From owner-freebsd-security@FreeBSD.ORG Sun Sep 28 16:59:43 2003
Date: Mon, 29 Sep 2003 01:59:39 +0200
From: Philip Paeps
To: security@freebsd.org
Subject: Apache under attack and eating resources?

This might be more related to an Apache-security list, but as the machine is
running FreeBSD, I thought I'd ask here first.

In the last two weeks, I've been seeing some very strange errors in my logs a
few times daily around the same times. While this happens, load averages go
through the roof (I've seen 36+, which is outrageous), and the machine becomes
very unresponsive.

First there's a few million of these:

    httpd in free(): warning: recursive call

Many megs of logfiles, in fact, then, suddenly, I get some that yell:

    httpd in malloc(): warning: recursive call

Those are followed closely by:

    [Mon Sep 29 01:10:57 2003] [notice] child pid 88809 exit signal Segmentation fault (11)

And then it repeats, frequently saying these as well:

    httpd in free(): warning: page is already free
    FATAL: emalloc(): Unable to allocate 40 bytes
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 10 bytes)
    httpd in free(): warning: chunk is already free

My logs are filling up with these, and I'm not sure where to look.
Crossreferencing the times with vhost error logs and access logs isn't turning
up anything spectacular. The loads around the times when this occurs aren't
staggering either, so I'm thinking perhaps someone is DoS'ing my machine :-/

Has anyone else seen this problem recently? I found some posts in Google and
other archives mentioning Apache going berserk like this, but no real
solutions.

I have MaxClients set to 175, and Apache never complains about that being too
low. I don't have any particular ulimits set, as the defaults always worked
well. In fact, this is the first time I've ever seen a FreeBSD scream for
resources without me sitting at it and torturing it myself.

Any ideas?

Thanks!
 - Philip [worried]

-- 
Philip Paeps
Please don't CC me, I am subscribed to the list.

  A real diplomat is one who can cut his neighbor's throat
  without having his neighbor notice it.
    -- Trygve Lie

From owner-freebsd-security@FreeBSD.ORG Sun Sep 28 19:27:55 2003
Date: Sun, 28 Sep 2003 19:27:53 -0700
From: Avleen Vig
To: security@freebsd.org
Subject: Re: Apache under attack and eating resources?

On Mon, Sep 29, 2003 at 01:59:39AM +0200, Philip Paeps wrote:
> This might be more related to an Apache-security list, but as the machine is
> running FreeBSD, I thought I'd ask here first.
>
> In the last two weeks, I've been seeing some very strange errors in my logs a
> few times daily around the same times. While this happens, load averages go
> through the roof (I've seen 36+, which is outrageous), and the machine becomes
> very unresponsive.
>
> First there's a few million of these:

[snip]

Are you running any CGI's, or other server-side scripts? Bugs in your
scripts could cause things like this, and make it look like it's apache
which is at fault.

From owner-freebsd-security@FreeBSD.ORG Sun Sep 28 22:57:46 2003
Date: Mon, 29 Sep 2003 07:56:15 +0200
From: "Devon H. O'Dell"
To: bv@wjv.com
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD patch question

>>The handbook recommends that one drop into single user mode to
>>build the world. While this is certainly best practice, it is
>>by no means absolutely necessary.
>>
>
>Can you point this out - I've just looked at the handbook
>and I do NOT find anything like that in there. I see installworld
>in single, but not buildworld. This is from the handbook - note
>that it >recommends< installworld in single - though on my remote
>machines I've not had that luxury.
>

Thanks for the correction. This is, indeed, what I meant to say; my
choice of wording was rather poor.

--Devon

From owner-freebsd-security@FreeBSD.ORG Sun Sep 28 23:29:23 2003
Date: Mon, 29 Sep 2003 08:29:20 +0200
From: Philip Paeps
To: security@freebsd.org
Subject: Re: Apache under attack and eating resources?

On 2003-09-28 19:27:53 (-0700), Avleen Vig wrote:
> On Mon, Sep 29, 2003 at 01:59:39AM +0200, Philip Paeps wrote:
> > This might be more related to an Apache-security list, but as the machine
> > is running FreeBSD, I thought I'd ask here first.
> >
> > In the last two weeks, I've been seeing some very strange errors in my
> > logs a few times daily around the same times. While this happens, load
> > averages go through the roof (I've seen 36+, which is outrageous), and the
> > machine becomes very unresponsive.
> >
> > First there's a few million of these:
>
> [snip]
>
> Are you running any CGI's, or other server-side scripts? Bugs in your
> scripts could cause things like this, and make it look like it's apache
> which is at fault.

I forgot to mention I was running mod_php4 from the ports. I don't think any
scripts changed in the last few weeks, but I'll have a look into it. Any idea
what kind of script bugs could cause PHP to tear things down like this, other
than the classic loop from hell?

Thanks!

 - Philip

-- 
Philip Paeps
Please don't CC me, I am subscribed to the list.
  BOFH Excuse #34:
  (l)user error

From owner-freebsd-security@FreeBSD.ORG Sun Sep 28 23:36:57 2003
Date: Mon, 29 Sep 2003 08:35:20 +0200
From: "Devon H. O'Dell"
To: Philip Paeps
cc: security@freebsd.org
Subject: Re: Apache under attack and eating resources?

>I forgot to mention I was running mod_php4 from the ports. I don't think any
>scripts changed in the last few weeks, but I'll have a look into it. Any idea
>what kind of script bugs could cause PHP to tear things down like this, other
>than the classic loop from hell?
>
>Thanks!
>
> - Philip
>

PHP does a pretty good job from protecting against this. Installing
mod_php4 from ports will also turn on the --enable-memory-limit switch,
which causes PHP to terminate if more than x MB RAM are taken (this
shouldn't segfault Apache). The "classic loop from hell" should also be
undoable, since PHP has a 60 second execution time limit.

You might want to run your httpd process in gdb to see what's going on
when stuff segfaults. If this is indeed a problem with PHP, I'm sure the
developers would like to hear about it ASAP!

--Devon

From owner-freebsd-security@FreeBSD.ORG Mon Sep 29 00:05:44 2003
Date: Mon, 29 Sep 2003 09:05:42 +0200
From: Philip Paeps
To: security@freebsd.org
Subject: Re: Apache under attack and eating resources?

On 2003-09-29 08:35:20 (+0200), Devon H. O'Dell wrote:
> > I forgot to mention I was running mod_php4 from the ports. I don't think
> > any scripts changed in the last few weeks, but I'll have a look into it.
> > Any idea what kind of script bugs could cause PHP to tear things down like
> > this, other than the classic loop from hell?
>
> PHP does a pretty good job from protecting against this.

That's what I thought too, and I've never had this sort of issues before even
on development systems where wasteful and dangerous coding is a rule rather
than an exception.

> Installing mod_php4 from ports will also turn on the --enable-memory-limit
> switch, which causes PHP to terminate if more than x MB RAM are taken (this
> shouldn't segfault Apache).

In case I was misinterpreted: it's only a child or a number of children which
segfault, not the parent process. Grepping the massive logfile some more,
shows that it's not always a segfault either. Last night, one child also died
with an 'abort trap' and two days ago there was a 'bus error'. Curiouser and
curiouser...

> The "classic loop from hell" should also be undoable, since PHP has a 60
> second execution time limit.

I set it slightly higher for some scripts (none of which run at the times
Apache goes nuts). I've stresstested those like a madman though, and they
just won't damage anything.

> You might want to run your httpd process in gdb to see what's going on when
> stuff segfaults. If this is indeed a problem with PHP, I'm sure the
> developers would like to hear about it ASAP!

I'll look into that, thanks. Problem is that it's a production server and
debugging symbols and debuggers might be a bit of a hard sell. I'll see what
I can do though.
First there's finding out if it's really PHP causing problems and not
something like the phase of the moon or the relative proximities of Mars and
Venus to the Earth...

Thanks!

 - Philip

-- 
Philip Paeps
Please don't CC me, I am subscribed to the list.

  History repeats itself. That's one of the things wrong with history.

From owner-freebsd-security@FreeBSD.ORG Mon Sep 29 00:12:32 2003
Date: Mon, 29 Sep 2003 09:11:02 +0200
From: "Devon H. O'Dell"
To: Philip Paeps
cc: security@freebsd.org
Subject: Re: Apache under attack and eating resources?

>I'll look into that, thanks. Problem is that it's a production server and
>debugging symbols and debuggers might be a bit of a hard sell. I'll see what
>I can do though.
>

If it's really impossible to do (get debugging and such approved) and
these problems are happening with any frequency, you could ktrace some
processes. You're bound to have some luck there.

--Devon

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 10:28:58 2003
Date: Fri, 26 Sep 2003 10:28:54 -0700
From: Cy Schubert
To: Tillman Hodgson
cc: freebsd-security@freebsd.org
Subject: Re: unified authentication

In message <20030925130356.S18252@seekingfire.com>, Tillman Hodgson writes:
> On Thu, Sep 25, 2003 at 12:58:25PM -0400, Matthew George wrote:
> > On Thu, 25 Sep 2003, Robert Watson wrote:
> >
> > > Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> > > access) between a set of trusted hosts, with no modifications to the
> > > privileged port set, should be fairly safe against unprivileged users
> > > logged into the machines. The same goes for NFS. If you break any of
> > > these assumptions, then the security properties go out the window.
> >
> > It should probably also be noted that when using NIS in a multi-platform
> > environment, UNSECURE="True" must be set in /var/yp/Makefile. When using
> > FreeBSD machines only, the passwd maps are generated without password
> > fields, the master.passwd maps are generated with them, and only requests
> > from privileged ports (superuser requests) will be given the master.passwd
> > maps (hence the comment above about modifying the privileged port set).
> > Other operating systems' NIS implementations require the password fields
> > to be in the passwd maps, which are available to unprivileged users.
>
> Or one could put something like "*" or "krb5" in the password field and
> use Kerberos with NIS to obtain extra security in a cross-platform
> environment.

I've been doing that for years on Solaris using MIT KRB5 and NIS+. Works
like a charm.

Cheers,
-- 
Cy Schubert                     http://www.komquats.com/
BC Government                 . FreeBSD UNIX
Cy.Schubert@osg.gov.bc.ca     . cy@FreeBSD.org
http://www.gov.bc.ca/         . http://www.FreeBSD.org/

From owner-freebsd-security@FreeBSD.ORG Mon Sep 29 12:51:23 2003
Date: Mon, 29 Sep 2003 15:51:22 -0400
From: Bryan Fullerton
To: security@freebsd.org
Subject: FreeBSD-SA-03:15.openssh

In RELENG_4_8 /usr/src/UPDATING, I see:

    20030924: p9 FreeBSD-SA-03:15.openssh
        Fix PAM-related bugs in OpenSSH's challenge/response code.

But there's no mention of FreeBSD-SA-03:15.openssh on this list, the
security-notifications list, the web site, the ftp site, etc.

Is this advisory still pending? or is UPDATING just mislabeled?

Thanks,

Bryan

From owner-freebsd-security@FreeBSD.ORG Mon Sep 29 17:12:40 2003
Date: Mon, 29 Sep 2003 20:12:37 -0400
From: Jim Brown
To: freebsd-security@freebsd.org
Subject: Apache 'attack' etc.

I had this happen yesterday on my laptop running 4.8-RELEASE.

I have Apache and mod_perl running, but not PHP. At the time
I was doing Mason development using both Konqueror and
Linux Netscape.

In my case it was a script bug which I fixed and the problem
did not reoccur.

My laptop is NATted behind a firewall and I have Apache listening
on 127.0.0.1 port 80. Chances of it being a real network attack
are very remote.
Best Regards, jpb === From owner-freebsd-security@FreeBSD.ORG Mon Sep 29 17:26:41 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C78616A4B3; Mon, 29 Sep 2003 17:26:41 -0700 (PDT) Received: from arginine.spc.org (arginine.spc.org [195.206.69.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5945143FCB; Mon, 29 Sep 2003 17:26:40 -0700 (PDT) (envelope-from bms@spc.org) Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id EC3C1654E3; Tue, 30 Sep 2003 01:26:38 +0100 (BST) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 53011-01-7; Tue, 30 Sep 2003 01:26:38 +0100 (BST) Received: from saboteur.dek.spc.org (lardystuffer.demon.co.uk [212.228.40.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by arginine.spc.org (Postfix) with ESMTP id 074C3654DD; Tue, 30 Sep 2003 01:26:37 +0100 (BST) Received: by saboteur.dek.spc.org (Postfix, from userid 1001) id 5A45639; Tue, 30 Sep 2003 01:26:24 +0100 (BST) Date: Tue, 30 Sep 2003 01:26:24 +0100 From: Bruce M Simpson To: Ruslan Ermilov Message-ID: <20030930002624.GB17597@saboteur.dek.spc.org> References: <200309241429.h8OETrhk097904@freefall.freebsd.org> <3F71ADCA.7090408@tenebras.com> <20030924162111.GA23542@sunbay.com> <20030924173900.GK650@saboteur.dek.spc.org> <20030924174632.GB31618@sunbay.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030924174632.GB31618@sunbay.com> cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 
30 Sep 2003 00:26:41 -0000 Hi Ruslan, On Wed, Sep 24, 2003 at 08:46:32PM +0300, Ruslan Ermilov wrote: > > > I still have not committed the code that supports static ARP > > > on an interface -- there's currently no way to do static ARP > > > only, if you disable ARP on an interface it will be disabled > > > in its whole. > > > > I'd like to review and potentially test this patch before it goes in, as it > > sounds interesting and useful to us. > > > Attached. I've had a chance to give this a quick test and it operates as expected. I don't see a problem with this going in, but be aware of the changes which might be needed if we go with NetBSD's arp code in future (which is a lot cleaner than the code we have at present). BMS From owner-freebsd-security@FreeBSD.ORG Mon Sep 29 20:27:38 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD25516A509 for ; Mon, 29 Sep 2003 20:27:38 -0700 (PDT) Received: from web41204.mail.yahoo.com (web41204.mail.yahoo.com [66.218.93.37]) by mx1.FreeBSD.org (Postfix) with SMTP id C57FB43FF3 for ; Mon, 29 Sep 2003 20:27:35 -0700 (PDT) (envelope-from e_chelon@yahoo.com) Message-ID: <20030930032735.73176.qmail@web41204.mail.yahoo.com> Received: from [218.102.23.28] by web41204.mail.yahoo.com via HTTP; Mon, 29 Sep 2003 20:27:35 PDT Date: Mon, 29 Sep 2003 20:27:35 -0700 (PDT) From: echelon To: freebsd-stable@freebsd.org, freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: IPFILTER_DEFAULT_BLOCK & No route to host X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Sep 2003 03:27:39 -0000 Hi, After the option IPFILTER_DEFAULT_BLOCK is specified at kernel conf on FreeBSD 4.8 stable (cvsup'd with tag 
RELENG_4_8), the machine cannot be ping'd by others on the same network. In addition, the machine cannot ping itself. ping localhost (or 127.0.0.1) -> no route to host ping itself with its own ip address -> no route to host The freebsd box, with an external pppoe connection, is configured as a gateway with nat. Interestingly, all machines on the lan can access the internet via the freebsd box normally even though the freebsd box cannot be ping'd from these machines. The routing table is fine. All these problems go away if I remove the option IPFILTER_DEFAULT_BLOCK from the kernel conf. I make clean before buildworld/kernel. Thank you. e_chelon __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From owner-freebsd-security@FreeBSD.ORG Mon Sep 29 21:10:09 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 57DF416A4B3 for ; Mon, 29 Sep 2003 21:10:09 -0700 (PDT) Received: from shadowspawn.unix.org.au (unix.org.au [202.22.160.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id C9C5D44032 for ; Mon, 29 Sep 2003 21:10:07 -0700 (PDT) (envelope-from talon@unix.org.au) Received: from forsaken.unix.org.au (shadowspawn.unix.org.au [10.0.0.20]) by shadowspawn.unix.org.au (Postfix) with SMTP id C86A57457B for ; Tue, 30 Sep 2003 14:14:22 +1000 (EST) Date: Tue, 30 Sep 2003 14:14:12 +1000 From: Jason To: freebsd-security@freebsd.org Message-Id: <20030930141412.0443f6b4.talon@unix.org.au> In-Reply-To: <20030930032735.73176.qmail@web41204.mail.yahoo.com> References: <20030930032735.73176.qmail@web41204.mail.yahoo.com> Organization: Data Storm X-Mailer: Sylpheed version 0.9.3claws (GTK+ 1.2.10; i386-portbld-freebsd4.8) X-Operating-System: Mime-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="L0+3vfn3=.5R8LvD" Subject: Re: 
IPFILTER_DEFAULT_BLOCK & No route to host X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Sep 2003 04:10:09 -0000 --L0+3vfn3=.5R8LvD Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Mon, 29 Sep 2003 20:27:35 -0700 (PDT) echelon wrote: > Hi, > > After the option IPFILTER_DEFAULT_BLOCK is specified at kernel conf on FreeBSD 4.8 stable (cvsup'd > with tag RELENG_4_8), the machine cannot be ping'd by others on the same network. > > Thank you. > e_chelon > This is IPF's proper behavior You will need to add some rules to your ipf.rules file. try adding the rules, pass in quick on lo0 all pass out quick on lo0 all pass in log quick on (some nic) all pass out log quick on (some nic) all run /sbin/ipf -Fa -f /etc/ipf.rules when your done :) -- Talon --L0+3vfn3=.5R8LvD Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE/eQMeklIE3tOD8U8RArLtAKCOrFoYENcuFugmdC5Gia+3j6H5+gCfZa2h u4FRcq5k3DtDVvFAfa+SZUc= =nvQz -----END PGP SIGNATURE----- --L0+3vfn3=.5R8LvD-- From owner-freebsd-security@FreeBSD.ORG Mon Sep 29 23:09:27 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C86E16A4B3 for ; Mon, 29 Sep 2003 23:09:27 -0700 (PDT) Received: from amk-drives.bg (ns.amk-drives.bg [62.73.77.208]) by mx1.FreeBSD.org (Postfix) with SMTP id 37DE643FAF for ; Mon, 29 Sep 2003 23:09:20 -0700 (PDT) (envelope-from niki@amk-drives.bg) Received: (qmail 70413 invoked by uid 1005); 30 Sep 2003 06:03:57 -0000 Received: from unknown (HELO kanchev) (192.168.0.13) by 192.168.0.100 with SMTP; 30 Sep 2003 06:03:55 -0000 Message-ID: <009201c38729$085430d0$0d00a8c0@amkdrives.bg> From: "Nikolay Kanchev" To: "echelon" , 
Date: Tue, 30 Sep 2003 09:01:13 +0100
Subject: Re: IPFILTER_DEFAULT_BLOCK & No route to host

You should enable the ICMP protocol to your server from wherever you want - LAN or outside. The ICMP
protocol is used by the ping utility.
When you add IPFILTER_DEFAULT_BLOCK, your firewall stops everything that is not allowed, including
ICMP packets, and you can't ping the server.

----- Original Message -----
From: "echelon"
Sent: Tuesday, September 30, 2003 4:27 AM
Subject: IPFILTER_DEFAULT_BLOCK & No route to host

> Hi,
>
> After the option IPFILTER_DEFAULT_BLOCK is specified at kernel conf on FreeBSD 4.8 stable (cvsup'd
> with tag RELENG_4_8), the machine cannot be ping'd by others on the same network.
>
> In addition, the machine cannot ping itself.
>
> ping localhost (or 127.0.0.1) -> no route to host
> ping itself with its own ip address -> no route to host
>
> The freebsd box, with an external pppoe connection, is configured as a gateway with nat.
> Interestingly, all machines on the lan can access the internet via the freebsd box normally even
> though the freebsd box cannot be ping'd from these machines.
>
> The routing table is fine. All these problems go away if I remove the option
> IPFILTER_DEFAULT_BLOCK from the kernel conf. I make clean before buildworld/kernel.
>
>
> Thank you.
> e_chelon

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 04:23:26 2003
Date: Tue, 30 Sep 2003 04:23:25 -0700 (PDT)
From: echelon
To: Darren Reed
cc: freebsd-security@freebsd.org
cc: freebsd-stable@freebsd.org
Subject: Re: IPFILTER_DEFAULT_BLOCK & No route to host

Ok, maybe this is fine to get "No route to host" when pinging 127.0.0.1/localhost if the
IPFILTER_DEFAULT_BLOCK option is set.
However, I use the following rules for the internal network interface (xl1)

# Group 9000 (internal network interface)
block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
pass in quick on xl1 all group 9000

With these rules, I believe I should be able to ping and SSH the freebsd box from my internal
network no matter whether the option IPFILTER_DEFAULT_BLOCK is set or not. However, this is true
only if the IPFILTER_DEFAULT_BLOCK option is removed.

The same rules were used with IPFilter 3.4.18 on FreeBSD 4.2 and no such problem was encountered.

Thanks.
e_chelon

--- Darren Reed wrote:
>
> That's how it is meant to work.
>
> Good to know it's working as intended.
>
> Cheers,
> Darren
>

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 07:51:20 2003
To: Bryan Fullerton
From: des@des.no (Dag-Erling Smørgrav)
Date: Tue, 30 Sep 2003 16:51:12 +0200
cc: security@freebsd.org
Subject: Re: FreeBSD-SA-03:15.openssh

Bryan Fullerton writes:
> In RELENG_4_8 /usr/src/UPDATING, I see:
>
> 20030924: p9 FreeBSD-SA-03:15.openssh
>         Fix PAM-related bugs in OpenSSH's challenge/response code.
>
> But there's no mention of FreeBSD-SA-03:15.openssh on this list,
> the security-notifications list, the web site, the ftp site, etc.
> Is this advisory still pending? or is UPDATING just mislabeled?

The advisory is still being written. It will be released RSN.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 07:54:47 2003
To: echelon
From: des@des.no (Dag-Erling Smørgrav)
Date: Tue, 30 Sep 2003 16:54:40 +0200
cc: freebsd-security@freebsd.org
cc: freebsd-stable@freebsd.org
cc: Darren Reed
Subject: Re: IPFILTER_DEFAULT_BLOCK & No route to host

echelon writes:
> However, I use the following rules for the internal network interface (xl1)
>
> # Group 9000 (internal network interface)
> block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
> block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
> pass in quick on xl1 all group 9000
>
> With these rules, I believe I should be able to ping and SSH the
> freebsd box from my internal network no matter the option
> IPFILTER_DEFAULT_BLOCK is set or not.

You're only letting traffic *in*. You're not letting anything *out*.
TCP, like love, is a two-way street.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 08:12:42 2003
Date: Tue, 30 Sep 2003 11:09:39 -0400 (EDT)
From: Justin
To: Dag-Erling Smørgrav
cc: freebsd-security@freebsd.org
cc: echelon
cc: freebsd-stable@freebsd.org
cc: Darren Reed
Subject: Re: IPFILTER_DEFAULT_BLOCK & No route to host

On Tue, 30 Sep 2003, Dag-Erling Smørgrav wrote:

> echelon writes:
> > However, I use the following rules for the internal network interface (xl1)
> >
> > # Group 9000 (internal network interface)
> > block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
> > block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
> > pass in quick on xl1 all group 9000
> >
> > With these rules, I believe I should be able to ping and SSH the
> > freebsd box from my internal network no matter the option
> > IPFILTER_DEFAULT_BLOCK is set or not.
>
> You're only letting traffic *in*. You're not letting anything *out*.
> TCP, like love, is a two-way street.

And if you want to keep it that way from a connection, rather than packet,
point of view, use the "keep state" option on your pass in rule.

-Justin

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 13:31:52 2003
Date: Tue, 30 Sep 2003 15:31:50 -0500
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Subject: OpenSSL heads-up

Hello Everyone,

You may have seen the recent announcement regarding new OpenSSL
vulnerabilities. Just thought I'd drop a line to head off the usual
questions. :-)

Don't panic. The vulnerability is denial-of-service.
OpenSSL 0.9.7c will be imported into -CURRENT and -STABLE over the next
couple of days, and included in 4.9-RELEASE. Fixes for the security
branches will be backported and incorporated over the next week.

Don't expect to see a security advisory until most or all of the commits
have been made.

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 14:45:23 2003
From: Dragos Ruiu
To: "Jacques A. Vidrine", freebsd-security@FreeBSD.org
Date: Tue, 30 Sep 2003 14:43:37 -0700
Subject: Re: OpenSSL heads-up

On September 30, 2003 01:31 pm, Jacques A. Vidrine wrote:
> Don't panic. The vulnerability is denial-of-service.

On September 30, 2003 07:52 am, Chris Wysopal wrote on Vulnwatch:
> Three specific vulnerabilities have been discovered in the OpenSSL
> libraries. Two of these could allow a Denial of Service attack, the third
> may result in an attacker being able to execute malicious code under
> certain conditions.

Please clarify. Conflicting information.

thanks,
--dr

-- 
Top security experts. Cutting edge tools, techniques and information.
Tokyo, Japan November, 2003 http://www.pacsec.jp
pgpkey http://dragos.com/ kyxpgp

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 14:50:01 2003
Date: Tue, 30 Sep 2003 16:49:58 -0500
From: "Jacques A. Vidrine"
To: Dragos Ruiu
cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSL heads-up

On Tue, Sep 30, 2003 at 02:43:37PM -0700, Dragos Ruiu wrote:
> On September 30, 2003 01:31 pm, Jacques A. Vidrine wrote:
> > Don't panic. The vulnerability is denial-of-service.
>
> On September 30, 2003 07:52 am, Chris Wysopal wrote on Vulnwatch:
> > Three specific vulnerabilities have been discovered in the OpenSSL
> > libraries. Two of these could allow a Denial of Service attack, the third
> > may result in an attacker being able to execute malicious code under
> > certain conditions.
>
> Please clarify. Conflicting information.

1. Certain ASN.1 encodings that are rejected as invalid by the parser
   can trigger a bug in the deallocation of the corresponding data
   structure, corrupting the stack. This can be used as a denial of
   service attack. It is currently unknown whether this can be
   exploited to run malicious code. This issue does not affect
   OpenSSL 0.9.6.

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Wed Oct 1 08:46:14 2003
From: "hutchens"
Date: Wed, 1 Oct 2003 11:45:43 -0400
Subject: chkrootkit 0.42 & 4.7-REL... "[: -ne: argument expected".... huh?

Good morning all;

Whilst running chkrootkit 0.42 on one of my 4.7-REL boxen it reported :

Checking 'biff'...not infected
]: not found
[: -ne: argument expected
Checking 'chfn'...not infected
]: not found
[: -ne: argument expected

I've been unable to locate any information ref. the " ]: not found " and "
[: -ne: argument expected " messages. If someone out there is familiar with
this please clue me in!

Thanks for y'all's time.

Sincerely;

David Hutchens III
Network Technician
DRS Surveillance Support Systems - A division of DRS Technologies.
(727) 541-6681 ext.3313
david.hutchens@drs-sss.com

From owner-freebsd-security@FreeBSD.ORG Wed Oct 1 09:01:52 2003
To: "hutchens"
From: Norbert Koch
Date: Wed, 01 Oct 2003 18:03:20 +0200
cc: freebsd-security@freebsd.org
Subject: Re: chkrootkit 0.42 & 4.7-REL... "[: -ne: argument expected".... huh?

"hutchens" writes:

> I've been unable to locate any information ref. the " ]: not found " and "
> [: -ne: argument expected " messages. If someone out there is familiar with
> this please clue me in!
[...]

chkrootkit is a sh-script. These messages are errors in the script
itself, most of the time unset or empty variables.

norbert.
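
The failure class described in the reply above, as an added example (not code from chkrootkit or from anyone in this thread; the function names and sample inputs are constructed). An empty value expanded unquoted inside `[ ... -ne 0 ]` makes the test itself fail, and an `if` around it cannot tell that failure from a clean result; the hardened version reports an unusable input as its own outcome.

```shell
#!/bin/sh
# Added illustration; names and inputs are constructed, not taken from chkrootkit.

# Fragile: the value is expanded unquoted. An empty value collapses the test
# to `[ -ne 0 ]`, a usage error (the "[: -ne: argument expected" message
# reported in this thread); a value containing a space gives `[ 1 2 -ne 0 ]`,
# also an error. Both make `[` exit with a status above 1.
count_is_nonzero_fragile() {
    count=$1
    [ $count -ne 0 ] 2>/dev/null
}

# `if` only separates status 0 from everything else, so the usage error
# takes the same branch as a genuine "zero hits" result.
verdict_fragile() {
    if count_is_nonzero_fragile "$1"; then
        echo "INFECTED"
    else
        echo "not infected"
    fi
}

# Hardened: validate the input first, then quote the expansion.
# Returns 0 = nonzero count, 1 = zero, 2 = input is not a plain integer.
count_is_nonzero() {
    case $1 in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -ne 0 ]
}

# Three outcomes instead of two: a check that could not run is reported as
# such rather than being folded into "not infected".
verdict() {
    rc=0
    count_is_nonzero "$1" || rc=$?
    case $rc in
        0) echo "INFECTED" ;;
        1) echo "not infected" ;;
        *) echo "check failed" ;;
    esac
}

# Constructed inputs: a hit count, zero, an empty value, and a two-word value.
for sample in 3 0 "" "1 2"; do
    printf 'input=[%s] fragile="%s" hardened="%s"\n' \
        "$sample" "$(verdict_fragile "$sample")" "$(verdict "$sample")"
done
```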

From owner-freebsd-security@FreeBSD.ORG Wed Oct 1 12:06:11 2003
From: "hutchens"
To: "'Norbert Koch'"
Date: Wed, 1 Oct 2003 15:05:38 -0400
cc: freebsd-security@freebsd.org
Subject: RE: chkrootkit 0.42 & 4.7-REL... "[: -ne: argument expected".... huh?

Thanks for the info - greatly appreciated.

Sincerely;

David Hutchens III
Network Technician
DRS Surveillance Support Systems - A division of DRS Technologies.
(727) 541-6681 ext.3313
david.hutchens@drs-sss.com

> -----Original Message-----
> From: Norbert Koch [mailto:nk@viteno.net]
> Sent: Wednesday, October 01, 2003 12:03 PM
> To: Hutchens, David
> Cc: freebsd-security@freebsd.org
> Subject: Re: chkrootkit 0.42 & 4.7-REL... "[: -ne: argument expected".... huh?
>
>
> "hutchens" writes:
>
> > I've been unable to locate any information ref. the " ]: not found " and "
> > [: -ne: argument expected " messages. If someone out there is familiar with
> > this please clue me in!
> [...]
>
> chkrootkit is a sh-script. These messages are errors in the script
> itself, most of the time unset or empty variables.
>
> norbert.
>

From owner-freebsd-security@FreeBSD.ORG Wed Oct 1 12:52:39 2003
Date: Wed, 1 Oct 2003 15:54:04 -0400
From: Anthony Schneider
To: hutchens, freebsd-security@freebsd.org
Subject: Re: chkrootkit 0.42 & 4.7-REL... "[: -ne: argument expected".... huh?

On Wed, Oct 01, 2003 at 06:03:20PM +0200, Norbert Koch wrote:

> chkrootkit is a sh-script. These messages are errors in the script
> itself, most of the time unset or empty variables.

or un-quoted...

> norbert.

-Anthony.

From owner-freebsd-security@FreeBSD.ORG Thu Oct 2 04:37:29 2003
From: Luiz Eduardo Roncato Cordeiro
To: freebsd-security@freebsd.org
Date: Thu, 2 Oct 2003 08:37:18 -0300
Reply-To: cordeiro@luinil.nic.br
Subject: Re: chkrootkit 0.42 & 4.7-REL... "[: -ne: argument expected".... huh?

Sorry, the new version (0.42b) of chkrootkit fixes these errors.

Regards,
Cordeiro

On Wednesday 01 October 2003 12:45, "hutchens" wrote:
> Good morning all;
>
> Whilst running chkrootkit 0.42 on one of my 4.7-REL boxen it reported :
>
> Checking 'biff'...not infected
> ]: not found
> [: -ne: argument expected
> Checking 'chfn'...not infected
> ]: not found
> [: -ne: argument expected
>
> I've been unable to locate any information ref. the " ]: not found " and "
> [: -ne: argument expected " messages. If someone out there is familiar with
> this please clue me in!
>
> Thanks for y'all's time.
>
>
> Sincerely;
>
> David Hutchens III
> Network Technician
> DRS Surveillance Support Systems - A division of DRS Technologies.
> (727) 541-6681 ext.3313
> david.hutchens@drs-sss.com

From owner-freebsd-security@FreeBSD.ORG Thu Oct 2 10:08:48 2003
Date: Thu, 2 Oct 2003 12:08:44 -0500
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Subject: HEADS UP: upcoming security advisories

Hello Folks,

Just a status on upcoming advisories.

FreeBSD-SA-03:15.openssh
  This is in final review and should be released today.
  Fixes for this issue entered the tree on September 24. I apologize
  for the delay in getting this one out.

FreeBSD-SA-03:16.filedesc
  A reference counting bug was discovered that could lead to kernel
  memory disclosure or a system panic. Fixes for this issue were
  committed to -CURRENT, -STABLE, and the security branches earlier
  today. This bug was reported to us by Joost Pol of Pine Digital
  Security, and their advisory just went onto the web:

FreeBSD-SA-03:17.procfs
  Several similar bugs involving integer arithmetic underflows or
  overflows were identified, again by Joost Pol. These bugs could
  also lead to kernel memory disclosure or system panic. Fixes for
  this issue are in -CURRENT and -STABLE. The security branches will
  be addressed during the rest of the day.

FreeBSD-SA-03:18.openssl
  The issue reported at affects the version of OpenSSL included with
  previous versions of FreeBSD. The impact is limited to
  denial-of-service. Because of the relative severity of the above
  issues, this openssl issue will likely not be completely dealt with
  until tomorrow or even Saturday. The official fixed version,
  OpenSSL 0.9.7c, was imported into -CURRENT yesterday, and will be
  MFC'd to -STABLE today, but it will be a bit longer to backport
  fixes for the security branches.

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Thu Oct 2 10:37:40 2003
Date: Thu, 2 Oct 2003 10:37:38 -0700 (PDT)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-03:16.filedesc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:16.filedesc                                   Security Advisory
                                                          The FreeBSD Project

Topic:          file descriptor leak in readv

Category:       core
Module:         kernel
Announced:      2003-10-02
Credits:        Joost Pol
Affects:        FreeBSD 4.3-RELEASE through 4.8-RELEASE
                4-STABLE prior to the correction date
Corrected:      2003-10-02 15:08:01 UTC (RELENG_4, 4.9-RC)
                2003-10-02 15:54:48 UTC (RELENG_4_8, 4.8-RELEASE-p11)
                2003-10-02 15:55:54 UTC (RELENG_4_7, 4.7-RELEASE-p21)
                2003-10-02 15:56:56 UTC (RELENG_4_6, 4.6-RELEASE-p24)
                2003-10-02 15:57:48 UTC (RELENG_4_5, 4.5-RELEASE-p35)
                2003-10-02 15:58:53 UTC (RELENG_4_4, 4.4-RELEASE-p45)
                2003-10-02 16:05:44 UTC (RELENG_4_3, 4.3-RELEASE-p41)
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The readv(2) system call performs a scatter read: it reads from the
input file descriptor and stores the data into multiple buffers as
instructed by the caller.

II.  Problem Description

A programming error in the readv system call can result in the given
file descriptor's reference count being erroneously incremented.

III. Impact

A local attacker may cause the operating system to crash by repeatedly
calling readv on a file descriptor until the reference count wraps to
a negative value, and then calling close on that file descriptor.

Similarly, it may be possible to cause a file descriptor to reference
unallocated kernel memory, but remain valid. If a new file is later
opened and the kernel allocates the new file structure at the same
memory location, then an attacker may be able to gain read or write
access to that file. This may in turn lead to privilege escalation.

IV.  Workaround

There is no workaround.

V.   Solution

The following patch has been verified to apply to FreeBSD 4.3, 4.4,
4.5, 4.6, 4.7, and 4.8 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:16/filedesc.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:16/filedesc.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                            Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/kern/sys_generic.c                      1.55.2.11
RELENG_4_8
  src/UPDATING                                    1.73.2.80.2.13
  src/sys/conf/newvers.sh                         1.44.2.29.2.12
  src/sys/kern/sys_generic.c                      1.55.2.10.12.1
RELENG_4_7
  src/UPDATING                                    1.73.2.74.2.24
  src/sys/conf/newvers.sh                         1.44.2.26.2.23
  src/sys/kern/sys_generic.c                      1.55.2.10.10.1
RELENG_4_6
  src/UPDATING                                    1.73.2.68.2.53
  src/sys/conf/newvers.sh                         1.44.2.23.2.41
  src/sys/kern/sys_generic.c                      1.55.2.10.8.1
RELENG_4_5
  src/UPDATING                                    1.73.2.50.2.52
  src/sys/conf/newvers.sh                         1.44.2.20.2.36
  src/sys/kern/sys_generic.c                      1.55.2.10.6.1
RELENG_4_4
  src/UPDATING                                    1.73.2.43.2.53
  src/sys/conf/newvers.sh                         1.44.2.17.2.44
  src/sys/kern/sys_generic.c                      1.55.2.10.4.1
RELENG_4_3
  src/UPDATING                                    1.73.2.28.2.40
  src/sys/conf/newvers.sh                         1.44.2.14.2.30
  src/sys/kern/sys_generic.c                      1.55.2.10.2.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/fGDRFdaIBMps37IRAnkpAKCFM8MrujjJN1tc4lZwii573usNvgCfdBeP
APcFpW5FsH+sLkWczgjj6eE=
=6zO7
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Oct 2 10:45:33 2003
Date: Thu, 2 Oct 2003 12:45:05 -0500
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Message-ID: <20031002174505.GA66829@madman.celabo.org>
References: <20031002170844.GA66592@madman.celabo.org>
In-Reply-To: <20031002170844.GA66592@madman.celabo.org>
Subject: Workaround for procfs (was Re: HEADS UP: upcoming security advisories)

On Thu, Oct 02, 2003 at 12:08:44PM -0500, Jacques A.
Vidrine wrote:
> FreeBSD-SA-03:17.procfs
>   Several similar bugs involving integer arithmetic underflows
>   or overflows were identified, again by Joost Pol. These bugs
>   could also lead to kernel memory disclosure or system panic.
>   Fixes for this issue are in -CURRENT and -STABLE. The security
>   branches will be addressed during the rest of the day.
>

Regarding this issue: A simple workaround is to unmount /proc.
Execute the following command as root:

    umount -a -t procfs

Also, remove or comment out any lines in fstab(5) that reference
`procfs', so that it will not be re-mounted at next reboot.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Fri Oct 3 07:30:43 2003
Date: Fri, 3 Oct 2003 07:30:36 -0700 (PDT)
Message-Id: <200310031430.h93EUaGd045203@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-03:17.procfs
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:17.procfs                                     Security Advisory
                                                          The FreeBSD Project

Topic:          kernel memory disclosure via procfs

Category:       core
Module:         sys
Announced:      2003-10-03
Credits:        Joost Pol
Affects:        All FreeBSD releases
Corrected:      2003-10-03 12:03:50 UTC (RELENG_4, 4.9-RC)
                2003-10-03 13:02:17 UTC (RELENG_5_1, 5.1-RELEASE-p9)
                2003-10-03 13:02:49 UTC (RELENG_5_0, 5.0-RELEASE-p17)
                2003-10-03 13:03:44 UTC (RELENG_4_8, 4.8-RELEASE-p12)
                2003-10-03 13:04:19 UTC (RELENG_4_7, 4.7-RELEASE-p22)
                2003-10-03 13:05:05 UTC (RELENG_4_6, 4.6-RELEASE-p25)
                2003-10-03 13:05:44 UTC (RELENG_4_5, 4.5-RELEASE-p36)
                2003-10-03 13:06:32 UTC (RELENG_4_4, 4.4-RELEASE-p46)
                2003-10-03 13:07:37 UTC (RELENG_4_3, 4.3-RELEASE-p42)
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The process file system, procfs(5), implements a view of the system
process table inside the file system. It is normally mounted on
/proc, and is required for the complete operation of programs such as
ps(1) and w(1).

The Linux process file system, linprocfs(5), emulates a subset of
Linux's process file system and is required for the complete operation
of some Linux binaries.

II.  Problem Description

The procfs and linprocfs implementations use uiomove(9) and the
related `struct uio' in order to fulfill read and write requests.
Several cases were identified where members of `struct uio' were not
properly validated before being used.
In particular, the `uio_offset' member may be negative or extremely
large, and was used to compute the region of kernel memory to be
returned to the user.

III. Impact

A malicious local user could arrange to use a negative or extremely
large offset when reading from a procfs ``file'', causing a system
crash, or causing the kernel to return a large portion of kernel
memory. Such memory might contain sensitive information, such as
portions of the file cache or terminal buffers. This information
might be directly useful, or it might be leveraged to obtain elevated
privileges in some way. For example, a terminal buffer might include
a user-entered password.

IV.  Workaround

Unmount the procfs and linprocfs filesystems if they are mounted.
Execute the following command as root:

    umount -a -t procfs,linprocfs

Also, remove or comment out any lines in fstab(5) that reference
`procfs' or `linprocfs', so that they will not be re-mounted at
next reboot.

V.   Solution

1) Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_1,
RELENG_4_8, or RELENG_4_7 security branch dated after the correction
date.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.3]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:17/procfs43.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:17/procfs43.patch.asc

[FreeBSD 4.4 and later 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:17/procfs4x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:17/procfs4x.patch.asc

[FreeBSD 5.0]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:17/procfs50.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:17/procfs50.patch.asc

[FreeBSD 5.1]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:17/procfs51.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:17/procfs51.patch.asc

b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                            Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/i386/linux/linprocfs/linprocfs_misc.c   1.3.2.9
  src/sys/kern/kern_subr.c                        1.31.2.3
  src/sys/miscfs/procfs/procfs_dbregs.c           1.4.2.4
  src/sys/miscfs/procfs/procfs_fpregs.c           1.11.2.4
  src/sys/miscfs/procfs/procfs_regs.c             1.10.2.4
  src/sys/miscfs/procfs/procfs_rlimit.c           1.5.2.1
  src/sys/miscfs/procfs/procfs_status.c           1.20.2.5
  src/sys/sys/uio.h                               1.11.2.2
RELENG_5_1
  src/UPDATING                                    1.251.2.11
  src/sys/conf/newvers.sh                         1.50.2.11
  src/sys/fs/procfs/procfs_dbregs.c               1.22.2.1
  src/sys/fs/procfs/procfs_fpregs.c               1.28.2.1
  src/sys/fs/procfs/procfs_regs.c                 1.27.2.1
  src/sys/fs/pseudofs/pseudofs_vnops.c            1.35.2.1
  src/sys/kern/kern_subr.c                        1.74.2.1
  src/sys/sys/uio.h                               1.27.2.1
RELENG_5_0
  src/UPDATING                                    1.229.2.23
  src/sys/conf/newvers.sh                         1.48.2.18
  src/sys/fs/procfs/procfs_dbregs.c               1.21.2.1
  src/sys/fs/procfs/procfs_fpregs.c               1.27.2.1
  src/sys/fs/procfs/procfs_regs.c                 1.26.2.1
  src/sys/fs/pseudofs/pseudofs_vnops.c            1.32.2.1
  src/sys/kern/kern_subr.c                        1.63.2.1
  src/sys/sys/uio.h                               1.23.2.1
RELENG_4_8
  src/UPDATING                                    1.73.2.80.2.14
  src/sys/conf/newvers.sh                         1.44.2.29.2.13
  src/sys/i386/linux/linprocfs/linprocfs_misc.c   1.3.2.8.10.1
  src/sys/kern/kern_subr.c                        1.31.2.2.6.1
  src/sys/miscfs/procfs/procfs_dbregs.c           1.4.2.3.8.1
  src/sys/miscfs/procfs/procfs_fpregs.c           1.11.2.3.8.1
  src/sys/miscfs/procfs/procfs_regs.c             1.10.2.3.8.1
  src/sys/miscfs/procfs/procfs_rlimit.c           1.5.14.1
  src/sys/miscfs/procfs/procfs_status.c           1.20.2.4.8.1
  src/sys/sys/uio.h                               1.11.2.1.8.1
RELENG_4_7
  src/UPDATING                                    1.73.2.74.2.25
  src/sys/conf/newvers.sh                         1.44.2.26.2.24
  src/sys/i386/linux/linprocfs/linprocfs_misc.c   1.3.2.8.8.1
  src/sys/kern/kern_subr.c                        1.31.2.2.4.1
  src/sys/miscfs/procfs/procfs_dbregs.c           1.4.2.3.6.1
  src/sys/miscfs/procfs/procfs_fpregs.c           1.11.2.3.6.1
  src/sys/miscfs/procfs/procfs_regs.c             1.10.2.3.6.1
  src/sys/miscfs/procfs/procfs_rlimit.c           1.5.12.1
  src/sys/miscfs/procfs/procfs_status.c           1.20.2.4.6.1
  src/sys/sys/uio.h                               1.11.2.1.6.1
RELENG_4_6
  src/UPDATING                                    1.73.2.68.2.54
  src/sys/conf/newvers.sh                         1.44.2.23.2.42
  src/sys/i386/linux/linprocfs/linprocfs_misc.c   1.3.2.8.6.1
  src/sys/kern/kern_subr.c                        1.31.2.2.2.1
  src/sys/miscfs/procfs/procfs_dbregs.c           1.4.2.3.4.1
  src/sys/miscfs/procfs/procfs_fpregs.c           1.11.2.3.4.1
  src/sys/miscfs/procfs/procfs_regs.c             1.10.2.3.4.1
  src/sys/miscfs/procfs/procfs_rlimit.c           1.5.10.1
  src/sys/miscfs/procfs/procfs_status.c           1.20.2.4.4.1
  src/sys/sys/uio.h                               1.11.2.1.4.1
RELENG_4_5
  src/UPDATING                                    1.73.2.50.2.53
  src/sys/conf/newvers.sh                         1.44.2.20.2.37
  src/sys/i386/linux/linprocfs/linprocfs_misc.c   1.3.2.8.4.1
  src/sys/kern/kern_subr.c                        1.31.2.1.2.1
  src/sys/miscfs/procfs/procfs_dbregs.c           1.4.2.3.2.1
  src/sys/miscfs/procfs/procfs_fpregs.c           1.11.2.3.2.1
  src/sys/miscfs/procfs/procfs_regs.c             1.10.2.3.2.1
  src/sys/miscfs/procfs/procfs_rlimit.c           1.5.8.1
  src/sys/miscfs/procfs/procfs_status.c           1.20.2.4.2.1
  src/sys/sys/uio.h                               1.11.2.1.2.1
RELENG_4_4
  src/UPDATING                                    1.73.2.43.2.54
  src/sys/conf/newvers.sh                         1.44.2.17.2.45
  src/sys/i386/linux/linprocfs/linprocfs_misc.c   1.3.2.8.2.1
  src/sys/kern/kern_subr.c                        1.31.6.1
  src/sys/miscfs/procfs/procfs_dbregs.c           1.4.2.2.2.2
  src/sys/miscfs/procfs/procfs_fpregs.c           1.11.2.2.2.2
  src/sys/miscfs/procfs/procfs_regs.c             1.10.2.2.2.2
  src/sys/miscfs/procfs/procfs_rlimit.c           1.5.6.1
  src/sys/miscfs/procfs/procfs_status.c           1.20.2.3.4.2
  src/sys/sys/uio.h                               1.11.6.1
RELENG_4_3
  src/UPDATING                                    1.73.2.28.2.41
  src/sys/conf/newvers.sh                         1.44.2.14.2.31
  src/sys/i386/linux/linprocfs/linprocfs_misc.c   1.3.2.5.2.1
  src/sys/kern/kern_subr.c                        1.31.4.1
  src/sys/miscfs/procfs/procfs_dbregs.c           1.4.2.1.2.2
  src/sys/miscfs/procfs/procfs_fpregs.c           1.11.2.1.2.2
  src/sys/miscfs/procfs/procfs_regs.c             1.10.2.1.2.2
  src/sys/miscfs/procfs/procfs_rlimit.c           1.5.4.1
  src/sys/miscfs/procfs/procfs_status.c           1.20.2.3.2.2
  src/sys/sys/uio.h                               1.11.4.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/fYXyFdaIBMps37IRArbkAJ4qv/N215x61BW2NTyl6e4WY/DGLACgirQd
evgz6IOFh0L8fLRBHjbKO4A=
=Np7P
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Oct 3 15:49:37 2003
Date: Fri, 3 Oct 2003 15:49:33 -0700 (PDT)
Message-Id: <200310032249.h93MnXS8047857@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-03:18.openssl
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:18.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL vulnerabilities in ASN.1 parsing

Category:       crypto
Module:         openssl
Announced:      2003-10-03
Credits:        NISCC
                Dr. Stephen Henson
Affects:        FreeBSD versions 4.0-RELEASE through 4.8-RELEASE,
                5.0-RELEASE, and 5.1-RELEASE
                4-STABLE prior to the correction date
Corrected:      2003-10-03 01:32:13 UTC (RELENG_4, 4.9-RC)
                2003-10-03 18:13:19 UTC (RELENG_5_1, 5.1-RELEASE-p10)
                2003-10-03 20:22:27 UTC (RELENG_5_0, 5.0-RELEASE-p18)
                2003-10-03 18:14:26 UTC (RELENG_4_8, 4.8-RELEASE-p13)
                2003-10-03 20:24:31 UTC (RELENG_4_7, 4.7-RELEASE-p23)
                2003-10-03 20:24:59 UTC (RELENG_4_6, 4.6.2-RELEASE-p26)
FreeBSD only:   NO

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL
Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security
(TLS v1) protocols as well as a full-strength general purpose
cryptography library.

II.  Problem Description

This advisory addresses four separate flaws recently fixed in OpenSSL.
The flaws are described in the following excerpt from the OpenSSL.org
advisory (see references):

1. Certain ASN.1 encodings that are rejected as invalid by the parser
   can trigger a bug in the deallocation of the corresponding data
   structure, corrupting the stack. This can be used as a denial of
   service attack. It is currently unknown whether this can be
   exploited to run malicious code. This issue does not affect OpenSSL
   0.9.6.

2. Unusual ASN.1 tag values can cause an out of bounds read under
   certain circumstances, resulting in a denial of service
   vulnerability.

3. A malformed public key in a certificate will crash the verify code
   if it is set to ignore public key decoding errors. Public key
   decode errors are not normally ignored, except for debugging
   purposes, so this is unlikely to affect production code.
   Exploitation of an affected application would result in a denial
   of service vulnerability.

4.
   Due to an error in the SSL/TLS protocol handling, a server will
   parse a client certificate when one is not specifically requested.
   This by itself is not strictly speaking a vulnerability but it does
   mean that *all* SSL/TLS servers that use OpenSSL can be attacked
   using vulnerabilities 1, 2 and 3 even if they don't enable client
   authentication.

III. Impact

A remote attacker may create a malicious ASN.1 encoded message that
will cause an OpenSSL-using application to crash, or even perhaps
execute arbitrary code with the privileges of the application.

Only applications that use OpenSSL's ASN.1 or X.509 handling code are
affected. Applications that use other portions of OpenSSL are
unaffected (e.g. Apache+mod_ssl is affected, while OpenSSH is
unaffected).

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_1,
RELENG_4_8, or RELENG_4_7 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.6, 4.7,
4.8, 5.0, and 5.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.6, 4.7, 5.0 -- be sure you have previously applied the
 patches for advisories FreeBSD-SA-03:02 and FreeBSD-SA-03:06 before
 applying this patch.]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:18/openssl96.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:18/openssl96.patch.asc

[FreeBSD 4.8, 5.1]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:18/openssl97.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:18/openssl97.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in .

Note that any statically linked applications that are not part of the
base system (i.e.
from the Ports Collection or other 3rd-party sources) must be
recompiled.

All affected applications must be restarted for them to use the
corrected library. Though not required, rebooting may be the easiest
way to accomplish this.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                            Revision
  Path
- -------------------------------------------------------------------------
RELENG_5_1
  src/UPDATING                                    1.251.2.12
  src/crypto/openssl/crypto/asn1/asn1_lib.c       1.1.1.8.2.1
  src/crypto/openssl/crypto/asn1/tasn_dec.c       1.1.1.1.4.1
  src/crypto/openssl/crypto/x509/x509_vfy.c       1.1.1.5.2.1
  src/crypto/openssl/ssl/s3_srvr.c                1.1.1.11.2.1
  src/sys/conf/newvers.sh                         1.50.2.12
RELENG_5_0
  src/UPDATING                                    1.229.2.24
  src/crypto/openssl/crypto/asn1/asn1_lib.c       1.1.1.7.2.1
  src/crypto/openssl/crypto/x509/x509_vfy.c       1.1.1.4.2.2
  src/crypto/openssl/ssl/s3_srvr.c                1.1.1.9.2.3
  src/sys/conf/newvers.sh                         1.48.2.19
RELENG_4_8
  src/UPDATING                                    1.73.2.80.2.15
  src/crypto/openssl/crypto/asn1/asn1_lib.c       1.1.1.1.2.7.2.1
  src/crypto/openssl/crypto/asn1/tasn_dec.c       1.1.1.1.2.1.2.1
  src/crypto/openssl/crypto/x509/x509_vfy.c       1.1.1.1.2.4.2.1
  src/crypto/openssl/ssl/s3_srvr.c                1.1.1.1.2.7.2.1
  src/sys/conf/newvers.sh                         1.44.2.29.2.14
RELENG_4_7
  src/UPDATING                                    1.73.2.74.2.26
  src/crypto/openssl/crypto/asn1/asn1_lib.c       1.1.1.1.2.6.2.1
  src/crypto/openssl/crypto/x509/x509_vfy.c       1.1.1.1.2.3.2.2
  src/crypto/openssl/ssl/s3_srvr.c                1.1.1.1.2.5.2.3
  src/sys/conf/newvers.sh                         1.44.2.26.2.25
RELENG_4_6
  src/UPDATING                                    1.73.2.68.2.55
  src/crypto/openssl/crypto/asn1/asn1_lib.c       1.1.1.1.2.3.6.4
  src/crypto/openssl/crypto/x509/x509_vfy.c       1.1.1.1.2.2.8.3
  src/crypto/openssl/ssl/s3_srvr.c                1.1.1.1.2.3.6.4
  src/sys/conf/newvers.sh                         1.44.2.23.2.43
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD4DBQE/fe+bFdaIBMps37IRAmp8AKCDqpNf+MCJ6K1eFyWPul/cnjSzTgCY8hd6
IIOxA/5Hl4quuh64va5/5A==
=1DI+
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Oct 3 17:06:19 2003
Date: Sat, 4 Oct 2003 00:06:05 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: freebsd-security@freebsd.org
In-Reply-To: <200310032249.h93MnXS8047857@freefall.freebsd.org>
References: <200310032249.h93MnXS8047857@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:18.openssl

On Fri, 3 Oct 2003, FreeBSD Security Advisories wrote:

Hi,

> V. Solution
>
> Perform one of the following:
...
> 2) To patch your present system:
...
> c) Recompile the operating system as described in
> .
>
> Note that any statically linked applications that are not part of the
> base system (i.e. from the Ports Collection or other 3rd-party sources)
> must be recompiled.

this seems to be a default disclaimer for the openssl advisories but
at this point I am asking myself if there are any applications
statically linked against libcrypto or libssl in the base system ?

from what I can see no API is changed with this patch so wouldn't it be
possible to recompile libssl/libcrypto and install only them instead of
rebuilding the complete base system as suggested (assuming nothing in
the base system is statically linked against one of the two) ?

--
Greetings

Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
56 69 73 69 74                          http://www.zabbadoz.net/

From owner-freebsd-security@FreeBSD.ORG Fri Oct 3 17:14:12 2003
Message-Id: <5.0.2.1.1.20031004011023.02ffd7b0@popserver.sfu.ca>
Date: Sat, 04 Oct 2003 01:14:05 +0100
To: "Bjoern A. Zeeb", freebsd-security@freebsd.org
From: Colin Percival
References: <200310032249.h93MnXS8047857@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:18.openssl

At 00:06 04/10/2003 +0000, Bjoern A. Zeeb wrote:
>On Fri, 3 Oct 2003, FreeBSD Security Advisories wrote:
> > c) Recompile the operating system as described in
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html >.
>
>from what I can see no API is changed with this patch so wouldn't it be
>possible to recompile libssl/libcrypto and install only them instead of
>rebuilding the complete base system as suggested (assuming nothing in
>the base system is statically linked against one of the two) ?

I think that's probably enough, but I'm not sure; a couple hours from
now I should be able to say for certain (at least for RELENG_4_7) as the
latest FreeBSD Update build finishes.
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Fri Oct 3 18:33:43 2003
Message-Id: <5.0.2.1.1.20031004022801.03018158@popserver.sfu.ca>
Date: Sat, 04 Oct 2003 02:33:31 +0100
To: "Bjoern A. Zeeb", freebsd-security@freebsd.org
From: Colin Percival
References: <200310032249.h93MnXS8047857@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:18.openssl

At 00:06 04/10/2003 +0000, Bjoern A. Zeeb wrote:
>On Fri, 3 Oct 2003, FreeBSD Security Advisories wrote:
> > c) Recompile the operating system as described in
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html >.
>
>wouldn't it be
>possible to recompile libssl/libcrypto and install only them instead of
>rebuilding the complete base system as suggested

Just to confirm the contents of my earlier email: The only binaries
affected by this in RELENG_4_7 are /usr/lib/lib(ssl|crypto)(.a|.so.2|_p.a)
-- so rebuilding those two libraries (and any statically linked ports
software) should be enough.
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Sat Oct 4 08:23:08 2003
Date: Sat, 4 Oct 2003 15:22:42 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:18.openssl

On Fri, 3 Oct 2003, FreeBSD Security Advisories wrote:

Hi,

thanks for previous help/clarification that only the libs need
rebuilding.

> III. Impact
>
> A remote attacker may create a malicious ASN.1 encoded message that
> will cause an OpenSSL-using application to crash, or even perhaps
> execute arbitrary code with the privileges of the application.
>
> Only applications that use OpenSSL's ASN.1 or X.509 handling code
> are affected. Applications that use other portions of OpenSSL
> are unaffected (e.g. Apache+mod_ssl is affected, while OpenSSH is
> unaffected).

Another question: can someone please confirm that mod_ssl.so from
apache 2.0.47 port is _not_ affected ?

I have rebuilt libssl, libcrypto and installed them (they all differ
from the old libs after make install) and done a rebuild of
mod_ssl. But the new mod_ssl.so doesn't differ from the one
built late August:

[ports]apache2/work/httpd-2.0.47/modules/ssl/.libs> md5 mod_ssl.so
MD5 (mod_ssl.so) = a4e31cf6e4aff5ca91f164d57eb68457

/usr/local/libexec/apache2> md5 mod_ssl.so
MD5 (mod_ssl.so) = a4e31cf6e4aff5ca91f164d57eb68457

Also diff does not say that the binary files would differ.

Thanks in advance.

--
Greetings
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
56 69 73 69 74 http://www.zabbadoz.net/

From owner-freebsd-security@FreeBSD.ORG Sat Oct 4 09:00:12 2003
Date: Sat, 4 Oct 2003 11:00:10 -0500
From: "Jacques A. Vidrine"
To: "Bjoern A. Zeeb"
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:18.openssl

On Sat, Oct 04, 2003 at 03:22:42PM +0000, Bjoern A. Zeeb wrote:
> Another question: can someone please confirm that mod_ssl.so from
> apache 2.0.47 port is _not_ affected ?

It _is_ affected, because it uses the affected portions of OpenSSL.

> I have rebuilt libssl, libcrypto and installed them (they all differ
> from the old libs after make install) and done a rebuild of
> mod_ssl. But the new mod_ssl.so doesn't differ from the one
> built late August:
>
> [ports]apache2/work/httpd-2.0.47/modules/ssl/.libs> md5 mod_ssl.so
> MD5 (mod_ssl.so) = a4e31cf6e4aff5ca91f164d57eb68457
>
> /usr/local/libexec/apache2> md5 mod_ssl.so
> MD5 (mod_ssl.so) = a4e31cf6e4aff5ca91f164d57eb68457
>
> Also diff does not say that the binary files would differ.

mod_ssl.so uses dynamic linking. It would not require a rebuild nor
would the compiler output necessarily change after a rebuild.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Sat Oct 4 09:08:17 2003
Date: Sat, 4 Oct 2003 16:08:01 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: "Jacques A. Vidrine"
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:18.openssl

On Sat, 4 Oct 2003, Jacques A. Vidrine wrote:

> On Sat, Oct 04, 2003 at 03:22:42PM +0000, Bjoern A. Zeeb wrote:
> > Another question: can someone please confirm that mod_ssl.so from
> > apache 2.0.47 port is _not_ affected ?
>
> It _is_ affected, because it uses the affected portions of OpenSSL.

...

> mod_ssl.so uses dynamic linking. It would not require a rebuild nor
> would the compiler output necessarily change after a rebuild.

thanks. my fault. mixed the impact part with ...

: Note that any statically linked applications that are not part of the
: base system (i.e. from the Ports Collection or other 3rd-party sources)
: must be recompiled.

while mod_ssl comes from ports and is not part of the base system it
still uses (as you said) dynamic linking. So replacing the libs is
enough.

Thanks and happy weekend.

--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
56 69 73 69 74 http://www.zabbadoz.net/

From owner-freebsd-security@FreeBSD.ORG Sat Oct 4 13:27:17 2003
Date: Sat, 4 Oct 2003 21:27:59 +0100
From: "Greenshaw, Steve"
To: "'freebsd-security@freebsd.org'"
Subject: Security Fix Confusion

Hi,

I'm wondering if anybody could enlighten me about the effect of tracking
RELENG?

When the OpenSSH advisory came out (SA-03:12) I allowed a few days for all
issues to get ironed out and then used CVSUP to rebuild my boxes with
RELENG_4_7 or RELENG_4_8 (as appropriate).

The advisory says that the problem with OpenSSH is fixed by
4.7-RELEASE-p16 and a 'uname -a' of one of my 4.7 boxes shows it as being
4.7-RELEASE-p21

However, a '/usr/sbin/sshd -\?' shows the version of OpenSSH running as
being OpenSSH_3.4p1. Scanning the box with Nessus warns of the security hole
associated with versions of OpenSSH prior to 3.7.1p2 and warned about in
SA-03:12

So, my question is, am I actually covered by 4.7-RELEASE-p21 and Nessus is
giving a false positive, or am I still potentially vulnerable?

Regards,

Steve.

From owner-freebsd-security@FreeBSD.ORG Sat Oct 4 14:04:20 2003
Date: Sat, 04 Oct 2003 22:04:11 +0100
To: "Greenshaw, Steve"
From: Colin Percival
cc: freebsd-security@freebsd.org
Subject: Re: Security Fix Confusion

At 21:27 04/10/2003 +0100, you wrote:
>I'm wondering if anybody could enlighten me about the effect of tracking
>RELENG?

Assuming you mean RELENG_x_y: You'll get critical security fixes for that
release, for as long as that release is supported.

>However, a '/usr/sbin/sshd -\?' shows the version of OpenSSH running as
>being OpenSSH_3.4p1.

If it reports "sshd version OpenSSH_3.4p1 FreeBSD-20030924", you're
safe. The "FreeBSD-20030924" means that it includes the latest fixes
(incorporated by des@ on September 24th, part of SA-03:15).

> Scanning the box with Nessus warns of the security hole
>associated with versions of OpenSSH prior to 3.7.1p2 and warned about in
>SA-03:12
>
>So, my question is, am I actually covered by 4.7-RELEASE-p21 and Nessus is
>giving a false positive, or am I still potentially vulnerable?

Looks like a false positive to me.

Colin Percival
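
The false positive discussed in the last two messages, as an added example that is not part of the original thread or of any scanner's code: a version-only comparison against 3.7.1p2 next to a check that also reads the FreeBSD date suffix. The function names, the "unverified" result for a banner without a suffix, and every sample banner except the one quoted in the reply are assumptions made for illustration.

```python
import re

# Thresholds quoted in the thread: Nessus flags anything before 3.7.1p2;
# Colin Percival names the FreeBSD-20030924 suffix as carrying the fixes.
FIXED_UPSTREAM = (3, 7, 1, 2)
FIXED_VENDOR_DATE = 20030924

BANNER_RE = re.compile(
    r"OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?:p(?P<patch>\d+))?"
    r"(?:\s+FreeBSD-(?P<date>\d{8}))?"
)

def parse_banner(banner):
    """Return ((major, minor, micro, p-level), vendor_date or None), or None."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    nums = [int(x) for x in m.group("ver").split(".")]
    nums += [0] * (3 - len(nums))            # 3.4 -> 3.4.0
    upstream = tuple(nums[:3]) + (int(m.group("patch") or 0),)
    date = int(m.group("date")) if m.group("date") else None
    return upstream, date

def version_only_verdict(banner):
    """Upstream-version comparison only: the check that misfires on backports."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    return "vulnerable" if parsed[0] < FIXED_UPSTREAM else "ok"

def backport_aware_verdict(banner):
    """Also honour the vendor date suffix (hypothetical policy, see lead-in)."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    upstream, date = parsed
    if upstream >= FIXED_UPSTREAM:
        return "ok"
    if date is None:
        return "unverified"                  # no suffix: confirm on the host
    return "ok (vendor backport)" if date >= FIXED_VENDOR_DATE else "vulnerable"

if __name__ == "__main__":
    samples = [
        "sshd version OpenSSH_3.4p1 FreeBSD-20030924",   # quoted in the reply above
        "sshd version OpenSSH_3.4p1 FreeBSD-20020702",   # constructed older suffix
        "sshd version OpenSSH_3.4p1",                    # constructed, no suffix
        "sshd version OpenSSH_3.7.1p2",                  # constructed upstream fix
    ]
    for s in samples:
        print(f"{s!r}: {version_only_verdict(s)} / {backport_aware_verdict(s)}")
```
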