From owner-freebsd-security@FreeBSD.ORG Tue Feb 6 02:18:23 2007
From: Arone Silimantia
To: freebsd-security@freebsd.org
Date: Mon, 5 Feb 2007 17:51:38 -0800 (PST)
Message-ID: <14020.63738.qm@web58603.mail.re3.yahoo.com>
Subject: post-reload SSH server key transfer ... comments ?

I am going to be replacing system X with system Y (which is much faster,
newer).

I will load up the new system from scratch, and then just copy over the
user data from the old system. Then I will turn off the old system for
good, and set the IP and hostname of the new system to match the old one.

Easy. Except everyone's ssh connections will complain loudly about
potential MITM attacks, etc. ...

So, am I correct that I can just tar up /etc/ssh on the old system and
use it to overwrite /etc/ssh on the new system, and that's that ? No
warning message or other problems ?

ALSO, am I correct that if I copy over their home directories that
contain their ~/.ssh/authorized_keys that those will continue to work
just fine even though they are on a new server ?

I guess as far as remote users are concerned, it _won't_ be a new
system - since hostname, IP, and host ssh keys will be the same ... but
I like to be careful and that is why I am asking for a sanity check
here...

All comments appreciated. Thanks.
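A sanity check for this move, as an added example that is neither from this thread nor FreeBSD's own code: it applies the selection the replies give (the *_key and *_key.pub pairs are the machine's identity, ssh_config and sshd_config get merged rather than copied), prints the host-key fingerprints a client compares against its known_hosts, and diffs the old and new host keys so a mismatch is caught before users see the warning. The key lines, file names and modes are constructed for the demo.

```python
"""Sanity checks for carrying an sshd host identity over to a rebuilt box.

Added example (not from the thread): classifies the old /etc/ssh files
into copy / merge / leave, prints the fingerprints clients compare against
known_hosts, diffs old vs. new host keys, and checks key-file modes.
The sample keys below are constructed in code, not real keys.
"""
import base64
import fnmatch
import hashlib
import struct


def classify_etc_ssh(filename):
    """What to do with one file from the old /etc/ssh.

    copy  -> "*_key" and "*_key.pub": the machine's ssh identity
    merge -> ssh_config / sshd_config: merge local changes by hand, since a
             wholesale copy may carry options the newer sshd rejects
    leave -> anything else (moduli, ...): keep the new install's copy
    """
    if fnmatch.fnmatch(filename, "*_key") or fnmatch.fnmatch(filename, "*_key.pub"):
        return "copy"
    if filename in ("ssh_config", "sshd_config"):
        return "merge"
    return "leave"


def parse_pubkey_line(line):
    """Split 'type base64 [comment]' and decode the blob, checking that the
    type string inside the blob matches the type field (catches truncated or
    hand-edited files before sshd does)."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    ktype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + n].decode("ascii")
    if inner != ktype:
        raise ValueError(f"type field {ktype!r} does not match blob {inner!r}")
    return ktype, blob


def fingerprint_sha256(blob):
    """OpenSSH 'SHA256:' fingerprint: base64 of SHA-256 over the key blob
    with the '=' padding stripped, as ssh-keygen -lf prints it."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy colon-separated MD5 form (ssh-keygen -lf -E md5)."""
    hexd = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def compare_host_keys(old_pubs, new_pubs):
    """old_pubs / new_pubs: {filename: public key line}.  Returns
    {filename: 'same' | 'changed' | 'missing on new' | 'new only'}.
    'changed' and 'missing on new' are what make clients that remembered
    the old key print the host-key-changed warning; 'new only' key types
    are harmless for existing clients, which keep using the types they know."""
    report = {}
    for name in sorted(set(old_pubs) | set(new_pubs)):
        if name not in new_pubs:
            report[name] = "missing on new"
        elif name not in old_pubs:
            report[name] = "new only"
        else:
            _, old_blob = parse_pubkey_line(old_pubs[name])
            _, new_blob = parse_pubkey_line(new_pubs[name])
            report[name] = "same" if old_blob == new_blob else "changed"
    return report


def key_file_mode_ok(filename, mode):
    """Private halves must stay 0600 (tar run as root keeps that, a careless
    cp may not); public halves may be world-readable but not writable."""
    if filename.endswith(".pub"):
        return (mode & 0o022) == 0
    return (mode & 0o077) == 0


def make_pubkey_line(ktype, fields, comment):
    """Build a constructed public key line (length-prefixed blob) for the demo."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in [ktype.encode()] + fields)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: old system X had two host keys; a fresh install of Y
# generated its own RSA key and nothing else.
OLD_HOST = {
    "ssh_host_rsa_key.pub": make_pubkey_line("ssh-rsa", [b"\x01\x00\x01", b"\x00" + bytes(range(1, 65))], "root@x"),
    "ssh_host_ed25519_key.pub": make_pubkey_line("ssh-ed25519", [bytes(range(32))], "root@x"),
}
NEW_HOST_FRESH = {
    "ssh_host_rsa_key.pub": make_pubkey_line("ssh-rsa", [b"\x01\x00\x01", b"\x00" + bytes(range(64, 0, -1))], "root@y"),
}
NEW_HOST_AFTER_COPY = dict(OLD_HOST)  # state after copying *_key and *_key.pub across

if __name__ == "__main__":
    for f in ("ssh_host_rsa_key", "ssh_host_rsa_key.pub", "sshd_config", "moduli"):
        print(f"{f:24} -> {classify_etc_ssh(f)}")
    for name, line in OLD_HOST.items():
        _, blob = parse_pubkey_line(line)
        print(name, fingerprint_sha256(blob), fingerprint_md5(blob))
    print("before copy:", compare_host_keys(OLD_HOST, NEW_HOST_FRESH))
    print("after copy: ", compare_host_keys(OLD_HOST, NEW_HOST_AFTER_COPY))
```

On a real pair of machines, feed the function the contents of /etc/ssh/*.pub from each side and compare the printed fingerprints with what ssh-keygen -lf shows before announcing the cutover.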
From owner-freebsd-security@FreeBSD.ORG Tue Feb 6 03:55:04 2007
From: Brooks Davis
To: Arone Silimantia
Cc: freebsd-security@freebsd.org
Date: Mon, 5 Feb 2007 21:29:27 -0600
Message-ID: <20070206032927.GB55215@lor.one-eyed-alien.net>
In-Reply-To: <14020.63738.qm@web58603.mail.re3.yahoo.com>
Subject: Re: post-reload SSH server key transfer ... comments ?

On Mon, Feb 05, 2007 at 05:51:38PM -0800, Arone Silimantia wrote:
>
> I am going to be replacing system X with system Y (which is much
> faster, newer).
>
> I will load up the new system from scratch, and then just copy over
> the user data from the old system. Then I will turn off the old
> system for good, and set the IP and hostname of the new system to
> match the old one.
>
> Easy. Except everyone's ssh connections will complain loudly about
> potential MITM attacks, etc. ...
>
> So, am I correct that I can just tar up /etc/ssh on the old system and
> use it to overwrite /etc/ssh on the new system, and that's that ? No
> warning message or other problems ?

Yes. Actually, the files you need are "/etc/ssh/*_key /etc/ssh/*_key.pub".
The others may contain settings you want to move, but don't affect the
machine's ssh identity.

> ALSO, am I correct that if I copy over their home directories that
> contain their ~/.ssh/authorized_keys that those will continue to work
> just fine even though they are on a new server ?

Yes, they contain no knowledge of the server they are on.
-- 
Brooks

From owner-freebsd-security@FreeBSD.ORG Tue Feb 6 07:21:11 2007
From: Peter Jeremy
To: Arone Silimantia
Cc: freebsd-security@freebsd.org
Date: Tue, 6 Feb 2007 18:21:09 +1100
Message-ID: <20070206072108.GC831@turion.vk2pj.dyndns.org>
In-Reply-To: <20070206032927.GB55215@lor.one-eyed-alien.net>
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
Subject: Re: post-reload SSH server key transfer ... comments ?

On 2007-Feb-05 21:29:27 -0600, Brooks Davis wrote:
>On Mon, Feb 05, 2007 at 05:51:38PM -0800, Arone Silimantia wrote:
>> So, am I correct that I can just tar up /etc/ssh on the old system and
>> use it to overwrite /etc/ssh on the new system, and that's that ? No
>> warning message or other problems ?
>
>Yes. Actually, the files you need are "/etc/ssh/*_key /etc/ssh/*_key.pub".
>The others may contain settings you want to move, but don't affect the
>machine's ssh identity.

I'll go further and say that you are unlikely to want to copy the
remaining files. In particular, you should merge your local changes to
/etc/ssh/ssh{,d}_config because just copying those files across is quite
likely to give the newer ssh a degree of indigestion.
-- 
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Tue Feb 6 13:49:59 2007
From: Chris
To: "Julian H. Stacey"
Cc: Dan Lukes, freebsd-security@freebsd.org, Deb Goodkin
Date: Tue, 6 Feb 2007 13:21:44 +0000
Message-ID: <3aaaa3a0702060521t6586d67ag9352d81b8efe6f21@mail.gmail.com>
In-Reply-To: <200702031801.l13I1w2p096068@fire.jhs.private>
Subject: Re: Support for 5.x (Was: Re: What about BIND 9.3.4 in FreeBSD in base system ?)

On 03/02/07, Julian H. Stacey wrote:
> > It seems to me, the one reason for limited resources is - project has
> > no resources to accept resources. I can't tell why the project lacks
> > volunteers processing community inputs. May be, there are no such
> >
> > As I don't know what's wrong nor how to correct it, this message is not
> > complaint in any way. It's just a note related to Doug's notice ...
>
> [ I wonder if for the thread, per
> http://docs.freebsd.org/mail/archive/2007/
> bugs@ or bugbusters@ might be better ? Not on those though .. ]
>
> Nice definition: "No resources to accept resources" :-)
>
> Handling other people's send-pr bug input would be boring
> compared with writing own code, or debugging. Hence unactioned send-prs.
>
> I've filed some send-pr diffs years back & not seen action, others
> have been actioned occasionally & I've been guilty of not responding
> in time (Mea Culpa, even own bug reports are boring, especially
> since once my auto diff applier works for me, there's less incentive
> to persuade send-pr team to apply diff). Probably a common phenomenon.
>
> Dealing with boring bugs surely approaches paid work in needing
> motivation, so if the FreeBSD Foundation (a member cc'd) ever has spare
> money, it may be wise to have a few people paid something to action the
> oldest=most boring send-prs ?
>
> Oldest often would mean "So boring no one has touched it, (Or so
> intractable/ insoluble/ major dev. effort required)". If we used
> any other criteria than oldest first, it would need someone to spend
> time judging what should be paid as most boring & what not, & then
> we'd be in a recursive "Wouldn't that be a boring job too?" so who
> would do That ? So oldest bug first, unless reason to skip, eg
> intractables.
>
> If companies ever want to sponsor a little, we could suggest to
> companies: please sponsor one of your own staff members (or some
> freelance FreeBSD committer), perhaps eg one day a week or just
> Friday afternoons or whenever panic requirements are less likely),
> to work the oldest = most boring send-prs that have been _so_ boring
> for years no one has processed them.
>
> The method of oldest most boring first would not destroy the incentive
> of the code bug-a-thon people to periodically attack the parts of
> the send-pr backlog they consider newer & interesting enough to
> work on unpaid.
>
> Disclaimer: Yes I'm a freelance. But no commit privs, so not eligible.
> --
> Julian Stacey. BSD Unix C Net Consultancy, Munich/Muenchen http://berklix.com
> Mail Ascii, not HTML. Your smoke = my allergic headache.
> Vista of a Bill from Redmond ? http://berklix.com/free-talk-on-free-software/
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

think you hit the nail bang on the head, I am one such person who tried
to submit a bug causing crashes and have found a lack of enthusiasm to
get the bug fixed.

One thing I have noticed about 6.x is there are many features that 5.x
doesn't have, so it looks clear there is lots of activity in working on
new code but little activity in fixing bugs and working on stability.

An example I can give is I noticed freebsd 5.4 has limited support for
nforce 4 ide; this is year 2005 code, and there was a patch to complete
the support so sata was supported. Checking the same src file on
freebsd 6.2 has all references to nforce 4 removed; the patch was
apparently close to being committed to 6-current at the time, so I can
only guess that they got bored of trying to make it stable so simply
removed the code to not delay the 6.0 release, and this explains why my
hardware works better in 5.x than 6.x on this particular server using
nforce4.

In general I have noticed a decline in robustness and stability as
freebsd release numbers go up. freebsd 4.x was very stable and it's not
hard to see why people refuse to move from it; 5.x was somewhat less
robust but I think 5.x is more stable than 6.x; 6.x appears to have some
compatibility problems with hardware and is more picky with what
hardware it works well with.

If support is planning to be dropped for 5.x early in its life (only at
the .5 release) then it is disappointing and a sign that there is no
motivation to work on old code and old bugs. I wonder if a paypal slush
fund, where people who use freebsd can donate and this slush fund is
then used to pay devs who fix PRs (oldest first of course), would be
effective.
Chris

From owner-freebsd-security@FreeBSD.ORG Tue Feb 6 14:47:52 2007
From: Remko Lodder
To: Chris
Cc: Dan Lukes, freebsd-security@freebsd.org, "Julian H. Stacey", Deb Goodkin
Date: Tue, 6 Feb 2007 15:47:38 +0100
Message-ID: <20070206144738.GW11375@elvandar.org>
In-Reply-To: <3aaaa3a0702060521t6586d67ag9352d81b8efe6f21@mail.gmail.com>
Subject: Re: Support for 5.x (Was: Re: What about BIND 9.3.4 in FreeBSD in base system ?)

On Tue, Feb 06, 2007 at 01:21:44PM +0000, Chris wrote:
> On 03/02/07, Julian H. Stacey wrote:
> think you hit the nail bang on the head, I am one such person who
> tried to submit a bug causing crashes and have found a lack of
> enthusiasm to get the bug fixed. One thing I have noticed about 6.x
> is there are many features that 5.x doesn't have, so it looks clear
> there is lots of activity in working on new code but little activity
> in fixing bugs and working on stability.

Hello,

I feel poked by this, and it saddens me that this is the reply we get.
I know that we aren't really up to date with feedback on PR tickets,
and that a lot of tickets are stale and never looked at (I have several
of those on my name as well). The sad reason is though that we are all
busy, some of us cannot do more than we can and some of us (the
bugbusting teams) try to housekeep the tickets as much as possible, but
that is not always possible with the limited resources we have. If this
bugs you enough; you are always invited to help us making sure the
ticket flow can be handled.

> Example I can give is I noticed freebsd 5.4 has limited support for
> nforce 4 ide, this is year 2005 code, and there was a patch to
> complete the support so sata was supported.
> Checking the same src
> file on freebsd 6.2 has all references to nforce 4 removed, the patch
> was apparently close to being committed to 6-current at the time so I
> can only guess that they got bored of trying to make it stable so
> simply removed the code to not delay 6.0 release and this explains why
> my hardware works better in 5.x than 6.x on this particular server
> using nforce4.

Releng_5 is a different working base than 6_x, things that are in 6 are
not always in 5 and vice versa. Can you give me a clear example of what
was removed and what should be there so that I can have a look at this
and perhaps even implement it? If you have a ticket number that would
be even more great so that I can see the audit trail.

> In general I have noticed a decline in robustness and stability as
> freebsd release numbers go up, freebsd 4.x was very stable and it's not
> hard to see why people refuse to move from it, 5.x was somewhat less
> robust but I think 5.x is more stable than 6.x, 6.x appears to have
> some compatibility problems with hardware and is more picky with what
> hardware it works well with.
>
> If support is planning to be dropped for 5.x early in its life (only at
> .5 release) then it is disappointing and a sign that there is no
> motivation to work on old code and old bugs. I wonder if a paypal
> slush fund where people who use freebsd can donate to and this slush
> fund is then used to pay devs who fix PRs oldest first of course
> would be effective.

Obviously you can claim you can do better, please show us, we will
punish you after time with a commit bit and then you can help us out
all the time! Seriously though; the various development paths make the
RELENG_5 branch a development branch and 6 a stable branch. No one ever
said that 5.x was going to live long because of the transition phase
between 4.x and 6.x.

Given your feedback I expect to see you on freebsd-bugbusters pretty
soon (the mailinglist) to help clear the old PRs and make sure
everything is OK.

Yes I understand that my tone is a bit harsh, but I think the
statements above are emotional, not based on the reality though; the
teams work very hard to please everyone, but we have limited resources
and cannot do everything. It is rather easy to go pick on the teams,
but that is not something that will help solve the problem. Actually
helping out will, so I'd request Chris and others to help the
bugbusting teams and if possible other teams as well, then and only
then we can try to be a brave schoolkid.

Thanks.

> Chris

-- 
Kind regards,

Remko Lodder ** remko@elvandar.org
FreeBSD ** remko@FreeBSD.org

/* Quis custodiet ipsos custodes */

From owner-freebsd-security@FreeBSD.ORG Tue Feb 6 15:07:25 2007
From: Chris
To: "Remko Lodder"
Cc: Dan Lukes, freebsd-security@freebsd.org, "Julian H. Stacey", Deb Goodkin
Date: Tue, 6 Feb 2007 15:07:21 +0000
Message-ID: <3aaaa3a0702060707s4b90dd0agef214698a5613e6b@mail.gmail.com>
In-Reply-To: <20070206144738.GW11375@elvandar.org>
Subject: Re: Support for 5.x (Was: Re: What about BIND 9.3.4 in FreeBSD in base system ?)

On 06/02/07, Remko Lodder wrote:
> On Tue, Feb 06, 2007 at 01:21:44PM +0000, Chris wrote:
> > On 03/02/07, Julian H. Stacey wrote:
> > think you hit the nail bang on the head, I am one such person who
> > tried to submit a bug causing crashes and have found a lack of
> > enthusiasm to get the bug fixed. One thing I have noticed about 6.x
> > is there are many features that 5.x doesn't have, so it looks clear
> > there is lots of activity in working on new code but little activity
> > in fixing bugs and working on stability.
>
> Hello,
>
> I feel poked by this, and it saddens me that this is the reply we
> get. I know that we aren't really up to date with feedback on PR
> tickets, and that a lot of tickets are stale and never looked at
> (I have several of those on my name as well). The sad reason is though
> that we are all busy, some of us cannot do more than we can and some
> of us (the bugbusting teams) try to housekeep the tickets as much
> as possible, but that is not always possible with the limited resources
> we have. If this bugs you enough; you are always invited to help us
> making sure the ticket flow can be handled.
>
> > Example I can give is I noticed freebsd 5.4 has limited support for
> > nforce 4 ide, this is year 2005 code, and there was a patch to
> > complete the support so sata was supported. Checking the same src
> > file on freebsd 6.2 has all references to nforce 4 removed, the patch
> > was apparently close to being committed to 6-current at the time so I
> > can only guess that they got bored of trying to make it stable so
> > simply removed the code to not delay 6.0 release and this explains why
> > my hardware works better in 5.x than 6.x on this particular server
> > using nforce4.
>
> Releng_5 is a different working base than 6_x, things that are in 6
> are not always in 5 and vice versa. Can you give me a clear example
> of what was removed and what should be there so that I can have a
> look at this and perhaps even implement it? If you have a ticket number
> that would be even more great so that I can see the audit trail.
>
> > In general I have noticed a decline in robustness and stability as
> > freebsd release numbers go up, freebsd 4.x was very stable and it's not
> > hard to see why people refuse to move from it, 5.x was somewhat less
> > robust but I think 5.x is more stable than 6.x, 6.x appears to have
> > some compatibility problems with hardware and is more picky with what
> > hardware it works well with.
> >
> > If support is planning to be dropped for 5.x early in its life (only at
> > .5 release) then it is disappointing and a sign that there is no
> > motivation to work on old code and old bugs. I wonder if a paypal
> > slush fund where people who use freebsd can donate to and this slush
> > fund is then used to pay devs who fix PRs oldest first of course
> > would be effective.
>
> Obviously you can claim you can do better, please show us, we will
> punish you after time with a commit bit and then you can help us out
> all the time! Seriously though; the various development paths make
> the RELENG_5 branch a development branch and 6 a stable branch.
> No one ever said that 5.x was going to live long because of the
> transition phase between 4.x and 6.x.
>
> Given your feedback I expect to see you on freebsd-bugbusters
> pretty soon (the mailinglist) to help clear the old PRs and
> make sure everything is OK.
>
> Yes I understand that my tone is a bit harsh, but I think the
> statements above are emotional, not based on the reality though,
> the teams work very hard to please everyone, but we have limited
> resources and cannot do everything. It is rather easy to go pick
> on the teams, but that is not something that will help solve the
> problem. Actually helping out will, so I'd request Chris and
> others to help the bugbusting teams and if possible other teams
> as well, then and only then we can try to be a brave schoolkid.
>
> Thanks.
>
> > Chris
>
> --
> Kind regards,
>
> Remko Lodder ** remko@elvandar.org
> FreeBSD ** remko@FreeBSD.org
>
> /* Quis custodiet ipsos custodes */

I would if I could code; unfortunately I can't. I only found out about
the nforce 4 being present in freebsd 5.x yesterday after someone found
the old post and link to the patch when we were discussing it. I have
just submitted a post to the hardware mail list about it and it has a
link to the patch and post from 2004.

I do feel a bit upset that freebsd 6.x is being pushed so much, as 5.x
seems to be a burden on the developers, when I have about half a dozen
machines in production using 5.x and another half a dozen using 6.x and
the 5.x machines are causing the least problems. This is from my own
experience; the only benefits I am seeing from 6.x are the extra
features and performance. I have 1 freebsd 4.x machine in production
and that blows both 5.x and 6.x away for performance and stability but
is of course missing many new features.

Back on topic with bind, I would have thought it would go in both 5.x
and 6.x, but I do agree that maybe just the security fixes is enough
and if someone wants the entire new version they can install from
ports.
Chris

From owner-freebsd-security@FreeBSD.ORG Tue Feb 6 15:08:30 2007
From: "Julian H. Stacey"
To: Remko Lodder
Cc: Chris, Dan Lukes, Deb Goodkin, freebsd-security@freebsd.org
Date: Tue, 06 Feb 2007 16:08:11 +0100
Message-Id: <200702061508.l16F8BQh063421@fire.jhs.private>
In-Reply-To: <20070206144738.GW11375@elvandar.org>
Subject: Re: Support for 5.x (Was: Re: What about BIND 9.3.4 in FreeBSD in base system ?)

Remko Lodder wrote:
> On Tue, Feb 06, 2007 at 01:21:44PM +0000, Chris wrote:
> > On 03/02/07, Julian H. Stacey wrote:
> > think you hit the nail bang on the head, I am one such person who
> > tried to submit a bug causing crashes and have found a lack of
> > enthusiasm to get the bug fixed. One thing I have noticed about 6.x
> > is there are many features that 5.x doesn't have, so it looks clear
> > there is lots of activity in working on new code but little activity
> > in fixing bugs and working on stability.
>
> Hello,
>
> I feel poked by this, and it saddens me that this is the reply we
> get.

No criticism intended of the folk who sacrifice their free time dealing
with other people's bug reports & diffs, it's very kind of them to do it
:-) I guess lots of us paused a moment to admire the courage of the last
bug-a-thon assault team (a weekend about a month back I recall).

I just suggest the oldest bug reports (most boring/ intractable/ tedious,
unappealing to unpaid volunteers) could be worked by paid/sponsored help,
if there's ever any money or sponsored hours available, leaving the newer
bugs to interest the unpaid volunteers.

-- 
Julian Stacey. BSD Unix C Net Consultancy, Munich/Muenchen http://berklix.com
Mail Ascii, not HTML. Your smoke = my allergic headache.
Vista of viral Bills ? Escape !
http://berklix.com/free-talk-on-free-software/

From: Remko Lodder
Date: Tue, 6 Feb 2007 16:25:37 +0100
To: "Julian H. Stacey"
Cc: Chris, Dan Lukes, Deb Goodkin, freebsd-security@freebsd.org
Subject: Re: Support for 5.x (Was: Re: What about BIND 9.3.4 in FreeBSD in base system ?)

On Tue, Feb 06, 2007 at 04:08:11PM +0100, Julian H. Stacey wrote:
> Remko Lodder wrote:
> > On Tue, Feb 06, 2007 at 01:21:44PM +0000, Chris wrote:
> > > On 03/02/07, Julian H. Stacey wrote:
> > > think you hit the nail bang on the head, I am one such person who
> > > tried to submit a bug causing crashes and have found a lack of
> > > enthusiasm to get the bug fixed. One thing I have noticed about 6.x
> > > is there is many features that 5.x doesn't have, so it looks clear
> > > there is lots of activity in working on new code but little activity
> > > in fixing bugs and working on stability.
> >
> > Hello,
> >
> > I feel poked by this, and it saddens me that this is the reply we
> > get.
>
> No criticism intended of the folk who sacrifice their free time
> dealing with other people's bug reports & diffs, it's very kind of
> them to do it :-) I guess lots of us paused a moment to admire the
> courage of the last bug-a-thon assault team (a weekend about a month
> back I recall).
>
> I just suggest the oldest bug reports (most boring/ intractable/
> tedious, unappealing to unpaid volunteers) could be worked by
> paid/sponsored help, if there's ever any money or sponsored hours
> available, leaving the newer bugs to interest the unpaid volunteers.
>

Well, given my "track-record" for the bugs, you can see that I and some other committers try to wreak havoc under the old PRs. This isn't always simple and trivial to do; getting feedback takes ages from time to time (logical, because the submitter feels annoyed that it took so long to get a reply at all), and then you need to find someone to fix this. It will go, steadily, but will always take time, which is crucial, even for paid people.

I hope that the incoming current flow is also seen and that new tickets are handled better than the old ones (we do, in my eyes). Currently all the new PRs are analyzed by one of the bugmeisters (as far as I know, that is), and obscure ones and support questions are discarded immediately; we try to get more feedback on unclear tickets, and try to assign new tickets that are not grabbed by someone within X time to a committer working in that region.

Improvements are there; paid support would help; but it remains a question of time (even money cannot make up most of the things, since one needs to be very all-round to work through all the tickets that are ancient^Wstale^Wstill there, oh well, you get the idea).

Thanks for the feedback though!

Remko

--
Kind regards,

Remko Lodder ** remko@elvandar.org
FreeBSD ** remko@FreeBSD.org

/* Quis custodiet ipsos custodes */

From: Dan Lukes
Date: Tue, 06 Feb 2007 17:20:21 +0100
To: freebsd-security@freebsd.org
Subject: Re: Support for 5.x (Was: Re: What about BIND 9.3.4 in FreeBSD in base system ?)
Remko Lodder wrote, On 02/06/07 16:25:
> Well, given my "track-record" for the bugs, you can see that I and
> some other committers try to wreak havoc under the old PRs. This isn't
> always simple and trivial to do, getting feedback takes ages from time
> to time (logical because the submitter feels annoyed that it took so
> long to get a reply at all)

IMHO, the "annoyed" is not the main problem. The submitter may not remember the details after several months. In fact, a request for feedback may require almost complete re-analysis. Especially when the submitter upgraded to a new release in the meantime...

Dan

--
Dan Lukes SISAL MFF UK
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz

From: Nicolas Rachinsky
Date: Thu, 8 Feb 2007 15:01:36 +0100
To: freebsd-security@freebsd.org
Subject: security issues of aio

Hello,

in /sys/conf/NOTES there is a comment

| # Use real implementations of the aio_* system calls. There are numerous
| # stability and security issues in the current aio code that make it
| # unsuitable for inclusion on machines with untrusted local users.
| options VFS_AIO

Are there still problems with aio? I only found http://xforce.iss.net/xforce/xfdb/7693, but no advisory or other hint that this was fixed (I think I must have missed that somehow). And some closed PRs about fixed problems.

Do these affect aio.ko as well?

Thanks,
Nicolas

--
http://www.rachinsky.de/nicolas
From: Stanislav Sedov
Date: Thu, 8 Feb 2007 19:48:55 +0300
To: freebsd-security@FreeBSD.org
Cc: rwatson@FreeBSD.org
Subject: audit problems

Hi!

I'm experiencing some problems configuring audit on a 6.2-RELEASE system. It doesn't seem to log anything except login messages. The only thing I've modified in the config is the root user specification in audit_users. Now it looks like this:

root:lo,ex,fw,fc:no

However, neither ex, fw nor fc messages get into the log. Furthermore, deleting lo from audit_users and audit_control doesn't stop login messages being logged.

Is it possible that some other kernel options interfere with AUDIT (e.g. MAC)?

Thanks!

--
Stanislav Sedov
ST4096-RIPE
From: Christian Brueffer
Date: Fri, 09 Feb 2007 11:43:16 +0100
To: Stanislav Sedov
Cc: freebsd-security@FreeBSD.org, rwatson@FreeBSD.org
Subject: Re: audit problems

On Thu, Feb 08, 2007 at 07:48:55PM +0300, Stanislav Sedov wrote:
> Hi!
>
> I'm experiencing some problems configuring audit on 6.2-RELEASE system.
> It doesn't seem to log anything except login messages. The only thing
> I've modified in config is the root user specification in audit_users.
> Now it looks like this:
> root:lo,ex,fw,fc:no
>
> However, neither ex, fw nor fc messages get into the log.
> Furthermore, deleting lo from audit_users and audit_control doesn't stop
> login messages logging.
>
> Is it possible that some other kernel options interfere with AUDIT
> (e.g. MAC)?
>

Are you running something other than FreeBSD/i386? If yes, the necessary changes to the machine-dependent trap.c weren't merged. This was only noticed one or two weeks ago and the necessary changes are in RELENG_6.

- Christian

--
Christian Brueffer      chris@unixpages.org      brueffer@FreeBSD.org
GPG Key:         http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D
From: Stanislav Sedov
Date: Fri, 9 Feb 2007 19:56:39 +0300
To: Christian Brueffer
Cc: freebsd-security@FreeBSD.org, rwatson@FreeBSD.org
Subject: Re: audit problems

On Fri, 09 Feb 2007 11:43:16 +0100 Christian Brueffer mentioned:
>
> Are you running something other than FreeBSD/i386? If yes, the necessary
> changes to the machine-dependent trap.c weren't merged. This was only
> noticed one or two weeks ago and the necessary changes are in RELENG_6.
>

That helped, thanks!

--
Stanislav Sedov
ST4096-RIPE
From: FreeBSD Security Advisories
Date: Fri, 9 Feb 2007 20:42:01 GMT
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-07:02.bind

=============================================================================
FreeBSD-SA-07:02.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple Denial of Service vulnerabilities in named(8)

Category:       contrib
Module:         bind
Announced:      2007-02-09
Affects:        FreeBSD 5.3 and later.
Corrected:      2007-02-07 00:42:09 UTC (RELENG_6, 6.2-STABLE)
                2007-02-09 20:24:15 UTC (RELENG_6_2, 6.2-RELEASE-p1)
                2007-02-09 20:23:29 UTC (RELENG_6_1, 6.1-RELEASE-p13)
                2007-02-07 00:46:35 UTC (RELENG_5, 5.5-STABLE)
                2007-02-09 20:22:44 UTC (RELENG_5_5, 5.5-RELEASE-p11)
CVE Name:       CVE-2007-0493, CVE-2007-0494

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet domain name server. DNS Security Extensions (DNSSEC) are additional protocol options that add authentication and integrity to the DNS protocols.

II.  Problem Description

A type * (ANY) query response containing multiple RRsets can trigger an assertion failure.

Certain recursive queries can cause the nameserver to crash by using memory which has already been freed.

III. Impact

A remote attacker sending a type * (ANY) query to an authoritative DNS server for a DNSSEC signed zone can cause the named(8) daemon to exit, resulting in a Denial of Service.

A remote attacker sending recursive queries can cause the nameserver to crash, resulting in a Denial of Service.

IV.  Workaround

There is no workaround available, but systems which are not authoritative servers for DNSSEC signed zones are not affected by the first issue; and systems which do not permit untrusted users to perform recursive DNS resolution are not affected by the second issue. Note that the default configuration for named(8) in FreeBSD allows local access only (which on many systems is equivalent to refusing access to untrusted users).

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1, and 6.2 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 5.5, FreeBSD 6.1]
# fetch http://security.FreeBSD.org/patches/SA-07:02/bind61.patch
# fetch http://security.FreeBSD.org/patches/SA-07:02/bind61.patch.asc

[FreeBSD 6.2]
# fetch http://security.FreeBSD.org/patches/SA-07:02/bind62.patch
# fetch http://security.FreeBSD.org/patches/SA-07:02/bind62.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

c) Restart the named application:

# /etc/rc.d/named restart

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_5
  src/contrib/bind9/lib/dns/resolver.c                          1.1.1.1.2.8
  src/contrib/bind9/lib/dns/validator.c                         1.1.1.1.2.5
  src/contrib/bind9/lib/dns/include/dns/validator.h             1.1.1.1.2.4
RELENG_5_5
  src/UPDATING                                              1.342.2.35.2.11
  src/sys/conf/newvers.sh                                    1.62.2.21.2.13
  src/contrib/bind9/lib/dns/resolver.c                      1.1.1.1.2.4.2.2
  src/contrib/bind9/lib/dns/validator.c                     1.1.1.1.2.3.2.1
  src/contrib/bind9/lib/dns/include/dns/validator.h         1.1.1.1.2.2.2.1
RELENG_6
  src/contrib/bind9/lib/dns/resolver.c                          1.1.1.2.2.6
  src/contrib/bind9/lib/dns/validator.c                         1.1.1.2.2.3
  src/contrib/bind9/lib/dns/include/dns/validator.h             1.1.1.1.4.3
RELENG_6_2
  src/UPDATING                                               1.416.2.29.2.4
  src/sys/conf/newvers.sh                                     1.69.2.13.2.4
  src/contrib/bind9/lib/dns/resolver.c                      1.1.1.2.2.4.2.2
  src/contrib/bind9/lib/dns/validator.c                     1.1.1.2.2.1.4.2
  src/contrib/bind9/lib/dns/include/dns/validator.h       1.1.1.1.4.1.4.2
RELENG_6_1
  src/UPDATING                                              1.416.2.22.2.15
  src/sys/conf/newvers.sh                                    1.69.2.11.2.15
  src/contrib/bind9/lib/dns/resolver.c                      1.1.1.2.2.2.2.2
  src/contrib/bind9/lib/dns/validator.c                     1.1.1.2.2.1.2.1
  src/contrib/bind9/lib/dns/include/dns/validator.h       1.1.1.1.4.1.2.1
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0494

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:02.bind.asc
From: Mark Andrews
Date: Sat, 10 Feb 2007 15:25:36 +1100
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-07:02.bind

> IV. Workaround
>
> There is no workaround available, but systems which are not authoritative
> servers for DNSSEC signed zones are not affected by the first issue; and
> systems which do not permit untrusted users to perform recursive DNS
> resolution are not affected by the second issue. Note that the default
> configuration for named(8) in FreeBSD allows local access only (which on
> many systems is equivalent to refusing access to untrusted users).

More precisely, systems which do not *validate* answers are not vulnerable to the first. All nameservers which offer recursion are vulnerable to the second.

From ISC's advisory (which I authored).

Workaround:

Disable / restrict recursion (to limit exposure).

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
From: Colin Percival
Date: Fri, 09 Feb 2007 23:09:08 -0800
To: Mark Andrews
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-07:02.bind

Mark Andrews wrote:
>> There is no workaround available, but systems which are not authoritative
>> servers for DNSSEC signed zones are not affected by the first issue; and
>> systems which do not permit untrusted users to perform recursive DNS
>> resolution are not affected by the second issue. Note that the default
>> configuration for named(8) in FreeBSD allows local access only (which on
>> many systems is equivalent to refusing access to untrusted users).
>
> From ISC's advisory (which I authored).
>
> Workaround:
>
> Disable / restrict recursion (to limit exposure).

Considering that the only FreeBSD systems which permit recursive queries are those which have been specifically configured to do so, I don't consider this to be a workaround. DoS by administrator is no better than DoS by attacker.

Colin Percival
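The "restrict" half of the ISC workaround Mark Andrews quotes, written out as a named.conf fragment: recursion stays available to the server's own clients (the usability point Colin Percival raises) while hosts outside the ACL cannot drive the recursive resolver path behind the advisory's second issue. This is an added example, not text from the advisory or from either poster; the ACL name `trusted`, the 192.0.2.0/24 client network and the 192.0.2.1 listen address are assumptions.

```conf
// Added example, not part of FreeBSD-SA-07:02.bind or the list replies.
// Goal: limit exposure to the second issue (recursive queries from
// untrusted clients) without taking the resolver away from the clients
// it exists to serve.

// Hosts allowed to use this server as a recursive resolver.
// 192.0.2.0/24 is a constructed example network; replace with your own.
acl "trusted" {
    127.0.0.0/8;
    ::1;
    192.0.2.0/24;
};

options {
    directory "/etc/namedb";   // assumed: the directory used by FreeBSD's stock named.conf

    // The advisory notes that FreeBSD's default configuration allows local
    // access only. A server that also has to answer other hosts (assumed
    // here) listens on its external address as well, which is exactly the
    // case where the recursion ACL below matters.
    listen-on { 127.0.0.1; 192.0.2.1; };

    // Weak setting: any host that can reach the server may have it recurse.
    //   recursion yes;
    //   allow-recursion { any; };

    // Restricted setting: authoritative answers are still served to
    // everyone (allow-query), but recursion is performed only for the
    // trusted ACL. Recursion-dependent queries from other hosts are
    // refused rather than resolved, so the server keeps working for its
    // own clients instead of being switched off for all of them.
    recursion yes;
    allow-query { any; };
    allow-recursion { trusted; };
};
```

Disabling recursion outright (`recursion no;`) removes the exposure entirely but, as the thread notes, also removes the service the host was configured to provide; the ACL keeps that decision with the administrator.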