From owner-freebsd-security@FreeBSD.ORG Wed Mar 14 08:04:34 2007
Date: Wed, 14 Mar 2007 10:45:11 +0300
From: Eygene Ryabinkin
To: freebsd-security@freebsd.org
Cc: rwatson@freebsd.org
Subject: OpenBSD IPv6 remote kernel buffer overflow. FreeBSD has this too?

Good day.

Just spotted the new advisory from CORE:
  http://www.securityfocus.com/archive/1/462728/30/0/threaded
Not an expert, but FreeBSD's src/sys/kern/uipc_mbuf2.c has the very
similar code.

Robert, anyone, could you please check?

Thank you.
--
Eygene

From owner-freebsd-security@FreeBSD.ORG Wed Mar 14 09:32:37 2007
Date: Wed, 14 Mar 2007 02:30:55 -0700
From: Colin Percival
To: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org
Subject: Re: OpenBSD IPv6 remote kernel buffer overflow. FreeBSD has this too?

Eygene Ryabinkin wrote:
> Just spotted the new advisory from CORE:
> http://www.securityfocus.com/archive/1/462728/30/0/threaded
> Not an expert, but FreeBSD's src/sys/kern/uipc_mbuf2.c has the very
> similar code.

I really hope that we're not affected, especially since we didn't get
any advance notice of this; but I've asked several of our IPv6 / network
stack experts to investigate this.

Colin Percival
FreeBSD Security Officer

From owner-freebsd-security@FreeBSD.ORG Wed Mar 14 09:38:36 2007
Date: Wed, 14 Mar 2007 12:38:30 +0300
From: Eygene Ryabinkin
To: Colin Percival
Cc: freebsd-security@freebsd.org
Subject: Re: OpenBSD IPv6 remote kernel buffer overflow. FreeBSD has this too?

Colin, good day.

> I really hope that we're not affected, especially since we didn't get
> any advance notice of this; but I've asked several of our IPv6 / network
> stack experts to investigate this.

Thank you!
--
Eygene

From owner-freebsd-security@FreeBSD.ORG Wed Mar 14 13:17:35 2007
Date: Wed, 14 Mar 2007 13:59:18 +0100
From: Pawel Jakub Dawidek
To: freebsd-security@FreeBSD.org
Subject: Check PRIV_VFS_MOUNT when jailed.

Hi.

I'd like to commit this patch:

  http://people.freebsd.org/~pjd/patches/vfs_mount.c.9.patch

It currently should change nothing, but will be needed once we allow to
grant privileges for jails. I'd like to commit it now, so I can
experiment easier with my ZFS improvements.

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-security@FreeBSD.ORG Wed Mar 14 19:07:16 2007
Date: Wed, 14 Mar 2007 14:06:45 -0500 (CDT)
From: Robert Johannes
To: VANHULLEBUS Yvan
Cc: freebsd-security@freebsd.org
Subject: Re: freebsd vpn server behind nat dsl router

On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:

> On Wed, Mar 07, 2007 at 12:04:17PM -0600, Robert Johannes wrote:
>> Thanks for your response.  My freebsd vpn servers are behind the dsl
>> routers at each site which.  The modems have firewall and NAT turned on.
>> The vpn servers are part of the local LANs, and I have port-forwarding
>> setup between the dsl modems and the vpn servers.  E.g, when traffic comes
>> from the internet destined for port 500, I forward that traffic to the vpn
>> servers (192.168.x.254 on the diagram).
>
> If your redirection only works for port 500, it won't be enough, as it
> will only allow IKE negotiations, not encrypted traffic.
>
> You'll have to add forwarding for ESP protocol, or use NAT-T patch and
> also forward UDP 4500 port.
>
>
>> The freebsd servers are not running a firewall or NAT at this point.  I
>> don't think they need to run NAT, but I haven't decided on the firewall
>> yet.
>>
>> So, given that situation, I don't know if the NAT changes to the kernel
>> you are suggesting below would help, since NAT is happening on the dsl
>> routers.  I am guessing my problem is between the vpn server and the dsl
>> router's NAT capability.  I have done a tcpdump on the gif interface, and
>> I can see the ping requests being made across it, but there's no response.
>> I don't even know if the traffic is making it beyond the vpn box, let
>> alone beyond the dsl modem.
>
> The NAT-T patch I was talking about adds the kernel part of an *IPSec*
> feature: support for NAT-Traversal extension (RFCs 3947 and 3948),
> which allows IPSec tunnels to be established if there is some NAT
> between IPSec gates.
>
> This is exactly your setup.

Ok, I have done quite a bit of work since my last email, but I still don't
see visible progress.  I did rebuild world and the kernel with the NAT-T
patches/support that you recommended.  I have been playing around with
ipsec etc.

I have created an esp tunnel between my two sites, and I am sending some
ping traffic to the remote end, but the packets don't seem to get through.
Here's a snippet of what I see on tcpdump:

14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, \
length 64 (ipip-proto-4)
14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, \
length 64 (ipip-proto-4)

From what I can tell, the kernel knows that it is to send the ping request
from 192.168.1.254 to 192.168.0.254 through the tunnel mouths
190.41.95.135 and 201.240.165.191.  But, there's no request from the other
end.  Doing a tcpdump on the other side (192.168.0.254), nothing is coming
in.  I have also done a ping from the latter machine to the former, but
with exactly the same problem.  Nothing seems to get to the other end.

The tunnel is not using racoon yet.  I figure that I should be able to see
some traffic going back and forth before I use racoon to manage keys.  The
tunnel was created by the following lines on one host, and reversed on the
other:

spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
    esp/tunnel/190.41.95.135-201.240.151.15/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/201.240.151.15-190.41.95.135/require;

If any one can shed some more light on this, I would appreciate it.
thanks
robert

From owner-freebsd-security@FreeBSD.ORG Thu Mar 15 02:29:11 2007
Date: Thu, 15 Mar 2007 02:31:54 +0000
From: Tom Judge
To: Robert Johannes
Cc: freebsd-security@freebsd.org, VANHULLEBUS Yvan
Subject: Re: freebsd vpn server behind nat dsl router

Robert Johannes wrote:
>
> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>
>
> Ok, I have done quite a bit of work since my last email, but I still
> don't see visible progress.  I did rebuild world and the kernel with the
> NAT-T patches/support that you recommended.  I have been playing around
> with ipsec etc.
>
> I have created an esp tunnel between my two sites, and I am sending some
> ping traffic to the remote end, but the packets don't seem to get
> through.  Here's a snippet of what I see on tcpdump:
>
> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, \
> length 64 (ipip-proto-4)
> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, \
> length 64 (ipip-proto-4)

Firstly have you set your DSL routers up to nat the ipencap protocol
back to your FreeBSD box? (IPencap is an IP payload protocol, not a TCP
or UDP payload, so you will probably need a pretty advanced router to do
this).

The packets you see here are not protected by IPSEC; they are just plain
old IPENCAP packets.  If they were IPSEC packets I would expect to see
ESP as the protocol and not see the encapsulated packet header (Again
when you get IPSEC working you are going to need to NAT these packets to
your freebsd boxes.)

>
> From what I can tell, the kernel knows that it is to send the ping request
> from 192.168.1.254 to 192.168.0.254 through the tunnel mouths
> 190.41.95.135 and 201.240.165.191.  But, there's no request from the
> other end.  Doing a tcpdump on the other side (192.168.0.254), nothing
> is coming in.  I have also done a ping from the latter machine to the
> former, but with exactly the same problem.  Nothing seems to get to the
> other end.
>
> The tunnel is not using racoon yet.  I figure that I should be able to
> see some traffic going back and forth before I use racoon to manage
> keys.  The tunnel was created by the following lines on one host, and
> reversed on the other:
>
> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
>     esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
>     esp/tunnel/201.240.151.15-190.41.95.135/require;
>
> If any one can shed some more light on this, I would appreciate it.
>

From what I can see your /etc/ipsec.conf should look like this:

spdadd 190.41.95.135/32 201.240.151.15/32 ipencap -P in ipsec
    esp/tunnel/190.41.95.135-201.240.151.15/require;
spdadd 201.240.151.15/32 190.41.95.135/32 ipencap -P out ipsec
    esp/tunnel/201.240.151.15-190.41.95.135/require;

These rules may be wrong but your tunnel seems to be an IP protocol 4
payload which is ipencap (see /etc/protocols).

Hope this helps.

Tom

From owner-freebsd-security@FreeBSD.ORG Thu Mar 15 04:12:02 2007
Date: Thu, 15 Mar 2007 05:11:50 +0100
From: Pawel Jakub Dawidek
To: freebsd-security@FreeBSD.org
Subject: Re: Check PRIV_VFS_MOUNT when jailed.

On Wed, Mar 14, 2007 at 01:59:18PM +0100, Pawel Jakub Dawidek wrote:
> Hi.
>
> I'd like to commit this patch:
>
>   http://people.freebsd.org/~pjd/patches/vfs_mount.c.9.patch
>
> It currently should change nothing, but will be needed once we allow to
> grant privileges for jails. I'd like to commit it now, so I can
> experiment easier with my ZFS improvements.

Reviewed by rwatson@ and committed.

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-security@FreeBSD.ORG Thu Mar 15 11:32:26 2007
Date: Thu, 15 Mar 2007 12:02:24 +0100 (BST)
From: Robert Watson
To: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org
Subject: Re: OpenBSD IPv6 remote kernel buffer overflow. FreeBSD has this too?

On Wed, 14 Mar 2007, Eygene Ryabinkin wrote:

> Just spotted the new advisory from CORE:
> http://www.securityfocus.com/archive/1/462728/30/0/threaded Not an
> expert, but FreeBSD's src/sys/kern/uipc_mbuf2.c has the very similar code.
>
> Robert, anyone, could you please check?

Eygene,

Sorry for the delayed response on this -- I've only just returned from Tokyo in
the last day and am significantly behind in e-mail from the trip.

According to a source analysis by Jinmei, we are not vulnerable, but I will
continue tracking the thread.  Apparently this vulnerability involved an issue
in the handling of M_EXT, and our implementation of clusters differs
significantly from OpenBSD, so it seems likely we are not affected.  If we
discover any information to the contrary, you can be sure that we will get it
fixed and release an advisory!

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-security@FreeBSD.ORG Thu Mar 15 12:10:51 2007
Date: Thu, 15 Mar 2007 15:10:43 +0300
From: Eygene Ryabinkin
To: Robert Watson
Cc: freebsd-security@freebsd.org
Subject: Re: OpenBSD IPv6 remote kernel buffer overflow. FreeBSD has this too?

Robert, good day.

> Sorry for the delayed response on this -- I've only just returned from Tokyo in
> the last day and am significantly behind in e-mail from the trip.
>
> According to a source analysis by Jinmei, we are not vulnerable, but I will
> continue tracking the thread.  Apparently this vulnerability involved an issue
> in the handling of M_EXT, and our implementation of clusters differs
> significantly from OpenBSD, so it seems likely we are not affected.

OK, thanks for the analysis and sorry for the noise.

> If we
> discover any information to the contrary, you can be sure that we will get it
> fixed and release an advisory!

Very good, thank you.
--
Eygene

From owner-freebsd-security@FreeBSD.ORG Fri Mar 16 02:51:16 2007
b=ZL6+ayAzIErZfemzC6lXDM/eANP4NOYwcn9ohKKcFDFdCSlZKiwZarvEWRdZNLlP14Pfup81CkPd6rI8KEc9Jd/ZXLyvfQtbD49e0UucoUy2NEaHE98Yd8KTbaOC9jsvDfvYrqJpDiep3eehuCgSdc4m5jxScP/DCP7LWwEDnTc= Received: by 10.114.180.1 with SMTP id c1mr526031waf.1174012006517; Thu, 15 Mar 2007 19:26:46 -0700 (PDT) Received: from ?192.168.3.215? ( [210.13.108.117]) by mx.google.com with ESMTP id z15sm3679401pod.2007.03.15.19.26.44; Thu, 15 Mar 2007 19:26:45 -0700 (PDT) Mime-Version: 1.0 (Apple Message framework v752.2) In-Reply-To: <20070315120026.D7B2916A411@hub.freebsd.org> References: <20070315120026.D7B2916A411@hub.freebsd.org> Content-Type: text/plain; charset=GB2312; delsp=yes; format=flowed Message-Id: <3DF5B330-90FD-4268-A3D7-874A7566E855@gmail.com> Content-Transfer-Encoding: quoted-printable From: rhinux Date: Fri, 16 Mar 2007 10:26:27 +0800 To: freebsd-security@freebsd.org X-Mailer: Apple Mail (2.752.2) Subject: Re: freebsd-security Digest, Vol 201, Issue 2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Mar 2007 02:51:16 -0000 =D4=DA 2007-3-15=A3=AC=CF=C2=CE=E78:00=A3=ACfreebsd-security-request@freeb= sd.org =D0=B4=B5=C0=A3=BA > Send freebsd-security mailing list submissions to > freebsd-security@freebsd.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.freebsd.org/mailman/listinfo/freebsd-security > or, via email, send a message with subject or body 'help' to > freebsd-security-request@freebsd.org > > You can reach the person managing the list at > freebsd-security-owner@freebsd.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of freebsd-security digest..." > > > Today's Topics: > > 1. Check PRIV_VFS_MOUNT when jailed. (Pawel Jakub Dawidek) > 2. Re: freebsd vpn server behind nat dsl router (Robert Johannes) > 3. 
Re: freebsd vpn server behind nat dsl router (Tom Judge) > 4. Re: Check PRIV_VFS_MOUNT when jailed. (Pawel Jakub Dawidek) > 5. Re: OpenBSD IPv6 remote kernel buffer overflow. FreeBSD has > this too? (Robert Watson) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 14 Mar 2007 13:59:18 +0100 > From: Pawel Jakub Dawidek > Subject: Check PRIV_VFS_MOUNT when jailed. > To: freebsd-security@FreeBSD.org > Message-ID: <20070314125918.GF7847@garage.freebsd.pl> > Content-Type: text/plain; charset=3D"iso-8859-2" > > Hi. > > I'd like to commit this patch: > > http://people.freebsd.org/~pjd/patches/vfs_mount.c.9.patch > > It currently should change nothing, but will be needed once we =20 > allow to > grant privileges for jails. I'd like to commit it now, so I can > experiment easier with my ZFS improvements. > > --=20 > Pawel Jakub Dawidek http://www.wheel.pl > pjd@FreeBSD.org http://www.FreeBSD.org > FreeBSD committer Am I Evil? Yes, I Am! > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: not available > Type: application/pgp-signature > Size: 187 bytes > Desc: not available > Url : http://lists.freebsd.org/pipermail/freebsd-security/=20 > attachments/20070314/28c8fdd2/attachment-0001.pgp > > ------------------------------ > > Message: 2 > Date: Wed, 14 Mar 2007 14:06:45 -0500 (CDT) > From: Robert Johannes > Subject: Re: freebsd vpn server behind nat dsl router > To: VANHULLEBUS Yvan > Cc: freebsd-security@freebsd.org > Message-ID: > Content-Type: TEXT/PLAIN; charset=3DUS-ASCII; format=3Dflowed > > > On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote: > >> On Wed, Mar 07, 2007 at 12:04:17PM -0600, Robert Johannes wrote: >>> Thanks for your response. My freebsd vpn servers are behind the dsl >>> routers at each site which. The modems have firewall and NAT =20 >>> turned on. 
>>> The vpn servers are part of the local LANs, and I have port-forwarding
>>> setup between the dsl modems and the vpn servers. E.g, when traffic comes
>>> from the internet destined for port 500, I forward that traffic to the vpn
>>> servers (192.168.x.254 on the diagram).
>>
>> If your redirection only works for port 500, it won't be enough, as it
>> will only allow IKE negotiations, not encrypted traffic.
>>
>> You'll have to add forwarding for ESP protocol, or use NAT-T patch and
>> also forward UDP 4500 port.
>>
>>
>>> The freebsd servers are not running a firewall or NAT at this point. I
>>> don't think they need to run NAT, but I haven't decided on the firewall
>>> yet.
>>>
>>> So, given that situation, I don't know if the NAT changes to the kernel
>>> you are suggesting below would help, since NAT is happening on the dsl
>>> routers. I am guessing my problem is between the vpn server and the dsl
>>> router's NAT capability. I have done a tcpdump on the gif interface, and
>>> I can see the ping requests being made across it, but there's no response.
>>> I don't even know if the traffic is making it beyond the vpn box, let
>>> alone beyond the dsl modem.
>>
>> The NAT-T patch I was talking about adds the kernel part of an *IPSec*
>> feature: support for NAT-Traversal extension (RFCs 3947 and 3948),
>> which allows IPSec tunnels to be established if there is some NAT
>> between IPSec gates.
>>
>> This is exactly your setup.
>
> Ok, I have done quite a bit of work since my last email, but I still don't
> see visible progress. I did rebuild world and the kernel with the NAT-T
> patches/support that you recommended. I have been playing around with
> ipsec etc.
>
> I have created an esp tunnel between my two sites, and I am sending some
> ping traffic to the remote end, but the packets don't seem to get through.
> Here's a snippet of what I see on tcpdump:
>
> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, \
> length 64 (ipip-proto-4)
> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, \
> length 64 (ipip-proto-4)
>
> From what I can tell, the kernel knows that it is to send the ping request
> from 192.168.1.254 to 192.168.0.254 through the tunnel mouths
> 190.41.95.135 and 201.240.165.191. But, there's no request from the other
> end. Doing a tcpdump on the other side (192.168.0.254), nothing is coming
> in. I have also done a ping from the latter machine to the former, but
> with exactly the same problem. Nothing seems to get to the other end.
>
> The tunnel is not using racoon yet. I figure that I should be able to see
> some traffic going back and forth before I use racoon to manage keys. The
> tunnel was created by the following lines on one host, and reversed on
> the other:
>
> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
> esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
> esp/tunnel/201.240.151.15-190.41.95.135/require;
>
> If any one can shed some more light on this, I would appreciate it.
>
> thanks
> robert
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 15 Mar 2007 02:31:54 +0000
> From: Tom Judge
> Subject: Re: freebsd vpn server behind nat dsl router
> To: Robert Johannes
> Cc: freebsd-security@freebsd.org, VANHULLEBUS Yvan
> Message-ID: <45F8B01A.50106@tomjudge.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Robert Johannes wrote:
>>
>> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>>
>>
>> Ok, I have done quite a bit of work since my last email, but I still
>> don't see visible progress. I did rebuild world and the kernel with the
>> NAT-T patches/support that you recommended. I have been playing around
>> with ipsec etc.
>>
>> I have created an esp tunnel between my two sites, and I am sending some
>> ping traffic to the remote end, but the packets don't seem to get
>> through. Here's a snippet of what I see on tcpdump:
>>
>> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, \
>> length 64 (ipip-proto-4)
>> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, \
>> length 64 (ipip-proto-4)
>
> Firstly have you set your DSL routers up to nat the ipencap protocol
> back to your FreeBSD box? (IPencap is an IP payload protocol, not a TCP
> or UDP payload, so you will probably need a pretty advanced router to do
> this). The packets you see here are not protected by IPSEC they are
> just plain old IPENCAP packets. If they were IPSEC packets I would
> expect to see ESP as the protocol and not see the encapsulated packet
> header (Again when you get IPSEC working you are going to need to NAT
> these packets to your freebsd boxes.)
>
>>
>> From what I can tell, the kernel knows that it is to send the ping
>> request from 192.168.1.254 to 192.168.0.254 through the tunnel mouths
>> 190.41.95.135 and 201.240.165.191. But, there's no request from the
>> other end. Doing a tcpdump on the other side (192.168.0.254), nothing
>> is coming in. I have also done a ping from the latter machine to the
>> former, but with exactly the same problem. Nothing seems to get to the
>> other end.
>>
>> The tunnel is not using racoon yet. I figure that I should be able to
>> see some traffic going back and forth before I use racoon to manage
>> keys. The tunnel was created by the following lines on one host, and
>> reversed on the other:
>>
>> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
>> esp/tunnel/190.41.95.135-201.240.151.15/require;
>> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
>> esp/tunnel/201.240.151.15-190.41.95.135/require;
>>
>> If any one can shed some more light on this, I would appreciate it.
>>
>
> From what I can see your /etc/ipsec.conf should look like this:
>
> spdadd 190.41.95.135/32 201.240.151.15/32 ipencap -P in ipsec
> esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 201.240.151.15/32 190.41.95.135/32 ipencap -P out ipsec
> esp/tunnel/201.240.151.15-190.41.95.135/require;
>
> These rules may be wrong but your tunnel seems to be an IP protocol 4
> payload which is ipencap (see /etc/protocols).
>
> Hope this helps.
>
> Tom
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 15 Mar 2007 05:11:50 +0100
> From: Pawel Jakub Dawidek
> Subject: Re: Check PRIV_VFS_MOUNT when jailed.
> To: freebsd-security@FreeBSD.org
> Message-ID: <20070315041149.GM7847@garage.freebsd.pl>
> Content-Type: text/plain; charset="iso-8859-2"
>
> On Wed, Mar 14, 2007 at 01:59:18PM +0100, Pawel Jakub Dawidek wrote:
>> Hi.
>>
>> I'd like to commit this patch:
>>
>>     http://people.freebsd.org/~pjd/patches/vfs_mount.c.9.patch
>>
>> It currently should change nothing, but will be needed once we allow to
>> grant privileges for jails. I'd like to commit it now, so I can
>> experiment easier with my ZFS improvements.
>
> Reviewed by rwatson@ and committed.
>
> -- 
> Pawel Jakub Dawidek                       http://www.wheel.pl
> pjd@FreeBSD.org                           http://www.FreeBSD.org
> FreeBSD committer                         Am I Evil? Yes, I Am!
>
> ------------------------------
>
> Message: 5
> Date: Thu, 15 Mar 2007 12:02:24 +0100 (BST)
> From: Robert Watson
> Subject: Re: OpenBSD IPv6 remote kernel buffer overflow. FreeBSD has
>     this too?
> To: Eygene Ryabinkin
> Cc: freebsd-security@freebsd.org
> Message-ID: <20070315120009.A60010@fledge.watson.org>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
>
> On Wed, 14 Mar 2007, Eygene Ryabinkin wrote:
>
>> Just spotted the new advisory from CORE:
>> http://www.securityfocus.com/archive/1/462728/30/0/threaded Not an
>> expert, but FreeBSD's src/sys/kern/uipc_mbuf2.c has the very similar code.
>>
>> Robert, anyone, could you please check?
>
> Eygene,
>
> Sorry for the delayed response on this -- I've only just returned from Tokyo
> in the last day and am significantly behind in e-mail from the trip.
>
> According to a source analysis by Jinmei, we are not vulnerable, but I will
> continue tracking the thread. Apparently this vulnerability involved an issue
> in the handling of M_EXT, and our implementation of clusters differs
> significantly from OpenBSD, so it seems likely we are not affected.
> If we
> discover any information to the contrary, you can be sure that we will get it
> fixed and release an advisory!
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
>
> ------------------------------
>
> End of freebsd-security Digest, Vol 201, Issue 2
> ************************************************

From owner-freebsd-security@FreeBSD.ORG Fri Mar 16 16:28:16 2007
Date: Fri, 16 Mar 2007 09:27:42 -0700
From: Colin Percival
In-reply-to: <45F7C0CF.7020906@freebsd.org>
To: Colin Percival
Message-id: <45FAC57E.6050200@freebsd.org>
References: <20070314074510.GH99047@codelabs.ru> <45F7C0CF.7020906@freebsd.org>
Cc: freebsd-security@freebsd.org
Subject: Re: OpenBSD IPv6 remote kernel buffer overflow. FreeBSD has this too?

I wrote:
> Eygene Ryabinkin wrote:
>> Just spotted the new advisory from CORE:
>> http://www.securityfocus.com/archive/1/462728/30/0/threaded
>> Not an expert, but FreeBSD's src/sys/kern/uipc_mbuf2.c has the very
>> similar code.
>
> I really hope that we're not affected, especially since we didn't get
> any advance notice of this; but I've asked several of our IPv6 / network
> stack experts to investigate this.

After hearing from a KAME developers who investigated this issue,
I'm satisfied that FreeBSD is not affected.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Sat Mar 17 10:06:31 2007
Date: Sat, 17 Mar 2007 13:06:25 +0300
From: Eygene Ryabinkin
To: Colin Percival
Message-ID: <20070317100624.GB80225@codelabs.ru>
References: <20070314074510.GH99047@codelabs.ru> <45F7C0CF.7020906@freebsd.org> <45FAC57E.6050200@freebsd.org>
In-Reply-To: <45FAC57E.6050200@freebsd.org>
Cc: freebsd-security@freebsd.org
Subject: Re: OpenBSD IPv6 remote kernel buffer overflow. FreeBSD has this too?

Colin,

> > I really hope that we're not affected, especially since we didn't get
> > any advance notice of this; but I've asked several of our IPv6 / network
> > stack experts to investigate this.
>
> After hearing from a KAME developers who investigated this issue,
> I'm satisfied that FreeBSD is not affected.

Glad to hear it and sorry for the noise.
-- 
Eygene
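
The check Tom Judge describes in the VPN thread of the digest quoted above (a protected tunnel shows ESP on the wire, not a readable inner IP header) can be scripted over tcpdump text output. This is an added example, not code from any post in the thread; the function names are hypothetical, and every sample line except the first, which is the capture quoted in the thread with its continuation lines joined, is constructed.

```python
import re

# Line 1 is the capture quoted in the thread, continuation lines joined.
# Lines 2-4 are constructed samples (documentation addresses) in the text
# format tcpdump prints for ESP, NAT-T encapsulated ESP and IKE.
SAMPLE_CAPTURE = """\
14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, length 64 (ipip-proto-4)
14:07:01.000001 IP 198.51.100.7 > 203.0.113.9: ESP(spi=0x0000c0de,seq=0x1), length 116
14:07:02.000002 IP 198.51.100.7.4500 > 203.0.113.9.4500: UDP-encap: ESP(spi=0x0000c0de,seq=0x2), length 116
14:07:03.000003 IP 198.51.100.7.500 > 203.0.113.9.500: isakmp: phase 1 I ident
"""

# "<time> IP <src> > <dst>: <payload description>"
OUTER = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>[^:\s]+): (?P<rest>.*)$")
# A second, readable IP header inside the payload means IP-in-IP (protocol 4).
INNER = re.compile(r"^IP (?P<src>\S+) > (?P<dst>[^:\s]+): ")


def classify(line):
    """Return what one tcpdump text line says about tunnel protection."""
    outer = OUTER.match(line.strip())
    if outer is None:
        return "unparsed"
    rest = outer.group("rest")
    if rest.startswith("ESP("):
        return "esp"                # IP protocol 50, payload encrypted
    if rest.startswith("UDP-encap: ESP("):
        return "esp-natt"           # ESP inside UDP 4500 (RFC 3948)
    if rest.startswith("isakmp"):
        return "ike"                # key negotiation only, UDP 500
    if INNER.match(rest):
        return "cleartext-tunnel"   # inner header visible: not IPsec
    return "other"


def leaked_inner_flows(capture):
    """List (outer_src, outer_dst, inner_src, inner_dst) seen unencrypted."""
    flows = []
    for line in capture.splitlines():
        outer = OUTER.match(line.strip())
        inner = INNER.match(outer.group("rest")) if outer else None
        if inner:
            flows.append((outer.group("src"), outer.group("dst"),
                          inner.group("src"), inner.group("dst")))
    return flows


def tunnel_is_protected(capture):
    """True only if ESP is present and no inner header is readable."""
    kinds = {classify(l) for l in capture.splitlines() if l.strip()}
    return bool(kinds & {"esp", "esp-natt"}) and "cleartext-tunnel" not in kinds


if __name__ == "__main__":
    for line in SAMPLE_CAPTURE.splitlines():
        print(f"{classify(line):17} {line[:60]}")
    print("protected:", tunnel_is_protected(SAMPLE_CAPTURE))
```

A capture that contains only `ike` lines also reports unprotected, which matches the point made in the thread that forwarding port 500 alone lets negotiation through but carries no encrypted traffic.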