ipfw: 1900 Deny UDP 64.13.99.12:137 255.255.255.255:137 in via fxp0 > > > Anybody know what could produce that first line ? should I be concerned > about this ? > > please CC me as I am not currently subscribed to the list twiddle most likely: /-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/ :) -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 14: 0:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from vexpert.dbai.tuwien.ac.at (vexpert.dbai.tuwien.ac.at [128.130.111.12]) by hub.freebsd.org (Postfix) with ESMTP id 6222937B684; Fri, 9 Feb 2001 14:00:09 -0800 (PST) Received: from deneb (deneb [128.130.111.2]) by vexpert.dbai.tuwien.ac.at (8.11.1/8.11.1) with ESMTP id f19M07e09880; Fri, 9 Feb 2001 23:00:07 +0100 (MET) Date: Fri, 9 Feb 2001 23:00:06 +0100 (CET) 
From: Gerald Pfeifer
To: FreeBSD Security Advisories
Cc:
Subject: Re: Reminder notice about FreeBSD Security Advisories
In-Reply-To: <20010209214354.2FBD637B4EC@hub.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 9 Feb 2001, FreeBSD Security Advisories wrote:
> A copy of the public key containing more signatures may be retrieved
> from the http://keys.pgp.com key server.

There seems to be a problem with your key on (some) PGP key servers:

deneb[90]:~% gpg --recv-keys 73d288a5
gpg: Warning: using insecure memory!
gpg: requesting key 73D288A5 from wwwkeys.eu.pgp.net ...
gpg: key 73D288A5: invalid self-signature
gpg: key 73D288A5: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1

keys.pgp.com worked fine, though.

> Note that the security-officer PGP key uses the IDEA algorithm for
> encrypted (as opposed to signed) messages you may wish to send to us,
> which is not included in gnupg by default.

Hmm, are you sure? We're using a version of GnuPG installed from pristine
sources (not from the /ports tree) and this seems to support IDEA:

deneb[91]:~% gpg --version
gpg (GnuPG) 1.0.4
Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Cipher: IDEA, 3DES, CAST5, BLOWFISH, RIJNDAEL, RIJNDAEL192, RIJNDAEL256, TWOFISH
gpg: skipping pubkey 1: already loaded
gpg: skipping pubkey 2: already loaded
gpg: skipping pubkey 3: already loaded
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Hash: MD5, SHA1, RIPEMD160

Hope this helps,
Gerald
--
Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/

From owner-freebsd-security Fri Feb 9 14:30:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dell.dannyland.org (dell.dannyland.org [64.81.36.13]) by hub.freebsd.org (Postfix) with ESMTP id A217E37B401 for ; Fri, 9 Feb 2001 14:30:02 -0800 (PST)
Received: by dell.dannyland.org (Postfix, from userid 1001) id 0D7525C2C; Fri, 9 Feb 2001 14:29:41 -0800 (PST)
Date: Fri, 9 Feb 2001 14:29:40 -0800
From: dannyman
To: freebsd-security@freebsd.org
Subject: How builds OpenSSH 2.3?
Message-ID: <20010209142940.F76316@dell.dannyland.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Has anyone patched 4.x OpenSSH and/or the relevant ports to deal with the CRC
checksum exploit? I've got to get 2.3 working on my 3.x box, but just
incrementing the number in the Makefile causes patch-aa to go rejected ...

-d

--
http://dannyman.toldme.com/

From owner-freebsd-security Fri Feb 9 14:32:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 13A8637B699 for ; Fri, 9 Feb 2001 14:32:37 -0800 (PST)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f19MWZH21616; Fri, 9 Feb 2001 14:32:35 -0800 (PST)
Date: Fri, 9 Feb 2001 14:32:35 -0800
From: Alfred Perlstein
To: dannyman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How builds OpenSSH 2.3?
Message-ID: <20010209143235.R26076@fw.wintelcom.net>
References: <20010209142940.F76316@dell.dannyland.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010209142940.F76316@dell.dannyland.org>; from dannyman@toldme.com on Fri, Feb 09, 2001 at 02:29:40PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* dannyman [010209 14:30] wrote:
> Has anyone patched 4.x OpenSSH and/or the relevant ports to deal with the CRC
> checksum exploit? I've got to get 2.3 working on my 3.x box, but just
> incrementing the number in the Makefile causes patch-aa to go rejected ...

Please check the list archives, I have a patch for the port that's
already been posted.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

From owner-freebsd-security Fri Feb 9 14:50: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by hub.freebsd.org (Postfix) with ESMTP id CA5FA37B67D for ; Fri, 9 Feb 2001 14:49:43 -0800 (PST)
Received: from xor.obsecurity.org ([63.207.60.67]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G8I006EIHJ9Z4@mta5.snfc21.pbi.net> for freebsd-security@freebsd.org; Fri, 9 Feb 2001 14:37:58 -0800 (PST)
Received: by xor.obsecurity.org (Postfix, from userid 1000) id D9E1A66B62; Fri, 09 Feb 2001 14:40:40 -0800 (PST)
Date: Fri, 09 Feb 2001 14:40:40 -0800
From: Kris Kennaway
Subject: Re: How builds OpenSSH 2.3?
In-reply-to: <20010209142940.F76316@dell.dannyland.org>; from dannyman@toldme.com on Fri, Feb 09, 2001 at 02:29:40PM -0800
To: dannyman
Cc: freebsd-security@freebsd.org
Message-id: <20010209144040.A69512@mollari.cthul.hu>
MIME-version: 1.0
Content-type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="azLHFNyN32YCQGCU"
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References: <20010209142940.F76316@dell.dannyland.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Feb 09, 2001 at 02:29:40PM -0800, dannyman wrote:
> Has anyone patched 4.x OpenSSH and/or the relevant ports to deal with the CRC
> checksum exploit? I've got to get 2.3 working on my 3.x box, but just
> incrementing the number in the Makefile causes patch-aa to go rejected ...

I've just committed the security patch plus alfred's patches for
building on older versions of FreeBSD. The port is still at 2.2.0, but
should be secure.

Kris

From owner-freebsd-security Fri Feb 9 14:52:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from orhi.sarenet.es (orhi.sarenet.es [192.148.167.5]) by hub.freebsd.org (Postfix) with ESMTP id 3C40437B67D for ; Fri, 9 Feb 2001 14:52:26 -0800 (PST)
Received: from sarenet.es (sollube.sarenet.es [192.148.167.16]) by orhi.sarenet.es (Postfix) with SMTP id 62FA14A1F for ; Fri, 9 Feb 2001 23:52:19 +0100 (MET)
Received: from sarenet.es ([192.148.167.77]) by sarenet.es ; Fri, 09 Feb 2001 23:52:15 +0100
Message-ID: <3A8474A6.D5D0DCE9@sarenet.es>
Date: Fri, 09 Feb 2001 23:52:22 +0100
From: Borja Marcos
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: nfsd support for tcp_wrapper -> General RPC solution
References: <3A83C933.8F89DC69@sarenet.es> <20010209133615.P26076@fw.wintelcom.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Alfred Perlstein wrote:

> This is a really flawed idea.

Humm. Yours is a flawed reading of my message? ;-)

> All portmap does is provide a name/version/protocol mapping of a
> service to a tcp/udp port. One can trivially do a portscan of
> a box running RPC services and figure out which are open. You
> don't need portmap to brute force finding out where a remote
> vulnerable service is located.

But if portmap can set up the right rules for ipfw, the brute force
portscan will have no success. (read below)

> In fact because afaik NFS always uses a well known port, you really
> don't need portmap to map it, you just need to use the port,
> portmapper for NFS is just a formality.
>
> Ok, with that out of the window, we _could_ consider mucking userland
> mountd to use tcpwrappers to graft an ACL to what's in /etc/exports.
> This is also a bad idea, one can just brute force the NFS
> cookie/filehandle required to gain access, then contact the NFS
> port.
>
> The solution is to use a firewall.

Yes, and what about having portmap set the right firewall
rules to protect RPC services? Whenever a service registers itself
to portmap, it puts firewall rules to block access to the port.
That is what I am proposing!

Yes, NFS uses a fixed port, but not other RPC services.

Borja.

From owner-freebsd-security Fri Feb 9 14:55:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dell.dannyland.org (dell.dannyland.org [64.81.36.13]) by hub.freebsd.org (Postfix) with ESMTP id AADDD37B401 for ; Fri, 9 Feb 2001 14:55:04 -0800 (PST)
Received: by dell.dannyland.org (Postfix, from userid 1001) id F04915C2B; Fri, 9 Feb 2001 14:54:42 -0800 (PST)
Date: Fri, 9 Feb 2001 14:54:42 -0800
From: dannyman
To: Kris Kennaway
Cc: freebsd-security@freebsd.org
Subject: Re: How builds OpenSSH 2.3?
Message-ID: <20010209145442.G76316@dell.dannyland.org>
References: <20010209142940.F76316@dell.dannyland.org> <20010209144040.A69512@mollari.cthul.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20010209144040.A69512@mollari.cthul.hu>; from kris@obsecurity.org on Fri, Feb 09, 2001 at 02:40:40PM -0800
X-Loop: djhoward@uiuc.edu
X-URL: http://www.dannyland.org/~dannyman/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Feb 09, 2001 at 02:40:40PM -0800, Kris Kennaway wrote:
> On Fri, Feb 09, 2001 at 02:29:40PM -0800, dannyman wrote:
> > Has anyone patched 4.x OpenSSH and/or the relevant ports to deal with the CRC
> > checksum exploit? I've got to get 2.3 working on my 3.x box, but just
> > incrementing the number in the Makefile causes patch-aa to go rejected ...
>
> I've just committed the security patch plus alfred's patches for
> building on older versions of FreeBSD. The port is still at 2.2.0, but
> should be secure.

* Just now finds Alfred's patch and gets it working.

Awesome, folks! :)

Thanks!

-danny

From owner-freebsd-security Fri Feb 9 14:56:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 83FBE37B6AC for ; Fri, 9 Feb 2001 14:56:07 -0800 (PST)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f19Mu2w22873; Fri, 9 Feb 2001 14:56:02 -0800 (PST)
Date: Fri, 9 Feb 2001 14:56:02 -0800
From: Alfred Perlstein
To: Borja Marcos
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: nfsd support for tcp_wrapper -> General RPC solution
Message-ID: <20010209145602.T26076@fw.wintelcom.net>
References: <3A83C933.8F89DC69@sarenet.es> <20010209133615.P26076@fw.wintelcom.net> <3A8474A6.D5D0DCE9@sarenet.es>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3A8474A6.D5D0DCE9@sarenet.es>; from borjamar@sarenet.es on Fri, Feb 09, 2001 at 11:52:22PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Borja Marcos [010209 14:52] wrote:
> Alfred Perlstein wrote:
>
> > This is a really flawed idea.
>
> Humm. Yours is a flawed reading of my message? ;-)

You're right. :)

> > In fact because afaik NFS always uses a well known port, you really
> > don't need portmap to map it, you just need to use the port,
> > portmapper for NFS is just a formality.
> >
> > Ok, with that out of the window, we _could_ consider mucking userland
> > mountd to use tcpwrappers to graft an ACL to what's in /etc/exports.
> > This is also a bad idea, one can just brute force the NFS
> > cookie/filehandle required to gain access, then contact the NFS
> > port.
> >
> > The solution is to use a firewall.
>
> Yes, and what about having portmap set the right firewall
> rules to protect RPC services? Whenever a service registers itself
> to portmap, it puts firewall rules to block access to the port.
> That is what I am proposing!
>
> Yes, NFS uses a fixed port, but not other RPC services.

Well, using a firewall would work fine, but relying on obfuscation
by just hiding portmap won't. That's where I misread what you said,
I thought you only meant to firewall portmap, but if you can add
hooks to portmap to run ipfw rules... that would be interesting. :)

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

From owner-freebsd-security Fri Feb 9 14:58: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by hub.freebsd.org (Postfix) with ESMTP id F317437B698 for ; Fri, 9 Feb 2001 14:57:38 -0800 (PST)
Received: from xor.obsecurity.org ([63.207.60.67]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G8I007JEFXV3I@mta5.snfc21.pbi.net> for freebsd-security@freebsd.org; Fri, 9 Feb 2001 14:03:35 -0800 (PST)
Received: by xor.obsecurity.org (Postfix, from userid 1000) id 5A4B666B62; Fri, 09 Feb 2001 14:06:14 -0800 (PST)
Date: Fri, 09 Feb 2001 14:06:14 -0800
From: Kris Kennaway
Subject: Re: Reminder notice about FreeBSD Security Advisories
In-reply-to: ; from pfeifer@dbai.tuwien.ac.at on Fri, Feb 09, 2001 at 11:00:06PM +0100
To: Gerald Pfeifer
Cc: freebsd-security@freebsd.org
Message-id: <20010209140614.A67010@mollari.cthul.hu>
MIME-version: 1.0
Content-type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="MGYHOYXEY6WxJCY8"
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References: <20010209214354.2FBD637B4EC@hub.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Feb 09, 2001 at 11:00:06PM +0100, Gerald Pfeifer wrote:
> There seems to be a problem with your key on (some) PGP key servers:
>
> deneb[90]:~% gpg --recv-keys 73d288a5
> gpg: Warning: using insecure memory!
> gpg: requesting key 73D288A5 from wwwkeys.eu.pgp.net ...
> gpg: key 73D288A5: invalid self-signature
> gpg: key 73D288A5: no valid user IDs
> gpg: this may be caused by a missing self-signature
> gpg: Total number processed: 1
> gpg: w/o user IDs: 1

Yes, I think a certain other member of the security-officer team
screwed that up last night (on pgp.mit.edu) trying to add his
signature :-(

> keys.pgp.com worked fine, though.

Yep, that's why I suggested it :-)

> > Note that the security-officer PGP key uses the IDEA algorithm for
> > encrypted (as opposed to signed) messages you may wish to send to us,
> > which is not included in gnupg by default.
>
> Hmm, are you sure? We're using a version of GnuPG installed from pristine
> sources (not from the /ports tree) and this seems to support IDEA:

Sure you don't have an idea module floating around? I thought the
reason they didn't include it was because of the patent. Certainly our
port doesn't include it, anyway.

Kris

From owner-freebsd-security Fri Feb 9 15:20:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from barabas.bitstream.net (barabas.bitstream.net [216.243.128.159]) by hub.freebsd.org (Postfix) with SMTP id 0170C37B6AE for ; Fri, 9 Feb 2001 15:20:11 -0800 (PST)
Received: (qmail 79698 invoked from network); 9 Feb 2001 23:20:10 -0000
Received: from unknown (HELO dmitri.bitstream.net) (216.243.132.33) by barabas with SMTP; 9 Feb 2001 23:20:10 -0000
Date: Fri, 9 Feb 2001 17:12:42 -0600 (CST)
From: Dan Debertin
To: Borja Marcos
Cc: "freebsd-security@freebsd.org"
Subject: Re: nfsd support for tcp_wrapper -> General RPC solution
In-Reply-To: <3A8474A6.D5D0DCE9@sarenet.es>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 9 Feb 2001, Borja Marcos wrote:
>
> Yes, and what about having portmap set the right firewall
> rules to protect RPC services? Whenever a service registers itself
> to portmap, it puts firewall rules to block access to the port.
> That is what I am proposing!

I posted on this subject last month. You can trivially update your
firewall rules with the following set of pipes:

(assuming your NFS server is at 10.0.0.1, and the service you're looking
for is mountd)

UDPMOUNTD=`rpcinfo -p 10.0.0.1|awk '$5~/mountd/&&$3~/udp/{print $4}'|uniq`

Then, build your ipfw (or ipf, whatever) rules using $UDPMOUNTD:

# ipfw add deny udp from $EXTERNAL_NET to 10.0.0.1 $UDPMOUNTD

Dan Debertin

--
++ Unix is the worst operating system, except for all others.
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290 x108
++ GPG Fingerprint: 0BC5 F4D6 649F D0C8 D1A7 CAE4 BEF4 0A5C 300D 2387

From owner-freebsd-security Fri Feb 9 16:15:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 1A4C937B6C7; Fri, 9 Feb 2001 16:15:03 -0800 (PST)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f1A0F2t01737; Fri, 9 Feb 2001 16:15:02 -0800 (PST)
Date: Fri, 9 Feb 2001 16:15:02 -0800
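One way to script the rpcinfo/awk approach from Dan Debertin's post, as an added example that is neither his code nor anything from the FreeBSD tree; it assumes a constructed `rpcinfo -p` listing (host 10.0.0.1, the port numbers and the external network 192.0.2.0/24 are made up) and emits an ipfw deny rule for every service registered with the portmapper, which is roughly what Borja Marcos proposes having portmap do on its own.

```shell
#!/bin/sh
# Added example, not code from Dan Debertin or the FreeBSD tree: turn the
# output of `rpcinfo -p HOST` into ipfw deny rules, one per registered RPC
# service and port, so RPC services living on dynamically assigned ports are
# blocked from an external network. The listing below is constructed sample
# output; host 10.0.0.1 and the port numbers are made up.

SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100005    3   udp   1023  mountd
    100005    1   tcp   1022  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100024    1   udp    956  status'

# rpc_ports SERVICE PROTO
# Print the distinct ports (one per line) on which SERVICE is registered over
# PROTO, reading `rpcinfo -p` output on stdin. Exact field comparisons avoid
# the false hits a regex such as /mountd/ would give on similarly named
# services, and sort -u collapses duplicates even when they are not adjacent
# (plain uniq only merges neighbouring lines).
rpc_ports() {
    awk -v svc="$1" -v proto="$2" \
        'NR > 1 && $5 == svc && $3 == proto { print $4 }' | sort -un
}

# deny_rules HOST EXTERNAL_NET
# Emit one `ipfw add deny` rule per distinct (proto, port) pair registered
# with the portmapper on HOST, blocking EXTERNAL_NET from reaching it. The
# portmapper's own port (111) is included, so the registry is hidden too.
deny_rules() {
    awk -v host="$1" -v ext="$2" '
        NR > 1 && !seen[$3 FS $4]++ {
            printf "ipfw add deny %s from %s to %s %s\n", $3, ext, host, $4
        }'
}

# Stand-alone demonstration against the constructed listing. On a live
# server replace the printf with:  rpcinfo -p 10.0.0.1 | deny_rules 10.0.0.1 192.0.2.0/24
printf '%s\n' "$SAMPLE_RPCINFO" | deny_rules 10.0.0.1 192.0.2.0/24
```

The rules are printed rather than applied so they can be reviewed before being fed to ipfw.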
From: Alfred Perlstein To: dirk@freebsd.org Cc: security@freebsd.org Subject: OpenSSL shlib on 2.2.x Message-ID: <20010209161502.X26076@fw.wintelcom.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This should make openssl work on pre-ELF machines. Along with a recent commit to 2.2-stable and the recent OpenSSH patches, this patch should make OpenSSH work on FreeBSD 2.2-stable. I'd like to apply this delta asap. thanks. Index: Makefile =================================================================== RCS file: /home/ncvs/ports/security/openssl/Makefile,v retrieving revision 1.48 diff -u -u -r1.48 Makefile --- Makefile 2000/10/08 10:22:52 1.48 +++ Makefile 2001/02/10 00:15:47 @@ -20,8 +20,11 @@ .if ${OSVERSION} >= 400014 FORBIDDEN= "OpenSSL is already in the base system" .endif + .if ${PORTOBJFORMAT} == "aout" -NOSHARED= yes +MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=-Bforcearchive +.else +MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive .endif USE_PERL5= yes Index: files/patch-ab =================================================================== RCS file: /home/ncvs/ports/security/openssl/files/patch-ab,v retrieving revision 1.9 diff -u -u -r1.9 patch-ab --- files/patch-ab 1999/11/07 22:19:48 1.9 +++ files/patch-ab 2001/02/10 00:16:13 
@@ -22,7 +22,7 @@ + ${MAKE} CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='-fPIC ${CFLAG}' SDIRS='${SDIRS}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' DIRS=$$i clean all || exit 1; \ + ( set -x; ${CC} -shared -o lib$$i.so.${SHLIBVER} \ + -Wl,-S,-soname=lib$$i.so.${SHLIBVER} \ -+ -Wl,--whole-archive lib$$i.a ) || exit 1; \ ++ -Wl,${WHOLE_ARCHIVE_FLAG} lib$$i.a ) || exit 1; \ + rm -f lib$$i.a; (cd $$i ; ${MAKE} clean) || exit 1 ;\ + done; + @set -x; \ -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 9 23: 6: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from h-209-91-79-2.gen.cadvision.com (h-209-91-79-2.gen.cadvision.com [209.91.79.2]) by hub.freebsd.org (Postfix) with ESMTP id 747E237B491 for ; Fri, 9 Feb 2001 23:05:46 -0800 (PST) Received: from cirp.org (localhost [127.0.0.1]) by h-209-91-79-2.gen.cadvision.com (8.9.3/8.9.3) with ESMTP id AAA00633 for ; Sat, 10 Feb 2001 00:05:42 -0700 (MST) (envelope-from gtf@cirp.org) Message-Id: <200102100705.AAA00633@h-209-91-79-2.gen.cadvision.com> Date: Sat, 10 Feb 2001 00:05:41 -0700 (MST) 
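Review bot: in the Makefile hunk, the a.out branch of `.if ${PORTOBJFORMAT} == "aout"` now builds the shared library instead of setting `NOSHARED= yes`, but nothing records why `-Bforcearchive` is the a.out linker's counterpart of `--whole-archive`; a one-line comment above the `.if` would document that for the next maintainer, and the bare blank line inserted between `.endif` and `.if` is unrelated whitespace that can be dropped from the delta.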
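Review bot: in the patch-ab hunk, `-Wl,${WHOLE_ARCHIVE_FLAG}` on the `${CC} -shared` line has no fallback when the variable is not supplied, so a `make` started in the work directory without the port's `MAKE_ARGS` expands it to a bare `-Wl,` and links a shared library that pulls in none of the objects from `lib$$i.a`; giving it a default in the patched Makefile (for example `WHOLE_ARCHIVE_FLAG?=--whole-archive`) keeps the previous ELF behaviour when the flag is absent.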
From: "Geoffrey T. Falk"
Subject: Re: Read-Only Partitions Again (was Re: Hi)
To: security@freebsd.org
In-Reply-To: <20010208230315.R91447@rfx-216-196-73-168.users.reflex>
MIME-Version: 1.0
Content-Type: TEXT/plain; CHARSET=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 8 Feb, Crist J. Clark wrote:
> The real trick with having a read-only root partition is how to deal
> with /dev.

And /tmp. Isn't there some "standard" way to make it a ramdisk (a la
Solaris)?

g.

From owner-freebsd-security Fri Feb 9 23:51:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hal9000.bsdonline.org (ffaxvawx3-4-047.cox.rr.com [24.168.203.47]) by hub.freebsd.org (Postfix) with ESMTP id 8871C37B401 for ; Fri, 9 Feb 2001 23:50:53 -0800 (PST)
Received: by hal9000.bsdonline.org (Postfix, from userid 1001) id D15D31FBB; Sat, 10 Feb 2001 02:50:51 -0500 (EST)
Date: Sat, 10 Feb 2001 02:50:51 -0500
From: Andrew J Caines
To: "Geoffrey T. Falk"
Cc: security@FreeBSD.ORG
Subject: Re: Read-Only Partitions Again (was Re: Hi)
Message-ID: <20010210025051.H18191@hal9000.bsdonline.org>
Reply-To: Andrew J Caines
Mail-Followup-To: "Geoffrey T. Falk" , security@FreeBSD.ORG
References: <20010208230315.R91447@rfx-216-196-73-168.users.reflex> <200102100705.AAA00633@h-209-91-79-2.gen.cadvision.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200102100705.AAA00633@h-209-91-79-2.gen.cadvision.com>; from gtf@cirp.org on Sat, Feb 10, 2001 at 12:05:41AM -0700
Organization: H.A.L. Plant
X-Powered-by: FreeBSD 4.2-STABLE
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Geoffrey,

> And /tmp. Isn't there some "standard" way to make it a ramdisk (a la
> Solaris)?

Does..

# egrep /tmp /etc/fstab
/dev/ad0s1b /tmp mfs rw,noatime,-s=32768 0 0

..count as "standard"? It's not like standard (as in default) Solaris
insofar as I don't give away all my VM to the users for file storage, but
then I don't do that in Solaris either.

That reminds me of an amusing exchange with a Lotus Notes expert who
insisted he needed a two gigabyte filesystem on /tmp, but that's for
another forum.

-Andrew-
--
_______________________________________________________________________
| -Andrew J. Caines- Unix Systems Engineer A.J.Caines@altavista.net |

From owner-freebsd-security Sat Feb 10 1: 5:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from emmi.physik.TU-Berlin.DE (emmi.physik.TU-Berlin.DE [130.149.160.103]) by hub.freebsd.org (Postfix) with ESMTP id B7D0937B491 for ; Sat, 10 Feb 2001 01:05:01 -0800 (PST)
Received: (from ibex@localhost) by emmi.physik.TU-Berlin.DE (8.11.1/8.11.1) id f1A94t976626; Sat, 10 Feb 2001 10:04:55 +0100 (CET) (envelope-from ibex)
Date: Sat, 10 Feb 2001 10:04:55 +0100
From: Dirk Froemberg
To: Alfred Perlstein
Cc: security@freebsd.org
Subject: Re: OpenSSL shlib on 2.2.x
Message-ID: <20010210100455.A76497@physik.TU-Berlin.DE>
References: <20010209161502.X26076@fw.wintelcom.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010209161502.X26076@fw.wintelcom.net>; from bright@wintelcom.net on Fri, Feb 09, 2001 at 04:15:02PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Alfred!

On Fri, Feb 09, 2001 at 04:15:02PM -0800, Alfred Perlstein wrote:
> This should make openssl work on pre-ELF machines.
>
> Along with a recent commit to 2.2-stable and the recent OpenSSH
> patches, this patch should make OpenSSH work on FreeBSD 2.2-stable.
>
> I'd like to apply this delta asap.

Feel free to do so... 8-)

Regards Dirk

--
Dirk Froemberg
FreeBSD: The Power to Serve! http://www.FreeBSD.org/

From owner-freebsd-security Sat Feb 10 4:13:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by hub.freebsd.org (Postfix) with ESMTP id BF31437B67D for ; Sat, 10 Feb 2001 04:13:19 -0800 (PST)
Received: from xor.obsecurity.org ([63.207.60.67]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G8I000UTBP5D8@mta5.snfc21.pbi.net> for security@FreeBSD.ORG; Fri, 9 Feb 2001 12:31:57 -0800 (PST)
Received: by xor.obsecurity.org (Postfix, from userid 1000) id 1B75566B62; Fri, 09 Feb 2001 12:34:37 -0800 (PST)
Date: Fri, 09 Feb 2001 12:34:37 -0800
From: Kris Kennaway
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE
In-reply-to: <2488141552.981740685@[192.168.1.2]>; from cholet@logilune.com on Fri, Feb 09, 2001 at 05:44:45PM +0100
To: Eric Cholet
Cc: security@FreeBSD.ORG
Message-id: <20010209123436.A64466@mollari.cthul.hu>
MIME-version: 1.0
Content-type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="RnlQjJ0d97Da+TV1"
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References: <200102082014.PAA29877@vws3.interlog.com> <2488141552.981740685@[192.168.1.2]>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Feb 09, 2001 at 05:44:45PM +0100, Eric Cholet wrote:
> I received the following, what worries me is that the PGP signature
> verified, and it's not April 1st. WTF ??

Checking the mail headers shows you that it's spoofed - it's trivial to
do this with email, which is why we PGP sign them. All advisories
released by FreeBSD are signed with the security officer's PGP key,
anything which is not is a fake.

Kris

From owner-freebsd-security Sat Feb 10 4:13:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by hub.freebsd.org (Postfix) with ESMTP id 66BED37B503 for ; Sat, 10 Feb 2001 04:13:19 -0800 (PST)
Received: from xor.obsecurity.org ([63.207.60.15]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G8G00CM9H8ZXU@mta5.snfc21.pbi.net> for freebsd-security@freebsd.org; Thu, 8 Feb 2001 12:36:40 -0800 (PST)
Received: by xor.obsecurity.org (Postfix, from userid 1000) id 91CD066B62; Thu, 08 Feb 2001 12:39:13 -0800 (PST)
Date: Thu, 08 Feb 2001 12:39:13 -0800
From: Kris Kennaway
Subject: Re: ipfw make failure
In-reply-to: ; from c_deless@efn.org on Thu, Feb 08, 2001 at 11:03:15AM -0800
To: cdel
Cc: freebsd-security@freebsd.org
Message-id: <20010208123913.A47027@mollari.cthul.hu>
MIME-version: 1.0
Content-type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="y0ulUmNC+osPPQO6"
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Feb 08, 2001 at 11:03:15AM -0800, cdel wrote:
> Please forgive me if I'm doing this wrong. I supped in new 4.2-S source a
> few minutes ago and re-made /usr/src/sbin/ipfw. I got this...
>
> Am I doing something wrong or is this something you should be aware of?

Yeah, you can't rebuild it like that. Do a 'make world', or if you were
trying to follow the recent ipfw security advisory then do so, don't
make up steps on your own :-)

Kris

From owner-freebsd-security Sat Feb 10 5:16:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 906E737B491 for ; Sat, 10 Feb 2001 05:16:17 -0800 (PST)
Received: from nisser.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id OAA19313; Sat, 10 Feb 2001 14:16:12 +0100 (CET) (envelope-from roelof@nisser.com)
Message-ID: <3A853F1C.DED59C4B@nisser.com>
Date: Sat, 10 Feb 2001 14:16:12 +0100
From: Roelof Osinga
Organization: Nisser - Nr. 1 in Veiligheid
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Kris Kennaway , freebsd-security@FreeBSD.ORG
Subject: Re: Reminder notice about FreeBSD Security Advisories
References: <20010209214354.2FBD637B4EC@hub.freebsd.org> <20010209140614.A67010@mollari.cthul.hu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote:
>
> ...
> Sure you don't have an idea module floating around? I thought the
> reason they didn't include it was because of the patent. Certainly our
> port doesn't include it, anyway.

A patent that only applies to the US. Same old samo. Maybe it
should default to installing IDEA unless USA_RESIDENT == yes?

Don't know if it would be wise in the larger scheme of things. Do know
it would be handy in the smallest scheme :).

Roelof

--
Home is where the (@) http://eboa.com/ is.
Nisser home -- http://www.Nisser.com/

From owner-freebsd-security Sat Feb 10 5:38:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by hub.freebsd.org (Postfix) with ESMTP id 8F2C437B491 for ; Sat, 10 Feb 2001 05:38:07 -0800 (PST)
Received: from xor.obsecurity.org ([63.207.60.67]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G8J0056SN1TWH@mta6.snfc21.pbi.net> for freebsd-security@FreeBSD.ORG; Sat, 10 Feb 2001 05:34:45 -0800 (PST)
Received: by xor.obsecurity.org (Postfix, from userid 1000) id D879467271; Sat, 10 Feb 2001 05:37:26 -0800 (PST)
Date: Sat, 10 Feb 2001 05:37:26 -0800
From: Kris Kennaway
Subject: Re: Reminder notice about FreeBSD Security Advisories
In-reply-to: <3A853F1C.DED59C4B@nisser.com>; from roelof@nisser.com on Sat, Feb 10, 2001 at 02:16:12PM +0100
To: Roelof Osinga
Cc: freebsd-security@FreeBSD.ORG
Message-id: <20010210053726.A45756@mollari.cthul.hu>
MIME-version: 1.0
Content-type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="LZvS9be/3tNcYl/X"
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References: <20010209214354.2FBD637B4EC@hub.freebsd.org> <20010209140614.A67010@mollari.cthul.hu> <3A853F1C.DED59C4B@nisser.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Feb 10, 2001 at 02:16:12PM +0100, Roelof Osinga wrote:
> Kris Kennaway wrote:
> >
> > ...
> > Sure you don't have an idea module floating around? I thought the
> > reason they didn't include it was because of the patent. Certainly our
> > port doesn't include it, anyway.
>
> A patent that only applies to the US. Same old samo. Maybe it

And Europe, I believe.

> should default to installing IDEA unless USA_RESIDENT == yes?

Perhaps you should check the makefile ;-)

Kris

From owner-freebsd-security Sat Feb 10 6:12:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id A252F37B401 for ; Sat, 10 Feb 2001 06:12:18 -0800 (PST)
Received: from nisser.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id PAA19498; Sat, 10 Feb 2001 15:12:17 +0100 (CET) (envelope-from roelof@nisser.com)
Message-ID: <3A854C41.7BA1B2A1@nisser.com>
Date: Sat, 10 Feb 2001 15:12:17 +0100
From: Roelof Osinga
Organization: Nisser - Nr. 1 in Veiligheid
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Reminder notice about FreeBSD Security Advisories
References: <20010209214354.2FBD637B4EC@hub.freebsd.org> <20010209140614.A67010@mollari.cthul.hu> <3A853F1C.DED59C4B@nisser.com> <20010210053726.A45756@mollari.cthul.hu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote:
>
> ...
> And Europe, I believe.

Nope. That's why I asked :). It was brought to the table as a proposal
in order to make those laws more akin in the world. At least partly,
since I believe there was no mention of business method patentability,
just the patentability of software AKA mathematics.

Fortunately the proposal didn't make the ballots. So, for the moment
at least, software patents do not apply in the EU. Don't know about
Japan.

> > should default to installing IDEA unless USA_RESIDENT == yes?
>
> Perhaps you should check the makefile ;-)

In a few hours. I was bating my breath awaiting the arrival of a 19"
case. Alas. Baiting it didn't help, either :). Anyway, I need to install
that machine ASAP, so I'll just insulate the parts a bit and see if
Murphy's asleep. If so then I'll be looking at them makefiles ;).

Roelof

PS my mathematics have sometimes bugs, too! QED
--
Home is where the (@) http://eboa.com/ is.
Nisser home -- http://www.Nisser.com/

From owner-freebsd-security Sat Feb 10 6:19:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from xs4some.net (CC4140-a.sneek1.fr.nl.home.com [212.120.108.75]) by hub.freebsd.org (Postfix) with ESMTP id 0AE7D37B401 for ; Sat, 10 Feb 2001 06:19:12 -0800 (PST)
Received: (from fenix@localhost) by xs4some.net (8.11.2/8.11.1) id f1AEJBX10967 for freebsd-security@freebsd.org; Sat, 10 Feb 2001 15:19:11 +0100 (CET) (envelope-from fenix)
Date: Sat, 10 Feb 2001 15:19:11 +0100 (CET)
From: Fenix
Message-Id: <200102101419.f1AEJBX10967@xs4some.net>
To: freebsd-security@freebsd.org
Subject: Xfree on multihomed box
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello

I have managed to run 2 separate "jails", one serving as a shell server
and another one as an internet server. It all runs smooth and fine, but
I have a little problem: as I use X on the host, it binds to all
available IPs on the host, and so does wdm (xdm)... I was looking in the
docs to find how I can make it listen to a single IP or not at all, as I
don't use X remotely... Does anyone have any suggestions or tips? I'll
be really grateful.

Greets
Fenix

From owner-freebsd-security Sat Feb 10 9:26:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cypherpunks.ai (unknown [209.88.68.47]) by hub.freebsd.org (Postfix) with ESMTP id 85C9337B503 for ; Sat, 10 Feb 2001 09:25:54 -0800 (PST)
Received: from vangelderen.org (grolsch.ai [209.88.68.214]) by cypherpunks.ai (Postfix) with ESMTP id 3CEAD4D; Sat, 10 Feb 2001 13:25:50 -0400 (AST)
Message-ID: <3A85799E.C6A3745B@vangelderen.org>
Date: Sat, 10 Feb 2001 13:25:50 -0400
From: "Jeroen C. van Gelderen"
X-Mailer: Mozilla 4.73 [en] (X11; I; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Roelof Osinga
Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG
Subject: Re: Reminder notice about FreeBSD Security Advisories
References: <20010209214354.2FBD637B4EC@hub.freebsd.org> <20010209140614.A67010@mollari.cthul.hu> <3A853F1C.DED59C4B@nisser.com> <20010210053726.A45756@mollari.cthul.hu> <3A854C41.7BA1B2A1@nisser.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roelof Osinga wrote:
>
> Kris Kennaway wrote:
> >
> > ...
> > And Europe, I believe.
>
> Nope. That's why I asked :). It was brought to the table as a proposal
> in order to make those laws more akin in the world. At least partly,
> since I believe there was no mention of business method patentability,
> just the patentability of software AKA mathematics.
>
> Fortunately the proposal didn't make the ballots. So, for the moment
> at least, software patents do not apply in the EU. Don't know about
> Japan.

The above is not correct. The IDEA algorithm is patented in Europe as
#0482154. Noncommercial use is free, commercial use requires a paid
license. This has been the case ever since PGP 2.x.x was released and
will be the case until the year 2011.

Fortunately there is no reason whatsoever to use IDEA these days,
except for legacy purposes.

http://www.media-crypt.com/pages/fidea.html

Cheers,
Jeroen
--
Jeroen C. van Gelderen
jeroen@vangelderen.org

From owner-freebsd-security Sat Feb 10 9:33:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailsys01.intnet.net (unknown [198.252.32.143]) by hub.freebsd.org (Postfix) with ESMTP id 00FED37B4EC for ; Sat, 10 Feb 2001 09:33:16 -0800 (PST)
Received: from [207.90.10.53] (HELO workstation1) by mailsys01.intnet.net (CommuniGate Pro SMTP 3.3.2) with SMTP id 3545847 for freebsd-security@freebsd.org; Sat, 10 Feb 2001 12:32:43 -0500
Message-ID: <001401c09387$8d14ea00$c9026b83@workstation1>
From: "John Leonard"
To:
Subject: subscribe
Date: Sat, 10 Feb 2001 12:32:46 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0009_01C0935D.9287F880"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_0009_01C0935D.9287F880
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

subscribe

------=_NextPart_000_0009_01C0935D.9287F880
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0009_01C0935D.9287F880--

From owner-freebsd-security Sat Feb 10 9:36:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mile.nevermind.kiev.ua (ppp-244.nav.kiev.ua [213.169.65.244]) by hub.freebsd.org (Postfix) with ESMTP id D02C137B491 for ; Sat, 10 Feb 2001 09:35:51 -0800 (PST)
Received: (from never@localhost) by mile.nevermind.kiev.ua (8.11.1/8.11.1) id f1AHZJT34534; Sat, 10 Feb 2001 19:35:19 +0200 (EET) (envelope-from never)
Date: Sat, 10 Feb 2001 19:35:18 +0200
From: Nevermind
To: John Leonard
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: subscribe
Message-ID: <20010210193518.C32187@nevermind.kiev.ua>
References: <001401c09387$8d14ea00$c9026b83@workstation1>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="WplhKdTI2c8ulnbP"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <001401c09387$8d14ea00$c9026b83@workstation1>; from john.leonard@wwc.com on Sat, Feb 10, 2001 at 12:32:46PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--WplhKdTI2c8ulnbP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hello, John Leonard!

On Sat, Feb 10, 2001 at 12:32:46PM -0500, you wrote:
> subscribe

To subscribe send mail to majordomo@freebsd.org with
"subscribe freebsd-security" in the body of the message.

--
NEVE-RIPE
The instructions said to install Windows 98 or better, so I installed FreeBSD.

--WplhKdTI2c8ulnbP
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6hXvVpCk6epJSQlIRAqT5AKDXT4n6naGQW1EF8+t1GbJuRhU8sgCfUV5t
11yhjo7P6fWnLp8snOguz74=
=9t94
-----END PGP SIGNATURE-----

--WplhKdTI2c8ulnbP--

From owner-freebsd-security Sat Feb 10 10: 5:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mx.alles.or.jp (mx.alles.or.jp [210.231.151.65]) by hub.freebsd.org (Postfix) with ESMTP id E9B0037B503 for ; Sat, 10 Feb 2001 10:04:42 -0800 (PST)
Received: from zodiac (ppp01015.kashiwa.alles.or.jp [210.231.132.143]) by mx.alles.or.jp (8.9.3/3.7W-ALLESNET) with ESMTP id DAA26152 for ; Sun, 11 Feb 2001 03:04:40 +0900 (JST)
Date: Sun, 11 Feb 2001 03:04:46 +0900
From: rof
To: freebsd-security@FreeBSD.ORG
Message-Id: <20010211030314.18B0.GROFIS@alles.or.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver. 2.00.03
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

auth bef9b3c5 subscribe freebsd-security grofis@alles.or.jp

From owner-freebsd-security Sat Feb 10 10:19:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mile.nevermind.kiev.ua (ppp-244.nav.kiev.ua [213.169.65.244]) by hub.freebsd.org (Postfix) with ESMTP id 6C07137B491 for ; Sat, 10 Feb 2001 10:19:04 -0800 (PST)
Received: (from never@localhost) by mile.nevermind.kiev.ua (8.11.1/8.11.1) id f1AIC3C35356; Sat, 10 Feb 2001 20:12:03 +0200 (EET) (envelope-from never)
Date: Sat, 10 Feb 2001 20:12:02 +0200
From: Nevermind
To: rof
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail
Message-ID: <20010210201202.D32187@nevermind.kiev.ua>
References: <20010211030314.18B0.GROFIS@alles.or.jp>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="VMt1DrMGOVs3KQwf"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010211030314.18B0.GROFIS@alles.or.jp>; from grofis@alles.or.jp on Sun, Feb 11, 2001 at 03:04:46AM +0900
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--VMt1DrMGOVs3KQwf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hello, rof!

On Sun, Feb 11, 2001 at 03:04:46AM +0900, you wrote:
> auth bef9b3c5 subscribe freebsd-security grofis@alles.or.jp

re-send this to majordomo@freebsd.org

--
NEVE-RIPE
The instructions said to install Windows 98 or better, so I installed FreeBSD.
--VMt1DrMGOVs3KQwf
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6hYRxpCk6epJSQlIRAljYAKCy9HehMz8SswzvP38VQCizOBBMcACgqaGz
z/dF3fr1Ho/nyKop+4Ko4d4=
=8xal
-----END PGP SIGNATURE-----

--VMt1DrMGOVs3KQwf--

From owner-freebsd-security Sat Feb 10 11: 2:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mplspop3.mpls.uswest.net (mplspop3.mpls.uswest.net [204.147.80.13]) by hub.freebsd.org (Postfix) with SMTP id 20DE237B401 for ; Sat, 10 Feb 2001 11:01:55 -0800 (PST)
Received: (qmail 94929 invoked from network); 10 Feb 2001 19:01:54 -0000
Received: from pppdslf149.mpls.uswest.net (HELO CYCLONE) (216.160.24.149) by mplspop3.mpls.uswest.net with SMTP; 10 Feb 2001 19:01:54 -0000
Date: Sat, 10 Feb 2001 13:04:29 -0600
Message-ID:
From: jason@zigzag.net
To: freebsd-security@freebsd.org
Reply-To:
Subject: subscribe
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jason C. Hickman
New Media Director
Zigzag.net - Midwest Region
212 Third Avenue North
Suite #504
Minneapolis, MN 55401
Phone 612.370.4330
Fax 612.370.4311
Email jason@zigzag.net
Web http://www.zigzag.net

From owner-freebsd-security Sat Feb 10 11:11:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mile.nevermind.kiev.ua (ppp-244.nav.kiev.ua [213.169.65.244]) by hub.freebsd.org (Postfix) with ESMTP id B3EB137B65D for ; Sat, 10 Feb 2001 11:10:45 -0800 (PST)
Received: (from never@localhost) by mile.nevermind.kiev.ua (8.11.1/8.11.1) id f1AJAdh35912; Sat, 10 Feb 2001 21:10:39 +0200 (EET) (envelope-from never)
Date: Sat, 10 Feb 2001 21:10:38 +0200
From: Nevermind
To: jason@zigzag.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: subscribe
Message-ID: <20010210211038.A35894@nevermind.kiev.ua>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="LZvS9be/3tNcYl/X"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from jason@zigzag.net on Sat, Feb 10, 2001 at 01:04:29PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--LZvS9be/3tNcYl/X
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hello, jason@zigzag.net!

To subscribe: send mail to majordomo@FreeBSD.org
with "subscribe freebsd-security" in the body of the message

--
NEVE-RIPE
The instructions said to install Windows 98 or better, so I installed FreeBSD.

--LZvS9be/3tNcYl/X
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6hZItpCk6epJSQlIRAojyAKDA5zvHBqnf7okr8z9PlvK1q7NEZgCg0ipn
Pjq7wzZbdssOYjMZfj8LKMc=
=cP0l
-----END PGP SIGNATURE-----

--LZvS9be/3tNcYl/X--

From owner-freebsd-security Sat Feb 10 13:15:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 8515937B4EC for ; Sat, 10 Feb 2001 13:15:05 -0800 (PST)
Received: from nisser.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id WAA21231; Sat, 10 Feb 2001 22:14:56 +0100 (CET) (envelope-from roelof@nisser.com)
Message-ID: <3A85AF50.1DF04F6F@nisser.com>
Date: Sat, 10 Feb 2001 22:14:56 +0100
From: Roelof Osinga
Organization: Nisser - Nr. 1 in Veiligheid
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: "Jeroen C. van Gelderen"
Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG
Subject: Re: Reminder notice about FreeBSD Security Advisories
References: <20010209214354.2FBD637B4EC@hub.freebsd.org> <20010209140614.A67010@mollari.cthul.hu> <3A853F1C.DED59C4B@nisser.com> <20010210053726.A45756@mollari.cthul.hu> <3A854C41.7BA1B2A1@nisser.com> <3A85799E.C6A3745B@vangelderen.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Jeroen C. van Gelderen" wrote:
>
> The above is not correct. The IDEA algorithm is patented in
> Europe as #0482154. Noncommercial use is free, commercial
> use requires a paid license. This has been the case ever
> since PGP 2.x.x was released and will be the case until the
> year 2011.
> Fortunately there is no reason whatsoever to use
> IDEA these days, except for legacy purposes.
>
> http://www.media-crypt.com/pages/fidea.html

Yeah, but then again:

http://www.wired.com/news/politics/0,1283,40329,00.html

supports my 'idea' about the IDEA matter. To quote from the wired article:

"European law specifically forbids patents on computer software,
but the European Patent Office is strongly in favor of changing
that."

The question now becomes do we believe a vendor with a vested
interest in claiming it's patented (or is it patent pending?) or an
independent source with no stake in the matter?

Then again it wouldn't be the first patent that slips through the
cracks. If it did it would be a patent, but not one which would
survive court action.

But maybe that patent covers the IDEA hardware and not the algorithm
per se. In which case the text on that page is both correct and
craftily formulated. Though it talks about the European patent
situation it stresses the copyright aspect. So by mixing those two
issues - patents and copyrights - the impression is surely given it
deals with the former. But does it indeed?

IANAL

Roelof

PS the EC recently decided against the proposal as proposed by Frits
Bolkensteyn I believe.
--
Home is where the (@) http://eboa.com/ is.
Nisser home -- http://www.Nisser.com/

From owner-freebsd-security Sat Feb 10 13:33:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cypherpunks.ai (unknown [209.88.68.47]) by hub.freebsd.org (Postfix) with ESMTP id 17C8B37B4EC for ; Sat, 10 Feb 2001 13:33:08 -0800 (PST)
Received: from vangelderen.org (grolsch.ai [209.88.68.214]) by cypherpunks.ai (Postfix) with ESMTP id EA97D9; Sat, 10 Feb 2001 17:33:05 -0400 (AST)
Message-ID: <3A85B391.DB3ABC2A@vangelderen.org>
Date: Sat, 10 Feb 2001 17:33:05 -0400
From: "Jeroen C. van Gelderen"
X-Mailer: Mozilla 4.73 [en] (X11; I; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Roelof Osinga
Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG
Subject: Re: Reminder notice about FreeBSD Security Advisories
References: <20010209214354.2FBD637B4EC@hub.freebsd.org> <20010209140614.A67010@mollari.cthul.hu> <3A853F1C.DED59C4B@nisser.com> <20010210053726.A45756@mollari.cthul.hu> <3A854C41.7BA1B2A1@nisser.com> <3A85799E.C6A3745B@vangelderen.org> <3A85AF50.1DF04F6F@nisser.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roelof Osinga wrote:
>
> "Jeroen C. van Gelderen" wrote:
> >
> > The above is not correct. The IDEA algorithm is patented in
> > Europe as #0482154. Noncommercial use is free, commercial
> > use requires a paid license. This has been the case ever
> > since PGP 2.x.x was released and will be the case until the
> > year 2011. Fortunately there is no reason whatsoever to use
> > IDEA these days, except for legacy purposes.
> >
> > http://www.media-crypt.com/pages/fidea.html
>
> Yeah, but then again:
>
> http://www.wired.com/news/politics/0,1283,40329,00.html
>
> supports my 'idea' about the IDEA matter.

Actually, it does not.

> To quote from the wired article:
>
> "European law specifically forbids patents on computer software,
> but the European Patent Office is strongly in favor of changing
> that."

But IDEA is an algorithm, not software and therefore perfectly
patentable. So please, don't argue to the contrary until you
have consulted with a patent lawyer and can present us with
some *hard* facts.

> The question now becomes do we believe a vendor with a vested
> interest in claiming it's patented (or is it patent pending?) or an
> independent source with no stake in the matter?

The independent source here seems to be your incorrect reading
of an article in Wired, neither of which, as far as I know, have
any sound expertise in the field of patent law.

[snip unfounded speculation]

Cheers,
Jeroen
--
Jeroen C. van Gelderen
jeroen@vangelderen.org

From owner-freebsd-security Sat Feb 10 14:32:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from green.dyndns.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 63E9F37B401; Sat, 10 Feb 2001 14:32:29 -0800 (PST)
Received: from localhost (m6uhre@localhost [127.0.0.1]) by green.dyndns.org (8.11.1/8.11.1) with ESMTP id f1A1jnr10637; Fri, 9 Feb 2001 20:45:50 -0500 (EST) (envelope-from green@FreeBSD.org)
Message-Id: <200102100145.f1A1jnr10637@green.dyndns.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: Kris Kennaway
Cc: Matt Dillon , Alfred Perlstein , green@FreeBSD.org, security@FreeBSD.org
Subject: Re: OpenSSH port patch
In-Reply-To: Message from Kris Kennaway of "Fri, 09 Feb 2001 13:32:14 PST." <20010209133214.A65547@mollari.cthul.hu>
From: "Brian F. Feldman"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 09 Feb 2001 20:45:49 -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote:
> On Fri, Feb 09, 2001 at 01:22:11PM -0800, Matt Dillon wrote:
> > I think it's a whole lot better than simply marking the package
> > forbidden! I was actually surprised that the package was marked
> > forbidden, when the fix is only a few minutes of work.
>
> That presupposes I had a few minutes of spare time. I'll get to it
> ASAP, if the maintainer doesn't first.

I do not mind if someone else takes the OpenSSH port.
I called it "end of life" and I really meant it because I simply don't
want to spend so much time keeping it up to date. It's much harder to
do it in a port versus the src tree, especially. I don't mind if alfred
or anyone else with a good reason modifies it. That said, I also see no
good reason not to just use sleep instead of nanosleep, as well.

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

From owner-freebsd-security Sat Feb 10 15: 0: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from falcon.prod.itd.earthlink.net (falcon.prod.itd.earthlink.net [207.217.120.74]) by hub.freebsd.org (Postfix) with ESMTP id DF2F637B401 for ; Sat, 10 Feb 2001 14:59:43 -0800 (PST)
Received: from pavilion (user-33qts2l.dialup.mindspring.com [199.174.240.85]) by falcon.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with SMTP id OAA00160 for ; Sat, 10 Feb 2001 14:59:41 -0800 (PST)
Message-ID: <004f01c093b5$27024e00$0101a8c0@pavilion>
From: "Richard Ward"
To:
Subject: 2.3.0p1 --without-pam
Date: Sat, 10 Feb 2001 17:59:39 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm trying to get OpenSSH 2.3.0p1 working with ./configure
--without-pam. The configure script runs fine, yet when I go to make I
get major errors.

auth-pam.o: In function `pam_cleanup_proc':
/usr/software/openssh-2.3.0p1/auth-pam.c(.text+0x1d7): undefined reference to `pam_close_session'
/usr/software/openssh-2.3.0p1/auth-pam.c(.text+0x1f2): undefined reference to `pam_strerror'

Is it trying to use pam even when I ran configure without it? It floods
with about 20 lines of errors from pam_* from auth-pam.c. Any ideas?

Thanks.
--
Richard Ward, CEO
richard@neonsky.net
Neonsky Internet Services

From owner-freebsd-security Sat Feb 10 15:36:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from linux.purenetfx.com (linux.purenetfx.com [207.179.24.34]) by hub.freebsd.org (Postfix) with ESMTP id D99FB37B4EC for ; Sat, 10 Feb 2001 15:36:07 -0800 (PST)
Received: from picard ([207.179.24.38]) by linux.purenetfx.com (8.9.3/8.8.7) with SMTP id QAA03284 for ; Sat, 10 Feb 2001 16:36:06 -0700
Message-ID: <000801c093ba$4e564290$2618b3cf@picard>
From: "Brian T. Allen"
To:
Subject: subscribe
Date: Sat, 10 Feb 2001 16:36:34 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0005_01C0937F.A14F43B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_0005_01C0937F.A14F43B0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0005_01C0937F.A14F43B0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
 
------=_NextPart_000_0005_01C0937F.A14F43B0--

From owner-freebsd-security Sat Feb 10 15:46:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from yez.hyperreal.org (3ff8f8da.dsl.flashcom.net [63.248.248.218]) by hub.freebsd.org (Postfix) with SMTP id BD3A537B401 for ; Sat, 10 Feb 2001 15:46:36 -0800 (PST)
Received: (qmail 82376 invoked by uid 1000); 10 Feb 2001 23:47:10 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 10 Feb 2001 23:47:10 -0000
Date: Sat, 10 Feb 2001 15:47:10 -0800 (PST)
From: Brian Behlendorf
X-X-Sender:
To: Richard Ward
Cc:
Subject: Re: 2.3.0p1 --without-pam
In-Reply-To: <004f01c093b5$27024e00$0101a8c0@pavilion>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You're building from the openssh.org-distributed "multiplatform"
2.3.0p1, right? Sounds like you hit a think-o that I hit last night as
well - first you just did "./configure" and "make", realized that pam
was something you really didn't want (in my case I was upgrading ssh on
an old 3.4-RELEASE system that I didn't want to do a full make world on,
and was getting pam errors when trying to auth), so you went back to
your 2.3.0p1 directory and did a "./configure --without-pam", and a
"make", without doing a "make clean". The "make clean" was something I
found necessary to clean out all references to pam in the object files;
I also had to add -lcrypt to the LIBS line in the Makefile, in case you
get errors at link time about not being able to find crypt.

Brian

On Sat, 10 Feb 2001, Richard Ward wrote:
> I'm trying to get OpenSSH 2.3.0p1 working with ./configure
> --without-pam. The configure script runs fine, yet when I go to make I
> get major errors.
>
> auth-pam.o: In function `pam_cleanup_proc':
> /usr/software/openssh-2.3.0p1/auth-pam.c(.text+0x1d7): undefined reference to `pam_close_session'
> /usr/software/openssh-2.3.0p1/auth-pam.c(.text+0x1f2): undefined reference to `pam_strerror'
>
> Is it trying to use pam even when I ran configure without it? It
> floods with about 20 lines of errors from pam_* from auth-pam.c. Any
> ideas?

From owner-freebsd-security Sat Feb 10 16: 9:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 2B93037B6B5 for ; Sat, 10 Feb 2001 16:09:31 -0800 (PST)
Received: from nisser.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id BAA22050; Sun, 11 Feb 2001 01:09:26 +0100 (CET) (envelope-from roelof@nisser.com)
Message-ID: <3A85D836.F9D001BC@nisser.com>
Date: Sun, 11 Feb 2001 01:09:26 +0100
From: Roelof Osinga
Organization: Nisser - Nr. 1 in Veiligheid
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: "Jeroen C. van Gelderen"
Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG
Subject: Re: Reminder notice about FreeBSD Security Advisories
References: <20010209214354.2FBD637B4EC@hub.freebsd.org> <20010209140614.A67010@mollari.cthul.hu> <3A853F1C.DED59C4B@nisser.com> <20010210053726.A45756@mollari.cthul.hu> <3A854C41.7BA1B2A1@nisser.com> <3A85799E.C6A3745B@vangelderen.org> <3A85AF50.1DF04F6F@nisser.com> <3A85B391.DB3ABC2A@vangelderen.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Jeroen C. van Gelderen" wrote:
>
> But IDEA is an algorithm, not software and therefore perfectly
> patentable.
> So please, don't argue to the contrary until you
> have consulted with a patent lawyer and can present us with
> some *hard* facts.
> ...
> The independent source here seems to be your incorrect reading
> of an article in Wired neither of which, as far as I know, have
> any sound expertise in field of patent law.
>
> [snip unfounded speculation]

Allrighty. Lucky for you I have got David Pressman's [a patent lawyer
b.t.w.] Patent It Yourself, 8th edition standing by. Let me quote a
snippet from it (from page 9/14):

"If your invention involves (or actually is) a computer program or
/algorithm/ [!, my stressing] - that is, a set of instructions for a
computer - you must claim to indicate some practical, useful, concrete,
and tangible result, and not just as a set of steps for manipulating
data or numbers"

which, of course, is supported by Merriam-Webster as in:

" a procedure for solving a mathematical problem (as of finding the
greatest common divisor) in a finite number of steps that frequently
involves repetition of an operation; broadly : a step-by-step procedure
for solving a problem or accomplishing some end especially by a
computer "

but then, you already knew that. Didn't you?

Granted, there is recent proof that I've got blind spots from here to
Bombay, still... My memory has an even greater notoriety of being,
well, spotty I guess. Even so I would conjecture that even in the US,
lenient though it might be, patenting a pure algorithm without gimmickry
as indicated by Pressman would be a neat trick indeed.

Still, since I am not a lawyer but merely a simple programmer turned
businessman 20 years or so ago, I will gladly bow to the hard facts you
did provide. After all, did not you imply to be either a (patent) lawyer
or to have recently consulted one?

Lest I leave you confused if not befuddled as to what it was I was just
trying to say, my point here is that clearly no real distinction is
being made betwixt algorithm and software. Hence if Wired *reports* the
EU decided not to allow software patents, commercial pressure to the
contrary notwithstanding, then it follows the same holds for algorithmic
patents (or rather, patents covering algorithms). A very simple
induction, but an induction nonetheless. Inductions not carrying the
weight of deductions I could still easily be proven wrong. And often am.
C'est la vie.

Mind you, is it really an induction? We've got:

  WRD -> ~PATENT(SOFTWARE)
  M-W -> EQUALS(SOFTWARE, ALGORITHMS)

from which it follows that

  WRD -> ~PATENT(ALGORITHMS)

not even any need to drag a patent lawyer into it, now is there? Still,
it hinges on Wired reporting the truth. Then again, the same 'facts' got
reported by a multitude of others.

The reason I do not gladly give up is because I much rather see the EU
as a bulwark 'gainst the commercialization of pure mathematics than as
bowing their collective head in shame and confessing they were wrong all
the time: mathematics is just another invention. So I'm defending an
ideal. I'll gladly confess that as a mere human I'm far from perfect.
Hence I might be the next Don Quichotte. Or just a plain idiot. Still...
I showed you mine (patent lawyer, that is) now show me yours!

Roelof

PS I *do* believe it is important. For if algorithms are indeed
patentable right now... what's next? I would say prior art. Who cares
about prior art anyway. If nobody important knows about it, then is it
really prior art? So clearly prior art must be established by important
people or sources knowing about it! Publishing in some 'never heard of'
magazine/source just doesn't cut it!
--
Home is where the (@) http://eboa.com/ is.
Nisser home -- http://www.Nisser.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 10 17:17:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253]) by hub.freebsd.org (Postfix) with ESMTP id 922C437B684 for ; Sat, 10 Feb 2001 17:17:07 -0800 (PST) Received: (from dlacroix@localhost) by cowpie.acm.vt.edu (8.9.3/8.9.3) id UAA15814; Sat, 10 Feb 2001 20:14:43 -0500 (EST) From: David La Croix Message-Id: <200102110114.UAA15814@cowpie.acm.vt.edu> Subject: Re: Xfree on multihomed box In-Reply-To: <200102101419.f1AEJBX10967@xs4some.net> from Fenix at "Feb 10, 1 03:19:11 pm" To: fenix@xs4some.net (Fenix) Date: Sat, 10 Feb 2001 19:14:42 -0600 (CST) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Hello > I have managed too run 2 separate "jails" one serving as a shell server and another one as a an internet server it all runs smooth and fine but i have a little problem as i use X on the host and it binds to all avilable IP's on the host > so does wdm (xdm) ... I was lookin in docs to find how i can make it listen to a single ip or not at all as i dont use X remoutly... > does anyone have any suggestions or tips ? I'll be really gratefull > Greets Fenix > add the "-nolisten tcp" option to the X invocation. It causes the Xserver not to bind to ANY ports/addresses, I disable it because anything I want on my Xserver goes through a ssh tunnel via X forwarding (forwarded to the Unix socket) If you're running xdm, find the file xdm/Xservers. The contents should look something like: :0 local /usr/X11R6/bin/X -nolisten tcp Not sure about wdm (or kdm), but I'm sure they are similar. 
Use "locate Xservers" to find where it is on your system. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 10 18:17:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id A5D9437B401 for ; Sat, 10 Feb 2001 18:17:12 -0800 (PST) Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 10 Feb 2001 18:15:17 -0800 Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1B2H5563445; Sat, 10 Feb 2001 18:17:05 -0800 (PST) (envelope-from cjc) Date: Sat, 10 Feb 2001 18:17:04 -0800 From: "Crist J. Clark" To: Dan Debertin Cc: Borja Marcos , "freebsd-security@freebsd.org" Subject: Re: nfsd support for tcp_wrapper -> General RPC solution Message-ID: <20010210181703.A62368@rfx-216-196-73-168.users.reflex> Reply-To: cjclark@alum.mit.edu References: <3A8474A6.D5D0DCE9@sarenet.es> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from airboss@bitstream.net on Fri, Feb 09, 2001 at 05:12:42PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Feb 09, 2001 at 05:12:42PM -0600, Dan Debertin wrote: > On Fri, 9 Feb 2001, Borja Marcos wrote: > > > > Yes, and what about having portmap set the right firewall > > rules to protect RPC services? Whenever a service registers itself > > to portmap, it puts firewall rules to block access to the port. > > That is what I am proposing! > > I posted on this subject last month. 
You can trivially update your > firewall rules with the following set of pipes: > > (assuming your NFS server is at 10.0.0.1, and the service you're looking > for is mountd) > > UDPMOUNTD=`rpcinfo -p 10.0.0.1|awk '$5~/mountd/&&$3~/udp/{print $4}'|uniq` > > Then, build your ipfw (of ipf, whatever) rules using $UDPMOUNTD: > > # ipfw add deny udp from $EXTERNAL_NET to 10.0.0.1 $UDPMOUNTD This is, of course, backwards, you should have, # ipfw add pass udp from $INTERNAL_NET to 10.0.0.1 $UDPMOUNTD And deny by default. :) -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 10 18:28:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 04E8337B401 for ; Sat, 10 Feb 2001 18:28:10 -0800 (PST) Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 10 Feb 2001 18:26:15 -0800 Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1B2S2m63504; Sat, 10 Feb 2001 18:28:02 -0800 (PST) (envelope-from cjc) Date: Sat, 10 Feb 2001 18:28:01 -0800 From: "Crist J. 
Clark" To: Alfred Perlstein Cc: Borja Marcos , freebsd-security@FreeBSD.ORG Subject: Re: nfsd support for tcp_wrapper -> General RPC solution Message-ID: <20010210182801.B62368@rfx-216-196-73-168.users.reflex> Reply-To: cjclark@alum.mit.edu References: <3A83C933.8F89DC69@sarenet.es> <20010209133615.P26076@fw.wintelcom.net> <3A8474A6.D5D0DCE9@sarenet.es> <20010209145602.T26076@fw.wintelcom.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010209145602.T26076@fw.wintelcom.net>; from bright@wintelcom.net on Fri, Feb 09, 2001 at 02:56:02PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Feb 09, 2001 at 02:56:02PM -0800, Alfred Perlstein wrote: > * Borja Marcos [010209 14:52] wrote: > > Alfred Perlstein wrote: > > > > > This is a really flawed idea. > > > > Humm. Yours is a flawed reading of my message? ;-) > > You're right. :) > > > > > > > In fact because afaik NFS always uses a well known port, you really > > > don't need portmap to map it, you just need to use the port, > > > portmapper for NFS is just a formality. > > > > > > Ok, with that out of the window, we _could_ consider mucking userland > > > mountd to use tcpwrappers to graft an ACL to what's in /etc/exports. > > > This is also a bad idea, one can just brute force the NFS > > > cookie/filehandle required to gain access, then contact the NFS > > > port. > > > > > > The solution is to use a firewall. > > > > Yes, and what about having portmap set the right firewall > > rules to protect RPC services? Whenever a service registers itself > > to portmap, it puts firewall rules to block access to the port. > > That is what I am proposing! > > > > Yes, NFS uses a fixed port, but not other RPC services. > > Well, using a firewall would work fine, but relying on obfuscation > by just hiding portmap won't. 
That's where I misread what you said, > I thought you only meant to firewall portmap, but if you can add hooks > to portmap to run ipfw rules... that would interesting. :) The 'right' way to do it would be to look down to the session layer at the RPC header and examine the RPC program number for each packet. A rule would look something like, # ipfw add pass ip from $OK_HOST to $RPC_SERVER rpc $RPC_SERVICE Where $RPC_SERVICE is a number or a name from /etc/rpc. It actually would not be terribly hard to do... not that I am volunteering (or discounting the idea of doing it either). -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 10 20:48:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.218.227.234]) by hub.freebsd.org (Postfix) with ESMTP id 3037337B401; Sat, 10 Feb 2001 20:48:05 -0800 (PST) Received: from xena (xena.hh.kew.com [192.168.203.148]) by kendra.ne.mediaone.net (Postfix) with SMTP id 44A068C4F; Sat, 10 Feb 2001 23:48:04 -0500 (EST) Message-ID: <009c01c093e5$d1cd7230$94cba8c0@hh.kew.com> From: "Drew Derbyshire" To: References: <200102082014.PAA29877@vws3.interlog.com> Subject: FreeBSD Postfix and Majordomo security (was FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE) Date: Sat, 10 Feb 2001 23:48:04 -0500 Organization: Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com) MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org (Headers rigged to move follow ups to -chat ...) 
Since the FreeBSD site runs postfix, the fix to block external postings to the announce list is a Postfix FAQ, using a regular expression filter. This would require direct trusted posters to go through a local (or otherwise trusted IP), and cannot be beaten by forged headers. (Hint, hint!) The belief that signing advisories sorts out the good from the bad is naive. The negative impression is left on users when the reader realizes a bogus post from an official mailing list is bogus in the first place. (Nor do most mail clients support automatically decoding the key. Heck, I get global whining for using any sort of MIME at all in mail.) In general, I'm amazed that after all the SPAM on the FreeBSD mailing lists that they haven't gone to post-only-by subscribers in general -- clearly, the maintainers don't seem to care about the lists's quality as much as some of the subscribers do. Yes, yes, I've heard the "but we need to let any one post ..." argument, and refuse to believe it given hackish nature of the FreeBSD mailing lists, and general disdain for end-users. (Linux will rule the world, because organizations like RedHat support relatively clean binary patches using up2date between releases -- it makes me sad when I compare this to FreeBSD securty advisories which offer choices of source patches or "upgrade to Release 4.x-STABLE after the specified" date, given that such configurations have a prereq of reading the -stable mailing list and generally breathing FreeBSD.) -ahd- -- Drew Derbyshire UUPC/extended e-mail: software+sig@kew.com Telephone: 617-279-9812 "I've got to start listening to those quiet, nagging doubts." - Calvin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
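Going back to the nfsd/RPC thread above: Dan Debertin's rpcinfo/awk pipeline and Crist Clark's correction (pass from the internal net, deny everything else) can be combined into one script that derives a service's registered ports and emits ipfw rules. This is an added example, not code from the thread; the rpcinfo output is a constructed sample, and 10.0.0.0/24 and 10.0.0.1 are assumed addresses.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (not captured from a real
# host). In real use, replace this with: rpcinfo -p "$SERVER"
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100005    3   udp   1023  mountd
    100005    1   tcp   1022  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs'

# rpc_port SERVICE PROTO: print the distinct port(s) the named RPC
# service registered for the given protocol, one per line. Exact field
# matches avoid matching e.g. "nfs" against "nfs_acl".
rpc_port() {
    printf '%s\n' "$RPCINFO_SAMPLE" |
        awk -v svc="$1" -v proto="$2" '$5 == svc && $3 == proto { print $4 }' |
        sort -u
}

# rpc_rules INTERNAL_NET SERVER SERVICE: emit ipfw rules that pass the
# service only from INTERNAL_NET and then deny it from anywhere else,
# for every protocol/port the service registered.
rpc_rules() {
    net=$1; server=$2; svc=$3
    for proto in udp tcp; do
        for port in $(rpc_port "$svc" "$proto"); do
            echo "ipfw add pass $proto from $net to $server $port"
            echo "ipfw add deny $proto from any to $server $port"
        done
    done
}

# Print the rules for mountd on the sample server (assumed addresses).
rpc_rules 10.0.0.0/24 10.0.0.1 mountd
```

Because RPC services may re-register on a different port after a restart, a script like this has to be re-run (or hooked into portmap, as proposed in the thread) whenever the service comes up.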