From owner-freebsd-security Mon Apr 29 8: 0:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id BA35C37B41B for ; Mon, 29 Apr 2002 08:00:13 -0700 (PDT) Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020429150013.JAEY9799.rwcrmhc51.attbi.com@InterJet.elischer.org>; Mon, 29 Apr 2002 15:00:13 +0000 Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id HAA62251; Mon, 29 Apr 2002 07:53:23 -0700 (PDT) Date: Mon, 29 Apr 2002 07:53:21 -0700 (PDT) From: Julian Elischer To: Drew Tomlinson Cc: security@freebsd.org Subject: Re: RELENG_4_4 In-Reply-To: <002d01c1ed3d$32272a20$6e2a6ba5@lc.ca.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
they aren't so naive.. they follow BSD SAs themselves (and everything else they have in-house.) I'm basically just saying.. "for as long as it's practical, keep the 4.4 tree going as you've got customers for it" When it becomes impractical, then fine, but 'til then.... in the end I may even take on adding the patches to the 4.4 tree as I'd have to do it in house anyway...

On Fri, 26 Apr 2002, Drew Tomlinson wrote:
> ----- Original Message -----
> From: "Julian Elischer"
> Sent: Thursday, April 25, 2002 7:32 PM
>
> > [snip]
> >
> > We will be moving those on 4.1.1 to 4.4 so that they are all at the same
> > level, but we cannot move them up to 4.5 or 4.8 or whatever for
> > at least another 18 months as they don't upgrade production systems more
> > than once on 2 years in general.
>
> Instead of calling it an "upgrade", call it a system "patch".
> It just so happens that the RELENG_4_5 "patch" will ensure that the OS is up to
> date on security issues and more! :)
>
> Cheers,
>
> Drew
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 8:34:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail2.hd.intel.com (hdfdns02.hd.intel.com [192.52.58.11]) by hub.freebsd.org (Postfix) with ESMTP id AD0FA37B405 for ; Mon, 29 Apr 2002 08:34:28 -0700 (PDT) Received: from pysmsxvs01.py.intel.com (pysmsxvs01.py.intel.com [146.152.3.51]) by mail2.hd.intel.com (8.11.6/8.11.6/d: solo.mc,v 1.35 2002/04/27 00:24:14 root Exp $) with SMTP id g3TFYR220266 for ; Mon, 29 Apr 2002 15:34:27 GMT Received: from pysmsx030.py.intel.com ([146.152.3.52]) by pysmsxvs01.py.intel.com (NAVGW 2.5.1.16) with SMTP id M2002042911342212990 for ; Mon, 29 Apr 2002 11:34:22 -0400 Received: by pysmsx030.py.intel.com with Internet Mail Service (5.5.2653.19) id ; Mon, 29 Apr 2002 11:34:22 -0400 Message-ID: <59F55CE047A6D51196360002A534A4AC37043A@pysmsx102.py.intel.com> From: "Galella, Anthony" To: "'freebsd-security@freebsd.org'" Subject: How to find out which patches are in a "patchlevel" Date: Mon, 29 Apr 2002 11:34:19 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Please forgive me if I am ignorant, but I have searched the docs and can't seem to find a clear answer, perhaps someone can point me in the right direction. I am running a 4.5-Release production server, and due to company firewall restrictions, I cannot cvsup or ctm to have the latest critical patches.
(i.e. RELENG_4_5 tag in the supfile) I need to manually install the patches. Not a problem, except I want to know which exactly are the critical patches. What I am trying to determine is the following: I want the machine to be on the same patch level as let's say 4.5 RELEASE-p3, where can I look (docs, code, whatever) to see WHICH patches are installed in patchlevel 3. (This way I can install just those patches on my system.) Thanks for any help in this matter. Anthony J. Galella anthony.galella@intel.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 8:41:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from exodus.ait.co.za (exodus.ait.co.za [66.8.26.2]) by hub.freebsd.org (Postfix) with SMTP id 82C0237B417 for ; Mon, 29 Apr 2002 08:41:21 -0700 (PDT) Received: from aragon [66.8.86.210] by exodus.ait.co.za (SMTPD32-4.06) id A83BEC010134; Mon, 29 Apr 2002 17:41:31 0200 Message-ID: <00a401c1ef94$875e0a50$01000001@aragon> From: "Aragon Gouveia" To: "Galella, Anthony" , References: <59F55CE047A6D51196360002A534A4AC37043A@pysmsx102.py.intel.com> Subject: Re: How to find out which patches are in a "patchlevel" Date: Mon, 29 Apr 2002 17:42:53 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Heya, > What I am trying to determine is the following: I want the machine to be > on the same patch level as lets say 4.5 RELEASE-p3, where can I look (docs, > code, whatever) to see WHICH patches are installed in patchlevel 3. (This > way I can install just those patches on my system.)
With regards to security, this is a good place to start: http://www.freebsd.org/security/index.html The advisories on that page should help you patch/workaround any vulnerabilities you might have. As for non security related patches, I'm not sure myself :). Regards, Aragon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 8:48:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id CC0EB37B404 for ; Mon, 29 Apr 2002 08:48:31 -0700 (PDT) Received: from bmah.dyndns.org ([12.233.149.189]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020429154831.KRXM4412.rwcrmhc52.attbi.com@bmah.dyndns.org>; Mon, 29 Apr 2002 15:48:31 +0000 Received: from intruder.bmah.org (localhost [127.0.0.1]) by bmah.dyndns.org (8.12.3/8.12.3) with ESMTP id g3TFmUcB024676; Mon, 29 Apr 2002 08:48:30 -0700 (PDT) (envelope-from bmah@intruder.bmah.org) Received: (from bmah@localhost) by intruder.bmah.org (8.12.3/8.12.3/Submit) id g3TFmUIm024675; Mon, 29 Apr 2002 08:48:30 -0700 (PDT) Message-Id: <200204291548.g3TFmUIm024675@intruder.bmah.org> X-Mailer: exmh version 2.5+ 20020416 with nmh-1.0.4 To: "Galella, Anthony" Cc: "'freebsd-security@freebsd.org'" Subject: Re: How to find out which patches are in a "patchlevel" In-reply-to: <59F55CE047A6D51196360002A534A4AC37043A@pysmsx102.py.intel.com> References: <59F55CE047A6D51196360002A534A4AC37043A@pysmsx102.py.intel.com> Comments: In-reply-to "Galella, Anthony" message dated "Mon, 29 Apr 2002 11:34:19 -0400." From: "Bruce A. 
Mah" Reply-To: bmah@FreeBSD.ORG X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A 2V%N&+ X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif X-Url: http://www.employees.org/~bmah/ Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 29 Apr 2002 08:48:30 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org If memory serves me right, "Galella, Anthony" wrote: > What I am trying to determine is the following: I want the machine to be > on the same patch level as lets say 4.5 RELEASE-p3, where can I look (docs, > code, whatever) to see WHICH patches are installed in patchlevel 3. (This > way I can install just those patches on my system.) If you just need to see at a high level what changes were made, you can look at src/UPDATING for the appropriate security branch (in your example above, this would be RELENG_4_5). One way to do this without actually checking out said file is to explore this: http://www.freebsd.org/cgi/cvsweb.cgi/src/UPDATING?only_with_tag=RELENG_4_5 This doesn't tell you exactly what diffs were applied to the other files in src/, but it'll tell you what their effects were. Good luck! Bruce. 
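A worked version of the approach Bruce describes above, added here as an example and not code from the thread or from the FreeBSD project: parse the patch-level entries out of a security-branch src/UPDATING, find the branch's current level, and list the advisories a host still needs to reach it. It assumes the RELENG_4_x entry shape "YYYYMMDD: pN FreeBSD-SA-YY:NN.topic" followed by indented description lines; verify that against the real file for your branch. The UPDATING excerpt embedded below is constructed, and its advisory names are placeholders, not real advisories.

```c
/* Added example, not code from the thread. Given a security-branch
 * src/UPDATING, list the advisories that make up a patch level and
 * compare with the level uname -r reports.
 * ASSUMPTION: RELENG_4_x entries look like
 *   YYYYMMDD:<tab>pN<tab>FreeBSD-SA-YY:NN.topic
 *   <tab>one or more description lines                              */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 64
#define ADV_LEN 40

struct entry {
    int level;              /* N from "pN" */
    char advisory[ADV_LEN]; /* "FreeBSD-SA-YY:NN.topic" */
};

/* Constructed sample; the advisory names are placeholders, not real ones. */
static const char SAMPLE_UPDATING[] =
    "Updating Information for FreeBSD 4.5-RELEASE security branch users.\n"
    "\n"
    "20020301:\tp3\tFreeBSD-SA-02:03.example\n"
    "\tFix the third sample issue (constructed).\n"
    "\n"
    "20020215:\tp2\tFreeBSD-SA-02:02.example\n"
    "\tFix the second sample issue (constructed).\n"
    "\n"
    "20020201:\tp1\tFreeBSD-SA-02:01.example\n"
    "\tFix the first sample issue (constructed).\n";

/* Parse one line. Returns 1 and fills *e if it is an entry header. */
int parse_entry(const char *line, struct entry *e)
{
    /* "%*8[0-9]" skips the date, ": p%d" reads the level, "%39s" the id */
    if (sscanf(line, "%*8[0-9]: p%d %39s", &e->level, e->advisory) != 2)
        return 0;
    return strncmp(e->advisory, "FreeBSD-SA-", 11) == 0;
}

/* Scan UPDATING text line by line; returns the number of entries found. */
int load_entries(const char *text, struct entry *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p != '\0' && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_entry(line, &out[n]))
            n++;
        p = nl ? nl + 1 : p + strlen(p);
    }
    return n;
}

/* Highest patch level recorded in the file, 0 if there are no entries. */
int branch_patchlevel(const struct entry *e, int n)
{
    int best = 0;
    for (int i = 0; i < n; i++)
        if (e[i].level > best)
            best = e[i].level;
    return best;
}

/* Patch level in a uname -r string: "4.5-RELEASE-p3" -> 3, no suffix -> 0.
 * Caveat: this is the running kernel's level. A userland-only fix leaves it
 * unchanged unless the kernel was rebuilt, so treat it as a lower bound. */
int uname_patchlevel(const char *release)
{
    const char *p = strstr(release, "-p");
    if (p == NULL || p[2] < '0' || p[2] > '9')
        return 0;
    return atoi(p + 2);
}

/* Copy entries with have < level <= want into `missing`, ascending by
 * level. Returns how many were copied. */
int advisories_needed(const struct entry *e, int n, int have, int want,
                      struct entry *missing, int max)
{
    int m = 0;
    for (int lvl = have + 1; lvl <= want; lvl++)
        for (int i = 0; i < n && m < max; i++)
            if (e[i].level == lvl)
                missing[m++] = e[i];
    return m;
}

/* Stand-alone run: "4.5-RELEASE" stands in for what uname -r would print. */
int main(void)
{
    struct entry all[MAX_ENTRIES], need[MAX_ENTRIES];
    int n = load_entries(SAMPLE_UPDATING, all, MAX_ENTRIES);
    int have = uname_patchlevel("4.5-RELEASE");
    int want = branch_patchlevel(all, n);
    int m = advisories_needed(all, n, have, want, need, MAX_ENTRIES);
    printf("installed p%d, branch at p%d, %d advisories to apply:\n", have, want, m);
    for (int i = 0; i < m; i++)
        printf("  p%d  %s\n", need[i].level, need[i].advisory);
    return 0;
}
```

Feed it the real UPDATING from the RELENG_4_5 checkout (or the cvsweb view Bruce links) instead of the sample, and compare against the machine's actual `uname -r`. The comparison is only as trustworthy as the uname string: on a box that had userland-only fixes applied without a kernel rebuild, the reported level lags, so confirm against what was actually patched.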
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 9:18:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [63.167.241.66]) by hub.freebsd.org (Postfix) with ESMTP id D771637B405 for ; Mon, 29 Apr 2002 09:18:55 -0700 (PDT) Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id g3TGIt821629 for security@freebsd.org; Mon, 29 Apr 2002 12:18:55 -0400 (EDT) (envelope-from str) Date: Mon, 29 Apr 2002 12:18:55 -0400 (EDT) From: Igor Roshchin Message-Id: <200204291618.g3TGIt821629@giganda.komkon.org> To: security@freebsd.org Subject: Webalizer - is FreeBSD port vulnerable ? Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello! Webalizer is found to have a buffer overflow that is reportedly remotely exploitable. http://online.securityfocus.com/archive/1/267551 http://online.securityfocus.com/bid/4504 http://www.mrunix.net/webalizer/news.html The second link above contains a list of vulnerable versions / OSes. The only BSD-ish system mentioned is MacOS-X. Is any of the versions of FreeBSD port vulnerable ? 
Best, Igor To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 9:40:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from vaemail.bankofamerica.com (vaemail.bankofamerica.com [171.159.192.14]) by hub.freebsd.org (Postfix) with ESMTP id AF11237B417 for ; Mon, 29 Apr 2002 09:40:27 -0700 (PDT) Received: from vaimail.bankofamerica.com (vaimail.bankofamerica.com [171.182.200.13]) by vaemail.bankofamerica.com (8.11.1/8.11.1) with ESMTP id g3TGePA19025 for ; Mon, 29 Apr 2002 12:40:25 -0400 (EDT) Received: from smtpsw04 (smtpsw04.bankofamerica.com [171.172.129.20]) by vaimail.bankofamerica.com (8.11.1/8.11.1) with ESMTP id g3TGeOH15124 for ; Mon, 29 Apr 2002 12:40:25 -0400 (EDT) Date: Mon, 29 Apr 2002 11:32:50 -0500 From: Rick.Robinson@bankofamerica.com Subject: Sudo Vulnerability To: security@FreeBSD.org Message-id: <86256BAA.005AE587.00@notes.bankofamerica.com> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-disposition: inline Content-transfer-encoding: 7BIT X-Lotus-FromDomain: BANKOFAMERICA Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Last week an advisory was put out for Sudo specifying a potential local root compromise in Sudo versions 1.5.7 - 1.6.5p2. I saw that the Sudo 1.6.6 packages are available for FreeBSD, but does the lack of a SA or SN from FreeBSD mean that previous versions are not vulnerable? Thanks for the help. 
Rick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 9:47:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [204.97.17.6]) by hub.freebsd.org (Postfix) with ESMTP id 696F437B417; Mon, 29 Apr 2002 09:46:51 -0700 (PDT) Received: from localhost (trevor@localhost) by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g3TGknU03557; Mon, 29 Apr 2002 12:46:49 -0400 (EDT) Date: Mon, 29 Apr 2002 12:46:49 -0400 (EDT) From: Trevor Johnson To: security-officer@freebsd.org Cc: security@freebsd.org Subject: Re: [SECURITY] [DSA-113-1] New ncurses packages available (fwd) In-Reply-To: <20020228081318.E12519-100000@blues.jpj.net> Message-ID: <20020429123756.O28880-100000@blues.jpj.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The new ncurses has not yet been imported into FreeBSD. The latest ncurses sources may be obtained by taking a patch from ftp://invisible-island.net/ncurses/5.2/ and applying it to the contents of ftp://invisible-island.net/ncurses/ncurses-5.2.tar.gz . On Thu, 28 Feb 2002, Trevor Johnson wrote: > I notice that advisory FreeBSD-SA-00:68 was last revised in November of > 2000 and that the ncurses in FreeBSD is still at version 5.0 990821. 
> -- > Trevor Johnson > > ---------- Forwarded message ---------- > Date: Mon, 18 Feb 2002 19:36:38 -0500 > From: Daniel Jacobowitz > Reply-To: security@debian.org > To: debian-security-announce@lists.debian.org > Subject: [SECURITY] [DSA-113-1] New ncurses packages available > Resent-Date: 19 Feb 2002 00:36:44 -0000 > Resent-From: debian-security-announce@lists.debian.org > Resent-cc: recipient list not shown: ; > > -----BEGIN PGP SIGNED MESSAGE----- > > - --------------------------------------------------------------------------- > Debian Security Advisory DSA 113-1 security@debian.org > http://www.debian.org/security/ Daniel Jacobowitz > February 18th, 2002 > - --------------------------------------------------------------------------- > > Package : ncurses > Vulnerability : buffer overflow > Problem-Type : local > Debian-specific: no > > Several buffer overflows were fixed in the "ncurses" library in November > 2000. Unfortunately, one was missed. This can lead to crashes when using > ncurses applications in large windows. > > The Common Vulnerabilities and Exposures project (cve.mitre.org) has > assigned the name CAN-2002-0062 to this issue. > > This problem has been fixed for the stable release of Debian in version > 5.0-6.0potato2. The testing and unstable releases contain ncurses 5.2, > which is not affected by this problem. > > There are no known exploits for this problem, but we recommend that all > users upgrade ncurses immediately. > > > wget url > will fetch the file for you > dpkg -i file.deb > will install the referenced file. > > If you are using the apt-get package manager, use the line for > sources.list as given below: > > apt-get update > will update the internal database > apt-get upgrade > will install corrected packages > > You may use an automated update by adding the resources from the > footer to the proper configuration. 
> > > Debian GNU/Linux 2.2 alias potato > - ------------------------------------- > > Source archives: > http://security.debian.org/dists/potato/updates/main/source/ncurses_5.0-6.0potato2.diff.gz > MD5 checksum: 2c0c40c35de8b07b7649574ce308611a > http://security.debian.org/dists/potato/updates/main/source/ncurses_5.0-6.0potato2.dsc > MD5 checksum: caf2a7ccfc67675263f55100793f0cad > http://security.debian.org/dists/potato/updates/main/source/ncurses_5.0.orig.tar.gz > MD5 checksum: 0fa25059bc5e1e947f3109a3a168e976 > > Architecture independent archives: > http://security.debian.org/dists/potato/updates/main/binary-all/ncurses-base_5.0-6.0potato2_all.deb > MD5 checksum: 0ca630424256eb2940728a6728f01a3c > http://security.debian.org/dists/potato/updates/main/binary-all/ncurses-term_5.0-6.0potato2_all.deb > MD5 checksum: 4bc592757f97d4569fac57a0ccbd7588 > > Alpha architecture: > http://security.debian.org/dists/potato/updates/main/binary-alpha/libncurses5-dbg_5.0-6.0potato2_alpha.deb > MD5 checksum: 08c293eeeedbdd93277fbe6994c52225 > http://security.debian.org/dists/potato/updates/main/binary-alpha/libncurses5-dev_5.0-6.0potato2_alpha.deb > MD5 checksum: e9e3a19ac97ac68209fc276db2063bec > http://security.debian.org/dists/potato/updates/main/binary-alpha/libncurses5_5.0-6.0potato2_alpha.deb > MD5 checksum: c4bed7dc7d38816a522fe9967c474b35 > http://security.debian.org/dists/potato/updates/main/binary-alpha/ncurses-bin_5.0-6.0potato2_alpha.deb > MD5 checksum: 457492010fcce2cea5443cafd94ceace > > ARM architecture: > http://security.debian.org/dists/potato/updates/main/binary-arm/libncurses5-dbg_5.0-6.0potato2_arm.deb > MD5 checksum: 6b89760ebaef6f627a25f243abd40699 > http://security.debian.org/dists/potato/updates/main/binary-arm/libncurses5-dev_5.0-6.0potato2_arm.deb > MD5 checksum: 8340e7bf13a1c1ae6fe14306e630da46 > http://security.debian.org/dists/potato/updates/main/binary-arm/libncurses5_5.0-6.0potato2_arm.deb > MD5 checksum: 67774c92c2297c97ad014a1cbec541c8 > 
http://security.debian.org/dists/potato/updates/main/binary-arm/ncurses-bin_5.0-6.0potato2_arm.deb > MD5 checksum: 82aacabc17d3229604bf85c0406bef43 > > Intel ia32 architecture: > http://security.debian.org/dists/potato/updates/main/binary-i386/libncurses5-dbg_5.0-6.0potato2_i386.deb > MD5 checksum: 5c43981090144c8c19d37f455056dac9 > http://security.debian.org/dists/potato/updates/main/binary-i386/libncurses5-dev_5.0-6.0potato2_i386.deb > MD5 checksum: 476bd2329a991423df2fadf7097c710a > http://security.debian.org/dists/potato/updates/main/binary-i386/libncurses5_5.0-6.0potato2_i386.deb > MD5 checksum: ca7e31dc8bb7b2132732749a08ef520b > http://security.debian.org/dists/potato/updates/main/binary-i386/ncurses-bin_5.0-6.0potato2_i386.deb > MD5 checksum: 2029230b29eab7e755b0a533eff7fe10 > > Motorola 680x0 architecture: > http://security.debian.org/dists/potato/updates/main/binary-m68k/libncurses5-dbg_5.0-6.0potato2_m68k.deb > MD5 checksum: 37ea741f71e3362de572ac55d357c36f > http://security.debian.org/dists/potato/updates/main/binary-m68k/libncurses5-dev_5.0-6.0potato2_m68k.deb > MD5 checksum: 02277c7a29dcfd1eae01c8ee99487349 > http://security.debian.org/dists/potato/updates/main/binary-m68k/libncurses5_5.0-6.0potato2_m68k.deb > MD5 checksum: 410c3aafee6114db71fefa4b0e8d9336 > http://security.debian.org/dists/potato/updates/main/binary-m68k/ncurses-bin_5.0-6.0potato2_m68k.deb > MD5 checksum: 0c29eb0df9813e96ee1af762814c60ff > > PowerPC architecture: > http://security.debian.org/dists/potato/updates/main/binary-powerpc/libncurses5-dbg_5.0-6.0potato2_powerpc.deb > MD5 checksum: 5ae0e15e15934c4d99478bcf8daf4ab4 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/libncurses5-dev_5.0-6.0potato2_powerpc.deb > MD5 checksum: bb1c6f8484483cf51d37e433a394efb3 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/libncurses5_5.0-6.0potato2_powerpc.deb > MD5 checksum: aa35b395dc84b64deea5ce950104f0bd > 
http://security.debian.org/dists/potato/updates/main/binary-powerpc/ncurses-bin_5.0-6.0potato2_powerpc.deb > MD5 checksum: c4256989a725e4d0afec510e1564ef8d > > Sun Sparc architecture: > http://security.debian.org/dists/potato/updates/main/binary-sparc/libncurses5-dbg_5.0-6.0potato2_sparc.deb > MD5 checksum: 95059d9006f27b8ad479ffd5f2495a90 > http://security.debian.org/dists/potato/updates/main/binary-sparc/libncurses5-dev_5.0-6.0potato2_sparc.deb > MD5 checksum: beda2b108219a348ae8330916bebd6de > http://security.debian.org/dists/potato/updates/main/binary-sparc/libncurses5_5.0-6.0potato2_sparc.deb > MD5 checksum: 69979bab9a9b2716ea833221a7003a28 > http://security.debian.org/dists/potato/updates/main/binary-sparc/ncurses-bin_5.0-6.0potato2_sparc.deb > MD5 checksum: 2b516705006d27b0808a0aea77f4b724 > > - ---------------------------------------------------------------------------------- > For apt-get: deb http://security.debian.org/ stable/updates main > For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main > Mailing list: debian-security-announce@lists.debian.org > Package info: `apt-cache show ' and http://packages.debian.org/ > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (GNU/Linux) > Comment: For info see http://www.gnupg.org > > iQCVAwUBPHGd9z5fjwqn/34JAQFp7gP/aanLFr70Fttn/kETgEV67MBR68B1sgQv > 5p2G4iM9DO5SlVGWPz+VS2q92eNZmrwl2WKI7+hu2v3X/23fStRzKJRkCijQKYTM > C0p5R76mIuDqZR0uwsJVwPwDvDL8gaeoul8p8r8PuwWDQj/6Skwq8UbBuMHDp1uL > DgMswLMUQt8= > =GYGr > -----END PGP SIGNATURE----- > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 10: 4:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.texas-shooters.com (bdsl.66.12.242.27.gte.net [66.12.242.27]) by hub.freebsd.org (Postfix) with ESMTP id 7324737B428 for ; Mon, 29 Apr 2002 10:04:00 -0700 (PDT) Received: (from root@localhost) by mail.texas-shooters.com 
(8.12.1/8.12.1) id g3TGtMdd018037 for freebsd-security@freebsd.org; Mon, 29 Apr 2002 11:55:22 -0500 (CDT) (envelope-from el_kab0ng@mail.texas-shooters.com) Received: from mail.texas-shooters.com (localhost [127.0.0.1]) by mail.texas-shooters.com (8.12.1/8.12.1av) with ESMTP id g3TGtI0f018030 for ; Mon, 29 Apr 2002 11:55:19 -0500 (CDT) (envelope-from el_kab0ng@mail.texas-shooters.com) Received: (from el_kab0ng@localhost) by mail.texas-shooters.com (8.12.1/8.12.1/Submit) id g3TGtIbT018029 for freebsd-security@freebsd.org; Mon, 29 Apr 2002 11:55:18 -0500 (CDT) (envelope-from el_kab0ng) Date: Mon, 29 Apr 2002 11:55:18 -0500 From: pr0ject To: freebsd-security@freebsd.org Subject: Re: Webalizer - is FreeBSD port vulnerable ? Message-ID: <20020429115518.A17943@mail.texas-shooters.com> References: <200204291618.g3TGIt821629@giganda.komkon.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200204291618.g3TGIt821629@giganda.komkon.org>; from str@giganda.komkon.org on Mon, Apr 29, 2002 at 12:18:55PM -0400 X-righteous-weapon: AK-47, of course. X-planation: Happiness is a warm gun. X-bitch: I miss my ex-wife... but with this new laser sight... X-website: http://www.texas-shooters.com X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
it's only exploitable if you let the world see your stats. IMHO, info like this should always be htaccessed.

Today str@giganda.komkon.org spoke in tongue:
**
** Hello!
**
** Webalizer is found to have a buffer overflow that is reportedly
** remotely exploitable.
** http://online.securityfocus.com/archive/1/267551
** http://online.securityfocus.com/bid/4504
** http://www.mrunix.net/webalizer/news.html
**
**
** The second link above contains a list of vulnerable versions / OSes.
** The only BSD-ish system mentioned is MacOS-X. ** Is any of the versions of FreeBSD port vulnerable ? ** ** Best, ** ** Igor ** ** ** ** To Unsubscribe: send mail to majordomo@FreeBSD.org ** with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 11: 0:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from tomts10-srv.bellnexxia.net (tomts10.bellnexxia.net [209.226.175.54]) by hub.freebsd.org (Postfix) with ESMTP id 860A237B423 for ; Mon, 29 Apr 2002 11:00:11 -0700 (PDT) Received: from shall.anarcat.dyndns.org ([65.94.190.137]) by tomts10-srv.bellnexxia.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with ESMTP id <20020429180010.IMTA5561.tomts10-srv.bellnexxia.net@shall.anarcat.dyndns.org>; Mon, 29 Apr 2002 14:00:10 -0400 Received: from lenny.anarcat.dyndns.org (lenny.anarcat.dyndns.org [192.168.0.4]) by shall.anarcat.dyndns.org (Postfix) with SMTP id EC10F7A; Mon, 29 Apr 2002 13:59:36 -0400 (EDT) Received: by lenny.anarcat.dyndns.org (sSMTP sendmail emulation); Mon, 29 Apr 2002 13:59:01 -0400 Date: Mon, 29 Apr 2002 13:59:01 -0400 From: The Anarcat To: Igor Roshchin Cc: security@freebsd.org Subject: Re: Webalizer - is FreeBSD port vulnerable ? 
Message-ID: <20020429175901.GC321@lenny.anarcat.dyndns.org> References: <200204291618.g3TGIt821629@giganda.komkon.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Sr1nOIr3CvdE5hEN" Content-Disposition: inline In-Reply-To: <200204291618.g3TGIt821629@giganda.komkon.org> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Sr1nOIr3CvdE5hEN Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable
IIRC, the port was fixed not long ago. Please see the security advisory.

A.

On Mon Apr 29, 2002 at 12:18:55PM -0400, Igor Roshchin wrote:
>
> Hello!
>
> Webalizer is found to have a buffer overflow that is reportedly
> remotely exploitable.
> http://online.securityfocus.com/archive/1/267551
> http://online.securityfocus.com/bid/4504
> http://www.mrunix.net/webalizer/news.html
>
>
> The second link above contains a list of vulnerable versions / OSes.
> The only BSD-ish system mentioned is MacOS-X.
> Is any of the versions of FreeBSD port vulnerable ?
>
> Best,
>
> Igor
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Imagination is more important than knowledge
- Albert Einstein
--Sr1nOIr3CvdE5hEN Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjzNieQACgkQttcWHAnWiGfeMACdFOY5LxXckTpBX5zGgQeZaHup FxgAn3JYIWxQdfHpe2NFZOueHJSTS+X6 =Xhgw -----END PGP SIGNATURE----- --Sr1nOIr3CvdE5hEN-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 11: 8:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8F61B37B67E for ; Mon, 29 Apr 2002 11:05:05 -0700 (PDT) Received: (from peter@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g3TI55B44195 for security@freebsd.org; Mon, 29 Apr 2002 11:05:05 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 29 Apr 2002 11:05:05 -0700 (PDT) Message-Id: <200204291805.g3TI55B44195@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f From: FreeBSD bugmaster To: security@FreeBSD.org Subject: Current problem reports assigned to you Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Current FreeBSD problem reports No matches to your query To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 12:21: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [63.167.241.66]) by
hub.freebsd.org (Postfix) with ESMTP id 81AF037B405; Mon, 29 Apr 2002 12:20:55 -0700 (PDT) Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id g3TJIOF26248; Mon, 29 Apr 2002 15:18:24 -0400 (EDT) (envelope-from str) Date: Mon, 29 Apr 2002 15:18:24 -0400 (EDT) From: Igor Roshchin Message-Id: <200204291918.g3TJIOF26248@giganda.komkon.org> To: anarcat@anarcat.dyndns.org, str@giganda.komkon.org Subject: Re: Webalizer - is FreeBSD port vulnerable ? Cc: security-officer@freebsd.org, security@freebsd.org In-Reply-To: <20020429175901.GC321@lenny.anarcat.dyndns.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
I see that the cvs-tree for the webalizer port contains a record about the overflow fix (Apr 18-19), together with the version upgrade right after that. However, I couldn't find a FreeBSD security advisory on this topic. Hopefully it's being worked on.

Igor

PS. Thanks to `pr0ject' for his response, probably helpful, but answering a completely different question.

`pr0ject' wrote:
>
> it's only exploitable if you let the world see your stats.
>
> IMHO, info like this should always be htaccessed.
>

[Besides, I am not sure how not showing the stat results would prevent you from being hit by a malicious DNS owner. I haven't seen the internals of the overflow, but since it's in the webalizer itself, it doesn't seem to be related to whether the stats are displayed or not. The overflow should be happening when the webalizer is run. The only scenario I see is that it doesn't reveal that you run webalizer. That would be just "security by obscurity".. A malicious person can "inseminate" all big servers anyway, and then just sit and wait until the bell rings.]
> From anarcat@anarcat.dyndns.org Mon Apr 29 14:00:12 2002
> Date: Mon, 29 Apr 2002 13:59:01 -0400
> From: The Anarcat
> To: Igor Roshchin
> Cc: security@freebsd.org
> Subject: Re: Webalizer - is FreeBSD port vulnerable ?
>
>
> --Sr1nOIr3CvdE5hEN
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> Content-Transfer-Encoding: quoted-printable
>
> IIRC, the port was fixed not long ago. Please see the security
> advisory.
>
> A.
>
> On Mon Apr 29, 2002 at 12:18:55PM -0400, Igor Roshchin wrote:
> >
> > Hello!
> >
> > Webalizer is found to have a buffer overflow that is reportedly
> > remotely exploitable.
> > http://online.securityfocus.com/archive/1/267551
> > http://online.securityfocus.com/bid/4504
> > http://www.mrunix.net/webalizer/news.html
> >
> >
> > The second link above contains a list of vulnerable versions / OSes.
> > The only BSD-ish system mentioned is MacOS-X.
> > Is any of the versions of FreeBSD port vulnerable ?
> >
> > Best,
> >
> > Igor
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
>
> -- 
> Imagination is more important than knowledge
> - Albert Einstein
>
> --Sr1nOIr3CvdE5hEN
> Content-Type: application/pgp-signature
> Content-Disposition: inline
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iEYEARECAAYFAjzNieQACgkQttcWHAnWiGfeMACdFOY5LxXckTpBX5zGgQeZaHup
> FxgAn3JYIWxQdfHpe2NFZOueHJSTS+X6
> =Xhgw
> -----END PGP SIGNATURE-----
>
> --Sr1nOIr3CvdE5hEN--
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 14:44:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from microsoft.com (pa145.opole.cvx.ppp.tpnet.pl [213.76.4.145]) by hub.freebsd.org (Postfix) with SMTP id 6F0BF37B400 for ; Mon, 29 Apr 2002 14:44:03 -0700 (PDT)
Received: (qmail 245 invoked by uid 1000); 29 Apr 2002 21:39:44 -0000 Date: Mon, 29 Apr 2002 23:39:44 +0200 From: Piotr Wiejaczka To: freebsd-security@FreeBSD.ORG Subject: syslogd security bug? Message-ID: <20020429233943.A213@microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-GEEKCODE-1: GCS d- s:- a19 C++++ UB+++>++++ P++++ L- E--- W- N++ o? K w-- X-GEEKCODE-2: O? M- V? PS+ PE++ Y PGP- t+ 5 X- R++ !tv b++@ DI- D+ X-GEEKCODE-3: G++ e* h! !r !y+ X-Echelon-Rulez: terrorism, uranium, kill the president, TNT, C4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Hi all.

%uname -a
FreeBSD localhost 4.5-STABLE FreeBSD 4.5-STABLE #1: Tue Mar 12 08:20:11 CET 2002 root@:/usr/src/sys/compile/OKO2 i386

%cat syslog.c
#include <stdio.h>
#include <syslog.h>

int main(int argc, char *argv[])
{
	if (argc < 2)
		return 1;
	/* argv[1] is handed to syslog(3) as the format string itself,
	 * not as an argument to a "%s" format */
	syslog(LOG_EMERG, argv[1]);
	return 0;
}

%./syslog "blah %x %x %x %x"

Message from syslogd@localhost at Mon Apr 29 23:27:35 2002 ...
localhost syslog: blah 2807aebe 2 bfbffc5c bfbffd26

Looks like we have a format string bug inside syslogd :)

-- 
wiejak FidoNet: 2:484/2.76 mailto: wiejak alpha.net.pl

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 14:49:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by hub.freebsd.org (Postfix) with ESMTP id 2FA2A37B400 for ; Mon, 29 Apr 2002 14:49:30 -0700 (PDT) Received: by elvis.mu.org (Postfix, from userid 1192) id 678E5AE165; Mon, 29 Apr 2002 14:49:29 -0700 (PDT) Date: Mon, 29 Apr 2002 14:49:29 -0700 From: Alfred Perlstein To: Piotr Wiejaczka Cc: freebsd-security@FreeBSD.ORG Subject: Re: syslogd security bug?
Message-ID: <20020429214929.GK1530@elvis.mu.org> References: <20020429233943.A213@microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020429233943.A213@microsoft.com> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Piotr Wiejaczka [020429 14:44] wrote: > Hi all. > > %uname -a > FreeBSD localhost 4.5-STABLE FreeBSD 4.5-STABLE #1: Tue Mar 12 08:20:11 CET > 2002 root@:/usr/src/sys/compile/OKO2 i386 > > %cat syslog.c > #include > #include > > int main(int argc, char *argv[]) > { > syslog(LOG_EMERG, argv[1]); > } > > %./syslog "blah %x %x %x %x" > > Message from syslogd@localhost at Mon Apr 29 23:27:35 2002 ... > localhost syslog: blah 2807aebe 2 bfbffc5c bfbffd26 > > > Looks like we have a format string bug inside syslogd :) You're kidding right? Please read the syslog(3) manpage. -- -Alfred Perlstein [alfred@freebsd.org] 'Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.' Tax deductible donations for FreeBSD: http://www.freebsdfoundation.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 15: 0:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from blacklamb.mykitchentable.net (ekgr-dsl2-92.citlink.net [207.173.226.92]) by hub.freebsd.org (Postfix) with ESMTP id 97BC437B41D; Mon, 29 Apr 2002 14:59:51 -0700 (PDT) Received: from tagalong (unknown [165.107.42.110]) by blacklamb.mykitchentable.net (Postfix) with SMTP id E11D6EE690; Mon, 29 Apr 2002 14:59:49 -0700 (PDT) Message-ID: <010901c1efc9$2f1dc670$6e2a6ba5@lc.ca.gov> From: "Drew Tomlinson" To: "Crist J. 
Clark"
Cc:
References: <020501c1ecb4$4e21a220$6e2a6ba5@lc.ca.gov> <20020427163041.A37618@blossom.cjclark.org>
Subject: Re: Stateful IPFW Firewall Assistance
Date: Mon, 29 Apr 2002 14:59:49 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

----- Original Message -----
From: "Crist J. Clark"
Sent: Saturday, April 27, 2002 4:30 PM

> On Thu, Apr 25, 2002 at 04:52:47PM -0700, Drew Tomlinson wrote:
> > I'm trying to fine-tune my firewall and am hoping for a little advice
> > regarding stateful behavior. I built this rule set based upon an
> > example by Peter Brezny I found on the web so it may look familiar.
> >
> > Here's my current network setup:
> >
> >               ISP
> >                |
> >                |  Public DHCP address
> >                |
> >       3Com ADSL Modem/Router
> >   (Router performs NAT and passes packets to 10.2 by default)
> >                | (192.168.10.1)
> >                |
> >                |
> >                | (ed1 192.168.10.2)
> >           FBSD Gateway
> >                | (ed0 192.168.1.2)
> >                |
> >                |
> >           Internal LAN
> >
> > And here are my current firewall rules:
> >
> > 00100 allow ip from any to any via lo0
> > 00200 deny log ip from any to 127.0.0.0/8
> > 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> > 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> > 00500 allow tcp from any to any established
> > 00600 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993 setup
>
> This seems odd. How can anyone ever get packets to your various nets
> in the 192.168.0.0/16 range from the outside? Maybe these are masked
> examples? Anyway, you probably want the above to read as,

These are actual examples.
If I understand the reasons for these rules correctly, I'm not allowing packets to arrive on the outside interface (192.168.10.2) from the inside (192.168.1.0/24) network and vice versa, to prevent spoofing.

> 00500 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993 to any established
> 00600 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993
>
> > 00700 allow tcp from any to 192.168.10.2 21,22 setup
>
> And this as,
>
> 00700 allow tcp from 192.168.10.2 21,22 to any established
> 00750 allow tcp from any to 192.168.10.2 21,22
>
> This way, you get rid of that 'pass tcp from any to any established'
> rule that will mess up,

I think I understand. These rules allow traffic in and out for ports where services are running. However, are rules 500 and 700 necessary? I've tested this and rules 2000 and 2100 appear to allow the outgoing traffic. Is this OK or is it poor firewall design? What are the advantages/disadvantages?

> > 01900 check-state
> > 02000 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> > 02100 allow ip from 192.168.1.0/24 to any keep-state via ed0
>
> The keep-state rules by passing packets that they have state on. Also
> note that the 'check-state' rule here is completely redundant and can
> be removed.

I've moved the check-state and made the modifications you suggested. My current ruleset looks like this: (Please note these rule numbers will not correspond exactly to the rule numbers in the previous thread.)
blacksheep# ipfw show
00100     0     0 allow ip from any to any via lo0
00200     0     0 deny log ip from any to 127.0.0.0/8
00300     0     0 deny log ip from 192.168.1.0/24 to any in recv ed1
00400     0     0 deny log ip from not 192.168.1.0/24 to any in recv ed0
00500     0     0 check-state
00600    14   696 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
00700    77  3464 allow tcp from any to 192.168.10.2 21,22
00800     0     0 allow icmp from any to any icmptype 3,4,11,12
00900     0     0 allow icmp from any to any out icmptype 8
01000     0     0 allow icmp from any to any in icmptype 0
01100     0     0 reset log tcp from any to any 113
01200     0     0 allow udp from 206.13.19.133 123 to 192.168.10.2 123
01300     0     0 allow udp from 165.227.1.1 123 to 192.168.10.2 123
01400     0     0 allow udp from 63.192.96.2 123 to 192.168.10.2 123
01500     0     0 allow udp from 63.192.96.3 123 to 192.168.10.2 123
01600     0     0 allow udp from 132.239.254.49 123 to 192.168.10.2 123
01700    42  4614 allow udp from 192.168.10.1 to any
01800    42  2928 allow udp from any to 192.168.10.1
01900   144 12816 allow ip from 192.168.10.2 to any keep-state out xmit ed1
02000   195 62903 allow ip from 192.168.1.0/24 to any keep-state via ed0
65400     0     0 allow log ip from any to any
65500     0     0 deny log ip from any to any
65535   203 17016 allow ip from any to any

I am curious as to why the check-state (500) rule is not incrementing. As I understand it, a box on my internal network (192.168.1.0/24) requests a page from Yahoo! for example. The outgoing request is allowed by rule 2000, which then sets up the dynamic rule. Why wouldn't the packets coming back from Yahoo! match the check-state rule (500)? Instead they are being allowed back in via rule 600.

Anyway, thanks for your help. I am trying to *understand* how my firewall actually works instead of just being satisfied that it seems to work.
Drew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 15:28:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from goofy.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id AE2A037B400 for ; Mon, 29 Apr 2002 15:28:46 -0700 (PDT) Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19) id <24K4Z1VY>; Mon, 29 Apr 2002 15:28:45 -0700 Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02FFF565@goofy.epylon.lan> From: "DiCioccio, Jason" To: 'Piotr Wiejaczka' , freebsd-security@FreeBSD.ORG Subject: RE: syslogd security bug? Date: Mon, 29 Apr 2002 15:28:37 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 cat syslog.c | sed 's/LOG_EMERG, argv\[1\]/LOG_EMERG, "%s", argv\[1\]/' Cheers, - -JD- - -----Original Message----- From: Piotr Wiejaczka [mailto:wiejak@alpha.net.pl] Sent: Monday, April 29, 2002 2:40 PM To: freebsd-security@FreeBSD.ORG Subject: syslogd security bug? Hi all. %uname -a FreeBSD localhost 4.5-STABLE FreeBSD 4.5-STABLE #1: Tue Mar 12 08:20:11 CET 2002 root@:/usr/src/sys/compile/OKO2 i386 %cat syslog.c #include #include int main(int argc, char *argv[]) { syslog(LOG_EMERG, argv[1]); } %./syslog "blah %x %x %x %x" Message from syslogd@localhost at Mon Apr 29 23:27:35 2002 ... 
localhost syslog: blah 2807aebe 2 bfbffc5c bfbffd26 Looks like we have a format string bug inside syslogd :) - -- wiejak FidoNet: 2:484/2.76 mailto: wiejak alpha.net.pl To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPM3LYb8+wXo6G32BEQLQpgCeNjxupRIWRaShPU4Nf+K4HVDyN7cAoOHY 41sdBbuM+pzQPUkVAy37ZSpb =kpEb -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 15:47:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from tomts21-srv.bellnexxia.net (tomts21.bellnexxia.net [209.226.175.183]) by hub.freebsd.org (Postfix) with ESMTP id 5E43237B400 for ; Mon, 29 Apr 2002 15:47:33 -0700 (PDT) Received: from sympatico.ca ([64.230.43.83]) by tomts21-srv.bellnexxia.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with ESMTP id <20020429224731.SCNL13801.tomts21-srv.bellnexxia.net@sympatico.ca> for ; Mon, 29 Apr 2002 18:47:31 -0400 Message-ID: <3CCD953A.77F47B22@sympatico.ca> Date: Mon, 29 Apr 2002 14:47:23 -0400 From: mike X-Mailer: Mozilla 4.78 [en] (X11; U; OpenBSD 3.0 i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: mailing list Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org unsubscribe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 15:48:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from tomts22-srv.bellnexxia.net (tomts22.bellnexxia.net [209.226.175.184]) by hub.freebsd.org (Postfix) with ESMTP id 4A89937B419 for ; Mon, 29 Apr 2002 15:48:34 -0700 
(PDT) Received: from sympatico.ca ([64.230.43.83]) by tomts22-srv.bellnexxia.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with ESMTP id <20020429224833.SHCN17922.tomts22-srv.bellnexxia.net@sympatico.ca> for ; Mon, 29 Apr 2002 18:48:33 -0400 Message-ID: <3CCD9578.6674F123@sympatico.ca> Date: Mon, 29 Apr 2002 14:48:24 -0400 From: mike X-Mailer: Mozilla 4.78 [en] (X11; U; OpenBSD 3.0 i386) X-Accept-Language: en MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: mailing list Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org unsubscribe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 17:41:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailout08.sul.t-online.com (mailout08.sul.t-online.com [194.25.134.20]) by hub.freebsd.org (Postfix) with ESMTP id 8B95637B419 for ; Mon, 29 Apr 2002 17:41:28 -0700 (PDT) Received: from fwd01.sul.t-online.de by mailout08.sul.t-online.com with smtp id 172J1A-0006CV-0A; Mon, 29 Apr 2002 23:49:08 +0200 Received: from pc5.abc (520067998749-0001@[217.233.97.188]) by fmrl01.sul.t-online.com with esmtp id 172J14-08YzRIC; Mon, 29 Apr 2002 23:49:02 +0200 Received: (from nicolas@localhost) by pc5.abc (8.11.6/8.11.6) id g3TLn0P36526 for freebsd-security@FreeBSD.ORG; Mon, 29 Apr 2002 23:49:00 +0200 (CEST) (envelope-from list@rachinsky.de) Date: Mon, 29 Apr 2002 23:49:00 +0200 From: Nicolas Rachinsky To: freebsd-security@FreeBSD.ORG Subject: Re: syslogd security bug? 
Message-ID: <20020429214859.GD36316@pc5.abc> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <20020429233943.A213@microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020429233943.A213@microsoft.com> User-Agent: Mutt/1.3.28i X-Powered-by: FreeBSD X-Homepage: http://www.rachinsky.de X-PGP-Keyid: C11ABC0E X-PGP-Fingerprint: 19DB 8392 8FE0 814A 7362 EEBD A53B 526A C11A BC0E X-PGP-Key: http://www.rachinsky.de/nicolas/nicolas_rachinsky.asc X-Sender: 520067998749-0001@t-dialin.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Piotr Wiejaczka [2002-04-29 23:39:44 +0200]: > Hi all. > > %uname -a > FreeBSD localhost 4.5-STABLE FreeBSD 4.5-STABLE #1: Tue Mar 12 08:20:11 CET > 2002 root@:/usr/src/sys/compile/OKO2 i386 > > %cat syslog.c > #include > #include > > int main(int argc, char *argv[]) > { > syslog(LOG_EMERG, argv[1]); > } > > %./syslog "blah %x %x %x %x" > > Message from syslogd@localhost at Mon Apr 29 23:27:35 2002 ... > localhost syslog: blah 2807aebe 2 bfbffc5c bfbffd26 > > > Looks like we have a format string bug inside syslogd :) man 3 syslog I think this is the intended behaviour, the format string bug is in your program. 
Nicolas To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 29 20:23:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 5773437B41B for ; Mon, 29 Apr 2002 20:23:39 -0700 (PDT) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020430032338.WLZF4412.rwcrmhc52.attbi.com@blossom.cjclark.org>; Tue, 30 Apr 2002 03:23:38 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g3U3Nbj53886; Mon, 29 Apr 2002 20:23:37 -0700 (PDT) (envelope-from cjc) Date: Mon, 29 Apr 2002 20:23:37 -0700 From: "Crist J. Clark" To: Drew Tomlinson Cc: security@FreeBSD.ORG Subject: Re: Stateful IPFW Firewall Assistance Message-ID: <20020429202337.A53784@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <020501c1ecb4$4e21a220$6e2a6ba5@lc.ca.gov> <20020427163041.A37618@blossom.cjclark.org> <010901c1efc9$2f1dc670$6e2a6ba5@lc.ca.gov> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <010901c1efc9$2f1dc670$6e2a6ba5@lc.ca.gov>; from drew@mykitchentable.net on Mon, Apr 29, 2002 at 02:59:49PM -0700 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Apr 29, 2002 at 02:59:49PM -0700, Drew Tomlinson wrote: > ----- Original Message ----- > From: "Crist J. Clark" > Sent: Saturday, April 27, 2002 4:30 PM > > > On Thu, Apr 25, 2002 at 04:52:47PM -0700, Drew Tomlinson wrote: > > > I'm trying to fine-tune my firewall and am hoping for a little > advice > > > regarding stateful behavior. 
I built this rule set based upon an > > > example by Peter Brezny I found on the web so it may look familar. > > > > > > Here's my current network setup: > > > > > > ISP > > > | > > > | Public DHCP address > > > | > > > 3Com ADSL Modem/Router > > > (Router performs NAT and passes packets to 10.2 by default) > > > | (192.168.10.1) > > > | > > > | > > > | (ed1 192.168.10.2) > > > FBSD Gateway > > > | (ed0 192.168.1.2) > > > | > > > | > > > Internal LAN > > > > > > And here are my current firewall rules: > > > > > > 00100 allow ip from any to any via lo0 > > > 00200 deny log ip from any to 127.0.0.0/8 > > > 00300 deny log ip from 192.168.1.0/24 to any in recv ed1 > > > 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0 > > > 00500 allow tcp from any to any established > > > 00600 allow tcp from any to 192.168.1.0/24 > 21,22,25,80,143,389,443,993 setup > > > > This seems odd. How can anyone ever get packets to your various nets > > in the 192.168.0.0/16 range from the outside? Maybe these are masked > > examples? Anyway, you probably want the above to read as, > > These are actual examples. If I understand the reasons for these rules > correctly, I'm not allowing packets arrive on the outside interface > (192.168.10.2) from the inside (192.168.1.0/24) network and visa-versa > to prevent spoofing. That's what 200, 300, and 400 do, anti-spoofing. > > 00500 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993 to > any established > > 00600 allow tcp from any to 192.168.1.0/24 > 21,22,25,80,143,389,443,993 > > > > > 00700 allow tcp from any to 192.168.10.2 21,22 setup > > > > And this as, > > > > 00700 allow tcp from 192.168.10.2 21,22 to any established > > 00750 allow tcp from any to 192.168.10.2 21,22 > > > > This way, you get rid of that 'pass tcp from any to any established' > > rule that will mess up, > > I think I understand. These rules allow traffic in and out for ports > where services are running. However, are rules 500 and 700 necessary? 
If you want to allow external access to ftp (21/tcp), ssh (22/tcp), smtp (25/tcp), http (80/tcp), imap (143/tcp), ldap (389/tcp), https (443/tcp), and imaps (993/tcp), you want these rules. It will actually work with just the keep-state rules for the outgoing stuff, but allowing external machines to create dynamic rules is not a really good idea. There is no security benefit, and it is actually less secure since it's an easier DoS.

If you don't need to allow the outside world access to any of these servers running on your network, close 'em up. My previous question was how the external world could possibly reach these services from the Internet if you are using RFC1918 addresses.

> I've tested this and rules 2000 and 2100 appear to allow the outgoing
> traffic? Is this OK or is it poor firewall design? What are the
> ad/disadvantages?

Those do allow _outgoing_; the previous rules allow incoming.

> > > 01900 check-state
> > > 02000 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> > > 02100 allow ip from 192.168.1.0/24 to any keep-state via ed0
> >
> > The keep-state rules by passing packets that they have state on. Also
> > note that the 'check-state' rule here is completely redundant and can
> > be removed.
>
> I've moved the check-state and made the modifications you suggested. My
> current ruleset looks like this: (Please note these rule numbers will
> not correspond exactly to the rule numbers in the previous thread.)
>
> blacksheep# ipfw show
> 00100     0     0 allow ip from any to any via lo0
> 00200     0     0 deny log ip from any to 127.0.0.0/8
> 00300     0     0 deny log ip from 192.168.1.0/24 to any in recv ed1
> 00400     0     0 deny log ip from not 192.168.1.0/24 to any in recv ed0
> 00500     0     0 check-state
> 00600    14   696 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
> 00700    77  3464 allow tcp from any to 192.168.10.2 21,22
> 00800     0     0 allow icmp from any to any icmptype 3,4,11,12
> 00900     0     0 allow icmp from any to any out icmptype 8
> 01000     0     0 allow icmp from any to any in icmptype 0
> 01100     0     0 reset log tcp from any to any 113
> 01200     0     0 allow udp from 206.13.19.133 123 to 192.168.10.2 123
> 01300     0     0 allow udp from 165.227.1.1 123 to 192.168.10.2 123
> 01400     0     0 allow udp from 63.192.96.2 123 to 192.168.10.2 123
> 01500     0     0 allow udp from 63.192.96.3 123 to 192.168.10.2 123
> 01600     0     0 allow udp from 132.239.254.49 123 to 192.168.10.2 123
> 01700    42  4614 allow udp from 192.168.10.1 to any
> 01800    42  2928 allow udp from any to 192.168.10.1
> 01900   144 12816 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> 02000   195 62903 allow ip from 192.168.1.0/24 to any keep-state via ed0
> 65400     0     0 allow log ip from any to any
> 65500     0     0 deny log ip from any to any
> 65535   203 17016 allow ip from any to any
>
> I am curious as to why the check-state (500) rule is not incrementing.

'Cause that's not how it works. The "parent rule" gets incremented.

> As I understand it, a box on my internal network (192.168.1.0/24)
> requests a page from Yahoo! for example. The outgoing request is
> allowed by rule 2000 which then sets up the dynamic rule. Why wouldn't
> the packets coming back from Yahoo! match the check-state rule
> (500)?

It does, and rule 2000 gets incremented each time a packet matches the dynamic rule created from it.

> Instead they are being allowed back in via rule 600.

No, other stuff is coming in that way.

> Anyway, thanks for your help.
I am trying to *understand* how my > firewall actually works instead of just being satisfied that it seems to > work. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 30 0:19:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from microsoft.com (pc6.opole.cvx.ppp.tpnet.pl [213.76.6.6]) by hub.freebsd.org (Postfix) with SMTP id B51BF37B419 for ; Tue, 30 Apr 2002 00:19:36 -0700 (PDT) Received: (qmail 460 invoked by uid 1000); 30 Apr 2002 06:23:16 -0000 Date: Tue, 30 Apr 2002 08:23:16 +0200 From: Piotr Wiejaczka To: freebsd-security@FreeBSD.ORG Subject: Re: syslogd security bug? Message-ID: <20020430082316.A372@microsoft.com> References: <20020429233943.A213@microsoft.com> <20020429214929.GK1530@elvis.mu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020429214929.GK1530@elvis.mu.org>; from bright@mu.org on Mon, Apr 29, 2002 at 02:49:29PM -0700 X-GEEKCODE-1: GCS d- s:- a19 C++++ UB+++>++++ P++++ L- E--- W- N++ o? K w-- X-GEEKCODE-2: O? M- V? PS+ PE++ Y PGP- t+ 5 X- R++ !tv b++@ DI- D+ X-GEEKCODE-3: G++ e* h! !r !y+ X-Echelon-Rulez: terrorism, uranium, kill the president, TNT, C4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Alfred Perlstein wrote: [..] > You're kidding right? > Please read the syslog(3) manpage. Oops! That was my mistake. I'm sorry for that dumb post. Next time I'll be more careful. 
-- wiejak FidoNet: 2:484/2.76 mailto: wiejak alpha.net.pl To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 30 8:16:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from blacklamb.mykitchentable.net (ekgr-dsl2-92.citlink.net [207.173.226.92]) by hub.freebsd.org (Postfix) with ESMTP id 88F8E37B41E for ; Tue, 30 Apr 2002 08:16:31 -0700 (PDT) Received: from tagalong (unknown [165.107.42.110]) by blacklamb.mykitchentable.net (Postfix) with SMTP id 77BA2EE5A1; Tue, 30 Apr 2002 08:16:29 -0700 (PDT) Message-ID: <013001c1f05a$00eba290$6e2a6ba5@lc.ca.gov> From: "Drew Tomlinson" To: Cc: References: <020501c1ecb4$4e21a220$6e2a6ba5@lc.ca.gov> <20020427163041.A37618@blossom.cjclark.org> <010901c1efc9$2f1dc670$6e2a6ba5@lc.ca.gov> <20020429202337.A53784@blossom.cjclark.org> Subject: Re: Stateful IPFW Firewall Assistance Date: Tue, 30 Apr 2002 08:16:29 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ----- Original Message ----- From: "Crist J. Clark" Sent: Monday, April 29, 2002 8:23 PM > On Mon, Apr 29, 2002 at 02:59:49PM -0700, Drew Tomlinson wrote: > > ----- Original Message ----- > > From: "Crist J. Clark" > > Sent: Saturday, April 27, 2002 4:30 PM > > > > > On Thu, Apr 25, 2002 at 04:52:47PM -0700, Drew Tomlinson wrote: > > > > I'm trying to fine-tune my firewall and am hoping for a little > > advice > > > > regarding stateful behavior. I built this rule set based upon an > > > > example by Peter Brezny I found on the web so it may look familar. 
> > > > > > > > Here's my current network setup: > > > > > > > > ISP > > > > | > > > > | Public DHCP address > > > > | > > > > 3Com ADSL Modem/Router > > > > (Router performs NAT and passes packets to 10.2 by default) > > > > | (192.168.10.1) > > > > | > > > > | > > > > | (ed1 192.168.10.2) > > > > FBSD Gateway > > > > | (ed0 192.168.1.2) > > > > | > > > > | > > > > Internal LAN > > > > > > > > And here are my current firewall rules: > > > > > > > > 00100 allow ip from any to any via lo0 > > > > 00200 deny log ip from any to 127.0.0.0/8 > > > > 00300 deny log ip from 192.168.1.0/24 to any in recv ed1 > > > > 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0 > > > > 00500 allow tcp from any to any established > > > > 00600 allow tcp from any to 192.168.1.0/24 > > 21,22,25,80,143,389,443,993 setup > > > > > > This seems odd. How can anyone ever get packets to your various nets > > > in the 192.168.0.0/16 range from the outside? Maybe these are masked > > > examples? Anyway, you probably want the above to read as, > > > > These are actual examples. If I understand the reasons for these rules > > correctly, I'm not allowing packets arrive on the outside interface > > (192.168.10.2) from the inside (192.168.1.0/24) network and visa-versa > > to prevent spoofing. > > That's what 200, 300, and 400 do, anti-spoofing. > > > > 00500 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993 to > > any established > > > 00600 allow tcp from any to 192.168.1.0/24 > > 21,22,25,80,143,389,443,993 > > > > > > > 00700 allow tcp from any to 192.168.10.2 21,22 setup > > > > > > And this as, > > > > > > 00700 allow tcp from 192.168.10.2 21,22 to any established > > > 00750 allow tcp from any to 192.168.10.2 21,22 > > > > > > This way, you get rid of that 'pass tcp from any to any established' > > > rule that will mess up, > > > > I think I understand. These rules allow traffic in and out for ports > > where services are running. However, are rules 500 and 700 necessary? 
>
> If you want to allow external access to ftp (21/tcp), ssh (22/tcp),
> smtp (25/tcp), http (80/tcp), imap (143/tcp), ldap (389/tcp), https
> (443/tcp), and imaps (993/tcp), you want these rules. It will actually
> work with just the keep-state rules for the outgoing stuff, but
> allowing external machines to create dynamic rules is not a really
> good idea. There is no security benefit, and it is actually less
> secure since it's an easier DoS.
>
> If you don't need to allow the outside world access to any of these
> servers running on your network, close 'em up. My previous question
> was how the external world could possibly reach these services from
> the Internet if you are using RFC1918 addresses.

Ah... because my 3Com ADSL Modem/Router performs NAT as indicated in the diagram of my network. I would really like to set up the 3Com as a bridge so it would be "transparent" to my FBSD gateway but I can't seem to make that happen. I think my ISP's config won't allow it to be a bridge but their help desk doesn't have a clue and thus can't confirm my suspicion. They just want to know what version of Windows I'm running... :)

> > I've tested this and rules 2000 and 2100 appear to allow the outgoing
> > traffic? Is this OK or is it poor firewall design? What are the
> > ad/disadvantages?
>
> Those do allow _outgoing_; the previous rules allow incoming.
>
> > > > 01900 check-state
> > > > 02000 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> > > > 02100 allow ip from 192.168.1.0/24 to any keep-state via ed0
> > >
> > > The keep-state rules by passing packets that they have state on. Also
> > > note that the 'check-state' rule here is completely redundant and can
> > > be removed.
> >
> > I've moved the check-state and made the modifications you suggested. My
> > current ruleset looks like this: (Please note these rule numbers will
> > not correspond exactly to the rule numbers in the previous thread.)
> > > > blacksheep# ipfw show > > 00100 0 0 allow ip from any to any via lo0 > > 00200 0 0 deny log ip from any to 127.0.0.0/8 > > 00300 0 0 deny log ip from 192.168.1.0/24 to any in recv ed1 > > 00400 0 0 deny log ip from not 192.168.1.0/24 to any in recv ed0 > > 00500 0 0 check-state > > 00600 14 696 allow tcp from any to 192.168.1.0/24 > > 21,22,25,80,143,389,443,993,5405,10001 > > 00700 77 3464 allow tcp from any to 192.168.10.2 21,22 > > 00800 0 0 allow icmp from any to any icmptype 3,4,11,12 > > 00900 0 0 allow icmp from any to any out icmptype 8 > > 01000 0 0 allow icmp from any to any in icmptype 0 > > 01100 0 0 reset log tcp from any to any 113 > > 01200 0 0 allow udp from 206.13.19.133 123 to 192.168.10.2 123 > > 01300 0 0 allow udp from 165.227.1.1 123 to 192.168.10.2 123 > > 01400 0 0 allow udp from 63.192.96.2 123 to 192.168.10.2 123 > > 01500 0 0 allow udp from 63.192.96.3 123 to 192.168.10.2 123 > > 01600 0 0 allow udp from 132.239.254.49 123 to 192.168.10.2 123 > > 01700 42 4614 allow udp from 192.168.10.1 to any > > 01800 42 2928 allow udp from any to 192.168.10.1 > > 01900 144 12816 allow ip from 192.168.10.2 to any keep-state out xmit > > ed1 > > 02000 195 62903 allow ip from 192.168.1.0/24 to any keep-state via ed0 > > 65400 0 0 allow log ip from any to any > > 65500 0 0 deny log ip from any to any > > 65535 203 17016 allow ip from any to any > > > > I am curious as to why the check-state (500) rule is not incrementing. > > 'Cause that's not how it works. The "parent rule" gets incremented. OK, thanks for clearing that up. > > As I understand it, a box on my internal network (192.168.1.0/24) > > requests a page from Yahoo! for example. The outgoing request is > > allowed by rule 2000 which then sets up the dynamic rule. Why wouldn't > > the packets coming back from Yahoo! match the check-state rule > > (500)? > > It does, and rule 2000 gets incremented each time a packet maches the > dynamic rule created from it. 
> > > Instead they are being allowed back in via rule 600.
> >
> > No, other stuff is coming in that way.

OK, I've got it. Thank you for your help. I appreciate it very much and am happy to understand what's going on here instead of just copying a file from the Net and assuming it works.

Thanks again,

Drew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Apr 30 10:27:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from salseiros.melim.com.br (salseiros.melim.com.br [200.215.110.23]) by hub.freebsd.org (Postfix) with ESMTP id C774137B416 for ; Tue, 30 Apr 2002 10:27:46 -0700 (PDT)
Received: from fazendinha (ressacada.melim.com.br [200.215.110.4]) by salseiros.melim.com.br (Postfix) with SMTP id E7624BA57 for ; Tue, 30 Apr 2002 14:27:39 -0300 (BRT)
Message-ID: <014001c1f06c$88f1b280$2aa8a8c0@melim.com.br>
From: "Ronan Lucio"
To:
Subject: Transparent proxy rules
Date: Tue, 30 Apr 2002 14:29:08 -0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi All,

I have tried to install a transparent proxy but I didn't understand the correct functionality of the ipfw rules for a squid transparent proxy.

I installed the transparent proxy following a tutorial that says to include the following rules in ipfw:

    allow tcp from any to any
    fwd 127.0.0.1,3128 tcp from any to any 80

Well, since ipfw reads line by line, I think it'll leave the server without a firewall, since the first rule allows everything. But if I test the proxy, it really works, that is to say, the tcp frame passes to the second rule (fwd).

How is this possible?
[]'s
Ronan

From owner-freebsd-security Tue Apr 30 15:49:17 2002
Received: from ziplip.com (mail.ziplip.com [128.242.109.119]) by hub.freebsd.org (Postfix) with ESMTP id 2B58337B404 for ; Tue, 30 Apr 2002 15:48:22 -0700 (PDT)
Received: from 10.1.0.20 (EHLO 10.1.0.20 10.1.0.20 [10.1.0.20] (may be forged)) by 10.1.0.20 with ESMTP id for ; 30 Apr 2002 15:48:06 -0700 (PDT)
Message-ID:
Date: Tue, 30 Apr 2002 15:48:06 -0700 (PDT)
From: SolarfluX
Reply-To: solarflux@ziplip.com
To: freebsd-security@freebsd.org
Subject: Re: Upgrading default OpenSSL
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-ZLPwdHint:
X-ZLExpiry: -1
X-ZLReceiptConfirm: N
X-ZLAuthType: WEB-MAIL
X-ZLAuthOn: Y
X-Mailer: ZipLip Sonoma v3.2

Would this question be more appropriate for freebsd-ports, if not here?

I figured the ability (or lack of) to upgrade the default OpenSSL is more of a security issue first, then a ports issue second. I don't want to install OpenSSL manually using the source and have two different versions on my system. I want to replace the default version 0.9.6a with 0.9.6b (0.9.6c would be really nice). Could someone please comment on how this can (or cannot, and why) be done?

>Normally, yes, that's what it is for, but not in this case.
>From /usr/ports/security/openssl/Makefile:
>#FORBIDDEN= "OpenSSL is already in the base system"
>-S

> -----Original Message-----
> From: Jeff Palmer [mailto:scorpio@drkshdw.org]
> Sent: Thursday, April 18, 2002, 12:39 AM
> To: solarflux@ziplip.com
> Subject: Re: Upgrading default OpenSSL
>
> Do you happen to know what the forbidden= is for?
> Typically it's due to a security related issue. It seems to me that you
> want the latest/greatest OpenSSL/OpenSSH for security purposes.. so I'd
> think this whole idea of commenting out the line, would be
> counter-productive..
>
> ----- Original Message -----
> From: "SolarfluX"
> To:
> Sent: Thursday, April 18, 2002 3:33 AM
> Subject: Upgrading default OpenSSL
>
> > Hi,
> >
> > I'd like to upgrade the default version of OpenSSL (0.9.6a) on 4.5-STABLE
> > to the latest available in ports (0.9.6b). I upgraded the default OpenSSH
> > to 3.1p using an entry in /etc/make.conf:
> >
> > OPENSSH_OVERWRITE_BASE=YES
> >
> > Can the same thing be done with OpenSSL (i.e. OPENSSL_OVERWRITE_BASE=YES),
> > after commenting out the FORBIDDEN lines in the Makefile?
> >
> > When will 0.9.6c (released Dec. 21, 2001) be incorporated?
> >
> > TIA

From owner-freebsd-security Tue Apr 30 18:45:42 2002
Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id C56A037B41A for ; Tue, 30 Apr 2002 18:45:37 -0700 (PDT)
Received: (qmail 21910 invoked by uid 1001); 1 May 2002 01:45:31 -0000
Date: Tue, 30 Apr 2002 21:45:31 -0400
From: "Peter C. Lai"
To: SolarfluX
Cc: freebsd-security@freebsd.org
Subject: Re: Upgrading default OpenSSL
Message-ID: <20020430214531.A21901@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from solarflux@ziplip.com on Tue, Apr 30, 2002 at 03:48:06PM -0700

cvsup and make world?

On Tue, Apr 30, 2002 at 03:48:06PM -0700, SolarfluX wrote:
> Would this question be more appropriate for freebsd-ports, if not here?
>
> I figured the ability (or lack of) to upgrade the default OpenSSL is more of a
> security issue first, then a ports issue second. I don't want to install OpenSSL
> manually using the source and have two different versions on my system. I
> want to replace the default version 0.9.6a with 0.9.6b (0.9.6c would be really
> nice). Could someone please comment on how this can (or cannot, and why) be
> done?
>
> >Normally, yes, that's what it is for, but not in this case.
> >From /usr/ports/security/openssl/Makefile:
> >#FORBIDDEN= "OpenSSL is already in the base system"
> >-S
>
> > -----Original Message-----
> > From: Jeff Palmer [mailto:scorpio@drkshdw.org]
> > Sent: Thursday, April 18, 2002, 12:39 AM
> > To: solarflux@ziplip.com
> > Subject: Re: Upgrading default OpenSSL
> >
> > Do you happen to know what the forbidden= is for?
> > Typically it's due to a security related issue. It seems to me that you
> > want the latest/greatest OpenSSL/OpenSSH for security purposes.. so I'd
> > think this whole idea of commenting out the line, would be
> > counter-productive..
> >
> > ----- Original Message -----
> > From: "SolarfluX"
> > To:
> > Sent: Thursday, April 18, 2002 3:33 AM
> > Subject: Upgrading default OpenSSL
> >
> > > Hi,
> > >
> > > I'd like to upgrade the default version of OpenSSL (0.9.6a) on 4.5-STABLE
> > > to the latest available in ports (0.9.6b). I upgraded the default OpenSSH
> > > to 3.1p using an entry in /etc/make.conf:
> > >
> > > OPENSSH_OVERWRITE_BASE=YES
> > >
> > > Can the same thing be done with OpenSSL (i.e. OPENSSL_OVERWRITE_BASE=YES),
> > > after commenting out the FORBIDDEN lines in the Makefile?
> > >
> > > When will 0.9.6c (released Dec. 21, 2001) be incorporated?
> > >
> > > TIA

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security Tue Apr 30 21:18:05 2002
Received: from hotmail.com (f26.pav0.hotmail.com [64.4.32.210]) by hub.freebsd.org (Postfix) with ESMTP id 233D937B419 for ; Tue, 30 Apr 2002 21:18:03 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 30 Apr 2002 21:18:03 -0700
Received: from 24.217.8.73 by pv0fd.pav0.hotmail.msn.com with HTTP; Wed, 01 May 2002 04:18:02 GMT
X-Originating-IP: [24.217.8.73]
From: "Chest Rockwell"
To: security@freebsd.org
Subject: newbie. possibly got hacked. need help.
Date: Tue, 30 Apr 2002 23:18:02 -0500
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 01 May 2002 04:18:03.0009 (UTC) FILETIME=[2F8E2F10:01C1F0C7]

I have everything pretty much turned off except for ftp. anon ftp is off tho. I tried to add a user and it said that the partition was full. I do have a cron job stats program running.

/dev/ad0s1e 257998 257822 -20462 109% /var

I found a /var/games/phantasia and a couple other dirs in there. I can't seem to locate the files that are filling that partition. As I try to locate anything to tell me if I was really hacked or not, I do 'df' again and my var dir is down to 10%.

Any idea why?
From owner-freebsd-security Tue Apr 30 21:39:03 2002
Received: from mail.texas-shooters.com (bdsl.66.12.242.27.gte.net [66.12.242.27]) by hub.freebsd.org (Postfix) with ESMTP id DDD9937B41C for ; Tue, 30 Apr 2002 21:38:34 -0700 (PDT)
Received: (from root@localhost) by mail.texas-shooters.com (8.12.1/8.12.1) id g414TvgW072363 for freebsd-security@freebsd.org; Tue, 30 Apr 2002 23:29:57 -0500 (CDT) (envelope-from el_kab0ng@mail.texas-shooters.com)
Received: from mail.texas-shooters.com (localhost [127.0.0.1]) by mail.texas-shooters.com (8.12.1/8.12.1av) with ESMTP id g414Tr0f072352 for ; Tue, 30 Apr 2002 23:29:53 -0500 (CDT) (envelope-from el_kab0ng@mail.texas-shooters.com)
Received: (from el_kab0ng@localhost) by mail.texas-shooters.com (8.12.1/8.12.1/Submit) id g414Trjr072351 for freebsd-security@freebsd.org; Tue, 30 Apr 2002 23:29:53 -0500 (CDT) (envelope-from el_kab0ng)
Date: Tue, 30 Apr 2002 23:29:53 -0500
From: pr0ject
To: freebsd-security@freebsd.org
Subject: Re: newbie. possibly got hacked. need help.
Message-ID: <20020430232953.A72277@mail.texas-shooters.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from cdgaming@msn.com on Tue, Apr 30, 2002 at 11:18:02PM -0500
X-righteous-weapon: AK-47, of course.
X-planation: Happiness is a warm gun.
X-bitch: I miss my ex-wife... but with this new laser sight...
X-website: http://www.texas-shooters.com
X-Virus-Scanned: by AMaViS perl-11

hate to say it, but if you've removed something huge or you have a runaway process holding the memory space, you might try rebooting. if this doesn't clear the problem, investigate the dirs by du /path/to/dir to see what is taking the space.. just my .02

Today cdgaming@msn.com spoke in tongue:
**
** i have everything pretty much turned off except for ftp. anon ftp is off
** tho. i tried to add a user and it said that the partition was full. i do
** have a cron job stats program running.
**
** /dev/ad0s1e 257998 257822 -20462 109% /var
**
** i found a /var/games/phantasia and a couple other dirs in there. i can't
** seem to locate the files that are filling that partition. as i try to
** locate anything to tell me if i was really hacked or not, i do 'df' again
** and my var dir is down to 10%.
**
** any idea why?

From owner-freebsd-security Tue Apr 30 21:45:19 2002
Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by hub.freebsd.org (Postfix) with ESMTP id 49D4137B405 for ; Tue, 30 Apr 2002 21:45:17 -0700 (PDT)
Received: by elvis.mu.org (Postfix, from userid 1098) id 1BAE1AE147; Tue, 30 Apr 2002 21:45:17 -0700 (PDT)
Date: Tue, 30 Apr 2002 21:45:17 -0700
From: Bill Fumerola
To: pr0ject
Cc: freebsd-security@freebsd.org
Subject: Re: newbie. possibly got hacked. need help.
Message-ID: <20020501044517.GF688@elvis.mu.org>
Reply-To: Bill Fumerola
References: <20020430232953.A72277@mail.texas-shooters.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020430232953.A72277@mail.texas-shooters.com>
User-Agent: Mutt/1.3.27i
X-Operating-System: FreeBSD 4.5-MUORG-20020423 i386

On Tue, Apr 30, 2002 at 11:29:53PM -0500, pr0ject wrote:
> hate to say it, but if you've removed something huge or you have a runaway
> process holding the memory space, you might try rebooting.

rebooting? stay away from my systems. try just installing 'lsof' (in a ports collection near you) and see what's holding open the file.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org

ps. the original question belongs on -questions, the message i'm replying to belongs in a bit bucket somewhere.

From owner-freebsd-security Wed May 1 0:31:48 2002
Received: from pooh.noc.u-net.net (pooh.noc.u-net.net [195.102.252.112]) by hub.freebsd.org (Postfix) with ESMTP id 51C0C37B405 for ; Wed, 1 May 2002 00:31:43 -0700 (PDT)
Received: from pooh.noc.u-net.net ([195.102.252.112] helo=there) by pooh.noc.u-net.net with smtp (Exim 3.22 #1) id 172oa7-000AaY-00; Wed, 01 May 2002 08:31:19 +0100
Content-Type: text/plain; charset="iso-8859-1"
From: Peter McGarvey
Reply-To: pmcgarvey@vianetworks.co.uk
Organization: VIA NETdotWORKS
To: Bill Fumerola , Bill Fumerola , pr0ject
Subject: Re: newbie. possibly got hacked. need help.
Date: Wed, 1 May 2002 08:31:18 +0100
X-Mailer: KMail [version 1.3]
Cc: freebsd-security@freebsd.org
References: <20020430232953.A72277@mail.texas-shooters.com> <20020501044517.GF688@elvis.mu.org>
In-Reply-To: <20020501044517.GF688@elvis.mu.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id:
X-Scanner: EQUS 136290b73cd1c3aea95e8b676f54204b (Personal POOH - SMTP Gateway)
X-EXIM-FILTER: PASS-s02

On Wednesday 01 May 2002 05:45 am, Bill Fumerola wrote:
> On Tue, Apr 30, 2002 at 11:29:53PM -0500, pr0ject wrote:
> > hate to say it, but if you've removed something huge or you have a
> > runaway process holding the memory space, you might try rebooting.
>
> rebooting? stay away from my systems. try just installing 'lsof' (in a
> ports collection near you) and see what's holding open the file.

Hmm, installing a port when /var is full does not strike me as a good idea.

I've seen a similar thing twice, turns out qmail goes haywire if you've got softupdates turned on. The only way to fix it is to reboot into single-user mode and fsck the disk. Remembering to turn softupdates off when it's finished.

Another fun way to fill a volume is to delete a log file. Syslog will happily backfill your volume without complaint until you HUP or restart it.

--
TTFN, FNORD

Peter McGarvey
System Administrator
Network Operations, VIA Networks UK

From owner-freebsd-security Wed May 1 0:55:59 2002
Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by hub.freebsd.org (Postfix) with ESMTP id BB40D37B400 for ; Wed, 1 May 2002 00:55:56 -0700 (PDT)
Received: by elvis.mu.org (Postfix, from userid 1098) id 89C8EAE027; Wed, 1 May 2002 00:55:56 -0700 (PDT)
Date: Wed, 1 May 2002 00:55:56 -0700
From: Bill Fumerola
To: Peter McGarvey
Cc: freebsd-security@freebsd.org
Subject: Re: newbie. possibly got hacked. need help.
Message-ID: <20020501075556.GG688@elvis.mu.org>
Reply-To: Bill Fumerola
References: <20020430232953.A72277@mail.texas-shooters.com> <20020501044517.GF688@elvis.mu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.27i
X-Operating-System: FreeBSD 4.5-MUORG-20020423 i386

On Wed, May 01, 2002 at 08:31:18AM +0100, Peter McGarvey wrote:
> Hmm, installing a port when /var is full does not strike me as a good idea.

oh for Christ's sake, my suggestion wasn't meant to be a step-by-step on how to fix a system, i was pointing out the utility that could be used to figure out what's going on.

so install the package and ignore the registration complaints. so compile and run it by hand in your home directory. so compile it on another system and copy it over. so just use fstat and get less sexy output. so be a sysadmin and apply an iota of thought to the problem.

> I've seen a similar thing twice, turns out qmail goes haywire if you've
> got softupdates turned on. The only way to fix it is to reboot into
> single-user mode and fsck the disk. Remembering to turn softupdates off
> when it's finished.

no, not really. filling up a disk with softupdates used to cause problems, it no longer does. it is possible to unmount a fs and run tunefs without rebooting your system (or dropping to single-user mode). there is (was?) nothing qmail specific about this problem.

> Another fun way to fill a volume is to delete a log file. Syslog will
> happily backfill your volume without complaint until you HUP or restart it.

your "problem" is with unix semantics, not syslog. this is the exact "problem" the original poster was having (running processes holding open a file handle on a large, deleted file), but thanks for repeating it.

please kill this thread, it is all -questions fodder.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org

From owner-freebsd-security Wed May 1 2:29:32 2002
Received: from mail.imp.ch (mail.imp.ch [157.161.1.2]) by hub.freebsd.org (Postfix) with ESMTP id C3FFB37B417; Wed, 1 May 2002 02:29:26 -0700 (PDT)
Received: from levais.imp.ch (levais.imp.ch [157.161.4.66]) by mail.imp.ch (8.11.6/8.11.6) with ESMTP id g419TPC53604; Wed, 1 May 2002 11:29:25 +0200 (CEST)
Date: Wed, 1 May 2002 11:33:00 +0200 (CEST)
From: Martin Blapp
To:
Cc: ,
Subject: Mozilla and NS6 security problem
Message-ID: <20020501112902.X451-100000@levais.imp.ch>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi,

see:

http://www.heise.de/newsticker/data/ju-30.04.02-000/
http://sec.greymagic.com/adv/gm001-ns/

Our ports are vulnerable too. It seems that there is no fix yet available.
Martin

Martin Blapp,
------------------------------------------------------------------
ImproWare AG, UNIXSP & ISP, Zurlindenstrasse 29, 4133 Pratteln, CH
Phone: +41 061 826 93 00: +41 61 826 93 01
PGP Fingerprint: B434 53FC C87C FE7B 0A18 B84C 8686 EF22 D300 551E
------------------------------------------------------------------

From owner-freebsd-security Wed May 1 6:21:34 2002
Received: from pintail.mail.pas.earthlink.net (pintail.mail.pas.earthlink.net [207.217.120.122]) by hub.freebsd.org (Postfix) with ESMTP id CC6B137B416 for ; Wed, 1 May 2002 06:21:30 -0700 (PDT)
Received: from user-119aekg.biz.mindspring.com ([66.149.58.144] helo=ns.flncs.com) by pintail.mail.pas.earthlink.net with esmtp (Exim 3.33 #2) id 172u2r-0001h0-00; Wed, 01 May 2002 06:21:21 -0700
Received: from mlevy.flncs.com (cylex [12.27.148.78]) by ns.flncs.com (Postfix) with ESMTP id 5F185557E; Wed, 1 May 2002 09:24:38 -0400 (EDT)
Message-Id: <5.1.0.14.2.20020501092030.00a983e8@imap.flncs.com>
X-Sender: mlevy@imap.flncs.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 01 May 2002 09:22:45 -0400
To: pmcgarvey@vianetworks.co.uk
From: Moti
Subject: Re: newbie. possibly got hacked. need help.
Cc: freebsd-security@freebsd.org
In-Reply-To:
References: <20020501044517.GF688@elvis.mu.org> <20020430232953.A72277@mail.texas-shooters.com> <20020501044517.GF688@elvis.mu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 08:31 AM 5/1/2002 +0100, Peter McGarvey wrote:
>On Wednesday 01 May 2002 05:45 am, Bill Fumerola wrote:
>> On Tue, Apr 30, 2002 at 11:29:53PM -0500, pr0ject wrote:
>> > hate to say it, but if you've removed something huge or you have a
>> > runaway process holding the memory space, you might try rebooting.
>>
>> rebooting? stay away from my systems. try just installing 'lsof' (in a
>> ports collection near you) and see what's holding open the file.
>
>Hmm, installing a port when /var is full does not strike me as a good idea.
>
>I've seen a similar thing twice, turns out qmail goes haywire if you've
>got softupdates turned on. The only way to fix it is to reboot into
>single-user mode and fsck the disk. Remembering to turn softupdates off
>when it's finished.
>
>Another fun way to fill a volume is to delete a log file. Syslog will
>happily backfill your volume without complaint until you HUP or restart it.
>
>--
>TTFN, FNORD
>
>Peter McGarvey
>System Administrator
>Network Operations, VIA Networks UK

Looks like you've been pub scanned and someone uploaded warez to your ftp directory.... Are you sure anonymous access is disabled? I would check anyway; delete the files under /var/ftp and run fsck if df still reports the file system full! If you don't have to, don't use ftp; use ssh and scp for file copy and http to share them.
(in my opinion of course)

Moti

From owner-freebsd-security Wed May 1 6:33:40 2002
Received: from diarmadhi.mushhaven.net (diarmadhi.mushhaven.net [216.150.202.147]) by hub.freebsd.org (Postfix) with SMTP id 8946B37B405 for ; Wed, 1 May 2002 06:33:36 -0700 (PDT)
Received: (qmail 36126 invoked by uid 1000); 1 May 2002 13:32:20 -0000
Date: Wed, 1 May 2002 09:32:20 -0400
From: Jamie Norwood
To: freebsd-security@freebsd.org
Subject: Re: newbie. possibly got hacked. need help.
Message-ID: <20020501133220.GA36059@mushhaven.net>
References: <20020430232953.A72277@mail.texas-shooters.com> <20020501044517.GF688@elvis.mu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.28i

On Wed, May 01, 2002 at 08:31:18AM +0100, Peter McGarvey wrote:
> On Wednesday 01 May 2002 05:45 am, Bill Fumerola wrote:
> > On Tue, Apr 30, 2002 at 11:29:53PM -0500, pr0ject wrote:
> > > hate to say it, but if you've removed something huge or you have a
> > > runaway process holding the memory space, you might try rebooting.
> >
> > rebooting? stay away from my systems. try just installing 'lsof' (in a
> > ports collection near you) and see what's holding open the file.
>
> Hmm, installing a port when /var is full does not strike me as a good idea.
>
> I've seen a similar thing twice, turns out qmail goes haywire if you've
> got softupdates turned on. The only way to fix it is to reboot into
> single-user mode and fsck the disk. Remembering to turn softupdates off
> when it's finished.

Eh? I run qmail on a machine using softupdates with no problems...
Granted, it processes maybe a thousand or two messages a day, but...

> Another fun way to fill a volume is to delete a log file. Syslog will
> happily backfill your volume without complaint until you HUP or restart it.

Heh, yeah. :)

Jamie

> --
> TTFN, FNORD
>
> Peter McGarvey
> System Administrator
> Network Operations, VIA Networks UK

From owner-freebsd-security Wed May 1 7:20:02 2002
Received: from be-well.ilk.org (lowellg.ne.client2.attbi.com [24.147.188.158]) by hub.freebsd.org (Postfix) with ESMTP id 36C9637B404 for ; Wed, 1 May 2002 07:19:55 -0700 (PDT)
Received: from be-well.ilk.org (lowellg.ne.client2.attbi.com [24.147.188.158]) by be-well.ilk.org (8.12.3/8.12.3) with ESMTP id g41EJs8A012990 for ; Wed, 1 May 2002 10:19:54 -0400 (EDT) (envelope-from lowell@world.std.com)
Received: (from lowell@localhost) by be-well.ilk.org (8.12.3/8.12.3/Submit) id g41EJruh012987; Wed, 1 May 2002 10:19:53 -0400 (EDT)
X-Authentication-Warning: be-well.ilk.org: lowell set sender to lowell@world.std.com using -f
To: freebsd-security@freebsd.org
Subject: Re: Upgrading default OpenSSL
References:
From: Lowell Gilbert
Date: 01 May 2002 10:19:53 -0400
In-Reply-To:
Message-ID: <44pu0grlva.fsf@be-well.ilk.org>
Lines: 36
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

SolarfluX writes:

> Would this question be more appropriate for freebsd-ports, if not here?

Only if you want to install from ports.

> I figured the ability (or lack of) to upgrade the default OpenSSL is more of a
> security issue first, then a ports issue second.

That depends on your particular needs, of course. You probably wouldn't be hurting your security profile much by bringing in a different version of OpenSSL than the one in the FreeBSD base system, but there's always the risk of your screwing something up. If you're assuming that a later version of OpenSSL will be more secure than the patched earlier version that FreeBSD includes, then you are jumping to unwarranted (and, as I already implied, likely incorrect) conclusions.

> I don't want to install OpenSSL
> manually using the source and have two different versions on my system.

That's your choice; there's no strong objective argument either way on the point.

> I
> want to replace the default version 0.9.6a with 0.9.6b (0.9.6c would be really
> nice). Could someone please comment on how this can (or cannot, and why) be
> done?

You can always build from source and install right over the top of the system versions. There is a make.conf(5) knob to tell "make world" not to build or install its version. The odds of your reducing your system's security by doing so are probably higher than your odds of improving your security, but (barring installation errors on your part) neither possibility is very likely in the big picture.

From owner-freebsd-security Wed May 1 7:34:22 2002
Received: from ziplip.com (mail.ziplip.com [128.242.109.119]) by hub.freebsd.org (Postfix) with ESMTP id A07E837B41A for ; Wed, 1 May 2002 07:34:15 -0700 (PDT)
Received: from 10.1.0.20 (EHLO 10.1.0.20 10.1.0.20 [10.1.0.20] (may be forged)) by 10.1.0.20 with ESMTP id <4RNNROPZ2AD5GUD011DZYAWWVNPY0XVLBID3MB2E@ziplip.com> for ; 01 May 2002 07:33:59 -0700 (PDT)
Message-ID: <4RNNROPZ2AD5GUD011DZYAWWVNPY0XVLBID3MB2E@ziplip.com>
Date: Wed, 1 May 2002 07:33:59 -0700 (PDT)
From: SolarfluX
Reply-To: solarflux@ziplip.com
To: security@freebsd.org
Subject: Re: newbie. possibly got hacked. need help.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-ZLPwdHint:
X-ZLExpiry: -1
X-ZLReceiptConfirm: N
X-ZLAuthType: WEB-MAIL
X-ZLAuthOn: Y
X-Mailer: ZipLip Sonoma v3.2

To see what's eating up space in your /var, try this as root (in /var, of course):

du -Ha
or
du -Hah

Run it several times to see if any numbers are increasing (maybe output the results to different files and then 'diff' them). Then use 'lsof' to see what's writing to the suspect location(s). You'll have to 'man lsof' to figure out the best output for your needs. This may not be an optimal method, but should get you headed in the right direction.

BTW, phantasia is usually installed by default (depending on what type of installation you did), look in /usr/games for the rest.

There is no 'pretty much turned off'... Either it's on or off. Don't run FTP, use SCP or SFTP. Use a portscanner to see what ports your system is advertising.

> -----Original Message-----
> From: Chest Rockwell [mailto:cdgaming@msn.com]
> Sent: Tuesday, April 30, 2002, 9:18 PM
> To: security@freebsd.org
> Subject: newbie. possibly got hacked. need help.
>
> i have everything pretty much turned off except for ftp. anon ftp is off
> tho. i tried to add a user and it said that the partition was full. i do
> have a cron job stats program running.
>
> /dev/ad0s1e 257998 257822 -20462 109% /var
>
> i found a /var/games/phantasia and a couple other dirs in there. i can't
> seem to locate the files that are filling that partition. as i try to
> locate anything to tell me if i was really hacked or not, i do 'df' again
> and my var dir is down to 10%.
>
> any idea why?
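A small script that does what SolarfluX's du-and-diff suggestion, Bill's fstat/lsof remark and the note about unix semantics describe, written for this page as an added example (it is not code from any of the posters). It snapshots per-directory usage twice and reports what grew between the snapshots, and it demonstrates why df can report a full file system that du cannot account for: a file that is unlinked while a process still holds it open keeps its blocks until the last descriptor closes, which is what you use fstat(1) or lsof to track down on the real box. Everything runs inside a constructed temporary tree; the "messages" log and the 5000-byte append are made up for the demonstration.

```python
"""Added example, not code from the thread: the two checks behind the advice
above. snapshot_sizes()/growing() is the du-and-diff approach, and
held_open_after_unlink() shows why df and du disagree when a process still
holds a deleted file open. Everything runs in a constructed temporary tree."""
import os
import tempfile


def snapshot_sizes(root):
    """Bytes used under each directory (files summed recursively), the numbers
    'du -a' would print; symlinks are not followed."""
    totals = {}
    for dirpath, dirs, files in os.walk(root, topdown=False):
        here = 0
        for name in files:
            try:
                here += os.lstat(os.path.join(dirpath, name)).st_size
            except FileNotFoundError:
                pass  # vanished between listing and stat; du has the same race
        for child in dirs:  # children were visited first (topdown=False)
            here += totals.get(os.path.join(dirpath, child), 0)
        totals[dirpath] = here
    return totals


def growing(before, after, threshold=0):
    """Directories whose usage rose by more than threshold bytes between two
    snapshots, biggest growth first: the places to look at next."""
    deltas = [(after.get(d, 0) - before.get(d, 0), d) for d in after]
    return [(d, delta) for delta, d in sorted(deltas, reverse=True) if delta > threshold]


def held_open_after_unlink(path, size):
    """Create a file, keep it open, unlink it, and report what the kernel still
    sees through the descriptor: (link count, bytes still allocated, whether the
    name exists). This is the deleted-but-still-written log file case; the space
    comes back only when the last descriptor closes."""
    fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600)
    try:
        os.write(fd, b"x" * size)
        os.unlink(path)          # directory entry gone: ls, du and find no longer see it
        st = os.fstat(fd)        # ...but the inode and its blocks are still there
        return st.st_nlink, st.st_size, os.path.exists(path)
    finally:
        os.close(fd)             # this is the moment df goes back down


def demo():
    """Grow a constructed 'log file' between two snapshots and diff them, then
    run the unlink experiment; returns both results."""
    with tempfile.TemporaryDirectory() as root:
        log = os.path.join(root, "log", "messages")
        os.makedirs(os.path.dirname(log))
        with open(log, "wb") as f:
            f.write(b"a" * 1000)
        before = snapshot_sizes(root)
        with open(log, "ab") as f:
            f.write(b"b" * 5000)  # something is appending: this is the growth to find
        grew = growing(before, snapshot_sizes(root))
        held = held_open_after_unlink(os.path.join(root, "big.tmp"), 4096)
    return grew, held


if __name__ == "__main__":
    grew, held = demo()
    for path, delta in grew:
        print(f"+{delta:>8} bytes  {path}")
    print("unlinked file: nlink=%d size=%d name_exists=%s" % held)
```

On the box in question the equivalent is two `du -ak /var` runs a few minutes apart, diffed, followed by `fstat | grep var` (base system) or `lsof +L1` (ports) to find the process holding a zero-link file; the 109%-then-10% swing reported above is exactly what the last close of such a file looks like in df.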
From owner-freebsd-security Wed May 1 12:32:52 2002
Received: from blues.jpj.net (blues.jpj.net [204.97.17.6]) by hub.freebsd.org (Postfix) with ESMTP id D5FD237B400; Wed, 1 May 2002 12:32:42 -0700 (PDT)
Received: from localhost (trevor@localhost) by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g41JWb003540; Wed, 1 May 2002 15:32:38 -0400 (EDT)
Date: Wed, 1 May 2002 15:32:37 -0400 (EDT)
From: Trevor Johnson
To: Martin Blapp
Cc: freebsd-security@freebsd.org, , ,
Subject: Re: Mozilla and NS6 security problem
In-Reply-To: <20020501112902.X451-100000@levais.imp.ch>
Message-ID: <20020501152156.X2876-100000@blues.jpj.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Martin Blapp wrote:

> Hi, see:
>
> http://www.heise.de/newsticker/data/ju-30.04.02-000/
> http://sec.greymagic.com/adv/gm001-ns/
>
> Our ports are vulnerable too. It seems that there is
> no fix yet available.

Thank you, Martin. I tested the linux-mozilla port yesterday and found it had the bug. I've just marked it forbidden (sorry about the delay). The Netscape 6 ports were already marked forbidden because of my suspicion that they had the zlib double free() bug (I've seen a rumor that it was corrected in Netscape 6.22).

--
Trevor Johnson

From owner-freebsd-security Wed May 1 13:11:25 2002
Received: from mta1-3.us4.outblaze.com (205-158-62-44.outblaze.com [205.158.62.44]) by hub.freebsd.org (Postfix) with ESMTP id 4BB5637B417 for ; Wed, 1 May 2002 13:11:15 -0700 (PDT)
Received: from ws4-4.us4.outblaze.com (205-158-62-105.outblaze.com [205.158.62.105]) by mta1-3.us4.outblaze.com (8.11.6/8.11.6-srs) with SMTP id g41KBFq29879 for ; Wed, 1 May 2002 20:11:15 GMT
Received: (qmail 9754 invoked by uid 1001); 1 May 2002 16:02:49 -0000
Message-ID: <20020501160249.9753.qmail@linuxmail.org>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Received: from [206.104.144.96] by ws4-4.us4.outblaze.com with http for sysgeek@linuxmail.org; Wed, 01 May 2002 10:02:48 -0600
From: "James Williams"
To: freebsd-security@freebsd.org
Date: Wed, 01 May 2002 10:02:48 -0600
X-Originating-Ip: 206.104.144.96
X-Originating-Server: ws4-4.us4.outblaze.com

From owner-freebsd-security Thu May 2 2:11:24 2002
Received: from nippur.irb.hr (nippur.irb.hr [161.53.128.127]) by hub.freebsd.org (Postfix) with ESMTP id 1679A37B404 for ; Thu, 2 May 2002 02:11:19 -0700 (PDT)
Received: from localhost (keeper@localhost) by nippur.irb.hr (8.9.3/8.9.3) with ESMTP id LAA00882 for ; Thu, 2 May 2002 11:11:17 +0200 (MET DST)
Date: Thu, 2 May 2002 11:11:17 +0200 (MET DST)
From: Mario Pranjic
Subject: sslwrap and imap

Hi!

How can I run imaps with sslwrap on FreeBSD? I use inetd on Solaris:

imaps stream tcp nowait root /usr/local/sbin/tcpd /usr/sbin/sslwrap -cert /usr/local/ssl/certs/server.pem -exec /usr/local/sbin/imapd

But FreeBSD has a slightly different inetd.conf syntax. It does not have that /usr/local/sbin/tcpd part. I tried just removing that part from the line in inetd.conf, but it doesn't work.

Can anyone give me a hint how to do it properly?

Thanks!

Mario Pranjic, dipl.ing.
system administrator
Library, Institut Rudjer Boskovic
-------------------------------------
e-mail: mario.pranjic@irb.hr
ICQ: 72059629
tel: +385 1 45 60 954 (ext. 1293)
-------------------------------------

From owner-freebsd-security Thu May 2 2:35:22 2002
From: Jason Stone
To: Mario Pranjic
Subject: Re: sslwrap and imap
Date: Thu, 2 May 2002 02:35:08 -0700 (PDT)

> How can I run imaps with sslwrap on FreeBSD? I use inetd on Solaris:
>
> imaps stream tcp nowait root /usr/local/sbin/tcpd
> /usr/sbin/sslwrap -cert /usr/local/ssl/certs/server.pem
> -exec /usr/local/sbin/imapd

Syntax is the same - everything after the "root" is the command to run - on Solaris, it happens to run the imap daemon via tcpd, which probably implements tcp wrappers and otherwise just passes data across transparently. On FreeBSD, the config is essentially the same, you just have to get the command right.

A possibly much better solution is to just use courier-imap in /usr/ports/mail. Courier-imap is a more robust, more secure, more featureful imap daemon, and it speaks ssl natively - no need to use sslwrap. The only barrier to using courier-imap is that the mailspools must be maildirs instead of traditional mboxes.

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Thu May 2 3:50:08 2002
From: Mario Pranjic
Subject: Re: sslwrap and imap
Date: Thu, 2 May 2002 12:49:53 +0200 (MET DST)

On Thu, 2 May 2002, Jason Stone wrote:

> > How can I run imaps with sslwrap on FreeBSD? I use inetd on Solaris:
> >
> > imaps stream tcp nowait root /usr/local/sbin/tcpd
> > /usr/sbin/sslwrap -cert /usr/local/ssl/certs/server.pem
> > -exec /usr/local/sbin/imapd
>
> Syntax is the same - everything after the "root" is the command to run -
> on Solaris, it happens to run the imap daemon via tcpd which
> probably implements tcp wrappers and otherwise just passes data across
> transparently. On FreeBSD, the config is essentially the same, you just
> have to get the command right.

That's the problem.
FreeBSD doesn't have tcpd as a separate binary which I can run. So, I don't really know what to put there instead. Any idea?

> A possibly much better solution is to just use courier-imap in
> /usr/ports/mail. Courier-imap is a more robust, more secure, more
> featureful imap daemon, and it speaks ssl natively - no need to use
> sslwrap. The only barrier to using courier-imap is that the mailspools
> must be maildirs instead of traditional mboxes.

Yes, the maildir concept doesn't suit me, so I gave up on Courier-imap. Too bad, because I think it's a great imapd.

Mario Pranjic, dipl.ing.
system administrator
Library, Institut Rudjer Boskovic
-------------------------------------
e-mail: mario.pranjic@irb.hr
ICQ: 72059629
tel: +385 1 45 60 954 (ext. 1293)
-------------------------------------

From owner-freebsd-security Thu May 2 4:14:11 2002
From: Makoto Matsushita
To: mario.pranjic@irb.hr, security@FreeBSD.org
Subject: Re: sslwrap and imap
Date: Thu, 02 May 2002 20:13:55 +0900

mario.pranjic> That's the problem. FreeBSD doesn't have tcpd as a
mario.pranjic> separate binary which I can run. So, I don't really
mario.pranjic> know what to put there instead. Any idea?

You don't need to use tcpd, since inetd has the same feature. The following lines should work for you:

imaps stream tcp nowait root /usr/sbin/sslwrap -cert /usr/local/ssl/certs/server.pem -exec /usr/local/sbin/imapd

Don't forget to add the -w option to inetd (this is the default).

P.S.: tcpd is already in 5-current.

--
- Makoto `MAR' Matsushita

From owner-freebsd-security Thu May 2 4:19:22 2002
From: Stanislav Grozev
To: Mario Pranjic
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sslwrap and imap
Date: Thu, 2 May 2002 13:23:30 +0200

On Thu, May 02, 2002 at 12:49:53PM +0200, Mario Pranjic wrote:
> > > imaps stream tcp nowait root /usr/local/sbin/tcpd
> > > /usr/sbin/sslwrap -cert /usr/local/ssl/certs/server.pem
> > > -exec /usr/local/sbin/imapd
>
> That's the problem. FreeBSD doesn't have tcpd as a separate binary which I
> can run. So, I don't really know what to put there instead.
> Any idea?

You do not need it - FreeBSD's inetd, when started with -w (which is the default), supports tcp wrappers by itself. So, remove the /usr/local/sbin/tcpd from above, adjust your /etc/hosts.allow, kill -HUP `cat /var/run/inetd.pid` and you should be set.

-tacho
--
[a lie is my shield] | [http://daemonz.org/ || tacho@daemonz.org]
0x44fc3339 || [02b5 798b 4bd1 97fb f8db 72e4 dca4 be03 44fc 3339]

From owner-freebsd-security Thu May 2 4:30:21 2002
From: "Aragon Gouveia"
To: "Mario Pranjic"
Subject: Re: sslwrap and imap
Date: Thu, 2 May 2002 13:31:31 +0200
Howdy,

> > A possibly much better solution is to just use courier-imap in
> > /usr/ports/mail. Courier-imap is a more robust, more secure, more
> > featureful imap daemon, and it speaks ssl natively - no need to use
> > sslwrap. The only barrier to using courier-imap is that the mailspools
> > must be maildirs instead of traditional mboxes.
>
> Yes, the maildir concept doesn't suit me, so I gave up on Courier-imap.
> Too bad, because I think it's a great imapd.

I'm assuming you're using uw-imap. If so, I can highly recommend compiling your cclient with SSL support (and possibly any other mods like home mailboxes?) before installing uw-imap. Like this, it gets called from inetd as follows:

imaps stream tcp nowait root /usr/local/libexec/imapd imapd

And you have a nice neat uw-imaps daemon :). Calling it using just "imap" as the service name will still allow you a clear text imapd.

Haven't tried sslwrap, but I used to do the same thing with stunnel and a non-SSL'd uw-imap and found it problematic at times. This works flawlessly!

Regards,
Aragon

From owner-freebsd-security Thu May 2 7:22:46 2002
From: hawkeyd@visi.com (D J Hawkey Jr)
To: trevor@jpj.net, freebsd-security@freebsd.org
Subject: Re: Mozilla and NS6 security problem
Date: Thu, 2 May 2002 09:22:38 -0500 (CDT)

In article <20020501152156.X2876-100000_blues.jpj.net@ns.sol.net>, trevor@jpj.net writes:
> Martin Blapp wrote:
>
>> http://www.heise.de/newsticker/data/ju-30.04.02-000/
>> http://sec.greymagic.com/adv/gm001-ns/
>>
>> Our ports are vulnerable too. It seems that there is
>> no fix yet available.
>
> Thank you, Martin. I tested the linux-mozilla port yesterday and found it
> had the bug. I've just marked it forbidden (sorry about the delay).
> The
> Netscape 6 ports were already marked forbidden because of my suspicion
> that they had the zlib double free() bug (I've seen a rumor that it was
> corrected in Netscape 6.22).

What of the "native" FreeBSD Mozilla port/package, whether it be 0.9.9 or 1.0-RC?

Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Thu May 2 7:56:54 2002
From: "jack xiao"
Subject: Key length of AES(Rijndael)?
Date: Thu, 2 May 2002 10:55:22 -0400

Hi,

As I know, Rijndael's key length is defined to be either 128, 192, or 256 bits in accordance with the requirements of the AES. Is it alternative under FreeBSD? I am using Rijndael encryption in isakmpd; how can I know what the key length is and whether I can change the key length?

Thanks.
Jack

From owner-freebsd-security Thu May 2 8:23:04 2002
From: Antoine Beaupre
To: hawkeyd@visi.com
Cc: trevor@jpj.net, freebsd-security@freebsd.org
Subject: Re: Mozilla and NS6 security problem
Date: Thu, 2 May 2002 11:15:18 -0400

On Thursday, 2 May 2002, at 10:22, D J Hawkey Jr wrote:

> In article <20020501152156.X2876-100000_blues.jpj.net@ns.sol.net>,
> trevor@jpj.net writes:
>> Martin Blapp wrote:
>>
>>> http://www.heise.de/newsticker/data/ju-30.04.02-000/
>>> http://sec.greymagic.com/adv/gm001-ns/
>>>
>>> Our ports are vulnerable too. It seems that there is
>>> no fix yet available.
>>
>> Thank you, Martin. I tested the linux-mozilla port yesterday and
>> found it
>> had the bug. I've just marked it forbidden (sorry about the delay).
>> The
>> Netscape 6 ports were already marked forbidden because of my suspicion
>> that they had the zlib double free() bug (I've seen a rumor that it was
>> corrected in Netscape 6.22).
>
> What of the "native" FreeBSD Mozilla port/package, whether it be 0.9.9
> or 1.0-RC?
Well, http://sec.greymagic.com/adv/gm001-ns/ sure says it's vulnerable:

"Tested on:

Mozilla 0.9.6, Linux (Debian).
Mozilla 0.9.7, NT4.
Mozilla 0.9.8, Linux (Red Hat 7.1).
Mozilla 0.9.9, Win2000.
Mozilla 0.9.9, NT4.
Mozilla 0.9.9, Linux (Red Hat 7.2).
Mozilla 1.0 RC1, FreeBSD.
Netscape 6.1, NT4.
Netscape 6.2.1, Win2000.
Netscape 6.2.2, Win2000.
Netscape 6.2.2, NT4.
Netscape 6.2.2, Linux (Debian)."

A.

From owner-freebsd-security Thu May 2 8:34:01 2002
From: D J Hawkey Jr
To: Antoine Beaupre
Cc: trevor@jpj.net, freebsd-security@freebsd.org
Subject: Re: Mozilla and NS6 security problem
Date: Thu, 2 May 2002 10:33:51 -0500

On May 02, at 11:15 AM, Antoine Beaupre wrote:
>
> On Thursday, 2 May 2002, at 10:22, D J Hawkey Jr wrote:
>
> >> Netscape 6 ports were already marked forbidden because of my suspicion
> >> that they had the zlib double free() bug (I've seen a rumor that it was
> >> corrected in Netscape 6.22).
> >
> > What of the "native" FreeBSD Mozilla port/package, whether it be 0.9.9
> > or 1.0-RC?
>
> Well http://sec.greymagic.com/adv/gm001-ns/ sure says it's vulnerable:
>
> "Tested on:
>
> Mozilla 0.9.6, Linux (Debian).
> Mozilla 0.9.7, NT4.
> Mozilla 0.9.8, Linux (Red Hat 7.1).
> Mozilla 0.9.9, Win2000.
> Mozilla 0.9.9, NT4.
> Mozilla 0.9.9, Linux (Red Hat 7.2).
> Mozilla 1.0 RC1, FreeBSD.
> Netscape 6.1, NT4.
> Netscape 6.2.1, Win2000.
> Netscape 6.2.2, Win2000.
> Netscape 6.2.2, NT4.
> Netscape 6.2.2, Linux (Debian)."

Yeah, I saw that, too. I was rather meaning, "Has the "native" port and package been marked "forbidden", too?", as well as wondering if the FreeBSD system listed was running the Linux app, or the "native" app? I should have been more explicit in my post.

> A.

Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Thu May 2 11:39:55 2002
From: Moti
To: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Netscreen 100 lan to lan vpn connection using freebsd and racoon ?
Date: Thu, 02 May 2002 14:42:02 -0400

Hi,

has anyone tried this setup before? If so, please share.
thanks
Moti

From owner-freebsd-security Thu May 2 19:14:13 2002
From: "brian14@angelfire.com"
To: freebsd-security@freebsd.org
Subject: Congratulations you can now get DSL (broadband) and Satellite TV in your area.
Date: Thu, 02 May 2002 22:13:32

Congratulations you can now get DSL (broadband) and Satellite TV in your area. Get fantastic deals on these two items at http://www.angelfire.com/biz/brian14. This is a one time offer. You will only get this email once!
From owner-freebsd-security Sat May 4 12:54:43 2002
From: "Michael Sharp"
Subject: Jail() in 4.6-pre*
Date: Sat, 4 May 2002 14:31:00 -0400

I used jail in 4.5-STABLE (following man jail), but today I went ahead and cvsup'ed to 4.6-pre*, made world, etc... no errors... followed man jail... no errors until:

cd /path/to/jail/dev; sh MAKEDEV jail

gave me: MAKEDEV unknown file or directory.

MAKEDEV isn't even on the system.

Is Jail not working in 4.6* yet, or has something changed with MAKEDEV?

Michael

From owner-freebsd-security Sat May 4 12:59:23 2002
From: Kris Kennaway
To: Michael Sharp
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Jail() in 4.6-pre*
Date: Sat, 4 May 2002 12:59:17 -0700

On Sat, May 04, 2002 at 02:31:00PM -0400, Michael Sharp wrote:
> I used jail in 4.5-STABLE (following man jail), but today I went ahead and cvsup'ed to 4.6-pre*, made world, etc... no errors... followed man jail... no errors until:
>
> cd /path/to/jail/dev; sh MAKEDEV jail gave me: MAKEDEV unknown file or directory.
>
> MAKEDEV isn't even on the system.

That's your fault, then.
Kris

From owner-freebsd-security Sat May 4 13:02:28 2002
From: zhuravlev alexander
To: freebsd-security@FreeBSD.ORG
Subject: Re: Jail() in 4.6-pre*
Date: Sun, 5 May 2002 00:02:21 +0400

On Sat, May 04, 2002 at 02:31:00PM -0400, Michael Sharp wrote:
> I used jail in 4.5-STABLE (following man jail), but today I went ahead and cvsup'ed to 4.6-pre*, made world, etc... no errors... followed man jail... no errors until:

have you run mergemaster ?

> cd /path/to/jail/dev; sh MAKEDEV jail gave me: MAKEDEV unknown file or directory.
>
> MAKEDEV isn't even on the system.
>
> Is Jail not working in 4.6* yet, or has something changed with MAKEDEV?
> Michael

--
zhuravlev alexander
u l s t u n o c

From owner-freebsd-security Sat May 4 16:00:36 2002
From: Chris Faulhaber
To: Michael Sharp
Cc: freebsd-security@FreeBSD.org, asmodai@FreeBSD.org
Subject: Re: Jail() in 4.6-pre*
Date: Sat, 4 May 2002 19:00:24 -0400

On Sat, May 04, 2002 at 02:31:00PM -0400, Michael Sharp wrote:
> I used jail in 4.5-STABLE (following man jail), but today I went
> ahead and cvsup'ed to 4.6-pre*, made world, etc... no errors...
> followed man jail... no errors until:
>
> cd /path/to/jail/dev; sh MAKEDEV jail gave me:
> MAKEDEV unknown file or directory.
>
> MAKEDEV isn't even on the system.
>
> Is Jail not working in 4.6* yet, or has something changed with MAKEDEV?
>

This appears to be related to changes made in etc/Makefile revs. 1.219.2.27/1.247, where NO_MAKEDEV does not install MAKEDEV anymore instead of only not running 'sh MAKEDEV all'. It appears we need to MFC src/usr.sbin/jail/jail.8 rev. 1.24 to reflect this.

For the present time, use:

# make distribution DESTDIR=$D -DNO_MAKEDEV_RUN

to get ${jaildir}/dev/MAKEDEV installed (or install it manually), then rerun:

# cd $D/dev
# sh MAKEDEV jail

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Sat May 4 16:46:44 2002
From: "Michael Sharp"
Subject: RE: jail()
Date: Sat, 4 May 2002 19:23:43 -0400
Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0028_01C1F3A1.34128E00 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Thx to all the responces regarding jail(). The problem is resolved. Oh btw, could someone send Kris Kennaway a life. :) Get a better = attitude, damn ------=_NextPart_000_0028_01C1F3A1.34128E00 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
From owner-freebsd-security Sat May 4 20:36:54 2002
From: "William J. Borskey"
To: security@freebsd.org
Subject: ipfw
Date: Sat, 04 May 2002 20:36:52 -0700

Is it possible to write rules for ipfw using ethernet addresses instead of
ip addresses?

ipfw -q -f flush
ipfw -q add 00100 allow ip from any to any via lo0
ipfw -q add 00220 deny log ip to me 22 from any in
ipfw -q add 00100 allow ip from any to any
ipfw -q add 00225 deny log tcp from any to any in tcpflags syn,fin
ipfw -q add 00230 check-state
ipfw -q add 00235 deny tcp from any to any in established
ipfw -q add 00240 allow ip from any to any out keep-state
ipfw -q add 00250 deny tcp from any to any 6000
ipfw -q add 00900 deny log ip from any to any

And is this ok to block everything except ssh?
From owner-freebsd-security Sat May 4 20:59:43 2002
From: "Peter C. Lai"
To: "William J. Borskey"
Cc: security@freebsd.org
Subject: Re: ipfw
Date: Sat, 4 May 2002 23:59:33 -0400
Message-ID: <20020504235933.A1382@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu

On Sat, May 04, 2002 at 08:36:52PM -0700, William J. Borskey wrote:
>
> is it possible to write rules for ipfw using ethernet addresses instead of
> ip addresses?

I don't think so (although I might be wrong). I think people use static
arp to prevent arp poisoning so IP <-> MAC translations stay the same.

> ipfw -q -f flush
> ipfw -q add 00100 allow ip from any to any via lo0
> ipfw -q add 00220 deny log ip to me 22 from any in
> ipfw -q add 00100 allow ip from any to any
> ipfw -q add 00225 deny log tcp from any to any in tcpflags syn,fin
> ipfw -q add 00230 check-state
> ipfw -q add 00235 deny tcp from any to any in established
> ipfw -q add 00240 allow ip from any to any out keep-state
> ipfw -q add 00250 deny tcp from any to any 6000
> ipfw -q add 00900 deny log ip from any to any
>
> and is this ok to block everything except ssh?
>

Uh, check your rule numbering. You have 2 rule 100s. 220 will *block*
port 22 on your machine, and the 2nd rule 100 allows everything, so this
effectively will *allow* everything *except* ssh.

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security Sat May 4 22:58: 8 2002
From: Eugene Grosbein
To: "William J. Borskey"
Cc: security@FreeBSD.ORG
Subject: Re: ipfw
Date: Sun, 5 May 2002 13:56:55 +0800
Message-ID: <20020505135655.A320@grosbein.pp.ru>

On Sat, May 04, 2002 at 08:36:52PM -0700, William J. Borskey wrote:
> is it possible to write rules for ipfw using ethernet addresses instead of
> ip addresses?

You can have a frozen ARP table and use ip addresses for ipfw to achieve
the same effect. Check this out:

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/36373

We use sort of that in production.

Eugene Grosbein
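Peter Lai's point about rule numbering in the ipfw thread above, worked through in code. This is an added example, not code from the thread or from FreeBSD's ipfw: a small simulator that parses the posted rule lines, orders them by rule number the way ipfw does (equal numbers keep the order they were added), and reports which rule decided. Run over the posted set, the second rule 100 matches every packet before anything numbered higher is reached, so rules 220 onward never decide anything and every inbound packet, ssh included, is allowed by rule 100; a constructed renumbering (one rule 100 for loopback, an explicit allow for inbound port 22, outbound allowed, default deny) gives the "block everything except ssh" policy the question asked for. The 10.0.0.1 and 192.0.2.10 addresses, the em0 interface and the TCP flags are constructed test values, check-state/keep-state are not modelled, and the parser accepts rule 220's to-before-from word order without checking it against ipfw's grammar.

```python
"""Rule-order simulator for the subset of ipfw(8) syntax used in the thread.

Added example, not code from the thread or from FreeBSD.  Rules fire in
ascending rule-number order (ties in the order added), the first match decides,
and unmatched packets hit the default deny.  Dynamic state is not modelled.
"""
from dataclasses import dataclass
LOCAL_ADDRS = {"10.0.0.1"}  # constructed stand-in for ipfw's "me"


@dataclass
class Packet:
    proto: str                      # "tcp", "udp", ...
    src: str
    dst: str
    dport: int
    direction: str                  # "in" or "out"
    iface: str = "em0"              # constructed interface name
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"syn"}


def parse_rule(line):
    """Parse one 'ipfw -q add ...' line into a dict; other lines give None."""
    toks = line.split()
    if toks[:3] != ["ipfw", "-q", "add"]:
        return None
    rule = {"number": int(toks[3]), "action": toks[4], "text": line.strip(),
            "proto": None, "src": "any", "dst": "any", "dport": None, "direction": None,
            "iface": None, "tcpflags": frozenset(), "established": False}
    body = toks[5:]
    if body and body[0] == "log":            # logging does not affect matching
        body = body[1:]
    if body and body[0] in ("ip", "tcp", "udp"):
        rule["proto"], body = body[0], body[1:]
    i = 0
    while i < len(body):
        t = body[i]
        if t in ("from", "to", "via"):       # keywords that take one argument
            rule[{"from": "src", "to": "dst", "via": "iface"}[t]], i = body[i + 1], i + 2
            if t == "to" and i < len(body) and body[i].isdigit():  # "to me 22"
                rule["dport"], i = int(body[i]), i + 1
        elif t in ("in", "out"):
            rule["direction"], i = t, i + 1
        elif t == "tcpflags":
            rule["tcpflags"], i = frozenset(body[i + 1].split(",")), i + 2
        elif t == "established":
            rule["established"], i = True, i + 1
        else:                                # keep-state and anything else: ignored
            i += 1
    return rule


def _addr_match(pattern, addr):
    return pattern == "any" or (addr in LOCAL_ADDRS if pattern == "me" else pattern == addr)


def matches(rule, pkt):
    if rule["action"] == "check-state":     # no dynamic state in this model
        return False
    return (rule["proto"] in (None, "ip", pkt.proto)
            and _addr_match(rule["src"], pkt.src) and _addr_match(rule["dst"], pkt.dst)
            and all(rule[k] in (None, v) for k, v in
                    (("dport", pkt.dport), ("direction", pkt.direction), ("iface", pkt.iface)))
            and rule["tcpflags"] <= pkt.flags
            and (not rule["established"] or bool(pkt.flags & {"ack", "rst"})))


def evaluate(ruleset, pkt):
    """Return (verdict, text of the deciding rule) for one packet."""
    rules = [r for r in map(parse_rule, ruleset.splitlines()) if r]
    rules.sort(key=lambda r: r["number"])   # stable: equal numbers keep add order
    for r in rules:
        if matches(r, pkt):
            return ("allow" if r["action"] == "allow" else "deny", r["text"])
    return ("deny", "default deny (rule 65535)")


POSTED = """\
ipfw -q -f flush
ipfw -q add 00100 allow ip from any to any via lo0
ipfw -q add 00220 deny log ip to me 22 from any in
ipfw -q add 00100 allow ip from any to any
ipfw -q add 00225 deny log tcp from any to any in tcpflags syn,fin
ipfw -q add 00230 check-state
ipfw -q add 00235 deny tcp from any to any in established
ipfw -q add 00240 allow ip from any to any out keep-state
ipfw -q add 00250 deny tcp from any to any 6000
ipfw -q add 00900 deny log ip from any to any
"""
# Constructed renumbering: a single rule 100, and inbound ssh allowed explicitly.
RENUMBERED = """\
ipfw -q add 00100 allow ip from any to any via lo0
ipfw -q add 00200 allow tcp from any to me 22 in
ipfw -q add 00240 allow ip from any to any out keep-state
ipfw -q add 00900 deny log ip from any to any
"""
# Constructed inbound connection attempts (SYN only) from a remote host.
SSH_IN = Packet("tcp", "192.0.2.10", "10.0.0.1", 22, "in", flags=frozenset({"syn"}))
HTTP_IN = Packet("tcp", "192.0.2.10", "10.0.0.1", 80, "in", flags=frozenset({"syn"}))
```

`evaluate(POSTED, HTTP_IN)` and `evaluate(POSTED, SSH_IN)` both come back as allowed by the second rule 100, while `evaluate(RENUMBERED, HTTP_IN)` is denied by rule 900 and `evaluate(RENUMBERED, SSH_IN)` is allowed by rule 200. On a real host the equivalent check is `ipfw list` after loading the rules: it prints the set in the numbered order the kernel will actually walk, which is where a duplicate number like the two 100s shows up immediately.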