From owner-freebsd-security Sun Apr 8 0:59:19 2001
From: jal
To: freebsd-security@FreeBSD.ORG
Date: Sun, 8 Apr 2001 00:58:44 -0700
Subject: Re: Theory Question
Message-ID: <20010408005844.A2857@lorenza.abulafia.com>
In-Reply-To: <05b901c0bfb8$d79a1160$0101a8c0@development.local>

On Sat, Apr 07, 2001 at 04:16:55PM -0700, John Howie wrote:
>
> [...] If I force would-be
> intruders to have to defeat/circumvent individual measures such as
> firewalls/NAT boxes just to determine my topologies before they can even
> make an attempt at an attack on servers, then most will give up and go away.

Without (dis)agreeing with John or anyone else, I feel like this is the time to point out that security is a cost, to be evaluated like any other. At a certain point, the average business needs to ask itself whether paranoia[1] makes any sense in spent resources, compared with the measures taken to secure weaker links, not to mention the cost of losing whatever is being protected in the first place.

So you have the most kick ass network of IDS boxes watching your hierarchical firewalls, and have deployed the right protocols, LLE, etc. in all the right places. How's your phone system? How hard is it to trick someone's assistant, or the Extremely Important Person themself? What does it mean if that works? If you reply that that isn't a technical problem, you don't get security, which only ever approaches being half technical in nature.

WRT the original problem, my suggestion is to ideally treat the IDS as an island, cut the TX pair, assume it can be flooded/compromised, and write logs in a way that makes it difficult to alter them without being noticed. If the box has to transmit data, you begin making different trade-offs involving the network security of your security network. Look at those closely, but keep an eye on the value of what you're protecting. In general, I'd say that if you have legitimate reason to be paranoid enough to build this sort of thing, you have legitimate reason to not trust private networks, etc. to hide you. Again, policy matters a lot - did some random admin leave a laptop connected to the "secure" network when they ran off to fix some email problem? If you worry about things on this level, the network structure is not your biggest problem.

-j

[1] Intel "only the paranoid survive" Corp. was given a nice demonstration of internal security issues by Randal Schwartz. Leaving aside your view of what he did, it makes a nice object lesson on the limitations of a mostly technical (followed by legal, unfortunately) approach to security problems, some of which they apparently didn't know they had.
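jal's advice to write the island IDS's logs "in a way that makes it difficult to alter them without being noticed" is what a hash chain gives you. The script below is an added example, not code from the thread or from any FreeBSD tool: every record stores the SHA-256 of the previous record's hash plus its own text, and a verifier walks the file recomputing the chain, so a rewritten or dropped record breaks every hash after it. The CHAIN_LOG path, the dependence on sha256sum(1) and the sample events are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: a tamper-evident event log for an
# "island" IDS. Each record is "<hash> <text>" where
# hash = SHA-256("<previous record's hash> <text>"), so editing or deleting
# an earlier record invalidates every record that follows it.
# Assumptions: sha256sum(1) is available (coreutils), and CHAIN_LOG is a
# placeholder path chosen for this example.

CHAIN_LOG="${CHAIN_LOG:-./ids-chain.log}"
GENESIS=$(printf '%064d' 0)   # the hash "before" the first record: 64 zeros

# Hex SHA-256 of stdin.
digest() { sha256sum | cut -d' ' -f1; }

# Hash stored on the last record, or GENESIS if the log is still empty.
chain_tip() {
    if [ -s "$CHAIN_LOG" ]; then
        tail -n 1 "$CHAIN_LOG" | cut -d' ' -f1
    else
        printf '%s' "$GENESIS"
    fi
}

# Append one event, binding it to the current tip of the chain.
chain_append() {
    prev=$(chain_tip)
    h=$(printf '%s %s' "$prev" "$1" | digest)
    printf '%s %s\n' "$h" "$1" >> "$CHAIN_LOG"
}

# Recompute the whole chain. Returns 0 if every record matches; otherwise
# reports the first record that does not and returns 1.
chain_verify() {
    prev=$GENESIS
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        stored=${line%% *}
        text=${line#* }
        expect=$(printf '%s %s' "$prev" "$text" | digest)
        if [ "$stored" != "$expect" ]; then
            echo "chain broken at record $n" >&2
            return 1
        fi
        prev=$stored
    done < "$CHAIN_LOG"
    return 0
}

# Demo: "sh chain.sh demo" builds a log from constructed events, checks it,
# then rewrites one record in place and shows that the check catches it.
if [ "${1:-}" = "demo" ]; then
    CHAIN_LOG=$(mktemp)
    chain_append "sensor started"
    chain_append "portscan from 198.51.100.7 against 192.0.2.20"
    chain_append "sensor stopped"
    chain_verify && echo "chain intact"
    awk 'NR == 2 { sub(/198\.51\.100\.7/, "203.0.113.9") } { print }' "$CHAIN_LOG" > "$CHAIN_LOG.tmp"
    mv "$CHAIN_LOG.tmp" "$CHAIN_LOG"
    chain_verify || echo "tampering detected"
    rm -f "$CHAIN_LOG"
fi
```

The chain only makes silent edits to past records detectable; whoever controls the box can still rebuild the whole file or truncate its tail. That is why the tip hash should leave the sensor on a schedule over a channel the sensor cannot rewrite (a serial console printer, a write-once device, a hand-copied line in a log book), which is exactly the "cut the TX pair" trade-off jal describes.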
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Apr 8 2:18:03 2001
From: "John Howie"
To: "James Wyatt"
Date: Sun, 8 Apr 2001 02:22:12 -0700
Subject: Re: Theory Question
Message-ID: <05dd01c0c00d$657a8510$0101a8c0@development.local>

----- Original Message -----
From: "James Wyatt"
To: "John Howie"
Cc: "Jacques A. Vidrine"; "Crist Clark"
Sent: Saturday, April 07, 2001 8:16 PM
Subject: Re: Theory Question

> If you have a large network to protect, maintaining a separate monitoring
> network for out-of-band control (of the main network which is subject to
> attack) can be pretty costly. I've seen VLANs suggested for large outfits,
> but that can be attacked at the switch level. You can use voice channels
> and PPP over serial, but filter the heck out of it and don't set a default
> route. At some point you will have to network to your IDS box if you want
> much functionality from it. If you simply have the box set to log out the
> serial port, it can be easily overrun (DoSed) if you have a good net
> connection.

James,

I have had so many people suggest VLANs as an acceptable security solution that it makes me wonder... Is there someone out there (presumably a hacker) pushing them? I agree with you, they are not secure. That is why I always push for a separate physical network. And I always say that if it should ever be compromised you just blow it away and reconstruct it. In fact, I use the term "Victim Network" to describe an IDS/monitoring network.

john...

From owner-freebsd-security Sun Apr 8 2:26:01 2001
From: "John Howie"
To: "jal"
Date: Sun, 8 Apr 2001 02:30:11 -0700
Subject: Re: Theory Question
Message-ID: <05f601c0c00e$8331fba0$0101a8c0@development.local>

jal,

You hit the nail on the head. You mitigate the risks you can, and insure against the rest.

john...

----- Original Message -----
From: "jal"
Sent: Sunday, April 08, 2001 12:58 AM
Subject: Re: Theory Question

> On Sat, Apr 07, 2001 at 04:16:55PM -0700, John Howie wrote:
> >
> > [...] If I force would-be
> > intruders to have to defeat/circumvent individual measures such as
> > firewalls/NAT boxes just to determine my topologies before they can even
> > make an attempt at an attack on servers, then most will give up and go away.
>
> Without (dis)agreeing with John or anyone else, I feel like
> this is the time to point out that security is a cost, to
> be evaluated like any other. At a certain point, the average
> business needs to ask itself whether paranoia[1] makes any sense
> in spent resources, compared with the measures taken to secure
> weaker links, not to mention the cost of losing whatever is being
> protected in the first place.
>
> So you have the most kick ass network of IDS boxes watching your
> hierarchical firewalls, and have deployed the right protocols,
> LLE, etc. in all the right places. How's your phone system?
> How hard is it to trick someone's assistant, or the Extremely
> Important Person themself? What does it mean if that works? If you
> reply that that isn't a technical problem, you don't get security,
> which only ever approaches being half technical in nature.
>
> WRT the original problem, my suggestion is to ideally treat the IDS
> as an island, cut the TX pair, assume it can be flooded/compromised,
> and write logs in a way that makes it difficult to alter them without
> being noticed. If the box has to transmit data, you begin making
> different trade-offs involving the network security of your security
> network. Look at those closely, but keep an eye on the value
> of what you're protecting. In general, I'd say that if you have
> legitimate reason to be paranoid enough to build this sort of thing, you
> have legitimate reason to not trust private networks, etc. to hide
> you. Again, policy matters a lot - did some random admin leave a
> laptop connected to the "secure" network when they ran off to fix some
> email problem? If you worry about things on this level, the network
> structure is not your biggest problem.
>
> -j
>
> [1] Intel "only the paranoid survive" Corp. was given a nice
> demonstration of internal security issues by Randal Schwartz.
> Leaving aside your view of what he did, it makes a nice object
> lesson on the limitations of a mostly technical (followed by
> legal, unfortunately) approach to security problems, some of which
> they apparently didn't know they had.

From owner-freebsd-security Sun Apr 8 2:45:57 2001
From: Lee Smallbone
To: "Jacques A. Vidrine", John Howie
Cc: Crist Clark, freebsd-security@FreeBSD.ORG
Date: Sun, 08 Apr 2001 10:48:38 +0100
Subject: Re: Theory Question
Message-ID: <200104081058.LAA20775@mailgate.kechara.net>
Reply-To: lee@kechara.net
Organization: Kechara Internet

Thanks to everyone who has replied thus far. It has been very enlightening!

07/04/2001 14:00:40, "Jacques A. Vidrine" wrote:

>If the `key' to your security is obscurity of your internal network
>configuration, expect to be compromised. This information is not hard
>to obtain by a determined attacker, and technology is probably not
>even an issue.

Of course, there is an element of StO that is beneficial. There are (on last estimation) 1-4,000 blackhats and 200,000 script kiddies. The chances are that if you do not possess anything vaguely interesting (such as credit card transactions, medical records or whatever) blackhat attention will be somewhat lower (but non-zero). It is *far* more likely script kiddies will be the thorn in your foot, thus StO will probably ward off 40-60% of kiddies, as they cannot easily obtain what they need. "Just enter a different subnet and try again..." Proactive security will nab a further 30%, leaving just 10% to be of concern.

Just my two cents anyway.

--
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685

From owner-freebsd-security Sun Apr 8 2:57:26 2001
From: Lee Smallbone
To: John Howie, James Wyatt, freebsd-security@FreeBSD.ORG
Date: Sun, 08 Apr 2001 11:00:07 +0100
Subject: Re: Theory Question
Message-ID: <200104081110.MAA20820@mailgate.kechara.net>
Reply-To: lee@kechara.net
Organization: Kechara Internet

>I have had so many people suggest VLANs as an acceptable security solution
>that it makes me wonder... Is there someone out there (presumably a hacker)
>pushing them? I agree with you, they are not secure. That is why I always
>push for a separate physical network.

I'll drink to that. While VLANs are an easier solution, the trade-off is somewhat unacceptable.

>And I always say that if it should
>ever be compromised you just blow it away and reconstruct it. In fact, I use
>the term "Victim Network" to describe an IDS/monitoring network.

While we're heading down this route then, what is everyone's take on honeypot/nets?

--
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685

From owner-freebsd-security Sun Apr 8 3:44:23 2001
From: "Crist J. Clark"
To: John Howie
Cc: "Jacques A. Vidrine", Crist Clark, lee@kechara.net, freebsd-security@FreeBSD.ORG
Date: Sun, 08 Apr 2001 05:45:06 -0700
Subject: Re: Theory Question
Message-ID: <3AD05D51.B2B739BC@alum.mit.edu>

John Howie wrote:

[snip]

> If I force would-be
> intruders to have to defeat/circumvent individual measures such as
> firewalls/NAT boxes just to determine my topologies before they can even
> make an attempt at an attack on servers, then most will give up and go away.
> With the correct supporting measures in place, obscuring network topology is
> a valid step to take.

NAT is not a security tool. NAT is a means to conserve network addresses. It is not particularly difficult to guess at the number of machines behind a NAT box or to devise the network topology (provided you can get someone on the inside to try to communicate with you).

Obscuring network topology is not something most people should spend a lot of time worrying about. If a machine has IP connectivity, it has IP connectivity. The topology of a network is only a security issue once an attacker has already compromised a box and you are worried about what he can sniff. If the attacker has that kind of access to the box, he knows your net topology. Yes, you do not need to advertise your network arch on a web page or with ICMP netmask replies, but there is no need to spend any sweat trying to hide it either. Again, IMHO.

We have descended far into the theoretical here, well past the realm of a script kiddie. But just as the script kiddie would not gather intel on your net to figure out how to get around an interface with no IP stack attached, a script kiddie would be defeated by an IDS _with_ an IP on the interface, but sane firewall rules on it. Generally speaking, what makes machines vulnerable is not the kernel's IP stack bound to an interface, but having vulnerable services listening on it. I do not think it unreasonable to give that external interface of the IDS an IP address, but put some seriously stringent firewall (ipf, ipfw) rules on it (running minimal services is a given of course). Accept only incoming connections from your secure net and just allow the log traffic in the firewall. The external attacker is going to have a really hard time finding this IDS. Your firewall still gives you some protection from the machine if it were to be subverted.

For the zillionth time, there are no absolutes in security, only trades. For most of us, making the IDS easy to use makes our network as a whole more secure than locking the thing down so hard that we have a really tough time using it. An IDS that you do not use does not enhance security.
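Crist's design of an IDS interface that does carry an IP address but sits behind "seriously stringent" ipfw rules, written out as an added example; this is not a ruleset from the thread or from FreeBSD. The interface name fxp1, the 192.0.2.x addresses and the syslog collector on 514/udp are placeholders. The only inbound service is ssh from the secure net, the only outbound traffic is the sensor's own log stream, and everything else is dropped and logged so that probes of the sensor show up in its own records. By default the script prints the rules instead of loading them; set IPFW_APPLY=1 to run it on the sensor itself.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules for an IDS sensor whose
# management interface has an IP address but accepts only what the secure
# (monitoring) net needs. All names and addresses below are placeholders.
ids_ip="192.0.2.10"        # address on the sensor's management NIC
mgmt_if="fxp1"             # management NIC; the sniffing NIC keeps no address
secure_net="192.0.2.0/24"  # the monitoring / "victim" network
loghost="192.0.2.5"        # syslog collector the sensor ships logs to

# Dry run unless IPFW_APPLY=1: print each rule rather than loading it.
fw() {
    if [ "${IPFW_APPLY:-0}" = "1" ]; then
        /sbin/ipfw -q add "$@"
    else
        printf 'ipfw add %s\n' "$*"
    fi
}

# Emit the whole ruleset in evaluation order (ipfw processes lowest number first).
ids_ruleset() {
    # Loopback stays open, but nothing on the wire may claim 127/8.
    fw 100 allow ip from any to any via lo0
    fw 110 deny ip from any to 127.0.0.0/8
    fw 120 deny ip from 127.0.0.0/8 to any
    # Anti-spoofing on the management NIC: inbound packets must come from
    # the secure net and must not carry the sensor's own source address.
    fw 200 deny ip from "$ids_ip" to any in via "$mgmt_if"
    fw 210 deny ip from not "$secure_net" to any in via "$mgmt_if"
    # Let packets of flows admitted by the keep-state rules below through.
    fw 300 check-state
    # The only inbound service: ssh from the secure net to the sensor.
    fw 400 allow tcp from "$secure_net" to "$ids_ip" 22 in via "$mgmt_if" setup keep-state
    # The only outbound traffic: syslog from the sensor to the collector.
    fw 500 allow udp from "$ids_ip" to "$loghost" 514 out via "$mgmt_if" keep-state
    # Everything else, in either direction, is dropped and logged. The
    # outbound half is what limits a subverted sensor's reach.
    fw 65000 deny log ip from any to any
}

ids_ruleset
```

Rule 210 is the part that turns "accept only incoming connections from your secure net" into policy rather than intent; without it a host on the monitored side that learns the sensor's address could at least attempt the ssh port. Rule 65000 logging both directions is what lets the sensor report on itself: an unexpected outbound connection attempt is the first sign that the box was subverted.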
-- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 9 2:36:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns1.unila.ac.id (ns1.unila.ac.id [202.158.47.162]) by hub.freebsd.org (Postfix) with SMTP id E705F37B43C for ; Mon, 9 Apr 2001 02:36:17 -0700 (PDT) (envelope-from riki@maiser.unila.ac.id) Received: (qmail 1437 invoked from network); 9 Apr 2001 09:38:56 -0000 Received: from maiser.unila.ac.id (192.168.1.2) by ns1.unila.ac.id with SMTP; 9 Apr 2001 09:38:56 -0000 Received: from localhost (riki@localhost) by maiser.unila.ac.id (8.9.3/8.9.3) with ESMTP id QAA02720 for ; Mon, 9 Apr 2001 16:34:22 +0700 (JAVT) (envelope-from riki@maiser.unila.ac.id) Date: Mon, 9 Apr 2001 16:34:22 +0700 (JAVT) From: Q Yai QQ To: freebsd-security@FreeBSD.org Subject: local exploit In-Reply-To: <3AD05D51.B2B739BC@alum.mit.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hai guys.,. i wanna ask about Security of FreeBSD 3.4 and 4.x on FreeBSD-3.4 there are local exploit that hack chpass i am ever hacked by my user with local-exploit tha can setiud root.,. then i try to chmod o-x chpass IT WORK !!! others cannot exploit on my machines again but i never find local exploit for FreeBSD-4.1 version are there big different that 4.1 more secure for exploit ?? 
thank's >>>>>>>>>>>>>>>>>*****<<<<<<<<<<<<<<<<< riki@unila.ac.id visit my homepage and sign my guestbook http://unilanet.unila.ac.id/~qq --------------------------------------- --------------------------------------- & __& &__ // \\ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 9 6:13:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp-server1.tampabay.rr.com (smtp-server1.tampabay.rr.com [65.32.1.34]) by hub.freebsd.org (Postfix) with ESMTP id 0D59037B424 for ; Mon, 9 Apr 2001 06:13:47 -0700 (PDT) (envelope-from habeeb@cfl.rr.com) Received: from descrypt.com (IDENT:root@ubr-33.101.76.melbourne.cfl.rr.com [65.33.101.76]) by smtp-server1.tampabay.rr.com (8.11.2/8.11.2) with SMTP id f39CpAS20045 for ; Mon, 9 Apr 2001 08:51:11 -0400 (EDT) From: David Organization: Serpant Technologies To: freebsd-security@freebsd.org Subject: Re: local exploit Date: Mon, 9 Apr 2001 08:02:55 -0500 X-Mailer: KMail [version 1.1.99] Content-Type: text/plain; charset="US-ASCII" References: In-Reply-To: MIME-Version: 1.0 Message-Id: <01040908025501.11342@descrypt.com> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Please learn to speak english better, or have someone help you write emails. Your hacked up english barely makes sense, and one can only guess what you mean. Also 3.4 is not supported anymore (unless I missed something), so unless you wish to upgrade to a version which is, you're on your own. On Monday 09 April 2001 04:34, you wrote: > hai guys.,. > > i wanna ask about Security of FreeBSD 3.4 and 4.x > > on FreeBSD-3.4 there are local exploit that hack chpass > > i am ever hacked by my user with local-exploit tha can setiud root.,. > > then i try to chmod o-x chpass > > IT WORK !!! 
> others cannot exploit on my machines again > > but i never find local exploit for FreeBSD-4.1 version > > are there big different that 4.1 more secure for exploit ?? > thank's > > >>>>>>>>>>>>>>>>>*****<<<<<<<<<<<<<<<<< > > riki@unila.ac.id > visit my homepage and sign my guestbook > http://unilanet.unila.ac.id/~qq > --------------------------------------- > --------------------------------------- > & > __& &__ > // \\ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 9 6:37:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from test.kens.com (kens.com [129.250.30.40]) by hub.freebsd.org (Postfix) with ESMTP id 34D9237B422 for ; Mon, 9 Apr 2001 06:37:44 -0700 (PDT) (envelope-from robin@socha.net) Received: (qmail 78721 invoked by uid 1002); 9 Apr 2001 13:37:45 -0000 Date: Mon, 9 Apr 2001 09:37:45 -0400 From: "Robin S. Socha" To: freebsd-security@freebsd.org Subject: Re: local exploit Message-ID: <20010409093744.C76067@kens.com> References: <01040908025501.11342@descrypt.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline User-Agent: Mutt/1.3.15i In-Reply-To: <01040908025501.11342@descrypt.com>; from habeeb@cfl.rr.com on Mon, Apr 09, 2001 at 08:02:55AM -0500 X-Mailer: Mutt http://www.mutt.org/ X-URL: https://socha.net/ X-Editor: Vim-600 http://www.vim.org/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * David [010409 09:15]: > Please learn to speak english better, or have someone help you write emails. > Your hacked up english barely makes sense, and one can only guess what you > mean. David, for an induhvidual baraly able to use his mailtoy, you display an astounding lack of politeness. He is a 21year-old Indian. 
Not everyone speaks English as well as do, particularly in India. OTOH, chances are that even a lobotomized sewer rat knows FreeBSD better than you. So would you mind sodding off RSN? > Also 3.4 is not supported anymore (unless I missed something), so > unless you wish to upgrade to a version which is, you're on your own. Yeah, right. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 9 6:41:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from snsonline.net (snsonline.net [210.9.53.32]) by hub.freebsd.org (Postfix) with ESMTP id 30B3637B423 for ; Mon, 9 Apr 2001 06:41:13 -0700 (PDT) (envelope-from sarge@snsonline.net) Received: from snsonline.net (nobody@localhost.snsonline.net [127.0.0.1]) by snsonline.net (8.11.1/8.11.1) with SMTP id f39DfEa20392; Mon, 9 Apr 2001 23:41:18 +1000 (EST) (envelope-from sarge@snsonline.net) Received: from 61.9.167.155 (SquirrelMail authenticated user sarge) by webmail.snsonline.net with HTTP; Mon, 9 Apr 2001 23:41:18 +1000 (EST) Message-ID: <3503.61.9.167.155.986823678.squirrel@webmail.snsonline.net> Date: Mon, 9 Apr 2001 23:41:18 +1000 (EST) Subject: Re: local exploit From: "Mark Sergeant" To: rsocha@kens.com In-Reply-To: <20010409093744.C76067@kens.com> References: <20010409093744.C76067@kens.com> Cc: freebsd-security@FreeBSD.ORG X-Mailer: SquirrelMail (version 1.0.2) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Here, here. And on that note off to bed I wander. > * David [010409 09:15]: >> Please learn to speak english better, or have someone help you write >> emails. Your hacked up english barely makes sense, and one can only >> guess what you mean. > > David, for an induhvidual baraly able to use his mailtoy, you display > an astounding lack of politeness. He is a 21year-old Indian. 
Not > everyone speaks English as well as do, particularly in India. OTOH, > chances are that even a lobotomized sewer rat knows FreeBSD better than > you. So would you mind sodding off RSN? > >> Also 3.4 is not supported anymore (unless I missed something), so >> unless you wish to upgrade to a version which is, you're on your own. > > Yeah, right. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 9 6:48:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 9203737B422 for ; Mon, 9 Apr 2001 06:48:32 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.9.3/8.9.3) id JAA19494; Mon, 9 Apr 2001 09:48:23 -0400 (EDT) (envelope-from str) From: Igor Roshchin Message-Id: <200104091348.JAA19494@giganda.komkon.org> Subject: Re: local exploit In-Reply-To: <01040908025501.11342@descrypt.com> from "David" at "Apr 9, 2001 08:02:55 am" To: David Date: Mon, 9 Apr 2001 09:48:22 -0400 (EDT) Cc: freebsd-security@FreeBSD.ORG, riki@maiser.unila.ac.id X-Mailer: ELM [version 2.4ME+ PL61 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org David @ Serpant Technologies: Please, learn to be polite and less snobby. Not everybody speaks your native language well, but do you speak other people's native languages at all ? Despite being written in broken English, the text is clear enough, and if you don't understand, it might be you who needs to learn English. Yai: Yes, chpass in FreeBSD-3.4 is vulnerable. 
You can find the description of the vulnerability at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00%3A58.chpass.asc It was corrected as of: Corrected: 2000/07/20 (FreeBSD 4.0-STABLE) 2000/10/04 (FreeBSD 3.5.1-STABLE) Security advisories for other vulnerabilities can be found at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/ Hope, that helps. Igor > Please learn to speak english better, or have someone help you write emails. > Your hacked up english barely makes sense, and one can only guess what you > mean. Also 3.4 is not supported anymore (unless I missed something), so > unless you wish to upgrade to a version which is, you're on your own. > > > On Monday 09 April 2001 04:34, you wrote: > > hai guys.,. > > > > i wanna ask about Security of FreeBSD 3.4 and 4.x > > > > on FreeBSD-3.4 there are local exploit that hack chpass > > > > i am ever hacked by my user with local-exploit tha can setiud root.,. > > > > then i try to chmod o-x chpass > > > > IT WORK !!! > > others cannot exploit on my machines again > > > > but i never find local exploit for FreeBSD-4.1 version > > > > are there big different that 4.1 more secure for exploit ?? 
> > thank's > > > > >>>>>>>>>>>>>>>>>*****<<<<<<<<<<<<<<<<< > > > > riki@unila.ac.id > > visit my homepage and sign my guestbook > > http://unilanet.unila.ac.id/~qq > > --------------------------------------- > > --------------------------------------- > > & > > __& &__ > > // \\ > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 9 6:57:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from ra.upan.org (ra.upan.org [204.107.76.19]) by hub.freebsd.org (Postfix) with ESMTP id 50C3937B422 for ; Mon, 9 Apr 2001 06:57:14 -0700 (PDT) (envelope-from mikel@ocsinternet.com) Received: from ocsinternet.com (thoth.upan.org [204.107.76.16]) by ra.upan.org (8.11.1/8.11.1) with ESMTP id f39DuTZ50788; Mon, 9 Apr 2001 09:56:29 -0400 (EDT) (envelope-from mikel@ocsinternet.com) Message-ID: <3AD1C188.F34164C7@ocsinternet.com> Date: Mon, 09 Apr 2001 10:04:56 -0400 From: Mikel X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en,it MIME-Version: 1.0 To: John Howie Cc: James Wyatt , freebsd-security@FreeBSD.ORG Subject: Re: Theory Question References: <05dd01c0c00d$657a8510$0101a8c0@development.local> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've heard this as well; and seem to remember hearing it while attending some cisco training or something. I fully agree, that they aren't very good for security, and truthfully I don't think they're very good for a busy network either... Ok that's my $0.01. Thanks to all for a very thought provoking thread... 
Cheers, Mikel John Howie wrote: > ----- Original Message ----- > From: "James Wyatt" > To: "John Howie" > Cc: "Jacques A. Vidrine" ; "Crist Clark" > ; ; > > Sent: Saturday, April 07, 2001 8:16 PM > Subject: Re: Theory Question > > > If you have a large network to protect, maintaining a separate monitoring > > network for out-of-band control (of the main network which is subject to > > attack) can be pretty costly. I've seen VLANs suggested for large outfits, > > but that can be attacked at the switch level. You can use voice channels > > and PPP over serial, but filter the heck out of it and don't set a default > > route. At some point you will have to network to your IDS box if you want > > much functionality from it. If you simply have the box set to log out the > > serial port, it can be easily overrun (DoSed) if you have a good net > > connection. > > > > James, > > I have had so many people suggest VLANs as an acceptable security solution > that it makes me wonder... Is there someone out there (presumably a hacker) > pushing them? I agree with you, they are not secure. That is why I always > push for a separate physical network. And I always say that if it should > ever be compromised you just blow it away and reconstruct it. In fact, I use > the term "Victim Network" to describe an IDS/monitoring network. > > john... 
From owner-freebsd-security Mon Apr 9 8:51:34 2001
From: James Wyatt
Date: Mon, 9 Apr 2001 10:50:49 -0500 (CDT)
To: freebsd-security@freebsd.org
Subject: Re: local exploit
In-Reply-To: <01040908025501.11342@descrypt.com>

At least david's response will pretty well ensure you receive some help.
While the "current" branch of FreeBSD is 4.x, there are usually security
fixes available for older releases. Check http://www.freebsd.org/security/
for advisories and you will find enough to encourage you to either upgrade
to 4.2 now, or upgrade to 4.3 when it arrives soon.

If you have disk space and want to stay at 3.x for a while, look at "cvsup"
and "make world" support - it lets you apply security patches to the older
OS versions. There is a fair amount of constant overhead rather than
complete upgrades. It can be *great* if you build many ports as it lets you
keep up with their security patches as well.
You can live without "chpass" for a while, but there are other very serious
advisories from 3.4 that warrant upgrade if your machine is exposed to the
internet or you have more than a few, trusted users. There are some great
links to helpful information on the left side of http://www.freebsd.org
that should explain things better.

I hope this helps somehow. Good luck - Jy@

On Mon, 9 Apr 2001, David wrote:
> Please learn to speak english better, or have someone help you write emails.
> Your hacked up english barely makes sense, and one can only guess what you
> mean. Also 3.4 is not supported anymore (unless I missed something), so
> unless you wish to upgrade to a version which is, you're on your own.
>
>
> On Monday 09 April 2001 04:34, you wrote:
> > hai guys.,.
> >
> > i wanna ask about Security of FreeBSD 3.4 and 4.x
> >
> > on FreeBSD-3.4 there are local exploit that hack chpass
> >
> > i am ever hacked by my user with local-exploit tha can setiud root.,.
> >
> > then i try to chmod o-x chpass
> >
> > IT WORK !!!
> > others cannot exploit on my machines again
> >
> > but i never find local exploit for FreeBSD-4.1 version
> >
> > are there big different that 4.1 more secure for exploit ??
> > thank's
> >
> > riki@unila.ac.id
> > visit my homepage and sign my guestbook
> > http://unilanet.unila.ac.id/~qq

From owner-freebsd-security Mon Apr 9 9:37:52 2001
From: "Jeremiah Gowdy"
Date: Mon, 9 Apr 2001 09:37:40 -0700
To: "David" ,
Subject: Re: local exploit
Message-ID: <001d01c0c113$654a2030$035778d8@sherline.net>
References: <01040908025501.11342@descrypt.com>

----- Original Message -----
From: "David"
To:
Sent: Monday, April 09, 2001 6:02 AM
Subject: Re: local exploit

> Please learn to speak english better, or have someone help you write emails.
> Your hacked up english barely makes sense, and one can only guess what you
> mean.

No need to be a dick.
> Also 3.4 is not supported anymore (unless I missed something), so
> unless you wish to upgrade to a version which is, you're on your own.

Umm, I believe his question was:

> > are there big different that 4.1 more secure for exploit ??
> > thank's

In other words, is there a big difference in the security of 4.1 versus
3.4. That's not a request for 3.4 support. Give people a break. You are
the kind of person that makes the FreeBSD community look like a bunch of
arrogant elitist a-holes. Not to mention how ignorant and arrogant it
makes Americans look when you say "Learn my language !". Although I
support English only laws *in my state* and *in my country*, FreeBSD is
obviously an international/multi-lingual project (/usr/ports/ - german -
hebrew - french - chinese - japanese - korean - vietnamese). If you don't
like reading emails with broken English, don't respond to them, or remove
yourself from the mailing lists.

From owner-freebsd-security Mon Apr 9 10:08:12 2001
From: Matt Dillon
Date: Mon, 9 Apr 2001 10:07:11 -0700 (PDT)
To: Q Yai QQ
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: local exploit
Message-Id: <200104091707.f39H7BM71365@earth.backplane.com>

:hai guys.,.
:
:i wanna ask about Security of FreeBSD 3.4 and 4.x
:
:on FreeBSD-3.4 there are local exploit that hack chpass
:
:i am ever hacked by my user with local-exploit tha can setiud root.,.
:
:then i try to chmod o-x chpass
:
:IT WORK !!!
:others cannot exploit on my machines again
:
:but i never find local exploit for FreeBSD-4.1 version
:
:are there big different that 4.1 more secure for exploit ??
:thank's
:...

    I think the original question got lost here. Was there a security
    hole in chpass? The answer is: Yes, there was! A quick google search
    locates a copy of the advisory on www.google.com. I searched for:
    'chpass advisory freebsd' and came up with:

    http://cert.uni-stuttgart.de/archive/bugtraq/2000/10/msg00448.html

    There was a root exploit found in July 2000 which was fixed in
    FreeBSD-4.0 in July 2000 and fixed in FreeBSD-3.5.1 in October 2000.
    So the answer is that by the time of FreeBSD-4.1, this bug was long
    since fixed.

    My suggestion would be to upgrade the boxes to RELENG_4 (FreeBSD-4.x),
    or if you do not want to make that big a leap at the very least
    upgrade them to the latest RELENG_3 codebase (FreeBSD-3.5.1).

    In general, bug fixes always go into what we call the 'stable'
    release, which at the moment is RELENG_4 (FreeBSD-4.x). FreeBSD-3.x
    is older and does not always get all the bug fixes, but it usually
    still gets all the security fixes. You still have to keep your
    codebase up to date, though. There have been other root exploits
    since 3.4. Root exploits have been found in 'named', 'sshd', 'ntpd'.
    Filesystem read-any-file bugs have been found in crontab, and I'm
    probably forgetting a few.

    To be absolutely safe it is best to always track the latest -stable
    release, which at the moment is FreeBSD-4.x (4.3 is about to come
    out). The easiest way to track -stable is to learn how to use
    'cvsup'.
                                        -Matt

From owner-freebsd-security Mon Apr 9 11:08:39 2001
From: Slawek Zak
Date: 09 Apr 2001 20:08:17 +0200
To: freebsd-security@freebsd.org
Subject: [Luke Mewburn ] LD_CHROOT idea
Message-ID: <867l0uhrou.fsf@office.admaster.pl>

I post it in case you don't follow the NetBSD security list... What do
you think about the following idea? It would greatly simplify building
chrooted environments but are there any negative implications?

--------------------[ Forwarded message ]-----------------------------
Date: Fri, 6 Apr 2001 15:57:07 +1000
From: Luke Mewburn
To: tech-security@netbsd.org
Subject: LD_CHROOT idea

Hi people.

Matt Green told me about a proposal that Julian Assange made a few years
ago, and the more I consider it, the more I think it might be useful.

The idea is to add a few more environment variables to ld.so;

    LD_CHROOT       directory to chdir(2) then chroot(2) to
    LD_CHROOT_UID   uid to run as (optional)
    LD_CHROOT_GID   gid to run as (optional)
    LD_CHROOT_GIDS  comma separated list of secondary gids (optional)

If LD_CHROOT is set and the process isn't setuid or setgid, then before
the actual entry into the process, ld.so chroot(2)s to $LD_CHROOT, sets
up the secondary groups, gid, and uid (if requested). All of the
LD_CHROOT* variables are cleared from the environment, even if they're
not used.
The benefits of this approach are that you:
 * don't need to have the shared libraries inside the chroot jail, which
   improves maintainability of N chroot jails.
 * don't need to have the binary inside the chroot jail, which means it
   can't be modified if the binary is attacked

Of course, this assumes that the VM system protects shared library pages
mapped in read-only. And you still need to put your config files and a
syslog socket in the cage, but that's trivial to maintain.

I've got a sample implementation of this and it seems to work as
expected.

Comments?

PS: I'll add support into the rc.d stuff to take advantage of this if we
go ahead, for run_rc_command to detect whether to use LD_CHROOT or
chroot(8) depending on options passed in and if the program is static or
dynamic.
----------------------------------------------------------------------

From owner-freebsd-security Mon Apr 9 21:57:38 2001
From: Olivier Nicole
Date: Tue, 10 Apr 2001 11:57:24 +0700 (ICT)
To: mikel@ocsinternet.com
Cc: JHowie@msn.com, jwyatt@rwsystems.net, freebsd-security@FreeBSD.ORG
In-reply-to: <3AD1C188.F34164C7@ocsinternet.com> (message from Mikel on Mon, 09 Apr 2001 10:04:56 -0400)
Message-Id: <200104100457.LAA10040@banyan.cs.ait.ac.th>
Subject: Re: Theory
Question
References: <05dd01c0c00d$657a8510$0101a8c0@development.local> <3AD1C188.F34164C7@ocsinternet.com>

>I've heard this as well; and seem to remember hearing it while attending some
>cisco training or something. I fully agree, that they aren't very good for
>security, and truthfully I don't think they're very good for a busy network
>either...

As a Cisco guru once said in a security seminar (must have been Apricot a
few years back), the one and only design purpose of VLANs is contention
of broadcasts. Anything beyond that is pushing security risk.

Olivier

From owner-freebsd-security Mon Apr 9 22:40:37 2001
From: Warner Losh
Date: Mon, 09 Apr 2001 23:39:10 -0600
To: David
Cc: freebsd-security@FreeBSD.ORG, Q Yai QQ
Subject: Re: local exploit
Message-Id: <200104100540.f3A5ePV08611@harmony.village.org>

> Please learn to speak english better, or have someone help you write
> emails. Your hacked up english barely makes sense, and one can only
> guess what you mean.

I suggest that you might want to try posting to a mailing list using a
language that isn't your native one before going off on Q Yai QQ. Done
properly, you will win friends in a foreign land.
On most lists where English isn't the main language, this will gain you
respect for at least trying to write in their native language, and many
helpful mail messages[**]. We should try to give the same courtesy to
foreign posters to our lists.

I suggest putting yourself in this person's shoes before going so
ballistic. It really is hard to do what he's done. I know. It is the
second hardest thing I can think of (the first being public speaking in
a foreign language).

The original post certainly is understandable enough for my native ear.
I knew what he was trying to say, even if it isn't what I'd write.
That's good enough for me. Let us not discourage him by flaming him[*]
needlessly, ok?

Warner

[*] I do not know what gender Q Yai QQ is, so I've made a statistical
assumption. Please excuse me if I'm wrong.

[**] The Japanese have made me feel very welcome on their lists when
I've taken the effort to learn Japanese to post to the lists. I want to
thank them since the chance presents itself.

From owner-freebsd-security Tue Apr 10 2:45:11 2001
From: Philip J. Koenig
Date: Tue, 10 Apr 2001 02:43:30 -0700 (PDT)
To: security@freebsd.org
Subject: Test message

I'm having trouble sending to the list - sorry to bother but I'm doing
this for debugging purposes.. please ignore.
Phil

From owner-freebsd-security Tue Apr 10 3:09:37 2001
From: Lee Smallbone
Date: Tue, 10 Apr 2001 11:12:24 +0100
To: freebsd-security@freebsd.org
Subject: bind hack?
Reply-To: lee@kechara.net
Organization: Kechara Internet
Message-Id: <200104101122.MAA27594@mailgate.kechara.net>

Hi,

This is a little puzzling. I'm running the latest in the 'series 8'
BIND, but every 24-48 hours, it dies, with this on the console:
(latest example)

Apr 10 08:02:11 uk-ns1 /kernel: pid 84 (named), uid 0: exited on signal 10 (core dumped)

A few seconds prior to the above, the IDS logged this:

#20-(1-21575) DNS named iquery attempt 2001-04-10 08:02:09 <source IP> UDP

The odd thing is, according to Whitehats, this attack only works on
pre 8.1.2 / 4.9.8?

Any input would be appreciated.
--
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685

From owner-freebsd-security Tue Apr 10 3:31:45 2001
From: Mark.Andrews@nominum.com
Date: Tue, 10 Apr 2001 20:31:20 +1000
To: lee@kechara.net
Cc: freebsd-security@freebsd.org
Subject: Re: bind hack?
In-reply-to: Your message of "Tue, 10 Apr 2001 11:12:24 +0100." <200104101122.MAA27594@mailgate.kechara.net>
Message-Id: <200104101031.f3AAVKT88479@drugs.dv.isc.org>

> Hi,
>
> This is a little puzzling. I'm running the latest in the 'series 8'
> BIND, but every 24-48 hours, it dies, with this on the console:
> (latest example)

    I always hate people saying they are running "the latest". Quite
    often they aren't. Precise error reports are important. What
    version are you running?

> Apr 10 08:02:11 uk-ns1 /kernel: pid 84 (named), uid 0: exited on signal 10 (core dumped)
>
> A few seconds prior to the above, the IDS logged this:
>
> #20-(1-21575) DNS named iquery attempt 2001-04-10 08:02:09 <source IP> UDP
>
> The odd thing is, according to Whitehats, this attack only works on
> pre 8.1.2 / 4.9.8?

    See infoleak at http://www.isc.org/products/BIND/bind-security.html

> Any input would be appreciated.
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com

From owner-freebsd-security Tue Apr 10 3:37:59 2001
From: Lee Smallbone
Date: Tue, 10 Apr 2001 11:40:43 +0100
To: Mark.Andrews@nominum.com
Cc: freebsd-security@freebsd.org
Subject: Re: bind hack?
Reply-To: lee@kechara.net
Organization: Kechara Internet
Message-Id: <200104101151.MAA27699@mailgate.kechara.net>

On inspection it would appear it has been upgraded since I installed it.
The machine is now running 9.0.0r1, which may in part explain the
problem.

Why oh why do people not fill in maintenance logs..

11/04/2001 07:31:20, Mark.Andrews@nominum.com wrote:

>> Hi,
>>
>> This is a little puzzling. I'm running the latest in the 'series 8'
>> BIND, but every 24-48 hours, it dies, with this on the console:
>> (latest example)
>
> I always hate people saying they are running "the latest". Quite often
> they aren't. Precise error reports are important. What version are
> you running?
>
>> Apr 10 08:02:11 uk-ns1 /kernel: pid 84 (named), uid 0: exited on signal 10 (core dumped)
>>
>> A few seconds prior to the above, the IDS logged this:
>>
>> #20-(1-21575) DNS named iquery attempt 2001-04-10 08:02:09 <source IP> UDP
>>
>> The odd thing is, according to Whitehats, this attack only works on
>> pre 8.1.2 / 4.9.8?
>
> See infoleak at http://www.isc.org/products/BIND/bind-security.html
>
>> Any input would be appreciated.

--
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685

From owner-freebsd-security Tue Apr 10 4:21:40 2001
From: Mark.Andrews@nominum.com
To: lee@kechara.net
Cc: freebsd-security@freebsd.org
Subject: Re: bind hack?
Message-Id: <200104101121.f3ABLPT88536@drugs.dv.isc.org>
In-reply-to: Your message of "Tue, 10 Apr 2001 11:40:43 +0100."
  <200104101151.MAA27699@mailgate.kechara.net>
Date: Tue, 10 Apr 2001 21:21:25 +1000

> On inspection it would appear it has been upgraded since I installed it.
> The machine is now running 9.0.0r1, which may in part explain the
> problem.
>
> Why oh why do people not fill in maintenance logs..

    If it's running 9.0.0rc1 then I suggest that you upgrade to 9.1.1.

    Mark

--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com

From owner-freebsd-security Tue Apr 10 5:37:35 2001
From: Cecep Mahbub
Date: Tue, 10 Apr 2001 19:36:00 +0700 (JAVT)
To: freebsd-security@freebsd.org
Subject: Re: local exploit
In-Reply-To: <01040908025501.11342@descrypt.com>

Come on Rik, just ask on sysop-l instead of embarrassing unila
=)

hehehe

On Mon, 9 Apr 2001, David wrote:
> Please learn to speak english better, or have someone help you write emails.
> Your hacked up english barely makes sense, and one can only guess what you
> mean. Also 3.4 is not supported anymore (unless I missed something), so
> unless you wish to upgrade to a version which is, you're on your own.
>
>
> On Monday 09 April 2001 04:34, you wrote:
> > hai guys.,.
> >
> > i wanna ask about Security of FreeBSD 3.4 and 4.x
> >
> > on FreeBSD-3.4 there are local exploit that hack chpass
> >
> > i am ever hacked by my user with local-exploit tha can setiud root.,.
> >
> > then i try to chmod o-x chpass
> >
> > IT WORK !!!
> > others cannot exploit on my machines again
> >
> > but i never find local exploit for FreeBSD-4.1 version
> >
> > are there big different that 4.1 more secure for exploit ??
> > thank's
> >
> > riki@unila.ac.id
> > visit my homepage and sign my guestbook
> > http://unilanet.unila.ac.id/~qq

_ cecep@tf _

From owner-freebsd-security Tue Apr 10 5:55:41 2001
From: Guy Poizat
Date: Tue, 10 Apr 2001 14:53:39 +0200
To: freebsd-security@FreeBSD.ORG
Subject: Re: local exploit
Message-Id: <5.0.2.1.0.20010410145230.01ae9010@pop.partsonline.fr>
References: <01040908025501.11342@descrypt.com>

I completely agree with you; in fact, I was about to say so :-)

huhuhu

At 14:36 10/04/2001, you wrote:
>Come on Rik, just ask on sysop-l instead of embarrassing unila
>=)
>
>hehehe
>
>
>On Mon, 9 Apr 2001, David wrote:
>
> > Please learn to speak english better, or have someone help you write emails.
> > Your hacked up english barely makes sense, and one can only guess what you
> > mean. Also 3.4 is not supported anymore (unless I missed something), so
> > unless you wish to upgrade to a version which is, you're on your own.

--
Guy Poizat
poizat@partsonline.fr

From owner-freebsd-security Tue Apr 10 7:51:46 2001
From: Rob Simmons
Date: Tue, 10 Apr 2001 10:51:45 -0400 (EDT)
To:
Subject: ftp vulnerability

What was the corrected date for this problem? I checked the freebsd
advisories, and didn't see one about this yet.

-----------
CERT Advisory CA-2001-07
File Globbing Vulnerabilities in Various FTP Servers

Original release date: April 10, 2001
Last revised: --
Source: CERT/CC

FreeBSD, Inc.

FreeBSD is vulnerable to the glob-related bugs. We have corrected these
bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and they will not be
present in FreeBSD 4.3-RELEASE.
-----------

Robert Simmons
Systems Administrator
http://www.wlcg.com/

From owner-freebsd-security Tue Apr 10 8:12:08 2001
From: "Jeremiah Gowdy"
Date: Tue, 10 Apr 2001 08:12:10 -0700
To: , "Guy Poizat"
Subject: Re: local exploit
Message-ID: <003401c0c1d0$9df177e0$035778d8@sherline.net>
References: <01040908025501.11342@descrypt.com> <5.0.2.1.0.20010410145230.01ae9010@pop.partsonline.fr>

Iay ikelay eefray ESDbay

----- Original Message -----
From: "Guy Poizat"
To:
Sent: Tuesday, April 10, 2001 5:53 AM
Subject: Re: local exploit

> I completely agree with you; in fact, I was about to say so :-)
>
> huhuhu
>
> At 14:36 10/04/2001, you wrote:
>
> >Come on Rik, just ask on sysop-l instead of embarrassing unila
> >=)
> >
> >hehehe
> >
> >
> >On Mon, 9 Apr 2001, David wrote:
> >
> > > Please learn to speak english better, or have someone help you write emails.
> > > Your hacked up English barely makes sense, and one can only guess what you
> > > mean. Also 3.4 is not supported anymore (unless I missed something), so
> > > unless you wish to upgrade to a version which is, you're on your own.
> > >
> > --
> Guy Poizat
> poizat@partsonline.fr
>

From owner-freebsd-security Tue Apr 10 8:23:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 7DF5B37B423 for ; Tue, 10 Apr 2001 08:23:37 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (2114 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 10 Apr 2001 10:22:50 -0500 (CDT) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Tue, 10 Apr 2001 10:22:40 -0500 (CDT)
From: James Wyatt
To: Jeremiah Gowdy
Cc: freebsd-security@FreeBSD.ORG, Guy Poizat
Subject: Re: local exploit
In-Reply-To: <003401c0c1d0$9df177e0$035778d8@sherline.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Can we declare this "rock bottom" and end the thread before we dive into hex dumps and encrypted chunklets? (^_^) - Jy@

btw: Iguana Laguna Indigo Kite Ergo Frog Ran Ego Egg Bull Snot Detector...
On Tue, 10 Apr 2001, Jeremiah Gowdy wrote:

> Iay ikelay eefray ESDbay
>
> ----- Original Message -----
> From: "Guy Poizat"
> To:
> Sent: Tuesday, April 10, 2001 5:53 AM
> Subject: Re: local exploit
>
>
> > I completely agree with you; in fact, I was about to say so :-)
> >
> > huhuhu
> >
> > At 14:36 10/04/2001, you wrote:
> >
> > >Come on Rik, just ask on sysop-l instead of embarrassing unila
> > >=)
> > >
> > >hehehe
> > >
> > >
> > >On Mon, 9 Apr 2001, David wrote:
> > >
> > > > Please learn to speak English better, or have someone help you write
> > > > emails.
> > > > Your hacked up English barely makes sense, and one can only guess what you
> > > > mean. Also 3.4 is not supported anymore (unless I missed something), so
> > > > unless you wish to upgrade to a version which is, you're on your own.
> > > >
> > > --
> > Guy Poizat
> > poizat@partsonline.fr
> >
>

From owner-freebsd-security Tue Apr 10 9:17:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.insweb.com (mail2.insweb.com [204.254.158.36]) by hub.freebsd.org (Postfix) with ESMTP id 078EE37B422 for ; Tue, 10 Apr 2001 09:17:39 -0700 (PDT) (envelope-from fbsd-secure@ursine.com)
Received: from ursine.com (dhcp-4-45-203.users.insweb.com [10.4.45.203]) by mail2.insweb.com (8.11.0/8.11.0) with ESMTP id f3AGHST78619 for ; Tue, 10 Apr 2001 09:17:28 -0700 (PDT) (envelope-from fbsd-secure@ursine.com)
Message-ID: <3AD33218.FE8D7ACD@ursine.com>
Date: Tue, 10 Apr 2001 09:17:28 -0700
From: Michael Bryan
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To:
freebsd-security@freebsd.org
Subject: Security Announcements?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What's up (or not up) with security announcements these days? It's been some time since the NTP vulnerability came to light, and many other affected systems/products have made their announcements, but nothing official from FreeBSD yet. Now we have an FTP vulnerability hitting the streets too.

[And the published list of advisories jumps from FreeBSD-SA-01:25 to FreeBSD-SA-01:30, so it looks like 26-29 are in the pipeline?]

I know it's a thankless and time-consuming job, but it seems to me that FreeBSD security announcements are taking longer to come out than perhaps they should.

(Not meant as a slam against anybody, especially since I'm not able to step up to the plate and offer any help, but it is a growing concern I've had lately. If everyone thinks I'm just crazy, I'll go back under the rock I woke up under this morning...)
From owner-freebsd-security Tue Apr 10 9:22: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from MCSMTP.MC.VANDERBILT.EDU (mcsmtp.mc.Vanderbilt.Edu [160.129.93.202]) by hub.freebsd.org (Postfix) with ESMTP id B508937B424 for ; Tue, 10 Apr 2001 09:22:00 -0700 (PDT) (envelope-from George.Giles@mcmail.vanderbilt.edu)
Subject: ftp problem
To: freebsd-security@freebsd.org
X-Mailer: Lotus Notes Release 5.0.3 March 21, 2000
Message-ID:
From: George.Giles@mcmail.vanderbilt.edu
Date: Tue, 10 Apr 2001 11:21:50 -0500
X-MIMETrack: Serialize by Router on MCSMTP/VUMC/Vanderbilt(Release 5.0.3 |March 21, 2000) at 04/10/2001 11:12:41 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

How can I set ftpd to work through the ipfw when I do not know the data connection port?

From owner-freebsd-security Tue Apr 10 9:31:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id A1F1837B422 for ; Tue, 10 Apr 2001 09:31:23 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA10733 for ; Tue, 10 Apr 2001 10:31:20 -0600 (MDT)
Message-Id: <4.3.2.7.2.20010410102556.04595560@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 10 Apr 2001 10:31:15 -0600
To: freebsd-security@freebsd.org
From: Brett Glass
Subject: Will fixes for these FTP holes be MFC'ed in before release?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

http://www.pgp.com/research/covert/advisories/048.asp

From owner-freebsd-security Tue Apr 10 9:46: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id C214837B422 for ; Tue, 10 Apr 2001 09:46:06 -0700 (PDT) (envelope-from brdavis@odin.ac.hmc.edu)
Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f3AGjfW15819; Tue, 10 Apr 2001 09:45:41 -0700
Date: Tue, 10 Apr 2001 09:45:41 -0700
From: Brooks Davis
To: Olivier Nicole
Cc: mikel@ocsinternet.com, JHowie@msn.com, jwyatt@rwsystems.net, freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question
Message-ID: <20010410094541.A13808@Odin.AC.HMC.Edu>
References: <05dd01c0c00d$657a8510$0101a8c0@development.local> <3AD1C188.F34164C7@ocsinternet.com> <200104100457.LAA10040@banyan.cs.ait.ac.th>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="zhXaljGHf11kAtnf"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200104100457.LAA10040@banyan.cs.ait.ac.th>; from on@cs.ait.ac.th on Tue, Apr 10, 2001 at 11:57:24AM +0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Apr 10, 2001 at 11:57:24AM +0700, Olivier Nicole wrote:

> >I've heard this as well; and seem to remember hearing it while attending some
> >cisco training or something. I fully agree, that they aren't very good for
> >security, and truthfully I don't think they're very good for a busy network
> >either...
>
> As a Cisco guru once said in a security seminar (must have been
> apricot few years back), one and only design of Vlan is contention of
> broadcast. Anything beyond that is pushing security risk.

It's true that older Vlan implementations have this problem, but modern ones are implemented in hardware and do not leak packets. Cisco intends its current VLAN implementations to be used for security partitioning.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Tue Apr 10 9:52:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtpe.casema.net (smtpe.casema.net [195.96.96.172]) by hub.freebsd.org (Postfix) with SMTP id E3F0E37B423 for ; Tue, 10 Apr 2001 09:52:22 -0700 (PDT) (envelope-from walter@binity.com)
Received: (qmail 30397 invoked from network); 10 Apr 2001 16:52:21 -0000
Received: from unknown (HELO slash.b118.binity.net) (195.96.105.161) by smtpe.casema.net with SMTP; 10 Apr 2001 16:52:21 -0000
Received: from 172.18.3.10 (tsunami.b118.binity.net [172.18.3.10]) by slash.b118.binity.net (Postfix) with ESMTP id BD212129; Tue, 10 Apr 2001 18:51:22 +0200 (CEST)
Date: Tue, 10 Apr 2001 18:54:28 +0200
From: Walter Hop
X-Mailer: The Bat! (v1.51) Educational
X-Priority: 3 (Normal)
Message-ID: <15983947780.20010410185428@binity.com>
To: Brett Glass
Cc: freebsd-security@freebsd.org
Subject: Re: Will fixes for these FTP holes be MFC'ed in before release?
In-Reply-To: <4.3.2.7.2.20010410102556.04595560@localhost>
References: <4.3.2.7.2.20010410102556.04595560@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[in reply to brett@lariat.org, 10-04-2001]

> http://www.pgp.com/research/covert/advisories/048.asp

Yes. http://www.cert.org/advisories/CA-2001-07.html says,

"FreeBSD, Inc.

FreeBSD is vulnerable to the glob-related bugs. We have corrected these bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and they will not be present in FreeBSD 4.3-RELEASE."

--
Walter Hop | +31 6 24290808 | PGP key ID: 0x84813998

From owner-freebsd-security Tue Apr 10 9:53: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24]) by hub.freebsd.org (Postfix) with ESMTP id 36FF537B42C for ; Tue, 10 Apr 2001 09:52:58 -0700 (PDT) (envelope-from sziszi@petra.hos.u-szeged.hu)
Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id SAA11286; Tue, 10 Apr 2001 18:52:56 +0200 (MEST)
Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian)) id 14n1Nw-00014O-00 for ; Tue, 10 Apr 2001 18:52:56 +0200
Date: Tue, 10 Apr 2001 18:52:56 +0200
From: Szilveszter Adam
To: freebsd-security@freebsd.org
Subject: Re: Security Announcements?
Message-ID: <20010410185256.A20479@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam , freebsd-security@freebsd.org
References: <3AD33218.FE8D7ACD@ursine.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AD33218.FE8D7ACD@ursine.com>; from fbsd-secure@ursine.com on Tue, Apr 10, 2001 at 09:17:28AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Apr 10, 2001 at 09:17:28AM -0700, Michael Bryan wrote:
>
> What's up (or not up) with security announcements these days?

<...>

Many advisories are delayed even after appropriate fixes have made it to -CURRENT and 4.x because 3.x still needs to be fixed and that one takes more time these days (and this will not improve I guess.) This is so that even those running older versions still receive the security fixes. If you follow -STABLE, you are fine long before the advisory comes out... you can always find out from the mails on cvs-all.
--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Tue Apr 10 10:14:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from internal.mail.telinco.net (internal.mail.telinco.net [212.1.128.4]) by hub.freebsd.org (Postfix) with ESMTP id 3F03D37B422; Tue, 10 Apr 2001 10:14:09 -0700 (PDT) (envelope-from b.candler@pobox.com)
Received: from gate.lon.uk.worldonline.com ([212.74.96.2] helo=bloodhound.uk.worldonline.com) by internal.mail.telinco.net with esmtp (Exim 3.02 #1) id 14n1iS-0005fL-00; Tue, 10 Apr 2001 18:14:08 +0100
Received: from brian by bloodhound.uk.worldonline.com with local (Exim 3.22 #1) id 14n1iR-0000Gq-00; Tue, 10 Apr 2001 18:14:07 +0100
Date: Tue, 10 Apr 2001 18:14:07 +0100
From: Brian Candler
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: Interaction between ipfw, IPSEC and natd
Message-ID: <20010410181407.A1011@linnet.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is there any documentation on how ipfw, natd and IPSEC interact with each other? In particular,

- what is the order of processing of inbound and outbound packets?
- when packets are re-injected by natd, where in the whole system are they re-injected?
- do packets reinjected by natd still match 'in via ' or 'out via '? (OK, I could determine this one experimentally, but I'd still like to see it documented :-)

I see that by default FreeBSD puts its natd divert rule right at the very top of the ruleset, but I have found that this stops IPSEC processing working. I can make it work by putting natd lower down: e.g.
    add 01000 permit ip from 10.0.0.0/8 to 10.0.0.0/8    # private addrs
    add 02000 divert 8668 ip from any to any via xl0     # external i/face

Here, subnets of 10.0.0.0/8 are behind the 'private' interface and also the remote endpoints of IPSEC tunnels; there are IPSEC SAs which define them exactly. However in this case I find it difficult to add anti-spoofing rules on external interfaces without breaking either IPSEC or NAT.

Note that even in the presence of IPSEC, anti-spoofing rules _are_ still required. For example, I have an SA which says

    spdadd 10.0.0.0/20[any] 10.0.0.0/20[any] any -P out none;
    spdadd 10.0.0.0/20[any] 10.0.0.0/20[any] any -P in none;

(where 10.0.1.0/24 is the locally-attached subnet and other downstream subnets are within the /20). This is in order to allow local, non-encrypted traffic to be routed via this box. However the presence of this SA means that I really need an anti-spoofing filter on the public interface to prevent packets matching this null SA being injected from outside.

In the end, I want to build a firewall with:

- antispoofing on all interfaces
- various IPSEC tunnels to distant subnets of private network
- natd for sessions going out of "public" interface
- the ability to add other ipfw policy controls

and not only should it work, but I should also have some confidence that it is actually secure and doing what I intend - which means I really need to understand how all these bits fit together :-)

Thanks,

Brian.
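An added example, not part of Brian's post: a small Python first-match evaluator for the subset of ipfw syntax used in the rules above. It shows that with the posted ordering a packet carrying a 10/8 source address that arrives on xl0 is permitted by rule 01000 before anything looks at its interface, and what an anti-spoofing deny numbered ahead of it changes; the private interface name fxp0 and the packets are constructed, and IPSEC decapsulation is deliberately not modelled.

```python
# Toy first-match evaluator for a subset of ipfw(8) rule syntax.
# Added for illustration; not code from the original post.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str        # interface the packet is seen on
    direction: str    # "in" or "out"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "permit", "deny" or "divert"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: Optional[str] = None  # "in", "out" or None for either
    via: Optional[str] = None        # interface name or None for any

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.direction in (None, pkt.direction)
                and self.via in (None, pkt.iface))


def _net(tok: str) -> ipaddress.IPv4Network:
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse 'add NNN ACTION [PORT] ip from SRC to DST [in|out] [via IFACE]'.
    A trailing '# comment' is ignored; anything else raises ValueError."""
    toks = text.split("#", 1)[0].split()
    if len(toks) < 7 or toks[0] != "add":
        raise ValueError(text)
    number, action = int(toks[1]), toks[2]
    i = 4 if action == "divert" else 3      # divert carries its port first
    if toks[i:i + 2] != ["ip", "from"] or toks[i + 3] != "to":
        raise ValueError(text)
    src, dst = _net(toks[i + 2]), _net(toks[i + 4])
    direction = via = None
    rest = toks[i + 5:]
    while rest:
        if rest[0] in ("in", "out"):
            direction, rest = rest[0], rest[1:]
        elif rest[0] == "via" and len(rest) > 1:
            via, rest = rest[1], rest[2:]
        else:
            raise ValueError(text)
    return Rule(number, action, src, dst, direction, via)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First matching rule wins, as in ipfw. Rule 65535 is the default
    deny of a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    return 65535, "deny"


# The ordering from the post: private-to-private first, natd divert second.
POSTED_RULES = [
    "add 01000 permit ip from 10.0.0.0/8 to 10.0.0.0/8 # private addrs",
    "add 02000 divert 8668 ip from any to any via xl0 # external i/face",
]
# Same rules with a constructed anti-spoofing deny numbered ahead of them.
ANTISPOOF_RULES = [
    "add 00500 deny ip from 10.0.0.0/8 to any in via xl0 # no private src from outside",
] + POSTED_RULES

# Constructed packets; "fxp0" is an assumed name for the private interface.
SPOOFED = Packet("10.0.1.9", "10.0.1.20", "xl0", "in")      # private src on the public side
INTERNAL = Packet("10.0.1.5", "10.0.2.5", "fxp0", "in")      # ordinary private traffic
OUTBOUND = Packet("10.0.1.5", "198.51.100.7", "xl0", "out")  # needs NAT via natd
# Not modelled: a packet that arrives inside an IPSEC tunnel on xl0 and is
# decapsulated. Whether it then hits rule 00500 as "in via xl0" is exactly
# the processing-order question the post raises; check it on the real stack.


def decide(ruleset: List[str], pkt: Packet) -> Tuple[int, str]:
    return evaluate([parse_rule(r) for r in ruleset], pkt)


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("antispoof", ANTISPOOF_RULES)):
        for label, pkt in (("spoofed", SPOOFED), ("internal", INTERNAL), ("outbound", OUTBOUND)):
            print(f"{name:9} {label:8} -> {decide(rules, pkt)}")
```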
From owner-freebsd-security Tue Apr 10 10:19:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id B033B37B424 for ; Tue, 10 Apr 2001 10:19:47 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id LAA11294; Tue, 10 Apr 2001 11:19:37 -0600 (MDT)
Message-Id: <4.3.2.7.2.20010410111026.045afcc0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 10 Apr 2001 11:19:33 -0600
To: Walter Hop
From: Brett Glass
Subject: Re: Will fixes for these FTP holes be MFC'ed in before release?
Cc: freebsd-security@freebsd.org
In-Reply-To: <15983947780.20010410185428@binity.com>
References: <4.3.2.7.2.20010410102556.04595560@localhost> <4.3.2.7.2.20010410102556.04595560@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:54 AM 4/10/2001, Walter Hop wrote:

>Yes. http://www.cert.org/advisories/CA-2001-07.html says,
>
>"FreeBSD, Inc.
>
> FreeBSD is vulnerable to the glob-related bugs. We have corrected
> these bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and they
> will not be present in FreeBSD 4.3-RELEASE."

I did notice this. However, when I look back at the CVS repository, I see that the most recently changed file is popen.c, which was changed 3 weeks ago. The change was related to globbing, but doesn't seem to cover all of the routines mentioned in http://www.pgp.com/research/covert/advisories/048.asp All of the other mods are significantly older. So it probably pays to double-check and make sure that there are not still holes.
--Brett

From owner-freebsd-security Tue Apr 10 10:21:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 3A85137B424 for ; Tue, 10 Apr 2001 10:21:40 -0700 (PDT) (envelope-from christopher@schulte.org)
Received: from schulte-laptop.schulte.org ([64.183.199.40]) by poontang.schulte.org (8.12.0.Beta5/8.12.0.Beta5) with ESMTP id f3AHLbIr075804; Tue, 10 Apr 2001 12:21:38 -0500 (CDT)
Message-Id: <5.0.2.1.0.20010410121258.031bce10@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Tue, 10 Apr 2001 12:21:10 -0500
To: Szilveszter Adam , freebsd-security@FreeBSD.ORG
From: Christopher Schulte
Subject: Re: Security Announcements?
In-Reply-To: <20010410185256.A20479@petra.hos.u-szeged.hu>
References: <3AD33218.FE8D7ACD@ursine.com> <3AD33218.FE8D7ACD@ursine.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:52 PM 4/10/2001 +0200, Szilveszter Adam wrote:
>If you follow -STABLE, you are fine long before the advisory comes out...
>you can
>always find out from the mails on cvs-all.

I imagine many production servers do not follow -STABLE religiously, but will upgrade as needed when heads-up of specific issues are unearthed.

It's that unearthing process that needs work; one can track list after list after list, or look to their vendor. I'd prefer to see 'hey here's a new issue... we don't have it fixed yet, but workarounds may include...' rather than silence from the security officer.

Perhaps a security-heads-up list of sorts. It'd be the crossroad between security and security-advisories. Moderated, but with a less formal feel than advisories.
>--
>Regards:
>
>Szilveszter ADAM
>Szeged University
>Szeged Hungary

--chris

From owner-freebsd-security Tue Apr 10 10:48: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.insweb.com (mail2.insweb.com [204.254.158.36]) by hub.freebsd.org (Postfix) with ESMTP id A642337B422 for ; Tue, 10 Apr 2001 10:48:04 -0700 (PDT) (envelope-from fbsd-secure@ursine.com)
Received: from ursine.com (dhcp-4-45-203.users.insweb.com [10.4.45.203]) by mail2.insweb.com (8.11.0/8.11.0) with ESMTP id f3AHm3T79342 for ; Tue, 10 Apr 2001 10:48:04 -0700 (PDT) (envelope-from fbsd-secure@ursine.com)
Message-ID: <3AD34753.E405CD6F@ursine.com>
Date: Tue, 10 Apr 2001 10:48:03 -0700
From: Michael Bryan
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
References: <3AD33218.FE8D7ACD@ursine.com> <3AD33218.FE8D7ACD@ursine.com> <5.0.2.1.0.20010410121258.031bce10@pop.schulte.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Christopher Schulte wrote:
>
> I imagine many production servers do not follow -STABLE religiously, but
> will upgrade as needed when heads-up of specific issues are unearthed.

Previous discussions on the list have made it clear that this is true for quite a few sites. It's certainly true for the one I manage.

> It's that unearthing process that needs work; one can track list after list
> after list, or look to their vendor. I'd prefer to see 'hey here's a new
> issue... we don't have it fixed yet, but workarounds may include...' rather
> than silence from the security officer.

Exactly.

> Perhaps a security-heads-up list of sorts. It'd be the crossroad between
> security and security-advisories.
> Moderated, but with a less formal feel
> than advisories.

Actually, I think the existing security advisory format and mailing list works fine. I personally see nothing wrong with releasing an early version of an advisory that just says "Here's the issue and some potential workarounds, a fix will be forthcoming," and then release an updated version of the advisory when the fix is available. FreeBSD has done updated advisories in the past, I believe, and certainly other vendors have as well. IIRC, the procedure for advisories and older versions of FreeBSD follows that pattern as well, with updated advisories coming out when older versions get the fix some time after the current releases.

It's a common enough procedure that's fairly easy to understand (as long as the updates make it clear what's different from the first advisory), and it avoids having to subscribe to yet another list.

From owner-freebsd-security Tue Apr 10 11: 7:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24]) by hub.freebsd.org (Postfix) with ESMTP id 44E5F37B422 for ; Tue, 10 Apr 2001 11:07:45 -0700 (PDT) (envelope-from sziszi@petra.hos.u-szeged.hu)
Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id UAA14958; Tue, 10 Apr 2001 20:07:35 +0200 (MEST)
Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian)) id 14n2YB-00035P-00; Tue, 10 Apr 2001 20:07:35 +0200
Date: Tue, 10 Apr 2001 20:07:35 +0200
From: Szilveszter Adam
To: Christopher Schulte
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
Message-ID: <20010410200735.A11098@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam , Christopher Schulte , freebsd-security@FreeBSD.ORG
References: <3AD33218.FE8D7ACD@ursine.com> <3AD33218.FE8D7ACD@ursine.com> <20010410185256.A20479@petra.hos.u-szeged.hu> <5.0.2.1.0.20010410121258.031bce10@pop.schulte.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.0.2.1.0.20010410121258.031bce10@pop.schulte.org>; from christopher@schulte.org on Tue, Apr 10, 2001 at 12:21:10PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Apr 10, 2001 at 12:21:10PM -0500, Christopher Schulte wrote:
>
> I imagine many production servers do not follow -STABLE religiously, but
> will upgrade as needed when heads-up of specific issues are unearthed.

Certainly. It was just that this is the only way to find out as of now.

> It's that unearthing process that needs work; one can track list after list
> after list, or look to their vendor. I'd prefer to see 'hey here's a new
> issue... we don't have it fixed yet, but workarounds may include...' rather
> than silence from the security officer.
>
> Perhaps a security-heads-up list of sorts. It'd be the crossroad between
> security and security-advisories. Moderated, but with a less formal feel
> than advisories.

I agree with you and did not say what I said as some sort of critique on you or anything. This is the role the -security list was supposed to serve, but as we all know, it fails in this role lately rather spectacularly. Which is a pity. I am not sure moderation would help a lot, because when discussion of upcoming problems is what you want, even the time it takes to do the moderation may be too much sometimes. Of course, it serves well to exclude the off-topic chatter that seems to be so prevalent on -security today... I don't know a good solution.
Also, at certain times it is coordination with other vendors who have the same problem that might hold off an SA and in this case it would not be possible to jump the gun on a heads-up list either by announcing the thing earlier, even if only informally.

Also, there is the problem that the same systems that cannot afford to follow -STABLE regularly won't want to do this for SAs either but choose to apply a patch instead, which on the other hand needs more careful testing than just saying: "Upgrade to the latest and greatest".

Maybe the best idea would be to make the -security list on-topic again... yeah, I am dreaming:-)

Just my HUF 0.02 (which won't buy you anything here, BTW:-)

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Tue Apr 10 11:49:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sgi04-e.std.COM (sgi04-e.std.com [199.172.62.134]) by hub.freebsd.org (Postfix) with ESMTP id DFA1F37B422 for ; Tue, 10 Apr 2001 11:49:19 -0700 (PDT) (envelope-from lowell@world.std.com)
Received: from world.std.com (world-f.std.com [199.172.62.5]) by sgi04-e.std.COM (8.9.3/8.9.3) with ESMTP id OAA4509183 for ; Tue, 10 Apr 2001 14:49:17 -0400 (EDT)
Received: (from lowell@localhost) by world.std.com (8.9.3/8.9.3) id OAA18045; Tue, 10 Apr 2001 14:49:16 -0400 (EDT)
To: freebsd-security@freebsd.org
Subject: Re: Theory Question
References: <20010410094541.A13808@Odin.AC.HMC.Edu>
From: Lowell Gilbert
Date: 10 Apr 2001 14:49:16 -0400
In-Reply-To: brooks@one-eyed-alien.net's message of "10 Apr 2001 18:46:25 +0200"
Message-ID:
Lines: 70
X-Mailer: Gnus v5.7/Emacs 20.5
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I apologize for the length this message has reached...
brooks@one-eyed-alien.net (Brooks Davis) writes:

> It's true that older Vlan implementations have this problem, but modern
> ones are implemented in hardware and do not leak packets. Cisco intends
> its current VLAN implementations to be used for security partitioning.

The term "VLAN" means different things to different people, and I don't think there's any way around the semantic confusion. There are a number of essentially unrelated concepts for which no better term exists than "virtual LAN". Some of these concepts are incompatible with security partitioning. Thus, in this sort of discussion, you always have to be careful that everybody is using the same definition of the term, or else the discussion is useless. [I don't think this discussion is having this problem, but I'm not sure. Which serves, in its own way, to demonstrate the problem.]

A short and non-exhaustive list of things that can reasonably be called VLANs (some of these are arguable, but I think at least a reasonable case can be made for each):

- IPSEC tunnels
- IP-over-(some other kind of encrypted tunnel)
- nested MPLS paths
- Ethernet VLAN tags
- Ethernet switches with port-based broadcast (and, optionally, forwarding) domains
- Ethernet switches with dynamically learned port- or MAC address- based broadcast (and, optionally, forwarding) domains

I believe the discussion is centering on the last two. Even within those, there are reasons you'd want to use dynamic learning to reduce the load on the end stations, but you wouldn't necessarily want to do it in a way that enables security partitioning. The usual example is that setting up the broadcast domains completely dynamically requires less configuration than secure ways of containing broadcasts. Obviously, you can't use those easier approaches if you *need* the security, but in *many* environments, you don't.

There are, to get back to Brooks Davis' point, implementations of VLANs on some Ethernet switches that can be used securely.
There are even some which can let you run your "secure" VLAN on some ports, and do insecure dynamic address-based VLANs on other ports. [Well, actually, I'm not sure that such things exist today. I did one a few years ago, but that company bit the dust, and I don't know for a fact that anyone is shipping a similar switch today. However, I'd be surprised if there weren't a handful of such models.]

That gives you a theoretically secure back-channel for network management, using your existing infrastructure (a truly separate back-channel would be even more secure from network-based attack, but might be less dependable in other ways). You still have to worry a bit about attacks on the switches themselves, and (as several other messages have discussed), the exposure of the "public-facing" interfaces of machines that also have interfaces onto your back-channel. However, your exposure is fairly limited at this point in that (to the best of your knowledge) any attacks on your monitoring capability have to be more sophisticated than they would be if the management traffic mingled with other traffic. This dovetails well with Crist Clark's point about security being something you improve through tradeoffs rather than absolutes.

The place where FreeBSD can help you is in setting up your public-facing side of the devices that see both networks. That's a whole other topic, though, because there is a *huge* variety of things you might actually want to monitor or protect that way...

Be well.
From owner-freebsd-security Tue Apr 10 13:23:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 536E237B422 for ; Tue, 10 Apr 2001 13:23:45 -0700 (PDT) (envelope-from michaelnottebrock@gmx.net)
Received: (qmail 14558 invoked by uid 0); 10 Apr 2001 20:23:43 -0000
Received: from pd950a1c0.dip.t-dialin.net (HELO lofizwei) (217.80.161.192) by mail.gmx.net (mp008-rz3) with SMTP; 10 Apr 2001 20:23:43 -0000
Message-ID: <001d01c0c1fc$23d73680$0508a8c0@lofi.dyndns.org>
From: "Michael Nottebrock"
To: "Michael Bryan" ,
References: <3AD33218.FE8D7ACD@ursine.com>
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 22:23:43 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

----- Original Message -----
From: "Michael Bryan"
To:
Sent: Tuesday, April 10, 2001 6:17 PM
Subject: Security Announcements?

>
> What's up (or not up) with security announcements these days?
> It's been some time since the NTP vulnerability came to light,
> and many other affected systems/products have made their
> announcements, but nothing official from FreeBSD yet. Now we
> have an FTP vulnerability hitting the streets too.
>
> [And the published list of advisories jumps from FreeBSD-SA-01:25
> to FreeBSD-SA-01:30, so it looks like 26-29 are in the pipeline?]
> [...]

I agree that there is need for improvement.
Let's just see what the other OS's security people are doing about the recent ftpd-issue:

NetBSD:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-018.txt.asc
OpenBSD:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/025_glob.patch
FreeBSD: Absolutely nothing, not even an official statement or some kind of notification anywhere on the website.

The fix is apparently done, but nobody (well, okay, at least my very dumb own self) seems to know where to get it or how to apply it. Is this due to 4.3-Release stress? It certainly is starting to irritate people running 4.2-Release. I really do not want to piss on anybody's legs here, but there _are_ quite a few sites running FreeBSD ftp-servers, aren't there?

Greetings,
Michael Nottebrock

From owner-freebsd-security Tue Apr 10 13:50:29 2001
From: Ben Smithurst
To: Michael Nottebrock
Cc: Michael Bryan , freebsd-security@freebsd.org
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 21:50:14 +0100
Message-ID: <20010410215014.A8173@scientia.demon.co.uk>
In-Reply-To: <001d01c0c1fc$23d73680$0508a8c0@lofi.dyndns.org>

Michael Nottebrock wrote:

> I agree that there is need for improvement. Let's just see what the
> other OS's security people are doing about the recent ftpd-issue:
>
> NetBSD:
> ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000
> -018.txt.asc
> OpenBSD:
> ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/025_glob.patch
> FreeBSD: Absolutely nothing

I'm pretty sure that's complete and utter bollocks, unless I'm misunderstanding the issue, or thinking of another ftpd-issue. Go visit and see for yourself. As far as I can see this issue has been fixed in -current, 4-stable, *AND* 3-stable.

> It certainly is starting to irritate people running
> 4.2-Release.

Well if you want the latest security fixes you shouldn't be running a -release anyway, that's what the -stable branch is for.

-- 
Ben Smithurst / ben@FreeBSD.org

From owner-freebsd-security Tue Apr 10 13:58:33 2001
From: Will Andrews
To: Ben Smithurst
Cc: Michael Nottebrock , Michael Bryan , freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 15:57:14 -0500
Message-ID: <20010410155714.V1396@casimir.physics.purdue.edu>
In-Reply-To: <20010410215014.A8173@scientia.demon.co.uk>

On Tue, Apr 10, 2001 at 09:50:14PM +0100, Ben Smithurst wrote:

> Well if you want the latest security fixes you shouldn't be running a
> -release anyway, that's what the -stable branch is for.

Err, actually, that policy is scheduled to change for 4.3R, at least to my knowledge.
-- 
wca

From owner-freebsd-security Tue Apr 10 14: 9:49 2001
From: Mikhail Kruk
To: Will Andrews
Cc:
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 17:09:40 -0400 (EDT)
In-Reply-To: <20010410155714.V1396@casimir.physics.purdue.edu>
Message-ID:

> On Tue, Apr 10, 2001 at 09:50:14PM +0100, Ben Smithurst wrote:
> > Well if you want the latest security fixes you shouldn't be running a
> > -release anyway, that's what the -stable branch is for.
>
> Err, actually, that policy is scheduled to change for 4.3R, at least to
> my knowledge.

How is it going to change?? There will be no bugs in 4.3R? Cool!
From owner-freebsd-security Tue Apr 10 14:12:55 2001
From: Will Andrews
To: Mikhail Kruk
Cc: Will Andrews , freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 16:11:37 -0500
Message-ID: <20010410161137.W1396@casimir.physics.purdue.edu>
References: <20010410155714.V1396@casimir.physics.purdue.edu>

On Tue, Apr 10, 2001 at 05:09:40PM -0400, Mikhail Kruk wrote:

> how is it going to change?? There will be no bugs in 4.3R? Cool!

No. From what I understand, 4.3R will have this:

1) RELENG_4_3_0_RELEASE symbolic tag to mark date as usual.
2) RELENG_4_3_0_BP branch point tag created.
3) RELENG_4_3_0 branch, to be maintained only for security fixes.

Future releases will probably be done in this way, to allow easy updating of releases on production servers for security fixes.
-- 
wca

From owner-freebsd-security Tue Apr 10 14:25:20 2001
From: "Michael Nottebrock"
To: "Ben Smithurst"
Cc: "Michael Bryan" ,
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 23:25:10 +0200
Message-ID: <00fb01c0c204$b97cde80$0508a8c0@lofi.dyndns.org>
References: <3AD33218.FE8D7ACD@ursine.com> <001d01c0c1fc$23d73680$0508a8c0@lofi.dyndns.org> <20010410215014.A8173@scientia.demon.co.uk>

----- Original Message -----
From: "Ben Smithurst"
To: "Michael Nottebrock"
Cc: "Michael Bryan" ;
Sent: Tuesday, April 10, 2001 10:50 PM
Subject: Re: Security Announcements?

> Michael Nottebrock wrote:
>
> > I agree that there is need for improvement.
> > Let's just see what the
> > other OS's security people are doing about the recent ftpd-issue:
> >
> > NetBSD:
> > ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000
> > -018.txt.asc
> > OpenBSD:
> > ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/025_glob.patch
> > FreeBSD: Absolutely nothing
>
> I'm pretty sure that's complete and utter bollocks, unless I'm
> misunderstanding the issue, or thinking of another ftpd-issue.

The way you are quoting me, indeed it would be. But, as can be clearly seen by looking at the topic of this thread, I was talking about the missing _announcements_, not about the fixes themselves. And before you tell me to, yes, I did read the actual CERT advisory, which also contained the 'official' statement from FreeBSD, which does not mention ANY correction dates.

> > It certainly is starting to irritate people running
> > 4.2-Release.
>
> Well if you want the latest security fixes you shouldn't be running a
> -release anyway, that's what the -stable branch is for.

To quote http://www.freebsd.org/security/#adv:

"The FreeBSD Security Officers provide security advisories for the following releases of FreeBSD:
- The most recent official release of FreeBSD."

and:

"At this time, security advisories are being released for:
- FreeBSD 3.5.1-STABLE
- FreeBSD 4.2-RELEASE
- FreeBSD 4.2-STABLE"

Again, I am not saying that nothing is done, just that the others are obviously doing it (a lot) quicker.
Greetings,
Michael Nottebrock

From owner-freebsd-security Tue Apr 10 14:27:18 2001
From: "Bruce A. Mah"
Reply-To: bmah@FreeBSD.ORG
To: Michael Bryan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 14:27:11 -0700
Message-Id: <200104102127.f3ALRBa22337@bmah-freebsd-0.cisco.com>
In-Reply-To: <3AD33218.FE8D7ACD@ursine.com>

If memory serves me right, Michael Bryan wrote:

> [And the published list of advisories jumps from FreeBSD-SA-01:25
> to FreeBSD-SA-01:30, so it looks like 26-29 are in the pipeline?]
Unless I'm truly hallucinating, 01:28 deals with timed(8) and 01:29 deals with rwhod(8). These advisories were published in mid-March. Not sure about the others.

Bruce.

From owner-freebsd-security Tue Apr 10 14:40:44 2001
From: "Michael Nottebrock"
To: , "Michael Bryan"
Cc:
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 23:40:39 +0200
Message-ID: <013301c0c206$e327c2c0$0508a8c0@lofi.dyndns.org>
References: <3AD33218.FE8D7ACD@ursine.com> <200104102127.f3ALRBa22337@bmah-freebsd-0.cisco.com>

----- Original Message -----
From: "Bruce A. Mah"
To: "Michael Bryan"
Cc:
Sent: Tuesday, April 10, 2001 11:27 PM
Subject: Re: Security Announcements?

> Unless I'm truly hallucinating, 01:28 deals with timed(8) and 01:29
> deals with rwhod(8). These advisories were published in mid-March.
> Not sure about the others.

Yikes, right. There are patches available in ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/ but no corresponding advisories in ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/ .

Greetings,
Michael Nottebrock

From owner-freebsd-security Tue Apr 10 15: 0:52 2001
From: bmah@FreeBSD.ORG (Bruce A. Mah)
Reply-To: bmah@FreeBSD.ORG
To: "Michael Nottebrock"
Cc: bmah@FreeBSD.ORG, "Michael Bryan" , freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 15:00:49 -0700
Message-Id: <200104102200.f3AM0nZ22921@bmah-freebsd-0.cisco.com>
In-Reply-To: <013301c0c206$e327c2c0$0508a8c0@lofi.dyndns.org>
References: <3AD33218.FE8D7ACD@ursine.com> <200104102127.f3ALRBa22337@bmah-freebsd-0.cisco.com> <013301c0c206$e327c2c0$0508a8c0@lofi.dyndns.org>

If memory serves me right, "Michael Nottebrock" wrote:

> > Unless I'm truly hallucinating, 01:28 deals with timed(8) and 01:29
> > deals with rwhod(8). These advisories were published in mid-March.
> > Not sure about the others.
>
> Yikes, right. There are patches available in
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/ but no corresponding
> advisories in ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/ .

You can probably find these in the mailing list archives for -announce or -security. Yes, I know they should be on the FTP site too; hopefully things will be more caught up once the head security-officer-type person gets back from his travels. I try to make the release notes list the applicable issues and advisories, but I read the advisories at the same time everyone else does.

Bruce.
From owner-freebsd-security Tue Apr 10 15:28:38 2001
From: mudman
To: Ben Smithurst
Cc:
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 15:34:26 -0700 (PDT)
In-Reply-To: <20010410215014.A8173@scientia.demon.co.uk>
Message-ID:

> Well if you want the latest security fixes you shouldn't be running a
> -release anyway, that's what the -stable branch is for.

This may be a new attitude in security. I should think *any* system released for common use should have the greatest amount of security possible. If one system is (in terms of security) inferior to another, the inferior one should be dropped altogether.

I guess I'm being naive here, but not intentionally. I really don't know. What would be the fundamental difference between the release and stable branches? Why would one branch run less secure than another, especially if both are used in server systems world wide?
From owner-freebsd-security Tue Apr 10 15:41:59 2001
From: Brian Tiemann
Organization: Packeteer, Inc.
To: freebsd-security@freebsd.org
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 15:42:20 -0700
Message-ID: <3AD38C4C.FA07640C@packeteer.com>

On Tue, 10 Apr 2001, mudman wrote:

> > Well if you want the latest security fixes you shouldn't be running a
> > -release anyway, that's what the -stable branch is for.
>
> This may be a new attitude in security. I should think *any* system
> released for common use should have the greatest amount of security
> possible.

I use 4.2-RELEASE on a production server. I also track 4-STABLE. I don't track it because I intend to do biweekly make worlds.
I track it because I expect to see security bulletins posted here in a timely manner, along with the necessary patch instructions, which generally involve nothing more than going to the appropriate point in /usr/src and doing a make all install. I shouldn't have to be subscribed to the freebsd-stable mailing list (which I've been on before, and its traffic seems useful primarily for those who do regular make worlds) in order to be able to keep my 4.2-RELEASE system patched, which I believe is the safest, stablest, and most secure approach for a production server, whatever the OS.

Brian

From owner-freebsd-security Tue Apr 10 15:43:51 2001
From: Nicole Harrington
To: Ben Smithurst
Cc: freebsd-security@freebsd.org, Michael Bryan , Michael Nottebrock
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 15:43:47 -0700 (PDT)
In-Reply-To: <20010410215014.A8173@scientia.demon.co.uk>
Message-ID:

On 10-Apr-01 Ben Smithurst wrote:

> Michael Nottebrock wrote:
>
> > It certainly is starting to irritate people running
> > 4.2-Release.
>
> Well if you want the latest security fixes you shouldn't be running a
> -release anyway, that's what the -stable branch is for.
>

That's the most stupid thing I have ever heard. I never knew that simply by running -STABLE I would not have any security problems and would not need patches or updates.

As someone who runs many production level servers, here is what I would want, in order:

1) A notice that there is a problem, so I can tcpwrap or shut down said service until a patch is available.

2) A binary patch, similar to the Linux RPMs and the BSDi patches. Just download and run. No compiles, no installs.

3) A patch that everyone agrees works, in an email or other notification that says: here's where you can get the patch, this works, here's what to do with it.

From my perspective it took days for people to stop discussing what patch was best for ntpd and I still never heard a full resolution on the mailing list. No official blessing of a patch other than what I would get via CVSUP. I have production servers; I can't run a CVSup every day, let alone a make world.

Yes I may have missed a few mails or something. But expecting people to spend their days tracking down patches and notices about problems kinda negates the whole idea of a security mailing and notification.

The process seemed much better in the past, but lately, it has been much less than optimal.
Just my 2C

Nicole

> --
> Ben Smithurst / ben@FreeBSD.org

----------------------------------
E-Mail: Nicole
Date: 10-Apr-01
Time: 15:26:44

From owner-freebsd-security Tue Apr 10 16: 2:45 2001
From: David
Organization: Serpant Technologies
To: freebsd-security@freebsd.org
Subject: FTPD vulnerability question
Date: Tue, 10 Apr 2001 17:53:05 -0500
Message-Id: <01041017530502.11342@descrypt.com>

I just read the CERT advisory, and noticed it mentioned FreeBSD FTPD vulnerable. I took a quick check at the source code for the stock FTPD on my system, and did not notice any possible overflows for glob().. at least none that jumped out at me (yet?).

FreeBSD 4.2-STABLE #0: Sun Jan 21 11:43:43 EST 2001
    root@fortress:/usr/obj/usr/src/sys/FORTRESS

# telnet 0 21
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 [server name] FTP server (Version 6.00LS) ready.

I am just making sure that the CERT advisory meant ALL 4.2-STABLE versions (I am a bit paranoid right now :). If it does that's great.
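The two things David looks at above are the kernel build string and the ftpd greeting. The following helper is an added example, not code from the thread: it parses both, compares the build date against an advisory's correction date, and treats the banner version as uninformative (the same "6.00LS" greeting appears whether or not the glob fix has been merged). The sample lines are constructed in the shape of the ones quoted, the host name is invented, and the correction date is a placeholder because the thread notes the FreeBSD statement did not give one.

```python
import re
from datetime import date, datetime

# Constructed samples, shaped like the uname and telnet output quoted in the post.
UNAME_SAMPLE = ("FreeBSD 4.2-STABLE #0: Sun Jan 21 11:43:43 EST 2001 "
                "root@fortress:/usr/obj/usr/src/sys/FORTRESS")
BANNER_SAMPLE = "220 ftp.example.invalid FTP server (Version 6.00LS) ready."

# Placeholder: the correction date an advisory would state. The thread says the
# FreeBSD statement gave none, so this value is invented for the example only.
PLACEHOLDER_FIX_DATE = date(2001, 4, 9)

# "FreeBSD <release> #<n>: <weekday> <month> <day> <hh:mm:ss> <zone> <year> ..."
UNAME_RE = re.compile(
    r"^FreeBSD (?P<release>\S+) #\d+: "
    r"(?P<stamp>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<tz>[A-Z]{3,4}) (?P<year>\d{4})\b"
)
# ftpd greeting: "220 <host> FTP server (Version <token>) ready."
BANNER_RE = re.compile(r"^220[ -].*?FTP server \(Version (?P<version>[^)]+)\)")


def parse_uname(line):
    """Return release, naive build timestamp and zone label from a kernel version string."""
    m = UNAME_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a FreeBSD kernel version string: {line!r}")
    # The zone label is kept separately; strptime's %Z only knows the local zone names.
    built = datetime.strptime(f"{m['stamp']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return {"release": m["release"], "built": built, "tz": m["tz"]}


def parse_banner(line):
    """Extract the version token from an ftpd 220 greeting, or None if it has none."""
    m = BANNER_RE.match(line.strip())
    return m["version"] if m else None


def build_predates_fix(uname_line, fix_date):
    """True unless the build is strictly newer than the correction date.

    Zone labels are ignored: an advisory date has day resolution, so a
    same-day build is treated as suspect rather than as patched.
    """
    return parse_uname(uname_line)["built"].date() <= fix_date


def assess(uname_line, banner_line, fix_date):
    """Combine both observations into a verdict and the reasons behind it."""
    info = parse_uname(uname_line)
    version = parse_banner(banner_line)
    stale = build_predates_fix(uname_line, fix_date)
    reasons = []
    if version is not None:
        reasons.append(f"banner version {version} does not change when the fix "
                       f"is merged, so it says nothing about patch state")
    reasons.append(f"{info['release']} built {info['built'].date().isoformat()} "
                   f"{'is not newer than' if stale else 'is newer than'} "
                   f"correction date {fix_date.isoformat()}")
    return {"needs_update": stale, "banner_version": version, "reasons": reasons}


if __name__ == "__main__":
    for reason in assess(UNAME_SAMPLE, BANNER_SAMPLE, PLACEHOLDER_FIX_DATE)["reasons"]:
        print(reason)
```

Feed it the real `uname -v` line and the greeting from your own server, with the correction date taken from the advisory once one is published.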
From owner-freebsd-security Tue Apr 10 16:11:30 2001
From: "alexus"
To: "David" ,
Subject: Re: FTPD vulnerability question
Date: Tue, 10 Apr 2001 19:10:20 -0400
Message-ID: <004401c0c213$9323fbb0$9865fea9@book>
References: <01041017530502.11342@descrypt.com>

How can I check my ftpd? I don't run the ftpd that came with the distribution..

----- Original Message -----
From: "David"
To:
Sent: Tuesday, April 10, 2001 6:53 PM
Subject: FTPD vulnerability question

> I just read the CERT advisory, and noticed it mentioned FreeBSD FTPD
> vulnerable. I took a quick check at the source code for the stock FTPD on my
> system, and did not notice any possible overflows for glob().. at least none
> that jumped out at me (yet?).
>
> FreeBSD 4.2-STABLE #0: Sun Jan 21 11:43:43 EST 2001
> root@fortress:/usr/obj/usr/src/sys/FORTRESS
>
> # telnet 0 21
> Trying 0.0.0.0...
> Connected to 0.
> Escape character is '^]'.
> 220 [server name] FTP server (Version 6.00LS) ready.
>
> I am just making sure that the CERT advisory meant ALL 4.2 -stable versions
> (I am a bit paranoid right now :). If it does that's great.
From owner-freebsd-security Tue Apr 10 16:20: 1 2001
From: "Crist Clark"
Organization: Globalstar LP
To: Nicole Harrington
Cc: Ben Smithurst , freebsd-security@FreeBSD.ORG, Michael Bryan , Michael Nottebrock
Subject: Re: Security Announcements?
Date: Tue, 10 Apr 2001 16:19:52 -0700
Message-ID: <3AD39518.CFE8CB46@globalstar.com>
References:

Nicole Harrington wrote:

[snip]

> As someone who runs many production level servers here is what I would want
> In order:
>
> 1) A notice that there is a problem, so I can tcpwrap or shut down said service
> until a patch is available.

A classic debate/flamewar: should the vendor notify before the fix is available? Been discussed to death a zillion times, and I will not start it again, but most vendors (Sun, Cisco, Microsoft) do not release notices until a solution is available. In extreme cases, a notice /may/ be put out if the vulnerability is publicly disclosed, very serious, and some workaround is available.

> 2) A binary patch. Similar to the Linux RPMs and the BSDi patches.
> Just download and run. No compiles, no installs.
The FreeBSD team would love to do this, but has said many times that they simply do not have the resources to produce binary patches.

> 3) A patch that everyone agrees works in an email or other notification that
> says, here's where you can get the patch, this works, here's what to do with
> it.

When the official FreeBSD advisories do come out, that's in there.

> From my perspective it took days for people to stop discussing what patch
> was best for ntpd and I still never heard a full resolution on the mailing
> list. No official blessing of a patch other than what I would get via CVSUP. I
> have production servers, I can't run a CVSup every day, let alone a make world.

I am not sure what is holding up an official notice on that one, but it would be nice if the maintainers of ntpd itself would make an official patch which could be merged back into -STABLE and -CURRENT.

> Yes I may have missed a few mails or something. But expecting people to spend
> their days tracking down patches and notices about problems kinda negates the
> whole idea of a security mailing and notification.
> The process seemed much better in the past, but lately, it has been much less
> than optimal.

I think the issue lately has mainly been that a string of security problems were publicly released before vendors had a chance to respond. Take a look back at security notifications you were happy with. Frequently, a security bug no one (or very few) had ever heard about had been patched in the code weeks before the release of the notice, but since there was no uproar on -security with people lamenting the slowness of patches, things seemed just great. For ntpd, the entire world was introduced to the bug at once (I guess someone at security-officer told me they got a whole half-hour or so warning) from Bugtraq and chaos ensued. (You think FreeBSD security is rough?
On Bugtraq, I was first to point out that aiming the exploit at a Solaris xntpd crashed it, so now I am getting emails from around the globe, like I'm an xntpd expert, asking how to fix it since no one will hear a single peep from Sun until they have a patch for every single supported OS, platform, and have gone through all of their regression testing.)

--
Crist J. Clark
Network Security Engineer
crist.clark@globalstar.com
Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926

From owner-freebsd-security Tue Apr 10 16:25:02 2001
Date: Tue, 10 Apr 2001 19:24:52 -0400 (EDT)
From: Trevor Johnson
Subject: Netscape 4.76 gif comment flaw (fwd)
Message-ID: <20010410192130.X3987-100000@blues.jpj.net>

I tried this with the 4.75 BSD/OS version, and found it has the bug.
--
Trevor Johnson

---------- Forwarded message ----------
Date: Mon, 9 Apr 2001 13:48:26 +0200
From: Florian Wesch
Reply-To: Florian Wesch
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Netscape 4.76 gif comment flaw
Message-ID: <20010409134826.A2541@dividuum.de>

Product: Netscape Navigator/Communicator
Tested on: 4.76 (on Linux and Win98/NT)
Vendor Contact: Reported 2001-03-22

{ Problem }--------------------------------------------------------

- Overview:

The Netscape browser does not escape the gif file comment in the image information page. This allows javascript execution in the "about:" protocol and can for example be used to upload the History (about:global) to a webserver.

- Detail:

Netscape does not allow javascript to access documents from a different domain. This stops a javascript from one domain that tries to mess around with login forms/private data from other domain. The following error message is shown: "access disallowed from scripts at to documents at another domain."

Now there is the protocol "about:" that is used for some special tasks.

about:        - shows Netscape version and copyrights
about:blank   - shows a blank document
about:config  - shows Browser configuration.
about:global  - shows Information about the Netscape global history
about:        - shows Information about the specified url
..

There are some other about: documents (try grepping the netscape binary).

about:global is very interesting since all visited documents are listed there. So I tried to find a way to access this information. I created a frameset with 2 frames. The first Frame (called foo) contains about:global. Using , or document.location.href="about.global"; for setting this url did not work. So I used the following trick to make it work:
My intention is that the second frame (called bar) grabs 10 urls in the first frame using javascript and sends them to the server. Accessing parent.frames["foo"].document.links does not work since foo is displaying an about: document and bar is a normal http document: "access disallowed from scripts at blah to documents..."

So I tried to find a way to start a javascript within an about: document. about: comes into mind since there are a lot of server specified values. First I tried to inject javascript using the url of the script. But since this url is encoded (space => %20 etc.) there is no way in. Modifying the Content-Type (File MIME Type) did not work either because Netscape opens a "Save as..." window when supplying an unknown mimetype.

Then I remembered that Netscape shows the comment included in gif files. A quick test showed that the comment is not escaped. So Javascript in gif comments is executed in the about: realm. This means that this script can then access the content of about:global. nice.

The following script included in the comment reads 10 urls in the about:global frame (foo), stores them in the form and finally submits this form.
The server has 10 urls of about:global urls now. Accessing about:config should be possible too, but I did not try it.

{ Solution }--------------------------------------------------------

Disable Javascript or Upgrade to 4.77

{ Exploit }---------------------------------------------------------

attached or http://dividuum.de/security/netscape/

--------------------------------------------------------------------

Regards, Florian Wesch
http://dividuum.de

From owner-freebsd-security Tue Apr 10 16:26:58 2001
Date: Tue, 10 Apr 2001 18:39:26 -0500
From: David
Organization: Serpant Technologies
To: freebsd-security@freebsd.org
Subject: Re: FTPD ... (to: alexus)
Message-Id: <01041018392603.11342@descrypt.com>

Easiest way is a simple "telnet 127.0.0.1 21"
read the banner...
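The flaw in the forwarded Bugtraq post above comes down to rendering a GIF comment extension without escaping it. As an added example (not code from the post or from Netscape), the following parser walks the GIF89a block structure, joins the Comment Extension's data sub-blocks (0x21 0xFE followed by length-prefixed sub-blocks and a 0x00 terminator), and renders the result HTML-escaped, which is the check the image information page lacked; build_gif_with_comment is a constructed sample input, not a real file.

```python
import html
import struct

# GIF block markers (constants from the GIF89a specification)
EXTENSION_INTRODUCER = 0x21
COMMENT_LABEL = 0xFE
IMAGE_SEPARATOR = 0x2C
TRAILER = 0x3B


def _read_sub_blocks(data: bytes, pos: int):
    """Read a chain of data sub-blocks (length byte + payload, ..., 0x00).

    Returns (joined payload, offset just past the 0x00 terminator)."""
    chunks = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return b"".join(chunks), pos
        if pos + size > len(data):
            raise ValueError("truncated sub-block")
        chunks.append(data[pos:pos + size])
        pos += size


def _colour_table_size(packed: int) -> int:
    """Byte length of the colour table announced by a packed-fields byte (0 if absent)."""
    if not packed & 0x80:
        return 0
    return 3 * (2 ** ((packed & 0x07) + 1))


def gif_comments(data: bytes):
    """Return the raw payload of every Comment Extension in a GIF87a/GIF89a stream."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    # Logical Screen Descriptor: width, height, packed fields, bg index, aspect ratio
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13 + _colour_table_size(packed)
    comments = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == TRAILER:
            break
        if block == EXTENSION_INTRODUCER:
            if pos >= len(data):
                raise ValueError("truncated extension")
            label = data[pos]
            payload, pos = _read_sub_blocks(data, pos + 1)
            if label == COMMENT_LABEL:
                comments.append(payload)
        elif block == IMAGE_SEPARATOR:
            # Image Descriptor: left, top, width, height, packed fields
            _l, _t, _iw, _ih, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9 + _colour_table_size(ipacked)
            pos += 1  # LZW minimum code size byte
            _pixels, pos = _read_sub_blocks(data, pos)
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")
    return comments


def render_comment_html(comment: bytes) -> str:
    """The fix the image-information page needed: emit the comment as text, never as markup."""
    text = comment.decode("latin-1")  # spec says 7-bit ASCII; latin-1 never fails
    return "<p>Comment: " + html.escape(text, quote=True) + "</p>"


def build_gif_with_comment(comment: bytes) -> bytes:
    """Constructed sample input: a valid 1x1 GIF89a carrying one Comment Extension."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    palette = bytes([0, 0, 0, 255, 255, 255])  # 2-entry global colour table
    ext = bytes([EXTENSION_INTRODUCER, COMMENT_LABEL])
    for i in range(0, len(comment), 255):  # comments over 255 bytes span several sub-blocks
        chunk = comment[i:i + 255]
        ext += bytes([len(chunk)]) + chunk
    ext += b"\x00"
    image = bytes([IMAGE_SEPARATOR]) + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    image += b"\x02" + b"\x02\x44\x01" + b"\x00"  # min code size 2; clear, pixel 0, EOI
    return header + palette + ext + image + bytes([TRAILER])


if __name__ == "__main__":
    sample = build_gif_with_comment(b'hello <script>alert(1)</script> "x"')
    for c in gif_comments(sample):
        print(render_comment_html(c))
```

Joining the sub-blocks before escaping matters: a comment longer than 255 bytes is split across several sub-blocks, so a check that inspects only the first one sees an incomplete string.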
From owner-freebsd-security Tue Apr 10 16:30:35 2001
Date: Tue, 10 Apr 2001 19:30:32 -0400
From: "alexus"
To: "David"
Subject: Re: FTPD ... (to: alexus)
Message-ID: <007201c0c216$3d8be020$9865fea9@book>
References: <01041018392603.11342@descrypt.com>

what should i see? i see ftp (host) and that's it..

----- Original Message -----
From: "David"
Sent: Tuesday, April 10, 2001 7:39 PM
Subject: Re: FTPD ... (to: alexus)

> Easiest way is a simple "telnet 127.0.0.1 21"
> read the banner...
From owner-freebsd-security Tue Apr 10 16:33:48 2001
Date: Wed, 11 Apr 2001 00:16:27 +0100
From: Ben Smithurst
To: Nicole Harrington
Cc: freebsd-security@freebsd.org, Michael Bryan, Michael Nottebrock
Subject: Re: Security Announcements?
Message-ID: <20010411001627.I8173@scientia.demon.co.uk>

Nicole Harrington wrote:

> That's the most stupid thing I have ever heard. I never knew that simply by
> running -STABLE I would not have any security problems and would not need
> patches or updates.

By running -stable (or by tracking -stable which is what I meant and perhaps should have said) you *do* get all the security fixes whenever you cvsup. That's my point, I probably didn't express it very clearly, sorry.
--
Ben Smithurst / ben@FreeBSD.org

From owner-freebsd-security Tue Apr 10 16:33:50 2001
Date: Wed, 11 Apr 2001 00:13:19 +0100
From: Ben Smithurst
To: mudman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
Message-ID: <20010411001319.H8173@scientia.demon.co.uk>

mudman wrote:

> What would be the fundamental difference between the release and stable
> branches? Why would one branch run less secure than another, especially
> if both are used in server systems world wide?

Releases aren't branches, they're snapshots of a single point in time along the stable branch. If you cvsup -stable you'll get all the security (and other) fixes applied to it; if you just use a release you have to go out and find the security fixes yourself (not hard, given that they're all clearly mentioned in the advisories). Maybe some people prefer that. I just prefer the cvsup && make world combination.
--
Ben Smithurst / ben@FreeBSD.org

From owner-freebsd-security Tue Apr 10 16:36:03 2001
Date: Tue, 10 Apr 2001 18:34:39 -0500
From: Will Andrews
To: Ben Smithurst
Cc: mudman, freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
Message-ID: <20010410183439.C1396@casimir.physics.purdue.edu>
In-Reply-To: <20010411001319.H8173@scientia.demon.co.uk>

On Wed, Apr 11, 2001 at 12:13:19AM +0100, Ben Smithurst wrote:

> releases aren't branches, they're snapshots of a single point in time

As I said earlier, this will likely change in the future. But that's just what I heard.
--
wca

From owner-freebsd-security Tue Apr 10 16:39:02 2001
Date: Tue, 10 Apr 2001 16:38:59 -0700 (PDT)
From: Nicole Harrington
To: David
Cc: freebsd-security@freebsd.org
Subject: Re: FTPD ... (to: alexus)
In-Reply-To: <01041018392603.11342@descrypt.com>

On 10-Apr-01 David wrote:

> Easiest way is a simple "telnet 127.0.0.1 21"
> read the banner...
>

Read the banner for what?

I sure wish I could find out or have in the Cert advisory that FTP daemon version XX to XX is vulnerable.

Does anyone know this information??

"We have corrected these bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE"

Current and Stable are moving targets. How can people just say these things. I can assume, but we all know what that means. Stable as of when has the patches? Where can I get the ftpd patch if I don't want to do a full cvsup??
From Cert Advisory:

"FREEBSD is vulnerable to the glob-related bugs. We have corrected these bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and they will not be present in FreeBSD 4.3-RELEASE."

Nicole

From owner-freebsd-security Tue Apr 10 16:40:30 2001
Date: Wed, 11 Apr 2001 09:40:26 +1000
From: Stanley Hopcroft
To: freebsd-security@freebsd.org
Subject: Re: Security Announcements?
Message-ID: <20010411094026.B80253@IPAustralia.Gov.AU>

Dear Ladies and Gentlemen,

I am writing to endorse Ms Harrington's remarks (vi) and ask that her requests be treated seriously.
They are mine too, and I don't think unrealistic for a working joe who is neither an ace - or even an average - programmer or network technologist. I use FreeBSD because it is easy to use compared to other things (NT, OS/2, AIX, probably Solaris) and safe. If it is no longer safe, and I have to take hours to install a port - because I am slow and stupid - then the attractiveness is reduced.

On Tue, Apr 10, 2001 at 03:43:47PM -0700, Nicole Harrington wrote:
>
> As someone who runs many production level servers here is what I would want
> In order:
>
> 1) A notice that there is a problem - So I can tcpwrap or shutdown said service
> until a patch is available.
>
> 2) A binary patch. Similar to the Linux RPMs and the BSDi patches.
> Just download and run. No compiles no installs.
>
> 3) A patch that everyone agrees works in an email or other notification that
> says, here's where you can get the patch, this works, here's what to do with
> it.
> From my perspective it took days for people to stop discussing what patch
> was best for ntpd and I still never heard a full resolution on the mailing
> list. No official blessing of a patch other than what I would get via CVSUP. I
> have production servers, I can't run a CVsup everyday, let alone a make world.
>

Hear, hear. I have shut down ntpd. I can't determine from the debate about the ntp patch what I should use. There is no SA ....

> Yes I may have missed a few mails or something. But expecting people to spend
> their days tracking down patches and notices abt problems kinda negates the
> whole idea of a security mailing and notification.

Yes.

> The process seemed much better in the past, but lately, it has been much less
> than optimal.
>

Can't say. Although I miss Mr Kenneway's letters (and Mr Losh's for that matter).

Thank you, Yours sincerely.
--
------------------------------------------------------------------------
Stanley Hopcroft
IP Australia
Network Specialist
+61 2 6283 3189
+61 2 6281 1353 (FAX)
Stanley.Hopcroft@IPAustralia.Gov.AU
------------------------------------------------------------------------
One is not superior merely because one sees the world as odious.
-- Chateaubriand (1768-1848)

From owner-freebsd-security Tue Apr 10 16:54:45 2001
Date: Wed, 11 Apr 2001 09:54:37 +1000
From: Stanley Hopcroft
To: Crist Clark
Cc: security@FreeBSD.ORG
Subject: Re: Security Announcements?
Message-ID: <20010411095436.C80253@IPAustralia.Gov.AU>
In-Reply-To: <3AD39518.CFE8CB46@globalstar.com>

Dear Sir,

I am writing to thank you for your contribution about this matter. You have I think answered the questions seriously and helpfully.
I don't think my letter was useful and I apologise for it.

Yours sincerely

--
Stanley Hopcroft
IP Australia
Network Specialist
Stanley.Hopcroft@IPAustralia.Gov.AU
One can't proceed from the informal to the formal by formal means.

From owner-freebsd-security Tue Apr 10 17:01:49 2001
Date: Tue, 10 Apr 2001 17:01:42 -0700
From: "Bruce A. Mah"
Reply-To: bmah@FreeBSD.ORG
To: Nicole Harrington
Cc: David, freebsd-security@FreeBSD.ORG
Subject: Re: FTPD ... (to: alexus)
Message-Id: <200104110001.f3B01gD24599@bmah-freebsd-0.cisco.com>

If memory serves me right, Nicole Harrington wrote:

> Read the banner for what?
> I sure wish I could find out or have in the Cert advisory that FTP daemon
> version XX to XX is vulnerable.
>
> Does anyone know this information??
>
> "We have corrected these bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE"
>
> Current and Stable are moving targets. How can people just say these things.

The statement means the fixes were committed to the relevant CVS branches as of the time the CERT advisory was written. It does not say anything about when exactly the fixes were committed.

> I can assume, but we all know what that means. Stable as of when has the
> patches? Where can I get the ftpd patch if I don't want to do a full cvsup??

Looking through the CVS logs, ftpd.c got the globbing patches on 19 March 2001 for HEAD and 21 March 2001 for RELENG_4. (There were some changes to libc involved as well.) At this point, since the security-officer team hasn't released an advisory, there isn't an official patch. I'm not a part of that team, so don't ask. :-)

Hope this helps,

Bruce.
From owner-freebsd-security Tue Apr 10 17:06:00 2001
Date: Tue, 10 Apr 2001 19:05:43 -0500
From: David Syphers
To: freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
Message-Id: <4.3.2.7.2.20010410190358.00c50100@nsit-popmail.uchicago.edu>
In-Reply-To: <20010410185256.A20479@petra.hos.u-szeged.hu>

At 06:52 PM 4/10/01 +0200, Szilveszter Adam wrote:

>Many advisories are delayed even after appropriate fixes have made it to
>-CURRENT and 4.x because 3.x still needs to be fixed

http://www.freebsd.org/cgi/getmsg.cgi?fetch=0+3361+/usr/local/www/db/text/2000/freebsd-announce/20001126.freebsd-announce

-David Syphers
Charon@freethought.org
http://www.seektruth.org/
"I sound my barbaric yawp over the roofs of the world."
-Whitman

From owner-freebsd-security Tue Apr 10 19:56:15 2001
Date: Tue, 10 Apr 2001 22:55:28 -0400
From: Keith Stevenson
To: Nicole Harrington
Cc: freebsd-security@freebsd.org
Subject: Re: FTPD ... (to: alexus)
Message-ID: <20010410225527.A18857@osaka.louisville.edu>

I gleaned the following from looking through the commit logs in my local copy of the source repository:

Two files in src/libexec/ftpd appear to have been changed to address the globbing bug, ftpd.c and popen.c. The solution also appears to rely upon some changes made to libc.

popen.c
-------
revision 1.20 (CURRENT)
date: 2001/03/19 19:11:00;  author: jlemon;  state: Exp;  lines: +3 -1
Teach ftpd about the new GLOB_MAXPATH flag.

revision 1.18.2.2 (RELENG_4)
date: 2001/03/21 14:40:37;  author: jlemon;  state: Exp;  lines: +3 -1
MFC: globbing limits for ftpd.

revision 1.15.2.2 (RELENG_3)
date: 2001/04/08 00:15:00;  author: jedgar;  state: Exp;  lines: +3 -1
MFC: globbing limits for ftpd

ftpd.c
------
revision 1.74 (CURRENT)
date: 2001/03/19 19:11:00;  author: jlemon;  state: Exp;  lines: +10 -1
Teach ftpd about the new GLOB_MAXPATH flag.

revision 1.62.2.9 (RELENG_4)
date: 2001/03/21 14:40:36;  author: jlemon;  state: Exp;  lines: +11 -1
MFC: globbing limits for ftpd.

This indicates that the problem was addressed in CURRENT on 3/19, in 4.2-STABLE on 3/21, and was partially implemented in 3.5-STABLE on 4/8. (The ftpd.c portion of the fix does not seem to have been committed to the 3.5 branch.)

Personally, I'd do a full cvsup to address this. I'm sure that lots of people will let me know if I've mis-stated anything. :)

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
keith.stevenson@louisville.edu
GPG key fingerprint = 332D 97F0 6321 F00F 8EE7 2D44 00D8 F384 75BB 89AE

On Tue, Apr 10, 2001 at 04:38:59PM -0700, Nicole Harrington wrote:
>
> Does anyone know this information??
>
> "We have corrected these bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE"
>
> Current and Stable are moving targets. How can people just say these things.
> I can assume, but we all know what that means. Stable as of when has the
> patches? Where can I get the ftpd patch if I don't want to do a full cvsup??
From owner-freebsd-security Tue Apr 10 20:04:26 2001
Date: Tue, 10 Apr 2001 20:04:21 -0700
From: Michael Bryan
To: freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
Message-ID: <3AD3C9B5.1DC86C19@ursine.com>

Nicole Harrington wrote:
>
> As someone who runs many production level servers here is what I would want
> In order:
>
> [...]
>
> 2) A binary patch. Similar to the Linux RPMs and the BSDi patches.
> Just download and run. No compiles no installs.

I fully agree. In my opinion, it would be the single most helpful improvement to the FreeBSD bug fix process. It is much, much, much easier to roll out (install/test/approve) a binary patch of just the affected software, rather than making systems track -STABLE, or even doing what I do now, which is to do "spot builds" of the affected software and create my own crude-but-effective installs to send out to all the affected servers. [And some things like kernel fixes would obviously not be doable without a manual compile/install of a new kernel, but that doesn't nullify the effectiveness in cases where you can do binary patches.]
It also helps solve another problem that comes up everytime BIND or some other software goes through this process --- the fact that one of the easiest ways to currently upgrade is to use the version in the ports tree, but the pieces get installed in different/conflicting locations than the same components in the base system install, unless you tweak the prefixes (and sometimes other things) when you build the port. I know that there are ways to get around those issues using -STABLE, knowing the "make prefix=" magic, and other things, but there are so many times that something like this comes up, and we get another round of questions and confusion about the update process. That tells me that the current process is not really good enough, and needs improving. And yeah, I know --- it takes time, money, people, systems, etc to be able to provide those services to the community, and somebody will need to provide those resources in order to make it happen. I don't know... maybe I can work out something and do some measure of this myself, but I'd have to talk with my employer, and then maybe discuss things with Kris, and I'm not particularly hopeful that I can personally spare enough of myself to do an effective job of it. But I am going to think about it... 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 10 21:33:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id B108637B422; Tue, 10 Apr 2001 21:33:35 -0700 (PDT) (envelope-from christopher@schulte.org) Received: from TARMAP.schulte.org (tarmap.schulte.org [209.134.156.198]) by poontang.schulte.org (8.12.0.Beta5/8.12.0.Beta5) with ESMTP id f3B4XXIr001152; Tue, 10 Apr 2001 23:33:34 -0500 (CDT) Message-Id: <5.1.0.12.0.20010410232348.00ac7870@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.1.0.12 (Beta) Date: Tue, 10 Apr 2001 23:32:53 -0500 To: "Crist Clark" , Nicole Harrington From: Christopher Schulte Subject: Re: Security Announcements? Cc: Ben Smithurst , freebsd-security@FreeBSD.ORG, Michael Bryan , Michael Nottebrock In-Reply-To: <3AD39518.CFE8CB46@globalstar.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 04:19 PM 4/10/2001 -0700, Crist Clark wrote: >A classic debate/flamewar, should the vendor notify before the fix >is available? Been discussed to death a zillion times, and I will not >start it again, but most vendors (Sun, Cisco, Microsoft) do not release >notices until a solution is available. In extreme cases, a notice /may/ >be put out if the vulnerability is publically disclosed, very serious, >and some workaround is available. In the case of an internal audit finding a new vulnerability or bug for which a fix is not available and knowledge of bug not believed to be 'in the wild', full public disclosure can be both inappropriate and harmful. In the case of a publicly available bug (ftpd, ntpd, bind, foo), timely notification is critical. 
Even if no workarounds or fixes are included. My posts here are directed solely toward publicly aware bugs. >-- >Crist J. Clark Network Security Engineer >crist.clark@globalstar.com Globalstar, L.P. >(408) 933-4387 FAX: (408) 933-4926 --chris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 1:24: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id D7CE537B423 for ; Wed, 11 Apr 2001 01:24:01 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id DAA12742; Wed, 11 Apr 2001 03:23:59 -0500 (CDT) (envelope-from jeff-ml@mountin.net) Received: from dial-41.tnt1.rac.cyberlynk.net(209.224.182.41) by peak.mountin.net via smap (V1.3) id sma012737; Wed Apr 11 03:23:40 2001 Message-Id: <4.3.2.20010410211055.02ce8470@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Version 4.3 Date: Tue, 10 Apr 2001 21:25:20 -0500 To: Nicole Harrington From: "Jeffrey J. Mountin" Subject: Re: Security Announcements? Cc: security@FreeBSD.ORG In-Reply-To: References: <20010410215014.A8173@scientia.demon.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 03:43 PM 4/10/01 -0700, Nicole Harrington wrote: >On 10-Apr-01 Ben Smithurst wrote: > > Michael Nottebrock wrote: > > > > > >> It certainly is starting to irritate people running > >> 4.2-Release. > > > > Well if you want the latest security fixes you shouldn't be running a > > -release anyway, that's that the -stable branch is for. > > > > Thats the most stupid thing I have every heard. I never knew that simply by >running -STABLE I would not have any security problems and would not need >patches or updates. 
It certainly doesn't address *when* you should update, but in many cases the fix was long before the advisory. Both sides here have merit. However, relying on blind updates would be foolish. The advisory can also mean avoiding a complete build. > As someone who runs many production level servers here is what I would want > In order: > > 1) A notice that there is a problem - So I can tcpwrap or shutdown said > service >until a patch is available. > > 2) A binary patch. Similar to the Linux RPMs and the BSDi patches. > Just download and run. No compiles no installs. > > 3) A patch that everyone agrees works in an email or other notification that >says, here's where you can get the patch, this works, here's what to do with >it. Assessment should be first. Do you use it and in some cases is it configured in such a way as to be vulnerable. There are times when checking the latter takes longer than applying the fix would have. Fixing only the systems that use a service also has a downside should the configuration change. Documentation is helpful. > From my perspective it took days for people to stop discussing what patch >was best for ntpd and I still never heard a full resolution on the mailing >list. No official blessing of a patch other than what I would get via >CVSUP. I >have production servers, I can't run a CVsup everyday, let alone a make >world. > > > Yes I may have missed a few mails or something. But expecting people to > spend >their days tracking down patches and notices about problems kinda negates the >whole idea of a security mailing and notification. > The process seemed much better in the past, but lately, it has been much > less >than optimal. The NTP one was a bit messy, but I don't think it's changed much. Other than more often and the port specific one. In a few cases it did take a while for the fix and/or advisory. Hard to say with all the traffic. All I *do* know is that a higher number are likely to affect more systems. 
Or it's just that the past year has exceeded the prior 5 for the number that concerned me. It might be that the recent confusion with the typical advisory delay makes things seem worse than they are, or it is a case load issue, which in most cases this list covers and most times becomes the official fix. Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 1:53:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from serenity.mcc.ac.uk (serenity.mcc.ac.uk [130.88.200.93]) by hub.freebsd.org (Postfix) with ESMTP id 090B237B422 for ; Wed, 11 Apr 2001 01:53:30 -0700 (PDT) (envelope-from rasputin@freebsd-uk.eu.org) Received: from dogma.freebsd-uk.eu.org ([130.88.200.97] ident=root) by serenity.mcc.ac.uk with esmtp (Exim 2.05 #4) id 14nGNU-0001R5-00; Wed, 11 Apr 2001 09:53:28 +0100 Received: (from rasputin@localhost) by dogma.freebsd-uk.eu.org (8.11.1/8.11.1) id f3B8rSk63440; Wed, 11 Apr 2001 09:53:28 +0100 (BST) (envelope-from rasputin) Date: Wed, 11 Apr 2001 09:53:28 +0100 From: Rasputin To: Nicole Harrington Cc: security@freebsd.org Subject: Re: Security Announcements? Message-ID: <20010411095328.A63302@dogma.freebsd-uk.eu.org> Reply-To: Rasputin References: <20010410215014.A8173@scientia.demon.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from nmh@daemontech.com on Tue, Apr 10, 2001 at 03:43:47PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Nicole Harrington [010410 23:45]: > > On 10-Apr-01 Ben Smithurst wrote: > > Michael Nottebrock wrote: > > Well if you want the latest security fixes you shouldn't be running a > > -release anyway, that's what the -stable branch is for. > > That's the most stupid thing I have ever heard. Don't speak too soon. 
You haven't heard what I've got to say yet :) > I never knew that simply by > running -STABLE I would not have any security problems and would not need > patches or updates. By *tracking* STABLE you do. That's the whole point of it, surely. > 1) A notice that there is a problem - So I can tcpwrap or shutdown said service > until a patch is available. > > 2) A binary patch. Similar to the Linux RPMs and the BSDi patches. > Just download and run. No compiles no installs. > > 3) A patch that everyone agrees works in an email or other notification that > says, here's where you can get the patch, this works, here's what to do with > it. Isn't that what gets patched into STABLE? If it's a userspace problem, a make world often isn't necessary. After a sup, you just go into the relevant directories and make install. Kernel bugs are going to need a reboot anyway. I agree with you on the notification issue; we need some kind of batphone - particularly for the new guys, a URL in the default /etc/motd would help. (leaving aside the issue of whether we have a workable batphone yet) Cheers. 
-- Rasputin Jack of All Trades :: Master of Nuns To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 2: 0:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from probity.mcc.ac.uk (probity.mcc.ac.uk [130.88.200.94]) by hub.freebsd.org (Postfix) with ESMTP id A11CB37B422 for ; Wed, 11 Apr 2001 02:00:38 -0700 (PDT) (envelope-from rasputin@freebsd-uk.eu.org) Received: from dogma.freebsd-uk.eu.org ([130.88.200.97] ident=root) by probity.mcc.ac.uk with esmtp (Exim 2.05 #4) id 14nGUP-0004MN-00 for security@freebsd.org; Wed, 11 Apr 2001 10:00:37 +0100 Received: (from rasputin@localhost) by dogma.freebsd-uk.eu.org (8.11.1/8.11.1) id f3B90aa63545 for security@freebsd.org; Wed, 11 Apr 2001 10:00:36 +0100 (BST) (envelope-from rasputin) Date: Wed, 11 Apr 2001 10:00:36 +0100 From: Rasputin To: security@freebsd.org Subject: Re: Interaction between ipfw, IPSEC and natd Message-ID: <20010411100036.B63302@dogma.freebsd-uk.eu.org> Reply-To: Rasputin References: <20010410181407.A1011@linnet.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <20010410181407.A1011@linnet.org>; from B.Candler@pobox.com on Tue, Apr 10, 2001 at 06:14:07PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Brian Candler [010410 18:15]: > Is there any documentation on how ipfw, natd and IPSEC interact with each > other? In particular, > - what is the order of processing of inbound and outbound packets? > - when packets are re-injected by natd, where in the whole system are they > re-injected? > - do packets reinjected by natd still match 'in via ' or > 'out via '? 
(OK, I could determine this one experimentally, > but I'd still like to see it documented :-) > > I see that by default FreeBSD puts its natd divert rule right at the very > top of the ruleset, but I have found that this stops IPSEC processing > working. I can make it work by putting natd lower down: e.g. > > add 01000 permit ip from 10.0.0.0/8 to 10.0.0.0/8 # private addrs > add 02000 divert 8668 ip from any to any via xl0 # external i/face Does anybody know if ipfilter has similar problems with IPSec? I saw a thread in the NetBSD mail archives that indicated this, but it was around a year old. And if anyone knows where I can get free IPSec clients for Mac (OS9.x) I'll send them a packet of chocolate HobNobs. Chocolate- Mmm.... (URL would be good. There's supposed to be one somewhere in the rat's nest that is http://www.nai.com, but a friend of mine went looking last week and we never saw him again.) -- Rasputin Jack of All Trades :: Master of Nuns To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 2:11:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from ajax1.sovam.com (ajax1.sovam.com [194.67.1.172]) by hub.freebsd.org (Postfix) with ESMTP id 22F0237B423 for ; Wed, 11 Apr 2001 02:11:15 -0700 (PDT) (envelope-from admin128@mail.ru) Received: from ts16-a439.dial.sovam.com ([195.239.4.185]:1966 "EHLO ts16-a439.dial.sovam.com" ident: "NO-IDENT-SERVICE[2]" whoson: "-unregistered-" smtp-auth: TLS-CIPHER: TLS-PEER: ) by ajax1.sovam.com with ESMTP id ; Wed, 11 Apr 2001 13:11:05 +0400 Date: Wed, 11 Apr 2001 13:10:04 +0400 From: Anton Vladimirov X-Mailer: The Bat! 
(v1.47 Halloween Edition) Reply-To: Anton Vladimirov Organization: FBSD Administration Center X-Priority: 3 (Normal) Message-ID: <15739596567.20010411131004@mail.ru> To: security@freebsd.org Subject: ftp vulnerability Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello security, I run FreeBSD 4.0-RELEASE with all security patches applied. Could anyone clearly explain how to fix the recent ftpd hole for this version? I downloaded the sources of ftpd from the 4.2-CURRENT release, but how to install it? I do the following: ============================================= bash-2.03# make depend yacc -o ftpcmd.c ftpcmd.y yacc: w - the symbol ext_arg is undefined rm -f .depend mkdep -f .depend -a -DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -DINET6 -I/usr/src/libexec/ftpd -Dmain=ls_main -I/usr/src/libexec/c cd /usr/src/libexec/ftpd; make _EXTRADEPEND echo ftpd: /usr/lib/libc.a /usr/lib/libskey.a /usr/lib/libmd.a /usr/lib/libcrypt.a /usr/lib/libutil.a /usr/lib/libpam.a >> .depend bash-2.03# make Warning: Object directory not changed from original /usr/src/libexec/ftpd cc -O -pipe -DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall -DINET6 -I/usr/src/libexec/ftpd -Dmain=ls_main -I/usr/src/libexec/ftpd/c ftpd.c: In function `send_file_list': ftpd.c:2673: `GLOB_MAXPATH' undeclared (first use in this function) ftpd.c:2673: (Each undeclared identifier is reported only once ftpd.c:2673: for each function it appears in.) ftpd.c:2662: warning: variable `dout' might be clobbered by `longjmp' or `vfork' ftpd.c:2663: warning: variable `dirlist' might be clobbered by `longjmp' or `vfork' ftpd.c:2664: warning: variable `simple' might be clobbered by `longjmp' or `vfork' ftpd.c:2665: warning: variable `freeglob' might be clobbered by `longjmp' or `vfork' *** Error code 1 Stop in /usr/src/libexec/ftpd. 
================================================== Where am I mistaken? -- Best regards, Anton mailto:admin128@mail.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 2:19: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by hub.freebsd.org (Postfix) with ESMTP id DE95B37B424 for ; Wed, 11 Apr 2001 02:18:55 -0700 (PDT) (envelope-from eugen@www.svzserv.kemerovo.su) Received: (from eugen@localhost) by www.svzserv.kemerovo.su (8.9.3/8.9.3) id RAA79266; Wed, 11 Apr 2001 17:18:43 +0800 (KRAST) (envelope-from eugen) Date: Wed, 11 Apr 2001 17:18:43 +0800 From: Eugene Grosbein To: Anton Vladimirov Cc: security@FreeBSD.ORG Subject: Re: ftp vulnerability Message-ID: <20010411171843.A78034@svzserv.kemerovo.su> References: <15739596567.20010411131004@mail.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <15739596567.20010411131004@mail.ru>; from admin128@mail.ru on Wed, Apr 11, 2001 at 01:10:04PM +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Apr 11, 2001 at 01:10:04PM +0400, Anton Vladimirov wrote: > I run FreeBSD 4.0-RELEASE with all security patches applied. > Could anyone clearly explain how to fix the recent > ftpd hole for this version? You can use a workaround: put a record into /etc/login.conf:

anonftp:\
	:datasize=16M:\
	:stacksize=8M:\
	:memoryuse=16M:\
	:priority=5:\
	:tc=default:

Choose values suitable for you. Then do cap_mkdb /etc/login.conf and set the login class of user 'ftp' to anonftp. This will prevent exploiting this hole. 
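The hole the thread is working around is ftpd's unbounded glob expansion; the resource limits above contain the damage by letting the bloated process die on its own limits, and the libc/ftpd commits in Keith's CVS log cap the expansion itself (the GLOB_MAXPATH flag). As an added illustration, not code from the thread or from FreeBSD, the script below builds a small constructed directory tree, shows how quickly a five-character pattern fans out, and applies a match-count cap of the same general kind. The cap value, the directory layout and the function names are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): a glob pattern's match
# count grows as the product of the directory fan-out at every level, so a
# short pattern from an untrusted FTP client can expand into a huge list.
# bounded_glob() refuses an expansion once it passes a cap, which is the
# general idea behind limiting glob() in ftpd. All paths here are created
# under mktemp -d; nothing touches a real FTP tree.

# build_tree FANOUT DEPTH: create FANOUT subdirectories at each of DEPTH
# levels under a fresh temporary root and print the root's path.
build_tree() {
    root=$(mktemp -d) || return 1
    fanout=$1; depth=$2
    dirs="$root"
    while [ "$depth" -gt 0 ]; do
        next=""
        for d in $dirs; do
            i=0
            while [ "$i" -lt "$fanout" ]; do
                mkdir "$d/n$i"
                next="$next $d/n$i"
                i=$((i + 1))
            done
        done
        dirs=$next
        depth=$((depth - 1))
    done
    echo "$root"
}

# count_matches DIR PATTERN: number of entries PATTERN expands to in DIR
# (the shell performs the pathname expansion when $2 is left unquoted).
count_matches() {
    (cd "$1" && set -- $2 && echo $#)
}

# bounded_glob DIR PATTERN MAX: print the expansion only if it has at most
# MAX entries; otherwise print a refusal on stderr and return 1.
bounded_glob() {
    n=$(count_matches "$1" "$2")
    if [ "$n" -gt "$3" ]; then
        echo "refusing: $2 expands to $n entries (cap $3)" >&2
        return 1
    fi
    (cd "$1" && printf '%s\n' $2)
}

# Demo: fan-out 6, depth 3 gives 6, 36 and 216 matches for *, */* and */*/*.
demo() {
    root=$(build_tree 6 3) || return 1
    for p in '*' '*/*' '*/*/*'; do
        printf '%-8s -> %s matches\n' "$p" "$(count_matches "$root" "$p")"
    done
    bounded_glob "$root" '*/*' 100 > /dev/null && echo "*/* accepted under cap 100"
    bounded_glob "$root" '*/*/*' 100 || echo "*/*/* refused under cap 100"
    rm -rf "$root"
}
demo
```

With fan-out 6 the third level already gives 216 entries; a server that builds the whole list in memory before answering pays that cost for every LIST or NLST a client sends, which is why the fix belongs in the expansion itself and not only in the login class.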
Eugene To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 2:36:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from ajax1.sovam.com (ajax1.sovam.com [194.67.1.172]) by hub.freebsd.org (Postfix) with ESMTP id 7D7F737B422 for ; Wed, 11 Apr 2001 02:36:33 -0700 (PDT) (envelope-from admin128@mail.ru) Received: from ts16-a439.dial.sovam.com ([195.239.4.185]:1973 "EHLO ts16-a439.dial.sovam.com" ident: "NO-IDENT-SERVICE[2]" whoson: "-unregistered-" smtp-auth: TLS-CIPHER: TLS-PEER: ) by ajax1.sovam.com with ESMTP id ; Wed, 11 Apr 2001 13:36:20 +0400 Date: Wed, 11 Apr 2001 13:35:20 +0400 From: Anton Vladimirov X-Mailer: The Bat! (v1.47 Halloween Edition) Reply-To: Anton Vladimirov Organization: FBSD Administration Center X-Priority: 3 (Normal) Message-ID: <941113000.20010411133520@mail.ru> To: Eugene Grosbein Cc: security@FreeBSD.ORG Subject: Re[2]: ftp vulnerability In-reply-To: <20010411171843.A78034@svzserv.kemerovo.su> References: <15739596567.20010411131004@mail.ru> <20010411171843.A78034@svzserv.kemerovo.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello Eugene, Wednesday, April 11, 2001, 1:18:43 PM, you wrote: EG> On Wed, Apr 11, 2001 at 01:10:04PM +0400, Anton Vladimirov wrote: >> I run FreeBSD 4.0-RELEASE with all security patches applied. >> Could anyone clearly explain how to fix the recent >> ftpd hole for this version? EG> You can use workaround: put a record into /etc/login.conf: EG> anonftp:\ EG> :datasize=16M:\ EG> :stacksize=8M:\ EG> :memoryuse=16M:\ EG> :priority=5:\ EG> :tc=default: EG> Choose values suitable for you. Then do EG> cap_mkdb /etc/login.conf EG> and set login class of user 'ftp' to anonftp. EG> This will prevent exloiting this hole. Is this vulnerability concerned only to anonymous ftp? 
Can it be exploited by non-anonymous users? -- Best regards, Anton mailto:admin128@mail.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 2:49:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from ajax1.sovam.com (ajax1.sovam.com [194.67.1.172]) by hub.freebsd.org (Postfix) with ESMTP id 53E6A37B424 for ; Wed, 11 Apr 2001 02:49:35 -0700 (PDT) (envelope-from avn@any.ru) Received: from ts9-a156.dial.sovam.com ([195.239.70.156]:1071 "EHLO ts9-a156.dial.sovam.com" ident: "avn" whoson: "-unregistered-" smtp-auth: TLS-CIPHER: TLS-PEER: ) by ajax1.sovam.com with ESMTP id ; Wed, 11 Apr 2001 13:49:19 +0400 Date: Wed, 11 Apr 2001 13:48:31 +0400 (MSD) From: "Alexey V. Neyman" X-X-Sender: To: Anton Vladimirov Cc: Subject: Re: ftp vulnerability In-Reply-To: <15739596567.20010411131004@mail.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Good day, Anton! When this hole was patched, libc was also corrected, so you'll need to update it too. The least painful way will be CVSup, IMHO. # Alexey On Wed, 11 Apr 2001, Anton Vladimirov wrote: >Hello security, > > I run FreeBSD 4.0-RELEASE with all security patches applied. > Could anyone clearly explain how to fix the recent > ftpd hole for this version? > > I downloaded the sources of ftpd from the 4.2-CURRENT > release, but how to install it? 
> > I do the following: >============================================= >bash-2.03# make depend >yacc -o ftpcmd.c ftpcmd.y >yacc: w - the symbol ext_arg is undefined >rm -f .depend >mkdep -f .depend -a -DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -DINET6 -I/usr/src/libexec/ftpd -Dmain=ls_main -I/usr/src/libexec/c >cd /usr/src/libexec/ftpd; make _EXTRADEPEND >echo ftpd: /usr/lib/libc.a /usr/lib/libskey.a /usr/lib/libmd.a /usr/lib/libcrypt.a /usr/lib/libutil.a /usr/lib/libpam.a >> .depend >bash-2.03# make >Warning: Object directory not changed from original /usr/src/libexec/ftpd >cc -O -pipe -DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall -DINET6 -I/usr/src/libexec/ftpd -Dmain=ls_main -I/usr/src/libexec/ftpd/c >ftpd.c: In function `send_file_list': >ftpd.c:2673: `GLOB_MAXPATH' undeclared (first use in this function) >ftpd.c:2673: (Each undeclared identifier is reported only once >ftpd.c:2673: for each function it appears in.) >ftpd.c:2662: warning: variable `dout' might be clobbered by `longjmp' or `vfork' >ftpd.c:2663: warning: variable `dirlist' might be clobbered by `longjmp' or `vfork' >ftpd.c:2664: warning: variable `simple' might be clobbered by `longjmp' or `vfork' >ftpd.c:2665: warning: variable `freeglob' might be clobbered by `longjmp' or `vfork' >*** Error code 1 > >Stop in /usr/src/libexec/ftpd. >================================================== > >Where am I mistaken? 
> > >-- >Best regards, > Anton mailto:admin128@mail.ru > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 3:28: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by hub.freebsd.org (Postfix) with ESMTP id B8C8937B424 for ; Wed, 11 Apr 2001 03:28:03 -0700 (PDT) (envelope-from eugen@svzserv.kemerovo.su) Received: from svzserv.kemerovo.su (kost [213.184.65.82]) by www.svzserv.kemerovo.su (8.9.3/8.9.3) with ESMTP id SAA86059; Wed, 11 Apr 2001 18:27:56 +0800 (KRAST) (envelope-from eugen@svzserv.kemerovo.su) Message-ID: <3AD43FB9.7D28DC8B@svzserv.kemerovo.su> Date: Wed, 11 Apr 2001 18:27:53 +0700 From: Eugene Grosbein Organization: SVZServ X-Mailer: Mozilla 4.76 [en] (Win95; U) X-Accept-Language: ru,en MIME-Version: 1.0 To: Anton Vladimirov Cc: Eugene Grosbein , security@FreeBSD.ORG Subject: Re: ftp vulnerability References: <15739596567.20010411131004@mail.ru> <20010411171843.A78034@svzserv.kemerovo.su> <941113000.20010411133520@mail.ru> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Anton Vladimirov wrote: > >> I run FreeBSD 4.0-RELEASE with all security patches applied. > >> Could anyone clearly explain how to fix the recent > >> ftpd hole for this version? > > EG> You can use workaround: put a record into /etc/login.conf: > > EG> anonftp:\ > EG> :datasize=16M:\ > EG> :stacksize=8M:\ > EG> :memoryuse=16M:\ > EG> :priority=5:\ > EG> :tc=default: > > EG> Choose values suitable for you. Then do > EG> cap_mkdb /etc/login.conf > EG> and set login class of user 'ftp' to anonftp. > EG> This will prevent exloiting this hole. 
> > Is this vulnerability concerned only to anonymous ftp? > Can it be exploited by non-anonymous users? Yes, it can. You should either set the login class of users to 'anonftp' or modify their login classes. Eugene Grosbein To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 3:29:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from void.xpert.com (xpert.com [199.203.132.1]) by hub.freebsd.org (Postfix) with ESMTP id 5448C37B422 for ; Wed, 11 Apr 2001 03:29:13 -0700 (PDT) (envelope-from Yonatan@xpert.com) Received: from mailserv.xpert.com ([199.203.132.135]) by void.xpert.com with esmtp (Exim 3.20 #1) id 14nGww-0004rO-00 for security@freebsd.org; Wed, 11 Apr 2001 12:30:06 +0300 Received: by mailserv.xpert.com with Internet Mail Service (5.5.2650.21) id ; Wed, 11 Apr 2001 13:28:52 +0300 Message-ID: From: Yonatan Bokovza To: "'security@freebsd.org'" Subject: insecure tmp file creation in ksh93 port Date: Wed, 11 Apr 2001 13:28:51 +0300 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="windows-1255" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, I was looking at hardening the rksh for a client when I saw the following lines in src/cmd/ksh93/features/options.sh:

---
cat > /tmp/file$$ < /dev/null
then echo "#define SHELLMAGIC 1"
fi
rm -f /tmp/file$$
---

what gives? J. 
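The problem in the options.sh lines is the predictable name: file$$ is just the script's PID, and a plain `>` redirection follows whatever already sits at that path. As an added example, not code from the ksh93 port or from the thread, the script below runs that pattern and a mktemp-based replacement against a constructed symlink that a local user could plant in a shared /tmp. A private directory stands in for /tmp, and the function names and the victim file are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the ksh93 port or the thread): the options.sh
# temp-file pattern next to a safe version, exercised against a planted
# symlink. A mktemp -d directory plays the role of the world-writable /tmp.

# The pattern from options.sh: predictable name, plain redirection.
# If $tmp/file$$ is already a symlink, '>' follows it and truncates the
# target, and the rm only removes the symlink afterwards.
vulnerable_probe() {
    tmp=$1
    cat > "$tmp/file$$" < /dev/null
    rm -f "$tmp/file$$"
}

# Safe version: mktemp creates a brand-new file (O_CREAT|O_EXCL) under an
# unpredictable name, so a pre-planted symlink is never opened.
safe_probe() {
    tmp=$1
    f=$(mktemp "$tmp/file.XXXXXX") || return 1
    cat > "$f" < /dev/null
    rm -f "$f"
}

# plant_symlink DIR TARGET: what the attacker does ahead of time, guessing
# the victim's PID (here it is simply our own $$).
plant_symlink() {
    ln -s "$2" "$1/file$$"
}

# victim_clobbered PROBE: run PROBE in a fresh directory that holds a
# victim file and a planted symlink to it. Returns 0 if the victim was
# truncated (attack worked), 1 if it survived intact.
victim_clobbered() {
    probe=$1
    tmp=$(mktemp -d) || return 2
    victim="$tmp/victim.txt"
    echo "important data" > "$victim"      # constructed victim content
    plant_symlink "$tmp" "$victim"
    "$probe" "$tmp"
    if [ -s "$victim" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# Demo run.
if victim_clobbered vulnerable_probe; then
    echo "options.sh pattern: victim truncated through the planted symlink"
fi
if ! victim_clobbered safe_probe; then
    echo "mktemp version: victim left intact"
fi
```

Note that the rm -f at the end of the original pattern does not undo the damage: it removes the symlink, while the file it pointed at has already been truncated by the redirection.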
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 3:44:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.218.227.234]) by hub.freebsd.org (Postfix) with ESMTP id 0B24837B424 for ; Wed, 11 Apr 2001 03:44:24 -0700 (PDT) (envelope-from software@kew.com) Received: from xena (xena.hh.kew.com [192.168.203.148]) by kendra.ne.mediaone.net (Postfix) with SMTP id 173C78C1D for ; Wed, 11 Apr 2001 06:44:13 -0400 (EDT) Message-ID: <007d01c0c274$58ff11c0$94cba8c0@hh.kew.com> From: "Drew Derbyshire" To: References: <3AD33218.FE8D7ACD@ursine.com> <001d01c0c1fc$23d73680$0508a8c0@lofi.dyndns.org> <20010410215014.A8173@scientia.demon.co.uk> Subject: Re: Security Announcements? Date: Wed, 11 Apr 2001 06:44:12 -0400 Organization: Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com) MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Ben Smithurst wrote ... > Well if you want the latest security fixes you shouldn't be running a > -release anyway, that's that the -stable branch is for. One should not expect production servers to be running pre-beta code. Running -stable means you get *everything*, and that's not what a production server owner wants or needs. (FreeBSD needs a reasonable patch utility (ala Redhat Linux's up2date) for semi-automated patch management -- but this ground has been covered before. I'm not trying to open that can of worms here.) 
-ahd- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 5: 4:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from stsws5.die.supsi.ch (stsws5.die.supsi.ch [193.5.154.5]) by hub.freebsd.org (Postfix) with ESMTP id CB31F37B422 for ; Wed, 11 Apr 2001 05:04:23 -0700 (PDT) (envelope-from nunnari@die.supsi.ch) Received: from die.supsi.ch (pcm2022.die.supsi.ch [193.5.152.22]) by stsws5.die.supsi.ch (8.9.1a/8.9.1) with ESMTP id NAA28749; Wed, 11 Apr 2001 13:49:59 +0200 (MET DST) Message-ID: <3AD4475A.4050104@die.supsi.ch> Date: Wed, 11 Apr 2001 14:00:26 +0200 From: Roberto Nunnari User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20010131 Netscape6/6.01 X-Accept-Language: en MIME-Version: 1.0 To: Drew Derbyshire Cc: freebsd-security@freebsd.org Subject: Re: Security Announcements? References: <3AD33218.FE8D7ACD@ursine.com> <001d01c0c1fc$23d73680$0508a8c0@lofi.dyndns.org> <20010410215014.A8173@scientia.demon.co.uk> <007d01c0c274$58ff11c0$94cba8c0@hh.kew.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org stable is not pre-beta. http://www.freebsd.org/handbook/current-stable.html ...cut and paste from the above: 19.2.2. Staying Stable with FreeBSD If you are using FreeBSD in a production environment and want to make sure you have the latest fixes from the -CURRENT branch, you want to be running -STABLE. This is the tree that -RELEASEs are branched from when we are putting together a new release. For example, if you have a copy of 3.4-RELEASE, that is really just a ``snapshot'' from the -STABLE branch that we put on CDROM. In order to get any changes merged into -STABLE after the -RELEASE, you need to ``track'' the -STABLE branch. 19.2.2.1. What is FreeBSD-STABLE? 
FreeBSD-STABLE is our development branch for a more low-key and conservative set of changes intended for our next mainstream release. Changes of an experimental or untested nature do not go into this branch (see FreeBSD-CURRENT). Drew Derbyshire wrote: > Ben Smithurst wrote ... > > >> Well if you want the latest security fixes you shouldn't be running a >> -release anyway, that's that the -stable branch is for. > > > One should not expect production servers to be running pre-beta code. > Running -stable means you get *everything*, and that's not what a production > server owner wants or needs. > > (FreeBSD needs a reasonable patch utility (ala Redhat Linux's up2date) for > semi-automated patch management -- but this ground has been covered before. > I'm not trying to open that can of worms here.) > > -ahd- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Roberto Nunnari -software engineer- mailto:nunnari@die.supsi.ch Scuola Universitaria Professionale della Svizzera Italiana Dipartimento di Informatica e Elettronica http://www.die.supsi.ch SUPSI-DIE Via Cantonale tel: +41-91-6108557 6928 Manno """ Switzerland (o o) =======================oOO==(_)==OOo======================== MY OPINIONS ARE NOT NECESSARILY THOSE OF MY EMPLOYER To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 6: 6:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (oe4.law7.hotmail.com [216.33.236.108]) by hub.freebsd.org (Postfix) with ESMTP id 220F937B422 for ; Wed, 11 Apr 2001 06:06:37 -0700 (PDT) (envelope-from default013@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 11 Apr 2001 06:06:37 -0700 X-Originating-IP: [24.14.93.185] Reply-To: "default013" From: "default013" To: Subject: Open-SSH Setup Questions Date: Wed, 11 Apr 2001 08:06:40 -0500 
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Message-ID:
X-OriginalArrivalTime: 11 Apr 2001 13:06:37.0017 (UTC) FILETIME=[3D8A0490:01C0C288]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I'm trying to get open-ssh working on my FreeBSD machine and had a few
questions on how to get it working:

How can I tell if open-ssl is installed, and if so, what would be the path
to it for an application that wants to use it, such as apache? (I did
install the crypto library at install, so I am sure I have it... just don't
know where it is)

How do I make/get the /etc/ssh/ssh_host_key file?

I only want to use regular password authentication so that it is easy to
use. Are there any special configurations I need to make to do this?

I appreciate the help, thanks.

From owner-freebsd-security Wed Apr 11 6:37:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.fineos.com (gatekeeper.msc.ie [194.125.128.202]) by hub.freebsd.org (Postfix) with ESMTP id 1EBB637B422 for ; Wed, 11 Apr 2001 06:37:36 -0700 (PDT) (envelope-from Martin.Pegman@fineos.com)
Received: (from smap@localhost) by gatekeeper.fineos.com (8.11.0/8.8.5) id f3BDg2r16579 for ; Wed, 11 Apr 2001 14:42:02 +0100
X-Authentication-Warning: gatekeeper.msc.ie: smap set sender to using -f
Received: from oasis003.msc.ie( 192.168.125.248) by gatekeeper.msc.ie via smap (V2.1) id xma016568; Wed, 11 Apr 01 14:42:01 +0100
Received: from oasis010.msc.ie (oasis010.msc.ie) by oasis003.msc.ie (Content Technologies SMTPRS 4.1.5) with ESMTP id for ; Wed, 11 Apr 2001 14:45:27 +0100
Received: from oasis006.msc.ie (oasis006.msc.ie [192.168.125.245]) by oasis010.msc.ie (8.11.0/8.9.1) with ESMTP id f3BDRGn10036 for ; Wed, 11 Apr 2001 14:27:16 +0100
Received: by oasis006.msc.ie with Internet Mail Service (5.5.2653.19) id <1H2PX4F7>; Wed, 11 Apr 2001 14:40:57 +0100
Message-ID:
From: Martin Pegman
To: freebsd-security@freebsd.org
Subject: unsubscribe
Date: Wed, 11 Apr 2001 14:40:56 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The information contained in this e-mail is confidential, may be privileged
and is intended only for the use of the recipient named above. If you are not
the intended recipient or a representative of the intended recipient, you
have received this e-mail in error and must not copy, use or disclose the
contents of this email to anybody else. If you have received this e-mail in
error, please notify the sender immediately by return e-mail and permanently
delete the copy you received.

This email has been swept for computer viruses. However, you should carry
out your own virus checks.

Registered in Ireland, No. 205721.
http://www.FINEOS.com

From owner-freebsd-security Wed Apr 11 6:47:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ra.upan.org (ra.upan.org [204.107.76.19]) by hub.freebsd.org (Postfix) with ESMTP id 4A14037B422 for ; Wed, 11 Apr 2001 06:47:20 -0700 (PDT) (envelope-from mikel@ra.upan.org)
Received: (from mikel@localhost) by ra.upan.org (8.11.1/8.11.1) id f3BDk9l65143; Wed, 11 Apr 2001 09:46:09 -0400 (EDT) (envelope-from mikel)
Date: Wed, 11 Apr 2001 09:46:09 -0400
From: Mikel King
To: Michael Bryan
Cc: freebsd-security@freebsd.org
Subject: Re: Security Announcements?
Message-ID: <20010411094609.A64571@ra.upan.org>
References: <3AD33218.FE8D7ACD@ursine.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AD33218.FE8D7ACD@ursine.com>; from fbsd-secure@ursine.com on Tue, Apr 10, 2001 at 09:17:28AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Apr 10, 2001 at 09:17:28AM -0700, Michael Bryan wrote:
>
> What's up (or not up) with security announcements these days?
> It's been some time since the NTP vulnerability came to light,
> and many other affected systems/products have made their
> announcements, but nothing official from FreeBSD yet. Now we
> have an FTP vulnerability hitting the streets too.

{SNIP}

Wow, this has turned into a rather long thread... Ok, so I've read quite a
bit of it, and what seems to be repeated several times is that people feel
like they are getting informed. I liken it to when I get a notice from the
monitor that one of my clients' T1s goes down and I start working on it
pronto but fail to call the client until it's done, or worse they call me. I
can't tell you how much better they feel being called immediately just to
let them know that we're on top of things.

Of course this leads to the question, would it be a good idea to ask the
security team to publish a list on a periodic basis that identifies each
update they are working on/needs work to be done etc... I know on the one
hand that I would like the extra notification and yet on the other I really
don't want the script-kiddies on this list to pick up on things that the
fBSD crew fix internally before anyone normally ever knows about them...

Sure it would be nice to have a bin system but stable seems easy enough, so
until someone actually develops a better system I'll wager stable is the way
to go.

Well, that's my $0.01.

cheers,
mikel

From owner-freebsd-security Wed Apr 11 8:21:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id DA0C337B422 for ; Wed, 11 Apr 2001 08:21:14 -0700 (PDT) (envelope-from christopher@schulte.org)
Received: from schulte-laptop.schulte.org ([64.183.199.40]) by poontang.schulte.org (8.12.0.Beta5/8.12.0.Beta5) with ESMTP id f3BFLCIr024475; Wed, 11 Apr 2001 10:21:13 -0500 (CDT)
Message-Id: <5.0.2.1.0.20010411101636.00b08650@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Wed, 11 Apr 2001 10:20:45 -0500
To: "Drew Derbyshire" ,
From: Christopher Schulte
Subject: Re: Security Announcements?
In-Reply-To: <007d01c0c274$58ff11c0$94cba8c0@hh.kew.com>
References: <3AD33218.FE8D7ACD@ursine.com> <001d01c0c1fc$23d73680$0508a8c0@lofi.dyndns.org> <20010410215014.A8173@scientia.demon.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:44 AM 4/11/2001 -0400, Drew Derbyshire wrote:
>Running -stable means you get *everything*, and that's not what a production
>server owner wants or needs.

You don't have to get *everything* when following -STABLE. Take a look at
/etc/defaults/make.conf and look for:

# To avoid building various parts of the base system:

Edit /etc/make.conf to suit your desires.
>-ahd-

--chris

From owner-freebsd-security Wed Apr 11 8:23:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from aes.thinksec.com (aes.thinksec.com [193.212.248.16]) by hub.freebsd.org (Postfix) with ESMTP id F06FE37B422 for ; Wed, 11 Apr 2001 08:23:17 -0700 (PDT) (envelope-from des@thinksec.com)
Received: (from des@localhost) by aes.thinksec.com (8.11.3/8.11.3) id f3BFMuN43565; Wed, 11 Apr 2001 17:22:56 +0200 (CEST) (envelope-from des@thinksec.com)
X-Authentication-Warning: aes.thinksec.com: des set sender to des@thinksec.com using -f
X-URL: http://www.ofug.org/~des/
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: ftp problem
References:
From: Dag-Erling Smorgrav
Date: 11 Apr 2001 17:22:55 +0200
In-Reply-To: George.Giles@mcmail.vanderbilt.edu's message of "Tue, 10 Apr 2001 11:21:50 -0500"
Message-ID:
Lines: 10
User-Agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

George.Giles@mcmail.vanderbilt.edu writes:
> How can I set ftpd to work through the ipfw when I do not know the data
> connection port ?

The data port will always be in the 49152-65535 range, or whatever you set
the high port range to. See ftpd(4) and ip(4).
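As an added illustration of the answer above (example code, not from the thread or from FreeBSD), the following script builds ipfw rules for an ftpd host that admit passive data connections only on the kernel's high port range, reading the net.inet.ip.portrange.hifirst/hilast sysctls that ip(4) documents. The outside interface name, the rule numbers, and the IPFW/EXT_IF variables are assumptions; setting IPFW=echo previews the rules without loading them.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules for an ftpd(8) host that
# open inbound access only to the control port and to the high port range
# ftpd uses for passive data sockets (see ip(4) for the sysctls).
# Assumptions: EXT_IF is the outside interface, rule numbers 1000-1030 are
# free, and IPFW may be pointed at "echo" to preview instead of load.

IPFW=${IPFW:-/sbin/ipfw}
EXT_IF=${EXT_IF:-fxp0}

# Print "hifirst hilast" as configured in the running kernel. When the
# sysctls are unavailable (previewing on another system), fall back to the
# defaults quoted in the thread, 49152-65535.
high_port_range() {
    first=$(sysctl -n net.inet.ip.portrange.hifirst 2>/dev/null || true)
    last=$(sysctl -n net.inet.ip.portrange.hilast 2>/dev/null || true)
    if [ -z "$first" ] || [ -z "$last" ]; then
        first=49152
        last=65535
    fi
    echo "$first $last"
}

# Load (or, with IPFW=echo, print) the rules. Inbound, only port 21 and the
# passive data range are admitted; active-mode data connections originate
# from port 20 on this host and need only the outbound rule.
ftp_rules() {
    set -- $(high_port_range)
    first=$1
    last=$2
    $IPFW add 1000 allow tcp from any to me 21 in via "$EXT_IF" setup
    $IPFW add 1010 allow tcp from any to me "$first-$last" in via "$EXT_IF" setup
    $IPFW add 1020 allow tcp from me 20 to any out via "$EXT_IF" setup
    $IPFW add 1030 allow tcp from any to any via "$EXT_IF" established
}
```

Rule 1010 admits every port in the high range on this host, not just the one ftpd happens to pick, so any other service listening in that range becomes reachable too; keep the range tight or move ftpd behind a narrower, explicitly configured range if that matters.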
DES
--
Dag-Erling Smørgrav - des@thinksec.com

From owner-freebsd-security Wed Apr 11 8:23:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dzet.kmost.express.ru (dzet.kmost.express.ru [212.24.37.102]) by hub.freebsd.org (Postfix) with ESMTP id C95CE37B424 for ; Wed, 11 Apr 2001 08:23:50 -0700 (PDT) (envelope-from gem@dzet.kmost.express.ru)
Received: from gem (helo=localhost) by dzet.kmost.express.ru with local-esmtp (Exim 3.22 #2) id 14nMRd-0001Av-00; Wed, 11 Apr 2001 19:22:09 +0400
Date: Wed, 11 Apr 2001 19:22:09 +0400 (MSD)
From: Maxim Giryaev
X-Sender: gem@dzet.kmost.express.ru
To: Anton Vladimirov
Cc: security@freebsd.org
Subject: Re: ftp vulnerability
In-Reply-To: <15739596567.20010411131004@mail.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 11 Apr 2001, Anton Vladimirov wrote:
> I run FreeBSD 4.0-RELEASE with all security patches applied.
> Could anyone clearly explain how to fix the recent
> ftpd hole for this version?

You can download all sources needed to make ftpd, including the libc part:

ftp://ftp.dev.express.ru/pub/FreeBSD/utils/ftpd.tgz

cd libexec/ftpd && make

Maxim Giryaev

From owner-freebsd-security Wed Apr 11 8:25:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from be-well.ilk.org (lowellg.ne.mediaone.net [24.147.184.128]) by hub.freebsd.org (Postfix) with ESMTP id 26AE137B422 for ; Wed, 11 Apr 2001 08:25:33 -0700 (PDT) (envelope-from lowell@be-well.ilk.org)
Received: (from lowell@localhost) by be-well.ilk.org (8.11.3/8.11.3) id f3BFPVf75799; Wed, 11 Apr 2001 11:25:31 -0400 (EDT) (envelope-from lowell)
To: Rasputin , freebsd-security@freebsd.org
Subject: Re: Interaction between ipfw, IPSEC and natd
References: <20010410181407.A1011@linnet.org> <20010411100036.B63302@dogma.freebsd-uk.eu.org>
From: Lowell Gilbert
Date: 11 Apr 2001 11:25:31 -0400
In-Reply-To: rara.rasputin@virgin.net's message of "11 Apr 2001 11:00:50 +0200"
Message-ID: <44bsq331ck.fsf@lowellg.ne.mediaone.net>
Lines: 24
X-Mailer: Gnus v5.7/Emacs 20.7
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

rara.rasputin@virgin.net (Rasputin) writes:
> Does anybody know if ipfilter has similar problems with IPSec?

Some forms of IPSEC have fundamental problems with packet rewriting,
which means that NAT is extremely hard to use in an IPSEC environment.
Notably, end-to-end IPSEC modes are broken, although router-based
tunnels can be a problem depending on whether the NAT rewriting occurs
before or after the IPSEC headers are applied.

Even without NAT, though, firewalls are a little tricky to configure
for IPSEC packets. This is because the firewall can't see the
protocol ports (or even the protocol, for that matter) in the packet,
so you have to make pass/drop decisions for IPSEC packets without that
information.
Both ipfilter and ipfw have some ability to deal with IP
options, but it's a little limited in both cases and I'm too far out
of my depth to speculate on what the right approach to firewalling
IPSEC would be.

Be well.
Lowell Gilbert
--
Everybody is ignorant, only on different subjects.
-- Will Rogers

From owner-freebsd-security Wed Apr 11 8:31:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id E5A5F37B422 for ; Wed, 11 Apr 2001 08:31:52 -0700 (PDT) (envelope-from anderson@centtech.com)
Received: (from smap@localhost) by proxy.centtech.com (8.8.4/8.6.9) id KAA08072; Wed, 11 Apr 2001 10:31:34 -0500 (CDT)
Received: from sprint.centtech.com(10.177.173.31) by proxy.centtech.com via smap (V2.0/2.1+anti-relay+anti-spam) id xma008070; Wed, 11 Apr 01 10:31:10 -0500
Received: from centtech.com (shiva [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id KAA06903; Wed, 11 Apr 2001 10:31:10 -0500 (CDT)
Message-ID: <3AD478BE.E19A16F@centtech.com>
Date: Wed, 11 Apr 2001 10:31:10 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.14-5.0smp i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Lowell Gilbert
Cc: Rasputin , freebsd-security@freebsd.org
Subject: Re: Interaction between ipfw, IPSEC and natd
References: <20010410181407.A1011@linnet.org> <20010411100036.B63302@dogma.freebsd-uk.eu.org> <44bsq331ck.fsf@lowellg.ne.mediaone.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I was having a hard time getting NATD to work with ipfw and IPSEC, so I
tried IPFILTER (ipf) and ipnat, and they work fairly well together.
The firewall rules are still a pain to get working, however, but I'm much
farther along than I was with ipfw and NATD.

Eric

Lowell Gilbert wrote:
>
> rara.rasputin@virgin.net (Rasputin) writes:
>
> > Does anybody know if ipfilter has similar problems with IPSec?
>
> Some forms of IPSEC have fundamental problems with packet rewriting,
> which means that NAT is extremely hard to use in an IPSEC environment.
> Notably, end-to-end IPSEC modes are broken, although router-based
> tunnels can be a problem depending on whether the NAT rewriting occurs
> before or after the IPSEC headers are applied.
>
> Even without NAT, though, firewalls are a little tricky to configure
> for IPSEC packets. This is because the firewall can't see the
> protocol ports (or even the protocol, for that matter) in the packet,
> so you have to make pass/drop decisions for IPSEC packets without that
> information. Both ipfilter and ipfw have some ability to deal with IP
> options, but it's a little limited in both cases and I'm too far out
> of my depth to speculate on what the right approach to firewalling
> IPSEC would be.
>
> Be well.
> Lowell Gilbert
> --
> Everybody is ignorant, only on different subjects.
> -- Will Rogers

--
-------------------------------------------------------------------------------
Eric Anderson      anderson@centtech.com      Centaur Technology      (512) 418-5792
To see a need and wait to be asked, is to already refuse.
-------------------------------------------------------------------------------

From owner-freebsd-security Wed Apr 11 8:59:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from probity.mcc.ac.uk (probity.mcc.ac.uk [130.88.200.94]) by hub.freebsd.org (Postfix) with ESMTP id 160ED37B422 for ; Wed, 11 Apr 2001 08:59:25 -0700 (PDT) (envelope-from rasputin@freebsd-uk.eu.org)
Received: from dogma.freebsd-uk.eu.org ([130.88.200.97] ident=root) by probity.mcc.ac.uk with esmtp (Exim 2.05 #4) id 14nN1g-000B7J-00; Wed, 11 Apr 2001 16:59:24 +0100
Received: (from rasputin@localhost) by dogma.freebsd-uk.eu.org (8.11.1/8.11.1) id f3BFxNj70562; Wed, 11 Apr 2001 16:59:23 +0100 (BST) (envelope-from rasputin)
Date: Wed, 11 Apr 2001 16:59:23 +0100
From: Rasputin
To: freebsd-security@freebsd.org
Cc: lowell@world.std.com
Subject: Re: Interaction between ipfw, IPSEC and natd
Message-ID: <20010411165923.A70350@dogma.freebsd-uk.eu.org>
Reply-To: Rasputin
References: <20010410181407.A1011@linnet.org> <20010411100036.B63302@dogma.freebsd-uk.eu.org> <44bsq331ck.fsf@lowellg.ne.mediaone.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <44bsq331ck.fsf@lowellg.ne.mediaone.net>; from lowell@world.std.com on Wed, Apr 11, 2001 at 11:25:31AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Lowell Gilbert [010411 16:29]:
> rara.rasputin@virgin.net (Rasputin) writes:
> > Does anybody know if ipfilter has similar problems with IPSec?

> Some forms of IPSEC have fundamental problems with packet rewriting,
> which means that NAT is extremely hard to use in an IPSEC environment.
> Notably, end-to-end IPSEC modes are broken, although router-based
> tunnels can be a problem depending on whether the NAT rewriting occurs
> before or after the IPSEC headers are applied.
Sorry, should have made it clearer. I'm not running a VPN or anything, I
just need to secure a wireless network. So I need transport mode IPSec on
top of IPv4 from iBook clients to the BSD gateway/firewall. NAT would take
place *after* the packets reach the gateway, on the outbound interface.

Cheers anyway, I'm an ipf fan so I'll grit my teeth through that.

> Even without NAT, though, firewalls are a little tricky to configure
> for IPSEC packets. This is because the firewall can't see the
> protocol ports (or even the protocol, for that matter) in the packet,
> so you have to make pass/drop decisions for IPSEC packets without that
> information.

> Everybody is ignorant, only on different subjects.
> -- Will Rogers

Amen to that :)

--
"No problem is so formidable that you can't just walk away from it."
Rasputin
Jack of All Trades :: Master of Nuns

From owner-freebsd-security Wed Apr 11 9:34:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from aji.wilshire.net (worm.wilshire.net [64.161.77.242]) by hub.freebsd.org (Postfix) with ESMTP id 498AD37B422 for ; Wed, 11 Apr 2001 09:34:32 -0700 (PDT) (envelope-from rjm@Wilshire.Net)
Received: from emilyd (emilyd.wilshire.net [10.100.123.20]) by aji.wilshire.net (8.11.1/8.11.1) with SMTP id f3BGRmW87067 for ; Wed, 11 Apr 2001 09:27:48 -0700 (PDT)
From: "Riley J. McIntire"
To: "FreeBSD Security"
Subject: How to interpret Security Check
Date: Wed, 11 Apr 2001 09:34:30 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings:

This machine, a small mail server doing nat and (caching only) bind
(8.2.3-REL) core dumped signal 11 twice--I thought it was a nic at first, and
removed it. It happened again and I'm guessing it's memory or a motherboard
issue now(?).

The second time it dumped, it was powered off, then on, went into single
user. The onsite operator did a fsck, and brought it back to multiuser. She
reported lots of file errors. Which I'm assuming caused the following in the
security check output. But sometimes I assume too much! I'd like to make
sure I'm not missing a security issue.

Comments are welcome.

Thanks,

Riley

To: undisclosed-recipients:
Subject: mail.somebiz.com security check output

checking setuid files and devices:
USER=root
host=mail.somebiz.com
c=?
HOME=/root
rc=0
PS1=#
OPTIND=1
PS2=>
LOGNAME=root
PATH=/sbin:/bin:/usr/bin
ignore=
MP=
sflag=FALSE
TMP=/var/run/_secure.7644
SHELL=/bin/sh
IFS=
LC_ALL=C
yesterday=Apr 10
LOG=/var/log
cmp: EOF on /var/run/_secure.7644
mail.somebiz.com setuid diffs:
1,71d0
< 14989 -r-xr-sr-x 1 root operator 57076 Nov 20 03:59:17 2000 /bin/df
< 15002 -r-sr-xr-x 1 root wheel 319548 Nov 20 04:06:07 2000 /bin/rcp
< 15051 -r-xr-sr-x 1 root kmem 62944 Nov 20 04:00:57 2000 /sbin/ccdconfig
< 15057 -r-xr-sr-x 1 root kmem 69604 Nov 20 04:00:58 2000 /sbin/dmesg
< 15121 -r-xr-sr-x 2 root tty 331452 Nov 20 04:06:51 2000 /sbin/dump
< 15096 -r-sr-xr-x 1 root wheel 195812 Nov 20 04:01:09 2000 /sbin/ping
< 15097 -r-sr-xr-x 1 root bin 191012 Nov 20 04:01:09 2000 /sbin/ping6
< 15121 -r-xr-sr-x 2 root tty 331452 Nov 20 04:06:51 2000 /sbin/rdump
< 15119 -r-xr-sr-x 2 root tty 358284 Nov 20 04:06:55 2000 /sbin/restore
< 15101 -r-sr-xr-x 1 root wheel 191924 Nov 20 04:01:10 2000 /sbin/route
< 15119 -r-xr-sr-x 2 root tty 358284 Nov 20 04:06:55 2000 /sbin/rrestore
< 15106 -r-sr-x--- 1 root operator 164668 Nov 20 04:01:11 2000 /sbin/shutdown
< 8035 -r-sr-xr-x 4 root wheel 19540 Nov 20 04:01:51 2000 /usr/bin/at
< 8035 -r-sr-xr-x 4 root wheel 19540 Nov 20 04:01:51 2000 /usr/bin/atq
< 8035 -r-sr-xr-x 4 root wheel 19540 Nov 20 04:01:51 2000 /usr/bin/atrm
< 8035 -r-sr-xr-x 4 root wheel 19540 Nov 20 04:01:51 2000 /usr/bin/batch
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 04:01:52 2000 /usr/bin/chfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 04:01:52 2000 /usr/bin/chpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 04:01:52 2000 /usr/bin/chsh
< 8241 -r-sr-xr-x 1 root wheel 24508 Nov 20 04:02:26 2000 /usr/bin/crontab
< 7937 -r-sr-sr-x 1 uucp dialer 123824 Nov 20 03:59:39 2000 /usr/bin/cu
< 8075 -r-xr-sr-x 1 root kmem 13108 Nov 20 04:01:56 2000 /usr/bin/fstat
< 8090 -r-xr-sr-x 1 root kmem 9832 Nov 20 04:01:57 2000 /usr/bin/ipcs
< 8096 -r-sr-xr-x 1 root wheel 510 Nov 20 04:01:58 2000 /usr/bin/keyinfo
< 8097 -r-sr-xr-x 1 root wheel 7444 Nov 20 04:01:58 2000 /usr/bin/keyinit
< 8114 -r-sr-xr-x 1 root wheel 7004 Nov 20 04:02:00 2000 /usr/bin/lock
< 8117 -r-sr-xr-x 1 root wheel 19764 Nov 20 04:06:42 2000 /usr/bin/login
< 8246 -r-sr-sr-x 1 root daemon 20008 Nov 20 04:02:48 2000 /usr/bin/lpq
< 8247 -r-sr-sr-x 1 root daemon 23368 Nov 20 04:02:48 2000 /usr/bin/lpr
< 8248 -r-sr-sr-x 1 root daemon 19372 Nov 20 04:02:48 2000 /usr/bin/lprm
< 7989 -r-sr-xr-x 1 man wheel 28512 Nov 20 04:00:02 2000 /usr/bin/man
< 8136 -r-xr-sr-x 1 root kmem 85104 Nov 20 04:02:07 2000 /usr/bin/netstat
< 8138 -r-xr-sr-x 1 root kmem 9904 Nov 20 04:02:07 2000 /usr/bin/nfsstat
< 8269 -r-sr-xr-x 2 root wheel 30540 Nov 20 04:06:44 2000 /usr/bin/passwd
< 8151 -r-sr-xr-x 1 root wheel 10440 Nov 20 04:02:08 2000 /usr/bin/quota
< 8146 -r-sr-xr-x 1 root wheel 17244 Nov 20 04:06:45 2000 /usr/bin/rlogin
< 8155 -r-sr-xr-x 1 root wheel 14460 Nov 20 04:06:48 2000 /usr/bin/rsh
< 8268 -r-sr-xr-x 2 root wheel 170136 Nov 20 04:11:20 2000 /usr/bin/slogin
< 8268 -r-sr-xr-x 2 root wheel 170136 Nov 20 04:11:20 2000 /usr/bin/ssh
< 8159 -r-sr-xr-x 1 root wheel 11560 Nov 20 04:06:49 2000 /usr/bin/su
< 8174 -r-xr-sr-x 1 root kmem 56112 Nov 20 04:02:11 2000 /usr/bin/systat
< 8182 -r-xr-sr-x 1 root kmem 32312 Nov 20 04:02:12 2000 /usr/bin/top
< 7938 -r-sr-xr-x 1 uucp wheel 88228 Nov 20 03:59:40 2000 /usr/bin/uucp
< 7940 -r-sr-xr-x 1 uucp wheel 37312 Nov 20 03:59:40 2000 /usr/bin/uuname
< 7943 -r-sr-sr-x 1 uucp dialer 96752 Nov 20 03:59:41 2000 /usr/bin/uustat
< 7945 -r-sr-xr-x 1 uucp wheel 88844 Nov 20 03:59:41 2000 /usr/bin/uux
< 8207 -r-xr-sr-x 1 root kmem 15920 Nov 20 04:02:15 2000 /usr/bin/vmstat
< 8209 -r-xr-sr-x 1 root tty 9072 Nov 20 04:02:16 2000 /usr/bin/wall
< 8217 -r-xr-sr-x 1 root tty 7500 Nov 20 04:02:17 2000 /usr/bin/write
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 04:01:52 2000 /usr/bin/ypchfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 04:01:52 2000 /usr/bin/ypchpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 04:01:52 2000 /usr/bin/ypchsh
< 8269 -r-sr-xr-x 2 root wheel 30540 Nov 20 04:06:44 2000 /usr/bin/yppasswd
< 405663 -r-sr-xr-x 1 root wheel 396564 Nov 20 04:02:50 2000 /usr/libexec/sendmail/sendmail
< 420614 -r-sr-sr-x 1 uucp dialer 220672 Nov 20 03:59:40 2000 /usr/libexec/uucp/uucico
< 420615 -r-sr-s--- 1 uucp uucp 99552 Nov 20 03:59:41 2000 /usr/libexec/uucp/uuxqt
< 373981 -rwsr-xr-x 1 root wheel 10172 Feb 5 14:57:28 2001 /usr/local/libexec/pinger
< 428598 -r-xr-sr-x 1 root kmem 4664 Nov 20 04:02:28 2000 /usr/sbin/ifmcstat
< 428600 -r-xr-sr-x 1 root kmem 9608 Nov 20 04:02:28 2000 /usr/sbin/iostat
< 428712 -r-xr-sr-x 1 root daemon 27028 Nov 20 04:02:48 2000 /usr/sbin/lpc
< 428618 -r-sr-xr-x 1 root wheel 16348 Nov 20 04:02:30 2000 /usr/sbin/mrinfo
< 428620 -r-sr-xr-x 1 root wheel 29896 Nov 20 04:02:33 2000 /usr/sbin/mtrace
< 428755 -r-sr-xr-- 1 root network 283624 Nov 20 04:02:39 2000 /usr/sbin/ppp
< 428756 -r-sr-xr-x 1 root wheel 95580 Nov 20 04:02:39 2000 /usr/sbin/pppd
< 428654 -r-xr-sr-x 2 root kmem 14584 Nov 20 04:02:39 2000 /usr/sbin/pstat
< 428676 -r-sr-x--- 1 root network 10984 Nov 20 04:02:42 2000 /usr/sbin/sliplogin
< 428654 -r-xr-sr-x 2 root kmem 14584 Nov 20 04:02:39 2000 /usr/sbin/swapinfo
< 428684 -r-sr-xr-x 1 root wheel 15112 Nov 20 04:02:43 2000 /usr/sbin/timedc
< 428685 -r-sr-xr-x 1 root wheel 13168 Nov 20 04:02:44 2000 /usr/sbin/traceroute
< 428686 -r-sr-xr-x 1 root bin 14952 Nov 20 04:02:44 2000 /usr/sbin/traceroute6
< 428687 -r-xr-sr-x 1 root kmem 8040 Nov 20 04:02:44 2000 /usr/sbin/trpt
Segmentation fault - core dumped
mail.somebiz.com changes in mounted filesystems:
1,4d0
< /dev/ad0s1a / ufs rw 1 1
< /dev/ad0s1e /usr ufs rw 2 2
< /dev/ad0s1f /var ufs rw 2 2
< procfs /proc procfs rw 0 0

checking for uids of 0:
root 0
toor 0

checking for passwordless accounts:

mail.somebiz.com denied packets:

mail.somebiz.com kernel log messages:
> pid 7665 (mount), uid 0: exited on signal 11 (core dumped)

mail.somebiz.com login failures:

mail.somebiz.com refused connections:
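One reading of the report above, added here as an illustration rather than as part of Riley's post: the variable dump shows MP= empty, the kernel log shows mount(8) exiting on signal 11, and the diff is "1,71d0" against an empty temporary file, which is what a setuid scan with no mount points to walk would produce. The script below is a constructed model of that mechanism (not FreeBSD's own /etc/security) and adds a classifier that tells an empty scan apart from a real change in the setuid set.

```shell
#!/bin/sh
# Added example, constructed for illustration; not FreeBSD's /etc/security.
# Models the nightly setuid check: a listing of yesterday's setuid files is
# compared against a fresh scan of every ufs mount point. If the mount-point
# query yields nothing (as when mount(8) dumps core), the fresh scan is empty
# and diff reports every line of yesterday's list as deleted ("1,Nd0").

# Yesterday's listing, ls -li style. Constructed sample of four entries
# copied from the report above.
YESTERDAY_LIST='14989 -r-xr-sr-x 1 root operator 57076 Nov 20 03:59:17 2000 /bin/df
15096 -r-sr-xr-x 1 root wheel 195812 Nov 20 04:01:09 2000 /sbin/ping
8269 -r-sr-xr-x 2 root wheel 30540 Nov 20 04:06:44 2000 /usr/bin/passwd
8159 -r-sr-xr-x 1 root wheel 11560 Nov 20 04:06:49 2000 /usr/bin/su'

# Stand-in for the `mount -t ufs | awk ...` query: prints the mount points,
# or nothing at all in "crashed" mode, mirroring a mount(8) that died.
list_mountpoints() {
    [ "$1" = crashed ] && return 0
    printf '%s\n' / /usr /var
}

# Build today's listing into $2. The real check runs find(1) over each mount
# point; with no mount points there is nothing to scan and the file stays
# empty. A successful scan is modelled as yesterday's list unchanged.
build_today_list() {
    mode=$1
    out=$2
    mps=$(list_mountpoints "$mode")
    if [ -z "$mps" ]; then
        : > "$out"
    else
        printf '%s\n' "$YESTERDAY_LIST" > "$out"
    fi
}

# Classify the diff between yesterday's and today's listing:
#   clean         identical lists
#   scan-failure  today's file is empty and diff is "1,Nd0" for all N lines,
#                 i.e. the scan itself failed; nothing was actually removed
#   changed       any other difference (a real add, removal or mode change)
classify_setuid_diff() {
    yesterday=$1
    today=$2
    first=$(diff "$yesterday" "$today" | head -n 1)
    if [ -z "$first" ]; then
        echo clean
        return 0
    fi
    n=$(wc -l < "$yesterday" | tr -d ' ')
    if [ ! -s "$today" ] && [ "$first" = "1,${n}d0" ]; then
        echo scan-failure
    else
        echo changed
    fi
}

# Run one nightly check in the given mode ("ok" or "crashed"); print verdict.
run_check() {
    mode=$1
    tmpd=$(mktemp -d)
    printf '%s\n' "$YESTERDAY_LIST" > "$tmpd/setuid.yesterday"
    build_today_list "$mode" "$tmpd/setuid.today"
    classify_setuid_diff "$tmpd/setuid.yesterday" "$tmpd/setuid.today"
    rm -rf "$tmpd"
}

# For contrast: a genuine change, one extra setuid file appearing today.
run_check_with_new_file() {
    tmpd=$(mktemp -d)
    printf '%s\n' "$YESTERDAY_LIST" > "$tmpd/setuid.yesterday"
    {
        printf '%s\n' "$YESTERDAY_LIST"
        echo '999 -rwsr-xr-x 1 root wheel 1234 Apr 11 00:00:00 2001 /tmp/newsuid'
    } > "$tmpd/setuid.today"
    classify_setuid_diff "$tmpd/setuid.yesterday" "$tmpd/setuid.today"
    rm -rf "$tmpd"
}
```

A "scan-failure" verdict means the setuid inventory for that night is missing rather than changed, so the binaries still need to be checked by hand (or the scan re-run once mount works) before the report is trusted either way.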
From owner-freebsd-security Wed Apr 11 9:40:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id 6AF2E37B422 for ; Wed, 11 Apr 2001 09:40:14 -0700 (PDT) (envelope-from emechler@radix.cryptio.net)
Received: (from emechler@localhost) by radix.cryptio.net (8.11.3/8.11.3) id f3BGeDu57156; Wed, 11 Apr 2001 09:40:13 -0700 (PDT) (envelope-from emechler)
Date: Wed, 11 Apr 2001 09:40:13 -0700
From: Erick Mechler
To: default013
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Open-SSH Setup Questions
Message-ID: <20010411094013.C56673@techometer.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from default013 on Wed, Apr 11, 2001 at 08:06:40AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:: How can I tell if open-ssl is installed, and if so, what would be the path
:: to it for an application that wants to use it, such as apache? (I did
:: install the crypto library at install, so I am sure I have it... just don't
:: know where it is)

If you're running FreeBSD-4.x then you have OpenSSL installed in the base
system. By default, the libraries are in /usr/lib, and the include files are
in /usr/include/openssl. If you use the ports version of Apache, or any other
programs that use OpenSSL, they should be able to find it automagically.

If you're using 3.x, then use the port (security/openssl).

:: How do I make/get the /etc/ssh/ssh_host_key file?

ssh-keygen -f /etc/ssh/ssh_host_key -N ''

:: I only want to use regular password authentication so that it is easy to
:: use. Are there any special configurations I need to make to do this?

The default sshd_config supports password authentication, so you shouldn't
need to change anything to get that working. Also, be sure to read
/usr/src/UPDATING for information about the recent changes to the way OpenSSH
interfaces with PAM.

:: I appreciate the help, thanks.

Welcome.

--Erick

From owner-freebsd-security Wed Apr 11 10:46:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mirage.nlink.com.br (mirage.nlink.com.br [200.249.195.3]) by hub.freebsd.org (Postfix) with SMTP id CEEFD37B424 for ; Wed, 11 Apr 2001 10:46:09 -0700 (PDT) (envelope-from paulo@nlink.com.br)
Received: (qmail 12537 invoked by uid 501); 11 Apr 2001 17:46:05 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Apr 2001 17:46:05 -0000
Date: Wed, 11 Apr 2001 14:46:05 -0300 (EST)
From: Paulo Fragoso
To: "Alexey V. Neyman"
Cc: Anton Vladimirov ,
Subject: Re: ftp vulnerability
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

How to patch FBSD 3.x and FBSD 4.x (for this DOS) without making all in
/usr/src? Are there any simple patch to ftpd used in FBSD 3.x and FBSD 4.x?

Thanks,
Paulo.

On Wed, 11 Apr 2001, Alexey V. Neyman wrote:

> Good day, Anton!
>
> When this hole was patched, libc was also corrected, so you'll need to
> update it too. The least painful way will be CVSup, IMHO.
>
> # Alexey
>
> On Wed, 11 Apr 2001, Anton Vladimirov wrote:
>
> >Hello security,
> >
> > I run FreeBSD 4.0-RELEASE with all security patches applied.
> > Could anyone clearly explain how to fix the recent
> > ftpd hole for this version?
> >
> > I downloaded the sources of ftpd from the 4.2-CURRENT
> > release, but how to install it?
> >
> > I do the following:
> >=============================================
> >bash-2.03# make depend
> >yacc -o ftpcmd.c ftpcmd.y
> >yacc: w - the symbol ext_arg is undefined
> >rm -f .depend
> >mkdep -f .depend -a -DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -DINET6 -I/usr/src/libexec/ftpd -Dmain=ls_main -I/usr/src/libexec/c
> >cd /usr/src/libexec/ftpd; make _EXTRADEPEND
> >echo ftpd: /usr/lib/libc.a /usr/lib/libskey.a /usr/lib/libmd.a /usr/lib/libcrypt.a /usr/lib/libutil.a /usr/lib/libpam.a >> .depend
> >bash-2.03# make
> >Warning: Object directory not changed from original /usr/src/libexec/ftpd
> >cc -O -pipe -DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall -DINET6 -I/usr/src/libexec/ftpd -Dmain=ls_main -I/usr/src/libexec/ftpd/c
> >ftpd.c: In function `send_file_list':
> >ftpd.c:2673: `GLOB_MAXPATH' undeclared (first use in this function)
> >ftpd.c:2673: (Each undeclared identifier is reported only once
> >ftpd.c:2673: for each function it appears in.)
> >ftpd.c:2662: warning: variable `dout' might be clobbered by `longjmp' or `vfork'
> >ftpd.c:2663: warning: variable `dirlist' might be clobbered by `longjmp' or `vfork'
> >ftpd.c:2664: warning: variable `simple' might be clobbered by `longjmp' or `vfork'
> >ftpd.c:2665: warning: variable `freeglob' might be clobbered by `longjmp' or `vfork'
> >*** Error code 1
> >
> >Stop in /usr/src/libexec/ftpd.
> >==================================================
> >
> >Where am I mistaken?
> >
> >
> >--
> >Best regards,
> > Anton                            mailto:admin128@mail.ru
> >
>

--
  __O
_-\<,_    Why drive when you can bike?
(_)/ (_)

From owner-freebsd-security Wed Apr 11 10:52:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhub.airlinksys.com (mailhub.airlinksys.com [216.70.12.6]) by hub.freebsd.org (Postfix) with ESMTP id CF63937B422 for ; Wed, 11 Apr 2001 10:52:17 -0700 (PDT) (envelope-from sjohn@airlinksys.com)
Received: from ns2.airlinksys.com (ns2.airlinksys.com [216.70.12.3]) by mailhub.airlinksys.com (Postfix) with ESMTP id 2973053501 for ; Wed, 11 Apr 2001 12:52:08 -0500 (CDT)
Received: by ns2.airlinksys.com (Postfix, from userid 1000) id CF53E5DD8; Wed, 11 Apr 2001 12:52:07 -0500 (CDT)
Date: Wed, 11 Apr 2001 12:52:07 -0500
From: Scott Johnson
To: freebsd-security@freebsd.org
Subject: Re: Security Announcements
Message-ID: <20010411125207.A95503@ns2.airlinksys.com>
Reply-To: Scott Johnson
Mail-Followup-To: freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There is a difference between security fixes and a 'more low-key and
conservative set of changes intended for our next mainstream release'.

I maintain a single source tree for all of my machines. That source tree is
4.2-RELEASE + security patches. Things break in -STABLE despite the care
taken in merging from -CURRENT; if I don't need features found only in
-STABLE, my preference is to trust more the long testing period of a
-RELEASE. While I could test stable on a spare box, that would be
time-consuming and error-prone, since that box would have to emulate the
designated tasks of all my machines.
On the other hand, maintaining a -STABLE source tree in addition to -RELEASE and selectively installing certain things like bind and ntp when the need arises may have problems because the -STABLE software is out of sync with the rest of the system. This also creates problems when building world with the -RELEASE tree, since some software should come from -STABLE. And when it comes down to it, I'd rather build just a kernel, or just a userspace program, and only when I have to, then rebuild everything on a semi-regular basis. I just want to add my voice as to how I use FreeBSD. Simply saying 'use -STABLE' to those of us running -RELEASE on production systems isn't appropriate, since I believe we have valid reasons for running -RELEASE on our systems. These security issues are not so frequent that providing patches for -RELEASE should be too burdensome. In fact, if -STABLE was fixed, the fix is already available and could be applied to -RELEASE with little or no modification. I've been pleased, actually, with how patches have been made available for -RELEASE until only recently, when both the bind and ntp vulnerabilities went by without patches. I thought, up till this discussion, that it was assumed that many run a -RELEASE, and that patches were supplied for that reason. I for one (and judging by the posts to this thread I'm not alone) use FreeBSD this way, and I ask that it be considered important to make security patches available for the latest -RELEASE. Quoth Roberto Nunnari on Wed, Apr 11, 2001 at 02:00:26PM +0200: > stable is not pre-beta. > http://www.freebsd.org/handbook/current-stable.html > > ...cut and paste from the above: > > 19.2.2. Staying Stable with FreeBSD > > If you are using FreeBSD in a production environment and want to make > sure you have the latest fixes from the -CURRENT branch, you want to be > running -STABLE. This is the tree that -RELEASEs are branched from when > we are putting together a new release. 
> For example, if you have a copy of 3.4-RELEASE, that is really just a
> ``snapshot'' from the -STABLE branch that we put on CDROM. In order to
> get any changes merged into -STABLE after the -RELEASE, you need to
> ``track'' the -STABLE branch.
>
> 19.2.2.1. What is FreeBSD-STABLE?
>
> FreeBSD-STABLE is our development branch for a more low-key and
> conservative set of changes intended for our next mainstream release.
> Changes of an experimental or untested nature do not go into this branch
> (see FreeBSD-CURRENT).

--
Scott Johnson
System/Network Administrator
Airlink Systems

From owner-freebsd-security Wed Apr 11 11:06:13 2001
From: Robert Watson
To: Scott Johnson
Cc: freebsd-security@freebsd.org
Subject: Re: Security Announcements
Date: Wed, 11 Apr 2001 14:06:22 -0400 (EDT)
In-Reply-To: <20010411125207.A95503@ns2.airlinksys.com>

On Wed, 11 Apr 2001, Scott Johnson wrote:

> I just want to add my voice as to how I use FreeBSD. Simply saying 'use
> -STABLE' to those of us running -RELEASE on production systems isn't
> appropriate, since I believe we have valid reasons for running -RELEASE
> on our systems. These security issues are not so frequent that providing
> patches for -RELEASE should be too burdensome.
> In fact, if -STABLE was fixed, the fix is already available and could be
> applied to -RELEASE with little or no modification. I've been pleased,
> actually, with how patches have been made available for -RELEASE until
> only recently, when both the bind and ntp vulnerabilities went by without
> patches. I thought, up till this discussion, that it was assumed that
> many run a -RELEASE, and that patches were supplied for that reason. I
> for one (and judging by the posts to this thread I'm not alone) use
> FreeBSD this way, and I ask that it be considered important to make
> security patches available for the latest -RELEASE.

This has been a recognized problem with the current release practices for a while, and for at least the past few months, it has been decided that the practice will change for FreeBSD 4.3-RELEASE. Rather than simply creating a release tag on the RELENG_4 branch, we'll actually be generating a new RELENG_4_3 branch. This will permit us to deploy security patches on the branch and generate new patchlevel point tags as needed. The main goal in this was actually to make the life of the security-officer easier: right now CVS allows us to manage patches and changes in branches, but when we generate patches for releases, there's no automated and reproducible way to do this.

Currently, the charter of the RELENG_4_3 branch will be that it simply carries security fixes, although it might eventually also carry mission-critical functionality fixes or work-arounds. It will also allow users to cvs update/cvsup along that branch to pick up all available critical release fixes, without picking up new features, and permit easier generation of binary updates to the release.

So the quick answer here is that the problem is already solved, we just haven't had a release since the solution was agreed to by all the relevant parties, so haven't seen any results yet. When Jordan cuts 4.3-RELEASE in a week or two, we'll get to see how well this works in practice.
It will certainly make my life easier, both as a producer and consumer of security fixes :-).

Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org
NAI Labs, Safeport Network Services

From owner-freebsd-security Wed Apr 11 11:13:44 2001
From: Jason DiCioccio
To: 'Scott Johnson', freebsd-security@freebsd.org
Subject: RE: Security Announcements
Date: Wed, 11 Apr 2001 11:13:35 -0700
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D77F@goofy.epylon.lan>

Hello Scott,

While I don't take your approach to maintaining my machines (I actually use -STABLE), I completely agree with you. I have encountered problems in -STABLE due to the given period of time that I simply cvsupped to it (getting -STABLE on a 'bad day'). Mind you, -CURRENT has many more bad days than -STABLE does, but -STABLE definitely has them. And if every single machine on your network has to be up at all times, I would agree with your patching -RELEASE method. I'm sure many others take this path as well, and it seems a logical one. It's nice to have a choice.

Perhaps patches to -RELEASE wouldn't come out as quickly as they would be committed to -STABLE (obviously) but I still think they should be released within a reasonable time-frame.
For instance with NTP, I've seen about every other vendor release advisories/patches for xntpd except for us.

Cheers,
-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH
mailto:jasond@epylon.com

-----Original Message-----
From: Scott Johnson [mailto:sjohn@airlinksys.com]
Sent: Wednesday, April 11, 2001 10:52 AM
To: freebsd-security@freebsd.org
Subject: Re: Security Announcements

[snip]
From owner-freebsd-security Wed Apr 11 11:20:57 2001
From: Jason DiCioccio
To: rwatson@freebsd.org
Cc: freebsd-security@freebsd.org, sjohn@airlinksys.com
Subject: Re: Security Announcements
Date: Wed, 11 Apr 2001 10:21:56 PST
Message-Id: <20010411182202.57FBA1363D@bluenugget.net>

On Wed, 11 Apr 2001 14:06:22 -0400 (EDT) Robert Watson wrote:

[snip]
> Currently, the charter of the RELENG_4_3
> branch will be that it simply carries security fixes, although it might
> eventually also carry mission-critical functionality fixes or
> work-arounds. It will also allow users to cvs update/cvsup along that
> branch to pick up all available critical release fixes, without picking up
> new features, and permit easier generation of binary updates to the
> release.
[snip]

Fantastic, just one question.
I might be asking the obvious but I didn't see it mentioned. Will there be ctm/ftp snapshot tracking available too for those of us that have machines behind restrictive firewalls?

Cheers,
-JD-

From owner-freebsd-security Wed Apr 11 11:27:05 2001
From: Jason DiCioccio
To: rjm@Wilshire.Net
Cc: freebsd-security@freebsd.org
Subject: Re: How to interpret Security Check
Date: Wed, 11 Apr 2001 10:28:16 PST
Message-Id: <20010411182816.EE8831363D@bluenugget.net>

On Wed, 11 Apr 2001 09:34:30 -0700 "Riley J. McIntire" wrote:

> Greetings:

Hello!

> The second time it dumped, it was powered off, then on, went into single
> user. The onsite operator did a fsck, and brought it back to multiuser.
> She reported lots of file errors. Which I'm assuming caused the
> following in the security check output. But sometimes I assume too
> much! I'd like to make sure I'm not missing a security issue.
>
> Comments are welcome.

[snip]

> checking setuid files and devices:
> USER=root
> host=mail.somebiz.com
> c=?
> HOME=/root
> rc=0
> PS1=#
> OPTIND=1
> PS2=>
> LOGNAME=root
> PATH=/sbin:/bin:/usr/bin
> ignore=
> MP=
> sflag=FALSE
> TMP=/var/run/_secure.7644
> SHELL=/bin/sh
> IFS=
>
> LC_ALL=C
> yesterday=Apr 10
> LOG=/var/log
> cmp: EOF on /var/run/_secure.7644

My guess here is that the fsck damaged /etc/security?

> mail.somebiz.com setuid diffs:
> 1,71d0
> < 14989 -r-xr-sr-x 1 root operator 57076 Nov 20 03:59:17 2000 /bin/df
> < 15002 -r-sr-xr-x 1 root wheel 319548 Nov 20 04:06:07 2000 /bin/rcp
> < 15051 -r-xr-sr-x 1 root kmem 62944 Nov 20 04:00:57 2000 /sbin/ccdconfig
[...]
> Segmentation fault - core dumped

It looks here as if you lost /var/*/setuid.today/yesterday (forget which one). Did you have to do a fsck -y? I'm assuming yes. Also, were softupdates enabled? If not, that could've prevented this data loss (assuming it's not a bad drive.)

> mail.somebiz.com changes in mounted filesystems:
> 1,4d0
> < /dev/ad0s1a / ufs rw 1 1
> < /dev/ad0s1e /usr ufs rw 2 2
> < /dev/ad0s1f /var ufs rw 2 2
> < procfs /proc procfs rw 0 0

Again, something lost in /var (perhaps /var/backups).

> checking for uids of 0:
> root 0
> toor 0
>
> checking for passwordless accounts:
>
> mail.somebiz.com denied packets:
>
> mail.somebiz.com kernel log messages:
> pid 7665 (mount), uid 0: exited on signal 11 (core dumped)
>
> mail.somebiz.com login failures:
>
> mail.somebiz.com refused connections:

Cheers,
-JD-
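As an added example (not the /etc/security script whose output is quoted above), a small checker that parses two setuid listings in the `find -ls` format shown in the diff and classifies the difference. The `scan-failed` case covers what the thread shows: today's listing came back empty, so a naive diff reported all 71 entries as removed, when the useful signal is that the scan itself failed. The three baseline paths echo the ones quoted above; the second listing and its paths are constructed.

```python
import re
from dataclasses import dataclass

# One `find -ls` line as it appears in the security check output:
# inode perms links owner group size mtime path
LINE_RE = re.compile(
    r"^\s*(?P<inode>\d+)\s+(?P<perms>[-a-zA-Z]{10})\s+(?P<links>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+"
    r"(?P<path>/\S*)\s*$"
)


@dataclass(frozen=True)
class SetuidEntry:
    """Attributes of one setuid/setgid file that matter for a change report."""
    path: str
    perms: str
    owner: str
    group: str
    size: int
    mtime: str


def parse_listing(text: str) -> dict:
    """Parse a listing into {path: SetuidEntry}; blank lines are ignored."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable listing line: {line!r}")
        entries[m["path"]] = SetuidEntry(
            m["path"], m["perms"], m["owner"], m["group"], int(m["size"]), m["mtime"]
        )
    return entries


def compare_setuid(baseline_text: str, current_text: str) -> dict:
    """Classify the difference between yesterday's and today's listing.

    status is one of:
      no-baseline  nothing to compare against (first run, or baseline lost)
      scan-failed  baseline had entries but today's scan produced none;
                   almost certainly a broken scan, so report no removals
      unchanged    listings are identical
      changed      see the added / removed / changed lists
    """
    baseline = parse_listing(baseline_text)
    current = parse_listing(current_text)
    report = {"added": [], "removed": [], "changed": []}
    if not baseline:
        report["status"] = "no-baseline"
        return report
    if not current:
        report["status"] = "scan-failed"
        return report
    report["added"] = sorted(set(current) - set(baseline))
    report["removed"] = sorted(set(baseline) - set(current))
    # Same path present on both days, but perms/owner/size/mtime differ.
    report["changed"] = sorted(
        p for p in set(current) & set(baseline) if current[p] != baseline[p]
    )
    changed = any(report[k] for k in ("added", "removed", "changed"))
    report["status"] = "changed" if changed else "unchanged"
    return report


# Constructed listings (yesterday's baseline and a made-up "today").
BASELINE = """\
14989 -r-xr-sr-x 1 root operator 57076 Nov 20 03:59:17 2000 /bin/df
15002 -r-sr-xr-x 1 root wheel 319548 Nov 20 04:06:07 2000 /bin/rcp
15051 -r-xr-sr-x 1 root kmem 62944 Nov 20 04:00:57 2000 /sbin/ccdconfig
"""

CURRENT = """\
14989 -r-xr-sr-x 1 root operator 57076 Nov 20 03:59:17 2000 /bin/df
15002 -r-sr-xr-x 1 root wheel 319600 Apr 10 22:15:03 2001 /bin/rcp
20311 -r-sr-xr-x 1 root wheel 12288 Apr 11 01:02:03 2001 /usr/local/bin/newtool
"""

if __name__ == "__main__":
    for label, today in (("normal day", CURRENT), ("after the crash", "")):
        print(label, compare_setuid(BASELINE, today))
```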
From owner-freebsd-security Wed Apr 11 11:34:40 2001
From: "Bruce A. Mah"
To: Jason DiCioccio
Cc: "'Scott Johnson'", freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements
Date: Wed, 11 Apr 2001 11:34:28 -0700
Message-Id: <200104111834.f3BIYS634015@bmah-freebsd-0.cisco.com>
In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA0166D77F@goofy.epylon.lan>

If memory serves me right, Jason DiCioccio wrote:

> While I don't take your approach to maintaining my machines (I
> actually use -STABLE), I completely agree with you. I have
> encountered problems in -STABLE due to the given period of time that
> I simply cvsupped to it (getting -STABLE on a 'bad day'). Mind you,
> -CURRENT has many more bad days than -STABLE does, but -STABLE
> definitely has them. And if every single machine on your network has
> to be up at all times, I would agree with your patching -RELEASE
> method.
> I'm sure many others take this path as well, and it seems a
> logical one. It's nice to have a choice.

Another choice is to not grab the latest 4-STABLE, but use a 4-STABLE from some time in the recent past that was reasonably bug-free. See the date= keyword to cvsup(8).

Bruce.

From owner-freebsd-security Wed Apr 11 11:48:47 2001
From: Jason DiCioccio
To: bmah@FreeBSD.ORG
Cc: sjohn@airlinksys.com, freebsd-security@FreeBSD.ORG, Jason.DiCioccio@Epylon.com
Subject: Re: Security Announcements
Date: Wed, 11 Apr 2001 10:50:04 PST
Message-Id: <20010411185004.A68F213642@bluenugget.net>

On Wed, 11 Apr 2001 11:34:28 -0700 "Bruce A. Mah" wrote:

[snip]
> Another choice is to not grab the latest 4-STABLE, but use a 4-STABLE
> from some time in the recent past that was reasonably bug-free. See the
> date= keyword to cvsup(8).
>
> Bruce.
And how would I know which day/time was considered reasonably bug-free? I do not know of any webpages or anything that tell you this, nor does any given time in the -STABLE branch get as much testing as a -RELEASE. Like I said earlier, I actually do track -STABLE, but unless they're using 4.0, etc. I can see why one would stick with the -RELEASE (although I would never stick with a ?.0-RELEASE :)).

Cheers,
-JD-

From owner-freebsd-security Wed Apr 11 12:02:54 2001
From: Robert Watson
To: Jason DiCioccio
Cc: freebsd-security@freebsd.org, sjohn@airlinksys.com
Subject: Re: Security Announcements
Date: Wed, 11 Apr 2001 15:03:18 -0400 (EDT)
In-Reply-To: <20010411182202.57FBA1363D@bluenugget.net>

On Wed, 11 Apr 2001, Jason DiCioccio wrote:

> On Wed, 11 Apr 2001 14:06:22 -0400 (EDT) Robert Watson wrote:
>
> [snip]
> > Currently, the charter of the RELENG_4_3
> > branch will be that it simply carries security fixes, although it might
> > eventually also carry mission-critical functionality fixes or
> > work-arounds.
> > It will also allow users to cvs update/cvsup along that
> > branch to pick up all available critical release fixes, without picking up
> > new features, and permit easier generation of binary updates to the
> > release.
> [snip]
>
> Fantastic, just one question. I might be asking the obvious but I
> didn't see it mentioned. Will there be ctm/ftp snapshot tracking
> available too for those of us that have machines behind restrictive
> firewalls?

Sounds like a great idea to me -- I'd certainly anticipated that providing binary snapshots off the branch is something we'd want to do, but I'm not familiar with the CTM mechanisms or maintenance processes. Given that this is "just another branch" from a CVS perspective, all the automated services offered on existing branches could easily be offered on the most recent release branch. Some of the practice here will evolve as needs arise.

In any case, I think this will allow us to greatly improve the level of security support we provide to our consumers who follow the normal release cycle but don't track -STABLE -- presumably this is the (silent) majority. My understanding is that BSDi has been hard at work on binary updating tools, so it may be that when that becomes available, we'll have the ingredients necessary to efficiently produce and maintain binary updates. We'll see how that works out.
:-)

Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org
NAI Labs, Safeport Network Services

From owner-freebsd-security Wed Apr 11 12:07:06 2001
From: bmah@FreeBSD.ORG (Bruce A. Mah)
To: Jason DiCioccio
Cc: bmah@FreeBSD.ORG, sjohn@airlinksys.com, freebsd-security@FreeBSD.ORG, Jason.DiCioccio@Epylon.com
Subject: Re: Security Announcements
Date: Wed, 11 Apr 2001 12:06:53 -0700
Message-Id: <200104111906.f3BJ6rn34644@bmah-freebsd-0.cisco.com>
In-Reply-To: <20010411185004.A68F213642@bluenugget.net>

If memory serves me right, Jason DiCioccio wrote:

> And how would I know which day/time was considered reasonably bug-free?
> I do not know of any webpages or anything that tell you this,

Read -stable (you are doing that, right?). I care more about how machines work in my own environment than what some Web page says.

You mentioned the hypothetical case of someone running -STABLE on boxes that needed to be "up at all times". Tell me that this someone would be willing to drop a new version of *any* operating system on mission-critical machines without testing on their own scratch machines first.

> nor does
> any given time in the -STABLE branch get as much testing as a -RELEASE.

For people who need a version of FreeBSD that's been through testing (and there is nothing whatsoever wrong with that), well, they should be running -RELEASE. There's been a lot of discussion as to how to deal with the issue of security updates to -RELEASEs, and the message that rwatson recently posted outlines the result of that discussion. I think this is going to solve a lot of problems, even though it's going to create more work for those who make advisories and patches.

Bruce.
From owner-freebsd-security Wed Apr 11 12:09:12 2001
From: "default013"
To: "Erick Mechler"
Subject: Re: Open-SSH Setup Questions
Date: Wed, 11 Apr 2001 14:14:48 -0500
References: <20010411094013.C56673@techometer.net>

Erick,

Hi, thanks for the help, but I get this error whenever I try to start sshd with the keys I made using that command... I am probably just unaware of something simple but...

error: Could not load host key: /etc/ssh/ssh_host_key: Bad file descriptor
Disabling protocol version 1
error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
Disabling protocol version 2
sshd: no hostkeys available -- exiting.
sshd: no hostkeys available -- exiting.
Thanks again

----- Original Message -----
From: "Erick Mechler"
To: "default013"
Sent: Wednesday, April 11, 2001 11:40 AM
Subject: Re: Open-SSH Setup Questions

> :: How can I tell if open-ssl is installed, and if so, what would be the path
> :: to it for an application that wants to use it, such as apache? (I did
> :: install the crypto library at install, so I am sure I have it... just don't
> :: know where it is)
>
> If you're running FreeBSD-4.x then you have OpenSSL installed in the base
> system. By default, the libraries are in /usr/lib, and the include files
> are in /usr/include/openssl. If you use the ports version of Apache, or
> any other programs that use OpenSSL, they should be able to find it
> automagically. If you're using 3.x, then use the port (security/openssl).
>
> :: How do I make/get the /etc/ssh/ssh_host_key file?
>
> ssh-keygen -f /etc/ssh/ssh_host_key -N ''
>
> :: I only want to use regular password authentication so that it is easy to
> :: use. Are there any special configurations I need to make to do this?
>
> The default sshd_config supports password authentication, so you shouldn't
> need to change anything to get that working. Also, be sure to read
> /usr/src/UPDATING for information about the recent changes to the way
> OpenSSH interfaces with PAM.
>
> :: I appreciate the help, thanks.
>
> Welcome.
> --Erick

From owner-freebsd-security Wed Apr 11 12:15:13 2001
From: Jason DiCioccio
To: bmah@FreeBSD.ORG
Cc: sjohn@airlinksys.com, freebsd-security@FreeBSD.ORG, Jason.DiCioccio@Epylon.com
Subject: Re: Security Announcements
Date: Wed, 11 Apr 2001 11:16:29 PST
Message-Id: <20010411191629.27C3213642@bluenugget.net>

On Wed, 11 Apr 2001 12:06:53 -0700 bmah@FreeBSD.ORG wrote:

> If memory serves me right, Jason DiCioccio wrote:
>
> > And how would I know which day/time was considered reasonably
> > bug-free?
> > I do not know of any webpages or anything that tell you this,
>
> Read -stable (you are doing that, right?). I care more about how
> machines work in my own environment than what some Web page says.

Yes. But of course the -STABLE/CURRENT branches change by the second. However you clear this up below.

> You mentioned the hypothetical case of someone running -STABLE on boxes
> that needed to be "up at all times".
> Tell me that this someone would be
> willing to drop a new version of *any* operating system on
> mission-critical machines without testing on their own scratch machines
> first.

~20 lines of code (for example) in a patch is a lot easier to go through (and to trust as a result) than the many more lines involved in a diff between 2 snapshots (moving targets) of a branch that are, say, 1 month apart.

> > nor does
> > any given time in the -STABLE branch get as much testing as a -RELEASE.
>
> For people who need a version of FreeBSD that's been through testing
> (and there is nothing whatsoever wrong with that), well, they should be
> running -RELEASE. There's been a lot of discussion as to how to deal
> with the issue of security updates to -RELEASEs, and the message that
> rwatson recently posted outlines the result of that discussion. I
> think this is going to solve a lot of problems, even though it's going
> to create more work for those who make advisories and patches.

Yes, I definitely like the new branch tag idea in 4.3. :-) It definitely clears up a lot of my concerns.
Cheers,
-JD-

From owner-freebsd-security Wed Apr 11 12:36:59 2001
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: Security Announcements & Incremental Patches
Date: Wed, 11 Apr 2001 12:36:57 -0700 (PDT)

Scott Johnson wrote:

> There is a difference between security fixes and a 'more low-key and
> conservative set of changes intended for our next mainstream release'.

I think this is a point many posters are missing. Production systems administration has to be conservative. A good systems administrator would *NEVER* run cvsup or -STABLE on a revenue generating production server for example. Change deltas must be kept to a minimum to minimize the risk of downtime or application problems.

> I just want to add my voice as to how I use FreeBSD. Simply saying 'use
> -STABLE' to those of us running -RELEASE on production systems isn't
> appropriate,

Agreed. It might be worthwhile to point out that Linux is gaining market share by leaps and bounds while FreeBSD's user base remains relatively stagnant for *exactly* this reason. This is all IMHO. Perhaps I'm just spoiled by Solaris' patch process. Yet we have seen a significant increase in Sun purchases thanks to their Blade 100 and its $1000 price (headless).
The FreeBSD community has to make the choice: do you want to FreeBSD to be a great developer's OS and an also-ran production platform (Dag-Erling Smorgrav's "submit patches or shut up") or would it be better in the long term to shift some resources (like incremental security patches) in order to boost market share? -- Roger Marquis Roble Systems Consulting http://www.roble.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 14:34:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (oe47.law7.hotmail.com [216.33.236.83]) by hub.freebsd.org (Postfix) with ESMTP id 12E0337B422 for ; Wed, 11 Apr 2001 14:34:47 -0700 (PDT) (envelope-from default013@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 11 Apr 2001 14:34:46 -0700 X-Originating-IP: [63.249.129.10] Reply-To: "default013" From: "default013" To: Cc: References: <20010411094013.C56673@techometer.net> Subject: Re: Open-SSH Setup Questions Date: Wed, 11 Apr 2001 16:40:28 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Message-ID: X-OriginalArrivalTime: 11 Apr 2001 21:34:46.0984 (UTC) FILETIME=[3AF9C480:01C0C2CF] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Doh! I thought the '' was a typo :) I tried that and it worked, thanks ----- Original Message ----- From: "default013" To: "Erick Mechler" Cc: Sent: Wednesday, April 11, 2001 2:14 PM Subject: Re: Open-SSH Setup Questions > Erick, > > Hi, thanks for the help, but I get this error whenever I try to start sshd > with the keys I made using that command... I am probably just unaware of > something simple but... 
> > error: Could not load host key: /etc/ssh/ssh_host_key: Bad file descriptor > Disabling protocol version 1 > error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key > Disabling protocol version 2 > sshd: no hostkeys available -- exiting. > sshd: no hostkeys available -- exiting. > > Thanks again > > ----- Original Message ----- > From: "Erick Mechler" > To: "default013" > Cc: > Sent: Wednesday, April 11, 2001 11:40 AM > Subject: Re: Open-SSH Setup Questions > > > > :: How can I tell of open-ssl is installed, and if so, what would be the > path > > :: to it for an application that wants to use it, such as apache? (I did > > :: install the crypto library at install, so I am sure I have it... just > don't > > :: know where it is) > > > > If you're running FreeBSD-4.x then you have OpenSSL installed in the base > > system. By default, the libraries are in /usr/lib, and the include files > > are in /usr/include/openssl. If you use the ports version of Apache, or > > any other programs that use OpenSSL, they should be able to find it > > automagically. If you're using 3.x, then use the port (security/openssl). > > > > :: How do i make/get the /etc/ssh/ssh_host_key file? > > > > ssh-keygen -f /etc/ssh/ssh_host_key -N '' > > > > :: I only want to use regular password authentication so that it is easy > to > > :: use. Are there any special configurations I need to make to do this? > > > > The default sshd_config supports password authentication, so you shouldn't > > need to change anything to get that working. Also, be sure to read > > /usr/src/UPDATING for information about the recent changes to the way > > OpenSSH interfaces with PAM. > > > > :: I appreciate the help, thanks. > > > > Welcome. 
> > > > --Erick > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 21:46:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail01.san.yahoo.com (mail01.san.yahoo.com [209.132.1.35]) by hub.freebsd.org (Postfix) with ESMTP id 5244537B50C for ; Wed, 11 Apr 2001 21:46:24 -0700 (PDT) (envelope-from newsletter@marktroberts.com) Received: from nsohotel5 (206.253.226.210) by mail01.san.yahoo.com (5.1.062) id 3ACA395D00810CF8 for freebsd-security@FreeBSD.ORG; Wed, 11 Apr 2001 21:39:53 -0700 Message-ID: <001f01c0c30b$805b0840$d2e2fdce@netrex.com> Reply-To: "Mark T Roberts" From: "Mark T Roberts" To: Subject: non-random IP IDs Date: Thu, 12 Apr 2001 00:46:12 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The other night I did a nessus security scan on my freeBSD box and I got the following warning. I am hopping someone on this mailing list can give me a better idea what this warning means. Thanks Mark NESSUS Warning... The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host. An attacker may use this feature to determine if the remote host sent a packet in reply to another request. This may be used for portscanning and other things. 
Solution : Contact your vendor for a patch Risk factor : Low To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 22:40:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60]) by hub.freebsd.org (Postfix) with ESMTP id 02B9E37B496 for ; Wed, 11 Apr 2001 22:40:34 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 2255 invoked by uid 1000); 12 Apr 2001 05:40:32 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 12 Apr 2001 05:40:32 -0000 Date: Thu, 12 Apr 2001 00:40:32 -0500 (CDT) From: Mike Silbersack To: Mark T Roberts Cc: Subject: Re: non-random IP IDs In-Reply-To: <001f01c0c30b$805b0840$d2e2fdce@netrex.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 12 Apr 2001, Mark T Roberts wrote: > The other night I did a nessus security scan on my freeBSD box and I got the > following warning. I am hopping someone on this mailing list can give me a > better idea what this warning means. > > Thanks > Mark > > NESSUS Warning... > The remote host uses non-random IP IDs, that is, it is > possible to predict the next value of the ip_id field of > the ip packets sent by this host. Each IP packet sent has with it a 16-bit ID. The numbers must remain unique over a short period of time so fragmentation can work properly. As such, everything except recent openbsds simple increments the id by 1 for each packet sent out. As a result, you can tell the number of packets sent on an idle host by seeing the difference in id numbers for the packets it sends back to you. It's not really that important of an issue, don't worry about it. 
Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 23: 0: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from femail4.sdc1.sfba.home.com (femail4.sdc1.sfba.home.com [24.0.95.84]) by hub.freebsd.org (Postfix) with ESMTP id 8BA1B37B443 for ; Wed, 11 Apr 2001 22:59:56 -0700 (PDT) (envelope-from mikeallen99@home.com) Received: from home.com ([24.10.183.89]) by femail4.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP id <20010412055710.YNLF29484.femail4.sdc1.sfba.home.com@home.com>; Wed, 11 Apr 2001 22:57:10 -0700 Message-ID: <3AD54669.EEF91A5C@home.com> Date: Wed, 11 Apr 2001 23:08:41 -0700 From: Mike Allen Organization: @Home Network X-Mailer: Mozilla 4.74 [en]C-AtHome0405 (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Mike Silbersack Cc: Mark T Roberts , freebsd-security@FreeBSD.ORG Subject: Re: non-random IP IDs References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Predictible IP ID numbers can be used by an attacker to hijack your session causing the following effects: 1. The successful attacker can 'take over' your session and do anything he/she wants to do with your files. No log will show anything unusual. The user only sees a momentary 'glitch' or retransmission error and may have to log in again but will usually ignore such errors. 2. Security measures are generally ineffective against this attack. Whatever you may do regarding passwords is effectively bypassed because the attack begins after you have already been authenticated. Encrypted sessions can be a successful counter-measure along with encrypted files. As a Unix System Admin, I discovered this attack on a user's files by comparing login times and durations and the user's unusual work schedule. 
Mike Allen Independent Consultant Mike Silbersack wrote: > > On Thu, 12 Apr 2001, Mark T Roberts wrote: > > > The other night I did a nessus security scan on my freeBSD box and I got the > > following warning. I am hopping someone on this mailing list can give me a > > better idea what this warning means. > > > > Thanks > > Mark > > > > NESSUS Warning... > > The remote host uses non-random IP IDs, that is, it is > > possible to predict the next value of the ip_id field of > > the ip packets sent by this host. > > Each IP packet sent has with it a 16-bit ID. The numbers must remain > unique over a short period of time so fragmentation can work properly. As > such, everything except recent openbsds simple increments the id by 1 for > each packet sent out. > > As a result, you can tell the number of packets sent on an idle host by > seeing the difference in id numbers for the packets it sends back to you. > It's not really that important of an issue, don't worry about it. > > Mike "Silby" Silbersack > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 11 23: 4:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60]) by hub.freebsd.org (Postfix) with ESMTP id 6F07337B506 for ; Wed, 11 Apr 2001 23:04:37 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 2289 invoked by uid 1000); 12 Apr 2001 06:04:36 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 12 Apr 2001 06:04:36 -0000 Date: Thu, 12 Apr 2001 01:04:36 -0500 (CDT) From: Mike Silbersack To: Mike Allen Cc: Mark T Roberts , Subject: Re: non-random IP IDs In-Reply-To: <3AD54669.EEF91A5C@home.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 11 Apr 2001, Mike Allen wrote: > Predictible IP ID numbers can be used by an attacker to hijack your > session causing the following effects: > > 1. The successful attacker can 'take over' your session and > do anything he/she wants to do with your files. No log You're confusing ip ids with tcp sequence numbers. ip ids have no such importance. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 12 0:42:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from stsws5.die.supsi.ch (stsws5.die.supsi.ch [193.5.154.5]) by hub.freebsd.org (Postfix) with ESMTP id 7E60137B5AF for ; Thu, 12 Apr 2001 00:42:35 -0700 (PDT) (envelope-from nunnari@die.supsi.ch) Received: from die.supsi.ch (pcm2022.die.supsi.ch [193.5.152.22]) by stsws5.die.supsi.ch (8.9.1a/8.9.1) with ESMTP id JAA28917; Thu, 12 Apr 2001 09:33:13 +0200 (MET DST) Message-ID: <3AD55CA7.80101@die.supsi.ch> Date: Thu, 12 Apr 2001 09:43:35 +0200 From: Roberto Nunnari User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20010131 Netscape6/6.01 X-Accept-Language: en MIME-Version: 1.0 To: Scott Johnson Cc: freebsd-security Subject: Re: Security Announcements? References: <3AD33218.FE8D7ACD@ursine.com> <001d01c0c1fc$23d73680$0508a8c0@lofi.dyndns.org> <20010410215014.A8173@scientia.demon.co.uk> <007d01c0c274$58ff11c0$94cba8c0@hh.kew.com> <3AD4475A.4050104@die.supsi.ch> <20010411122832.A91506@ns2.airlinksys.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Scott, run '-release' (like many others out there) is your choice and I respect it. I don't discuss that you have or not a valid point to do so. 
In your email you express your ideas well and politely and most likely speak for a lot of people. I respect it. I fully agree on some of the points that this thread has brought up. But it gets me upset to read that '-stable' is pre-beta. We all know that's not true. That simply is not fair, thanksless and offensive. Best regards. Scott Johnson wrote: > There is a difference between security fixes and a 'more low-key and > conservative set of changes intended for our next mainstream release'. I > maintain a single source tree for all of my machines. That source tree is > 4.2-RELEASE + security patches. Things break in -STABLE despite the care > taken in merging from -CURRENT; if I don't need features found only in > -STABLE, my preference is to trust more the long testing period of a > -RELEASE. While I could test stable on a spare box, that would be > time-consuming and error-prone, since that box would have to emulate the > designated tasks of all my machines. On the other hand, maintaining a > -STABLE source tree in addition to -RELEASE and selectively installing > certain things like bind and ntp when the need arises may have problems > because the -STABLE software is out of sync with the rest of the system. > This also creates problems when building world with the -RELEASE tree, > since some software should come from -STABLE. And when it comes down to > it, I'd rather build just a kernel, or just a userspace program, and only > when I have to, then rebuild everything on a semi-regular basis. > > I just want to add my voice as to how I use FreeBSD. Simply saying 'use > -STABLE' to those of us running -RELEASE on production systems isn't > appropriate, since I believe we have valid reasons for running -RELEASE on > our systems. These security issues are not so frequent that providing > patches for -RELEASE should be too burdensome. In fact, if -STABLE was > fixed, the fix is already available and could be applied to -RELEASE with > little or no modification. 
I've been pleased, actually, with how patches > have been made available for -RELEASE until only recently, when both the > bind and ntp vulnerabilities went by without patches. I thought, up till > this discussion, that it was assumed that many run a -RELEASE, and that > patches were supplied for that reason. I for one (and judging by the posts > to this thread I'm not alone) use FreeBSD this way, and I ask that it be > considered important to make security patches available for the latest > -RELEASE. > > > Quoth Roberto Nunnari on Wed, Apr 11, 2001 at 02:00:26PM +0200: > >> stable is not pre-beta. >> http://www.freebsd.org/handbook/current-stable.html >> >> ...cut and paste from the above: >> >> 19.2.2. Staying Stable with FreeBSD >> >> If you are using FreeBSD in a production environment and want to make >> sure you have the latest fixes from the -CURRENT branch, you want to be >> running -STABLE. This is the tree that -RELEASEs are branched from when >> we are putting together a new release. For example, if you have a copy >> of 3.4-RELEASE, that is really just a ``snapshot'' from the -STABLE >> branch that we put on CDROM. In order to get any changes merged into >> -STABLE after the -RELEASE, you need to ``track'' the -STABLE branch. >> 19.2.2.1. What is FreeBSD-STABLE? >> >> FreeBSD-STABLE is our development branch for a more low-key and >> conservative set of changes intended for our next mainstream release. >> Changes of an experimental or untested nature do not go into this branch >> (see FreeBSD-CURRENT). 
-- Roberto Nunnari -software engineer- mailto:nunnari@die.supsi.ch Scuola Universitaria Professionale della Svizzera Italiana Dipartimento di Informatica e Elettronica http://www.die.supsi.ch SUPSI-DIE Via Cantonale tel: +41-91-6108557 6928 Manno """ Switzerland (o o) =======================oOO==(_)==OOo======================== MY OPINIONS ARE NOT NECESSARILY THOSE OF MY EMPLOYER To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 12 1:17:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 9970737B53A for ; Thu, 12 Apr 2001 01:17:02 -0700 (PDT) (envelope-from avalon@caligula.anu.edu.au) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id SAA09404; Thu, 12 Apr 2001 18:16:48 +1000 (EST) From: Darren Reed Message-Id: <200104120816.SAA09404@caligula.anu.edu.au> Subject: Re: non-random IP IDs To: silby@silby.com (Mike Silbersack) Date: Thu, 12 Apr 2001 18:16:48 +1000 (Australia/ACT) Cc: newsletter@marktroberts.com (Mark T Roberts), freebsd-security@FreeBSD.ORG In-Reply-To: from "Mike Silbersack" at Apr 12, 2001 12:40:32 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Mike Silbersack, sie said: > > > On Thu, 12 Apr 2001, Mark T Roberts wrote: > > > The other night I did a nessus security scan on my freeBSD box and I got the > > following warning. I am hopping someone on this mailing list can give me a > > better idea what this warning means. > > > > Thanks > > Mark > > > > NESSUS Warning... > > The remote host uses non-random IP IDs, that is, it is > > possible to predict the next value of the ip_id field of > > the ip packets sent by this host. 
> > Each IP packet sent has with it a 16-bit ID. The numbers must remain > unique over a short period of time so fragmentation can work properly. As > such, everything except recent openbsds simple increments the id by 1 for > each packet sent out. > > As a result, you can tell the number of packets sent on an idle host by > seeing the difference in id numbers for the packets it sends back to you. > It's not really that important of an issue, don't worry about it. Except when said idle host is behind a firewall, you can gauge, with a better amount of surety, if the firewall is dropping packets vs packets just being lost on the 'net. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 12 2:54: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from probity.mcc.ac.uk (probity.mcc.ac.uk [130.88.200.94]) by hub.freebsd.org (Postfix) with ESMTP id 8D79E37B424 for ; Thu, 12 Apr 2001 02:53:58 -0700 (PDT) (envelope-from rasputin@freebsd-uk.eu.org) Received: from dogma.freebsd-uk.eu.org ([130.88.200.97] ident=root) by probity.mcc.ac.uk with esmtp (Exim 2.05 #4) id 14ndnZ-000NMP-00; Thu, 12 Apr 2001 10:53:57 +0100 Received: (from rasputin@localhost) by dogma.freebsd-uk.eu.org (8.11.1/8.11.1) id f3C9ruE88367; Thu, 12 Apr 2001 10:53:56 +0100 (BST) (envelope-from rasputin) Date: Thu, 12 Apr 2001 10:53:56 +0100 From: Rasputin To: Roger Marquis Cc: security@freebsd.org Subject: Re: Security Announcements & Incremental Patches Message-ID: <20010412105356.A88231@dogma.freebsd-uk.eu.org> Reply-To: Rasputin References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from marquis@roble.com on Wed, Apr 11, 2001 at 12:36:57PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Roger Marquis [010411 20:38]: > Scott Johnson wrote: > > There is a difference between security fixes and a 'more 
low-key and > > conservative set of changes intended for our next mainstream release'. > > I think this is a point many posters are missing. Production > systems administration has to be conservative. A good systems > administrator would *NEVER* run cvsup or -STABLE on a revenue > generating production server for example. Change deltas must be > kept to a minimum to minimize the risk of downtime or application > problems. I agree with you here. I've seen the performance and reliability of my box increase from tracking STABLE, but it's a home system. Remotely upgrading enterprise boxes is a differnet ball game entirely, but there are always going to be risks doing that, and I don't know of any way to eliminate them. A kernel bug fix tends to need a reboot. > > I just want to add my voice as to how I use FreeBSD. Simply saying 'use > > - -STABLE' to those of us running -RELEASE on production systems isn't > > appropriate, > > Agreed. It might be worthwhile to point out that Linux is gaining > market share by leaps and bounds while FreeBSD's user base remains > relatively stagnant for *exactly* this reason. Why? Because RedHat only provide updates as individual RPMS, so updating a system from one version to another was always a complete nightmare? (Exhibit A being shipping the new version of RPM as an RPM. In the new package format.) A central source tree form kernel and userland is BSDs crtowning glory, IMO. But that's not to say that patches aren't an option. > This is all IMHO. Perhaps I'm just spoiled by Solaris' patch > process. Yet we have seen a significant increase in Sun purchases > thanks to their Blade 100 and it's $1000 price (headless). 
The > FreeBSD community has to make the choice: do you want to FreeBSD > to be a great developer's OS and an also-ran production platform > (Dag-Erling Smorgrav's "submit patches or shut up") or would it be > better in the long term to shift some resources (like incremental > security patches) in order to boost market share? IMO, all contact I've had with the FreeBSd team has been motivated out of a genuine need to create a good product. Saying they do this to 'increase market share' does them a disservice. Their motivation to me has always seemed to be to make an OS that sucks less than any other, whether or not that's commercially attractive. -- Rasputin Jack of All Trades :: Master of Nuns To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 12 4:15:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from bear.defcomp.com.pl (bear.defcomp.com.pl [217.96.68.5]) by hub.freebsd.org (Postfix) with ESMTP id 5B20037B423 for ; Thu, 12 Apr 2001 04:15:21 -0700 (PDT) (envelope-from janusz.orlowski@defcomp.com.pl) Received: from kjanusz (wolf.defcomp.com.pl [217.96.68.62]) by bear.defcomp.com.pl (8.10.1/8.10.1) with SMTP id f3CBIM427341 for ; Thu, 12 Apr 2001 13:18:32 +0200 (CEST) Message-ID: <048701c0c342$5f2015d0$020aa8c0@kjanusz> From: =?iso-8859-2?Q?Janusz_Or=B3owski?= To: Subject: Date: Thu, 12 Apr 2001 13:18:44 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 12 5:53:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from 
mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 9722037B505 for ; Thu, 12 Apr 2001 05:53:33 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 92944 invoked by uid 1000); 12 Apr 2001 12:53:53 -0000 Date: Thu, 12 Apr 2001 14:53:53 +0200 From: "Karsten W. Rohrbach" To: Mark.Andrews@nominum.com Cc: lee@kechara.net, freebsd-security@freebsd.org Subject: Re: bind hack? Message-ID: <20010412145353.E90025@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , Mark.Andrews@nominum.com, lee@kechara.net, freebsd-security@freebsd.org References: <200104101151.MAA27699@mailgate.kechara.net> <200104101121.f3ABLPT88536@drugs.dv.isc.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200104101121.f3ABLPT88536@drugs.dv.isc.org>; from Mark.Andrews@nominum.com on Tue, Apr 10, 2001 at 09:21:25PM +1000 X-Arbitrary-Number-Of-The-Day: 42 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org why not upgrade to djbdns and get rid of all that "whats scriptkiddie's favourite bind exploit of the day" problems? http://cr.yp.to/djbdns.html http://www.djbdns.org/ the learning curve seems steep but if you understand the concept and have your first configuration running, it works like a charm (and is performant, too) /k Mark.Andrews@nominum.com(Mark.Andrews@nominum.com)@2001.04.10 21:21:25 +0000: > > > On inspection it would appear it has been upgraded since I installed it. The > > machine > > is now running 9.0.0r1, which may in part explain the problem. > > > > Why oh why do people not fill in maintenance logs.. > > If it's running 9.0.0rc1 then I suggest that you upgrade to > 9.1.1. > > Mark > > > > 11/04/2001 07:31:20, Mark.Andrews@nominum.com wrote: > > > > >> Hi, > > >> > > >> This is a little puzzling. 
I'm running the latest in the 'series 8' BIND, > > bu > > >> t every 24-48 hours, it dies, with this on the console: > > >> (latest example) > > > > > > I alway hate people saying they are running "the latest". Quite often > > > they arn't. Precise error reports are important. What version are > > > you running? > > > > > >> > > >> Apr 10 08:02:11 uk-ns1 /kernel: pid 84 (named), uid 0: exited on signal 1 > > 0 ( > > >> core dumped) > > >> > > >> A few seconds prior the the above, the IDS logged this: > > >> > > >> #20-(1-21575) DNS named iquery attempt 2001-04-10 08:02:09 < > > source I > > >> P> UDP > > >> > > >> The odd thing is, according to Whitehats, this attack only works on pre 8 > > .1. > > >> 2 / 4.9.8? > > > > > > See infoleak at http://www.isc.org/products/BIND/bind-security.html > > > > > >> > > >> Any input would be appreciated. > > >> > > >> -- > > >> > > >> Lee Smallbone > > >> Kechara Internet > > >> > > >> lee@kechara.net > > >> www.kechara.net > > >> > > >> Tel: (01243) 869 969 > > >> Fax: (01243) 866 685 > > >> > > >> > > >> > > >> To Unsubscribe: send mail to majordomo@FreeBSD.org > > >> with "unsubscribe freebsd-security" in the body of the message > > >-- > > >Mark Andrews, Nominum Inc. > > >1 Seymour St., Dundas Valley, NSW 2117, Australia > > >PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com > > > > > > > -- > > > > Lee Smallbone > > Kechara Internet > > > > lee@kechara.net > > www.kechara.net > > > > Tel: (01243) 869 969 > > Fax: (01243) 866 685 > > > > > -- > Mark Andrews, Nominum Inc. > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- > If it ain't broke, overclock it! 
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 12 5:58:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 0485237B43F for ; Thu, 12 Apr 2001 05:58:12 -0700 (PDT) (envelope-from sthaug@nethelp.no) Received: (qmail 3898 invoked by uid 1001); 12 Apr 2001 12:57:08 +0000 (GMT) To: karsten@rohrbach.de Cc: Mark.Andrews@nominum.com, lee@kechara.net, freebsd-security@freebsd.org Subject: Re: bind hack? From: sthaug@nethelp.no In-Reply-To: Your message of "Thu, 12 Apr 2001 14:53:53 +0200" References: <20010412145353.E90025@mail.webmonster.de> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Thu, 12 Apr 2001 14:57:07 +0200 Message-ID: <3894.987080227@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > why not upgrade to djbdns and get rid of all that "whats scriptkiddie's > favourite bind exploit of the day" problems? Telling *Mark Andrews* to "upgrade to djbdns"? That's one of the best laughs I've had this Easter... 
Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 12 6:12:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id C94DC37B422 for ; Thu, 12 Apr 2001 06:12:15 -0700 (PDT) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f3CDCNA63587; Thu, 12 Apr 2001 09:12:24 -0400 (EDT) (envelope-from rsimmons@wlcg.com) Date: Thu, 12 Apr 2001 09:12:19 -0400 (EDT) From: Rob Simmons To: Mike Silbersack Cc: Mark T Roberts , Subject: Re: non-random IP IDs In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On Thu, 12 Apr 2001, Mike Silbersack wrote: > Each IP packet sent has with it a 16-bit ID. The numbers must remain > unique over a short period of time so fragmentation can work properly. As > such, everything except recent openbsds simple increments the id by 1 for > each packet sent out. What is the behavior of OpenBSD for this? If its not important, why would they change it? 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE61am3v8Bofna59hYRA3DJAKCfCpvpwhiE9D7d1P+Vm8tr4HXpJACgxVfG wH9Q0Lz8yMB/9u7slM92UEo= =ZKgl -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 12 6:14:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 372DC37B496 for ; Thu, 12 Apr 2001 06:14:35 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 94083 invoked by uid 1000); 12 Apr 2001 13:14:56 -0000 Date: Thu, 12 Apr 2001 15:14:56 +0200 From: "Karsten W. Rohrbach" To: sthaug@nethelp.no Cc: Mark.Andrews@nominum.com, lee@kechara.net, freebsd-security@freebsd.org Subject: Re: bind hack? Message-ID: <20010412151456.H90025@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , sthaug@nethelp.no, Mark.Andrews@nominum.com, lee@kechara.net, freebsd-security@freebsd.org References: <20010412145353.E90025@mail.webmonster.de> <3894.987080227@verdi.nethelp.no> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3894.987080227@verdi.nethelp.no>; from sthaug@nethelp.no on Thu, Apr 12, 2001 at 02:57:07PM +0200 X-Arbitrary-Number-Of-The-Day: 42 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org sthaug@nethelp.no(sthaug@nethelp.no)@2001.04.12 14:57:07 +0000: > Telling *Mark Andrews* to "upgrade to djbdns"? That's one of the best laughs > I've had this Easter... > i do not discuss the sense or nonsense switching from one whatever server to another. principle of server operations are simple: if it runs, don't touch it. if it screws all the time, try to upgrade to a newer version. if newer versions suck all time, replace subsystem with a different one. 
the "then write one yourself" section is omitted here, since dns is way
awkward (ref: RFC1035) to implement to be interoperable and stable.

happy easter ;-)

/k
--
> 130 years of the vacuum cleaner.
> Before that, the hamster had practically no natural enemies...
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de

From owner-freebsd-security Thu Apr 12 6:21:06 2001
From: Darren Reed
Message-Id: <200104121320.XAA02344@caligula.anu.edu.au>
Subject: Re: non-random IP IDs
To: rsimmons@wlcg.com (Rob Simmons)
Date: Thu, 12 Apr 2001 23:20:41 +1000 (Australia/ACT)
Cc: silby@silby.com (Mike Silbersack), newsletter@marktroberts.com (Mark T Roberts), freebsd-security@FreeBSD.ORG
In-Reply-To: from "Rob Simmons" at Apr 12, 2001 09:12:19 AM

In some mail from Rob Simmons, sie said:
>
> On Thu, 12 Apr 2001, Mike Silbersack wrote:
>
> > Each IP packet sent has with it a 16-bit ID. The numbers must remain
> > unique over a short period of time so fragmentation can work properly. As
> > such, everything except recent OpenBSDs simply increments the id by 1 for
> > each packet sent out.
>
> What is the behavior of OpenBSD for this? If it's not important, why would
> they change it?

They're more paranoid than others are.
From owner-freebsd-security Thu Apr 12 7:00:12 2001
Message-ID: <3AD5B6F9.64837442@home.com>
Date: Thu, 12 Apr 2001 07:08:57 -0700
From: Mike Allen
Organization: @Home Network
To: Mike Silbersack
Cc: Mark T Roberts , freebsd-security@FreeBSD.ORG
Subject: Re: non-random IP IDs

You are right. Sorry for the confusion. I must be sleepy. :)

Mike Allen

Mike Silbersack wrote:
>
> On Wed, 11 Apr 2001, Mike Allen wrote:
>
> > Predictable IP ID numbers can be used by an attacker to hijack your
> > session causing the following effects:
> >
> > 1. The successful attacker can 'take over' your session and
> > do anything he/she wants to do with your files. No log
>
> You're confusing ip ids with tcp sequence numbers. ip ids have no such
> importance.
>
> Mike "Silby" Silbersack

From owner-freebsd-security Thu Apr 12 8:53:17 2001
Date: Thu, 12 Apr 2001 10:53:11 -0500 (CDT)
From: Mike Silbersack
To: Rob Simmons
Cc: Mark T Roberts ,
Subject: Re: non-random IP IDs

On Thu, 12 Apr 2001, Rob Simmons wrote:

> On Thu, 12 Apr 2001, Mike Silbersack wrote:
>
> > Each IP packet sent has with it a 16-bit ID. The numbers must remain
> > unique over a short period of time so fragmentation can work properly. As
> > such, everything except recent OpenBSDs simply increments the id by 1 for
> > each packet sent out.
>
> What is the behavior of OpenBSD for this? If it's not important, why would
> they change it?

They generate pseudo-random, nonrepeating ids. For the actual algorithm, see:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_id.c?rev=1.2&content-type=text/x-cvsweb-markup&cvsroot=openbsd

Although it's nice in theory, the amount of work required to generate the
ids seems too great to justify for each packet sent. (Note that I said
"seems", I'm not sure if anyone has done actual benchmarks to determine the
actual impact.)
Mike "Silby" Silbersack

From owner-freebsd-security Thu Apr 12 11:34:00 2001
Message-ID: <3AD5F274.547D0350@softweyr.com>
Date: Thu, 12 Apr 2001 12:22:44 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Mike Silbersack
Cc: Rob Simmons , Mark T Roberts , freebsd-security@FreeBSD.ORG
Subject: Re: non-random IP IDs

Mike Silbersack wrote:
>
> On Thu, 12 Apr 2001, Rob Simmons wrote:
>
> > On Thu, 12 Apr 2001, Mike Silbersack wrote:
> >
> > > Each IP packet sent has with it a 16-bit ID. The numbers must remain
> > > unique over a short period of time so fragmentation can work properly. As
> > > such, everything except recent OpenBSDs simply increments the id by 1 for
> > > each packet sent out.
> >
> > What is the behavior of OpenBSD for this? If it's not important, why would
> > they change it?
>
> They generate pseudo-random, nonrepeating ids. For the actual algorithm,
> see:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_id.c?rev=1.2&content-type=text/x-cvsweb-markup&cvsroot=openbsd
>
> Although it's nice in theory, the amount of work required to generate the
> ids seems too great to justify for each packet sent.
> (Note that I said "seems", I'm not sure if anyone has done actual
> benchmarks to determine the actual impact.)

Just like TCP sequence numbers, non-predictable IP IDs are *supposed to*
make it somewhat harder to insert bogus fragments into a packet stream.
If you are a router, this won't make a bit of difference in your ability
to frag a packet and stick whatever data you want into it; if you are
not a router your ability to see a fragmented packet go by and inject
other frags into it is almost non-existent anyhow, so I don't see much
value in this. It's mostly just in fitting with the OpenBSD "deny them
everything" approach.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Thu Apr 12 12:58:56 2001
Message-ID: <3AD60902.D6134503@globalstar.com>
Date: Thu, 12 Apr 2001 12:58:58 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Wes Peters
Cc: Mike Silbersack , Rob Simmons , Mark T Roberts , freebsd-security@FreeBSD.ORG
Subject: Re: non-random IP IDs
References: <3AD5F274.547D0350@softweyr.com>

Wes Peters wrote:
>
> Mike Silbersack wrote:
> >
> > On Thu, 12 Apr 2001, Rob Simmons wrote:
> >
> > > On Thu, 12 Apr 2001, Mike Silbersack wrote:
> > >
> > > > Each IP packet sent has with it a 16-bit ID. The numbers must remain
> > > > unique over a short period of time so fragmentation can work properly. As
> > > > such, everything except recent OpenBSDs simply increments the id by 1 for
> > > > each packet sent out.
> > >
> > > What is the behavior of OpenBSD for this? If it's not important, why would
> > > they change it?
> >
> > They generate pseudo-random, nonrepeating ids. For the actual algorithm,
> > see:
> >
> > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_id.c?rev=1.2&content-type=text/x-cvsweb-markup&cvsroot=openbsd
> >
> > Although it's nice in theory, the amount of work required to generate the
> > ids seems too great to justify for each packet sent. (Note that I said
> > "seems", I'm not sure if anyone has done actual benchmarks to determine
> > the actual impact.)
>
> Just like TCP sequence numbers, non-predictable IP IDs are *supposed to*
> make it somewhat harder to insert bogus fragments into a packet stream.
> If you are a router, this won't make a bit of difference in your ability
> to frag a packet and stick whatever data you want into it; if you are
> not a router your ability to see a fragmented packet go by and inject
> other frags into it is almost non-existent anyhow, so I don't see much
> value in this. It's mostly just in fitting with the OpenBSD "deny them
> everything" approach.

If you can see the stream, you can presumably read the IP ID on the actual
packets and forge them without knowing the IP ID ahead of time. Using
incrementing ones _maybe_ just buys the attacker a few microseconds of time
since he has to analyze the stream anyway to inject data where he wants.
There are much easier attacks when you can see the whole stream and inject
packets.

Actually, I think the vulnerability most people think of first is doing
stealthy port scans.
For example, if you have a low volume host with one port open, you can access
the port and read the IP ID. You can then spoof a packet to another port on
the host. You never see the response, or lack thereof, to the spoofed scan.
However, you hit the open port again and check the IP ID. If it has not
incremented, the host or a firewall in between probably dropped the scan
packet. If the IP ID has incremented, the host likely generated a response
(either a SYN-ACK, RST, ICMP unreach, etc.) which went off to the spoofed
address. Depending on what kind of scan you are spoofing, you can make a
pretty good guess at what a response or lack of a response implies about the
port's status.

The attacker hides his activity by doing something not at all hostile looking
(e.g. HTTP requests) as he does the scan. Of course if this is a _really_ low
traffic host, the administrator of the box might note that the HTTP access
corresponded to these scans coming from another host (if no one is looking at
the logs for scans in the first place, why bother being stealthy). But in the
case where the firewall administrator and the HTTP daemon administrator are
different people, or perhaps even when the HTTP host is not busy, but the
firewall is, this activity might be better obfuscated.

But yes, the question of whether the effort, the complexity added to the
kernel, and the CPU cycles needed for randomization are worth the reduced
risk of attack, IMHO, does not have a clear cut answer.
--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
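The incrementing-counter versus random-ID behaviour that Mike, Wes and Crist discuss above, as an added example (not code from the thread, and not any BSD's ip_id.c): an observer-side classifier that tells the two apart from a few observed IDs, the count that an incrementing host gives away between two replies, and a userland generator with the "pseudo-random, nonrepeating" property. All ID samples are constructed; the shuffled-table generator is this example's own stand-in, chosen because its order is obviously unpredictable, not the OpenBSD algorithm Mike links to, which computes its sequence instead of holding a table.

```python
import secrets

IPID_SPACE = 1 << 16  # the IP ID header field is 16 bits wide


def ipid_deltas(ids):
    """Differences between consecutive IP IDs, modulo 2^16 (the field wraps)."""
    return [(b - a) % IPID_SPACE for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ids, small_step=256):
    """Classify how a host generates IP IDs from a run of observed values.

    "constant"     every packet carries the same ID
    "incremental"  one counter shared by all traffic: each delta is small and
                   positive, so the counter reveals how many packets the host
                   sent to anyone in between (Crist's stealth-scan point)
    "random"       the deltas carry no usable structure
    "insufficient" fewer than three samples
    The threshold is this example's own heuristic, not any tool's code.
    """
    if len(ids) < 3:
        return "insufficient"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d <= small_step for d in deltas):
        return "incremental"
    return "random"


def packets_sent_between(id_before, id_after):
    """For an incrementing host: packets it emitted to anyone between two
    replies it sent us (the two replies themselves are not counted).
    Zero versus non-zero is exactly the information a randomised ID removes."""
    return (id_after - id_before) % IPID_SPACE - 1


class IncrementingIpId:
    """What the thread says most stacks do: id += 1 for every packet sent."""

    def __init__(self, start=0):
        self._next = start % IPID_SPACE

    def next_id(self):
        value = self._next
        self._next = (self._next + 1) % IPID_SPACE
        return value


class ShuffledIpId:
    """Pseudo-random IDs that never repeat inside a cycle of 65536 packets.

    A fresh random permutation of the ID space is drawn per cycle, so IDs stay
    unique across any plausible reassembly window while consecutive values say
    nothing about the host's other traffic. Holding the table is fine in
    userland; a kernel would rather compute the permutation arithmetically.
    """

    def __init__(self):
        self._reseed()

    def _reseed(self):
        # SystemRandom draws from the OS CSPRNG, so the order is unpredictable
        self._cycle = list(range(IPID_SPACE))
        secrets.SystemRandom().shuffle(self._cycle)
        self._pos = 0

    def next_id(self):
        if self._pos == IPID_SPACE:
            self._reseed()
        value = self._cycle[self._pos]
        self._pos += 1
        return value


def no_repeats_within_cycle(gen, count=IPID_SPACE):
    """True if `count` consecutive IDs from `gen` are pairwise distinct."""
    seen = [gen.next_id() for _ in range(count)]
    return len(set(seen)) == count


def simulate_two_probes(gen, other_packets):
    """Constructed scenario: we receive one reply, the host then sends
    `other_packets` packets elsewhere, then we receive a second reply.
    Returns (first_id, second_id) as an outside observer would see them."""
    first = gen.next_id()
    for _ in range(other_packets):
        gen.next_id()
    return first, gen.next_id()


if __name__ == "__main__":
    a, b = simulate_two_probes(IncrementingIpId(4000), other_packets=5)
    print("incrementing host: observer infers", packets_sent_between(a, b),
          "other packets")
    a, b = simulate_two_probes(ShuffledIpId(), other_packets=5)
    print("shuffled host: delta", (b - a) % IPID_SPACE, "reveals nothing")
```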
From owner-freebsd-security Thu Apr 12 13:58:28 2001
Date: Thu, 12 Apr 2001 13:58:18 -0700 (PDT)
Message-Id: <200104122058.f3CKwIU45338@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:31                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ntpd contains potential remote compromise

Category:       core/ports
Module:         ntpd
Announced:      2001-04-06
Credits:        Przemyslaw Frasunek
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE and 4.2-STABLE prior to the correction date.
                Ports collection prior to the correction date.
Corrected:      2001-04-06 (FreeBSD 4.2-STABLE, 3.5-STABLE, and ports)
Vendor status:  Vendor notified.
FreeBSD only:   NO

I.   Background

The ntpd daemon is an implementation of the Network Time Protocol (NTP) used
to synchronize the time of a computer system to a reference time source.
Older versions of ntpd, such as those in FreeBSD 3.x, were named xntpd.

II.  Problem Description

An overflowable buffer exists in the ntpd daemon related to the building of a
response for a query with a large readvar argument. Due to insufficient bounds
checking, a remote attacker may be able to cause arbitrary code to be executed
as the user running the ntpd daemon, usually root.

All versions of FreeBSD prior to the correction date, including FreeBSD 3.5.1
and 4.2, and versions of the ntpd port prior to ntp-4.0.99k_2 contain this
problem. The base system and ports collections that will ship with FreeBSD 4.3
do not contain this problem since it was corrected before the release.

III. Impact

Malicious remote users may be able to execute arbitrary code on an ntpd server
as the user running the ntpd daemon, usually root.

The ntpd daemon is not enabled by default. If you have not enabled ntpd, your
system is not vulnerable.

IV.  Workaround

Disable the ntpd daemon using the following command:

# kill -KILL `cat /var/run/ntpd.pid`

Additionally, the ntpd daemon should be disabled in the system's startup
configuration file /etc/rc.conf, normally accomplished by changing
"xntpd_enable=YES" to "xntpd_enable=NO".

Since NTP is a stateless UDP-based protocol, source addresses can be spoofed,
rendering firewalling ineffective for stopping this vulnerability.

V.   Solution

[Base system]

One of the following:

1) Upgrade to FreeBSD 4.2-STABLE or 3.5.1-STABLE after the correction date.

2) Download the patch and detached PGP signature from the following location:

The following patch applies to FreeBSD 4.x.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-4.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-4.x.patch.asc

The following patch applies to FreeBSD 3.x.
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-3.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-3.x.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

[FreeBSD 4.x]
# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/ntp
# make all install

[FreeBSD 3.x]
# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/xntpd
# make all install

Finally, if ntpd is already running then kill and restart the ntpd daemon:
perform the following command as root:

# kill -KILL `cat /var/run/ntpd.pid` && /usr/sbin/ntpd

[Ports collection]

Use one of the following options to upgrade the ntpd software, then kill and
restart the ntpd daemon if it is already running. To kill and restart the ntpd
daemon, perform the following command as root:

# kill -KILL `cat /var/run/ntpd.pid` && /usr/local/sbin/ntpd

1) Upgrade your entire ports collection and rebuild the ntpd port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ntp-4.0.99k_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ntp-4.0.99k_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ntp-4.0.99k_2.tgz

NOTE: It may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at this
time due to lack of build resources.

3) Download a new port skeleton for the ntpd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security Thu Apr 12 15:20:36 2001
From: "Nick Mazza"
To: freebsd-security@freebsd.org
Subject: SUBSCRIBE
Date: Thu, 12 Apr 2001 15:20:34 -0700

Hello can you subscribe me to your newsletter?
Thanks

[merkury]
www.68e.com/~merkury
EFFECTS SECURITY TEAM
www.68e.com/effects

From owner-freebsd-security Thu Apr 12 17:24:30 2001
Date: Fri, 13 Apr 2001 02:24:46 +0200
From: "Karsten W. Rohrbach"
To: Dag-Erling Smorgrav
Cc: sthaug@nethelp.no, Mark.Andrews@nominum.com, freebsd-security@freebsd.org
Subject: Re: bind hack?
Message-ID: <20010413022446.B18721@mail.webmonster.de>
In-Reply-To: ; from des@thinksec.com on Thu, Apr 12, 2001 at 04:53:16PM +0200

Dag-Erling Smorgrav(des@thinksec.com)@2001.04.12 16:53:16 +0000:
> "Karsten W. Rohrbach" writes:
> > sthaug@nethelp.no(sthaug@nethelp.no)@2001.04.12 14:57:07 +0000:
> > > Telling *Mark Andrews* to "upgrade to djbdns"? That's one of the best laughs
> > > I've had this Easter...
> > [...] if it runs, don't touch it. if it screws up all the time, try to
> > upgrade to a newer version. if newer versions suck all the time, replace
> > the subsystem with a different one.
> > the "then write one yourself"
> > section is omitted here [...]
>
> Oh, but you *shouldn't* omit the "then write one yourself" section.
> That's what Mark does. He writes BIND 9. Happy Easter!

the "then write one yourself" section is meant totally reflexive. as i said,
due to the "standardization process" for dns, the related rfcs as
documentation and therefore basis for design, it is a shitload of work to get
a running (in means of operational _and_ interoperable) dns server software
developed, tested and finally deployed.

i got no problem at all with people designing their daemon stuff the way they
think it would become a stable and usable piece of software that fits for
heavy duty server systems. but as there are more and more alternatives to
bind, every administrator has the choice. the design behind bind is very
complex and so is the software. the more complex you get, the more likely
become all the little bugs in there. that's the way i think about software
design in general. i like lightweight implementations which are easily
extendable - that's all. i must admit that i did not have the time to look
into the sources of 9.x, but 8.younameit is a pretty pain to read and
understand. therefore this is not a prank - or however you call it - against
bind9. i already read some of the papers and reports about 9.x and it sounds
promising.

to get one thing straight - my post was a bit harsh, but buffer overflows and
other flora and fauna a sysadmin has to cope with all day also originate from
a distribution-centric monoculture of preinstalled and bundled software. it is
not much different from the microsoft security dilemma since this monoculture
defines the standard. this does not mean that deviation from standards is good
or bad, but with more variety in server software implementations in general
the internet will just be a little bit happier. different design approaches
lead to a phase where people try and gather experience.
these experiences could be and most times actually _are_ thrown together to
build a better piece of software, more stable, more secure. and this is the
point that differentiates the open source community from big os companies.

one thing i can not understand about the opensource os community is, why
there are tight bindings between several packages and a distribution. why not
let the users/admins choose (well some admins do, i hope) before or while
installing/upgrading what server subsystems to install? why is sendmail the
standard mta on *bsd, why is bind the standard dns server on *bsd, why are
they in the main distribution? they could be packages. the part of bind that
is needed for operation of a simple unix box is the resolver. email-wise there
could be a dumbfire local delivery mta. in my opinion an os distribution
should be a solid basis to deploy server subsystems on, be it bind or djbdns,
be it sendmail or qmail or even smail, be it a fully blown apache server or
just a boa or publicfile httpd. the choice should be the one of the admin
installing the box, and i think that it is a bad thing to remove the remnants
of the software installed by default to get rid of suid binaries or rogue
dotfiles and so on.

one last word concerning djb... he might lack social competence and he might
act strange sometimes, but what he has to say is often true. i can not
understand why many of his concerns are not taken seriously since they could
be taken as valuable input to improve existing implementations of server
software. (no i do not want to start a djb thread out of this now, these are
just my $.02). further discussion via pm. i would not like this thread to
become a dennis@etinc.com one.

happy easter
/k
--
> What do you want to re-install today?
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de

From owner-freebsd-security Thu Apr 12 22:44:18 2001
Date: Fri, 13 Apr 2001 06:42:38 +0200 (CEST)
From: Krzysztof Stryjek
Reply-To: Krzysztof Stryjek
To: Nick Mazza
Subject: Re: SUBSCRIBE

Hello

On Thu, 12 Apr 2001, Nick Mazza wrote:

> Hello can you subscribe me to your newsletter? Thanks
>

See the link below. You can do it yourself:

http://www.FreeBSD.org/handbook/eresources.html#ERESOURCES-MAIL

Regards
--
Krzysztof Stryjek
email: wtp@agsmedia.pl
ICQ: 79525071

court, n.:
        A place where they dispense with justice.
                -- Arthur Train

From owner-freebsd-security Fri Apr 13 0:07:02 2001
Date: Fri, 13 Apr 2001 00:06:59 -0700
From: Steve Reid
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
Message-ID: <20010413000659.A88148@grok.bc.hsia.telus.net>
In-Reply-To: <200104122058.f3CKwLe45352@freefall.freebsd.org>; from FreeBSD Security Advisories on Thu, Apr 12, 2001 at 01:58:21PM -0700

On Thu, Apr 12, 2001 at 01:58:21PM -0700, FreeBSD Security Advisories wrote:
> IV. Workaround
> Disable the ntpd daemon using the following command:

None of the advisories I've seen released (FreeBSD or otherwise) have
listed "restrict" directives in ntp.conf as a workaround. Is this
because it is not sufficient, or are the people writing the advisories
not aware of it, or other?

Restricting by address is subject to spoofing of course, but is there any
reason "restrict default noquery nomodify notrap nopeer" would not be
sufficient to protect a typical NTP client while still allowing it to
receive time service?
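The "restrict" workaround Steve asks about, as an added example (not from the thread and not ntpd code): a small parser for the restrict and server lines of an ntp.conf that reports whether control queries are refused by default and whether any configured server would lose time service under the rules, so the proposed line can be checked against the "ignore" style of default before it goes on a box. Flag meanings follow ntpd's documentation (ignore drops everything from a matched source, noquery refuses ntpq/ntpdc control queries, the channel a readvar request uses, while leaving time service alone, noserve refuses time service); longest-prefix matching is an approximation of ntpd's own lookup, and the sample configurations are constructed.

```python
"""Audit of ntp.conf `restrict` lines (added example; not ntpd code).

Flag meanings used here follow ntpd's documentation:
  ignore   drop every packet from the matched source, time service included
  noquery  refuse ntpq/ntpdc control queries (the channel readvar uses);
           time service is not affected
  noserve  refuse time service, but still answer control queries
Longest-prefix matching is an approximation of ntpd's lookup.
"""
import ipaddress

BLOCKS_TIME_SERVICE = {"ignore", "noserve"}
BLOCKS_QUERIES = {"ignore", "noquery"}
BLOCKS_MODIFICATION = {"ignore", "nomodify"}


def parse_ntp_conf(text):
    """Return (default_flags, [(network, flags), ...], [server names])."""
    default_flags = set()
    rules = []
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "server" and args:
            servers.append(args[0])
        elif keyword == "restrict":
            args = [a for a in args if a not in ("-4", "-6")]  # family selectors
            if not args:
                continue
            target, rest = args[0], args[1:]
            if target == "default":
                default_flags = set(rest)
                continue
            mask = None
            if rest[:1] == ["mask"] and len(rest) >= 2:
                mask, rest = rest[1], rest[2:]
            try:
                net = ipaddress.ip_network(f"{target}/{mask}" if mask else target,
                                           strict=False)
            except ValueError:
                continue  # a hostname: not resolved in this offline example
            rules.append((net, set(rest)))
    return default_flags, rules, servers


def effective_flags(address, default_flags, rules):
    """Flags applied to packets from `address`: the most specific matching
    restrict rule, else the default rule. Raises ValueError for hostnames."""
    ip = ipaddress.ip_address(address)
    matches = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    if not matches:
        return set(default_flags)
    return set(max(matches, key=lambda m: m[0])[1])


def audit_ntp_conf(text):
    """Summarise what the restrict rules do to queries and to time service."""
    default_flags, rules, servers = parse_ntp_conf(text)
    blocked, unresolved = [], []
    for srv in servers:
        try:
            flags = effective_flags(srv, default_flags, rules)
        except ValueError:
            unresolved.append(srv)  # hostname; cannot be matched offline
            continue
        if flags & BLOCKS_TIME_SERVICE:
            blocked.append(srv)  # our own server's replies would be dropped
    return {
        "queries_refused_by_default": bool(default_flags & BLOCKS_QUERIES),
        "modification_refused_by_default": bool(default_flags & BLOCKS_MODIFICATION),
        "servers_blocked": blocked,
        "servers_unresolved": unresolved,
    }


# Constructed sample configurations (addresses are documentation ranges).
NO_RESTRICT_CONF = "server 192.0.2.10\n"  # answers control queries from anyone
PROPOSED_CONF = """\
restrict default noquery nomodify notrap nopeer
server 192.0.2.10
"""
IGNORE_CONF = """\
restrict default ignore
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap noquery
server 192.0.2.10
"""
IGNORE_WITHOUT_EXCEPTION_CONF = """\
restrict default ignore
server 192.0.2.10
"""

if __name__ == "__main__":
    for name, conf in [("no restrict", NO_RESTRICT_CONF),
                       ("proposed", PROPOSED_CONF),
                       ("ignore with exception", IGNORE_CONF),
                       ("ignore without exception", IGNORE_WITHOUT_EXCEPTION_CONF)]:
        print(name, audit_ntp_conf(conf))
```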
From owner-freebsd-security Fri Apr 13 3:09:34 2001
Message-ID: <3AD6D047.91F3F843@IPricot.com>
Date: Fri, 13 Apr 2001 12:09:11 +0200
From: Lionnel CHAPTAL
Organization: IPricot European Headquarters (Formerly DotCom SA)
To: freebsd-security@freebsd.org
Subject: IPSEC/Racoon/local adress when initiator

Hi,

I have an IPSec tunnel between 2 nets:

FBSD(eth)--|--(eth)GW(eth)--(eth)Cisco(eth)--|
           |                                 |
           |--(eth)host               host(eth)---|

and it works fine in static key configuration.

FBSD is the encryption/decryption machine on the LAN on the left side and is
the gateway for the LAN. Cisco is doing the same job on the right side.

On the FBSD side, there is only one NIC, so I have set up an alias address on
the ethernet interface. So the FBSD eth iface has one address in the
net-to-be-tunneled (192.168.0.1/24) and another for the tunnel-transported-lan
(1.2.3.4 or whatever).

Now, I would like to use IKE. Well, there is no problem with the racoon
parameters. The gateway for the FBSD (GW) has only one address in the same net
as the net-to-be-tunneled (for instance 192.168.0.254). So racoon is binding
on the eth iface with the address 192.168.0.1 [sockmisc.c/getlocaladdr()].
The frames are being sent from 192.168.0.1 whereas they should come from
1.2.3.4.

Question. Is there a way, in the configuration file, to change the local
address binding so that it will use 1.2.3.4 instead? (like "crypto map
local-address " with Cisco IOS?)

Note: the exchange is OK when the Cisco is the initiator, and the SAD is
filled.

Thanks in advance,
Lionnel.

From owner-freebsd-security Fri Apr 13 5:07:31 2001
Message-ID: <004601c0c412$4ea81e70$94cba8c0@hh.kew.com>
From: "Drew Derbyshire"
To: "Steve Reid"
References: <200104122058.f3CKwLe45352@freefall.freebsd.org> <20010413000659.A88148@grok.bc.hsia.telus.net>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
Date: Fri, 13 Apr 2001 08:07:27 -0400
Organization: Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com)

From: "Steve Reid"
> None of the advisories I've seen released (FreeBSD or otherwise) have
> listed "restrict" directives in ntp.conf as a workaround. Is this
> because it is not sufficient, or are the people writing the advisories
> not aware of it, or other?
> Restricting by address is subject to spoofing of course,

IMHO ...
I believe the comment in the advisory that specifically points out spoofing is a problem is why restrict is not listed as a workaround. The official workarounds have to be bulletproof.

> but is there
> any reason "restrict default noquery nomodify notrap nopeer" would not
> be sufficient to protect a typical NTP client while still allowing it
> to receive time service?

If you are using restrict, why not a simple ignore on the restrict? Was this a recent addition to the configuration? (It is in the version shipped with FreeBSD 4.1.)

-ahd-

From owner-freebsd-security Fri Apr 13 7: 3: 1 2001
Date: Fri, 13 Apr 2001 16:02:57 +0200 (CEST)
From: Christoph Kukulies
Message-Id: <200104131402.f3DE2vx32654@gilberto.physik.rwth-aachen.de>
To: freebsd-security@freebsd.org
Subject: tcpdump (tutorial?)

I don't know how others experience this: whenever it comes to some suspicion of net intruders or so, I find myself reading tcpdump's man page and scratching my head about the syntax. Once I've learned to form a little script that filters this and that, it's laid away or lost when the storm is over. Next time, same procedure. Uh, oh, what was that tcpdump syntax again to watch that host for incoming and outgoing packets that do not come from our local network and are not the http port? Is there a tutorial?
Has someone written down some typical 'security' examples?

--
Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Fri Apr 13 7:40:37 2001
Message-ID: <3AD70FC9.1628DB70@softweyr.com>
Date: Fri, 13 Apr 2001 08:40:09 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: Security Announcements & Incremental Patches

Roger Marquis wrote:
>
> Scott Johnson wrote:
> > There is a difference between security fixes and a 'more low-key and
> > conservative set of changes intended for our next mainstream release'.
>
> I think this is a point many posters are missing. Production
> systems administration has to be conservative. A good systems
> administrator would *NEVER* run cvsup or -STABLE on a revenue
> generating production server for example. Change deltas must be
> kept to a minimum to minimize the risk of downtime or application
> problems.

But below you seem to have an inordinate fondness for the Solaris patch mechanism, which is the same thing, but in binary form. So what's the difference? Just your lack of understanding?
The usual method of handling this in a production environment is to have a "build box", where you cvsup and make world, then test your production apps off-line on copies of your real database(s). Then, once you've tested the build, you install it on your production machines as operations allow.

It is also important to keep network services like DNS on separate boxes from the rest of your production environment. Servers like this can typically be rather small boxes, and you should have at least two of them anyhow, so you can reload one with the new build, verify correct function, then reload the other during off-peak demand. None of this is rocket science, it's just good operational discipline.

I've even used my laptop in this role, as the build/test box for system updates, until I bought a small SMP desktop so I could fully test SMP operations with our multi-threaded application just to be sure. So what part of this makes you nervous? Spending $500 on a build box?

> > I just want to add my voice as to how I use FreeBSD. Simply saying 'use
> > - -STABLE' to those of us running -RELEASE on production systems isn't
> > appropriate,

Of course it is, if you do it sensibly. You have to get critical security and functionality updates somehow, and this is one of the best maintenance systems I've encountered in 20 years of UNIX work.

> Agreed. It might be worthwhile to point out that Linux is gaining
> market share by leaps and bounds while FreeBSD's user base remains
> relatively stagnant for *exactly* this reason.

Bullshit. B U L L S H I T. The "market share" of Linux and FreeBSD are unknown and unknowable, so whatever you think they are is probably just as WRONG as what Linus and JKH think they are, and to lump this stupid-ass misunderstanding of what -stable is as the sole reason Linux has more users than FreeBSD is so far beyond naive as to be an out-and-out lie. You, sir, are a scoundrel.

> This is all IMHO. Perhaps I'm just spoiled by Solaris' patch
> process.
> Yet we have seen a significant increase in Sun purchases
> thanks to their Blade 100 and its $1000 price (headless). The
> FreeBSD community has to make the choice: do you want FreeBSD
> to be a great developer's OS and an also-ran production platform
> (Dag-Erling Smorgrav's "submit patches or shut up") or would it be
> better in the long term to shift some resources (like incremental
> security patches) in order to boost market share?

You apparently haven't tried benchmarking a Blade 100 vs. just about anything running FreeBSD that costs $995. I agree the Blade 100 is the best 64-bit RISC workstation you can buy for $995, but then again it's the only RISC workstation you can buy for $995. I can build an Athlon/FreeBSD system for $995 that will run rings around the Blade 100, and have enough money left over for a good lunch.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC wes@softweyr.com http://softweyr.com/

From owner-freebsd-security Fri Apr 13 8:10:21 2001
Date: Fri, 13 Apr 2001 09:04:51 -0600
From: mike
To: freebsd-security@freebsd.org
Subject: a couple boxes getting hammered with ip frags
Message-ID: <20010413090451.A46082@coloradosurf.com>

Hi all,

Sorry for posting yet another item on ipfw -1
(especially to Crist), but... I have two web production boxes that were hammered yesterday (from about 9:30 am to 12:30 pm) with (what I assumed to be) IP frags (a very long list of "/kernel: ipfw: -1 Refuse TCP e.f.g.h:54661 a.b.c.d:80 in via rl0"). They were coming from many different IPs. A brief search did not show any consistency in the IPs that were hitting the two machines. I am therefore assuming (danger danger) that it was more likely a network issue that may have been causing the fragments and not some type of DoS or attempt to 'circumvent' the firewall. And, since I'm not so sure, I was hoping someone might be able to shed a little more light on this one.

Thanks!
mike

From owner-freebsd-security Fri Apr 13 8:27:44 2001
Message-ID: <3AD71BC8.4475ED65@gmx.net>
Date: Fri, 13 Apr 2001 11:31:20 -0400
From: Raoul Schroeder
To: security
Subject: SSHD

Hello,

I meticulously closed most of the TCP ports to close all security holes, such as ftp, telnet, etc. I replaced telnet with sshd, and now I was wondering if there were any security holes in that one. If so, is there a version that corrects it?
I am running 4.1 R (and will upgrade to 4.3R as soon as it comes out).

Thank you
Raoul

From owner-freebsd-security Fri Apr 13 8:32:33 2001
Date: Fri, 13 Apr 2001 11:32:27 -0400 (EDT)
From: Mikhail Kruk
To: Raoul Schroeder
Cc: security
Subject: Re: SSHD
In-Reply-To: <3AD71BC8.4475ED65@gmx.net>

SSHD in 4.1 has problems:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc

> Hello,
>
> I meticulously closed most of the TCP ports to close all security holes,
> such as ftp, telnet, etc.
> I replaced telnet with sshd, and now I was wondering if there were any
> security holes in that one.
> If so, is there a version that corrects it?
> I am running 4.1 R (and will
> upgrade to 4.3R as soon as it comes out)
>
> Thank you
>
> Raoul

From owner-freebsd-security Fri Apr 13 8:40: 7 2001
Date: Fri, 13 Apr 2001 10:39:44 -0500 (CDT)
From: Chris Byrnes
Subject: Re: SSHD

When I try to open PGP signed stuff from the FreeBSD Security Officer, it says Invalid key.

Chris Byrnes, chris@JEAH.net
JEAH Communications, http://www.JEAH.net
608.244.9525 (Toll), 1.866.AWW.JEAH (Toll-Free)

On Fri, 13 Apr 2001, Mikhail Kruk wrote:

> SSHD in 4.1 has problems:
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc
>
> > Hello,
> >
> > I meticulously closed most of the TCP ports to close all security holes,
> > such as ftp, telnet, etc.
> > I replaced telnet with sshd, and now I was wondering if there were any
> > security holes in that one.
> > If so, is there a version that corrects it?
> > I am running 4.1 R (and will
> > upgrade to 4.3R as soon as it comes out)
> >
> > Thank you
> >
> > Raoul

From owner-freebsd-security Fri Apr 13 8:42:25 2001
Date: Fri, 13 Apr 2001 08:42:20 -0700 (PDT)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: Security Announcements & Incremental Patches

> > Production systems administration has to be conservative. A good systems
> > administrator would *NEVER* run cvsup or -STABLE on a revenue
> > generating production server for example. Change deltas must be
> > kept to a minimum to minimize the risk of downtime or application
> > problems.
>
> But below you seem to have an inordinate fondness for the Solaris patch
> mechanism, which is the same thing, but in binary form. So what's the
> difference? Just your lack of understanding?

What isn't incremental about Solaris patches? Even the patch clusters are broken down by individual patch. They're also released with lengthy readme files allowing an admin to pick and choose. The differences are substantial (to experienced admins at least).
Another difference between Solaris and FreeBSD patches is the level of QA. Even among the FreeBSD security patches published in the last few months, many (most?) have had incorrect path names.

> The usual method of handling this in a production environment is to
> have a "build box"

This is a good practice if you're doing a FreeBSD cvsup or using -STABLE. It would be overkill on a Solaris system.

> you've tested the build, you install it on your production machines as
> operations allow.

Nice that you have the time to go through all that trouble just to apply a minor patch. Most production environments, in my experience, do not. When your systems are in various remote datacenters such a model would be entirely unworkable. You have to do this for major upgrades of course, but an OS shouldn't force you through this hoop more often than every 18 to 24 months.

> Bullshit. B U L L S H I T. The "market share" of Linux and FreeBSD are
> unknown and unknowable, so whatever you think they are is probably just
> as WRONG as what Linus and JKH think they are

Your agenda is showing, Wes. The market share of various production systems is pretty obvious to those who spend any amount of time in Silicon Valley datacenters.

> and to lump this stupid-ass
> misunderstanding of what -stable is as the sole reason Linux has more
> users than FreeBSD is so far beyond naive to be an out-and-out lie. You,
> sir, are a scoundrel.

I think people understand what -STABLE is; it's normally called beta.
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Fri Apr 13 8:47: 5 2001
Message-Id: <4.2.2.20010413114332.01a20e10@192.168.0.12>
Date: Fri, 13 Apr 2001 11:46:53 -0400
To: Wes Peters
From: Mike Tancsa
Subject: Re: Security Announcements & Incremental Patches
Cc: security@freebsd.org
In-Reply-To: <3AD70FC9.1628DB70@softweyr.com>

At 08:40 AM 4/13/2001 -0600, Wes Peters wrote:
> > Agreed. It might be worthwhile to point out that Linux is gaining
> > market share by leaps and bounds while FreeBSD's user base remains
> > relatively stagnant for *exactly* this reason.
>
> Bullshit. B U L L S H I T. The "market share" of Linux and FreeBSD are
> unknown and unknowable, so whatever you think they are is probably just
> as WRONG as what Linus and JKH think they are, and to lump this stupid-ass
> misunderstanding of what -stable is as the sole reason Linux has more
> users than FreeBSD is so far beyond naive to be an out-and-out lie.
> You,
> sir, are a scoundrel.

Although I agree it's very difficult to measure, one metric that I find interesting is at http://www.netcraft.net/survey/

Yes, there are many big *s with this info, but for what it's worth, I think this is a decent starting point for 'guestimating' OS market share.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Fri Apr 13 9:30:41 2001
Message-ID: <3AD72A8A.50B71BF@gmx.net>
Date: Fri, 13 Apr 2001 12:34:18 -0400
From: Raoul Schroeder
To: Mikhail Kruk, security
Subject: Re: SSHD

Thanks for the help.
However, as I downloaded the new skeleton (and after moving the pkg-* files into pkg - the skeleton is HIGHLY INCONSISTENT with ITSELF), the makefile gives these errors:

===> Building for OpenSSH-2.2.0
===> lib
"Makefile", line 18: Malformed conditional ((${KERBEROS} == "yes"))
"Makefile", line 18: Missing dependency operator
"Makefile", line 20: Malformed conditional ((${AFS} == "yes"))
"Makefile", line 20: Missing dependency operator
"Makefile", line 23: if-less endif
"Makefile", line 23: Need an operator
"Makefile", line 24: if-less endif
"Makefile", line 24: Need an operator
make: fatal errors encountered -- cannot continue

Huh?
Looks alright to me!

From owner-freebsd-security Fri Apr 13 9:41:21 2001
Date: Fri, 13 Apr 2001 12:41:12 -0400 (EDT)
From: Mikhail Kruk
To: Raoul Schroeder
Subject: Re: SSHD
In-Reply-To: <3AD72A8A.50B71BF@gmx.net>

The skeleton is not inconsistent, it just changed from 4.1 to 4.2 (or maybe from 4.2 to 4.3, I'm not sure). I can't give you good advice on how to fix 4.1. You may want to try upgrading the whole ports tree, but that probably won't work. The best thing would be to just cvsup to 4.3-RC1 if you need this fixed right now, or just wait for the release of 4.3; I do not believe that this sshd vulnerability requires an urgent fix.

> Thanks for the help.
>
> However, as I downloaded the new skeleton (and after moving the pkg-* files
> into pkg - the skeleton is HIGHLY INCONSISTENT with ITSELF), the makefile
> gives these errors:
>
> ===> Building for OpenSSH-2.2.0
> ===> lib
> "Makefile", line 18: Malformed conditional ((${KERBEROS} == "yes"))
> "Makefile", line 18: Missing dependency operator
> "Makefile", line 20: Malformed conditional ((${AFS} == "yes"))
> "Makefile", line 20: Missing dependency operator
> "Makefile", line 23: if-less endif
> "Makefile", line 23: Need an operator
> "Makefile", line 24: if-less endif
> "Makefile", line 24: Need an operator
> make: fatal errors encountered -- cannot continue
>
> Huh?
> Looks alright to me!

From owner-freebsd-security Fri Apr 13 9:47:41 2001
Date: Fri, 13 Apr 2001 12:47:27 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200104131647.MAA60805@khavrinen.lcs.mit.edu>
To: Mikhail Kruk
Subject: Re: SSHD
References: <3AD72A8A.50B71BF@gmx.net>

< said:
> I can't give you good advice on how to fix 4.1
> You may want to try upgrading the whole ports tree, but that won't
> probably work.

The ports system works, with some exceptions, on systems as old as 3.4.
It is necessary to make a few minor changes in Mk/bsd.port.mk in order for this to work, but beyond that most stand-alone program ports work just fine, so long as the code actually supports old systems. (That's precisely what I did with sshd on one of my 3.4 systems and a couple of old 5-current systems a few months ago.)

-GAWollman

From owner-freebsd-security Fri Apr 13 9:54:20 2001
Date: Fri, 13 Apr 2001 12:55:21 -0400
From: Chris Faulhaber
To: Chris Byrnes
Cc: security@freebsd.org
Subject: Re: SSHD
Message-ID: <20010413125521.A40153@peitho.fxp.org>

On Fri, Apr 13, 2001 at 10:39:44AM -0500, Chris Byrnes wrote:
> When I try to open PGP signed stuff from the FreeBSD Security Officer, it
> says Invalid key.
>

"stuff" == ? (specifics please)

--
Chris D.
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Fri Apr 13 9:56:50 2001
From: Nate Williams
Message-ID: <15063.12223.488385.402605@nomad.yogotech.com>
Date: Fri, 13 Apr 2001 10:56:31 -0600 (MDT)
To: Garrett Wollman
Cc: Mikhail Kruk
Subject: Re: SSHD
In-Reply-To: <200104131647.MAA60805@khavrinen.lcs.mit.edu>
References: <3AD72A8A.50B71BF@gmx.net> <200104131647.MAA60805@khavrinen.lcs.mit.edu>

> > I can't give you good advice on how to fix 4.1
> > You may want to try upgrading the whole ports tree, but that won't
> > probably work.
>
> The ports system works, with some exceptions, on systems as old as
> 3.4.

And as far back as 2.2.8-stable.

> It is necessary to make a few minor changes in Mk/bsd.port.mk in
> order for this to work, but beyond that most stand-alone program ports
> work just fine, so long as the code actually supports old systems.

You may have to modify some ports' Makefiles, but just remove the offending lines, and things progress nicely. It's not quite as 'hands-off' as in 4.x/5.x, but it works pretty well.

Nate

From owner-freebsd-security Fri Apr 13 10:49: 5 2001
Message-ID: <3AD73C0B.6ED45D83@globalstar.com>
Date: Fri, 13 Apr 2001 10:48:59 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Drew Derbyshire
Cc: Steve Reid, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
References: <200104122058.f3CKwLe45352@freefall.freebsd.org> <20010413000659.A88148@grok.bc.hsia.telus.net> <004601c0c412$4ea81e70$94cba8c0@hh.kew.com>

Drew Derbyshire wrote:
>
> From: "Steve Reid"
> > None of the advisories I've seen released (FreeBSD or otherwise) have
> > listed "restrict" directives in ntp.conf as a workaround.
> > Is this
> > because it is not sufficient, or are the people writing the advisories
> > not aware of it, or other?
> >
> > Restricting by address is subject to spoofing of course,
> > IMHO ...
>
> I believe the comment in the advisory that specifically points out
> spoofing is a problem is why restrict is not listed as a workaround. The
> official workarounds have to be bulletproof.

For machines working only as an NTP "client," you can enter a 'noquery' restrict statement for all machines,

  restrict default ignore
  restrict noquery
  restrict noquery
  ...
  restrict 127.0.0.1 noquery

including the servers it queries and localhost. The machine can still sync to the servers (YMMV), and it is safe from this specific vulnerability. Spoofing does not enter into the picture.

(Note: Putting 'noquery' on the loopback might be a problem for xntpd, but I have not noticed problems for ntpd.)

--
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited.
If you have received this e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Fri Apr 13 10:55:25 2001
Message-ID: <3AD73F73.FFD68B93@ocsinternet.com>
Date: Fri, 13 Apr 2001 14:03:31 -0400
From: Mikel
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: Security Announcements & Incremental Patches

Roger Marquis wrote:
> [SNIP]
>
> Your agenda is showing Wes. The market share of production various
> systems is pretty obvious to those who spend any amount of time in
> Silicon Valley datacenters.

It's surely as obvious to those of us walking round Silicon Alley datacenters (NYC). My systems always sport the latest in 'Darby' screen saver fashion. I'm patiently awaiting the summer line now...;)

I do see quite a few BSD and Linux servers out there, and if one were to count F5, Nokia, and Juniper on the BSD side, as the majority of these manufacturers have systems based on BSD, then the numbers are greater than you can imagine.

On a side note, I had heard somewhere that Alteon load balancers are BSD based as well; any truth to the rumor?
Cheers, Mikel To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 13 11: 0:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f120.law3.hotmail.com [209.185.241.120]) by hub.freebsd.org (Postfix) with ESMTP id 7F41D37B446 for ; Fri, 13 Apr 2001 11:00:50 -0700 (PDT) (envelope-from merkury55@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 13 Apr 2001 11:00:50 -0700 Received: from 4.40.152.46 by lw3fd.law3.hotmail.msn.com with HTTP; Fri, 13 Apr 2001 18:00:50 GMT X-Originating-IP: [4.40.152.46] From: "Nick Mazza" To: security@freebsd.org Subject: Closing TCP ports Date: Fri, 13 Apr 2001 11:00:50 -0700 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 13 Apr 2001 18:00:50.0351 (UTC) FILETIME=[AC9283F0:01C0C443] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hey how would i got about closing tcp/ip prots on my system (telnet, ftp, whois)...Can someone point me in the direction of a How-To? 
Thanks Nick Mazza _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 13 11:30:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from istar.ca (d141-119-162.home.cgocable.net [24.141.119.162]) by hub.freebsd.org (Postfix) with ESMTP id 590FB37B506 for ; Fri, 13 Apr 2001 11:30:33 -0700 (PDT) (envelope-from genisis@istar.ca) Received: (from genisis@localhost) by istar.ca (8.11.1/8.11.1) id f3DIXxl07200; Fri, 13 Apr 2001 14:33:59 -0400 (EDT) (envelope-from genisis) Date: Fri, 13 Apr 2001 14:33:59 -0400 (EDT) From: Dru To: Nick Mazza Cc: security@FreeBSD.ORG Subject: Re: Closing TCP ports In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi Nick, You might find the following useful: http://www.oreillynet.com/pub/a/bsd/2001/01/31/FreeBSD_Basics.html Cheers, Dru On Fri, 13 Apr 2001, Nick Mazza wrote: > Hey how would i got about closing tcp/ip prots on my system (telnet, ftp, > whois)...Can someone point me in the direction of a How-To? 
Thanks > > Nick Mazza > _________________________________________________________________ > Get your FREE download of MSN Explorer at http://explorer.msn.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 13 11:35: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from kira.epconline.net (kira2.epconline.net [209.83.132.2]) by hub.freebsd.org (Postfix) with ESMTP id 1E17F37B422 for ; Fri, 13 Apr 2001 11:34:58 -0700 (PDT) (envelope-from carock@epconline.net) Received: from therock (betterguard.epconline.net [207.206.185.193]) by kira.epconline.net (8.11.2/8.11.2) with SMTP id f3DIYvW32490 for ; Fri, 13 Apr 2001 13:34:57 -0500 (CDT) From: "Chuck Rock" To: Subject: RE: Closing TCP ports Date: Fri, 13 Apr 2001 13:34:57 -0500 Message-ID: <003001c0c448$70ad5130$1805010a@epconline.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Closing ports that have daemon's running on them to certain clients, or closing ports that netstat -an show as closed or closed_wait? If it's the second, I'd like to know as well, we have some servers that have about 170 ports show in the netstat -an output as closed or closed_wait If there's no daemon or process listed in inetd listening on a port, there's no need to "close" it. 
Chuck > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Nick Mazza > Sent: Friday, April 13, 2001 1:01 PM > To: security@FreeBSD.ORG > Subject: Closing TCP ports > > > Hey how would i got about closing tcp/ip prots on my system (telnet, ftp, > whois)...Can someone point me in the direction of a How-To? Thanks > > Nick Mazza > _________________________________________________________________ > Get your FREE download of MSN Explorer at http://explorer.msn.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 13 11:57:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id 0196B37B423 for ; Fri, 13 Apr 2001 11:57:38 -0700 (PDT) (envelope-from chris@jeah.net) Received: from localhost (chris@localhost) by awww.jeah.net (8.11.3/8.11.0) with ESMTP id f3DIvKI07694; Fri, 13 Apr 2001 13:57:20 -0500 (CDT) (envelope-from chris@jeah.net) Date: Fri, 13 Apr 2001 13:57:19 -0500 (CDT) From: Chris Byrnes To: Chris Faulhaber Cc: Subject: Re: SSHD In-Reply-To: <20010413125521.A40153@peitho.fxp.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > When I try to open PGP signed stuff from the FreeBSD Security Officer, it > > says Invalid key. > > > > "stuff" == ? (specifics please) Anything that's signed by the Security Officer such as the SAs. 
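Returning to the "Closing TCP ports" thread above: Chuck's point is that a port is only "open" if a daemon, or an inetd entry, is listening on it, so the practical answer to Nick's question for telnet and ftp is to take their entries out of /etc/inetd.conf and let inetd reread the file. The script below is an added example, not FreeBSD's own tooling and not code from anyone in this thread: it parses an inetd.conf text, reports which services are actually enabled, and comments out the ones you name. The sample configuration, service names and program paths in it are constructed to resemble a FreeBSD 4.x file and are not taken from any real system.

```python
"""Audit an inetd.conf text and switch off services by name.

Added example for the "Closing TCP ports" thread; not FreeBSD's tooling.
The sample configuration below is constructed, not copied from a real host.
"""
from dataclasses import dataclass

# Socket types inetd.conf knows; used to tell real entries from comment text.
SOCKET_TYPES = ("stream", "dgram", "raw", "rdm", "seqpacket")


@dataclass
class InetdEntry:
    service: str     # first field: the service name from /etc/services
    socktype: str
    proto: str       # tcp, tcp6, udp, ...
    server: str      # server program path (or "internal")
    enabled: bool    # False when the line is commented out
    lineno: int


def parse_inetd(text):
    """Return every service entry, commented-out ones included."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        # A real entry has at least service, socket type, protocol, wait/nowait,
        # user and server program; anything else is ordinary comment text.
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        entries.append(InetdEntry(fields[0], fields[1], fields[2], fields[5],
                                  enabled, lineno))
    return entries


def enabled_services(text):
    """Names of the services inetd would actually bind and listen for."""
    return sorted({e.service for e in parse_inetd(text) if e.enabled})


def disable_services(text, names):
    """Comment out every active entry (all protocols) for the named services.

    Lines are rewritten in place so the file keeps its layout and comments.
    """
    wanted = set(names)
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        is_entry = (len(fields) >= 6 and fields[1] in SOCKET_TYPES
                    and not raw.lstrip().startswith("#"))
        out.append("#" + raw if is_entry and fields[0] in wanted else raw)
    return "\n".join(out) + "\n"


# Constructed sample resembling a FreeBSD 4.x /etc/inetd.conf.
SAMPLE_INETD_CONF = """\
# Internet server configuration database (constructed sample)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
#
# Example entry for the optional pop3d server
#
"""


if __name__ == "__main__":
    print("enabled now:", enabled_services(SAMPLE_INETD_CONF))
    trimmed = disable_services(SAMPLE_INETD_CONF, ["ftp", "telnet"])
    print("after disabling ftp and telnet:", enabled_services(trimmed))
    print(trimmed)
```

To use it on a real box, feed it the contents of /etc/inetd.conf instead of the constructed sample, write the result back, and send inetd a SIGHUP (FreeBSD's inetd keeps its pid in /var/run/inetd.pid) so it rereads the file. Daemons started from the rc scripts rather than from inetd (sshd, sendmail and the like) are outside this check; those have to be turned off in their own configuration.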
From owner-freebsd-security Fri Apr 13 12:49:08 2001
Date: Fri, 13 Apr 2001 15:50:08 -0400
From: Chris Faulhaber
To: Chris Byrnes
Cc: security@FreeBSD.ORG
Subject: Re: SSHD
Message-ID: <20010413155008.A90861@peitho.fxp.org>
References: <20010413125521.A40153@peitho.fxp.org>

On Fri, Apr 13, 2001 at 01:57:19PM -0500, Chris Byrnes wrote:
> > > When I try to open PGP signed stuff from the FreeBSD Security Officer, it
> > > says Invalid key.
> > >
> >
> > "stuff" == ? (specifics please)
>
> Anything that's signed by the Security Officer such as the SAs.
>

ok, let's try this again:

jedgar@darkstar:~$ pkg_info | grep gnupg
gnupg-1.0.4_3       The GNU Privacy Guard
gnupg-idea-1.0.1    IDEA extension module for gnupg (and RSA extension module f
jedgar@darkstar:~$ gpg --version
gpg (GnuPG) 1.0.4
Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Cipher: IDEA, 3DES, CAST5, BLOWFISH, RIJNDAEL, RIJNDAEL192, RIJNDAEL256, TWOFISH
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Hash: MD5, SHA1, RIPEMD160
jedgar@darkstar:~$ fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc
Receiving FreeBSD-SA-01:18.bind.asc (9355 bytes): 100%
9355 bytes transferred in 1.4 seconds (6.67 kBps)
jedgar@darkstar:~$ gpg --verify FreeBSD-SA-01:18.bind.asc
gpg: Signature made Wed Jan 31 16:16:30 2001 EST using RSA key ID 73D288A5
gpg: Good signature from "FreeBSD Security Officer "
jedgar@darkstar:~$

you are seeing something different?

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Fri Apr 13 14:29:00 2001
Date: Fri, 13 Apr 2001 14:28:56 -0700
From: Steve Reid
To: Drew Derbyshire
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
Message-ID: <20010413142855.B88148@grok.bc.hsia.telus.net>
References: <200104122058.f3CKwLe45352@freefall.freebsd.org>
	<20010413000659.A88148@grok.bc.hsia.telus.net>
	<004601c0c412$4ea81e70$94cba8c0@hh.kew.com>
In-Reply-To: <004601c0c412$4ea81e70$94cba8c0@hh.kew.com>; from Drew Derbyshire on Fri, Apr 13, 2001 at 08:07:27AM -0400

On Fri, Apr 13, 2001 at 08:07:27AM -0400, Drew Derbyshire wrote:
> If you are using restrict, why not a simple ignore on the restrict?

Because I wasn't sure it would work properly. From the ntp.conf man
page:

      ignore  Ignore all packets from hosts which match this entry. If
              this flag is specified neither queries nor time server
              polls will be responded to.

This is why I don't grok ntp configuration. It says "Ignore all
packets". To me that means ignore all packets - including responses to
the queries that we send out. But it then explicitly lists "neither
queries nor time server polls", which doesn't sound like "all packets",
and so I am confused.

I used "noquery nomodify notrap nopeer" because it looked like they
would block off all unnecessary functionality while still allowing
responses to the queries we send out.

> Was this a recent addition to the configuration? (It is in the
> version shipped with FreeBSD 4.1)

As far as I can remember, 4.1 does not include any ntp.conf file at
all. This kind of makes sense, as NTP users are supposed to pick time
servers near to them.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 13 14:45:23 2001
Date: Fri, 13 Apr 2001 14:45:12 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Steve Reid
Cc: Drew Derbyshire, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
Message-ID: <3AD77368.D324D9F6@globalstar.com>
References: <200104122058.f3CKwLe45352@freefall.freebsd.org>
	<20010413000659.A88148@grok.bc.hsia.telus.net>
	<004601c0c412$4ea81e70$94cba8c0@hh.kew.com>
	<20010413142855.B88148@grok.bc.hsia.telus.net>

Steve Reid wrote:
>
> On Fri, Apr 13, 2001 at 08:07:27AM -0400, Drew Derbyshire wrote:
> > If you are using restrict, why not a simple ignore on the restrict?
>
> Because I wasn't sure it would work properly. From the ntp.conf man
> page:
>
>       ignore  Ignore all packets from hosts which match this entry. If
>               this flag is specified neither queries nor time server
>               polls will be responded to.
>
> This is why I don't grok ntp configuration. It says "Ignore all
> packets". To me that means ignore all packets - including responses to
> the queries that we send out. But it then explicitly lists "neither
> queries nor time server polls", which doesn't sound like "all packets",
> and so I am confused.

No, it really means all packets. I think you might be confused about the
algorithm to determine restrictions. The way to go is,

	restrict default ignore
	restrict <server> noquery nomodify
	...
	restrict <peer>
	...
	restrict <client-network> nomodify nopeer

That is, set the default to restrict and then explicitly allow access
from other machines or networks. In this case, 'servers' can be queried
by us, but they cannot modify or query us. Peers have full access. And a
network of clients can query, but we will not peer to them or let them
modify our state.

I had trouble grokking this at first as well. However, it was because
the docs talk about how the 'default' entry is always evaluated first.
It took a minute to set in that the _entire list_ is always searched
from least specific to most specific (w.r.t. netmask) and the last match
wins. I'm so used to match-and-out lists, I scratched my head for a
while trying to figure how anything got past the default entry if it
was first.
--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
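As an added example for the ntpd restrict discussion above (Steve Reid's question about what 'ignore' covers, and Crist Clark's point that the whole list is walked from least to most specific netmask with the last match winning), here is a small Python model of that evaluation. It is not ntpd's code and not from anyone in the thread: it models only the flags the thread names (ignore, noquery, nomodify, nopeer, notrap; real ntpd has more), the five packet kinds are a simplification of NTP's modes, and the sample configuration uses constructed addresses from the RFC 5737 documentation ranges.

```python
"""Model of how ntpd evaluates its restrict list (added example, not ntpd code).

Only the flags named in the thread are modelled. All addresses below are
constructed (RFC 5737 documentation ranges), not real hosts.
"""
import ipaddress
from dataclasses import dataclass

KNOWN_FLAGS = {"ignore", "noquery", "nomodify", "nopeer", "notrap"}


@dataclass(frozen=True)
class Restrict:
    network: ipaddress.IPv4Network   # 'default' is modelled as 0.0.0.0/0
    flags: frozenset


def parse_restrict(text):
    """Parse the 'restrict' lines of an ntp.conf-style text; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        words = line.split()[1:]
        if not words:
            raise ValueError("restrict line without an address: %r" % raw)
        target, rest = words[0], words[1:]
        if target == "default":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif rest[:1] == ["mask"]:
            net = ipaddress.IPv4Network("%s/%s" % (target, rest[1]), strict=False)
            rest = rest[2:]
        else:
            net = ipaddress.IPv4Network(target + "/32")
        unknown = set(rest) - KNOWN_FLAGS
        if unknown:
            raise ValueError("unsupported flag(s) %s in %r" % (sorted(unknown), raw))
        entries.append(Restrict(net, frozenset(rest)))
    # The list is walked from the least specific mask (the /0 default) to the
    # most specific one, so the order of the lines in the file is irrelevant.
    return sorted(entries, key=lambda e: e.network.prefixlen)


def flags_for(entries, src):
    """Last match wins: keep the flags of the most specific entry covering src."""
    addr = ipaddress.IPv4Address(src)
    winner = frozenset()
    for entry in entries:
        if addr in entry.network:
            winner = entry.flags
    return winner


def accepts(entries, src, kind):
    """Would ntpd act on a packet of the given kind arriving from src?

    kind: 'time'   client/server exchange (includes a server's reply to our poll)
          'query'  ntpq/ntpdc read-only request
          'modify' ntpq/ntpdc run-time configuration change
          'peer'   symmetric-active request to form a new association
          'trap'   mode 6 trap service
    """
    flags = flags_for(entries, src)
    if "ignore" in flags:        # 'ignore' really is every packet, replies included
        return False
    if kind == "time":
        return True
    if kind == "query":
        return "noquery" not in flags
    if kind == "modify":
        return "noquery" not in flags and "nomodify" not in flags
    if kind == "peer":
        return "nopeer" not in flags
    if kind == "trap":
        return "noquery" not in flags and "notrap" not in flags
    raise ValueError("unknown packet kind %r" % kind)


def same_policy(conf_a, conf_b, probes):
    """True if both configurations decide every (src, kind) probe identically."""
    a, b = parse_restrict(conf_a), parse_restrict(conf_b)
    return all(accepts(a, s, k) == accepts(b, s, k) for s, k in probes)


# Constructed ntp.conf fragment following the recipe from the thread: deny
# everything by default, then open up our servers, a peer and a client subnet.
SAMPLE_CONF = """
restrict 192.0.2.10 noquery nomodify                        # server we sync to
restrict 192.0.2.20                                         # peer: full access
restrict 198.51.100.0 mask 255.255.255.0 nomodify nopeer    # our client subnet
restrict 127.0.0.1 noquery
restrict default ignore    # last in the file on purpose: position is irrelevant
"""

PROBES = [(s, k) for s in ("192.0.2.10", "192.0.2.20", "198.51.100.7", "203.0.113.5")
          for k in ("time", "query", "modify", "peer", "trap")]
```

Running the probes shows the consequences Clark describes: the server entry with 'noquery nomodify' still gets its time replies processed, an address that matches only the default entry is dropped for every packet kind (the 'ignore' Steve was unsure about), and reversing the order of the lines in the file changes no decision.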
From owner-freebsd-security Fri Apr 13 15:45:50 2001
Date: Fri, 13 Apr 2001 17:45:27 -0500 (CDT)
From: Chris Byrnes
To: Chris Faulhaber
Subject: Re: SSHD
In-Reply-To: <20010413155008.A90861@peitho.fxp.org>

I'm using the Windows PGP client, and yes.

Chris Byrnes, chris@JEAH.net
JEAH Communications, http://www.JEAH.net
608.244.9525 (Toll), 1.866.AWW.JEAH (Toll-Free)

> jedgar@darkstar:~$ gpg --verify FreeBSD-SA-01:18.bind.asc
> gpg: Signature made Wed Jan 31 16:16:30 2001 EST using RSA key ID 73D288A5
> gpg: Good signature from "FreeBSD Security Officer "
> jedgar@darkstar:~$
>
> you are seeing something different?

From owner-freebsd-security Fri Apr 13 15:52:32 2001
Date: Fri, 13 Apr 2001 17:50:48 -0500
From: Will Andrews
To: Chris Byrnes
Cc: security@FreeBSD.org
Subject: Re: SSHD
Message-ID: <20010413175048.I12543@casimir.physics.purdue.edu>
References: <20010413155008.A90861@peitho.fxp.org>

On Fri, Apr 13, 2001 at 05:45:27PM -0500, Chris Byrnes wrote:
> I'm using the Windows PGP client, and yes.

Maybe windows dinked with the EOL? That would affect verification.

--
wca

From owner-freebsd-security Fri Apr 13 15:55:52 2001
Date: Fri, 13 Apr 2001 17:55:31 -0500 (CDT)
From: Chris Byrnes
To: Will Andrews
Subject: RE: PGP signed SAs.
In-Reply-To: <20010413175048.I12543@casimir.physics.purdue.edu>

> > I'm using the Windows PGP client, and yes.
>
> Maybe windows dinked with the EOL? That would affect verification.

Not sure. I deleted the key I had saved, and reimported it from the key
server, and still the same message.

Perhaps someone has a clue? I don't.

Chris Byrnes, chris@JEAH.net
JEAH Communications, http://www.JEAH.net
608.244.9525 (Toll), 1.866.AWW.JEAH (Toll-Free)

From owner-freebsd-security Fri Apr 13 16:02:06 2001
Date: Fri, 13 Apr 2001 18:00:20 -0500
From: Will Andrews
To: Chris Byrnes
Cc: Will Andrews, security@FreeBSD.ORG
Subject: Re: PGP signed SAs.
Message-ID: <20010413180020.J12543@casimir.physics.purdue.edu>
References: <20010413175048.I12543@casimir.physics.purdue.edu>

On Fri, Apr 13, 2001 at 05:55:31PM -0500, Chris Byrnes wrote:
> > Maybe windows dinked with the EOL? That would affect verification.
>
> Not sure. I deleted the key I had saved, and reimported it from the key
> server, and still the same message.
>
> Perhaps someone has a clue? I don't.

Umm, dude.. try opening the file in a REAL text editor (i.e.: not Word or
Notepad or Wordpad), and examine the EOLs.

Or just use gpg on a FreeBSD box ;)

--
wca

From owner-freebsd-security Fri Apr 13 17:55:19 2001
Date: Fri, 13 Apr 2001 19:55:03 -0500 (CDT)
From: Mike Silbersack
To: Chris Byrnes
Cc: Chris Faulhaber
Subject: Re: SSHD

On Fri, 13 Apr 2001, Chris Byrnes wrote:

> Anything that's signed by the Security Officer such as the SAs.

Didn't the security officer change keys recently? Or was that Kris?
Someone did, I can't remember who. :)

Mike "Silby" Silbersack

From owner-freebsd-security Fri Apr 13 18:00:11 2001
Date: Fri, 13 Apr 2001 19:58:27 -0500
From: Will Andrews
To: Mike Silbersack
Cc: Chris Byrnes, Chris Faulhaber, security@FreeBSD.ORG
Subject: Re: SSHD
Message-ID: <20010413195827.L12543@casimir.physics.purdue.edu>

On Fri, Apr 13, 2001 at 07:55:03PM -0500, Mike Silbersack wrote:
> Didn't the security officer change keys recently? Or was that Kris?
> Someone did, I can't remember who. :)

You are remembering Kris's key expiring in mid-Jan.. he renewed it.
--
wca

From owner-freebsd-security Fri Apr 13 20:48:17 2001
Date: Fri, 13 Apr 2001 20:54:25 -0700 (PDT)
From: mudman
To: Christoph Kukulies
Subject: Re: tcpdump (tutorial?)
In-Reply-To: <200104131402.f3DE2vx32654@gilberto.physik.rwth-aachen.de>

> Next time same procedure. Uh, oh, what was again this tcpdump syntax
> to watch that host for incoming and outgoing packets that do not
> come from our local network and are not http port.
>
> Is there a tutorial?
>
> Has someone written down some typical 'security' examples?

I also would like to see this. Any good resources, anyone? Especially
not so much syntactical issues as "tricks" that can be done to pin down
troublemakers.

From owner-freebsd-security Fri Apr 13 22:08:28 2001
Date: Fri, 13 Apr 2001 23:20:57 -0500
From: David
Organization: Serpant Technologies
To: freebsd-security@freebsd.org
Subject: This is freebsd-security not let-me-post-anything
Message-Id: <01041323205704.11342@descrypt.com>

Please kill the stupid threads asking for help on how they can't read a
man page and don't know how to operate tcpdump. Along with any others
not pertaining to security. I have enough spam and un-needed email sent
to this mailing list. No need to add on.

From owner-freebsd-security Sat Apr 14 03:27:06 2001
Date: Sat, 14 Apr 2001 03:26:57 -0700
From: Kris Kennaway
To: Chris Byrnes
Cc: Will Andrews, security@FreeBSD.ORG
Subject: Re: PGP signed SAs.
Message-ID: <20010414032656.A24480@xor.obsecurity.org>
References: <20010413175048.I12543@casimir.physics.purdue.edu>

On Fri, Apr 13, 2001 at 05:55:31PM -0500, Chris Byrnes wrote:
> > > I'm using the Windows PGP client, and yes.
> >
> > Maybe windows dinked with the EOL? That would affect verification.
>
> Not sure. I deleted the key I had saved, and reimported it from the key
> server, and still the same message.
>
> Perhaps someone has a clue? I don't.

Your file is being corrupted prior to verifying it. The most likely
candidate (as already mentioned above) is some lame Windows software
doing a CR/CRLF conversion which thereby invalidates the PGP signature.
This isn't a Windows support list though, so you should go elsewhere
with any followup support questions.

I can confirm that the PGP signatures are indeed valid as published,
though.

Kris

From owner-freebsd-security Sat Apr 14 03:32:00 2001
Date: Sat, 14 Apr 2001 03:31:49 -0700
From: Kris Kennaway
To: Michael Nottebrock
Cc: Michael Bryan, freebsd-security@freebsd.org
Subject: Re: Security Announcements?
Message-ID: <20010414033149.B24480@xor.obsecurity.org>
References: <3AD33218.FE8D7ACD@ursine.com>
	<001d01c0c1fc$23d73680$0508a8c0@lofi.dyndns.org>

On Tue, Apr 10, 2001 at 10:23:43PM +0200, Michael Nottebrock wrote:
> FreeBSD: Absolutely nothing, not even an official statement or some
> kind of notification anywhere on the website. The fix is apparently
> done, but nobody (well, okay, at least my very dumb own self) seems to
> know where to get it or how to apply it. Is this due to 4.3-Release
> stress? It certainly is starting to irritate people running
> 4.2-Release.
>
> I really do not want to piss on anybody's legs here, but, there _are_
> quite a few sites running FreeBSD ftp-servers, aren't they?

I've been away at a conference for the past two weeks. The fix was put
in place in a very timely manner by other committers, and there has been
discussion about the issue here and on other lists (it's also noted in
the CERT advisory). I expect an advisory will go out in the near future
once I have caught up on my 10000+ outstanding emails, etc.

Kris
FreeBSD Security Officer

From owner-freebsd-security Sat Apr 14 04:36:53 2001
Date: Sat, 14 Apr 2001 07:36:49 -0400
From: "Drew Derbyshire"
Organization: Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com)
To: "Steve Reid"
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
Message-ID: <007d01c0c4d7$31998010$94cba8c0@hh.kew.com>
References: <200104122058.f3CKwLe45352@freefall.freebsd.org>
	<20010413000659.A88148@grok.bc.hsia.telus.net>
	<004601c0c412$4ea81e70$94cba8c0@hh.kew.com>
	<20010413142855.B88148@grok.bc.hsia.telus.net>

----- Original Message -----
From: "Steve Reid"

> As far as I can remember, 4.1 does not include any ntp.conf file at
> all. This kind of makes sense, as NTP users are supposed to pick time
> servers near to them.

Oooops. I meant "supported in the configuration", not actually in a
shipped file. I roll my own configurations as well. :-)

From owner-freebsd-security Sat Apr 14 04:57:23 2001
Date: Sat, 14 Apr 2001 07:58:43 -0400
From: "David Erickson"
Subject: Re: IPSEC/VPN/NAT and filtering
Message-ID: <001a01c0c4da$40f0a040$1902a8c0@mddsg.com>
References: <20010321163657.D0333113CB1@netcom1.netcom.com>

I do not know about your particular situation, however. I am doing
NAT'd IPSec all the time to work with a Checkpoint Firewall. You just
have to configure the firewall to accept NAT'd connections in v4.1 sp1,
and in sp3 the support is even better.

Dave

----- Original Message -----
From: "Mike Harding"
Sent: Wednesday, March 21, 2001 12:36 PM
Subject: IPSEC/VPN/NAT and filtering

> It's possible to use IPSEC on a box with NAT, but you don't want to
> NAT the ipsec tunnel. What worked for me was to create an ESP tunnel
> and then route traffic to the remote net to lo0. It then gets
> encapsulated and sent out the external interface. NAT is not invoked
> because the traffic no longer looks like your internal network.
>
> IPSEC does _not_ play happy with packet filters on the same
> box... here's an extract from a recent e-mail to kris...
>
> I would like to see all of this fixed and working, I'll write a
> handbook entry and do coding as well....
>
> - Mike Harding
>
> (extracted from a letter to kris...)
>
> I have seen your name on a few exchanges and you seem to be a likely
> person to discuss this with. The issue is using IPSEC and ipfilter
> (or ipfw) together on the same box. I think I have a relatively
> simple way to deal with getting this to work properly.
>
> The current problem is that if you use ESP tunnel mode, or transport
> mode for that matter, the KAME code rewrites the packet contents, and
> then requeues the packet for further routing. See line 398 in
> esp_input.c for -STABLE. It does NOT change the interface, so you
> can't tell this packet from one that comes in via the hardware device.
> Apparently there is a bit flipped indicating that this is an ipsec'd
> packet, but the current packet filters don't appear to take advantage
> of it.
>
> My modest proposal would be to have a sysctl variable to indicate an
> alternate interface to reinject the decrypted packets (like a local
> loopback, the default or maybe a new one, lo1). Then you know that
> anything coming in that interface was inserted by the KAME stack and
> you can apply filtering to it. This would allow firewall and IPSEC
> gateway functionality to be put into the same box.
>
> You can use the 'gif' device for tunnelling, but we are trying to
> interoperate with a cisco box (politics). There is also pipsecd,
> which would work, but there is no IKE daemon for it.
>
> I think we will work around this by putting another packet filter in
> front of the IPSEC box, but this would be very useful in general I
> think...
>
> How does this proposal sound? I know the OpenBSD folk put some effort
> into getting ipfilter and IPSEC to 'play nice'...
> it would be a shame
> to have to use 2 boxes or switch OSes to support this.
>
> I am willing to write a section in the handbook on this once I have it
> set up correctly, a box with NAT, VPN, and ipfilter (and alternately
> IPFW).

From owner-freebsd-security Sat Apr 14 8: 3:30 2001
Date: 14 Apr 2001 11:03:24 -0400
From: Lowell Gilbert
To: freebsd-security@freebsd.org, mike@coloradosurf.com
Subject: Re: a couple boxes getting hammered with ip frags
In-Reply-To: mike@coloradosurf.com's message of "13 Apr 2001 17:11:07 +0200"

mike@coloradosurf.com (mike) writes:
> Sorry for posting yet another item on ipfw -1 (especially to Crist),
> but...
>
> I have two web production boxes that were hammered yesterday (from
> about 9:30 am to 12:30 pm) with (what I assumed to be) ip frags (a
> very long list of
> "/kernel: ipfw: -1 Refuse TCP e.f.g.h:54661 a.b.c.d:80 in via rl0").
>
> They were coming from many different ips. A brief search did not show
> any consistency in the ips that were hitting the two machines. I am
> therefore assuming (danger danger) that it was more likely a
> network issue that may have been causing the fragments and not some
> type of DoS or attempt to 'circumvent' the firewall.
>
> And, since I'm not so sure, I was hoping someone might be able to
> shed a little more light on this one.

No, I'm afraid that these fragments definitely constitute some sort of
attack. That '-1' rule is for a type of packet that has *no* useful
purpose, and it's highly unlikely that a network problem would cause
packets fragmented in that way. The fact that the IP addresses were highly
varied just implies that they were spoofed anyway; you could always check
by seeing who *does* own them, and trying to determine if there are even
machines at all of those addresses.

That said, it's unlikely that this is a particularly serious problem that
you need to fix. These packets are being blocked, and even if they
weren't, they'd be rejected by the web servers anyway (because the first
packet wouldn't ever arrive). If it's a DoS problem, then the type of
packet doesn't matter, because the damage has been done before the traffic
ever gets to a node under your control.

Good luck.
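Lowell's reasoning above (rule -1 refusals spread over many unrelated source addresses point to spoofing rather than a broken network path) can be turned into a small check over the kernel log. This is an added example, not code from the thread; the log lines are constructed, and only the `ipfw: -1 Refuse ...` line format quoted in the post is assumed.

```python
import re
from collections import Counter

# Pattern for the syslog line quoted in the thread:
#   /kernel: ipfw: -1 Refuse TCP e.f.g.h:54661 a.b.c.d:80 in via rl0
# Rule number -1 is not a user rule; it is the kernel refusing a TCP
# fragment with offset 1, which no legitimate stack produces.
LINE_RE = re.compile(
    r"ipfw: -1 Refuse (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Apr 13 09:31:02 www1 /kernel: ipfw: -1 Refuse TCP 203.0.113.7:54661 192.0.2.10:80 in via rl0
Apr 13 09:31:02 www1 /kernel: ipfw: -1 Refuse TCP 198.51.100.23:1025 192.0.2.10:80 in via rl0
Apr 13 09:31:05 www1 /kernel: ipfw: 100 Accept TCP 198.51.100.5:4000 192.0.2.10:80 in via rl0
Apr 13 09:31:09 www1 /kernel: ipfw: -1 Refuse TCP 203.0.113.99:33000 192.0.2.10:80 in via rl0
Apr 13 09:31:10 www1 /kernel: ipfw: -1 Refuse TCP 203.0.113.7:54662 192.0.2.10:80 in via rl0
""".splitlines()


def parse_refusals(lines):
    """Return one dict per rule -1 refusal; other ipfw lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.search, lines) if m]


def summarize(lines):
    """Count refusals per source and per (destination, port)."""
    events = parse_refusals(lines)
    by_src = Counter(e["src"] for e in events)
    by_dst = Counter((e["dst"], e["dport"]) for e in events)
    return {
        "total": len(events),
        "distinct_sources": len(by_src),
        "top_sources": by_src.most_common(3),
        "by_dst": dict(by_dst),
    }


def looks_spoofed(events, min_events=3, min_ratio=0.5):
    """Heuristic from the post: a burst of rule -1 hits spread over many
    unrelated sources fits spoofed addresses better than one broken path."""
    if len(events) < min_events:
        return False
    return len({e["src"] for e in events}) / len(events) >= min_ratio


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("spoofed-looking:", looks_spoofed(parse_refusals(SAMPLE_LOG)))
```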