From owner-freebsd-security Mon Oct 21 18:19:57 2002
Date: Mon, 21 Oct 2002 21:21:08 -0400
To: security@freebsd.org
From: Mike Tancsa
Subject: Fwd: [Full-Disclosure] NetBSD Security Advisory 2002-016: Insufficient length check in ESP authentication data

It would appear the CERT url below mentions FreeBSD as well being vulnerable.

         ---Mike

>To: full-disclosure@lists.netsys.com
>From: NetBSD Security Officer
>Organisation: The NetBSD Foundation, Inc.
>Reply-To: NetBSD Security Officer
>Subject: [Full-Disclosure] NetBSD Security Advisory 2002-016: Insufficient
>length check in ESP authentication data
>Date: Tue, 22 Oct 2002 09:39:32 +0900
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>                 NetBSD Security Advisory 2002-016
>                 =================================
>
>Topic:          Insufficient length check in ESP authentication data
>
>Version:        NetBSD-current: source prior to August 23, 2002
>                NetBSD-1.6 beta: source prior to August 23, 2002
>                NetBSD-1.5.3:   affected
>                NetBSD-1.5.2:   affected
>                NetBSD-1.5.1:   affected
>                NetBSD-1.5:     affected
>                NetBSD-1.4.*:   not affected (no IPsec shipped with it)
>
>Severity:       remote denial of service (kernel panic by malicious packet)
>
>Fixed:          NetBSD-current:    August 23, 2002
>                NetBSD-1.6 branch: August 23, 2002 (1.6 includes the fix)
>                NetBSD-1.5 branch: September 5, 2002
>
>Abstract
>========
>
>The KAME-based IPsec implementation included in NetBSD was missing
>some packet length checks, and could be tricked into passing negative
>value as buffer length.  By transmitting a specially-formed (very
>short) ESP packet, a malicious sender can cause a kernel panic
>on the victim node.
>
>For the attack to be effective the attacker has to have knowledge of
>the ESP settings being used by the victim node (wiretapping traffic
>would achieve this).  Also victim node has to be configured with
>certain ESP security-association (SA).
>
>The publication of this advisory is delayed to coordinate with third parties.
>
>
>Technical Details
>=================
>
>http://www.kb.cert.org/vuls/id/459371
>
>Your system is not vulnerable if:
> - you do not enable IPsec ESP in the kernel (options IPSEC_ESP), or
> - you do not have IPsec ESP SA with ESP authentication data setting
>   active on your system.  However, if you have IPSEC_ESP enabled, we
>   suggest upgrading your kernel to bring in the fix, even if you are
>   not presently using IPSec.
>
>
>Solutions and Workarounds
>=========================
>
>The recent NetBSD 1.6 release is not vulnerable to this issue. A full
>upgrade to NetBSD 1.6 is the recommended resolution for all users able
>to do so. Many security-related improvements have been made, and
>indeed this release has been delayed several times in order to include
>fixes for a number of recent issues.
>
>If you are using ESP with authentication, you must upgrade to avoid
>the vulnerability, as described below for your version of NetBSD:
>
>* NetBSD-current:
>
>        Systems running NetBSD-current dated from before 2002-08-23
>        should be upgraded to NetBSD-current dated 2002-08-23 or later.
>
>        The kernel code needs to be updated from the netbsd-1-6 CVS branch.
>
>        To update from CVS:
>                # cd src
>                # cvs update -d -P sys
>
>        See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>        on how you rebuild the kernel.
>
>
>* NetBSD 1.6 betas:
>
>        Systems running NetBSD 1.6 BETAs and Release Candidates should
>        be upgraded to the NetBSD 1.6 release.
>
>        If a source-based point upgrade is required, sources from the
>        NetBSD 1.6 branch dated 2002-08-23 or later should be used.
>
>        The kernel code needs to be updated from the netbsd-1-6 CVS branch.
>
>        To update from CVS:
>                # cd src
>                # cvs update -d -P -r netbsd-1-6 sys
>
>        See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>        for instructions on how you rebuild the kernel.
>
>
>* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
>
>        Systems running NetBSD 1.5 branch dated from before 2002-09-05
>        should be upgraded to NetBSD 1.5 tree dated 2002-09-05 or later.
>
>        The kernel code needs to be updated from the netbsd-1-5 CVS branch.
>
>        To update from CVS:
>                # cd src
>                # cvs update -d -P -r netbsd-1-5 sys
>
>        See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>        for instructions on how you rebuild the kernel.
>
>
>Thanks To
>=========
>
>Todd Sabin and BindView for analysis and report.
>
>The NetBSD Release Engineering teams, for great patience and
>assistance in dealing with repeated security issues discovered
>recently.
>
>
>Revision History
>================
>
>        2002-10-22      Initial release
>
>
>More Information
>================
>
>An up-to-date PGP signed copy of this release will be maintained at
>
>ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-016.txt.asc
>
>Information about NetBSD and NetBSD security can be found at
>http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
>
>
>Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.
>
>$NetBSD: NetBSD-SA2002-016.txt,v 1.16 2002/10/22 00:27:56 itojun Exp $
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.3ia
>Charset: noconv
>
>iQCVAwUBPbSbdD5Ru2/4N2IFAQGFwAQAlHyFjYgN3FMHu+V9SGRZVgVpUWgVYDHJ
>UWBKb/wNECmFHQ+pXNFmXfnV7Ly7OZCsiUiKVRHgkWqNH9r75WyAwmK7nEoPXAn8
>w1fe7dVqpiuKL/uyDe3T/oWKGIbbGk7iU624TeJrB99aj6el2rB/jOdzu4LVIgRm
>5rQdRYKniWM=
>=cNIB
>-----END PGP SIGNATURE-----
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html

--------------------------------------------------------------------
Mike Tancsa,                          tel +1 519 651 3400
Sentex Communications,                mike@sentex.net
Providing Internet since 1994         www.sentex.net
Cambridge, Ontario Canada             www.sentex.net/mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Oct 22 9:14:53 2002
Date: Tue, 22 Oct 2002 12:14:46 -0400
From: Larry Sica
Subject: Re: [Full-Disclosure] NetBSD Security Advisory 2002-016: Insufficient length check in ESP authentication data
To: Mike Tancsa
Cc: security@freebsd.org

On Monday, October 21, 2002, at 09:21 PM, Mike Tancsa wrote:

>>
>> http://www.kb.cert.org/vuls/id/459371

Read this, if you click on FreeBSD the url it goes to states it has
been addressed in 4.7.

http://www.kb.cert.org/vuls/id/AAMN-5DGQDT

--Larry

From owner-freebsd-security Tue Oct 22 9:16:15 2002
Date: Tue, 22 Oct 2002 12:17:09 -0400
To: stable@freebsd.org
From: Mike Tancsa
Subject: FreeBSD IPSEC security vulnerability
Cc: security@freebsd.org

I posted this to security last night with no response.  Does anyone know on
the stable list if this indeed has been fixed on or around the 15th on
FreeBSD?
http://www.kb.cert.org/vuls/id/459371

         ---Mike
--------------------------------------------------------------------
Mike Tancsa,                          tel +1 519 651 3400
Sentex Communications,                mike@sentex.net
Providing Internet since 1994         www.sentex.net
Cambridge, Ontario Canada             www.sentex.net/mike

From owner-freebsd-security Tue Oct 22 9:18:59 2002
Date: Tue, 22 Oct 2002 12:18:53 -0400
From: Larry Sica
Subject: Re: SSH keeps dying while box seems to be up/PC Weasel?
To: twig les
Cc: freebsd-security@FreeBSD.ORG

On Thursday, October 17, 2002, at 06:50 PM, twig les wrote:

> Hey all, strange problem here that is probably just
> bad ram but maybe someone here might see something I
> missed.
> I have 2 identical boxes running 4.6 release
> (patched & stripped down) in another state, so I can't
> sit on the console and watch stuff.  One box is fine,
> the other is hell in beige.  The box keeps becoming
> unresponsive; the first crash was Saturday morning
> (note to self - turn off cell phone on Friday) and
> then again on Sunday and today twice.  Each time I
> have to call remote hands and get them to hard reboot
> the thing.
>

Does it panic?  Lock at console?  What is the console spewing at the
time of death?  This is some limited information, how is swap?  How much
RAM is in the box?  Anything in the log files?

> This box was running happily for about 2-3 months with
> this config - nothing changed last week.  Previously
> this box ran 4.4 release for almost a year without a
> single crash.
>
> So anyway the debug output from my ssh attempt is
> below.  On a related issue, can anyone recommend the
> PC Weasel for console access from experience?  I can't
> exactly point my management to their site since it's
> completely unprofessional (I actually like it, I just
> can't send management there) so any experience is
> welcome.
>

I've never used one.

> ===========================================
> ssh debug
> ===========================================
> Client% ssh -v -v -v Server
> debug:
> SshAppCommon/sshappcommon.c:133/ssh_app_get_global_regex_context:
> Allocating global SshRegex context.
> debug: SshConfig/sshconfig.c:2232/ssh2_parse_config:
> Unable to open /opt/home/ktokash/.ssh2/ssh2_config
> debug: Connecting to mas01, port 22... (SOCKS not
> used)
> debug: Ssh2/ssh2.c:1977/main: Entering event loop.
> debug: Ssh2Client/sshclient.c:1403/ssh_client_wrap:
> Creating transport protocol.
> debug:
> SshAuthMethodClient/sshauthmethodc.c:85/
> ssh_client_authentication_initialize:
> Added "hostbased" to usable methods.
> debug:
> SshAuthMethodClient/sshauthmethodc.c:85/
> ssh_client_authentication_initialize:
> Added "securid-1@ssh.com" to usable methods.
> debug:
> SshAuthMethodClient/sshauthmethodc.c:85/
> ssh_client_authentication_initialize:
> Added "publickey" to usable methods.
> debug:
> SshAuthMethodClient/sshauthmethodc.c:85/
> ssh_client_authentication_initialize:
> Added "password" to usable methods.
> debug: Ssh2Client/sshclient.c:1444/ssh_client_wrap:
> Creating userauth protocol.
> debug: client supports 4 auth methods:
> 'hostbased,securid-1@ssh.com,publickey,password'
> debug: Ssh2Common/sshcommon.c:560/ssh_common_wrap:
> local ip = 10.30.150.162, local port = 53843
> debug: Ssh2Common/sshcommon.c:562/ssh_common_wrap:
> remote ip = 10.20.0.124, remote port = 22
> debug: SshConnection/sshconn.c:1930/ssh_conn_wrap:
> Wrapping...
> debug: Remote version: SSH-1.99-OpenSSH_2.9 FreeBSD
> localisations 20020307
> debug:
> Ssh2Transport/trcommon.c:1306/ssh_tr_input_version:
> Remote version has rekey incompatibility bug.
> debug:
> Ssh2Transport/trcommon.c:1309/ssh_tr_input_version:
> Remote version is OpenSSH, KEX guesses disabled.
> debug: Ssh2Transport/trcommon.c:1648/ssh_tr_negotiate:
> lang s to c: `', lang c to s: `'
> debug: Ssh2Transport/trcommon.c:1714/ssh_tr_negotiate:
> c_to_s: cipher aes128-cbc, mac hmac-sha1, compression
> none
> debug: Ssh2Transport/trcommon.c:1717/ssh_tr_negotiate:
> s_to_c: cipher aes128-cbc, mac hmac-sha1, compression
> none
> debug: Remote host key found from database.
> debug: Ssh2Common/sshcommon.c:318/ssh_common_special:
> Received SSH_CROSS_STARTUP packet from connection
> protocol.
> debug: Ssh2Common/sshcommon.c:368/ssh_common_special:
> Received SSH_CROSS_ALGORITHMS packet from connection
> protocol.
> debug: server offers auth methods
> 'publickey,password,keyboard-interactive'.
> debug: SshConfig/sshconfig.c:2232/ssh2_parse_config:
> Unable to open /opt/home/ktokash/.ssh2/identification
> debug:
> Ssh2AuthClient/sshauthc.c:316/ssh_authc_completion_proc:
> Method 'publickey' disabled.

Do you want to use keys?  Do you normally?
> debug: server offers auth methods
> 'publickey,password,keyboard-interactive'.
> debug:
> Ssh2AuthPasswdClient/authc-passwd.c:95/ssh_client_auth_passwd:
> Starting password query...
> ktokash's password:

What does it respond when you try and use your password?  IIRC there
should be multiple tries allowed (3 total).  It looks like it accepts the
password or attempts to.

> debug: Ssh2Common/sshcommon.c:286/ssh_common_special:
> Received SSH_CROSS_AUTHENTICATED packet from
> connection protocol.
> debug:
> Ssh2Common/sshcommon.c:829/ssh_common_new_channel:
> num_channels now 1
> debug:
> Ssh2Common/sshcommon.c:155/ssh_common_disconnect:
> DISCONNECT received: Connection closed

--Larry

From owner-freebsd-security Tue Oct 22 10: 3:47 2002
Date: Tue, 22 Oct 2002 13:03:55 -0400
To: Larry Sica
From: Mike Tancsa
Subject: Re: [Full-Disclosure] NetBSD Security Advisory 2002-016: Insufficient length check in ESP authentication data
Cc: security@freebsd.org

Thanks!  I didn't look at the secondary hyperlink :-(

         ---Mike

At 12:14 PM 22/10/2002 -0400, Larry Sica wrote:

>On Monday, October 21, 2002, at 09:21  PM, Mike Tancsa wrote:
>
>>>
>>>http://www.kb.cert.org/vuls/id/459371
>
>Read this, if you click on FreeBSD the url it goes to states it has been
>addressed in 4.7.
>
>http://www.kb.cert.org/vuls/id/AAMN-5DGQDT
>
>--Larry

From owner-freebsd-security Tue Oct 22 11:58:54 2002
Date: Tue, 22 Oct 2002 20:58:51 +0200 (CEST)
From: Claus Guttesen
Subject: Re: FreeBSD IPSEC security vulnerability
To: Mike Tancsa
Cc: security@freebsd.org

Hi.

> response.  Does anyone know on
> the stable list if this indeed has been fixed on or
> around the 15th on

It seems like this was addressed with the release of
FreeBSD 4.7. Read more at
http://www.kb.cert.org/vuls/id/AAMN-5DGQDT.

Regards
Claus

From owner-freebsd-security Tue Oct 22 13: 3: 3 2002
Date: Tue, 22 Oct 2002 13:02:57 -0700
From: Michael Sierchio
To: Claus Guttesen
Cc: Mike Tancsa , security@freebsd.org
Subject: Re: FreeBSD IPSEC security vulnerability

Claus Guttesen wrote:

> It seems like this was addressed with the release of
> FreeBSD 4.7. Read more at
> http://www.kb.cert.org/vuls/id/AAMN-5DGQDT.

Needs to be merged to RELENG_4_6 ASAP

From owner-freebsd-security Wed Oct 23 12: 1:57 2002
From: h410g3n
Reply-To: h410g3n@h410g3n.com
Organization: h410g3n-dot-communists
To: FreeBSD-security@FreeBSD.org
Subject: unsubscribe
Date: Wed, 23 Oct 2002 13:00:26 -0600

unsubscribe

From owner-freebsd-security Fri Oct 25 10:26:36 2002
From: "Kevin D. Kinsey, DaleCo, S.P."
Subject: New (to me) apache error...
Date: Fri, 25 Oct 2002 12:25:22 -0500

Hi, Gentlemen,

This appeared in my apache error log today.  Any thoughts?
Malevolent code entered by a website user, perhaps?

[Fri Oct 25 08:32:16 2002] [error] [client 24.112.227.167] request
failed:
erroneous characters after protocol string:
CONNECT mx1.mail.yahoo.com:25 / HTTP/1.0

Kevin Kinsey

From owner-freebsd-security Fri Oct 25 10:32:57 2002
Date: Fri, 25 Oct 2002 11:24:22 -0600 (MDT)
From: Dave Ahmad
To: "Kevin D. Kinsey, DaleCo, S.P."
Cc: security@FreeBSD.ORG
Subject: Re: New (to me) apache error...

Kevin,

24.112.227.167 is attempting to proxy a connection to
mx1.mail.yahoo.com:25 through your HTTP server.

See:
http://online.securityfocus.com/bid/4131

David Mirza Ahmad
Symantec

0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12

On Fri, 25 Oct 2002, Kevin D. Kinsey, DaleCo, S.P. wrote:

> Hi, Gentlemen,
>
> This appeared in my apache error log today.  Any thoughts?
> Malevolent code entered by a website user, perhaps?
>
> [Fri Oct 25 08:32:16 2002] [error] [client 24.112.227.167] request
> failed:
> erroneous characters after protocol string:
> CONNECT mx1.mail.yahoo.com:25 / HTTP/1.0
>
> Kevin Kinsey
>

From owner-freebsd-security Fri Oct 25 12: 8:42 2002
Date: Fri,
 25 Oct 2002 21:09:56 +0200
From: Aurélien Nephtali
To: "Kevin D. Kinsey, DaleCo, S.P."
Cc: security@FreeBSD.ORG
Subject: Re: New (to me) apache error...

On Fri, Oct 25, 2002 at 12:25:22PM -0500, Kevin D. Kinsey, DaleCo, S.P. wrote:
> Hi, Gentlemen,
>
> This appeared in my apache error log today.  Any thoughts?
> Malevolent code entered by a website user, perhaps?
>
> [Fri Oct 25 08:32:16 2002] [error] [client 24.112.227.167] request
> failed:
> erroneous characters after protocol string:
> CONNECT mx1.mail.yahoo.com:25 / HTTP/1.0
>
> Kevin Kinsey
>

It looks like a fucking^H^H^H^H^H^H^H^H guy is trying to send spam through your
HTTP server (by doing relay).
You have the IP, send a mail at abuse@ of the domain to complain about this.
We'll defeat spammerz :)

-- 
Aurélien

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (FreeBSD)

iD8DBQE9uZcEDNsbHbt8ok8RAqtKAJ96Qm9qP1AdJluR4OqVjvOt9LjX9ACglkxn
7UbqF/webPNwv6ZKLzZzDr4=
=ttXi
-----END PGP SIGNATURE-----
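
The error-log entry Kevin posted, and Dave Ahmad's reading of it (a client trying to proxy a connection to mx1.mail.yahoo.com:25 through the HTTP server), can be turned into a log check. The following is an added example, not part of the original thread: the function names, the port table and every sample line except the first are constructed for illustration, and the layout assumed is the error_log format shown in Kevin's message.

```python
import re
from collections import defaultdict

# Destination ports that indicate mail relaying when they appear in a
# CONNECT target (assumption of this example: 25, 465 and 587).
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}

# error_log layout as in the posted entry:
#   [timestamp] [level] [client address] message
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
# A CONNECT request line embedded in the message text: CONNECT host:port
CONNECT_REQ = re.compile(
    r"\bCONNECT\s+(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})\b"
)

# First line is the entry from the thread (unwrapped); the rest are constructed.
SAMPLE_LOG = [
    "[Fri Oct 25 08:32:16 2002] [error] [client 24.112.227.167] request failed: "
    "erroneous characters after protocol string: "
    "CONNECT mx1.mail.yahoo.com:25 / HTTP/1.0",
    "[Fri Oct 25 08:32:19 2002] [error] [client 192.0.2.10] "
    "File does not exist: /usr/local/www/data/favicon.ico",
    "[Fri Oct 25 08:33:02 2002] [error] [client 192.0.2.44] request failed: "
    "erroneous characters after protocol string: "
    "CONNECT mail.example.net:25 / HTTP/1.0",
    "[Fri Oct 25 08:33:05 2002] [error] [client 192.0.2.44] request failed: "
    "erroneous characters after protocol string: "
    "CONNECT irc.example.org:6667 / HTTP/1.0",
    "[Fri Oct 25 08:33:40 2002] [error] [client 198.51.100.7] request failed: "
    "erroneous characters after protocol string: "
    "CONNECT www.example.com:443 / HTTP/1.0",
    "[Fri Oct 25 08:34:00 2002] [notice] caught SIGTERM, shutting down",
]


def parse_connect_attempt(line):
    """Return a dict describing a CONNECT attempt, or None for other lines."""
    entry = ERROR_LINE.match(line.strip())
    if entry is None:
        return None  # not a per-client error line (e.g. server notices)
    req = CONNECT_REQ.search(entry.group("msg"))
    if req is None:
        return None  # an error from a client, but not a proxy attempt
    port = int(req.group("port"))
    if not 0 < port <= 65535:
        return None  # malformed target, ignore rather than misreport
    return {
        "timestamp": entry.group("ts"),
        "client": entry.group("client"),
        "host": req.group("host").lower(),
        "port": port,
        "service": MAIL_PORTS.get(port),  # None when not a mail port
    }


def relay_report(lines):
    """Group CONNECT targets by client and flag clients that aimed at a mail port."""
    report = defaultdict(lambda: {"targets": [], "mail_relay": False})
    for line in lines:
        hit = parse_connect_attempt(line)
        if hit is None:
            continue
        rec = report[hit["client"]]
        rec["targets"].append((hit["host"], hit["port"]))
        rec["mail_relay"] = rec["mail_relay"] or hit["service"] is not None
    return dict(report)


if __name__ == "__main__":
    for client, rec in sorted(relay_report(SAMPLE_LOG).items()):
        flag = "MAIL RELAY ATTEMPT" if rec["mail_relay"] else "proxy attempt"
        targets = ", ".join(f"{h}:{p}" for h, p in rec["targets"])
        print(f"{client}: {flag}: {targets}")
```

Clients flagged with a mail-port target are the ones worth reporting to the abuse@ contact for their network, as suggested in the thread.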