From owner-freebsd-security Sun Feb 23 10:18:50 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE76537B405 for ; Sun, 23 Feb 2003 10:18:48 -0800 (PST)
Received: from fep3.cogeco.net (smtp.cogeco.net [216.221.81.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6264343FA3 for ; Sun, 23 Feb 2003 10:18:47 -0800 (PST) (envelope-from dlavigne6@cogeco.ca)
Received: from dhcp-17-14.kico2.on.cogeco.ca (d226-42-146.home.cgocable.net [24.226.42.146]) by fep3.cogeco.net (Postfix) with ESMTP id 626B02B1F for ; Sun, 23 Feb 2003 13:18:45 -0500 (EST)
Date: Sun, 23 Feb 2003 13:22:41 -0500 (EST)
From: Dru
To: security@freebsd.org
Subject: md5 checksum on ports.tar.gz
Message-ID: <20030223131402.A71353@dhcp-17-14.kico2.on.cogeco.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I admit it's been a while since I downloaded ports.tar.gz as I usually build from trusted media. I was demonstrating to a student the other day how to verify an MD5 checksum on a downloaded file and went to use ports.tar.gz as an example and was dismayed when I couldn't find the checksum. Is it just well hidden or is there a reason why this file does not have one?

I realize that this file changes often, but isn't it worth calculating a checksum on? Especially after the high profile cases we saw last year of open source ftp sites getting trojaned?

Dru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security Sun Feb 23 17:48:16 2003
Date: Sun, 23 Feb 2003 20:48:04 -0500
From: Klaus Steden
To: Dru
Cc: security@FreeBSD.ORG
Subject: Re: md5 checksum on ports.tar.gz
Message-ID: <20030223204804.T623@cthulu.compt.com>
In-Reply-To: <20030223131402.A71353@dhcp-17-14.kico2.on.cogeco.ca>

> I admit it's been a while since I downloaded ports.tar.gz as I usually build from trusted media. I was demonstrating to a student the other day how to verify an MD5 checksum on a downloaded file and went to use ports.tar.gz as an example and was dismayed when I couldn't find the checksum. Is it just well hidden or is there a reason why this file does not have one?
>
> I realize that this file changes often, but isn't it worth calculating a checksum on? Especially after the high profile cases we saw last year of open source ftp sites getting trojaned?

Isn't it the responsibility of the maintainer of an individual port to provide proper checksums of the software in question? Keeping an MD5 sum of the entire ports tree would prove rather difficult, in my opinion, since it's such a fast-moving target to track. Much easier to let that responsibility rest with those immediately concerned with individual packages.

You could use one of the packages in the ports tree in your example, though, since the build process checks the integrity of the existing sum, and will abort unless directed otherwise if there is a mismatch.

Klaus


From owner-freebsd-security Sun Feb 23 17:52:51 2003
Date: Sun, 23 Feb 2003 20:56:42 -0500 (EST)
From: Dru
To: Klaus Steden
Cc: security@FreeBSD.ORG
Subject: Re: md5 checksum on ports.tar.gz
Message-ID: <20030223205522.C71353@dhcp-17-14.kico2.on.cogeco.ca>
In-Reply-To: <20030223204804.T623@cthulu.compt.com>

On Sun, 23 Feb 2003, Klaus Steden wrote:

> > I admit it's been a while since I downloaded ports.tar.gz as I usually build from trusted media. I was demonstrating to a student the other day how to verify an MD5 checksum on a downloaded file and went to use ports.tar.gz as an example and was dismayed when I couldn't find the checksum. Is it just well hidden or is there a reason why this file does not have one?
> >
> > I realize that this file changes often, but isn't it worth calculating a checksum on? Especially after the high profile cases we saw last year of open source ftp sites getting trojaned?
>
> Isn't it the responsibility of the maintainer of an individual port to provide proper checksums of the software in question? Keeping an MD5 sum of the entire ports tree would prove rather difficult, in my opinion, since it's such a fast-moving target to track. Much easier to let that responsibility rest with those immediately concerned with individual packages.
>
> You could use one of the packages in the ports tree in your example, though, since the build process checks the integrity of the existing sum, and will abort unless directed otherwise if there is a mismatch.

Thanks.
I have done just that in the past which is why I was so surprised that ports.tar.gz did not have one as well :-)

Dru


From owner-freebsd-security Sun Feb 23 20:36:28 2003
Date: Sun, 23 Feb 2003 21:36:05 +0200
From: Giorgos Keramidas
To: Alexander Anderson
Cc: freebsd-security@FreeBSD.org
Subject: Re: FireDNS and net.inet.udp.log_in_vain
Message-ID: <20030223193605.GD3812@gothmog.gr>
In-Reply-To: <20030222171054.GA97944@dusty.upful.org>

On 2003-02-22 12:10, Alexander Anderson wrote:
> > > Connection attempt to UDP : from :53
> >
> > I believe this is caused when the dns server is slow/overloaded, the resolver queries the server but the packet arrives back after the local port is closed.
>
> Is there any way to set up a rule in IPFW to drop such packets?
>
> Or, as a workaround, is there a way to set up syslog to ignore these "connection attempts"?

IIRC, this is a connection attempt to a port that doesn't have a listener. By default, they're not logged:

    $ sysctl -a | grep vain
    net.inet.tcp.log_in_vain: 0
    net.inet.udp.log_in_vain: 0
    $

You must have enabled log_in_vain in your rc.conf, right?


From owner-freebsd-security Mon Feb 24 08:09:44 2003
Date: Mon, 24 Feb 2003 18:08:44 +0200
From: Alexandr Kovalenko
To: freebsd-security@freebsd.org
Subject: Fwd: buffer overrun in zlib 1.1.4
Message-ID: <20030224160844.GE82145@nevermind.kiev.ua>

----- Forwarded message from Richard Kettlewell -----

Date: Sat, 22 Feb 2003 00:05:47 +0000
From: Richard Kettlewell
X-Mailer: Norman
To: bugtraq@securityfocus.com
Subject: buffer overrun in zlib 1.1.4
X-Mailer: VM 7.03 under 21.4 (patch 6) "Common Lisp" XEmacs Lucid

zlib contains a function called gzprintf(). This is similar in behaviour to fprintf() except that by default, this function will smash the stack if called with arguments that expand to more than Z_PRINTF_BUFSIZE (=4096 by default) bytes.

There is an internal #define (HAS_vsnprintf) that causes it to use vsnprintf() instead of vsprintf(), but this is not enabled by default, not tested for by the configure script, and not documented. Even if it was documented, tested for, or whatever, it is unclear what platforms without vsnprintf() are supposed to do. Put up with the security hole, perhaps.

Finally, with HAS_vsnprintf defined, long strings will be silently truncated (and this isn't documented anywhere). Unexpected truncation of strings can have security implications too; I seem to recall that a popular MTA had trouble with over-long HELO strings for instance.

I contacted zlib@gzip.org, and they say they're happy for me to post about this.

ttfn/rjk

    $ cat crashzlib.c
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <zlib.h>

    int main(void) {
      gzFile f;
      int ret;

      /* open a gzip stream on /dev/null; the compressed output is irrelevant */
      if(!(f = gzopen("/dev/null", "w"))) {
        perror("/dev/null");
        exit(1);
      }
      /* "%10240s" expands to 10240 space characters, more than the
         Z_PRINTF_BUFSIZE (4096) stack buffer gzprintf() formats into with
         vsprintf(); the overrun is what puts 0x20202020 (four spaces) in
         the saved return address shown in the backtrace below */
      ret = gzprintf(f, "%10240s", "");
      printf("gzprintf -> %d\n", ret);
      ret = gzclose(f);
      printf("gzclose -> %d [%d]\n", ret, errno);
      exit(0);
    }
    $ gcc -g -o crashzlib crashzlib.c -lz
    $ ./crashzlib
    Segmentation fault (core dumped)
    $
    $ dpkg -l zlib\* | grep ^i
    ii  zlib1g      1.1.4-1    compression library - runtime
    ii  zlib1g-dev  1.1.4-1    compression library - development
    $ gdb crashzlib core
    GNU gdb 2002-04-01-cvs
    Copyright 2002 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-linux"...
    Core was generated by ` '.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /usr/lib/libz.so.1...done.
    Loaded symbols for /usr/lib/libz.so.1
    Reading symbols from /lib/libc.so.6...done.
    Loaded symbols for /lib/libc.so.6
    Reading symbols from /lib/ld-linux.so.2...done.
    Loaded symbols for /lib/ld-linux.so.2
    #0  0x400944b2 in _IO_default_xsputn () from /lib/libc.so.6
    (gdb) bt
    #0  0x400944b2 in _IO_default_xsputn () from /lib/libc.so.6
    #1  0x4008b52a in _IO_padn () from /lib/libc.so.6
    #2  0x40075128 in vfprintf () from /lib/libc.so.6
    #3  0x4008c0c3 in vsprintf () from /lib/libc.so.6
    #4  0x4001c923 in gzprintf () from /usr/lib/libz.so.1
    #5  0x20202020 in ?? ()
    Cannot access memory at address 0x20202020
    (gdb)
    $

----- End forwarded message -----

--
NEVE-RIPE, will build world for food
Ukrainian FreeBSD User Group
http://uafug.org.ua/


From owner-freebsd-security Mon Feb 24 08:27:51 2003
Date: Mon, 24 Feb 2003 10:27:47 -0600
From: "Jacques A. Vidrine"
To: Alexandr Kovalenko
Cc: freebsd-security@freebsd.org
Subject: Re: Fwd: buffer overrun in zlib 1.1.4
Message-ID: <20030224162747.GB87372@madman.celabo.org>
In-Reply-To: <20030224160844.GE82145@nevermind.kiev.ua>

On Mon, Feb 24, 2003 at 06:08:44PM +0200, Alexandr Kovalenko wrote:
> ----- Forwarded message from Richard Kettlewell -----
>
> Date: Sat, 22 Feb 2003 00:05:47 +0000
> From: Richard Kettlewell
> X-Mailer: Norman
> To: bugtraq@securityfocus.com
> Subject: buffer overrun in zlib 1.1.4
> X-Mailer: VM 7.03 under 21.4 (patch 6) "Common Lisp" XEmacs Lucid
>
> zlib contains a function called gzprintf(). This is similar in behaviour to fprintf() except that by default, this function will smash the stack if called with arguments that expand to more than Z_PRINTF_BUFSIZE (=4096 by default) bytes.

Nothing in the base system uses gzprintf, AFAIK. If applications are found that use it (and do not check Z_PRINTF_BUFSIZE), then please let us know. When an official zlib patch or new version is available, we'll import it.

Cheers,
--
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se


From owner-freebsd-security Mon Feb 24 08:48:34 2003
Date: Mon, 24 Feb 2003 11:49:28 -0500
From: Anthony Schneider
To: freebsd-security@freebsd.org
Subject: syncookies advisory
Message-ID: <20030224164928.GA93673@x-anthony.com>

FreeBSD-SA-03:03.syncookies is on bugtraq, but not on www.freebsd.org/security/index.html#adv, nor posted to this list. The patch referenced by the advisory http://www.securityfocus.com/advisories/5013 does exist on ftp.freebsd.org. Am I missing something, or is there just a delay?

Thanks.
-Anthony.
From owner-freebsd-security Mon Feb 24 09:35:02 2003
Date: Mon, 24 Feb 2003 11:34:58 -0600
From: "Jacques A. Vidrine"
To: Anthony Schneider
Cc: freebsd-security@freebsd.org
Subject: Re: syncookies advisory
Message-ID: <20030224173457.GB1513@madman.celabo.org>
In-Reply-To: <20030224164928.GA93673@x-anthony.com>

On Mon, Feb 24, 2003 at 11:49:28AM -0500, Anthony Schneider wrote:
> FreeBSD-SA-03:03.syncookies is on bugtraq, but not on www.freebsd.org/security/index.html#adv, nor posted to this list. The patch referenced by the advisory http://www.securityfocus.com/advisories/5013 does exist on ftp.freebsd.org. Am I missing something, or is there just a delay?

Just a delay.

-- www.freebsd.org: I guess the web site has not been regenerated since I added the advisories to the repository this morning.

-- mailing list: Advisories get sent out to four mailing lists simultaneously. It always surprises me how much time can lapse between when it hits one list and another.

-- ftp.freebsd.org: I put the patches on the master FTP server this weekend, so they would have been replicated by the time the advisory was mailed out.

Cheers,
--
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se


From owner-freebsd-security Mon Feb 24 12:00:43 2003
Date: 24 Feb 2003 15:00:34 -0500
From: Lowell Gilbert
To: freebsd-security@freebsd.org
Subject: Re: md5 checksum on ports.tar.gz
Message-ID: <44smud1mal.fsf@be-well.ilk.org>
In-Reply-To: <20030223205522.C71353@dhcp-17-14.kico2.on.cogeco.ca>

> > You could use one of the packages in the ports tree in your example, though, since the build process checks the integrity of the existing sum, and will abort unless directed otherwise if there is a mismatch.
>
> Thanks. I have done just that in the past which is why I was so surprised that ports.tar.gz did not have one as well :-)

But that doesn't help for security, because you'd be getting the checksum from the same place as the file it was checking. I've occasionally considered adding a checksum anyway as a check against accidental corruption, but it wouldn't change your exposure to *intentional* file changes at all.
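Lowell's point in code, as an added example that is not part of the thread or of the ports framework: a checker for the "MD5 (file) = digest" lines that a port's distinfo carries and that `make checksum` verifies, run first against a mirror that serves the archive and its checksum side by side (a swapped archive passes whenever the attacker rewrote the checksum too, which is exactly what a trojaned ftp site would do) and then against a checksum list whose own digest was obtained out of band before anything from the mirror is trusted. The archive bytes, both mirrors and the pinned digest are constructed here; on a real system the pinned value is what trusted media or a PGP-signed advisory gives you.

```python
"""Ports-style checksum verification, and why a checksum served next to the
file adds nothing against a tampered mirror.

Added example, not code from the thread or from the FreeBSD ports tree.
The distinfo text, the archive bytes, the two "mirrors" and the pinned
digest are all constructed below."""
import hashlib
import re

# distinfo line as the ports tree writes it: "MD5 (distfile) = hexdigest"
# (later trees add SHA256 and SIZE lines; SHA256 is accepted here too).
_DISTINFO_RE = re.compile(r"^(MD5|SHA256) \((\S+)\) = ([0-9a-f]+)$")


def parse_distinfo(text):
    """Return {filename: {algo: hexdigest}} from distinfo-style lines."""
    entries = {}
    for line in text.splitlines():
        m = _DISTINFO_RE.match(line.strip())
        if m:
            algo, name, digest = m.groups()
            entries.setdefault(name, {})[algo] = digest
    return entries


def verify_distfile(distinfo_text, name, data):
    """True if every digest recorded for `name` matches `data`; this is the
    check that makes the port build abort on a mismatch. A file with no
    recorded digest fails rather than being waved through."""
    recorded = parse_distinfo(distinfo_text).get(name)
    if not recorded:
        return False
    for algo, digest in recorded.items():
        if hashlib.new(algo.lower(), data).hexdigest() != digest:
            return False
    return True


def make_distinfo(name, data):
    """What any mirror operator, including a hostile one, can regenerate."""
    return "MD5 (%s) = %s\n" % (name, hashlib.md5(data).hexdigest())


def mirror_check(mirror, name):
    """Fetch the file and its checksum from the same mirror and verify.
    Catches corruption in transit, but passes a trojaned file whenever
    the attacker updated the checksum alongside it."""
    return verify_distfile(mirror[name + ".md5"], name, mirror[name])


def pinned_check(mirror, name, pinned_sha256_of_listing):
    """Same check, but the checksum list itself must match a digest the
    administrator obtained out of band (trusted media, signed advisory)
    before the distfile is trusted."""
    listing = mirror[name + ".md5"]
    if hashlib.sha256(listing.encode()).hexdigest() != pinned_sha256_of_listing:
        return False
    return verify_distfile(listing, name, mirror[name])


# Constructed stand-ins for ports.tar.gz: genuine bytes and a backdoored copy.
NAME = "ports.tar.gz"
GOOD = b"\x1f\x8b\x08\x00ports-tree-genuine"
TROJANED = b"\x1f\x8b\x08\x00ports-tree-with-backdoor"

HONEST_MIRROR = {NAME: GOOD, NAME + ".md5": make_distinfo(NAME, GOOD)}
# An attacker who owns the mirror replaces the file *and* its checksum.
EVIL_MIRROR = {NAME: TROJANED, NAME + ".md5": make_distinfo(NAME, TROJANED)}
# Assumed out-of-band value: the digest of the genuine checksum listing.
PINNED = hashlib.sha256(HONEST_MIRROR[NAME + ".md5"].encode()).hexdigest()

if __name__ == "__main__":
    print("honest mirror, same-source check:", mirror_check(HONEST_MIRROR, NAME))
    print("evil mirror,   same-source check:", mirror_check(EVIL_MIRROR, NAME))
    print("evil mirror,   pinned check:     ", pinned_check(EVIL_MIRROR, NAME, PINNED))
```

The same-source check accepts the evil mirror; only the pinned check rejects it, and the pinned value is doing all the work. That is why the ports framework's per-port distinfo is worth something: it travels with the tree you trust, not with the distfile fetched from an arbitrary MASTER_SITE.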
From owner-freebsd-security Mon Feb 24 16:02:10 2003
Date: Tue, 25 Feb 2003 09:02:09 +0900
From: Kosaku Nagasaka
To: freebsd-security@FreeBSD.ORG
Subject: openssl advisory

The advisory SA-03:02 has the following instruction:

> a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.
>
> [FreeBSD 4.7 systems]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl50.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl50.patch.asc
>
> [FreeBSD 4.6 systems]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl50.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl50.patch.asc

I think that openssl50 should be openssl47 and openssl46, respectively.

-------
Text by Kosaku Nagasaka. [E-mail: nagasaka@yamaguchi-u.ac.jp]
*****Note that I may read E-mails in the Text format only.*****


From owner-freebsd-security Mon Feb 24 17:00:40 2003
Date: Tue, 25 Feb 2003 10:00:21 +0900 (JST)
From: KIMURA Yasuhiro
To: freebsd-security@FreeBSD.ORG
Subject: Re: openssl advisory
Message-ID: <20030225.100021.27473189.yasu@utahime.org>
Organization: Utahime no Mori

>>>>> Kosaku Nagasaka wrote:
> The advisory SA-03:02 has the following instruction:
>> a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.
>>
>> [FreeBSD 4.7 systems]
>> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl50.patch
>> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl50.patch.asc
>>
>> [FreeBSD 4.6 systems]
>> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl50.patch
>> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl50.patch.asc
> I think that openssl50 should be openssl47 and openssl46, respectively.

I applied openssl47.patch to my 4.7R source tree, but some parts of the patch were rejected as follows.

    sugar# patch -s < /tmp/security-fixes/openssl47.patch
    1 out of 1 hunks failed--saving rejects to UPDATING.rej
    1 out of 1 hunks failed--saving rejects to crypto/openssl/apps/openssl.cnf.rej
    1 out of 3 hunks failed--saving rejects to crypto/openssl/apps/speed.c.rej
    Reversed (or previously applied) patch detected!  Assume -R? [y] ^C
    sugar#

Does anybody succeed?

---
KIMURA Yasuhiro
Mail: yasu@utahime.org
WWW: http://www.utahime.org/


From owner-freebsd-security Mon Feb 24 18:05:13 2003
Date: Mon, 24 Feb 2003 20:05:09 -0600
From: "Jacques A. Vidrine"
To: Kosaku Nagasaka
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: openssl advisory
Message-ID: <20030225020509.GA90128@madman.celabo.org>

On Tue, Feb 25, 2003 at 09:02:09AM +0900, Kosaku Nagasaka wrote:
> I think that openssl50 should be openssl47 and openssl46, respectively.

Heh, of course. Thanks!

Cheers,
--
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se


From owner-freebsd-security Mon Feb 24 18:21:14 2003
Date: Mon, 24 Feb 2003 20:21:10 -0600
From: "Jacques A. Vidrine"
To: KIMURA Yasuhiro
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: openssl advisory
Message-ID: <20030225022110.GA92307@madman.celabo.org>
In-Reply-To: <20030225.100021.27473189.yasu@utahime.org>

On Tue, Feb 25, 2003 at 10:00:21AM +0900, KIMURA Yasuhiro wrote:
> I applied openssl47.patch to my 4.7R source tree, but some parts of the patch were rejected as follows.
> > sugar# patch -s < /tmp/security-fixes/openssl47.patch > 1 out of 1 hunks failed--saving rejects to UPDATING.rej > 1 out of 1 hunks failed--saving rejects to crypto/openssl/apps/openssl.cnf.rej > 1 out of 3 hunks failed--saving rejects to crypto/openssl/apps/speed.c.rej > Reversed (or previously applied) patch detected! Assume -R? [y] ^Csugar# > > Does anybody suceed? I'm afraid there's something amiss with the patch set I generated with CVS :-( I will have to redo them. Meanwhile, please use CVSup. I'm sorry for the inconvenience. Cheers, -- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 24 18:22:24 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 81CF437B401 for ; Mon, 24 Feb 2003 18:22:22 -0800 (PST) Received: from dusty.upful.org (CPE000476ee7bea-CM014380008745.cpe.net.cable.rogers.com [24.157.229.207]) by mx1.FreeBSD.org (Postfix) with ESMTP id 86F1E43FD7 for ; Mon, 24 Feb 2003 18:22:17 -0800 (PST) (envelope-from alex@dusty.upful.org) Received: (from alex@localhost) by dusty.upful.org (8.11.6/8.11.6) id h1P2OHW77889 for freebsd-security@FreeBSD.ORG; Mon, 24 Feb 2003 21:24:17 -0500 (EST) (envelope-from alex) Date: Mon, 24 Feb 2003 21:23:56 -0500 From: Alexander Anderson To: freebsd-security@FreeBSD.ORG Subject: Re: FireDNS and net.inet.udp.log_in_vain Message-ID: <20030225022356.GA77462@dusty.upful.org> References: <873cmmpc16.wl@bemidji.meridian-enviro.com> <1045544795.19726.3.camel@sambo.fud.org.nz> <20030222171054.GA97944@dusty.upful.org> <20030223193605.GD3812@gothmog.gr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: 
<20030223193605.GD3812@gothmog.gr> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > > > Connection attempt to UDP : from > > > > :53 > > You must have enabled log_in_vain in your rc.conf, right? Yes, right. And I want to have it enabled because I do want to log all connection attempts to ports that have no listening socket on them. The only exception is when my ISP's name servers are slow or overloaded, and when they reply, the local port is already closed, then I don't want to log their replies in vain. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 24 18:35:26 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D40F37B401 for ; Mon, 24 Feb 2003 18:35:24 -0800 (PST) Received: from cowbert.2y.net (d46h180.public.uconn.edu [137.99.46.180]) by mx1.FreeBSD.org (Postfix) with SMTP id 0EF7E43FB1 for ; Mon, 24 Feb 2003 18:35:23 -0800 (PST) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 74439 invoked by uid 1001); 25 Feb 2003 02:35:22 -0000 Date: Mon, 24 Feb 2003 21:35:22 -0500 From: "Peter C. 
Lai" To: Alexander Anderson Cc: freebsd-security@FreeBSD.ORG Subject: Re: FireDNS and net.inet.udp.log_in_vain Message-ID: <20030225023522.GC280@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <873cmmpc16.wl@bemidji.meridian-enviro.com> <1045544795.19726.3.camel@sambo.fud.org.nz> <20030222171054.GA97944@dusty.upful.org> <20030223193605.GD3812@gothmog.gr> <20030225022356.GA77462@dusty.upful.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030225022356.GA77462@dusty.upful.org> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

One way to do this is to stop using log_in_vain, and switch to a packet filter. There, you can selectively log for connections to everything except 53. (i.e. in ipfw, have the deny from any to any rule logged, so that everything that isn't allowed would get logged, which would effectively be everything closed). The other way would be to postprocess your syslog and strip out attempted connections to port 53.

On Mon, Feb 24, 2003 at 09:23:56PM -0500, Alexander Anderson wrote:
> > > > > Connection attempt to UDP : from
> > > > > :53
> >
> > You must have enabled log_in_vain in your rc.conf, right?
>
> Yes, right.
>
> And I want to have it enabled because I do want to log all connection
> attempts to ports that have no listening socket on them. The only exception
> is when my ISP's name servers are slow or overloaded, and when they reply,
> the local port is already closed, then I don't want to log their replies in
> vain.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- Peter C. Lai University of Connecticut Dept.
of Molecular and Cell Biology Yale University School of Medicine SenseLab | Research Assistant http://cowbert.2y.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 24 19:45:11 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED0B437B405; Mon, 24 Feb 2003 19:45:06 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 75FBB43FA3; Mon, 24 Feb 2003 19:45:05 -0800 (PST) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 0D52E42; Mon, 24 Feb 2003 21:45:05 -0600 (CST) Received: by madman.celabo.org (Postfix, from userid 1001) id E66F678C3E; Mon, 24 Feb 2003 21:45:04 -0600 (CST) Date: Mon, 24 Feb 2003 21:45:04 -0600 From: "Jacques A. Vidrine" To: KIMURA Yasuhiro Cc: freebsd-security@FreeBSD.ORG Subject: Updated OpenSSL patches (was Re: openssl advisory) Message-ID: <20030225034504.GA92642@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , KIMURA Yasuhiro , freebsd-security@FreeBSD.ORG References: <20030225.100021.27473189.yasu@utahime.org> <20030225022110.GA92307@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030225022110.GA92307@madman.celabo.org> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.3i-ja.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org [If you had trouble with the OpenSSL patches that were published this morning, please read this. If you are using CVS or CVSup to follow the security branches, then this will not interest you. ] On Mon, Feb 24, 2003 at 08:21:10PM -0600, Jacques A. 
Vidrine wrote:
> On Tue, Feb 25, 2003 at 10:00:21AM +0900, KIMURA Yasuhiro wrote:
> > I applied openssl47.patch to my 4.7R source tree, but some parts of
> > the patch were rejected as follows.
> >
> > sugar# patch -s < /tmp/security-fixes/openssl47.patch
> > 1 out of 1 hunks failed--saving rejects to UPDATING.rej
> > 1 out of 1 hunks failed--saving rejects to crypto/openssl/apps/openssl.cnf.rej
> > 1 out of 3 hunks failed--saving rejects to crypto/openssl/apps/speed.c.rej
> > Reversed (or previously applied) patch detected! Assume -R? [y] ^Csugar#
> >
> > Did anybody succeed?
> I'm afraid there's something amiss with the patch set I generated with
> CVS :-(
> I will have to redo them.
> Meanwhile, please use CVSup. I'm sorry for the inconvenience.

I've put updated patches on ftp-master -- they should reach mirrors in a few hours. I've also pushed them out to ftp2.freebsd.org, so they are available there immediately. A revised advisory with corrected URLs will be published tomorrow with new patch instructions. The excerpt is here:

---- updated patch instructions ----

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.6.2, 4.7, and 5.0 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 4.7-STABLE systems after 2003/02/14 and 4.8-PRERELEASE systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl4s.patch.gz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl4s.patch.gz.asc

[FreeBSD 5.0 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl50.patch.gz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl50.patch.gz.asc

[FreeBSD 4.7 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl47.patch.gz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl47.patch.gz.asc

[FreeBSD 4.6.2 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl462.patch.gz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl462.patch.gz.asc

b) Execute the following commands as root:

# cd /usr/src
# gunzip -c /path/to/patch | patch -E

c) Recompile the operating system as described in .

---- end updated patch instructions ----

Please let me know of any trouble you encounter. Sorry for the goof. These were quite large and unwieldy patch sets.

Cheers,
-- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 25 2: 6:48 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 166B237B401 for ; Tue, 25 Feb 2003 02:06:46 -0800 (PST) Received: from geminix.org (gen129.n001.c02.escapebox.net [213.73.91.129]) by mx1.FreeBSD.org (Postfix) with ESMTP id 26F3143FBF for ; Tue, 25 Feb 2003 02:06:45 -0800 (PST) (envelope-from gemini@geminix.org) Received: from pd9e10453.dip.t-dialin.net ([217.225.4.83] helo=geminix.org) by geminix.org with asmtp (TLSv1:RC4-MD5:128) (Exim 3.36 #1) id 18nbz1-000Ka9-00; Tue, 25 Feb 2003 11:06:43 +0100 Message-ID: <3E5B4025.60509@geminix.org> Date: Tue, 25 Feb 2003 11:06:29 +0100 From: Uwe Doering Organization: Private UNIX Site User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.2.1) Gecko/20021130 X-Accept-Language: en-us, en MIME-Version: 1.0 Newsgroups: mlists.freebsd.security To: freebsd-security@freebsd.org Subject: Re: Fwd: buffer overrun in zlib 1.1.4 References: <20030224160844.GE82145@nevermind.kiev.ua> <20030224162747.GB87372@madman.celabo.org> In-Reply-To: <20030224162747.GB87372@madman.celabo.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Jacques A. 
Vidrine wrote:
> On Mon, Feb 24, 2003 at 06:08:44PM +0200, Alexandr Kovalenko wrote:
>
>>----- Forwarded message from Richard Kettlewell -----
>>
>>Date: Sat, 22 Feb 2003 00:05:47 +0000
>>From: Richard Kettlewell
>>X-Mailer: Norman
>>To: bugtraq@securityfocus.com
>>Subject: buffer overrun in zlib 1.1.4
>>X-Mailer: VM 7.03 under 21.4 (patch 6) "Common Lisp" XEmacs Lucid
>>
>>zlib contains a function called gzprintf(). This is similar in
>>behaviour to fprintf() except that by default, this function will
>>smash the stack if called with arguments that expand to more than
>>Z_PRINTF_BUFSIZE (=4096 by default) bytes.
>
> Nothing in the base system uses gzprintf, AFAIK.
> If applications are found that use it (and do not check Z_PRINTF_BUFSIZE),
> then please let us know.
>
> When an official zlib patch or new version is available, we'll
> import it.

Also, there is an explicit

-DHAS_snprintf -DHAS_vsnprintf

added to CFLAGS in the Makefile. So, as far as I understand the situation, the version in the base system should be immune against this buffer overrun, anyway.

Uwe
-- Uwe Doering Berlin, Germany

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 25 5:13:23 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AB04437B401 for ; Tue, 25 Feb 2003 05:13:20 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id ED66243FBF for ; Tue, 25 Feb 2003 05:13:19 -0800 (PST) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 6738654; Tue, 25 Feb 2003 07:13:19 -0600 (CST) Received: by madman.celabo.org (Postfix, from userid 1001) id 508C278C44; Tue, 25 Feb 2003 07:13:19 -0600 (CST) Date: Tue, 25 Feb 2003 07:13:19 -0600 From: "Jacques A.
Vidrine" To: Uwe Doering Cc: freebsd-security@freebsd.org Subject: Re: Fwd: buffer overrun in zlib 1.1.4 Message-ID: <20030225131319.GA95282@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Uwe Doering , freebsd-security@freebsd.org References: <20030224160844.GE82145@nevermind.kiev.ua> <20030224162747.GB87372@madman.celabo.org> <3E5B4025.60509@geminix.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3E5B4025.60509@geminix.org> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.3i-ja.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Feb 25, 2003 at 11:06:29AM +0100, Uwe Doering wrote: > Also, there is an explicit > > -DHAS_snprintf -DHAS_vsnprintf > > added to CFLAGS in the Makefile. So, as far as I understand the > situation, the version in the base system should be immune against this > buffer overrun, anyway. Yes, you're right about the overrun. The caveats about truncation may apply to those applications that do not check Z_PRINTF_BUFSIZE. Cheers, -- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . 
nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 25 6:28: 1 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0DEFF37B401 for ; Tue, 25 Feb 2003 06:27:59 -0800 (PST) Received: from web14912.mail.yahoo.com (web14912.mail.yahoo.com [216.136.225.248]) by mx1.FreeBSD.org (Postfix) with SMTP id 13BDC43FBF for ; Tue, 25 Feb 2003 06:27:58 -0800 (PST) (envelope-from nirv199@yahoo.com) Message-ID: <20030225142757.75690.qmail@web14912.mail.yahoo.com> Received: from [200.146.22.156] by web14912.mail.yahoo.com via HTTP; Tue, 25 Feb 2003 06:27:57 PST Date: Tue, 25 Feb 2003 06:27:57 -0800 (PST) From: Paulo Roberto Subject: log_in_vain To: freebsd-security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello,

I have enabled net.inet.tcp.log_in_vain in sysctl but somehow it is not recognizing my proxy server, and is preventing any connections to that port. It is strange because the firewall rules permit the connection, and just by turning log_in_vain=0 it accepts the connections right away. Isn't this option supposed to *only* log, instead of denying an existing daemon listening on that port?

> kernel: Connection attempt to TCP server:3128 from client:1167

TIA
Paulo Roberto

__________________________________________________
Do you Yahoo!?
Yahoo!
Tax Center - forms, calculators, tips, more http://taxes.yahoo.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 25 6:46:49 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C83637B408 for ; Tue, 25 Feb 2003 06:46:45 -0800 (PST) Received: from utahime.as.wakwak.ne.jp (utahime.as.wakwak.ne.jp [61.205.238.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6C46543FE0 for ; Tue, 25 Feb 2003 06:46:39 -0800 (PST) (envelope-from yasu@home.utahime.org) Received: from eastasia.home.utahime.org (eastasia.home.utahime.org [192.168.174.1]) by utahime.as.wakwak.ne.jp (Postfix) with ESMTP id DEC34C for ; Tue, 25 Feb 2003 23:46:36 +0900 (JST) Received: from 127.0.0.1 (localhost.home.utahime.org [127.0.0.1]) by eastasia.home.utahime.org (Postfix) with SMTP id 4F35F54ED; Tue, 25 Feb 2003 23:31:31 +0900 (JST) Received: from localhost (sugar.home.utahime.org [192.168.174.2]) by eastasia.home.utahime.org (Postfix) with ESMTP id 387B454E7; Tue, 25 Feb 2003 23:31:31 +0900 (JST) Date: Tue, 25 Feb 2003 23:30:42 +0900 (JST) Message-Id: <20030225.233042.48202256.yasu@utahime.org> To: freebsd-security@FreeBSD.ORG Subject: Re: Updated OpenSSL patches From: KIMURA Yasuhiro In-Reply-To: <20030225034504.GA92642@madman.celabo.org> References: <20030225.100021.27473189.yasu@utahime.org> <20030225022110.GA92307@madman.celabo.org> <20030225034504.GA92642@madman.celabo.org> Organization: Utahime no Mori X-Mailer: Mew version 3.1.53 on Emacs 21.2 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >>>>> "Jacques A. 
Vidrine" wrote:
> I've put updated patches on ftp-master -- they should reach mirrors in
> a few hours.

> [FreeBSD 4.7 systems]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl47.patch.gz

I applied this new patch to the new 4.7R source tree (which means, removed old tree, extracted from install media and applied all preceding patches) and 2 rejections still happened.

sugar# pwd
/usr/src
sugar# zcat /tmp/security-fixes/openssl47.patch.gz | patch -s
1 out of 1 hunks failed--saving rejects to README.rej
1 out of 1 hunks failed--saving rejects to Makefile.rej
sugar#

But these rejections are strange because the new patch doesn't modify either /usr/src/README or /usr/src/Makefile at all.

sugar# cat README.rej
***************
*** 1,7 ****
! OpenSSL 0.9.6g 9 August 2002
! Copyright (c) 1998-2002 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
--- 1,7 ----
! OpenSSL 0.9.6i Feb 19 2003
! Copyright (c) 1998-2003 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
sugar#

It seems this modification should be applied to /usr/src/crypto/openssl/README, and

sugar# cat Makefile.rej
***************
*** 35,42 ****
MAINTAINER= kris
# base sources
! SRCS+= cpt_err.c cryptlib.c cversion.c ebcdic.c ex_data.c mem.c mem_dbg.c \
! tmdiff.c uid.c
# asn1
--- 35,42 ----
MAINTAINER= kris
# base sources
! SRCS+= cpt_err.c cryptlib.c cversion.c ebcdic.c ex_data.c mem.c mem_clr.c \
! mem_dbg.c tmdiff.c uid.c
# asn1
sugar#

this should be applied to /usr/src/secure/lib/libcrypto/Makefile. So I'm afraid a bug in the "patch" command might be revealed by this patch. Did anybody succeed in applying the new patch?
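Review bot: the content of both rejected hunks identifies their real targets (the README hunk carries the OpenSSL 0.9.6g to 0.9.6i banner, the Makefile hunk adds mem_clr.c to SRCS, i.e. crypto/openssl/README and secure/lib/libcrypto/Makefile), yet the rejects were written as /usr/src/README.rej and /usr/src/Makefile.rej, so before suspecting patch(1) itself, check whether /usr/src/crypto/openssl/README and /usr/src/secure/lib/libcrypto/Makefile exist at all in the freshly installed tree; if the crypto distribution was not installed there is nothing for those hunks to apply to, and the rejects land beside the same-named files at the top of /usr/src. The other hunks of the same patch applying cleanly is consistent with only the crypto-related files being absent.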
--- KIMURA Yasuhiro Mail: yasu@utahime.org WWW: http://www.utahime.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 25 7:54:20 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1B3C137B401 for ; Tue, 25 Feb 2003 07:54:18 -0800 (PST) Received: from otvk.pl (otvk.pl [195.116.208.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4A0DB43F3F for ; Tue, 25 Feb 2003 07:54:17 -0800 (PST) (envelope-from m@otvk.pl) Received: by otvk.pl (Postfix, from userid 1000) id B1EBE6152E; Tue, 25 Feb 2003 16:54:07 +0100 (CET) Date: Tue, 25 Feb 2003 16:54:07 +0100 From: Krzysztof Ptaszek To: KIMURA Yasuhiro Cc: freebsd-security@FreeBSD.ORG Subject: Re: Updated OpenSSL patches Message-ID: <20030225155407.GB65970@otvk.pl> References: <20030225.100021.27473189.yasu@utahime.org> <20030225022110.GA92307@madman.celabo.org> <20030225034504.GA92642@madman.celabo.org> <20030225.233042.48202256.yasu@utahime.org> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline In-Reply-To: <20030225.233042.48202256.yasu@utahime.org> User-Agent: Mutt/1.4i X-PGP-Key-URL: http://mpriest.exc.org/mpriest-pgp.asc X-OS: FreeBSD 4.7-STABLE X-Hint: Pokaz mi swoj dres, powiem Ci co kradniesz. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

You, KIMURA, using yasu@utahime.org wrote:
=> But these rejections are strange because new patch doesn't modify
=> either /usr/src/README or /usr/src/Makefile at all.

As far as I know, you can see the changes in the UPDATING file:

[root@otvk|/]# cat /usr/src/UPDATING|grep 20030214 -A 2
20030214:
	OpenSSL 0.97 has been imported, and the libcrypto/libssl library versions have been bumped.
=> Did anybody succeed in applying the new patch?

Yes.

-- Regards, Krzysztof Ptaszek, mpriest(at)otvk.pl

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 25 7:56:28 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 58FD837B401; Tue, 25 Feb 2003 07:56:23 -0800 (PST) Received: from h00609772adf0.ne.client2.attbi.com (h00609772adf0.ne.client2.attbi.com [24.61.43.152]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7BC7343FAF; Tue, 25 Feb 2003 07:56:22 -0800 (PST) (envelope-from rodrigc@h00609772adf0.ne.client2.attbi.com) Received: from h00609772adf0.ne.client2.attbi.com (localhost.ne.attbi.com [127.0.0.1]) by h00609772adf0.ne.client2.attbi.com (8.12.7/8.12.7) with ESMTP id h1PFvPUE009514; Tue, 25 Feb 2003 10:57:25 -0500 (EST) (envelope-from rodrigc@h00609772adf0.ne.client2.attbi.com) Received: (from rodrigc@localhost) by h00609772adf0.ne.client2.attbi.com (8.12.7/8.12.7/Submit) id h1PFvOYZ009513; Tue, 25 Feb 2003 10:57:24 -0500 (EST) Date: Tue, 25 Feb 2003 10:57:24 -0500 From: Craig Rodrigues To: freebsd-current@freebsd.org Cc: freebsd-security@freebsd.org Subject: OpenSSL question for id_function() Message-ID: <20030225155724.GB9400@attbi.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi,

I have a question about OpenSSL 0.9.7. On the following web page:

http://www.openssl.org/docs/crypto/threads.html

"void CRYPTO_set_id_callback(unsigned long (*id_function)(void));

id_function(void) is a function that returns a thread ID. It is not needed on Windows nor on platforms where getpid() returns a different ID for each thread (most notably Linux)."

I have some third party C++ code which tries to implement this id_function as:

return static_cast<unsigned long>(pthread_self());

pthread_self() returns something of type pthread_t. This code works under Linux, because pthread_t is mapped to an integer value. However, on FreeBSD, pthread_t is a pointer to struct pthread, so this code does not compile:

OpenSSLPluginI.cpp: In function `long unsigned int IceSSL::idFunction()':
OpenSSLPluginI.cpp:153: invalid static_cast from type `pthread*' to type `long unsigned int'

Is there a way to implement the id_function() for OpenSSL so that it works portably across FreeBSD and Linux?

Thanks.
-- Craig Rodrigues http://home.attbi.com/~rodrigc rodrigc@attbi.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 25 12:19:38 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5F5AD37B420 for ; Tue, 25 Feb 2003 12:19:31 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 53D98440BC for ; Tue, 25 Feb 2003 12:12:59 -0800 (PST) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 76A6C54; Tue, 25 Feb 2003 14:12:25 -0600 (CST) Received: by madman.celabo.org (Postfix, from userid 1001) id 6296B78C44; Tue, 25 Feb 2003 14:12:25 -0600 (CST) Date: Tue, 25 Feb 2003 14:12:25 -0600 From: "Jacques A. Vidrine" To: KIMURA Yasuhiro Cc: freebsd-security@FreeBSD.ORG Subject: Re: Updated OpenSSL patches Message-ID: <20030225201225.GA6001@madman.celabo.org> Mail-Followup-To: "Jacques A.
Vidrine" , KIMURA Yasuhiro , freebsd-security@FreeBSD.ORG References: <20030225.100021.27473189.yasu@utahime.org> <20030225022110.GA92307@madman.celabo.org> <20030225034504.GA92642@madman.celabo.org> <20030225.233042.48202256.yasu@utahime.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030225.233042.48202256.yasu@utahime.org> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.3i-ja.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Feb 25, 2003 at 11:30:42PM +0900, KIMURA Yasuhiro wrote:
> >>>>> "Jacques A. Vidrine" wrote:
>
> > I've put updated patches on ftp-master -- they should reach mirrors in
> > a few hours.
>
> > [FreeBSD 4.7 systems]
> > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl47.patch.gz
>
> I applied this new patch to the new 4.7R source tree (which means,
> removed old tree, extracted from install media and applied all
> preceding patches) and 2 rejections still happened.
[...]

Hmm, maybe a previous patch removed these files? But none of the patches released since 4.7-RELEASE touch openssl ... What patches exactly did you apply, and in what order?

Cheers,
-- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 25 14: 8:35 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1AC9937B401 for ; Tue, 25 Feb 2003 14:08:31 -0800 (PST) Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 825A743F75 for ; Tue, 25 Feb 2003 14:08:30 -0800 (PST) (envelope-from crist.clark@attbi.com) Received: from blossom.cjclark.org (12-234-89-252.client.attbi.com[12.234.89.252]) by rwcrmhc51.attbi.com (rwcrmhc51) with ESMTP id <20030225220830051003mamve>; Tue, 25 Feb 2003 22:08:30 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.6/8.12.3) with ESMTP id h1PM8Teq022280; Tue, 25 Feb 2003 14:08:29 -0800 (PST) (envelope-from crist.clark@attbi.com) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.6/8.12.6/Submit) id h1PM8Rrs022279; Tue, 25 Feb 2003 14:08:27 -0800 (PST) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f Date: Tue, 25 Feb 2003 14:08:27 -0800 From: "Crist J. Clark" To: Paulo Roberto Cc: freebsd-security@FreeBSD.ORG Subject: Re: log_in_vain Message-ID: <20030225220827.GA21469@blossom.cjclark.org> Reply-To: "Crist J. 
Clark" References: <20030225142757.75690.qmail@web14912.mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030225142757.75690.qmail@web14912.mail.yahoo.com> User-Agent: Mutt/1.4i X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Feb 25, 2003 at 06:27:57AM -0800, Paulo Roberto wrote:
> Hello,
>
> I have enabled net.inet.tcp.log_in_vain in sysctl but somehow it is not
> recognizing my proxy server, and is preventing any connections to that
> port. It is strange because the firewall rules permit the connection,
> and just by turning log_in_vain=0 it accepts the connections right away.
> Isn't this option supposed to *only* log, instead of denying an existing
> daemon listening on that port?
>
> > kernel: Connection attempt to TCP server:3128 from client:1167

All it does is log. It has no effect on the way a packet is processed. The code is in src/sys/netinet/tcp_input.c.

-- Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 26 16: 9: 7 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 148A237B401; Wed, 26 Feb 2003 16:09:04 -0800 (PST) Received: from utahime.as.wakwak.ne.jp (utahime.as.wakwak.ne.jp [61.205.238.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3837F43F93; Wed, 26 Feb 2003 16:09:02 -0800 (PST) (envelope-from yasu@home.utahime.org) Received: from eastasia.home.utahime.org (eastasia.home.utahime.org [192.168.174.1]) by utahime.as.wakwak.ne.jp (Postfix) with ESMTP id 1AA1533; Thu, 27 Feb 2003 09:09:00 +0900 (JST) Received: from 127.0.0.1 (localhost.home.utahime.org [127.0.0.1]) by eastasia.home.utahime.org (Postfix) with SMTP id E8F2354E7; Thu, 27 Feb 2003 09:08:59 +0900 (JST) Received: from localhost (sugar.home.utahime.org [192.168.174.2]) by eastasia.home.utahime.org (Postfix) with ESMTP id BA04654DF; Thu, 27 Feb 2003 09:08:59 +0900 (JST) Date: Thu, 27 Feb 2003 09:08:33 +0900 (JST) Message-Id: <20030227.090833.90424319.yasu@utahime.org> To: nectar@FreeBSD.org Cc: freebsd-security@FreeBSD.org Subject: Re: Updated OpenSSL patches From: KIMURA Yasuhiro In-Reply-To: <20030225201225.GA6001@madman.celabo.org> References: <20030225034504.GA92642@madman.celabo.org> <20030225.233042.48202256.yasu@utahime.org> <20030225201225.GA6001@madman.celabo.org> Organization: Utahime no Mori X-Mailer: Mew version 3.2 on Emacs 21.2 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >>>>> "Jacques A. 
Vidrine" wrote:
> Hmm, maybe a previous patch removed these files?
> But none of the patches released since 4.7-RELEASE touch openssl ...
> What patches exactly did you apply, and in what order?

Following is what I do to reproduce this situation from scratch.

1. sugar# su -
2. sugar# cd /usr/src/
3. sugar# rm -rf *
4. sugar# /stand/sysinstall
5. select "Configure"
6. select "Distributions"
7. select "src"
8. select "All"
9. select "Exit" twice
10. choose "CD/DVD" (CD-R made from 4.7-disc1.iso is used)
11. exit from /stand/sysinstall
12. sugar# cd /tmp
13. sugar# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:40/kadmin.patch
14. sugar# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:43/bind.patch
15. sugar# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:01/cvs.patch
16. sugar# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl47.patch.gz
17. sugar# cd /usr/src/
18. sugar# patch -s < /tmp/kadmin.patch
19. sugar# patch -s < /tmp/bind.patch
20. sugar# patch -s < /tmp/filedesc.patch
21. sugar# patch -s < /tmp/cvs.patch

and then,

sugar# gunzip -c /tmp/openssl47.patch.gz | patch -s
1 out of 1 hunks failed--saving rejects to README.rej
1 out of 1 hunks failed--saving rejects to Makefile.rej

OS information:

sugar# uname -a
FreeBSD sugar.home.utahime.org 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Sun Feb 2 17:22:22 JST 2003 yasu@sugar.home.utahime.org:/usr/src/sys/compile/SUGAR i386

patch command information:

sugar# which patch
/usr/bin/patch
sugar# patch --version
Patch version 2.1

--- KIMURA Yasuhiro Mail: yasu@utahime.org WWW: http://www.utahime.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Feb 26 16:50:40 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CBD1937B401 for ; Wed, 26 Feb 2003 16:50:36 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id D1AB243F85 for ; Wed, 26 Feb 2003 16:50:35 -0800 (PST) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 55E494C; Wed, 26 Feb 2003 18:50:35 -0600 (CST) Received: by madman.celabo.org (Postfix, from userid 1001) id 33C3C78C3E; Wed, 26 Feb 2003 18:50:35 -0600 (CST) Date: Wed, 26 Feb 2003 18:50:35 -0600 From: "Jacques A. Vidrine" To: KIMURA Yasuhiro Cc: freebsd-security@FreeBSD.org Subject: Re: Updated OpenSSL patches Message-ID: <20030227005035.GA99420@madman.celabo.org> Mail-Followup-To: "Jacques A.
On Thu, Feb 27, 2003 at 09:08:33AM +0900, KIMURA Yasuhiro wrote:
> >>>>> "Jacques A. Vidrine" wrote:
>
> > Hmm, maybe a previous patch removed these files?
> > But none of the patches released since 4.7-RELEASE touch openssl ...
> > What patches exactly did you apply, and in what order?
>
> Following is what I do to reproduce this situation from scratch.
>
> 1. sugar# su -
> 2. sugar# cd /usr/src/
> 3. sugar# rm -rf *
> 4. sugar# /stand/sysinstall
> 5. select "Configure"
> 6. select "Distributions"
> 7. select "src"
> 8. select "All"
> 9. select "Exit" twice
> 10. choose "CD/DVD" (CD-R made from 4.7-disc1.iso is used)
> 11. exit from /stand/sysinstall
> 12. sugar# cd /tmp
> 13. sugar# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:40/kadmin.patch
> 14. sugar# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:43/bind.patch
> 15. sugar# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:01/cvs.patch
> 16. sugar# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl47.patch.gz
> 17. sugar# cd /usr/src/
> 18. sugar# patch -s < /tmp/kadmin.patch
> 19. sugar# patch -s < /tmp/bind.patch
> 20. sugar# patch -s < /tmp/filedesc.patch
> 21. sugar# patch -s < /tmp/cvs.patch
>
> and then,
>
> sugar# gunzip -c /tmp/openssl47.patch.gz | patch -s
> 1 out of 1 hunks failed--saving rejects to README.rej
> 1 out of 1 hunks failed--saving rejects to Makefile.rej

I have to assume that for some reason the scrypto distribution isn't
being installed. With a checked out 4.7-RELEASE tree, using your
procedure above works as expected.

Do you even have a /usr/src/crypto/openssl directory after your
installation?

Cheers,
-- 
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Wed Feb 26 23:31:20 2003
Date: Wed, 26 Feb 2003 23:30:38 -0800
From: Lev Walkin
Organization: Netli, Inc.
Message-ID: <3E5DBE9E.7060302@netli.com>
To: Craig Rodrigues
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSL question for id_function()

Craig Rodrigues wrote:
> return static_cast<unsigned long>(pthread_self());
>
> pthread_self() returns something of type pthread_t.
> This code works under Linux, because pthread_t is mapped to an integer value.
>
> However, on FreeBSD, pthread_t is a pointer to struct pthread, so this
> code does not compile:
>
> OpenSSLPluginI.cpp: In function `long unsigned int IceSSL::idFunction()':
> OpenSSLPluginI.cpp:153: invalid static_cast from type `pthread*' to type `long
> unsigned int'
>
>
> Is there a way to implement the id_function() for OpenSSL so that
> it works portably across FreeBSD and Linux?
return (unsigned long)(void *)(pthread_self());

-- 
Lev Walkin
vlm@netli.com

From owner-freebsd-security Thu Feb 27 0:57: 8 2003
Date: Thu, 27 Feb 2003 10:56:47 +0200 (SAST)
From: Gareth Hopkins
To: Krzysztof Ptaszek
Cc: KIMURA Yasuhiro
Subject: Re: Updated OpenSSL patches
Message-ID: <20030227105013.Y5071-100000@gabba.so.cpt1.za.uu.net>

On Tue, 25 Feb 2003, Krzysztof Ptaszek wrote:

KP>You, KIMURA, using yasu@utahime.org wrote:
KP>=> But these rejections are strange because new patch doesn't modify
KP>=> either /usr/src/README or /usr/src/Makefile at all.
KP>
KP>As far as i know, you can see changes in UPDATING file:
KP>
KP>[root@otvk|/]# cat /usr/src/UPDATING|grep 20030214 -A 2
KP>20030214:
KP>	OpenSSL 0.97 has been imported, and the libcrypto/libssl
KP>	library versions have been bumped.
KP>
KP>
KP>=> Does anybody succeed to apply new patch?
KP>
KP>Yes.

Howdie,

	I have applied the openssl47.patch patch to a 4.7-STABLE machine
built in January 2003. Should mention that the following reject happened
during the patch

~ less /usr/src/Makefile.rej
***************
*** 35,42 ****
  MAINTAINER=	kris

  # base sources
! SRCS+=	cpt_err.c cryptlib.c cversion.c ebcdic.c ex_data.c mem.c mem_dbg.c \
! 	tmdiff.c uid.c

  # asn1
--- 35,42 ----
  MAINTAINER=	kris

  # base sources
! SRCS+=	cpt_err.c cryptlib.c cversion.c ebcdic.c ex_data.c mem.c mem_clr.c \
! 	mem_dbg.c tmdiff.c uid.c

  # asn1

	During the make buildworld I get the following error.

cc -O -pipe -I/usr/src/kerberos5/libexec/ipropd-master/../../../crypto/heimdal/include -I/usr/src/kerberos5/libexec/ipropd-master/../../../crypto/heimdal/lib/kadm5 -I/usr/src/kerberos5/libexec/ipropd-master/../../../crypto/heimdal/lib/krb5 -I/usr/src/kerberos5/libexec/ipropd-master/../../../crypto/heimdal/lib/asn1 -I/usr/src/kerberos5/libexec/ipropd-master/../../../crypto/heimdal/lib/hdb -I/usr/src/kerberos5/libexec/ipropd-master/../../../crypto/heimdal/lib/roken -I/usr/src/kerberos5/libexec/ipropd-master/../../../crypto/heimdal/kuser -I/usr/obj/usr/src/kerberos5/libexec/ipropd-master/../../lib/libasn1 -I/usr/obj/usr/src/kerberos5/libexec/ipropd-master/../../lib/libhdb -I/usr/obj/usr/src/kerberos5/libexec/ipropd-master -Wall -I/usr/src/kerberos5/libexec/ipropd-master/../../include -DHAVE_CONFIG_H -DINET6 -o ipropd-master ipropd_master.o -L/usr/obj/usr/src/kerberos5/libexec/ipropd-master/../../lib/libkadm5srv -lkadm5srv -L/usr/obj/usr/src/kerberos5/libexec/ipropd-master/../../lib/libkrb5 -lkrb5 -L/usr/obj/usr/src/kerberos5/libexec/ipropd-master/../../lib/libhdb -lhdb -L/usr/obj/usr/src/kerberos5/libexec/ipropd-master/../../lib/libroken -lroken -L/usr/obj/usr/src/kerberos5/libexec/ipropd-master/../../lib/libvers -lvers -L/usr/obj/usr/src/kerberos5/libexec/ipropd-master/../../lib/libasn1 -lasn1 -lcrypto -lmd -lcrypt -lcom_err
/usr/obj/usr/src/i386/usr/lib/libcrypto.so: undefined reference to `cleanse_ctr'
/usr/obj/usr/src/i386/usr/lib/libcrypto.so: undefined reference to `OPENSSL_cleanse'
*** Error code 1
1 error
*** Error code 2
1 error
*** Error code 2
1 error

make.conf is as follows

USA_RESIDENT=NO
MASTER_SITE_OVERRIDE=ftp://ftp3.za.freebsd.org/pub/FreeBSD/distfiles/${DIST_SUBDIR}/
NO_SENDMAIL= true
MAKE_KERBEROS5= yes
ENABLE_SUID_K5SU= yes
NOGAMES= true

Is there something else that needs to be added or is the only option
cvsup to latest releng_4?

---
Gareth Hopkins
Server Operations
UUNET South Africa
(o) +27.21.658.8700
(f) +27.21.658.8552
(m) +27.82.929.6668
http://www.uunet.co.za
08600 UUNET (08600 88638)
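Review bot: the rejected hunk is the one that adds mem_clr.c to the libcrypto SRCS list (`! SRCS+= cpt_err.c ... mem.c mem_clr.c \` in the `--- 35,42 ----` half), and the buildworld link error that follows (`undefined reference to `cleanse_ctr'` and `OPENSSL_cleanse'`) is its direct consequence: OPENSSL_cleanse and its cleanse_ctr counter are defined in mem_clr.c, so with this hunk unapplied that file is never compiled into libcrypto.so while the rest of the patched tree already references it. Note also where the reject landed: /usr/src/Makefile.rej, so patch tried the top-level Makefile rather than the libcrypto one this MAINTAINER=/SRCS+= context belongs to (Crist Clark's message later in this digest narrows that down to how patch(1) picks the file). Re-applying this hunk by hand to the libcrypto Makefile under secure/lib/libcrypto (the path used in that same message) and rebuilding should get past the link error without a cvsup to RELENG_4.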
From owner-freebsd-security Thu Feb 27 8: 7:26 2003
Date: Fri, 28 Feb 2003 01:06:21 +0900 (JST)
From: KIMURA Yasuhiro
To: nectar@FreeBSD.org
Cc: freebsd-security@FreeBSD.org
Subject: Re: Updated OpenSSL patches
Message-Id: <20030228.010621.58864322.yasu@utahime.org>

>>>>> "Jacques A. Vidrine" wrote:

> Do you even have a /usr/src/crypto/openssl directory after your
> installation?

Yes.

sugar# ls /usr/src/crypto/openssl/
CHANGES         Makefile.org    bugs            e_os2.h         times
CHANGES.SSLeay  Makefile.ssl    certs           openssl.doxy    tools
Configure       NEWS            config          openssl.spec    util
FAQ             PROBLEMS        crypto          perl
FREEBSD-Xlist   README          demos           shlib
INSTALL         README.ENGINE   doc             ssl
LICENSE         apps            e_os.h          test
sugar#

> With a checked out 4.7-RELEASE tree, using your
> procedure above works as expected.

Works well? But it fails on my PC.

yasu@sugar[46]% patch -s < /tmp/kadmin.patch
yasu@sugar[47]% patch -s < /tmp/bind.patch
yasu@sugar[48]% patch -s < /tmp/filedesc.patch
yasu@sugar[49]% patch -s < /tmp/cvs.patch
yasu@sugar[50]% gunzip -c /tmp/openssl47.patch.gz| patch -s
1 out of 1 hunks failed--saving rejects to README.rej
1 out of 1 hunks failed--saving rejects to Makefile.rej
yasu@sugar[51]% ls
COPYRIGHT         contrib/          mem_clr.c.orig
Makefile          crypto/           release/
Makefile.inc1     etc/              sbin/
Makefile.orig     games/            secure/
Makefile.rej      gnu/              share/
Makefile.upgrade  include/          sys/
README            kerberos5/        tools/
README.orig       kerberosIV/       usr.bin/
README.rej        lib/              usr.sbin/
UPDATING          libexec/
bin/              mem_clr.c
yasu@sugar[52]%

Supfile appended is used to cvsup.

---
KIMURA Yasuhiro
Mail: yasu@utahime.org
WWW: http://www.utahime.org/

[attachment: 4.7r-supfile]

# $FreeBSD: src/share/examples/cvsup/stable-supfile,v 1.19.2.6 2002/08/06 08:24:46 blackend Exp $
#
# This file contains all of the "CVSup collections" that make up the
# FreeBSD-stable source tree.
#
# CVSup (CVS Update Protocol) allows you to download the latest CVS
# tree (or any branch of development therefrom) to your system easily
# and efficiently (far more so than with sup, which CVSup is aimed
# at replacing).  If you're running CVSup interactively, and are
# currently using an X display server, you should run CVSup as follows
# to keep your CVS tree up-to-date:
#
#	cvsup stable-supfile
#
# If not running X, or invoking cvsup from a non-interactive script, then
# run it as follows:
#
#	cvsup -g -L 2 stable-supfile
#
# You may wish to change some of the settings in this file to better
# suit your system:
#
# host=CHANGE_THIS.FreeBSD.org
#		This specifies the server host which will supply the
#		file updates.  You must change it to one of the CVSup
#		mirror sites listed in the FreeBSD Handbook at
#		http://www.freebsd.org/doc/handbook/mirrors.html.
#		You can override this setting on the command line
#		with cvsup's "-h host" option.
#
# base=/usr
#		This specifies the root where CVSup will store information
#		about the collections you have transferred to your system.
#		A setting of "/usr" will generate this information in
#		/usr/sup.  Even if you are CVSupping a large number of
#		collections, you will be hard pressed to generate more than
#		~1MB of data in this directory.  You can override the
#		"base" setting on the command line with cvsup's "-b base"
#		option.  This directory must exist in order to run CVSup.
#
# prefix=/usr
#		This specifies where to place the requested files.  A
#		setting of "/usr" will place all of the files requested
#		in "/usr/src" (e.g., "/usr/src/bin", "/usr/src/lib").
#		The prefix directory must exist in order to run CVSup.
#
###############################################################################
#
# DANGER!  WARNING!  LOOK OUT!  VORSICHT!
#
# If you add any of the ports or doc collections to this file, be sure to
# specify them with a "tag" value set to ".", like this:
#
#	ports-all tag=.
#	doc-all tag=.
#
# If you leave out the "tag=." portion, CVSup will delete all of
# the files in your ports or doc tree.  That is because the ports and doc
# collections do not use the same tags as the main part of the FreeBSD
# source tree.
#
###############################################################################

# Defaults that apply to all the collections
#
# IMPORTANT: Change the next line to use one of the CVSup mirror sites
# listed at http://www.freebsd.org/doc/handbook/mirrors.html.
*default host=cvsup.jp.FreeBSD.org
*default base=/usr0/tmp/cvsup-4.7r
*default prefix=/usr0/tmp/cvsup-4.7r
# The following line is for 4-stable.  If you want 3-stable or 2.2-stable,
# change "RELENG_4" to "RELENG_3" or "RELENG_2_2" respectively.
*default release=cvs tag=RELENG_4_7_0_RELEASE
*default delete use-rel-suffix

# If your network link is a T1 or faster, comment out the following line.
#*default compress

## Main Source Tree.
#
# The easiest way to get the main source tree is to use the "src-all"
# mega-collection.  It includes all of the individual "src-*" collections.
# Please note: If you want to track -STABLE, leave this uncommented.
src-all

# These are the individual collections that make up "src-all".  If you
# use these, be sure to comment out "src-all" above.
#src-base
#src-bin
#src-contrib
#src-etc
#src-games
#src-gnu
#src-include
#src-kerberos5
#src-kerberosIV
#src-lib
#src-libexec
#src-release
#src-sbin
#src-share
#src-sys
#src-tools
#src-usrbin
#src-usrsbin

# These are the individual collections that make up FreeBSD's crypto
# collection.  They are no longer export-restricted and are a part of
# src-all
#src-crypto
#src-eBones
#src-secure
#src-sys-crypto

From owner-freebsd-security Thu Feb 27 8: 9:48 2003
Date: Thu, 27 Feb 2003 10:09:45 -0600
From: "Jacques A. Vidrine"
To: KIMURA Yasuhiro
Cc: freebsd-security@FreeBSD.org
Subject: Re: Updated OpenSSL patches
Message-ID: <20030227160944.GA3238@madman.celabo.org>

On Fri, Feb 28, 2003 at 01:06:21AM +0900, KIMURA Yasuhiro wrote:
> > With a checked out 4.7-RELEASE tree, using your
> > procedure above works as expected.
>
> Works well? But it fails on my PC.

I'm sorry, but I cannot reproduce the failure. :-(

-- 
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Feb 27 8:49: 8 2003
Date: Fri, 28 Feb 2003 01:49:01 +0900 (JST)
From: KIMURA Yasuhiro
To: nectar@FreeBSD.org
Cc: freebsd-security@FreeBSD.org
Subject: Re: Updated OpenSSL patches
Message-Id: <20030228.014901.81279435.yasu@utahime.org>

>>>>> "Jacques A. Vidrine" wrote:

> I'm sorry, but I cannot reproduce the failure. :-(

Since nobody else seems to be in trouble, I can't help concluding that
something is wrong with my environment. So I'm going to re-install OS
this weekend, to check what will happen on the vanilla 4.7R
environment, and to report it here.

---
KIMURA Yasuhiro
Mail: yasu@utahime.org
WWW: http://www.utahime.org/

From owner-freebsd-security Thu Feb 27 8:58:19 2003
Date: Thu, 27 Feb 2003 11:59:15 -0500
From: Craig Rodrigues
To: John Polstra
Cc: current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSL question for id_function()
Message-ID: <20030227165915.GA21958@attbi.com>
On Thu, Feb 27, 2003 at 08:40:22AM -0800, John Polstra wrote:
> FreeBSD violates POSIX in this respect.

Doh! I just looked at:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libpthread/include/pthread.h

and it looks like OpenBSD does the same thing.

Just wondering, is the FreeBSD KSE project implementing a POSIX compliant
pthread_t?

> thread-related types:
>
> pthread_attr_t
> pthread_mutex_t
> pthread_mutexattr_t
> pthread_cond_t
> pthread_condattr_t
> pthread_once_t
>
> We got it right for pthread_key_t, though. :-)

Cool. Sometimes standards are a pain in the neck, but my main interest in
FreeBSD's POSIX compliance for threads is to be more and more of a drop-in
replacement for Linux. :)

So is OpenSSL stuff which requires id_function() broken on FreeBSD then?

The C++-style work-around for my code is to do:

return reinterpret_cast<unsigned long>(pthread_self());

which is similar to Lev Walkin's suggestion for a C style cast.
This gets things to compile, but seems like trying to fit a square peg in
a round hole....

Thanks.
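The portable cast the two replies in this digest converge on, written out as an added example (editor's code, not Lev Walkin's, Craig Rodrigues's or OpenSSL's): an id_function() body that goes through uintptr_t so the same source builds whether pthread_t is an integer (Linux) or a pointer to struct pthread (FreeBSD), plus the size check that tells you when the cast would silently truncate a thread id, which would make two threads look identical to OpenSSL's locking. It assumes only <pthread.h> and <stdint.h>; the USE_OPENSSL_0_9_X macro guarding the registration call is this example's own, so the file builds without OpenSSL headers.

```c
/* Added example (editor's code, not from the thread or from OpenSSL): an
 * OpenSSL 0.9.x-style id_function() that compiles on both Linux, where
 * pthread_t is an unsigned long, and FreeBSD, where it is a struct
 * pthread *.  Only <pthread.h> and <stdint.h> are required. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

/* OpenSSL 0.9.x expects:  unsigned long (*id_function)(void)
 * Converting through uintptr_t is the portable step: for a pointer
 * pthread_t it is the well-defined pointer-to-integer conversion, for an
 * integral pthread_t it is a plain integer conversion, so neither platform
 * needs its own #ifdef and neither produces a compiler diagnostic.  (In C++,
 * reinterpret_cast<unsigned long> works for the pointer case and for an
 * unsigned long pthread_t, but not for an integral pthread_t of a
 * different width; the uintptr_t route avoids that corner as well.) */
unsigned long portable_thread_id(void)
{
    return (unsigned long)(uintptr_t)pthread_self();
}

/* The cast is only lossless when pthread_t fits in unsigned long.  On a
 * platform where it does not, two distinct threads could map to the same
 * id and the locking callback would mis-attribute lock ownership, so
 * check this once at startup instead of assuming it. */
int thread_id_fits_unsigned_long(void)
{
    return sizeof(pthread_t) <= sizeof(unsigned long);
}

/* Callers keying on the id rely on it being non-zero and stable for the
 * lifetime of the thread; returns 1 when both hold for the caller. */
int thread_id_is_stable(void)
{
    unsigned long first = portable_thread_id();
    unsigned long second = portable_thread_id();
    return first != 0 && first == second;
}

#ifdef USE_OPENSSL_0_9_X   /* example's own macro: define it and link -lcrypto */
#include <openssl/crypto.h>
void register_with_openssl(void)
{
    CRYPTO_set_id_callback(portable_thread_id);
}
#endif

int main(void)
{
    if (!thread_id_fits_unsigned_long()) {
        fprintf(stderr, "pthread_t is wider than unsigned long; the cast would truncate\n");
        return 1;
    }
    printf("this thread's id: %lu (stable: %s)\n",
           portable_thread_id(), thread_id_is_stable() ? "yes" : "no");
    return 0;
}
```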
-- Craig Rodrigues http://home.attbi.com/~rodrigc rodrigc@attbi.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 27 9:36:34 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B5DD37B401 for ; Thu, 27 Feb 2003 09:36:30 -0800 (PST) Received: from mx-out.daemonmail.net (mx-out.daemonmail.net [216.104.160.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8A80943FAF for ; Thu, 27 Feb 2003 09:36:29 -0800 (PST) (envelope-from chris@tierra.net) Received: from mx0.emailqueue.net (localhost.daemonmail.net [127.0.0.1]) by mx-out.daemonmail.net (8.9.3/8.9.3) with SMTP id JAA27530 for ; Thu, 27 Feb 2003 09:36:29 -0800 (PST) (envelope-from chris@tierra.net) Received: from (216.104.164.101 [216.104.164.101]) by mail.tierra.net with ESMTP id ob91iLZ5 Thu, 27 Feb 2003 09:36:28 -0700 (PST) Message-Id: <5.2.0.9.0.20030227093629.02a4e928@mail.tierra.net> X-Sender: chris@mail.tierra.net X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Thu, 27 Feb 2003 09:37:18 -0800 To: freebsd-security@FreeBSD.org From: Chris Samaritoni Subject: Re: Updated OpenSSL patches Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm running into the same problem. I'm getting the same rejects that you are. I even did a fresh install of 4.7R and only applied the openssl patch and still got the same errors. ??? I'm kinda confused as to why patch is placing .rej files in the /usr/src directory instead of the location of the files it's patching. I'm wonder if the problem has something to do with this mem_clr.c file being placed in the /usr/src directory. 
Here's a copy of my /usr/src directory after running the patch -rw-r--r-- 1 root wheel 4735 Sep 5 1999 COPYRIGHT -rw-r--r-- 1 root wheel 8449 Feb 25 17:38 Makefile -rw-r--r-- 1 root wheel 23350 Aug 30 11:26 Makefile.inc1 -rw-r--r-- 1 root wheel 8449 Jul 25 2002 Makefile.orig -rw-r--r-- 1 root wheel 356 Feb 25 17:38 Makefile.rej -rw-r--r-- 1 root wheel 9761 Aug 27 1999 Makefile.upgrade -rw-r--r-- 1 root wheel 2699 Feb 25 17:38 README -rw-r--r-- 1 root wheel 2699 Apr 26 2002 README.orig -rw-r--r-- 1 root wheel 376 Feb 25 17:38 README.rej -rw-r--r-- 1 root wheel 41409 Aug 7 2002 UPDATING drwxr-xr-x 32 root wheel 512 Feb 25 09:21 bin drwxr-xr-x 46 root wheel 1024 Feb 25 09:21 contrib drwxr-xr-x 7 root wheel 512 Feb 25 09:22 crypto drwxr-xr-x 14 root wheel 2048 Feb 25 09:21 etc drwxr-xr-x 41 root wheel 1024 Feb 25 09:21 games drwxr-xr-x 6 root wheel 512 Feb 25 09:21 gnu drwxr-xr-x 6 root wheel 1536 Feb 25 09:21 include drwxr-xr-x 7 root wheel 512 Feb 25 09:22 kerberos5 drwxr-xr-x 8 root wheel 512 Feb 25 09:22 kerberosIV drwxr-xr-x 56 root wheel 1024 Feb 25 09:21 lib drwxr-xr-x 35 root wheel 1024 Feb 25 09:21 libexec -rw-r--r-- 1 root wheel 3111 Feb 25 17:38 mem_clr.c -rw-r--r-- 1 root wheel 0 Feb 25 17:38 mem_clr.c.orig drwxr-xr-x 2 root wheel 512 Feb 25 17:40 patches drwxr-xr-x 10 root wheel 512 Feb 25 09:21 release drwxr-xr-x 81 root wheel 1536 Feb 25 09:21 sbin drwxr-xr-x 6 root wheel 512 Feb 25 09:21 secure drwxr-xr-x 23 root wheel 512 Feb 25 09:21 share drwxr-xr-x 47 root wheel 1024 Feb 25 09:21 sys drwxr-xr-x 8 root wheel 512 Feb 25 09:21 tools drwxr-xr-x 216 root wheel 3584 Feb 25 09:21 usr.bin drwxr-xr-x 155 root wheel 3072 Feb 25 09:21 usr.sbin Hope this helps, you're not the only one. Not sure if this may have anything to do with it, but I'm also using a CD that was created from the .iso file. I'm wondering how Jacques is testing it and not getting a failure. chris. >>>>>> "Jacques A. Vidrine" wrote: > >> I'm sorry, but I cannot reproduce the failure. 
:-( > >Since nobody else seems to be in trouble, I can't help concluding that >something is wrong with my environment. So I'm going to re-install OS >this weekend, to check what will happen on the vanilla 4.7R >environment, and to report it here. > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 27 9:47:48 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C061637B401 for ; Thu, 27 Feb 2003 09:47:45 -0800 (PST) Received: from kurush.osdn.org.ua (external.osdn.org.ua [212.40.34.156]) by mx1.FreeBSD.org (Postfix) with ESMTP id E672943FA3 for ; Thu, 27 Feb 2003 09:47:35 -0800 (PST) (envelope-from never@kurush.osdn.org.ua) Received: from kurush.osdn.org.ua (never@localhost [127.0.0.1]) by kurush.osdn.org.ua (8.12.6/8.12.6) with ESMTP id h1RHHTM9014235 for ; Thu, 27 Feb 2003 19:17:30 +0200 (EET) (envelope-from never@kurush.osdn.org.ua) Received: (from never@localhost) by kurush.osdn.org.ua (8.12.6/8.12.6/Submit) id h1RHHTfN014234 for freebsd-security@freebsd.org; Thu, 27 Feb 2003 19:17:29 +0200 (EET) Date: Thu, 27 Feb 2003 19:17:29 +0200 From: Alexandr Kovalenko To: freebsd-security@freebsd.org Subject: Fwd: (patch for zlib) Re: poc zlib sploit just for fun :) Message-ID: <20030227171729.GC5081@nevermind.kiev.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ----- Forwarded message from "Ralf S. Engelschall" ----- Date: Thu, 27 Feb 2003 15:41:49 +0100 From: "Ralf S. 
Engelschall" To: bugtraq@securityfocus.com Subject: Re: poc zlib sploit just for fun :) Reply-To: rse@engelschall.com In article <200302241751.25591.kelledin+BTQ@skarpsey.dyndns.org> you wrote: > [...] > Attached below is a patch RK and I whipped up yesterday, after I > caught wind of this problem sometime in the afternoon. > [...] Thanks for your efforts. We've reviewed your patch for inclusion into our OpenPKG "zlib" package and discovered that your configure checks are not quite correct. For instance, you're incorrectly putting a va_list variable into a snprintf call in one check, etc. Additionally we've stripped down in size the patch to gzio.c (you re-formatted existing code, etc). See http://cvs.openpkg.org/openpkg-src/zlib/zlib.patch for our derived version of your patch in case you're interested. Ralf S. Engelschall rse@engelschall.com www.engelschall.com ----- End forwarded message ----- -- NEVE-RIPE, will build world for food Ukrainian FreeBSD User Group http://uafug.org.ua/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 27 15:59:16 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A33DE37B401; Thu, 27 Feb 2003 15:59:11 -0800 (PST) Received: from sccrmhc03.attbi.com (sccrmhc03.attbi.com [204.127.202.63]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6BD2543FB1; Thu, 27 Feb 2003 15:59:10 -0800 (PST) (envelope-from crist.clark@attbi.com) Received: from blossom.cjclark.org (12-234-89-252.client.attbi.com[12.234.89.252]) by sccrmhc03.attbi.com (sccrmhc03) with ESMTP id <2003022723590900300ahmlje>; Thu, 27 Feb 2003 23:59:09 +0000 Received: from blossom.cjclark.org (localhost. 
From owner-freebsd-security Thu Feb 27 15:59:16 2003
Date: Thu, 27 Feb 2003 15:59:01 -0800
From: "Crist J. Clark"
To: KIMURA Yasuhiro
Cc: nectar@FreeBSD.org, freebsd-security@FreeBSD.org
Subject: Re: Updated OpenSSL patches
Message-ID: <20030227235901.GA84362@blossom.cjclark.org>
In-Reply-To: <20030228.014901.81279435.yasu@utahime.org>
References: <20030227005035.GA99420@madman.celabo.org>
	<20030228.010621.58864322.yasu@utahime.org>
	<20030227160944.GA3238@madman.celabo.org>
	<20030228.014901.81279435.yasu@utahime.org>

On Fri, Feb 28, 2003 at 01:49:01AM +0900, KIMURA Yasuhiro wrote:
> >>>>> "Jacques A. Vidrine" wrote:
>
> > I'm sorry, but I cannot reproduce the failure. :-(
>
> Since nobody else seems to be in trouble, I can't help concluding that
> something is wrong with my environment. So I'm going to re-install OS
> this weekend, to check what will happen on the vanilla 4.7R
> environment, and to report it here.

I can reproduce the error. Something weird is going on with patch(1).

First, this DOES NOT produce the error,

  $ uname -r
  4.7-RELEASE-p2
  $ cd /var/tmp
  $ [ -d src ] && rm -rf src
  $ cvs -Q co -rRELENG_4_7_0_RELEASE src/crypto/openssl
  $ cvs -Q co -rRELENG_4_7_0_RELEASE src/secure/lib/libcrypto
  $ cd src
  $ fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl47.patch.gz
  $ zcat openssl47.patch.gz | patch -s

However, try,

  $ cd /var/tmp
  $ [ -d src ] && rm -rf src
  $ cvs -Q co -rRELENG_4_7_0_RELEASE src/crypto/openssl
  $ cvs -Q co -rRELENG_4_7_0_RELEASE src/secure/lib/libcrypto
  $ cvs -Q co -rRELENG_4_7_0_RELEASE src/Makefile
  $ cd src
  $ fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl47.patch.gz
  $ zcat openssl47.patch.gz | patch -s
  1 out of 1 hunks failed--saving rejects to Makefile.rej

It looks like patch(1) is confused where to look for "Makefile." It
tries to patch the one in pwd. However, if I do,

  $ cd /var/tmp
  $ [ -d src ] && rm -rf src
  $ cvs -Q co -rRELENG_4_7_0_RELEASE src/crypto/openssl
  $ cvs -Q co -rRELENG_4_7_0_RELEASE src/secure/lib/libcrypto
  $ cvs -Q co -rRELENG_4_7_0_RELEASE src/Makefile
  $ cd src
  $ fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl47.patch.gz
  $ zcat openssl47.patch.gz | sed 's-../RELENG_4_7/--' | patch -s

--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Fri Feb 28 05:43:55 2003
Date: Fri, 28 Feb 2003 07:43:46 -0600
From: Martin McCormick
To: freebsd-security@FreeBSD.ORG
Subject: FreeBSD port of Bind9.2.2
Message-Id: <200302281343.h1SDhlje075458@dc.cis.okstate.edu>

I don't know if I have somehow missed something or if bind9.2.2 has a
FreeBSD port. Bind9.2.1 has a problem that can be turned into a denial
of service attack. This is corrected in the next release.

Martin McCormick WB5AGZ  Stillwater, OK
OSU Center for Computing and Information Services Network Operations Group

From owner-freebsd-security Fri Feb 28 06:00:54 2003
Date: Fri, 28 Feb 2003 15:59:27 +0200
From: Peter Pentchev
To: Martin McCormick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD port of Bind9.2.2
Message-ID: <20030228135927.GA518@straylight.oblivion.bg>
In-Reply-To: <200302281343.h1SDhlje075458@dc.cis.okstate.edu>
References: <200302281343.h1SDhlje075458@dc.cis.okstate.edu>

On Fri, Feb 28, 2003 at 07:43:46AM -0600, Martin McCormick wrote:
> I don't know if I have somehow missed something or if
> bind9.2.2 has a FreeBSD port. Bind9.2.1 has a problem that can
> be turned into a denial of service attack. This is corrected in
> the next release.

AFAICS, the net/bind9 port is at version 9.2.2rc1 as of four weeks ago;
is that version also vulnerable to the denial of service attack that
you mention?

G'luck,
Peter

--
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence is false.

From owner-freebsd-security Fri Feb 28 06:02:09 2003
Date: Fri, 28 Feb 2003 08:02:01 -0600
From: "Jacques A. Vidrine"
To: "Crist J. Clark"
Cc: KIMURA Yasuhiro, freebsd-security@FreeBSD.org
Subject: Re: Updated OpenSSL patches
Message-ID: <20030228140201.GA61833@madman.celabo.org>
In-Reply-To: <20030227235901.GA84362@blossom.cjclark.org>
References: <20030227005035.GA99420@madman.celabo.org>
	<20030228.010621.58864322.yasu@utahime.org>
	<20030227160944.GA3238@madman.celabo.org>
	<20030228.014901.81279435.yasu@utahime.org>
	<20030227235901.GA84362@blossom.cjclark.org>

On Thu, Feb 27, 2003 at 03:59:01PM -0800, Crist J. Clark wrote:
> On Fri, Feb 28, 2003 at 01:49:01AM +0900, KIMURA Yasuhiro wrote:
> > >>>>> "Jacques A. Vidrine" wrote:
> >
> > > I'm sorry, but I cannot reproduce the failure. :-(
> >
> > Since nobody else seems to be in trouble, I can't help concluding that
> > something is wrong with my environment. So I'm going to re-install OS
> > this weekend, to check what will happen on the vanilla 4.7R
> > environment, and to report it here.
>
> I can reproduce the error. Something weird is going on with patch(1).
>
> First, this DOES NOT produce the error,
>
> $ uname -r
> 4.7-RELEASE-p2
> $ cd /var/tmp
> $ [ -d src ] && rm -rf src
> $ cvs -Q co -rRELENG_4_7_0_RELEASE src/crypto/openssl
> $ cvs -Q co -rRELENG_4_7_0_RELEASE src/secure/lib/libcrypto
> $ cd src
> $ fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl47.patch.gz
> $ zcat openssl47.patch.gz | patch -s
>
> However, try,
>
> $ cd /var/tmp
> $ [ -d src ] && rm -rf src
> $ cvs -Q co -rRELENG_4_7_0_RELEASE src/crypto/openssl
> $ cvs -Q co -rRELENG_4_7_0_RELEASE src/secure/lib/libcrypto
> $ cvs -Q co -rRELENG_4_7_0_RELEASE src/Makefile
> $ cd src
> $ fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl47.patch.gz
> $ zcat openssl47.patch.gz | patch -s
> 1 out of 1 hunks failed--saving rejects to Makefile.rej
>
> It looks like patch(1) is confused where to look for "Makefile." It
> tries to patch the one in pwd. However, if I do,
>
> $ cd /var/tmp
> $ [ -d src ] && rm -rf src
> $ cvs -Q co -rRELENG_4_7_0_RELEASE src/crypto/openssl
> $ cvs -Q co -rRELENG_4_7_0_RELEASE src/secure/lib/libcrypto
> $ cvs -Q co -rRELENG_4_7_0_RELEASE src/Makefile
> $ cd src
> $ fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:02/openssl47.patch.gz
> $ zcat openssl47.patch.gz | sed 's-../RELENG_4_7/--' | patch -s

Huh. *boggle*

Applying the patch to an entire source tree succeeds as well. e.g.

  cvs -Q co -rRELENG_4_7_0_RELEASE src

You didn't write anything after that last `zcat ...' line, but I'm led
to believe that getting rid of the relative path in the patch file
resolved the problem? If that is the case, I will remove that path
from the existing patches and re-sign the patches.

Thanks for narrowing down the problem! Now, I don't suppose you want
to find and fix the issue in patch(1), do you? :-)

Cheers,
--
Jacques A. Vidrine                          http://www.celabo.org/
NTT/Verio SME      . FreeBSD UNIX       . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
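The workaround in Crist's third run (`sed 's-../RELENG_4_7/--'`) and Jacques' plan to take that relative path out of the advisory patches both come down to one thing: a `..` component in a diff's file headers means the target is resolved somewhere other than the tree you are standing in, and the thread's observation is that patch(1) ended up trying the Makefile in the working directory. Before feeding an advisory patch to patch(1) it is worth checking its headers for exactly that. The following is an added example written for this archive, not code from FreeBSD's patch(1) or from the SA-03:02 patches: it rewrites the `---`, `+++` and `Index:` headers of a unified diff to drop a given prefix, leaves hunk bodies untouched (the sed in the thread rewrites every line, including hunk content), and counts header paths that still contain a `..` component. The sample diff is constructed, and its file names are assumed rather than copied from openssl47.patch.

```c
/* Added example, not code from FreeBSD's patch(1) or the SA-03:02 patches:
 * normalise the file headers of a unified diff before applying it.
 * strip_patch_prefix() removes a relative prefix such as "../RELENG_4_7/"
 * from the paths in "---", "+++" and "Index:" lines (hunk bodies are left
 * alone); count_escaping_paths() reports header paths that still contain a
 * ".." component, i.e. targets outside the tree patch(1) is run in. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: header paths carry the relative prefix seen in the
 * thread; the hunk body mentions the same string and must not be touched. */
static const char SAMPLE_PATCH[] =
    "Index: src/Makefile\n"
    "--- ../RELENG_4_7/src/Makefile\tThu Feb 27 00:00:00 2003\n"
    "+++ ../RELENG_4_7/src/Makefile\tThu Feb 27 00:00:01 2003\n"
    "@@ -1,2 +1,2 @@\n"
    " # comment mentioning ../RELENG_4_7/ stays as it is\n"
    "-OLD=1\n"
    "+NEW=1\n";

/* Is this line a diff header naming a file? On success *skip is the tag
 * length, so line + *skip is where the path starts. */
static int is_path_header(const char *line, size_t *skip)
{
    static const char *const tags[] = { "--- ", "+++ ", "Index: " };
    size_t i;

    for (i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (strncmp(line, tags[i], strlen(tags[i])) == 0) {
            *skip = strlen(tags[i]);
            return 1;
        }
    return 0;
}

/* Does the path in [p, end) contain a ".." component? */
static int has_dotdot(const char *p, const char *end)
{
    while (p < end) {
        const char *q = memchr(p, '/', (size_t)(end - p));
        if (q == NULL)
            q = end;
        if (q - p == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (q == end)
            break;
        p = q + 1;
    }
    return 0;
}

/* Copy patch text from in to out (capacity outsz), cutting prefix from the
 * start of each header path. Returns the number of header paths rewritten,
 * or -1 if out is too small. */
int strip_patch_prefix(const char *in, const char *prefix,
                       char *out, size_t outsz)
{
    size_t plen = strlen(prefix), o = 0;
    int rewritten = 0;

    while (*in != '\0') {
        const char *eol = strchr(in, '\n');
        size_t len = eol ? (size_t)(eol - in) + 1 : strlen(in);
        size_t skip, keep = len;
        const char *rest = in;

        if (is_path_header(in, &skip) && len - skip >= plen
            && strncmp(in + skip, prefix, plen) == 0) {
            if (o + skip >= outsz)
                return -1;
            memcpy(out + o, in, skip);       /* the tag itself */
            o += skip;
            rest = in + skip + plen;         /* path without the prefix */
            keep = len - skip - plen;
            rewritten++;
        }
        if (o + keep >= outsz)
            return -1;
        memcpy(out + o, rest, keep);
        o += keep;
        in += len;
    }
    out[o] = '\0';
    return rewritten;
}

/* Number of header paths (token up to the first blank or tab, which is
 * where a timestamp may follow) that still contain a ".." component. */
int count_escaping_paths(const char *patch)
{
    int n = 0;

    while (*patch != '\0') {
        const char *eol = strchr(patch, '\n');
        size_t len = eol ? (size_t)(eol - patch) : strlen(patch);
        size_t skip;

        if (is_path_header(patch, &skip) && skip < len) {
            const char *p = patch + skip, *tok = p, *end = patch + len;
            while (tok < end && *tok != ' ' && *tok != '\t')
                tok++;
            if (has_dotdot(p, tok))
                n++;
        }
        patch += len + (eol ? 1 : 0);
    }
    return n;
}

int main(void)
{
    char fixed[sizeof SAMPLE_PATCH];
    int before = count_escaping_paths(SAMPLE_PATCH);
    int changed = strip_patch_prefix(SAMPLE_PATCH, "../RELENG_4_7/",
                                     fixed, sizeof fixed);

    printf("escaping header paths before: %d, rewritten: %d, after: %d\n",
           before, changed, count_escaping_paths(fixed));
    fputs(fixed, stdout);
    return 0;
}
```

A count of zero after rewriting is the precondition for running patch(1) from the tree root without `-p` surprises; a non-zero count before rewriting is the signal the thread spent three messages finding by hand.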
From owner-freebsd-security Fri Feb 28 17:07:06 2003
Date: Fri, 28 Feb 2003 18:09:34 -0700
From: Duncan Patton a Campbell
To: freebsd-security@FreeBSD.ORG
Subject: Security and FreeBSD
Message-Id: <20030228180934.2ee9429c.campbell@neotext.ca>
In-Reply-To: <20030228140201.GA61833@madman.celabo.org>
References: <20030227005035.GA99420@madman.celabo.org>
	<20030228.010621.58864322.yasu@utahime.org>
	<20030227160944.GA3238@madman.celabo.org>
	<20030228.014901.81279435.yasu@utahime.org>
	<20030227235901.GA84362@blossom.cjclark.org>
	<20030228140201.GA61833@madman.celabo.org>
Organization: Index Express Ltd.

We regularly get cyber attacks directed against our service. These have
only had some success: while DOS attacks have been successful in
limiting our service bandwidth we have not been taken down. This has
more to do with FreeBSD than our systems skills.

Because of this it appears that attacks directed against the
infrastructure between us and the net are becoming more common and
effective. Most recently, our dsl modem was given some serious amnesia.
Electrically, the thing checked out fine, just no memory no settings.
Might have been lightning but there was none.
Dhu

From owner-freebsd-security Sat Mar 1 06:18:42 2003
Date: Sat, 1 Mar 2003 08:18:34 -0600
From: "Jacques A. Vidrine"
To: cjclark@alum.mit.edu
Cc: KIMURA Yasuhiro, freebsd-security@FreeBSD.org
Subject: Re: Updated OpenSSL patches
Message-ID: <20030301141834.GA75133@madman.celabo.org>
In-Reply-To: <20030301011427.GA66850@blossom.cjclark.org>
References: <20030227005035.GA99420@madman.celabo.org>
	<20030228.010621.58864322.yasu@utahime.org>
	<20030227160944.GA3238@madman.celabo.org>
	<20030228.014901.81279435.yasu@utahime.org>
	<20030227235901.GA84362@blossom.cjclark.org>
	<20030228140201.GA61833@madman.celabo.org>
	<20030301011427.GA66850@blossom.cjclark.org>

On Fri, Feb 28, 2003 at 05:14:27PM -0800, Crist J. Clark wrote:
> On Fri, Feb 28, 2003 at 08:02:01AM -0600, Jacques A. Vidrine wrote:
> > Huh. *boggle*
> > Applying the patch to an entire source tree succeeds as well.
> > e.g.
> >
> >   cvs -Q co -rRELENG_4_7_0_RELEASE src
>
> I still get the errors when I apply against a whole, freshly
> checked-out tree. README and Makefile do not get patched and I end up
> with README.rej and Makefile.rej in src. In addition, mem_clr.c ends
> up in src, although the patch succeeds, and no copy resides in
> src/crypto/openssl/crypto... Although mem.c and mem_dbg.c in the same
> directory get patched fine. This is really weird.
>
> $ patch -v
> Patch version 2.1

Maddening. Hmm, I can't remember now whether or not I used `-P' when
checking out, but I likely did ... I wonder if that makes a difference
in this case.

> > You didn't write anything after that last `zcat ...' line, but I'm led
> > to believe that getting rid of the relative path in the patch file
> > resolved the problem? If that is the case, I will remove that path
> > from the existing patches and re-sign the patches.
>
> Yeah. Clearing that path worked.

I've done that and re-uploaded the patches.

> > Thanks for narrowing down the problem! Now, I don't suppose you want
> > to find and fix the issue in patch(1), do you? :-)
>
> Patch(1) is not pretty. I definitely am not going to have time this
> weekend. :-)

Cheers,
--
Jacques A. Vidrine                          http://www.celabo.org/
NTT/Verio SME      . FreeBSD UNIX       . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Sat Mar 1 13:33:02 2003
Date: Sat, 1 Mar 2003 16:32:55 -0500 (EST)
From: Alwyn Goodloe
To: freebsd-security@FreeBSD.ORG
Subject: IPSEC port filtering

In performing the setup for an experiment I have the following command:

setkey -c <