From owner-freebsd-security@FreeBSD.ORG Tue Jun 21 18:24:43 2005
From: Richard Coleman
Organization: Critical Magic
Date: Tue, 21 Jun 2005 14:25:45 -0400
To: Jacques Vidrine
Cc: freebsd-security@freebsd.org
Subject: Re: TCP timestamp vulnerability
Message-ID: <42B85BA9.6060905@criticalmagic.com>
In-Reply-To: <97D5BFC7-D07D-4DB5-A6C2-D4C71C679CA4@FreeBSD.org>
References: <20050519105313.GC2724@unixpages.org> <97D5BFC7-D07D-4DB5-A6C2-D4C71C679CA4@FreeBSD.org>

Jacques Vidrine wrote:
>
> On May 19, 2005, at 5:53 AM, Christian Brueffer wrote:
>
>> fixes for the vulnerability described in http://www.kb.cert.org/vuls/id/637934
>> were checked in to CURRENT and RELENG_5 by ps in April.
>>
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c
>>
>> Revisions 1.270 and 1.252.2.16
>>
>> He didn't commit it to RELENG_5_4 for some reason, so 5.4 shipped with
>> it.
>>
>> My guess is that he didn't notify you guys either.
>>
>> I stumbled upon this through a Heise News article at
>> http://www.heise.de/newsticker/meldung/59672. Sent them an update about
>> the fixed branches, but they'd like to know why this wasn't communicated
>> back to US-CERT yadda yadda yadda.
>
> Thanks, Christian. No, ps@ didn't point it out. It gets a little
> confusing too, since I see that the work was submitted by multiple
> folks, one of which reported another related vulnerability to us on May
> 18 (7 days after that commit). Now to try to untangle what is what ...

My boss asked me to check on whether this problem was fixed for FreeBSD
4.10. I didn't see any advisories related to this, and FreeBSD is still
showing as vulnerable on the CERT web site. It doesn't look like a fix
for this has been committed to any of the 4.X branches. Any word on
this?

Thanks for the help.

Richard Coleman
rcoleman@criticalmagic.com

From owner-freebsd-security@FreeBSD.ORG Fri Jun 24 18:25:28 2005
From: Richard Coleman
Organization: Critical Magic
Date: Fri, 24 Jun 2005 14:26:28 -0400
To: freebsd-security@freebsd.org
Subject: Any status on timestamp vulnerability fix for 4.X?
Message-ID: <42BC5054.908@criticalmagic.com>

Any information on when (or if) the following timestamp vulnerability
will be fixed for 4.X? Any information would be appreciated.

http://www.kb.cert.org/vuls/id/637934

Thanks.

Richard Coleman
rcoleman@criticalmagic.com

From owner-freebsd-security@FreeBSD.ORG Sat Jun 25 11:06:32 2005
From: Uwe Doering
Organization: Private UNIX Site
Date: Sat, 25 Jun 2005 13:06:28 +0200
To: Richard Coleman
Cc: freebsd-security@freebsd.org
Subject: Re: Any status on timestamp vulnerability fix for 4.X?
Message-ID: <42BD3AB4.2030209@geminix.org>
In-Reply-To: <42BC5054.908@criticalmagic.com>
References: <42BC5054.908@criticalmagic.com>

Richard Coleman wrote:
> Any information on when (or if) the following timestamp vulnerability
> will be fixed for 4.X? Any information would be appreciated.
>
> http://www.kb.cert.org/vuls/id/637934

FYI, the fix for RELENG_5 applies to RELENG_4 as is (apart from the CVS
version header, of course):

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=u

After verifying its semantic correctness for RELENG_4 we've been running
the patch for a couple of weeks now with no ill effects.

I'm posting this also as an encouragement for committers to go ahead and
do the MFC. It's low hanging fruit.

   Uwe
--
Uwe Doering         | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  | http://www.escapebox.net
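As an added illustration of the issue the thread is about (this is editor-supplied example code, not part of any message above and not FreeBSD's tcp_input.c or the diff Uwe links), the toy receiver below models the RFC 1323 PAWS state that VU#637934 concerns. Under the weak update rule the receiver records a peer timestamp from any segment whose sequence number is at or below the last ACK it sent, even a segment far outside the window that is then discarded; a forged segment with a large TSval therefore poisons ts_recent, and the peer's subsequent genuine segments fail the PAWS test and are dropped. The strict rule additionally requires that the segment actually cover last_ack_sent, which is the RFC 1323 condition. The struct and field names, the immediate-ACK simplification, the ordering of the checks and the constructed segment values are all assumptions of this example, not a claim about how the committed FreeBSD change is written.

```c
/*
 * Illustrative PAWS (RFC 1323) receiver model. Not FreeBSD code; the
 * field names, check ordering and scenario values are assumptions
 * chosen for readability.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Wrap-safe sequence-space comparisons of the kind TCP stacks use. */
#define SEQ_LT(a, b)   ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b)  ((int32_t)((a) - (b)) <= 0)
#define TSTMP_LT(a, b) ((int32_t)((a) - (b)) < 0)

struct tcb {
    uint32_t rcv_nxt;       /* next sequence number expected from the peer */
    uint32_t rcv_wnd;       /* advertised receive window */
    uint32_t last_ack_sent; /* Last.ACK.sent in RFC 1323 terms */
    uint32_t ts_recent;     /* timestamp most recently accepted from the peer */
};

struct seg {
    uint32_t seq;    /* sequence number of the first byte */
    uint32_t len;    /* payload length (caller counts SYN/FIN if present) */
    bool     has_ts; /* timestamp option present */
    uint32_t tsval;  /* TSval carried in the option */
};

enum update_rule {
    RULE_WEAK,   /* record TSval whenever seq <= last_ack_sent */
    RULE_STRICT  /* additionally require last_ack_sent <= seq + len */
};

/*
 * Process one incoming segment; returns true if it is accepted for
 * delivery. The ts_recent update deliberately runs before the window
 * check, so an out-of-window segment can still change ts_recent under
 * the weak rule even though it is never delivered.
 */
bool receive(struct tcb *tp, const struct seg *s, enum update_rule rule)
{
    /* PAWS: a timestamp older than ts_recent marks the segment as stale. */
    if (s->has_ts && TSTMP_LT(s->tsval, tp->ts_recent))
        return false;

    /* Record the peer's timestamp according to the chosen rule. */
    if (s->has_ts && SEQ_LEQ(s->seq, tp->last_ack_sent)) {
        bool covers = SEQ_LEQ(tp->last_ack_sent, s->seq + s->len);
        if (rule == RULE_WEAK || covers)
            tp->ts_recent = s->tsval;
    }

    /* Only data overlapping the receive window is accepted. */
    uint32_t seg_end = s->seq + s->len;
    if (SEQ_LT(seg_end, tp->rcv_nxt) ||
        !SEQ_LT(s->seq, tp->rcv_nxt + tp->rcv_wnd))
        return false;

    /* In-order data advances rcv_nxt; we assume an immediate ACK, so
     * last_ack_sent follows it (simplification). */
    if (s->seq == tp->rcv_nxt) {
        tp->rcv_nxt += s->len;
        tp->last_ack_sent = tp->rcv_nxt;
    }
    return true;
}

/*
 * Constructed scenario: a legitimate in-order segment, then a forged
 * segment whose sequence number is far behind the window but whose
 * TSval is about 2^30 ticks ahead, then a second legitimate segment.
 * Copies the final TCB to *out and returns whether the last segment
 * was accepted.
 */
bool run_scenario(enum update_rule rule, struct tcb *out)
{
    struct tcb tp = { .rcv_nxt = 1000, .rcv_wnd = 65535,
                      .last_ack_sent = 1000, .ts_recent = 500 };
    struct seg legit1 = { .seq = 1000, .len = 100, .has_ts = true, .tsval = 600 };
    struct seg forged = { .seq = 1100u - 200000u, .len = 1, .has_ts = true,
                          .tsval = 600u + (1u << 30) };
    struct seg legit2 = { .seq = 1100, .len = 100, .has_ts = true, .tsval = 601 };

    receive(&tp, &legit1, rule);
    receive(&tp, &forged, rule);   /* out of window: never delivered */
    bool accepted = receive(&tp, &legit2, rule);
    if (out)
        *out = tp;
    return accepted;
}

bool final_segment_accepted(enum update_rule rule)
{
    return run_scenario(rule, NULL);
}

uint32_t ts_recent_after(enum update_rule rule)
{
    struct tcb tp;
    run_scenario(rule, &tp);
    return tp.ts_recent;
}

int main(void)
{
    printf("weak rule:   legit segment accepted=%d ts_recent=%u\n",
           final_segment_accepted(RULE_WEAK), ts_recent_after(RULE_WEAK));
    printf("strict rule: legit segment accepted=%d ts_recent=%u\n",
           final_segment_accepted(RULE_STRICT), ts_recent_after(RULE_STRICT));
    return 0;
}
```

With the weak rule the forged segment is rejected by the window check but has already pushed ts_recent roughly 2^30 ticks into the future, so the peer's next genuine segment (TSval 601) is discarded by PAWS; with the strict rule the forged segment does not cover last_ack_sent, ts_recent stays at the peer's real value, and the connection continues. In a real stack the poisoned ts_recent persists until the PAWS idle timeout ages it out, which is what turns a single spoofed segment into a connection stall.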