From owner-freebsd-security@FreeBSD.ORG Tue Jul 8 10:31:55 2008
From: "Ivan Grover" <ivangrvr299@gmail.com>
To: freebsd-security@freebsd.org
Date: Tue, 8 Jul 2008 15:46:37 +0530
Message-ID: <670f29e20807080316s6cf57612jf5135bfd340e3328@mail.gmail.com>
Subject: OPIE Challenge sequence
Hi,

I am trying to choose OPIE as my OTP implementation for authenticating the clients. I have the following queries; could anyone please let me know these:

-- Why are the challenges in OPIE in a predetermined form? Is it for determining the decryption key for the encrypted passphrase (stored in opiekeys)?

-- Is it possible to generate random challenges using opiechallenge?

Any pointers/links will be very much helpful.

Regards,
Ivan

From owner-freebsd-security@FreeBSD.ORG Tue Jul 8 11:41:52 2008
From: Dag-Erling Smørgrav <des@des.no>
To: "Ivan Grover"
Cc: freebsd-security@freebsd.org
Date: Tue, 08 Jul 2008 13:22:49 +0200
Message-ID: <86abgs7h86.fsf@ds4.des.no>
In-Reply-To: <670f29e20807080316s6cf57612jf5135bfd340e3328@mail.gmail.com>
Subject: Re: OPIE Challenge sequence
"Ivan Grover" writes:
> I am trying to choose OPIE as my OTP implementation for authenticating the
> clients. I have the following queries, could anyone please let me know these
> -- why does the challenge in OPIE are in predetermined form..
> is it for determining the decryption key for the encrypted passphrase (stored
> in opiekeys).

There is no encryption involved; OPIE is based on a one-way hash function (usually MD5).

I'm not sure what you mean by "predetermined form", but one of the features of OPIE is that you should be able to use it even when you don't have a key calculator, by pre-generating and printing a list of responses.

> -- is it possible to generate random challenges using opiechallenge

No. There is a random seed, but it remains the same until you either run out of keys or generate a new series.

> Any pointers/links will be very much helpful.

The opie(4) man page describes the algorithm.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Jul 8 13:41:37 2008
From: "Ivan Grover" <ivangrvr299@gmail.com>
To: "Peter Jeremy"
Date: Tue, 8 Jul 2008 19:11:35 +0530
Message-ID: <670f29e20807080641wb6f76cctfacfbb2af2f4f7e9@mail.gmail.com>
In-Reply-To: <20080708113030.GN62764@server.vk2pj.dyndns.org>
Cc: freebsd-security@freebsd.org
Subject: Re: OPIE Challenge sequence

Thank you so much for your responses. By "predetermined", I meant the challenges appear sequentially in decremented fashion, so are we aware of any security hole with this? I ask this because usually the challenge/response implementations consider generating random challenges (I think here they have a weakness where the passphrase needs to be in clear text).

My problem is to determine the best challenge/response implementation for authenticating the clients. Please correct me if I missed something.

Thanks and Regards,
Ivan

On Tue, Jul 8, 2008 at 5:00 PM, Peter Jeremy wrote:
> On 2008-Jul-08 15:46:37 +0530, Ivan Grover wrote:
> >I am trying to choose OPIE as my OTP implementation for authenticating the
> >clients. I have the following queries, could anyone please let me know
> >these
> >-- why does the challenge in OPIE are in predetermined form..
> >is it for determining the decryption key for the encrypted
> >passphrase (stored in opiekeys).
>
> The passphrase is not encrypted - it is hashed and cannot be "decrypted".
> Basically, the passphrase and seed are concatenated and the result is
> hashed (using MD5) the number of times specified by the iteration count
> and the seed, count and final hash are stored in /etc/opiekeys.
>
> The supplied response is easily verified because when you run it thru
> MD5, you should get the hash in /etc/opiekeys. You then replace that
> hash with the one the user supplied.
>
> >-- is it possible to generate random challenges using opiechallenge
>
> No.
> The seed has to match the seed that was used to generate the
> hash with opiepasswd.
>
> --
> Peter Jeremy
> Please excuse any delays as the result of my ISP's inability to implement
> an MTA that is either RFC2821-compliant or matches their claimed behaviour.

From owner-freebsd-security@FreeBSD.ORG Tue Jul 8 15:37:28 2008
From: Dag-Erling Smørgrav <des@des.no>
To: "Ivan Grover"
Cc: freebsd-security@freebsd.org
Date: Tue, 08 Jul 2008 17:37:26 +0200
Message-ID: <8663rg5qvd.fsf@ds4.des.no>
In-Reply-To: <670f29e20807080641wb6f76cctfacfbb2af2f4f7e9@mail.gmail.com>
Subject: Re: OPIE Challenge sequence

"Ivan Grover" writes:
> Thank you so much for your responses.
> By "predetermined", I meant the
> challenges appear sequentially in decremented fashion, so are we aware of
> any security hole with this.

There is no way to deduce the next challenge from the current one. This is documented in the opie(4) man page.

Here's the only advisory I could find for OPIE:

http://security.freebsd.org/advisories/FreeBSD-SA-06:12.opie.asc

> I ask this because usually the challenge/response implementations
> consider generating random challenges (I think here they have a
> weakness where the passphrase needs to be in clear text).

OPIE cannot use random challenges, because one of the requirements is that it should be possible to print a list of pre-generated responses.

The advantage of OPIE over traditional passwords is that OPIE is not vulnerable to replay attacks, but this is not as relevant these days as it was back when S/Key (on which OPIE is based) was designed. Replay attacks aren't very effective against encrypted protocols such as SSH.

> My problem is to determine the best challenge/response implementation
> for authenticating the clients.

Systems like OPIE, where the challenge is actually issued to the user and not just to the user's software, require the user to have access to a response calculator, or to carry a sheet of precalculated responses. The former is difficult unless the users always log in from their own desktop or laptop computer, and the latter is usually a bad idea since someone might steal the sheet. On the bright side, it should be fairly easy to write an OTP calculator that runs on a cell phone, such as S60-based Nokia phones or an iPhone.

I'd say that the only advantage of OPIE today is that it's free.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Jul 8 18:50:10 2008
From: Andrew Storms <astorms@ncircle.com>
To: "freebsd-security@freebsd.org"
Date: Tue, 08 Jul 2008 11:34:13 -0700
Subject: BIND update?

Are we going to expect an update for BIND today?
http://www.isc.org/index.pl?/sw/bind/bind-security.php

From owner-freebsd-security@FreeBSD.ORG Tue Jul 8 19:54:02 2008
From: Jason Stone <freebsd-security@dfmm.org>
To: freebsd-security@freebsd.org
Date: Tue, 8 Jul 2008 12:27:20 -0700 (PDT)
In-Reply-To: <8663rg5qvd.fsf@ds4.des.no>
Subject: Re: OPIE Challenge sequence

> On the bright side, it should be fairly easy to write an OTP calculator
> that runs on a cell phone

These already exist for J2ME-enabled mobiles (which is most of them?):

http://tanso.net/j2me-otp/
http://otp-j2me.sourceforge.net/

> Systems like OPIE, where the challenge is actually issued to the user
> and not just to the user's software, require the user to have access
> to a response calculator, or to carry a sheet of precalculated responses.

There exist apps (i.e., browsers, FTP clients, mailers, etc.) that integrate OPIE and can transparently respond to challenges. The user just puts in his password, and he doesn't worry about plaintext or OPIE or whatever; the app just does the right thing. Fetch, an FTP client for the Mac, is one such app.

One could argue that this encourages users to just punch in their password and not understand if it's going to go over the wire in the clear or be used to answer a challenge, but it's very useful when you have users who are incapable of making such a distinction in the first place and you just need to make sure their password is secure for _your_ service.

-Jason

From owner-freebsd-security@FreeBSD.ORG Tue Jul 8 21:22:14 2008
From: Andrew Storms <astorms@ncircle.com>
Cc: "freebsd-security@freebsd.org"
Date: Tue, 08 Jul 2008 14:22:07 -0700
In-Reply-To: <520b058cebc3f1931fc0b1f66f89c0e0.squirrel@galain.elvandar.org>
Subject: Re: BIND update?

I agree, Remko. I meant this more as a timing and planning question than a "the sky is falling!". I was curious to know if/when an update might be available so schedules could be set.

Thanks.

On 7/8/08 2:19 PM, "Remko Lodder" wrote:
>
> On Tue, July 8, 2008 8:34 pm, Andrew Storms wrote:
>> Are we going to expect an update for BIND today?
>>
>> http://www.isc.org/index.pl?/sw/bind/bind-security.php
>>
>> _______________________________________________
>
> Hello,
>
> I think it's important that we do not overstretch things instantly. The
> FreeBSD Security Team is aware of this situation and will investigate how
> to plan and act upon this.
>
> Thanks,
> Remko

From owner-freebsd-security@FreeBSD.ORG Tue Jul 8 21:31:31 2008
From: "Remko Lodder" <remko@elvandar.org>
To: "Andrew Storms"
Cc: "freebsd-security@freebsd.org"
Date: Tue, 8 Jul 2008 23:31:28 +0200 (CEST)
Message-ID: <386291aa73945a1cc3559aab7c0a6bb3.squirrel@galain.elvandar.org>
Subject: Re: BIND update?

On Tue, July 8, 2008 11:22 pm, Andrew Storms wrote:
> I agree, Remko. I meant this more as a timing and planning question
> than a "the sky is falling!". I was curious to know if/when an update might be
> available so schedules could be set.
>
> Thanks.
>

I cannot tell anything yet about a schedule or a plan for updates.
We (Security Team) first need to investigate what actions are required before we can get to this step. I am sure we will try to resolve this as soon as possible (and send out the word, if needed by an advisory).

Thanks,
Remko (hat: Secteam)

-- 
     /"\   Best regards,                      | remko@FreeBSD.org
     \ /   Remko Lodder                       | remko@EFnet
      X    http://www.evilcoder.org/          |
     / \   ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-security@FreeBSD.ORG Tue Jul 8 22:00:03 2008
From: "Remko Lodder" <remko@elvandar.org>
To: "Andrew Storms"
Cc: "freebsd-security@freebsd.org"
Date: Tue, 8 Jul 2008 23:19:31 +0200 (CEST)
Message-ID: <520b058cebc3f1931fc0b1f66f89c0e0.squirrel@galain.elvandar.org>
Subject: Re: BIND update?
On Tue, July 8, 2008 8:34 pm, Andrew Storms wrote:
> Are we going to expect an update for BIND today?
>
> http://www.isc.org/index.pl?/sw/bind/bind-security.php
>
> _______________________________________________

Hello,

I think it's important that we do not overstretch things instantly. The FreeBSD Security Team is aware of this situation and will investigate how to plan and act upon this.

Thanks,
Remko

From owner-freebsd-security@FreeBSD.ORG Tue Jul 8 23:42:55 2008
From: Wesley Shields <wxs@atarininja.org>
To: Remko Lodder
Cc: freebsd-security@freebsd.org, Andrew Storms
Date: Tue, 8 Jul 2008 19:29:46 -0400
Message-ID: <20080708232946.GB74886@atarininja.org>
In-Reply-To: <386291aa73945a1cc3559aab7c0a6bb3.squirrel@galain.elvandar.org>
Subject: Re: BIND update?
On Tue, Jul 08, 2008 at 11:31:28PM +0200, Remko Lodder wrote:
>
> On Tue, July 8, 2008 11:22 pm, Andrew Storms wrote:
> > I agree, Remko. I meant this more as a timing and planning question
> > than a "the sky is falling!". I was curious to know if/when an update might be
> > available so schedules could be set.
> >
> > Thanks.
> >
>
> I cannot tell anything yet about a schedule or a plan for updates. We
> (Security Team) first need to investigate what actions are required before
> we can get to this step. I am sure we will try to resolve this as soon as
> possible (and send out the word, if needed by an advisory).

It's worth noting the measures mentioned in the advisory. Specifically, restrict recursive queries to only hosts you control. That will help cut down your exposure while work goes forward on addressing this however the security team sees fit.
-- 
WXS

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 06:55:43 2008
From: "Ivan Grover" <ivangrvr299@gmail.com>
To: Dag-Erling Smørgrav
Date: Wed, 9 Jul 2008 12:25:40 +0530
Message-ID: <670f29e20807082355j590a23aax6335ee3d6480d96b@mail.gmail.com>
In-Reply-To: <8663rg5qvd.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: OPIE Challenge sequence

On Tue, Jul 8, 2008 at 9:07 PM, Dag-Erling Smørgrav wrote:
> "Ivan Grover" writes:
> > Thank you so much for your responses. By "predetermined", I meant the
> > challenges appear sequentially in decremented fashion, so are we aware of
> > any security hole with this.
>
> There is no way to deduce the next challenge from the current one. This
> is documented in the opie(4) man page.

Just to clarify, I think you are trying to say the next response from the current one, since the challenges are generated something like

otp-md5 60 lo0245 ext, otp-md5 59 lo0245 ext, otp-md5 58 lo0245 ext, ... and so on.

> Here's the only advisory I could find for OPIE:
>
> http://security.freebsd.org/advisories/FreeBSD-SA-06:12.opie.asc
>
> > I ask this because usually the challenge/response implementations
> > consider generating random challenges (I think here they have a
> > weakness where the passphrase needs to be in clear text).
>
> OPIE cannot use random challenges, because one of the requirements is
> that it should be possible to print a list of pre-generated responses.
>
> The advantage of OPIE over traditional passwords is that OPIE is not
> vulnerable to replay attacks, but this is not as relevant these days as
> it was back when S/Key (on which OPIE is based) was designed. Replay
> attacks aren't very effective against encrypted protocols such as SSH.
>
> > My problem is to determine the best challenge/response implementation
> > for authenticating the clients.
>
> Systems like OPIE, where the challenge is actually issued to the user
> and not just to the user's software, require the user to have access to
> a response calculator, or to carry a sheet of precalculated responses.
> The former is difficult unless the users always log in from their own
> desktop or laptop computer, and the latter is usually a bad idea since
> someone might steal the sheet. On the bright side, it should be fairly
> easy to write an OTP calculator that runs on a cell phone, such as
> S60-based Nokia phones or an iPhone.
>
> I'd say that the only advantage of OPIE today is that it's free.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 08:18:38 2008
:content-type:references; b=gA4CQDB+bnZ5ASNWQAwN6J7z9yp2mTwBgKrnctjUdO/roR2WuTwQavNLIW00AdWvxu 6MgkajUvDgA3rH0KRV1iya6WiHWpDkrP+iOp7HXf/uTNM0JgzEvUHgxW0nAU4Pl1Tonb 9m1ZcvhcbYYEeoJu0IQFVnxfmBSrE8o648Dso= Received: by 10.125.15.13 with SMTP id s13mr1773321mki.51.1215591516107; Wed, 09 Jul 2008 01:18:36 -0700 (PDT) Received: by 10.125.110.8 with HTTP; Wed, 9 Jul 2008 01:18:36 -0700 (PDT) Message-ID: <670f29e20807090118x1f7c4f65v74373fb43b8fe799@mail.gmail.com> Date: Wed, 9 Jul 2008 13:48:36 +0530 From: "Ivan Grover" To: "Jason Stone" In-Reply-To: MIME-Version: 1.0 References: <670f29e20807080316s6cf57612jf5135bfd340e3328@mail.gmail.com> <20080708113030.GN62764@server.vk2pj.dyndns.org> <670f29e20807080641wb6f76cctfacfbb2af2f4f7e9@mail.gmail.com> <8663rg5qvd.fsf@ds4.des.no> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org Subject: Re: OPIE Challenge sequence X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 08:18:38 -0000

Thanks all for your valuable response.

Regards,
Ivan

On Wed, Jul 9, 2008 at 12:57 AM, Jason Stone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> On the bright side, it should be fairly easy to write an OTP calculator
>> that runs on a cell phone
>
> These already exist for J2ME-enabled mobiles (which is most of them?):
>
> http://tanso.net/j2me-otp/
> http://otp-j2me.sourceforge.net/
>
>> Systems like OPIE, where the challenge is actually issued to the user
>> and not just to the user's software, require the user to have access to
>> a response calculator, or to carry a sheet of precalculated responses.
>
> There exist apps (i.e., browsers, FTP clients, mailers, etc.) that integrate
> OPIE and can transparently respond to challenges. The user just puts in his
> password, and he doesn't worry about plaintext or OPIE or whatever; the app
> just does the right thing. Fetch, an FTP client for the Mac, is one such
> app.
>
> One could argue that this encourages users to just punch in their password
> and not understand if it's going to go over the wire in the clear or be used
> to answer a challenge, but it's very useful when you have users who are
> incapable of making such a distinction in the first place and you just need to
> make sure their password is secure for _your_ service.
>
> -Jason
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (FreeBSD)
> Comment: See https://private.idealab.com/public/jason/jason.gpg
>
> iD8DBQFIc7+YswXMWWtptckRAoaAAJkBnis9pNHnwuXCc6zjqESrDh8zGwCfTYWC
> 41JZRoD12LhIpG3QK7cfhMU=
> =w11K
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 08:29:18 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A0D2F1065670 for ; Wed, 9 Jul 2008 08:29:18 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.freebsd.org (Postfix) with ESMTP id 599BD8FC26 for ; Wed, 9 Jul 2008 08:29:18 +0000 (UTC) (envelope-from des@des.no) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id 7DC5D2083; Wed, 9 Jul 2008 10:29:16 +0200 (CEST) From: Dag-Erling Smørgrav To: "Ivan Grover" References: <670f29e20807080316s6cf57612jf5135bfd340e3328@mail.gmail.com>
<20080708113030.GN62764@server.vk2pj.dyndns.org> <670f29e20807080641wb6f76cctfacfbb2af2f4f7e9@mail.gmail.com> <8663rg5qvd.fsf@ds4.des.no> <670f29e20807082355j590a23aax6335ee3d6480d96b@mail.gmail.com> Date: Wed, 09 Jul 2008 10:29:16 +0200 In-Reply-To: <670f29e20807082355j590a23aax6335ee3d6480d96b@mail.gmail.com> (Ivan Grover's message of "Wed\, 9 Jul 2008 12\:25\:40 +0530") Message-ID: <86od574g0z.fsf@ds4.des.no> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/23.0.60 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: OPIE Challenge sequence X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 08:29:18 -0000

"Ivan Grover" writes:
> Dag-Erling Smørgrav writes:
> > There is no way to deduce the next challenge from the current one.
> > This is documented in the opie(4) man page.
> Just to clarify, I think you are trying to say the next response from
> the current one, since the challenges are generated something like
> otp-md5 60 lo0245 ext, otp-md5 59 lo0245 ext, otp-md5 58 lo0245
> ext, ... and so on.

Yes.
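The decreasing sequence numbers in the challenge and the "you cannot deduce the next response from the current one" property discussed in this exchange both come from the S/Key hash chain that OPIE implements (RFC 2289). The block below is an added example and is not code from the thread, from OPIE or from FreeBSD: it implements otp-md5 (MD5 of seed plus passphrase, folded to 64 bits, then repeated), the record the server keeps, the challenge string, and the verification step, and then shows that a response captured on the wire only lets an attacker hash forward to a value the server already holds, never backward to the response the next challenge will demand. The seed lo0245 is the one quoted above; the passphrase, the starting sequence number 499 and the bare-hex response format are assumptions made for the example (OPIE also accepts the six-word encoding, which is omitted here).

```python
import hashlib
from dataclasses import dataclass


def fold64(digest16: bytes) -> bytes:
    """RFC 2289 fold: XOR the high 64 bits of an MD5 digest with the low 64 bits."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def hash_step(value: bytes) -> bytes:
    """One computation step of the chain: MD5 the 8-byte value and fold again."""
    return fold64(hashlib.md5(value).digest())


def otp_md5(seed: str, passphrase: str, seq: int) -> bytes:
    """otp-md5 one-time password for sequence number `seq`.

    The initial step hashes the lowercased seed concatenated with the
    passphrase; the result is then pushed through `seq` computation steps.
    Every password is therefore H^seq(initial), and the password for a lower
    sequence number is a preimage of the one for a higher number.
    """
    value = fold64(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(seq):
        value = hash_step(value)
    return value


@dataclass
class OpieRecord:
    """Per-user server state (the shape of an opiekeys entry): seed, the
    sequence number of the last accepted password, and that password."""
    seed: str
    seq: int
    last_otp: bytes


def enroll(seed: str, passphrase: str, seq: int = 499) -> OpieRecord:
    """What opiepasswd stores.  The passphrase never reaches the server, only
    OTP(seq) does, so the opiekeys entry is a hash, not a decryption key."""
    return OpieRecord(seed=seed, seq=seq, last_otp=otp_md5(seed, passphrase, seq))


def challenge(rec: OpieRecord) -> str:
    """What opiechallenge prints: the next sequence number is always the stored
    one minus one, so the challenge itself is predictable by design."""
    return f"otp-md5 {rec.seq - 1} {rec.seed} ext"


def client_response(chal: str, passphrase: str) -> str:
    """Client side (what opiekey does): parse the challenge, recompute the chain
    from the passphrase and return OTP(seq) as hex (assumed bare-hex format)."""
    algo, seq, seed = chal.split()[:3]
    if algo != "otp-md5":
        raise ValueError(f"unsupported algorithm {algo!r}")
    return otp_md5(seed, passphrase, int(seq)).hex()


def verify(rec: OpieRecord, response_hex: str) -> bool:
    """Server side: one more computation step on the response must reproduce the
    stored password.  On success the record moves one step down the chain, so
    the same response is never accepted twice (the replay protection)."""
    try:
        response = bytes.fromhex(response_hex)
    except ValueError:
        return False
    if len(response) != 8 or hash_step(response) != rec.last_otp:
        return False
    rec.seq -= 1
    rec.last_otp = response
    return True


def login_demo(seed: str = "lo0245", passphrase: str = "correct horse battery staple") -> dict:
    """Two logins plus a replay, recording what an eavesdropper could do with
    the first response.  Seed is from the thread; passphrase is assumed."""
    rec = enroll(seed, passphrase)
    chal1 = challenge(rec)
    resp1 = client_response(chal1, passphrase)
    first_ok = verify(rec, resp1)
    replay_ok = verify(rec, resp1)          # same response again: must fail
    chal2 = challenge(rec)
    resp2 = client_response(chal2, passphrase)
    second_ok = verify(rec, resp2)
    # The captured resp1 = OTP(498) hashes forward to OTP(499), which the server
    # already held; producing resp2 = OTP(497) from it would need an MD5 preimage.
    forward = hash_step(bytes.fromhex(resp1)) == otp_md5(seed, passphrase, 499)
    return {
        "challenge1": chal1, "first_ok": first_ok, "replay_ok": replay_ok,
        "challenge2": chal2, "second_ok": second_ok, "forward_matches": forward,
        "seq_after": rec.seq,
    }
```

The point the thread makes is visible in `login_demo()`: the challenge sequence 498, 497, ... is public and predictable, but each response is a preimage of the previous one under MD5-and-fold, so predictability of the challenge costs nothing as long as the passphrase stays on the client. What the chain does not protect against is an active attacker on an unencrypted session, which is why DES notes it matters less once SSH is in use.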
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 10:54:06 2008 Return-Path: Delivered-To: freebsd-security@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D02951065677 for ; Wed, 9 Jul 2008 10:54:06 +0000 (UTC) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (unknown [IPv6:2a01:170:102f::2]) by mx1.freebsd.org (Postfix) with ESMTP id 4B95D8FC1B for ; Wed, 9 Jul 2008 10:54:06 +0000 (UTC) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (localhost [127.0.0.1]) by lurza.secnetix.de (8.14.1/8.14.1) with ESMTP id m69As4vI065392; Wed, 9 Jul 2008 12:54:04 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de) Received: (from olli@localhost) by lurza.secnetix.de (8.14.1/8.14.1/Submit) id m69As4eH065391; Wed, 9 Jul 2008 12:54:04 +0200 (CEST) (envelope-from olli) Date: Wed, 9 Jul 2008 12:54:04 +0200 (CEST) Message-Id: <200807091054.m69As4eH065391@lurza.secnetix.de> From: Oliver Fromme To: freebsd-security@FreeBSD.ORG In-Reply-To: X-Newsgroups: list.freebsd-security User-Agent: tin/1.8.3-20070201 ("Scotasay") (UNIX) (FreeBSD/6.2-STABLE-20070808 (i386)) MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.1.2 (lurza.secnetix.de [127.0.0.1]); Wed, 09 Jul 2008 12:54:05 +0200 (CEST) X-Mailman-Approved-At: Wed, 09 Jul 2008 11:35:59 +0000 Cc: Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 10:54:06 -0000

Andrew Storms wrote:
> http://www.isc.org/index.pl?/sw/bind/bind-security.php

I'm just wondering ...
ISC's patches cause source ports to be randomized, thus
making it more difficult to spoof response packets.

But doesn't FreeBSD already randomize source ports by
default? So, do FreeBSD systems need to be patched
at all?

Best regards
   Oliver

PS:
$ sysctl net.inet.ip.portrange.randomized
net.inet.ip.portrange.randomized: 1
$ sysctl -d net.inet.ip.portrange.randomized
net.inet.ip.portrange.randomized: Enable random port allocation

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

It's trivial to make fun of Microsoft products,
but it takes a real man to make them work,
and a God to make them do anything useful.

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 12:27:08 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EECED1065686 for ; Wed, 9 Jul 2008 12:27:08 +0000 (UTC) (envelope-from kimkof@gmail.com) Received: from yx-out-2324.google.com (yx-out-2324.google.com [74.125.44.28]) by mx1.freebsd.org (Postfix) with ESMTP id B00428FC13 for ; Wed, 9 Jul 2008 12:27:08 +0000 (UTC) (envelope-from kimkof@gmail.com) Received: by yx-out-2324.google.com with SMTP id 8so711699yxb.13 for ; Wed, 09 Jul 2008 05:27:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type:content-transfer-encoding :content-disposition; bh=b2TfaAPemC938GakT4upTqrWYwqEKzKqA8PG2F/9JMc=; b=OIQjVzG2kt1CuEpqmh9PtDCYYlcBmdebKipoH5ackvMKTfVyP3Zs89DpWQqX4q9Og5 nV3OHh7MeQSJIPWGiZ7fHkxyrMa7C2+J3BUHLHmldGIKIOypiBDnbxjv2JWeL3F3BvUy
QDPPJbf7Ku2jt60ENMmEviAj2FRK9wTZEXSxA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition; b=gFnmfJm0lhIoA7ddx2M35URuQZfpT79qdzcyNQ8UzdIWrl1iB6t2U6YSXfnY7XiHeG 3i4upUyFDVFh5BXiljqZSXKNQHn6NZB3YiZ425gzr91XEkYF/GpnL4jwpC05J2kzxoTu G80DM0e82mgRvRgGOTsMehHDvMQRJjvNRCanA= Received: by 10.142.174.18 with SMTP id w18mr2239321wfe.290.1215604948921; Wed, 09 Jul 2008 05:02:28 -0700 (PDT) Received: by 10.142.193.6 with HTTP; Wed, 9 Jul 2008 05:02:28 -0700 (PDT) Message-ID: <61857c840807090502l4fdcfc93gf4f7470eb0a388d9@mail.gmail.com> Date: Wed, 9 Jul 2008 14:02:28 +0200 From: "Thomas Beugin" To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: subscribe X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 12:27:09 -0000

-- 
Regards,
Beugin Thomas

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 12:16:17 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 244851065671 for ; Wed, 9 Jul 2008 12:16:17 +0000 (UTC) (envelope-from jille@hexon.cx) Received: from mulgore.hexon-is.nl (mulgore.hexon-is.nl [82.94.237.14]) by mx1.freebsd.org (Postfix) with ESMTP id A12088FC0C for ; Wed, 9 Jul 2008 12:16:16 +0000 (UTC) (envelope-from jille@hexon.cx) Received: from [10.0.0.72] ([10.15.16.6]) (authenticated bits=0) by mulgore.hexon-is.nl (8.14.1/8.13.8) with ESMTP id m69C0Egu023236; Wed, 9 Jul 2008 14:00:15 +0200 Message-ID: <4874A864.3080909@hexon.cx> Date: Wed, 09 Jul 2008 14:00:36 +0200 From: Jille Timmmermans User-Agent: Thunderbird
2.0.0.14 (Windows/20080421) MIME-Version: 1.0 To: Oliver Fromme References: <200807091054.m69As4eH065391@lurza.secnetix.de> In-Reply-To: <200807091054.m69As4eH065391@lurza.secnetix.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Hexon-MailScanner-Information: Please contact the ISP for more information X-Hexon-MailScanner: Found to be clean X-Hexon-MailScanner-From: jille@hexon.cx X-Mailman-Approved-At: Wed, 09 Jul 2008 12:28:29 +0000 Cc: freebsd-security@freebsd.org Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 12:16:17 -0000

Those sysctls apply to sockets that don't get bind(2), or bind(2) to port 0.
(Wild guess ahead!) BIND probably always binds to the same port, or uses the same socket, etc.

-- Jille

Oliver Fromme wrote:
> Andrew Storms wrote:
> > http://www.isc.org/index.pl?/sw/bind/bind-security.php
>
> I'm just wondering ...
>
> ISC's patches cause source ports to be randomized, thus
> making it more difficult to spoof response packets.
>
> But doesn't FreeBSD already randomize source ports by
> default? So, do FreeBSD systems need to be patched
> at all?
>
> Best regards
>    Oliver
>
> PS:
> $ sysctl net.inet.ip.portrange.randomized
> net.inet.ip.portrange.randomized: 1
> $ sysctl -d net.inet.ip.portrange.randomized
> net.inet.ip.portrange.randomized: Enable random port allocation
>

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 12:38:51 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B76B61065682 for ; Wed, 9 Jul 2008 12:38:51 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18]) by mx1.freebsd.org (Postfix) with ESMTP id 68ABF8FC17 for ; Wed, 9 Jul 2008 12:38:51 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.14.2/8.14.2) with ESMTP id m69C9I45055940; Wed, 9 Jul 2008 08:09:18 -0400 (EDT) (envelope-from mike@sentex.net) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.13.8/8.13.3) with ESMTP id m69C9Gsl030319 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 9 Jul 2008 08:09:17 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <200807091209.m69C9Gsl030319@lava.sentex.ca> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Wed, 09 Jul 2008 08:09:14 -0400 To: Oliver Fromme , freebsd-security@freebsd.org From: Mike Tancsa In-Reply-To: <200807091054.m69As4eH065391@lurza.secnetix.de> References: <200807091054.m69As4eH065391@lurza.secnetix.de> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 2.64 on 64.7.153.18 Cc: Subject: Re: BIND update?
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 12:38:51 -0000

At 06:54 AM 7/9/2008, Oliver Fromme wrote:
>Andrew Storms wrote:
> > http://www.isc.org/index.pl?/sw/bind/bind-security.php
>
>I'm just wondering ...
>
>ISC's patches cause source ports to be randomized, thus
>making it more difficult to spoof response packets.
>
>But doesn't FreeBSD already randomize source ports by
>default? So, do FreeBSD systems need to be patched
>at all?

It doesn't seem to do a very good job of it with bind for some reason... Perhaps because it picks a port and reuses it? Doing the following

% cat s
host 1iatest.yahoo.com
host 1iatest2.yahoo.co.uk
host 1iatest3.yahoo.com
host 1iatest4.yahoo.com
host 1iatest4.yahoo.com

shows the same source port being used

08:05:44.269507 IP 64.7.134.1.51761 > 203.84.197.239.53: 814% [1au] A? 1iatest.yahoo.com. (46)
08:05:44.595674 IP 203.84.197.239.53 > 64.7.134.1.51761: 814 NXDomain*- 0/1/1 (107)
08:05:44.596251 IP 64.7.134.1.51761 > 199.212.134.1.53: 38272% [1au] A? 1iatest.yahoo.com.sentex.ca. (56)
08:05:44.649672 IP 199.212.134.1.53 > 64.7.134.1.51761: 38272 NXDomain* 0/1/1 (116)
08:05:44.654444 IP 64.7.134.1.51761 > 68.142.196.63.53: 20277% [1au] A? 1iatest2.yahoo.co.uk. (49)
08:05:44.743687 IP 68.142.196.63.53 > 64.7.134.1.51761: 20277*- 1/13/1 CNAME[|domain]
08:05:44.749325 IP 64.7.134.1.51761 > 68.142.255.16.53: 32407% [1au] A? 1iatest3.yahoo.com. (47)
08:05:44.825666 IP 68.142.255.16.53 > 64.7.134.1.51761: 32407 NXDomain*- 0/1/1 (108)
08:05:44.826291 IP 64.7.134.1.51761 > 199.212.134.2.53: 59918% [1au] A? 1iatest3.yahoo.com.sentex.ca. (57)
08:05:44.881667 IP 199.212.134.2.53 > 64.7.134.1.51761: 59918 NXDomain* 0/1/1 (117)
08:05:44.886352 IP 64.7.134.1.51761 > 217.12.4.104.53: 56112% [1au] A? 1iatest4.yahoo.com. (47)
08:05:45.021655 IP 217.12.4.104.53 > 64.7.134.1.51761: 56112 NXDomain*- 0/1/1 (108)
08:05:45.022213 IP 64.7.134.1.51761 > 64.7.153.49.53: 14304% [1au] A? 1iatest4.yahoo.com.sentex.ca. (57)
08:05:45.075656 IP 64.7.153.49.53 > 64.7.134.1.51761: 14304 NXDomain* 0/1/1 (117)

and a few min later with new requests,

# tcpdump -ni tun0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
08:08:00.273502 IP 64.7.134.1.51761 > 68.142.255.16.53: 37470% [1au] A? 21iatest.yahoo.com. (47)
08:08:00.350026 IP 68.142.255.16.53 > 64.7.134.1.51761: 37470 NXDomain*- 0/1/1 (108)
08:08:00.350565 IP 64.7.134.1.51761 > 199.212.134.1.53: 31976% [1au] A? 21iatest.yahoo.com.sentex.ca. (57)
08:08:00.406013 IP 199.212.134.1.53 > 64.7.134.1.51761: 31976 NXDomain* 0/1/1 (117)
08:08:00.410993 IP 64.7.134.1.51761 > 68.142.196.63.53: 2704% [1au] A? 21iatest2.yahoo.co.uk. (50)
08:08:00.500032 IP 68.142.196.63.53 > 64.7.134.1.51761: 2704*- 1/13/1 CNAME[|domain]
08:08:00.505356 IP 64.7.134.1.51761 > 68.142.255.16.53: 33992% [1au] A? 21iatest3.yahoo.com. (48)
08:08:00.582006 IP 68.142.255.16.53 > 64.7.134.1.51761: 33992 NXDomain*- 0/1/1 (109)
08:08:00.582565 IP 64.7.134.1.51761 > 199.212.134.2.53: 18776% [1au] A? 21iatest3.yahoo.com.sentex.ca. (58)
08:08:00.638004 IP 199.212.134.2.53 > 64.7.134.1.51761: 18776 NXDomain* 0/1/1 (118)
08:08:00.642684 IP 64.7.134.1.51761 > 68.142.255.16.53: 54964% [1au] A? 21iatest4.yahoo.com. (48)
08:08:00.720000 IP 68.142.255.16.53 > 64.7.134.1.51761: 54964 NXDomain*- 0/1/1 (109)
08:08:00.720529 IP 64.7.134.1.51761 > 64.7.153.49.53: 11657% [1au] A? 21iatest4.yahoo.com.sentex.ca. (58)
08:08:00.773998 IP 64.7.153.49.53 > 64.7.134.1.51761: 11657 NXDomain* 0/1/1 (118)

# sysctl -a net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023

---Mike

>Best regards
>   Oliver
>
>PS:
>$ sysctl net.inet.ip.portrange.randomized
>net.inet.ip.portrange.randomized: 1
>$ sysctl -d net.inet.ip.portrange.randomized
>net.inet.ip.portrange.randomized: Enable random port allocation
>
>-- 
>Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
>Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
>secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
>
>FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd
>
>It's trivial to make fun of Microsoft products,
>but it takes a real man to make them work,
>and a God to make them do anything useful.
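Jille's guess and Mike's capture describe the same mechanism from two sides: net.inet.ip.portrange.randomized only decides which port a socket receives at the moment it is bound to port 0 (explicitly, or implicitly on its first send), so a resolver that keeps one UDP socket open for all of its queries sends every query from that one port (51761 in the capture), and the only unpredictable value left for a blind spoofer to guess per answer is the 16-bit transaction ID. The block below is an added example, not code from the thread, from FreeBSD or from ISC. It parses tcpdump lines of the shape Mike posted (the sample is constructed after his output, with a second, fictional resolver 10.0.0.7 that uses a fresh port per query), flags any resolver that sends repeated queries from a single port, and demonstrates with plain sockets why the sysctl alone cannot help a socket that is reused. The sendto() target 127.0.0.1:5353 is an assumption; nothing needs to listen there for a UDP send to succeed.

```python
import re
import socket
from collections import defaultdict

# Constructed sample in the shape of the tcpdump output quoted above: queries go
# to port 53, answers come back from port 53.  64.7.134.1 reuses one source
# port; 10.0.0.7 (fictional) gets a fresh ephemeral port for every query.
SAMPLE_TCPDUMP = """\
08:05:44.269507 IP 64.7.134.1.51761 > 203.84.197.239.53: 814% [1au] A? 1iatest.yahoo.com. (46)
08:05:44.595674 IP 203.84.197.239.53 > 64.7.134.1.51761: 814 NXDomain*- 0/1/1 (107)
08:05:44.654444 IP 64.7.134.1.51761 > 68.142.196.63.53: 20277% [1au] A? 1iatest2.yahoo.co.uk. (49)
08:05:44.743687 IP 68.142.196.63.53 > 64.7.134.1.51761: 20277*- 1/13/1 CNAME[|domain]
08:05:44.749325 IP 64.7.134.1.51761 > 68.142.255.16.53: 32407% [1au] A? 1iatest3.yahoo.com. (47)
08:08:00.273502 IP 64.7.134.1.51761 > 68.142.255.16.53: 37470% [1au] A? 21iatest.yahoo.com. (47)
08:08:00.410993 IP 64.7.134.1.51761 > 68.142.196.63.53: 2704% [1au] A? 21iatest2.yahoo.co.uk. (50)
08:05:50.000001 IP 10.0.0.7.40112 > 68.142.255.16.53: 4410% [1au] A? example.net. (40)
08:05:50.100001 IP 10.0.0.7.59320 > 68.142.196.63.53: 9921% [1au] A? example.org. (40)
08:05:50.200001 IP 10.0.0.7.33007 > 203.84.197.239.53: 1203% [1au] A? example.com. (40)
"""

# Matches outgoing queries only (destination port 53).  In a reply the
# resolver's own port, not 53, follows the '>' so reply lines never match.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.53: (?P<txid>\d+)"
)


def queries_by_resolver(tcpdump_text: str) -> dict:
    """Map resolver IP -> list of (source port, transaction id), one per query sent."""
    out = defaultdict(list)
    for line in tcpdump_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out[m["src"]].append((int(m["sport"]), int(m["txid"])))
    return dict(out)


def weak_resolvers(tcpdump_text: str, min_queries: int = 3) -> dict:
    """Flag resolvers that sent at least `min_queries` queries from a single port.

    Returns {ip: {"queries": n, "ports": k, "guess_space": 65536 * k}}.  The
    guess space is what a blind spoofer must cover to land one forged answer:
    with a single port only the 16-bit transaction ID is left to guess.
    """
    flagged = {}
    for ip, qs in queries_by_resolver(tcpdump_text).items():
        ports = {p for p, _ in qs}
        if len(qs) >= min_queries and len(ports) == 1:
            flagged[ip] = {"queries": len(qs), "ports": len(ports),
                           "guess_space": 65536 * len(ports)}
    return flagged


def ephemeral_ports(n_fresh: int = 5, sends: int = 4) -> tuple:
    """Return (ports seen while reusing one socket, ports seen with one socket per send).

    The kernel picks the (randomized) port at the first sendto() on an unbound
    UDP socket, which is the bind(2)-to-port-0 case Jille describes; after that
    the port is fixed for the socket's lifetime, so a reused socket behaves
    exactly like the capture.  Target 127.0.0.1:5353 is assumed; UDP sendto()
    succeeds without a listener.
    """
    target = ("127.0.0.1", 5353)
    reused = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for _ in range(sends):
            s.sendto(b"\x00", target)
            reused.add(s.getsockname()[1])
    fresh = set()
    socks = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(n_fresh)]
    try:
        for s in socks:  # all open at once, so the kernel must hand out distinct ports
            s.sendto(b"\x00", target)
            fresh.add(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return reused, fresh


if __name__ == "__main__":
    print(weak_resolvers(SAMPLE_TCPDUMP))
    print(ephemeral_ports())
```

Run against a capture from your own resolver (`tcpdump -ni <if> udp port 53 -l`), `weak_resolvers()` answers Oliver's question directly: if every outgoing query shares one source port, the kernel sysctl is irrelevant to that daemon and the patched BIND (which opens a fresh socket per query, as the second half of `ephemeral_ports()` does) is still needed.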
From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 15:27:45 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 723431065676 for ; Wed, 9 Jul 2008 15:27:45 +0000 (UTC) (envelope-from remko@elvandar.org) Received: from websrv01.jr-hosting.nl (websrv01.jr-hosting.nl [78.47.69.233]) by mx1.freebsd.org (Postfix) with ESMTP id 323AF8FC18 for ; Wed, 9 Jul 2008 15:27:45 +0000 (UTC) (envelope-from remko@elvandar.org) Received: from localhost ([::1] helo=galain.elvandar.org) by websrv01.jr-hosting.nl with esmtpa (Exim 4.69 (FreeBSD)) (envelope-from ) id 1KGba2-000ExX-LZ; Wed, 09 Jul 2008 17:27:42 +0200 Received: from 145.7.91.133 (SquirrelMail authenticated user remko) by galain.elvandar.org with HTTP; Wed, 9 Jul 2008 17:27:42 +0200 (CEST) Message-ID: <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> In-Reply-To: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> Date: Wed, 9 Jul 2008 17:27:42 +0200 (CEST) From: "Remko Lodder" To: "Josh Mason" User-Agent: SquirrelMail/1.4.15 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Cc: freebsd-security@freebsd.org, astorms@ncircle.com Subject: Re: BIND update?
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: remko@elvandar.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 15:27:45 -0000

On Wed, July 9, 2008 5:19 pm, Josh Mason wrote:
> Remko Lodder wrote:
>> On Tue, July 8, 2008 8:34 pm, Andrew Storms wrote:
>>> Are we going to expect an update for BIND today?
>>>
>>> http://www.isc.org/index.pl?/sw/bind/bind-security.php
>>>
>>> _______________________________________________
>>
>> Hello,
>>
>> I think it's important that we do not overstretch things instantly. The
>> FreeBSD Security Team is aware of this situation and will investigate
>> how to plan and act upon this.
>>
>> Thanks,
>> Remko
>>

Hello Josh,

> Right, let's not act swiftly. That would be too much to ask. Is there any
> reason why FreeBSD is one of the last vendors to release patches for the
> vulnerability?

Thanks for taking the time to reply to the thread. Sadly the tone you are
using makes me feel a bit sad. There is a deeper reply in the reply you
sent, and I do not like it. We as the Security Team do our best to act as
soon as possible on things. Items like these tend to take up a lot of time
and resources; we need to test things properly, make sure all the bits and
bytes are OK, so that we don't make people grumpy about things we overlook.
I am sure you can understand that and leave away the attitude.

> I apologize, perhaps I should simply do it myself as has been the common
> response as of late, or perhaps install from source retrieved from
> isc.org should be the expected answer?

If you want to do that, no one will be stopping you. We as the security
team will be working as hard as possible to try and understand the problem,
wrap up the correct response and make sure it gets fixed where needed;
these things just take time.
> Most other vendors seem to have taken this seriously, yet FreeBSD seems to
> be sitting on their hands for some unknown reason while its users remain
> vulnerable.

We also take this seriously; I think you are short-visioned by telling
something like this. There is a mitigation strategy for the BIND issue as
already reported on the list. Given your response you must be clever
enough to find it.

> Thanks for all the hard work,

Thanks for the deeper attitude and the email. I hope you can understand
that we are a volunteer organisation which does not have paid people
working on items 24/7 which other vendors might have. If you want to have
that, I am sure we can get some people so far for getting paid for their
normal wages so that we can do that as well. Till that time you should
understand volunteer organisations better, or come up with a better
proposal; you simply don't know how much is involved here.

> Your incredibly loyal follower

Sarcastic.

-- 
/"\   Best regards,                        | remko@FreeBSD.org
\ /   Remko Lodder                         | remko@EFnet
 X    http://www.evilcoder.org/            |
/ \   ASCII Ribbon Campaign                | Against HTML Mail and News

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 15:33:09 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BFD2A106567B for ; Wed, 9 Jul 2008 15:33:09 +0000 (UTC) (envelope-from wtf.matters@gmail.com) Received: from qb-out-0506.google.com (qb-out-0506.google.com [72.14.204.238]) by mx1.freebsd.org (Postfix) with ESMTP id 7927C8FC19 for ; Wed, 9 Jul 2008 15:33:09 +0000 (UTC) (envelope-from wtf.matters@gmail.com) Received: by qb-out-0506.google.com with SMTP id f30so6777057qba.7 for ; Wed, 09 Jul 2008 08:33:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:mime-version:content-type;
bh=YXUdTaF3KSC/djGyGVQb1LAbB6GcS+xQnm8BvU2PbXc=; b=kAytEtM4ww4FkjHNMmMhU+JGH4MZ0heawFv8pzdiSfsEfhEsRQm523nw4zC8Mu+8zy FqgX2+t5mNUdZbZnaSVFpCPTsLeTNOhXu3IFnBp15JHZ+kdbr0vVYm4lVKT0MwYw3Iq ZRR0oIJVgqa1PYlMFz7o6rghqmu2F10poi8jQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:mime-version:content-type; b=toZQDAPOevIrH42/JtzWvpktvB+x1ifCZfnASeI+BevpJmClhXfTfjEcqYUa6/Ug7G P4JEtfRXVxb35Kw9bjkBgIWcdpfOH7pjTiCfjO47ziPaZB4nMS3nUythRvJrmNeeWu3B LRK/yg9oQKh4rkYaDpKHNqV+6Qtp3OfW1VnD8= Received: by 10.141.212.5 with SMTP id o5mr4048000rvq.20.1215616777665; Wed, 09 Jul 2008 08:19:37 -0700 (PDT) Received: by 10.141.153.20 with HTTP; Wed, 9 Jul 2008 08:19:37 -0700 (PDT) Message-ID: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> Date: Wed, 9 Jul 2008 11:19:37 -0400 From: "Josh Mason" To: remko@elvandar.org, freebsd-security@freebsd.org MIME-Version: 1.0 X-Mailman-Approved-At: Wed, 09 Jul 2008 15:48:45 +0000 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: astorms@ncircle.com Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 15:33:09 -0000

Remko Lodder wrote:
> On Tue, July 8, 2008 8:34 pm, Andrew Storms wrote:
>> Are we going to expect an update for BIND today?
>>
>> http://www.isc.org/index.pl?/sw/bind/bind-security.php
>>
>> _______________________________________________
>
> Hello,
>
> I think it's important that we do not overstretch things instantly. The
> FreeBSD Security Team is aware of this situation and will investigate how
> to plan and act upon this.
>
> Thanks,
> Remko
>

Right, let's not act swiftly. That would be too much to ask.
Is there any reason why FreeBSD is one of the last vendors to release patches for the vulnerability?

I apologize, perhaps I should simply do it myself as has been the common response as of late, or perhaps install from source retrieved from isc.org should be the expected answer?

Most other vendors seem to have taken this seriously, yet FreeBSD seems to be sitting on their hands for some unknown reason while its users remain vulnerable.

Thanks for all the hard work,

Your incredibly loyal follower

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 16:09:58 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 97313106567E for ; Wed, 9 Jul 2008 16:09:58 +0000 (UTC) (envelope-from wtf.matters@gmail.com) Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.234]) by mx1.freebsd.org (Postfix) with ESMTP id 6947F8FC1C for ; Wed, 9 Jul 2008 16:09:58 +0000 (UTC) (envelope-from wtf.matters@gmail.com) Received: by rv-out-0506.google.com with SMTP id b25so3776079rvf.43 for ; Wed, 09 Jul 2008 09:09:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=SXXaOHd/YJlNX7XOZrwBbCLK/grYCbtTwJ5fZ/RfH/M=; b=d4P76/sY3yRAvneKZU9AXdXogCnZqQJr07PMzAwlkqe8x0eL6TblDtbhxsr7trhHVT U/cpow5a7OB0+vqf9hz808YmGR5cMUfn/EOTKO5HAxzL4rr8z7KiKgdTBQPFFGfzY6n/ Fn5LXx8begQWq3eqWZD9fviFDEdKGhg7I3Kqk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=fzoRwdrvxQxz1zFGH7iwA2La4++qmOGMR3T8108vYBhfp3s28UpKHfcC1hKtrNHHQj ba13vHNTamiiad9WoIQGWKQoo6UdA5E7bMmiUoK8mLZ5dyoiaTHD2sOo7i/zblSvv9wa
Iqvb2co1wN87D6245IlpSpJl5/f6JTt6m5ZeE= Received: by 10.141.198.9 with SMTP id a9mr4093910rvq.108.1215619797860; Wed, 09 Jul 2008 09:09:57 -0700 (PDT) Received: by 10.141.153.20 with HTTP; Wed, 9 Jul 2008 09:09:57 -0700 (PDT) Message-ID: <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> Date: Wed, 9 Jul 2008 12:09:57 -0400 From: "Josh Mason" To: remko@elvandar.org In-Reply-To: <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> X-Mailman-Approved-At: Wed, 09 Jul 2008 16:15:20 +0000 Cc: freebsd-security@freebsd.org, astorms@ncircle.com Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 16:09:58 -0000

On 7/9/08, Remko Lodder wrote:
>
> something like this. There is a mitigation strategy for the BIND issue as
> already reported on the list. Given your response you must be clever
> enough to find it.

Yes, because turning off my name servers is really a solution. This service is already filtered but nothing prevents the thousands of "authorized" hosts from exploiting this vulnerability. I'm sure this is true for many other users providing similar services.

>
> > Thanks for all the hard work,
>
> Thanks for the deeper attitude and the email. I hope you can understand
> that we are a volunteer organisation which does not have paid people
> working on items 24/7 which other vendors might have. If you want to have
> that, I am sure we can get some people so far for getting paid for their
> normal wages so that we can do that as well.
> Till that time you should
> understand volunteer organisations better, or come up with a better
> proposal; you simply don't know how much is involved here.

So when all else fails, claim that we should expect nothing more from volunteers. Message received and understood. We all know how the rest of the open source operating system community has legions of paid developers. Poor FreeBSD.

>
> > Your incredibly loyal follower
>
> Sarcastic.

Only in recent months could that be taken sarcastically. You can thank the new direction of the project for that.

Josh

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 16:12:59 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BDAC5106567E for ; Wed, 9 Jul 2008 16:12:59 +0000 (UTC) (envelope-from peter.thoenen@yahoo.com) Received: from smtp107.prem.mail.ac4.yahoo.com (smtp107.prem.mail.ac4.yahoo.com [76.13.13.46]) by mx1.freebsd.org (Postfix) with SMTP id 4F5058FC1A for ; Wed, 9 Jul 2008 16:12:58 +0000 (UTC) (envelope-from peter.thoenen@yahoo.com) Received: (qmail 34093 invoked from network); 9 Jul 2008 15:46:18 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:X-YMail-OSG:X-Yahoo-Newman-Property:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=JSZf/V0QvktxpCPsp7gDcqHFj6KKlB2m1oop3dqlUUMUIyKYQ83y0qpZRC1XSYpnnekP+VYQyH6kv1MHtGRXcnDbEWBrXU58WcKVPhpUrWcUR2kKIlxWq7HQS/16+J5BBHN69vukGorYtqnP6UpGJGk6gxP+r4gpDaW78C67W+M= ; Received: from unknown (HELO ?76.243.186.14?)
(eol1@76.243.186.14 with plain) by smtp107.prem.mail.ac4.yahoo.com with SMTP; 9 Jul 2008 15:46:17 -0000 X-YMail-OSG: YhIdRuIVM1mclWBdcaPJ3UR3iiw3sJC62v25UNpVpuFsCAIwOVh7W3mSlImzUb_cxL2F.ovATI2.lFUC4QPrIGGxo6HDy0o30nWG X-Yahoo-Newman-Property: ymail-3 Message-ID: <4874DD4B.5020608@yahoo.com> Date: Wed, 09 Jul 2008 11:46:19 -0400 From: Peter Thoenen User-Agent: Thunderbird 2.0.0.14 (Windows/20080421) MIME-Version: 1.0 To: remko@elvandar.org References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> In-Reply-To: <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Wed, 09 Jul 2008 16:15:50 +0000 Cc: freebsd-security@freebsd.org, astorms@ncircle.com, Josh Mason Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 16:12:59 -0000 >> Right, lets not act swiftly. That would be too much to ask. Is there any >> reason why FreeBSD is one of the last vendors to release patches for the >> vulnerability? Actually IIRC all the press releases from the *alliance* stated 30 days and as this is a fundamental flaw that has known for the past 6 months and doesn't provide any sort of elevated privileges (or effect those smart enough to run DNSSEC like you should be IIRC) its really not a CRITICAL patch .. its more of a when you get around to it seriously. Let the Security Team do their job and quit pestering them on your now now now next day patch wants for a trivial issue. 
From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 16:26:30 2008
Message-ID: <17cd1fbe0807090926g21ef35e7l10e4a6e38ad3d10@mail.gmail.com>
Date: Wed, 9 Jul 2008 12:26:29 -0400
From: "Josh Mason"
To: "Peter Thoenen"
Cc: freebsd-security@freebsd.org, remko@elvandar.org, astorms@ncircle.com
In-Reply-To: <4874DD4B.5020608@yahoo.com>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <4874DD4B.5020608@yahoo.com>
Subject: Re: BIND update?

On 7/9/08, Peter Thoenen wrote:
> > > Right, let's not act swiftly. That would be too much to ask. Is there any reason why FreeBSD is one of the last vendors to release patches for the vulnerability?
>
> Actually, IIRC, all the press releases from the *alliance* stated 30 days, and as this is a fundamental flaw that has been known for the past 6 months and doesn't provide any sort of elevated privileges (or affect those smart enough to run DNSSEC, like you should be, IIRC), it's really not a CRITICAL patch. It's more of a "when you get around to it", seriously. Let the Security Team do their job and quit pestering them about your now-now-now, next-day patch wants for a trivial issue.

Somehow this totally unimportant vulnerability caught the attention of all major vendors to issue a synchronized release of the fix. Yet it's not worth our time to implement expeditiously...? Sure.

I agree, I should definitely enable DNSSEC. If for nothing other than the fact that it was vulnerable ~6 months ago, let me give myself yet another thing to wait for a fix on. Hurm... turn off DNSSEC while you wait for a patch... turn on DNSSEC while you wait for a patch.

And lastly, you're absolutely correct. My servers won't be compromised directly by this bug, so I shouldn't care when I implement the fix.

Thanks for your input.

Josh

P.S.
It almost seemed as though you were saying that because something has been known for months but the fix was just released, there's little importance in implementing it swiftly. I like your logic; or did I misunderstand you somehow?

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 16:52:47 2008
Message-ID: <4874ECDA.60202@elvandar.org>
Date: Wed, 09 Jul 2008 18:52:42 +0200
From: Remko Lodder
To: Josh Mason
Cc: freebsd-security@freebsd.org, astorms@ncircle.com
In-Reply-To: <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com>
Subject: Re: BIND update?

Josh Mason wrote:

Thanks, you really showed how you are by sending these replies. I wish you good luck with your quest; perhaps someday someone can help you.

Goodbye.

--
/"\  Best regards,             | remko@FreeBSD.org
\ /  Remko Lodder              | remko@EFnet
 X   http://www.evilcoder.org/ |
/ \  ASCII Ribbon Campaign     | Against HTML Mail and News

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 16:59:29 2008
Message-ID: <10E6A49CB7E7499589E03D92390A8129@multiplay.co.uk>
Date: Wed, 9 Jul 2008 17:42:17 +0100
From: "Steven Hartland"
To: "Josh Mason", "Peter Thoenen"
Cc: freebsd-security@freebsd.org, remko@elvandar.org, astorms@ncircle.com
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <4874DD4B.5020608@yahoo.com> <17cd1fbe0807090926g21ef35e7l10e4a6e38ad3d10@mail.gmail.com>
Subject: Re: BIND update?

----- Original Message -----
From: "Josh Mason"
> P.S. It almost seemed as though you were saying that because something has been known for months but the fix was just released, there's little importance in implementing it swiftly. I like your logic; or did I misunderstand you somehow?

Can we stop the sniping and just let the sec team do their job without the snide comments. If you want a fix urgently you have options; if not, just sit tight and wait for the announcement.

Regards

Steve

================================================
This e.mail is private and confidential between Multiplay (UK) Ltd. and the person or entity to whom it is addressed. In the event of misdirection, the recipient is prohibited from using, copying, printing or otherwise disseminating it or any information contained in it.
In the event of misdirection, illegible or incomplete transmission please telephone +44 845 868 1337 or return the E.mail to postmaster@multiplay.co.uk.

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 17:18:55 2008
Message-Id: <1215622380.35536.71.camel@localhost>
Date: Wed, 09 Jul 2008 17:53:00 +0100
From: Tom Evans
To: Josh Mason
Cc: freebsd-security@freebsd.org
In-Reply-To: <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com>
Subject: Re: BIND update?

On Wed, 2008-07-09 at 12:09 -0400, Josh Mason wrote:
> So when all else fails, claim that we should expect nothing more from volunteers. Message received and understood.
>
> We all know how the rest of the open-source operating system community has legions of paid developers. Poor FreeBSD.

Are you ignoring the large number of full-time developers employed by Red Hat and their ilk? This means they are a company delivering a product, supported by full-time developers, who are paid out of support contracts. This is why Red Hat is described as a 'vendor'; they sell you stuff.

FreeBSD is a volunteer project. This means that there is no-one at all who is paid by FreeBSD to write code for FreeBSD. If this doesn't fit your needs, perhaps you need to re-evaluate your choices.

My 2 cents..

Tom Evans

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 17:41:15 2008
Message-ID: <20080709174341.GF92109@atarininja.org>
Date: Wed, 9 Jul 2008 13:43:41 -0400
From: Wesley Shields
To: Josh Mason
Cc: freebsd-security@freebsd.org
In-Reply-To: <17cd1fbe0807090926g21ef35e7l10e4a6e38ad3d10@mail.gmail.com>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <4874DD4B.5020608@yahoo.com> <17cd1fbe0807090926g21ef35e7l10e4a6e38ad3d10@mail.gmail.com>
Subject: Re: BIND update?
On Wed, Jul 09, 2008 at 12:26:29PM -0400, Josh Mason wrote:
> On 7/9/08, Peter Thoenen wrote:
> > > > Right, let's not act swiftly. That would be too much to ask. Is there any reason why FreeBSD is one of the last vendors to release patches for the vulnerability?
> >
> > Actually, IIRC, all the press releases from the *alliance* stated 30 days, and as this is a fundamental flaw that has been known for the past 6 months and doesn't provide any sort of elevated privileges (or affect those smart enough to run DNSSEC, like you should be, IIRC), it's really not a CRITICAL patch. It's more of a "when you get around to it", seriously. Let the Security Team do their job and quit pestering them about your now-now-now, next-day patch wants for a trivial issue.
>
> Somehow this totally unimportant vulnerability caught the attention of all major vendors to issue a synchronized release of the fix. Yet it's not worth our time to implement expeditiously...? Sure.

Given the tone of your words, it seems you are fixated on getting people to work _against_ you rather than _with_ you on this issue.

I'd like to point out the list of vendors/projects (as someone has pointed out the difference between the two later in this thread) is available at http://www.kb.cert.org/vuls/id/800113.

Total entries on that list: 81
Total entries marked as "unknown": 70

That means 11 out of 81 entries were able to determine the status of their product/code before the advisory went public. Here's that list; please note I trimmed the vulnerable/not vulnerable status:

Cisco Systems, Inc.
Debian GNU/Linux
Foundry Networks, Inc.
Infoblox
Internet Software Consortium
Juniper Networks, Inc.
Microsoft Corporation
Nominum
PowerDNS
Red Hat, Inc.
Sun Microsystems, Inc.

With the (possible?) exception of Debian, every one of the 11 listed there has people who are paid to do these things. I think people have jumped on you enough about that fact, so I'll leave it alone.

What's more important is that we not panic, especially since _public_ details are very sparse. There are mitigations that are mentioned in that report, along with elsewhere. Putting these mitigations in place, if necessary, is your best option while those entrusted to do the work are doing said work to make sure we have a co-ordinated and accurate response.

Please, find a way to contribute in a meaningful manner, since the tone of your statements is only serving to harm your cause.

-- WXS

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 17:27:07 2008
Message-ID: <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com>
Date: Wed, 9 Jul 2008 13:27:06 -0400
From: "Josh Mason"
To: "Remko Lodder"
Cc: freebsd-security@freebsd.org, astorms@ncircle.com
In-Reply-To: <4874F149.1040101@FreeBSD.org>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org>
Subject: Re: BIND update?

On 7/9/08, Remko Lodder wrote:
> Remko Lodder wrote:
> > Josh Mason wrote:
> >
> > Thanks, you really showed how you are by sending these replies. I wish you good luck with your quest; perhaps someday someone can help you.
> >
> > Goodbye.
>
> Hi,
>
> I am sorry for this reply, it was an expression of my frustration towards you. The frustration is just easily generated by people demanding support from volunteers, that are trying to service you and others in their own spare time. Time that they can also spend on different items, yet we crazy people decide to work on a Free Operating System, getting nothing paid for it, only happy users (where possible) around us.
>
> I think you can understand my frustration, because I think you would reply the same if someone demanded even more free time from you.
>
> I hope you can understand this.
>
> //Remko

I completely understand and took no offence from your previous email; I know I am being confrontational. I myself have been in that position many a time before and know exactly how it feels. Unfortunately that doesn't negate the responsibility of the security team to produce patches quickly.

The initial response of "the sec team is aware of the situation and will investigate" was basically just fluff. If you weren't already aware of it, you aren't much of a sec team. What is needed is an expected delivery. I would say considering the nature of the exploit, but honestly that shouldn't change anything at all. If the delivery isn't going to be immediate, there should always be an ETA provided. If for nothing else other than so your users can plan around it (i.e. "this is too long, I need to take action myself" or "X time or date is sufficient, I'll wait for the official release and apply it then"). Without that, people are twiddling their thumbs wondering if there is ever going to be one.
Josh

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 17:30:02 2008
Message-ID: <4874F149.1040101@FreeBSD.org>
Date: Wed, 09 Jul 2008 19:11:37 +0200
From: Remko Lodder
To: Josh Mason
Cc: freebsd-security@freebsd.org, astorms@ncircle.com
In-Reply-To: <4874ECDA.60202@elvandar.org>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org>
Subject: Re: BIND update?

Remko Lodder wrote:
> Josh Mason wrote:
>
> Thanks, you really showed how you are by sending these replies. I wish you good luck with your quest; perhaps someday someone can help you.
>
> Goodbye.

Hi,

I am sorry for this reply, it was an expression of my frustration towards you. The frustration is just easily generated by people demanding support from volunteers, that are trying to service you and others in their own spare time. Time that they can also spend on different items, yet we crazy people decide to work on a Free Operating System, getting nothing paid for it, only happy users (where possible) around us.

I think you can understand my frustration, because I think you would reply the same if someone demanded even more free time from you.

I hope you can understand this.

//Remko

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:12:49 2008
Message-ID: <20080709181515.GG92109@atarininja.org>
Date: Wed, 9 Jul 2008 14:15:15 -0400
From: Wesley Shields
To: Josh Mason
Cc: freebsd-security@freebsd.org, Remko Lodder
In-Reply-To: <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com>
Subject: Re: BIND update?
On Wed, Jul 09, 2008 at 01:27:06PM -0400, Josh Mason wrote:
> On 7/9/08, Remko Lodder wrote:
> > Remko Lodder wrote:
> > > Josh Mason wrote:
> > >
> > > Thanks, you really showed how you are by sending these replies. I wish you good luck with your quest; perhaps someday someone can help you.
> > >
> > > Goodbye.
> >
> > Hi,
> >
> > I am sorry for this reply, it was an expression of my frustration towards you. The frustration is just easily generated by people demanding support from volunteers, that are trying to service you and others in their own spare time. Time that they can also spend on different items, yet we crazy people decide to work on a Free Operating System, getting nothing paid for it, only happy users (where possible) around us.
> >
> > I think you can understand my frustration, because I think you would reply the same if someone demanded even more free time from you.
> >
> > I hope you can understand this.
> >
> > //Remko
>
> I completely understand and took no offence from your previous email; I know I am being confrontational. I myself have been in that position many a time before and know exactly how it feels. Unfortunately that doesn't negate the responsibility of the security team to produce patches quickly.
>
> The initial response of "the sec team is aware of the situation and will investigate" was basically just fluff. If you weren't already aware of it, you aren't much of a sec team. What is needed is an expected delivery. I would say considering the nature of the exploit, but honestly that shouldn't change anything at all. If the delivery isn't going to be immediate, there should always be an ETA provided. If for nothing else other than so your users can plan around it (i.e. "this is too long, I need to take action myself" or "X time or date is sufficient, I'll wait for the official release and apply it then"). Without that, people are twiddling their thumbs wondering if there is ever going to be one.

You have a good point there. I'm not aware of any page which describes the current issues under investigation by the security team. If such a thing does not exist, I think it would be a good thing to have, especially if it details rough timelines for things. By that I mean recording historic information and expected information (we received notification on this date, we expect to have a final advisory on this date).

In the security world there is a balance which must be maintained between providing information to consumers so that they may plan accordingly, and not providing too much information so that the attackers can write exploits; this is the sensitive nature of the information which often leads to opaque processes by security teams around the world. There is the case where full details are released without advance notice to the vendors/projects, in which case the balance has been lost from the start.

Remko, do you - or anyone else - on the security team have any thoughts on this? I'd be willing to step up and keep a wiki page (or something else) up to date with the information.
-- WXS From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:17:16 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2BEAE1065676 for ; Wed, 9 Jul 2008 18:17:16 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from websrv01.jr-hosting.nl (websrv01.jr-hosting.nl [78.47.69.233]) by mx1.freebsd.org (Postfix) with ESMTP id DA0B78FC12 for ; Wed, 9 Jul 2008 18:17:15 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from [195.64.94.120] (helo=axantucar.local) by websrv01.jr-hosting.nl with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1KGeE6-000OC6-PE; Wed, 09 Jul 2008 20:17:14 +0200 Message-ID: <487500A6.2030001@FreeBSD.org> Date: Wed, 09 Jul 2008 20:17:10 +0200 From: Remko Lodder User-Agent: Thunderbird 2.0.0.14 (Macintosh/20080421) MIME-Version: 1.0 To: Wesley Shields References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709181515.GG92109@atarininja.org> In-Reply-To: <20080709181515.GG92109@atarininja.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Wed, 09 Jul 2008 18:20:16 +0000 Cc: freebsd-security@freebsd.org, Josh Mason Subject: Re: BIND update? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 18:17:16 -0000 Wesley Shields wrote: > On Wed, Jul 09, 2008 at 01:27:06PM -0400, Josh Mason wrote: >> On 7/9/08, Remko Lodder wrote: >>> Remko Lodder wrote: >>>> Josh Mason wrote: >>>> >>>> Thanks, you really showed how you are by sending these replies. I wish you >>> good luck with your quest, perhaps someday someone can help you. >>>> Goodbye. >>>> >>>> >>> Hi, >>> >>> I am sorry for this reply, it was an expression of my frustration towards >>> you. The frustration is just easily generated by people demanding support >>> from volunteers, that are trying to service you and others in their own >>> spare time. Time that they can also spend on different items, yet we >>> crazy people decide to work on a Free Operating System, getting nothing >>> paid for it, only happy users (Where possible) around us. >>> >>> I think you can understand my frustration, because I think you would reply >>> the same if someone demanded even more free time from you. >>> >>> I hope you can understand this. >>> >>> //Remko >>> >> I completely understand and took no offence from your previous email - >> I know I am being confrontational. I myself have been in that position >> many a time before and know exactly how it feels. Unfortunately that >> doesn't negate the responsibility of the security team to produce >> patches quickly. >> >> The initial response of "the sec team is aware of the situation and >> will investigate" was basically just fluff. If you weren't already >> aware of it you aren't much of a sec team. What is needed is an >> expected delivery. I would say considering the nature of the exploit >> but honestly that shouldn't change anything at all. If the delivery >> isn't going to be immediate there should always be an ETA provided.
If >> for nothing else other than so your users can plan around it (i.e. >> "this is too long I need to take action myself" - "or X time or date >> is sufficient I'll wait for the official release and apply it then"). >> Without that people are twiddling their thumbs wondering if there is >> ever going to be one. > > You have a good point there. I'm not aware of any page which describes > the current issues under investigation by the security team. If such a > thing does not exist I think it would be a good thing to have, > especially if it details rough timelines for things. By that I mean > recording historic information and expected information (we received > notification on this date, we expect to have a final advisory on this > date). > > In the security world there is a balance which must be maintained > between providing information to consumers so that they may plan > accordingly, and not providing too much information so that the > attackers can write exploits; this is the sensitive nature of the > information which often leads to opaque processes by security teams > around the world. There is the case where full details are released > without advance notice to the vendors/projects, in which case the > balance has been lost from the start. > > Remko, do you - or anyone else - on the security team have any thoughts > on this? I'd be willing to step up and keep a wiki page (or something > else) up to date with the information. > > -- WXS There will be no such page with information about pending items. Sometimes we are bound to non-disclosures etc. We handle this internally and will continue to do so. If people cannot live with that (like Josh) then that's their challenge. Note I speak largely for myself in this case. I am not going to support a wiki page or something. I do not know what the other secteam members think about that, but I expect something like my opinion. 
//Remko -- /"\ Best regards, | remko@FreeBSD.org \ / Remko Lodder | remko@EFnet X http://www.evilcoder.org/ | / \ ASCII Ribbon Campaign | Against HTML Mail and News From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:28:25 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A91D6106566C; Wed, 9 Jul 2008 18:28:25 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: from syn.atarininja.org (syn.csh.rit.edu [129.21.60.158]) by mx1.freebsd.org (Postfix) with ESMTP id 607D38FC1A; Wed, 9 Jul 2008 18:28:25 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: by syn.atarininja.org (Postfix, from userid 1001) id 534735C6A; Wed, 9 Jul 2008 14:30:51 -0400 (EDT) Date: Wed, 9 Jul 2008 14:30:51 -0400 From: Wesley Shields To: Remko Lodder Message-ID: <20080709183051.GH92109@atarininja.org> References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709181515.GG92109@atarininja.org> <487500A6.2030001@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <487500A6.2030001@FreeBSD.org> User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd-security@freebsd.org, Josh Mason Subject: Re: BIND update? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 18:28:25 -0000 On Wed, Jul 09, 2008 at 08:17:10PM +0200, Remko Lodder wrote: > Wesley Shields wrote: > > On Wed, Jul 09, 2008 at 01:27:06PM -0400, Josh Mason wrote: > >> On 7/9/08, Remko Lodder wrote: > >>> Remko Lodder wrote: > >>>> Josh Mason wrote: > >>>> > >>>> Thanks, you really showed how you are by sending these replies. I wish you > >>> good luck with your quest, perhaps someday someone can help you. > >>>> Goodbye. > >>>> > >>>> > >>> Hi, > >>> > >>> I am sorry for this reply, it was an expression of my frustration towards > >>> you. The frustration is just easily generated by people demanding support > >>> from volunteers, that are trying to service you and others in their own > >>> spare time. Time that they can also spend on different items, yet we > >>> crazy people decide to work on a Free Operating System, getting nothing > >>> paid for it, only happy users (Where possible) around us. > >>> > >>> I think you can understand my frustration, because I think you would reply > >>> the same if someone demanded even more free time from you. > >>> > >>> I hope you can understand this. > >>> > >>> //Remko > >>> > >> I completely understand and took no offence from your previous email - > >> I know I am being confrontational. I myself have been in that position > >> many a time before and know exactly how it feels. Unfortunately that > >> doesn't negate the responsibility of the security team to produce > >> patches quickly. > >> > >> The initial response of "the sec team is aware of the situation and > >> will investigate" was basically just fluff. If you weren't already > >> aware of it you aren't much of a sec team. What is needed is an > >> expected delivery.
I would say considering the nature of the exploit > >> but honestly that shouldn't change anything at all. If the delivery > >> isn't going to be immediate there should always be an ETA provided. If > >> for nothing else other than so your users can plan around it (i.e. > >> "this is too long I need to take action myself" - "or X time or date > >> is sufficient I'll wait for the official release and apply it then"). > >> Without that people are twiddling their thumbs wondering if there is > >> ever going to be one. > > > > You have a good point there. I'm not aware of any page which describes > > the current issues under investigation by the security team. If such a > > thing does not exist I think it would be a good thing to have, > > especially if it details rough timelines for things. By that I mean > > recording historic information and expected information (we received > > notification on this date, we expect to have a final advisory on this > > date). > > > > In the security world there is a balance which must be maintained > > between providing information to consumers so that they may plan > > accordingly, and not providing too much information so that the > > attackers can write exploits; this is the sensitive nature of the > > information which often leads to opaque processes by security teams > > around the world. There is the case where full details are released > > without advance notice to the vendors/projects, in which case the > > balance has been lost from the start. > > > > Remko, do you - or anyone else - on the security team have any thoughts > > on this? I'd be willing to step up and keep a wiki page (or something > > else) up to date with the information. > > > > -- WXS > > There will be no such page with information about pending items. > Sometimes we are bound to non-disclosures etc. We handle this internally > and will continue to do so. If people cannot live with that (like Josh) > then that's their challenge. 
> > Note I speak largely for myself in this case. I am not going to support > a wiki page or something. I do not know what the other secteam members > think about that, but I expect something like my opinion. That's certainly a fair statement. I understand the non-disclosure aspect of the situation, but I also feel a more transparent process wherever possible is a good idea. I suspect more thought on the matter is necessary. -- WXS From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:29:08 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2879E1065673 for ; Wed, 9 Jul 2008 18:29:08 +0000 (UTC) (envelope-from booloo@ucsc.edu) Received: from root.ucsc.edu (root.ucsc.edu [128.114.2.68]) by mx1.freebsd.org (Postfix) with ESMTP id E8A628FC1E for ; Wed, 9 Jul 2008 18:29:07 +0000 (UTC) (envelope-from booloo@ucsc.edu) Received: from root.ucsc.edu (localhost [127.0.0.1]) by root.ucsc.edu (8.13.8/8.13.8) with ESMTP id m69IT6Cx067990 for ; Wed, 9 Jul 2008 11:29:06 -0700 (PDT) (envelope-from booloo@root.ucsc.edu) Received: (from booloo@localhost) by root.ucsc.edu (8.13.8/8.13.8/Submit) id m69IT6o6067989 for freebsd-security@freebsd.org; Wed, 9 Jul 2008 11:29:06 -0700 (PDT) (envelope-from booloo) Date: Wed, 9 Jul 2008 11:29:06 -0700 From: Mark Boolootian To: freebsd-security@freebsd.org Message-ID: <20080709182906.GA67970@root.ucsc.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.15 (2007-04-06) X-Spam-Status: No, score=0.8 required=20.0 tests=ALL_TRUSTED, DKIM_POLICY_SIGNSOME,DK_POLICY_SIGNSOME,FAKE_REPLY_C autolearn=no version=3.2.1 X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on root.ucsc.edu Subject: Re: BIND update?
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: booloo@ucsc.edu List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 18:29:08 -0000 I hope I can distance myself from Josh in terms of tone. I think he's completely out of line with his snotty posts. That said, I think there is a legitimate question here. I'm interested in this issue, because it sounds as if FreeBSD folk didn't become aware of this problem until the announcement. I would have expected ISC to notify you ahead of the announcement. The patched code has been available to some for several weeks (at least). I was anticipating seeing everyone pushing patched code out on the same day. > That means 11 out of 81 entries were able to determine the status of > their product/code before the advisory went public. Here's that list, > please note I trimmed the vulnerable/not vulnerable status: Of course, any vendor running vanilla BIND would be vulnerable. > What's more important is that we not panic, especially since _public_ > details are very sparse. There are mitigations that are mentioned in > that report, along with elsewhere. Putting these mitigations in place, > if necessary, is your best option while those entrusted to do the work > are doing said work to make sure we have a co-ordinated and accurate > response. There really aren't any effective mitigations for folks running resolvers. Patched code to implement source port randomization is our only hope. Of course, that code exists and is available from ISC, and it will work fine under FreeBSD, so there is clearly a path forward. I think it might have been helpful (and still might be) if the security officer had pushed out a notification of 'work underway' with some possible indication as to when a fix might be available. 
I realize that providing a date might be extraordinarily difficult, but it helps inform planning for FreeBSD users (and, of course, gives us something to kvetch about when the date slips :-) I appreciate the FreeBSD security team efforts and will happily buy you guys beer (or other beverage of choice) any time we're in the same room together. mark From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:22:17 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D93B91065675 for ; Wed, 9 Jul 2008 18:22:16 +0000 (UTC) (envelope-from tedm@ipinc.net) Received: from mail.ipinc.net (mail.ipinc.net [65.75.192.11]) by mx1.freebsd.org (Postfix) with ESMTP id 8C55E8FC16 for ; Wed, 9 Jul 2008 18:22:16 +0000 (UTC) (envelope-from tedm@ipinc.net) Received: from tedsdesk (tedsdesk.ipinc.net [65.75.206.111]) by mail.ipinc.net (8.13.8/8.13.8) with ESMTP id m69HwYcX051964 for ; Wed, 9 Jul 2008 10:58:34 -0700 (PDT) (envelope-from tedm@ipinc.net) From: "Ted Mittelstaedt" To: Date: Wed, 9 Jul 2008 10:58:34 -0700 Organization: Internet Partners, Inc. 
Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.6838 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512 Thread-Index: Acjh7WekkmgXzC9LTyeyreSPA+DaBQ== Importance: Normal X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (mail.ipinc.net [65.75.192.11]); Wed, 09 Jul 2008 10:58:34 -0700 (PDT) X-Virus-Scanned: ClamAV 0.91.2/7676/Wed Jul 9 07:56:10 2008 on mail.ipinc.net X-Virus-Status: Clean X-Spam-Status: No, score=-101.4 required=4.1 tests=ALL_TRUSTED, USER_IN_WHITELIST autolearn=disabled version=3.2.3 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.ipinc.net X-Mailman-Approved-At: Wed, 09 Jul 2008 18:29:46 +0000 Subject: Here is how to fix your nameserver - was Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 18:22:17 -0000 Hi All, First, knock off the goddam posturing. Second, named is statically linked, so there is NO BIG FRAGGING DEAL with upgrading your nameserver. Here is how you do it:

System: FreeBSD 6.3-RELEASE used as a nameserver

Login and su to root
cd /usr/ports/distfiles
mkdir manual-build
cd manual-build
fetch http://ftp.isc.org/isc/bind9/9.3.5-P1/bind-9.3.5-P1.tar.gz
gunzip bind-9.3.5-P1.tar
tar xf bind-9.3.5-P1.tar
cd bind-9.3.5-P1
./configure --disable-openssl-version-check (NOTE: The OpenSSL included with FreeBSD 6.3-RELEASE is vulnerable to 4 security notifications, you should have patched it already)
make
rndc stop
cd ./bin/named
chmod u-w named
mv /usr/sbin/named /usr/sbin/named.original
mv named /usr/sbin/named
cd ..
cd rndc
mv /usr/sbin/rndc /usr/sbin/rndc.original
mv rndc /usr/sbin/rndc
/usr/sbin/named -4 -c /etc/namedb/named.conf -t /var/named -u root
tail /var/log/messages
make sure messages has:
starting BIND 9.3.5-P1 -4 -c /etc/namedb/named.conf -t /var/named -u root
in it
nslookup www.freebsd.org
(tests)
you're done!

named and rndc are both compiled with static libraries: liblwres.a libdns.a libbind9.a libisccfg.a libisccc.a libisc.a so there is no need to go replacing all of the resolver libraries and recompiling all the applications. The bug DOES NOT affect client applications that use the resolver libraries. This will get you going until FBSD 6.4 is out.

Ted Mittelstaedt Author: The FreeBSD Corporate Networker's Guide

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:30:40 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D5C29106567E; Wed, 9 Jul 2008 18:30:40 +0000 (UTC) (envelope-from booloo@ucsc.edu) Received: from root.ucsc.edu (root.ucsc.edu [128.114.2.68]) by mx1.freebsd.org (Postfix) with ESMTP id 9B2138FC1A; Wed, 9 Jul 2008 18:30:40 +0000 (UTC) (envelope-from booloo@ucsc.edu) Received: from root.ucsc.edu (localhost [127.0.0.1]) by root.ucsc.edu (8.13.8/8.13.8) with ESMTP id m69IFJvi067750; Wed, 9 Jul 2008 11:15:19 -0700 (PDT) (envelope-from booloo@root.ucsc.edu) Received: (from booloo@localhost) by root.ucsc.edu (8.13.8/8.13.8/Submit) id m69IFJQw067749; Wed, 9 Jul 2008 11:15:19 -0700 (PDT) (envelope-from booloo) Date: Wed, 9 Jul 2008 11:15:19 -0700 From: Mark Boolootian To: Wesley Shields Message-ID: <20080709181519.GA67356@root.ucsc.edu> References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <4874DD4B.5020608@yahoo.com> <17cd1fbe0807090926g21ef35e7l10e4a6e38ad3d10@mail.gmail.com> <20080709174341.GF92109@atarininja.org> MIME-Version: 1.0 Content-Type:
text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080709174341.GF92109@atarininja.org> User-Agent: Mutt/1.5.15 (2007-04-06) X-Spam-Status: No, score=-1.4 required=20.0 tests=ALL_TRUSTED, DKIM_POLICY_SIGNSOME, DK_POLICY_SIGNSOME autolearn=failed version=3.2.1 X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on root.ucsc.edu Cc: freebsd-security@freebsd.org Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: booloo@ucsc.edu List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 18:30:40 -0000 I hope I can distance myself from Josh in terms of tone. I think he's completely out of line with his snotty posts. That said, I think there is a legitimate question here. I'm interested in this issue, because it sounds as if FreeBSD folk didn't become aware of this problem until the announcement. I would have expected ISC to notify you ahead of the announcement. The patched code has been available to some for several weeks (at least). I was anticipating seeing everyone pushing patched code out on the same day. > That means 11 out of 81 entries were able to determine the status of > their product/code before the advisory went public. Here's that list, > please note I trimmed the vulnerable/not vulnerable status: Of course, any vendor running vanilla BIND would be vulnerable. > What's more important is that we not panic, especially since _public_ > details are very sparse. There are mitigations that are mentioned in > that report, along with elsewhere. Putting these mitigations in place, > if necessary, is your best option while those entrusted to do the work > are doing said work to make sure we have a co-ordinated and accurate > response. There really aren't any effective mitigations for folks running resolvers. 
Patched code to implement source port randomization is our only hope. Of course, that code exists and is available from ISC, and it will work fine under FreeBSD, so there is clearly a path forward. I think it might have been helpful (and still might be) if the security officer had pushed out a notification of 'work underway' with some possible indication as to when a fix might be available. I realize that providing a date might be extraordinarily difficult, but it helps inform planning for FreeBSD users (and, of course, gives us something to kvetch about when the date slips :-) I appreciate the FreeBSD security team efforts and will happily buy you guys beer (or other beverage of choice) any time we're in the same room together. mark From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:38:30 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5F288106564A for ; Wed, 9 Jul 2008 18:38:30 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id 2E54F8FC21 for ; Wed, 9 Jul 2008 18:38:30 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: by strawberry.noncombatant.org (Postfix, from userid 1001) id B0A8F86687D; Wed, 9 Jul 2008 11:33:25 -0700 (PDT) Date: Wed, 9 Jul 2008 11:33:25 -0700 From: Chris Palmer To: Wesley Shields , freebsd-security@freebsd.org Message-ID: <20080709183325.GE55473@noncombatant.org> References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709181515.GG92109@atarininja.org> Mime-Version: 1.0 Content-Type: text/plain; 
charset=us-ascii Content-Disposition: inline In-Reply-To: <20080709181515.GG92109@atarininja.org> User-Agent: Mutt/1.4.2.3i Cc: Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 18:38:30 -0000 Wesley Shields writes: > In the security world there is a balance which must be maintained between > providing information to consumers so that they may plan accordingly, and > not providing too much information so that the attackers can write > exploits; this is the sensitive nature of the information which often > leads to opaque processes by security teams around the world. http://en.wikipedia.org/wiki/Kerckhoffs'_principle Malware authors create exploits based on information they gleaned by reverse engineering the binary patches released by Microsoft. They are able to get these exploits into the wild before everyone has even had a chance to apply the patches, even though the patching is (semi-)automated. Not only is there no security through obscurity, there isn't even any obscurity. 
:) From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:29:32 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 468A1106564A; Wed, 9 Jul 2008 18:29:32 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from websrv01.jr-hosting.nl (websrv01.jr-hosting.nl [78.47.69.233]) by mx1.freebsd.org (Postfix) with ESMTP id F3A6D8FC2A; Wed, 9 Jul 2008 18:29:31 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from [195.64.94.120] (helo=axantucar.local) by websrv01.jr-hosting.nl with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1KGePz-0005iU-7T; Wed, 09 Jul 2008 20:29:31 +0200 Message-ID: <48750387.60002@FreeBSD.org> Date: Wed, 09 Jul 2008 20:29:27 +0200 From: Remko Lodder User-Agent: Thunderbird 2.0.0.14 (Macintosh/20080421) MIME-Version: 1.0 To: Wesley Shields References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709181515.GG92109@atarininja.org> <487500A6.2030001@FreeBSD.org> <20080709183051.GH92109@atarininja.org> In-Reply-To: <20080709183051.GH92109@atarininja.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Wed, 09 Jul 2008 18:42:03 +0000 Cc: freebsd-security@freebsd.org Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 18:29:32 -0000 Wesley Shields wrote: >> There will be no such page with information about pending items. 
>> Sometimes we are bound to non-disclosures etc. We handle this internally >> and will continue to do so. If people cannot live with that (like Josh) >> then that's their challenge. >> >> Note I speak largely for myself in this case. I am not going to support >> a wiki page or something. I do not know what the other secteam members >> think about that, but I expect something like my opinion. > > That's certainly a fair statement. I understand the non-disclosure > aspect of the situation, but I also feel a more transparent process > wherever possible is a good idea. I suspect more thought on the > matter is necessary. > > -- WXS I think we can better spend time on improving VuXML entries than spending more time on considerations of this topic. Please close it and move along. -- /"\ Best regards, | remko@FreeBSD.org \ / Remko Lodder | remko@EFnet X http://www.evilcoder.org/ | / \ ASCII Ribbon Campaign | Against HTML Mail and News From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:43:30 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 359101065685 for ; Wed, 9 Jul 2008 18:43:30 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id 114188FC0A for ; Wed, 9 Jul 2008 18:43:30 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: by strawberry.noncombatant.org (Postfix, from userid 1001) id B0FF18669B2; Wed, 9 Jul 2008 11:23:40 -0700 (PDT) Date: Wed, 9 Jul 2008 11:23:40 -0700 From: Chris Palmer To: freebsd-security@freebsd.org Message-ID: <20080709182340.GD55473@noncombatant.org> References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org>
<4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> User-Agent: Mutt/1.4.2.3i Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 18:43:30 -0000 Okay everybody, take a step back, take a deep breath, and count to ten. :) DNS has never provided any security guarantees, and so a marginal increase or decrease in the difficulty of spoofing responses is not a huge issue in the grand scheme of things. Even if the 16 bits were somehow pure delicious entropy, it would still only be 16 bits. If you want to provide DNS service yet minimize the risk to the server, BIND should never have been your first choice. It has a rough history, and there are more secure alternatives. Some people like BIND anyway. Cool. They accept that risk. DNSSEC is not widely deployed; and if it were, would that matter? Would you securely resolve important.example.com, only to talk to that host via HTTP? HTTP, like DNS, has never provided any security guarantees. It's not clear that, given correct authentication of important.example.com via X509 cert and a trusted third party (or by careful examination of the known-good fingerprint), "secure" DNS would provide any additional server authentication. Granted, I say "given correct authentication of important.example.com via X509 cert" as if that were easy. ;) In any case, that is all we have in the real world today. See also: SSH host keys. So I'm not too worried about the lack of urgency from the FreeBSD security team on this particular issue. It's not news that DNS is insecure and that BIND has a bug. 
Nobody should have been depending on the security of DNS or on a bulletproof BIND. From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:51:39 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 923E11065689 for ; Wed, 9 Jul 2008 18:51:39 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: from syn.atarininja.org (syn.csh.rit.edu [129.21.60.158]) by mx1.freebsd.org (Postfix) with ESMTP id 664938FC15 for ; Wed, 9 Jul 2008 18:51:39 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: by syn.atarininja.org (Postfix, from userid 1001) id 44E755C6A; Wed, 9 Jul 2008 14:54:05 -0400 (EDT) Date: Wed, 9 Jul 2008 14:54:05 -0400 From: Wesley Shields To: Chris Palmer Message-ID: <20080709185405.GJ92109@atarininja.org> References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709181515.GG92109@atarininja.org> <20080709183325.GE55473@noncombatant.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080709183325.GE55473@noncombatant.org> User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd-security@freebsd.org Subject: Re: BIND update? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 18:51:39 -0000 On Wed, Jul 09, 2008 at 11:33:25AM -0700, Chris Palmer wrote: > Wesley Shields writes: > > > In the security world there is a balance which must be maintained between > > providing information to consumers so that they may plan accordingly, and > > not providing too much information so that the attackers can write > > exploits; this is the sensitive nature of the information which often > > leads to opaque processes by security teams around the world. > > http://en.wikipedia.org/wiki/Kerckhoffs'_principle > > Malware authors create exploits based on information they gleaned by reverse > engineering the binary patches released by Microsoft. They are able to get > these exploits into the wild before everyone has even had a chance to apply > the patches, even though the patching is (semi-)automated. I'm well aware of that, as I have many friends who do this for a living (legitimate businesses). I'm also not sure how this applies since the project is open source - the fix is published at the time of the patch, so there's no reverse engineering to do. If anything this illustrates that patches should be applied in a timely manner in an open source project, since the window you are describing is effectively zero. > Not only is there no security through obscurity, there isn't even any > obscurity. :) The point is to not give hints about where in the code the problem lies while at least being able to give the consumers of FreeBSD a chance to plan around any potential bugs. Given the sensitive nature of the issue, and the fact that some things are under NDA, I'm not entirely sure it is a good idea. I'd like to see a more transparent process without causing any harm to it, but I'm not sure how to do that right now. 
Despite me wanting to see this happen I think these issues are too big to overcome without more thought. I'm considering this issue closed for now.

-- 
WXS

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:46:10 2008
From: Ted Mittelstaedt
Date: Wed, 9 Jul 2008 11:46:07 -0700
Organization: Internet Partners, Inc.
Subject: RE: Here is how to fix your nameserver - was Re: BIND update?
Message-ID: <26A784931556478F8BB9615AA6408FFA@tedsdesk>
Hi All,

OK, slight addition to this:

> -----Original Message-----
> From: Ted Mittelstaedt [mailto:tedm@ipinc.net]
> Sent: Wednesday, July 09, 2008 10:59 AM
> To: 'freebsd-security@freebsd.org'
> Subject: Here is how to fix your nameserver - was Re: BIND update?
>
> System: FreeBSD 6.3-RELEASE used as a nameserver
>
> Login and su to root
>
> cd /usr/ports/distfiles
> mkdir manual-build
> cd manual-build
> fetch http://ftp.isc.org/isc/bind9/9.3.5-P1/bind-9.3.5-P1.tar.gz
> gunzip bind-9.3.5-P1.tar.gz
> tar xf bind-9.3.5-P1.tar
> cd bind-9.3.5-P1
> ./configure --disable-openssl-version-check
> (NOTE: The OpenSSL included with FreeBSD 6.3-RELEASE is vulnerable to 4
> security notifications, you should have patched it already)
> make
> rndc stop
> cd ./bin/named
> chmod u-w named
> mv /usr/sbin/named /usr/sbin/named.original
> mv named /usr/sbin/named
> cd ..
> cd rndc
> mv /usr/sbin/rndc /usr/sbin/rndc.original
> mv rndc /usr/sbin/rndc
> cd /var/named/etc
> cp /var/named/etc/namedb/rndc.key .
> /usr/sbin/named -4 -c /etc/namedb/named.conf -t /var/named -u root
>
> tail /var/log/messages
>
> make sure messages has:
> starting BIND 9.3.5-P1 -4 -c /etc/namedb/named.conf -t /var/named -u root
> in it
>
> nslookup www.freebsd.org
> (tests)
>
> you're done!
>
> named and rndc are both compiled with static libraries:
> liblwres.a libdns.a libbind9.a libisccfg.a libisccc.a libisc.a
>
> so there is no need to go replacing all of the resolver libraries and
> recompiling all the applications. The bug DOES NOT affect client
> applications that use the resolver libraries.
>
> This will get you going until FBSD 6.4 is out.
>
> Ted Mittelstaedt
> Author: The FreeBSD Corporate Networker's Guide
>

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:55:07 2008
From: Wesley Shields
To: Chris Palmer
Cc: freebsd-security@freebsd.org
Date: Wed, 9 Jul 2008 14:57:32 -0400
Subject: Re: BIND update?
Message-ID: <20080709185732.GK92109@atarininja.org>
In-Reply-To: <20080709185405.GJ92109@atarininja.org>
On Wed, Jul 09, 2008 at 02:54:05PM -0400, Wesley Shields wrote:
> On Wed, Jul 09, 2008 at 11:33:25AM -0700, Chris Palmer wrote:
> > Wesley Shields writes:
> >
> > > In the security world there is a balance which must be maintained between
> > > providing information to consumers so that they may plan accordingly, and
> > > not providing too much information so that the attackers can write
> > > exploits; this is the sensitive nature of the information which often
> > > leads to opaque processes by security teams around the world.
> >
> > http://en.wikipedia.org/wiki/Kerckhoffs'_principle
> >
> > Malware authors create exploits based on information they gleaned by reverse
> > engineering the binary patches released by Microsoft. They are able to get
> > these exploits into the wild before everyone has even had a chance to apply
> > the patches, even though the patching is (semi-)automated.
>
> I'm well aware of that, as I have many friends who do this for a living
> (legitimate businesses). I'm also not sure how this applies since the
> project is open source - the fix is published at the time of the patch,
> so there's no reverse engineering to do. If anything this illustrates
> that patches should be applied in a timely manner in an open source
> project, since the window you are describing is effectively zero.
>
> > Not only is there no security through obscurity, there isn't even any
> > obscurity. :)
>
> The point is to not give hints about where in the code the problem lies
> while at least being able to give the consumers of FreeBSD a chance to
> plan around any potential bugs.
> Given the sensitive nature of the issue, and the fact that some things
> are under NDA, I'm not entirely sure it is a good idea. I'd like to see
> a more transparent process without causing any harm to it, but I'm not
> sure how to do that right now.
>
> Despite me wanting to see this happen I think these issues are too big
> to overcome without more thought. I'm considering this issue closed for
> now.

Oh, and as I've stated to Remko privately: I think the security team is doing a good job. I, in no way, mean to suggest otherwise. I'm just trying to allow the consumers of FreeBSD a bit of wiggle room with regards to planning. ;)

-- 
WXS

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:49:26 2008
From: Jason Stone
To: Peter Thoenen
Cc: freebsd-security@freebsd.org, remko@elvandar.org
Date: Wed, 9 Jul 2008 11:29:25 -0700 (PDT)
Subject: Re: BIND update?
In-Reply-To: <4874DD4B.5020608@yahoo.com>
I don't agree with the criticism of the security team; it takes a lot of time to test things and make sure that changes and patches work within the larger context of a complete system. And what I like about FreeBSD is that it's a complete system, not just a collection of disjoint parts like some other popular unix-like systems out there....

However, I also don't agree with this:

> its really not a CRITICAL patch .. its more of a when you get around to
> it seriously.

CERT and others have been saying for years that protecting DNS infrastructure is a critical component in protecting the security of the entire internet, and I strongly agree. DNS spoofing and cache poisoning are a big part of how Windows boxes get rooted, and a more robust DNS infrastructure might go a long way in slowing the spread of the zombie armies. Many folks in the hosting world use BIND on FreeBSD to provide DNS resolvers for their clients, and this is _not_ a trivial issue for them.
-Jason

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 19:05:32 2008
From: Remko Lodder
To: freebsd-security@freebsd.org
Cc: Doug Barton, secteam@FreeBSD.org
Date: Wed, 09 Jul 2008 21:05:27 +0200
Subject: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]
Message-ID: <48750BF7.5040402@FreeBSD.org>

Dear all,

Doug just updated the ports tree with the updated BIND ports. If you urgently want to upgrade and really cannot wait for the advisory, please use the ports system to get up to speed.
Thanks Doug for working on this on such short notice!

Cheers,
remko

-------- Original Message --------
Subject: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo
Date: Wed, 9 Jul 2008 19:02:01 +0000 (UTC)
From: Doug Barton
To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org

dougb       2008-07-09 19:02:01 UTC

  FreeBSD ports repository

  Modified files:
    dns/bind9            Makefile distinfo
    dns/bind94           Makefile distinfo
    dns/bind95           Makefile distinfo
  Log:
  Upgrade to the -P1 versions of each port, which add stronger randomization of the UDP query-source ports. The server will still use the same query port for the life of the process, so users for whom the issue of cache poisoning is highly significant may wish to periodically restart their server using /etc/rc.d/named restart, or other suitable method.

  In order to take advantage of this randomization users MUST have an appropriate firewall configuration to allow UDP queries to be sent and answers to be received on random ports; and users MUST NOT specify a port number using the query-source[-v6] option. The avoid-v[46]-udp-ports options exist for users who wish to eliminate certain port numbers from being chosen by named for this purpose. See the ARM Chapter 6 for more information.

  Also please note, this issue applies only to UDP query ports. A random ephemeral port is always chosen for TCP queries. This issue applies primarily to name servers whose main purpose is to resolve random queries (sometimes referred to as "caching" servers, or more properly as "resolving" servers), although even an "authoritative" name server will make some queries, primarily at startup time.
  This update addresses issues raised in:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
  http://www.kb.cert.org/vuls/id/800113
  http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience

  Revision  Changes    Path
  1.82      +2 -2      ports/dns/bind9/Makefile
  1.44      +6 -6      ports/dns/bind9/distinfo
  1.85      +2 -3      ports/dns/bind94/Makefile
  1.47      +6 -6      ports/dns/bind94/distinfo
  1.87      +2 -2      ports/dns/bind95/Makefile
  1.49      +6 -6      ports/dns/bind95/distinfo

-- 
/"\   Best regards,                      | remko@FreeBSD.org
\ /   Remko Lodder                       | remko@EFnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 19:54:28 2008
From: Peter Jeremy
To: Ivan Grover
Cc: freebsd-security@FreeBSD.org
Date: Tue, 8 Jul 2008 21:30:30 +1000
Subject: Re: OPIE Challenge sequence
Message-ID: <20080708113030.GN62764@server.vk2pj.dyndns.org>
In-Reply-To: <670f29e20807080316s6cf57612jf5135bfd340e3328@mail.gmail.com>

On 2008-Jul-08 15:46:37 +0530, Ivan Grover wrote:
>I am trying to choose OPIE as my OTP implementation for authenticating the
>clients. I have the following queries, could anyone please let me know these
>-- why are the challenges in OPIE in a predetermined form..
>is it for determining the decryption key for the encrypted passphrase (stored
>in opiekeys).

The passphrase is not encrypted - it is hashed and cannot be "decrypted". Basically, the passphrase and seed are concatenated and the result is hashed (using MD5) the number of times specified by the iteration count, and the seed, count and final hash are stored in /etc/opiekeys.
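The construction Peter describes, as an added example (my code, not from this thread and not OPIE's own implementation): enrol a user the way opiepasswd would, issue the fixed-seed challenge, check a response by hashing it one more time, and roll the stored hash forward so a response can never be replayed. It assumes the RFC 2289 otp-md5 folding (MD5 digest XOR-folded to 8 bytes, seed lower-cased); the challenge string format, the user name, seed and passphrase are constructed for the demo.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """One chain step: MD5 the input and fold the 16-byte digest to 8 bytes
    by XORing its two halves (RFC 2289 otp-md5; assumed to match OPIE)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_value(passphrase: str, seed: str, n: int) -> bytes:
    """The n-th one-time password: hash seed+passphrase once (the seed is
    case-insensitive, so it is lower-cased), then apply n more steps."""
    h = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        h = fold_md5(h)
    return h


class OpieKeys:
    """In-memory model of /etc/opiekeys: per user, the iteration count,
    the seed, and the hash that the next response must hash to."""

    def __init__(self) -> None:
        self.records = {}

    def enrol(self, user: str, passphrase: str, seed: str, count: int) -> None:
        # What opiepasswd stores: the value after `count` iterations.
        # The passphrase itself is never written anywhere.
        self.records[user] = {
            "count": count,
            "seed": seed,
            "hash": otp_value(passphrase, seed, count),
        }

    def challenge(self, user: str) -> str:
        # The seed is fixed by the stored record, so the challenge cannot be
        # random: only the count goes down. (Format approximates opiechallenge.)
        rec = self.records[user]
        return f"otp-md5 {rec['count'] - 1} {rec['seed']}"

    def verify(self, user: str, response_hex: str) -> bool:
        rec = self.records[user]
        if rec["count"] <= 0:
            return False  # chain used up: the user must re-run opiepasswd
        try:
            response = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(response) != 8:
            return False
        # One more hash of the response must reproduce the stored hash.
        if not hmac.compare_digest(fold_md5(response), rec["hash"]):
            return False
        # Accept and roll forward: the response becomes the stored hash, so
        # presenting it again would need yet another hash step and fails.
        rec["hash"] = response
        rec["count"] -= 1
        return True


def demo() -> list:
    """Two successful logins followed by a replay; returns what happened."""
    # Constructed sample values, not real credentials.
    user, passphrase, seed = "ivan", "correct horse battery staple", "ke1234"
    keys = OpieKeys()
    keys.enrol(user, passphrase, seed, 499)  # opiepasswd's default count
    events = []
    response = ""
    for _ in range(2):
        chal = keys.challenge(user)
        _, count, chal_seed = chal.split()
        # Client side (what opiekey computes from passphrase + challenge).
        response = otp_value(passphrase, chal_seed, int(count)).hex()
        events.append((chal, keys.verify(user, response)))
    # Replaying the last accepted response must be rejected.
    events.append(("replay", keys.verify(user, response)))
    return events


if __name__ == "__main__":
    for event in demo():
        print(*event)
```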
The supplied response is easily verified because when you run it thru MD5, you should get the hash in /etc/opiekeys. You then replace that hash with the one the user supplied.

>-- is it possible to generate random challenges using opiechallenge

No. The seed has to match the seed that was used to generate the hash with opiepasswd.

-- 
Peter Jeremy
Please excuse any delays as the result of my ISP's inability to implement an MTA that is either RFC2821-compliant or matches their claimed behaviour.

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 20:04:12 2008
From: Andrew Storms
To: Remko Lodder, freebsd-security@freebsd.org
Date: Wed, 09 Jul 2008 13:04:05 -0700
Cc: Doug Barton, secteam@freebsd.org
Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]
In-Reply-To: <48750BF7.5040402@FreeBSD.org>

Nice. Thanks Doug!

On 7/9/08 12:05 PM, "Remko Lodder" wrote:
> Dear all,
>
> Doug just updated the ports tree with the updated BIND ports. If you
> urgently want to upgrade and really cannot wait for the advisory. Please
> use the ports system to get up to speed.
>
> Thanks Doug for working on this on such short notice!
>
> Cheers,
> remko

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 20:30:08 2008
From: Chris Palmer
To: Wesley Shields, freebsd-security@freebsd.org
Date: Wed, 9 Jul 2008 13:30:08 -0700
Subject: Re: BIND update?
Message-ID: <20080709203008.GF55473@noncombatant.org>
In-Reply-To: <20080709185405.GJ92109@atarininja.org>

Wesley Shields writes:

> > Malware authors create exploits based on information they gleaned by
> > reverse
>
> (legitimate businesses).
> I'm also not sure how this applies since the project is open source - the
> fix is published at the time of the patch,

My implicit (sorry about that) point was that if closed source software has no obscurity, there's no way open source software can have any. So we should not pretend that there is any, nor that it can help. The best course is to provide users full information about the risks they face and to respond with timely and correct fixes to those issues that introduce unnecessary risk.

In this case, the BIND bug is already patched and publicly available anyway.

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 22:04:02 2008
From: Roger Marquis
To: freebsd-security@freebsd.org
Date: Wed, 9 Jul 2008 14:53:08 -0700 (PDT)
Subject: Re: BIND update?
Message-Id: <20080709215308.C4A662B7C00@mx5.roble.com>

Jason Stone wrote:
>I don't agree with the criticism of the security team; it takes a lot of
>time to test things and make sure that changes and patches work within the
>larger context of a complete system.

There's that, but you also have to consider ISC's role. They certainly put a lot into testing named on all the common platforms.
I'm pretty sure FreeBSD is still one of their test platforms. Not so sure it will continue to be though, given the resources our polished OS seems to be limited to.

> And what I like about FreeBSD is that it's a complete system,
> not just a collection of disjoint parts like some other popular
> unix-like systems out there....

Don't know if I agree given the way dozens of port versions were unnecessarily incremented recently.

http://unix.derkeiler.com/Newsgroups/comp.unix.bsd.freebsd.misc/2008-06/msg00231.html

At least we _can_ easily update bind ports, I mean without waiting for maintainers or QA. But the real issue here is FreeBSD's response in comparison with other Unix/Linux operating systems. This is a critical time for FreeBSD. If we can't keep up, response-time-wise, patch-wise, finance-wise, or otherwise, our OS won't last long. The competition has gotten too good.

Question is, OT but very relevant, how can FreeBSD get some decent corporate sponsorship?

Roger Marquis

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 21:01:53 2008
From: Stef
To: Andrew Storms
Message-Id:
<20080709204114.471A2F1835D@mx.npubs.com>
Date: Wed, 9 Jul 2008 20:41:16 +0000 (UTC)
Cc: freebsd-security@freebsd.org, Remko Lodder, Doug Barton, secteam@freebsd.org
Reply-To: stef@memberwebs.com
Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]

Thanks!

Here are simple steps to use this instead of the base named (and easily go back later):

# cd /usr/ports/dns/bind9
# make && make install
# ln -s /etc/namedb/named.conf /usr/local/etc/named.conf
# echo 'named_program="/usr/local/sbin/named"' >> /etc/rc.conf
# /etc/rc.d/named restart

LMK if I missed something.

Cheers,
Stef

Andrew Storms wrote:
> Nice. Thanks Doug!
>
>
> On 7/9/08 12:05 PM, "Remko Lodder" wrote:
>
>> Dear all,
>>
>> Doug just updated the ports tree with the updated BIND ports. If you
>> urgently want to upgrade and really cannot wait for the advisory. Please
>> use the ports system to get up to speed.
>>
>> Thanks Doug for working on this on such short notice!
>>
>> Cheers,
>> remko
>

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 23:41:23 2008
From: Marian Hettwer
To: Chris Palmer
Cc: freebsd-security@freebsd.org
Date: Thu, 10 Jul 2008 01:22:06 +0200
Subject: Re: BIND update?
Message-ID: <4875481E.4000100@kernel32.de>
In-Reply-To: <20080709182340.GD55473@noncombatant.org>
Hi Chris,

Chris Palmer wrote:
> So I'm not too worried about the lack of urgency from the FreeBSD security
> team on this particular issue. It's not news that DNS is insecure and that
> BIND has a bug. Nobody should have been depending on the security of DNS or
> on a bulletproof BIND.
>

True words!

However, since the SecTeam of FreeBSD always did a great job, in this specific case, which had quite a huge coverage in the "press", at least a Heads Up to freebsd-security@ saying something like "Stay tuned for a patch folks, we're investigating" would have been appropriate. When everybody tries to get mad, and that's what happened, a statement like that could have calmed things down in the first place. But maybe I missed that heads up, 'cause I jumped into this discussion quite late...
Well, anyway, SecTeam, keep up the good work :)

Cheers,
./Marian

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 23:45:24 2008
From: Mark Andrews
To: freebsd-security@freebsd.org
Date: Thu, 10 Jul 2008 09:45:23 +1000
Subject: Re: BIND update?
Message-Id: <200807092345.m69NjNgf091485@drugs.dv.isc.org>
In-reply-to: Your message of "Wed, 09 Jul 2008 14:53:08 MST." <20080709215308.C4A662B7C00@mx5.roble.com>

Well as a developer of BIND I will tell you that my development platform is FreeBSD.

FreeBSD drugs.dv.isc.org 6.3-STABLE FreeBSD 6.3-STABLE #19: Fri Apr 25 13:07:00 EST 2008 marka@drugs.dv.isc.org:/usr/obj/usr/src/sys/DRUGS i386

If Doug hasn't already updated the ports to use the -P1 I would expect him to do so shortly. Or you could all do it yourselves. It really is not that hard. Just check the PGP signatures on the tarball when you make the new checksums for the port.

As for updating the base, there is still time to do this without panicking. Dan's method has not been released.
Remember the only real solution to cache poisoning is to deploy DNSSEC. You can go out and do your part of that today. If you really cared about DNS security you would have done it already. It isn't that hard. Just use the defaults.

http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf

Talk to your member(s) of parliament about getting the root signed and your cctld signed (only 4 have been signed last time I checked). If .SE and .BR can do it then your cctld can do it. ORG is in the process of getting DNSSEC added.

Mark
--
Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org

From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 23:52:07 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 234061065670 for ; Wed, 9 Jul 2008 23:52:07 +0000 (UTC) (envelope-from booloo@ucsc.edu) Received: from root.ucsc.edu (root.ucsc.edu [128.114.2.68]) by mx1.freebsd.org (Postfix) with ESMTP id F04348FC12 for ; Wed, 9 Jul 2008 23:52:06 +0000 (UTC) (envelope-from booloo@ucsc.edu) Received: from root.ucsc.edu (localhost [127.0.0.1]) by root.ucsc.edu (8.13.8/8.13.8) with ESMTP id m69Nq4I7072520; Wed, 9 Jul 2008 16:52:04 -0700 (PDT) (envelope-from booloo@root.ucsc.edu) Received: (from booloo@localhost) by root.ucsc.edu (8.13.8/8.13.8/Submit) id m69Nq40I072519; Wed, 9 Jul 2008 16:52:04 -0700 (PDT) (envelope-from booloo) Date: Wed, 9 Jul 2008 16:52:04 -0700 From: Mark Boolootian To: Marian Hettwer Message-ID: <20080709235204.GB72293@root.ucsc.edu> References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com>
<20080709182340.GD55473@noncombatant.org> <4875481E.4000100@kernel32.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4875481E.4000100@kernel32.de> User-Agent: Mutt/1.5.15 (2007-04-06) X-Spam-Status: No, score=-1.4 required=20.0 tests=ALL_TRUSTED, DKIM_POLICY_SIGNSOME, DK_POLICY_SIGNSOME autolearn=failed version=3.2.1 X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on root.ucsc.edu Cc: Chris Palmer , freebsd-security@freebsd.org Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: booloo@ucsc.edu List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 23:52:07 -0000 > > Nobody should have been depending on the security of DNS or > > on a bulletproof BIND. Everyone that uses the Internet depends on the security of DNS. From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 00:27:49 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8DEAF106567E for ; Thu, 10 Jul 2008 00:27:49 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id 63EF78FC12 for ; Thu, 10 Jul 2008 00:27:49 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: by strawberry.noncombatant.org (Postfix, from userid 1001) id 3D3F5866957; Wed, 9 Jul 2008 17:27:49 -0700 (PDT) Date: Wed, 9 Jul 2008 17:27:49 -0700 From: Chris Palmer To: Mark Boolootian , freebsd-security@freebsd.org Message-ID: <20080710002749.GK55473@noncombatant.org> References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> 
<17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709182340.GD55473@noncombatant.org> <4875481E.4000100@kernel32.de> <20080709235204.GB72293@root.ucsc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080709235204.GB72293@root.ucsc.edu> User-Agent: Mutt/1.4.2.3i Cc: Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Jul 2008 00:27:49 -0000 Mark Boolootian writes: > Everyone that uses the Internet depends on the security of DNS. That's too bad, because DNS never made any security guarantees. When you ask to resolve www.google.com, the answer does not mean "www.google.com is on the network at 74.125.19.104." It means "As far as we can tell at the moment, www.google.com might be on the network at 74.125.19.104, or that might be a total lie. Good luck! P.S.: Lying is very easy." There are no guarantees of authentication, authorization, or integrity. When I need to verify the identity of a host (really, the identity of an application server -- which is more relevant anyway), I use things like SSL certificates and SSH host keys. After all, you were going to need authentication and integrity -- and likely confidentiality, too -- at the application layer anyway. Right? 
From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 04:59:34 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B9DF5106566B for ; Thu, 10 Jul 2008 04:59:34 +0000 (UTC) (envelope-from freebsd-security@dfmm.org) Received: from dfmm.org (treehorn.dfmm.org [66.180.195.213]) by mx1.freebsd.org (Postfix) with ESMTP id 971268FC17 for ; Thu, 10 Jul 2008 04:59:34 +0000 (UTC) (envelope-from freebsd-security@dfmm.org) Received: (qmail 812 invoked by uid 1000); 10 Jul 2008 04:59:34 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 10 Jul 2008 04:59:34 -0000 Date: Wed, 9 Jul 2008 21:59:33 -0700 (PDT) From: Jason Stone X-X-Sender: jason@treehorn.dfmm.org To: Chris Palmer In-Reply-To: <20080710002749.GK55473@noncombatant.org> Message-ID: References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709182340.GD55473@noncombatant.org> <4875481E.4000100@kernel32.de> <20080709235204.GB72293@root.ucsc.edu> <20080710002749.GK55473@noncombatant.org> User-Agent: Alpine 1.00 (BSF 882 2007-12-20) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: Mark Boolootian , freebsd-security@freebsd.org Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Jul 2008 04:59:34 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> Everyone that uses the Internet depends on the security of DNS. 
> That's too bad, because DNS never made any security guarantees. When you > ask to resolve www.google.com, the answer does not mean "www.google.com > is on the network at 74.125.19.104." It means "As far as we can tell at > the moment, www.google.com might be on the network at 74.125.19.104, or > that might be a total lie. Good luck! P.S.: Lying is very easy." > > There are no guarantees of authentication, authorization, or integrity. Yes, yes, DNS makes no security guarantees, it's always been vulnerable, this is old old news. But answer truthfully: have you never launched a browser and typed "www.google.com" into it? I suspect that you have. So this affects you too. So you say, "But I don't send important information over that connection, nor do I trust the information I get back?" Maybe. I think that the AOL data leak fiasco proved that, while people don't generally think of search queries as sensitive, they really kind of are. And you almost certainly place _some_ trust in the results you get back; I mean, you're not reading them purely as fiction. But let's leave that aside for a second and assume it's true: you genuinely don't care about privacy or tampering while you're just casually surfing. That's not what's at issue; what's at issue is that you're choosing to let unknown and untrusted sites inject arbitrary data into your web browser. And your browser has more exploitable bugs in it than you can shake a stick at. It doesn't matter which browser you use -- IE, Firefox, Safari, Opera, Lynx, w3m -- I guarantee you, it has more holes than you can shake a stick at. You could run it in a chroot, or with a different UID from your normal user... but you don't. So, if your DNS resolver is vulnerable to cache poisoning, then every time you casually surf the web, you're allowing for the possibility that you will get spoofed, surf to some malware site, get served a browser exploit, and get 0wned. 
This is not just theoretical; check old CERT advisories, attackers have been exploiting DNS cache vulnerabilities in home/soho routers/WAPs/firewalls for a while now. So a DNS vulnerability that would make it easy to poison the resolvers of very large numbers of clients is a huge deal. I agree that DNSSEC is the real solution. I also think that making it easy (or even possible) to sandbox the browsers is a real solution. I think that using strong crypto everywhere and making fine-grained capabilities and MAC systems ubiquitous is also a real solution. But that's just not the reality we have today. And having the reality we have today, it's absolutely critical to make the existing, insecure DNS system as secure as it can be. -Jason -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQFIdZc1swXMWWtptckRAtFqAKCA++pDoal7FEr13hXIWJ9h+iYA2gCfTVyQ 5AXA7BRSqX0ToHayLgGB0PA= =c7gM -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 05:08:37 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 949D5106567D for ; Thu, 10 Jul 2008 05:08:37 +0000 (UTC) (envelope-from silby@silby.com) Received: from relay00.pair.com (relay00.pair.com [209.68.5.9]) by mx1.freebsd.org (Postfix) with SMTP id 274DC8FC1B for ; Thu, 10 Jul 2008 05:08:36 +0000 (UTC) (envelope-from silby@silby.com) Received: (qmail 32587 invoked from network); 10 Jul 2008 04:41:55 -0000 Received: from unknown (HELO localhost) (unknown) by unknown with SMTP; 10 Jul 2008 04:41:55 -0000 X-pair-Authenticated: 209.68.2.70 Date: Wed, 9 Jul 2008 23:41:54 -0500 (CDT) From: Mike Silbersack To: Mike Tancsa In-Reply-To: <200807091209.m69C9Gsl030319@lava.sentex.ca> Message-ID: <20080709233650.B3813@odysseus.silby.com> References: <200807091054.m69As4eH065391@lurza.secnetix.de> 
<200807091209.m69C9Gsl030319@lava.sentex.ca> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org, Oliver Fromme Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" X-List-Received-Date: Thu, 10 Jul 2008 05:08:37 -0000

On Wed, 9 Jul 2008, Mike Tancsa wrote:

> At 06:54 AM 7/9/2008, Oliver Fromme wrote:
>> Andrew Storms wrote:
>> > http://www.isc.org/index.pl?/sw/bind/bind-security.php
>>
>> I'm just wondering ...
>>
>> ISC's patches cause source ports to be randomized, thus
>> making it more difficult to spoof response packets.
>>
>> But doesn't FreeBSD already randomize source ports by
>> default? So, do FreeBSD systems require to be patched
>> at all?
>
> It doesn't seem to do a very good job of it with bind for some reason...
> Perhaps because it picks a port and reuses it?

Yep, binding to a single query port and sticking to it is how BIND has operated for years.

I just came up with a crazy idea, perhaps someone with more pf knowledge could answer this question:

Can you make a pf rule that NATs all outgoing udp queries from BIND with random source ports? That seems like it would have exactly the same effect as BIND randomizing the source ports itself.

Granted, updating BIND would probably be the better choice long term, but perhaps it'd be easier to push a new firewall rule out to a rack of machines.
Mike "Silby" Silbersack From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 05:21:54 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1EA701065680 for ; Thu, 10 Jul 2008 05:21:54 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id E33B38FC1A for ; Thu, 10 Jul 2008 05:21:53 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from blueberry-2.local (unknown [64.142.6.126]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by strawberry.noncombatant.org (Postfix) with ESMTPSA id 3D47586682E; Wed, 9 Jul 2008 22:21:53 -0700 (PDT) Message-ID: <48759C70.2060705@noncombatant.org> Date: Wed, 09 Jul 2008 22:21:52 -0700 From: Chris Palmer User-Agent: Thunderbird 2.0.0.14 (Macintosh/20080421) MIME-Version: 1.0 To: Jason Stone , freebsd-security@freebsd.org References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709182340.GD55473@noncombatant.org> <4875481E.4000100@kernel32.de> <20080709235204.GB72293@root.ucsc.edu> <20080710002749.GK55473@noncombatant.org> In-Reply-To: X-Enigmail-Version: 0.95.6 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: BIND update? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" X-List-Received-Date: Thu, 10 Jul 2008 05:21:54 -0000

Jason Stone wrote:

> So you say, "But I don't send important information over that
> connection, nor do I trust the information I get back?" Maybe. I think
> that the AOL data leak fiasco proved that, while people don't generally
> think of search queries as sensitive, they really kind of are. And you
> almost certainly place _some_ trust in the results you get back; I mean,
> you're not reading them purely as fiction.

I validate such unauthenticated information at the human layer. Have to -- even when nobody has tampered with DNS, BGP, or HTTP, the stuff at nytimes.com and wikipedia.org is still often false.

> So, if your DNS resolver is vulnerable to cache poisoning, then every
> time you casually surf the web, you're allowing for the possibility that
> you will get spoofed, surf to some malware site, get served a browser
> exploit, and get 0wned.

That is already true, and is true regardless of the "security" of the DNS.

Think hard on why this is possible:

http://ex-parrot.com/~pete/upside-down-ternet.html

:)

Similarly, why does YouTube disappear whenever Pervez Musharraf gets cranky?

> I agree that DNSSEC is the real solution.

It won't, and can't, solve *any* of the problems you cited. Any attacker that can mangle my DNS traffic (and cache poisoning is hardly the only way to do that) can also just read and alter *any* non-secure-by-design plaintext network traffic.

> I also think that making it easy (or even possible) to sandbox the
> browsers is a real solution. I think that using strong crypto everywhere
> and making fine-grained capabilities and MAC systems ubiquitous is also a
> real solution.

Okay, I know when I'm being trolled. :) I'll stop posting now. It's bed time anyway.
From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 05:48:38 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EC5AC1065681 for ; Thu, 10 Jul 2008 05:48:38 +0000 (UTC) (envelope-from tim@clewlow.org) Received: from clewlow.org (clewlow.org [210.215.149.194]) by mx1.freebsd.org (Postfix) with ESMTP id 7E1708FC15 for ; Thu, 10 Jul 2008 05:48:38 +0000 (UTC) (envelope-from tim@clewlow.org) Received: from 192.168.1.100 (localhost [127.0.0.1]) by clewlow.org (Postfix) with ESMTP id E28B81C0844; Thu, 10 Jul 2008 15:32:59 +1000 (EST) Received: from 192.168.1.10 (SquirrelMail authenticated user tim) by 192.168.1.100 with HTTP; Thu, 10 Jul 2008 15:33:00 +1000 (EST) Message-ID: <53413.192.168.1.10.1215667980.squirrel@192.168.1.100> In-Reply-To: <20080709233650.B3813@odysseus.silby.com> References: <200807091054.m69As4eH065391@lurza.secnetix.de> <200807091209.m69C9Gsl030319@lava.sentex.ca> <20080709233650.B3813@odysseus.silby.com> Date: Thu, 10 Jul 2008 15:33:00 +1000 (EST) From: "Tim Clewlow" To: "Mike Silbersack" User-Agent: SquirrelMail/1.4.13 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Cc: freebsd-security@freebsd.org, Oliver Fromme Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Jul 2008 05:48:39 -0000 > > On Wed, 9 Jul 2008, Mike Tancsa wrote: > >> At 06:54 AM 7/9/2008, Oliver Fromme wrote: >>> Andrew Storms wrote: >>> > http://www.isc.org/index.pl?/sw/bind/bind-security.php >>> >>> I'm just wondering ... >>> >>> ISC's patches cause source ports to be randomized, thus >>> making it more difficult to spoof response packets. 
>>>
>>> But doesn't FreeBSD already randomize source ports by
>>> default? So, do FreeBSD systems require to be patched
>>> at all?
>>
>> It doesn't seem to do a very good job of it with bind for some
>> reason...
>> Perhaps because it picks a port and reuses it?
>
> Yep, binding to a single query port and sticking to it is how BIND
> has operated for years.
>
> I just came up with a crazy idea, perhaps someone with more pf
> knowledge could answer this question:
>
> Can you make a pf rule that NATs all outgoing udp queries from BIND
> with random source ports? That seems like it would have exactly the same
> effect as BIND randomizing the source ports itself.
>
> Granted, updating BIND would probably be the better choice long
> term, but perhaps it'd be easier to push a new firewall rule out to a rack of
> machines.
>

Assuming this is NOT a gateway, ie a single homed DNS.

This has not been tested, and may not work, but anyway, how about:

nic="network interface name"
bind_port="source port number you have set bind to ALWAYS use"
nat on $nic from any port $bind_port to any -> ($nic)

This _should_ do a special nat of both udp and tcp traffic, ie keep the same source IP but randomly pick a new source port.

I haven't had time to set up a jail/test DNS to try this on, maybe it won't work at all, but that should give you an idea.

Cheers, Tim.

We are BSD ... resistance is futile.
http://www.freebsd.org/ - http://www.openbsd.org/ - http://www.netbsd.org/

From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 05:54:18 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 45601106566C for ; Thu, 10 Jul 2008 05:54:18 +0000 (UTC) (envelope-from silby@silby.com) Received: from relay01.pair.com (relay01.pair.com [209.68.5.15]) by mx1.freebsd.org (Postfix) with SMTP id F2DC08FC17 for ; Thu, 10 Jul 2008 05:54:17 +0000 (UTC) (envelope-from silby@silby.com) Received: (qmail 18558 invoked from network); 10 Jul 2008 05:54:16 -0000 Received: from unknown (HELO localhost) (unknown) by unknown with SMTP; 10 Jul 2008 05:54:16 -0000 X-pair-Authenticated: 209.68.2.70 Date: Thu, 10 Jul 2008 00:54:14 -0500 (CDT) From: Mike Silbersack To: Tim Clewlow In-Reply-To: <53413.192.168.1.10.1215667980.squirrel@192.168.1.100> Message-ID: <20080710004835.S5394@odysseus.silby.com> References: <200807091054.m69As4eH065391@lurza.secnetix.de> <200807091209.m69C9Gsl030319@lava.sentex.ca> <20080709233650.B3813@odysseus.silby.com> <53413.192.168.1.10.1215667980.squirrel@192.168.1.100> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org, Oliver Fromme Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" X-List-Received-Date: Thu, 10 Jul 2008 05:54:18 -0000

On Thu, 10 Jul 2008, Tim Clewlow wrote:

>> Can you make a pf rule that NATs all outgoing udp queries from BIND
>> with
>> random source ports? That seems like it would have exactly the same
>> effect as BIND randomizing the source ports itself.
>
> Assuming this is NOT a gateway, ie a single homed DNS.
>
> This has not been tested, and may not work, but anyway, how about:
>
> nic="network interface name"
> bind_port="source port number you have set bind to ALWAYS use"
> nat on $nic from any port $bind_port to any -> ($nic)
>
> This _should_ do a special nat of both udp and tcp traffic, ie keep
> the same source IP but randomly pick a new source port.
>
> I haven't had time to set up a jail/test DNS to try this on, maybe
> it won't work at all, but that should give you an idea.
>
> Cheers, Tim.

Yes, using pf's NAT seems to work, although doxpara's checker claims that it is not working. Here's what tcpdump on the external side of NAT shows me after I nat port 53 traffic:

06:05:56.469558 IP SILBYIP.60153 > 209.85.139.9.53: 9078% [1au] A? www.l.google.com. (45)
06:05:56.535407 IP 209.85.139.9.53 > SILBYIP.60153: 9078*- 3/0/0 A 64.233.167.99,[|domain]
06:06:03.767643 IP SILBYIP.59956 > 216.239.36.10.53: 21333% [1au] A? news.google.com. (44)
06:06:03.817520 IP 216.239.36.10.53 > SILBYIP.59956: 21333*- 1/7/8 CNAME news.l.google.com. (289)
06:06:03.818565 IP SILBYIP.55784 > 64.233.167.9.53: 61468% [1au] A? news.l.google.com. (46)
06:06:03.840510 IP 64.233.167.9.53 > SILBYIP.55784: 61468*- 2/0/0 A 72.14.207.104, (67)
06:06:16.830837 IP SILBYIP.59956 > 216.239.36.10.53: 59557% [1au] A? maps.google.com. (44)
06:06:16.880945 IP 216.239.36.10.53 > SILBYIP.59956: 59557*- 1/7/8 CNAME maps.l.google.com. (289)
06:06:16.881988 IP SILBYIP.63680 > 209.85.137.9.53: 11160% [1au] A? maps.l.google.com. (46)
06:06:17.025439 IP 209.85.137.9.53 > SILBYIP.63680: 11160*- 3/0/0 A 64.233.167.104,[|domain]

As you can see, we get a different source port for each server that we connect to. I would assume that makes us secure. But the checker at doxpara doesn't think we're secure because it's just one server that we're connecting to repeatedly.

06:06:45.127850 IP SILBYIP.57575 > 209.200.168.66.53: 38156% [1au] A? 46e004a4f29d.toorrr.com. (52)
06:06:45.238227 IP 209.200.168.66.53 > SILBYIP.57575: 38156*- 1/0/0 CNAME[|domain]
06:06:45.239020 IP SILBYIP.57575 > 209.200.168.66.53: 11461% [1au][|domain]
06:06:45.351066 IP 209.200.168.66.53 > SILBYIP.57575: 11461*-[|domain]
06:06:45.351836 IP SILBYIP.57575 > 209.200.168.66.53: 57564% [1au][|domain]
06:06:45.466886 IP 209.200.168.66.53 > SILBYIP.57575: 57564*-[|domain]
06:06:45.467658 IP SILBYIP.57575 > 209.200.168.66.53: 31106% [1au][|domain]
06:06:45.580640 IP 209.200.168.66.53 > SILBYIP.57575: 31106*-[|domain]
06:06:45.581619 IP SILBYIP.57575 > 209.200.168.66.53: 4662% [1au][|domain]
06:06:45.692804 IP 209.200.168.66.53 > SILBYIP.57575: 4662*-[|domain]

So there we go, we saved the internet with NAT. :)

-Mike

From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 06:06:29 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 439071065672 for ; Thu, 10 Jul 2008 06:06:29 +0000 (UTC) (envelope-from silby@silby.com) Received: from relay00.pair.com (relay00.pair.com [209.68.5.9]) by mx1.freebsd.org (Postfix) with SMTP id C78EB8FC2B for ; Thu, 10 Jul 2008 06:06:28 +0000 (UTC) (envelope-from silby@silby.com) Received: (qmail 45880 invoked from network); 10 Jul 2008 06:06:27 -0000 Received: from unknown (HELO localhost) (unknown) by unknown with SMTP; 10 Jul 2008 06:06:27 -0000 X-pair-Authenticated: 209.68.2.70 Date: Thu, 10 Jul 2008 01:06:25 -0500 (CDT) From: Mike Silbersack To: Tim Clewlow In-Reply-To: <53413.192.168.1.10.1215667980.squirrel@192.168.1.100> Message-ID: <20080710010119.K5394@odysseus.silby.com> References: <200807091054.m69As4eH065391@lurza.secnetix.de> <200807091209.m69C9Gsl030319@lava.sentex.ca> <20080709233650.B3813@odysseus.silby.com> <53413.192.168.1.10.1215667980.squirrel@192.168.1.100> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org, Oliver Fromme Subject: Re:
BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" X-List-Received-Date: Thu, 10 Jul 2008 06:06:29 -0000

On Thu, 10 Jul 2008, Tim Clewlow wrote:

> Assuming this is NOT a gateway, ie a single homed DNS.

nat on $ext_if proto udp from any to any port 53 -> ($ext_if)

That's the rule that works for me. You don't need to worry about tcp because tcp is protected by its 32 bit initial sequence number.

If someone wants to go propose this fix on bugtraq, please don't mention my name. I don't want to get dragged into it. :)

-Mike

From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 07:02:39 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6F7191065687 for ; Thu, 10 Jul 2008 07:02:39 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) by mx1.freebsd.org (Postfix) with ESMTP id 1E6D68FC15 for ; Thu, 10 Jul 2008 07:02:38 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.2/8.14.2) with ESMTP id m6A72VV4011126; Thu, 10 Jul 2008 17:02:31 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200807100702.m6A72VV4011126@drugs.dv.isc.org> To: Chris Palmer From: Mark Andrews In-reply-to: Your message of "Wed, 09 Jul 2008 22:21:52 MST." <48759C70.2060705@noncombatant.org> Date: Thu, 10 Jul 2008 17:02:31 +1000 Sender: marka@isc.org Cc: Jason Stone , freebsd-security@freebsd.org Subject: Re: BIND update?
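Editor's added example, not code from the thread, from pf or from BIND: a Python script that reads tcpdump summary lines in the format Mike Silbersack posted above and reports, per upstream server, whether successive queries went out from the same UDP source port. It makes the thread's two observations checkable from a capture rather than from an external checker: one query each to several servers gets a different port each time, while repeated queries to a single server share one port. That pattern is what pf's NAT produces for a resolver that always sends from one fixed query port: pf keys its state on the full (source address, source port, destination address, destination port) tuple, allocates a translated port when a state is created, and reuses that translation for every later packet matching the state until it expires, so only the first query to each server gets a fresh port. The host name RESOLVER and the server 198.51.100.9 in the sample capture are constructed values; the other addresses are the ones in Mike's output.

```python
"""Check whether a resolver's outbound DNS queries vary their UDP source port,
using tcpdump summary lines of the form shown in the thread.

Added example (not code from the thread). SAMPLE_LINES is a constructed capture
that mirrors Mike's two runs: single queries to several servers, then repeated
queries to one server through the same NAT state.
"""
import re
from collections import defaultdict

# tcpdump summary line for a DNS packet, e.g.
#   06:05:56.469558 IP RESOLVER.60153 > 209.85.139.9.53: 9078% [1au] A? www.l.google.com. (45)
# groups: timestamp, source host, source port, destination host, destination port, DNS id
_PKT = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)")

# Constructed sample; RESOLVER stands in for the resolver's public address.
SAMPLE_LINES = [
    "06:05:56.469558 IP RESOLVER.60153 > 209.85.139.9.53: 9078% [1au] A? www.l.google.com. (45)",
    "06:05:56.535407 IP 209.85.139.9.53 > RESOLVER.60153: 9078*- 3/0/0 A 64.233.167.99,[|domain]",
    "06:06:03.767643 IP RESOLVER.59956 > 216.239.36.10.53: 21333% [1au] A? news.google.com. (44)",
    "06:06:03.817520 IP 216.239.36.10.53 > RESOLVER.59956: 21333*- 1/7/8 CNAME news.l.google.com. (289)",
    "06:06:03.818565 IP RESOLVER.55784 > 64.233.167.9.53: 61468% [1au] A? news.l.google.com. (46)",
    "06:06:45.127850 IP RESOLVER.57575 > 198.51.100.9.53: 38156% [1au] A? a1.example.test. (52)",
    "06:06:45.238227 IP 198.51.100.9.53 > RESOLVER.57575: 38156*- 1/0/0 CNAME[|domain]",
    "06:06:45.239020 IP RESOLVER.57575 > 198.51.100.9.53: 11461% [1au] A? a2.example.test. (52)",
    "06:06:45.351836 IP RESOLVER.57575 > 198.51.100.9.53: 57564% [1au] A? a3.example.test. (52)",
    "06:06:45.467658 IP RESOLVER.57575 > 198.51.100.9.53: 31106% [1au] A? a4.example.test. (52)",
    "06:06:45.581619 IP RESOLVER.57575 > 198.51.100.9.53: 4662% [1au] A? a5.example.test. (52)",
    "this line is not a DNS packet summary and is skipped",
]


def parse_packet(line):
    """Return the addressing fields of one tcpdump DNS line, or None if it is not one."""
    m = _PKT.match(line.strip())
    if m is None:
        return None
    ts, src, sport, dst, dport, txid = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "txid": int(txid)}


def analyse_queries(lines, resolver="RESOLVER"):
    """Group the resolver's outbound queries (destination port 53) by server and
    record how many distinct source ports and DNS ids each server saw."""
    seen = defaultdict(lambda: {"queries": 0, "ports": set(), "txids": set()})
    for line in lines:
        p = parse_packet(line)
        if p is None or p["src"] != resolver or p["dport"] != 53:
            continue  # responses and non-DNS lines are not outbound queries
        s = seen[p["dst"]]
        s["queries"] += 1
        s["ports"].add(p["sport"])
        s["txids"].add(p["txid"])
    report = {}
    for dst, s in seen.items():
        report[dst] = {
            "queries": s["queries"],
            "distinct_ports": len(s["ports"]),
            "distinct_txids": len(s["txids"]),
            # Several queries to one server from a single port is exactly what an
            # external checker, which makes you query its own server repeatedly,
            # reports as "source port not randomized".
            "port_reused": s["queries"] > 1 and len(s["ports"]) < s["queries"],
        }
    return report


def ports_look_random(report):
    """True only if no server saw the same source port on two of our queries."""
    return all(not r["port_reused"] for r in report.values())


if __name__ == "__main__":
    rep = analyse_queries(SAMPLE_LINES)
    for dst, r in sorted(rep.items()):
        print(f"{dst:16} queries={r['queries']} ports={r['distinct_ports']} "
              f"reused={r['port_reused']}")
    print("source ports look random:", ports_look_random(rep))
```

Run against a real capture, replace RESOLVER with the resolver's external address and feed it `tcpdump -n -l udp port 53` output; a resolver that randomizes its own query port reports port_reused False for every server, whereas the NAT workaround reports True for any server queried twice within the state lifetime, which is why the per-destination view matters more than the total count of distinct ports.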
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" X-List-Received-Date: Thu, 10 Jul 2008 07:02:39 -0000

> Jason Stone wrote:
>
> > So you say, "But I don't send important information over that
> > connection, nor do I trust the information I get back?" Maybe. I think
> > that the AOL data leak fiasco proved that, while people don't generally
> > think of search queries as sensitive, they really kind of are. And you
> > almost certainly place _some_ trust in the results you get back; I mean,
> > you're not reading them purely as fiction.
>
> I validate such unauthenticated information at the human layer. Have to --
> even when nobody has tampered with DNS, BGP, or HTTP, the stuff at
> nytimes.com and wikipedia.org is still often false.
>
> > So, if your DNS resolver is vulnerable to cache poisoning, then every
> > time you casually surf the web, you're allowing for the possibility that
> > you will get spoofed, surf to some malware site, get served a browser
> > exploit, and get 0wned.
>
> That is already true, and is true regardless of the "security" of the DNS.
>
> Think hard on why this is possible:
>
> http://ex-parrot.com/~pete/upside-down-ternet.html
>
> :)
>
> Similarly, why does YouTube disappear whenever Pervez Musharraf gets cranky?
>
> > I agree that DNSSEC is the real solution.
>
> It won't, and can't, solve *any* of the problems you cited. Any attacker
> that can mangle my DNS traffic (and cache poisoning is hardly the only way
> to do that) can also just read and alter *any* non-secure-by-design
> plaintext network traffic.

DNSSEC won't stop all attacks. It does however stop some attack vectors. Others, like the man in the middle attack above, it won't stop.

> > I also think that making it easy (or even possible) to sandbox the
> > browsers is a real solution.
I think that using strong crypto everywhere > > and making fine-grained capabilities and MAC systems ubiquitous is also a > > real solution. > > Okay, I know when I'm being trolled. :) I'll stop posting now. It's bed time > anyway. > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 15:05:57 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9D4BA1065676; Thu, 10 Jul 2008 15:05:57 +0000 (UTC) (envelope-from marck@rinet.ru) Received: from woozle.rinet.ru (woozle.rinet.ru [195.54.192.68]) by mx1.freebsd.org (Postfix) with ESMTP id 2B6848FC0A; Thu, 10 Jul 2008 15:05:56 +0000 (UTC) (envelope-from marck@rinet.ru) Received: from localhost (localhost [127.0.0.1]) by woozle.rinet.ru (8.14.2/8.14.2) with ESMTP id m6AEfZ7l038897; Thu, 10 Jul 2008 18:41:38 +0400 (MSD) (envelope-from marck@rinet.ru) Date: Thu, 10 Jul 2008 18:41:35 +0400 (MSD) From: Dmitry Morozovsky To: stef@memberwebs.com In-Reply-To: <20080709204114.471A2F1835D@mx.npubs.com> Message-ID: <20080710183843.Q58331@woozle.rinet.ru> References: <20080709204114.471A2F1835D@mx.npubs.com> X-NCC-RegID: ru.rinet X-OpenPGP-Key-ID: 6B691B03 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0 (woozle.rinet.ru [0.0.0.0]); Thu, 10 Jul 2008 18:41:38 +0400 (MSD) Cc: "freebsd-security@freebsd.org" , Remko Lodder , Doug Barton , secteam@freebsd.org, Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo 
ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" X-List-Received-Date: Thu, 10 Jul 2008 15:05:57 -0000

On Wed, 9 Jul 2008, Stef wrote:

S> Thanks!
S>
S> Here are simple steps to use this instead of the base named (and easily
S> go back later):
S>
S> # cd /usr/ports/dns/bind9
S> # make && make install
S> # ln -s /etc/namedb/named.conf /usr/local/etc/named.conf
S> # echo 'named_program="/usr/local/sbin/named"' >> /etc/rc.conf
S> # /etc/rc.d/named restart
S>
S> LMK if I missed something.

(or use NO_BIND= in /etc/make.conf and WITH_REPLACE_BASE= on port options, but be careful when upgrading configs...)

Just to have you and other related parties informed of a pitfall I stepped into:

-- 8< --
From: BIND9 Bugs via RT
Subject: [ISC-Bugs #18265] AutoReply: bind update to 9.4.2.1: 'empty label' inconsistent check
-------------------------------------------------------------------------

Dear Doug and ISC maintainers,

just updated bind94 on our master server and found that together with vulnerability fixes there is at least one glitch in configuration checks.

History: we have an automatic scripted system to secondary some zones from one of our partners, so part of named.conf is auto-generated, then checked via named-checkconf and then applied.

After today's upgrade I found that the new server failed to start, which is really a PITA, as it has 13k+ authoritative zones.

named-checkconf does not return an error. named reports 'empty label' without any reference to config file and/or line number.

After some nervous minutes of binary search ;-) I found the offending line, which erroneously contains two dots instead of one.

I suppose this should be fixed at least in named-checkconf.
-- 8< -- Sincerely, D.Marck [DM5020, MCK-RIPE, DM3-RIPN] [ FreeBSD committer: marck@FreeBSD.org ] ------------------------------------------------------------------------ *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru *** ------------------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 17:56:16 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D8CD11065681 for ; Thu, 10 Jul 2008 17:56:16 +0000 (UTC) (envelope-from tedm@ipinc.net) Received: from mail.ipinc.net (mail.ipinc.net [65.75.192.11]) by mx1.freebsd.org (Postfix) with ESMTP id C54828FC12 for ; Thu, 10 Jul 2008 17:56:16 +0000 (UTC) (envelope-from tedm@ipinc.net) Received: from tedsdesk (tedsdesk.ipinc.net [65.75.206.111]) by mail.ipinc.net (8.13.8/8.13.8) with ESMTP id m6AHuEnP031062; Thu, 10 Jul 2008 10:56:14 -0700 (PDT) (envelope-from tedm@ipinc.net) From: "Ted Mittelstaedt" To: "'stakys'" Date: Thu, 10 Jul 2008 10:56:14 -0700 Organization: Internet Partners, Inc. 
Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.6838 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512 Thread-Index: AcjicGzS8MNddCxQQIGSNCdVjpih2gAOL/Ug Importance: Normal In-Reply-To: <4875D67B.7010006@punktas.lt> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (mail.ipinc.net [65.75.192.11]); Thu, 10 Jul 2008 10:56:14 -0700 (PDT) X-Virus-Scanned: ClamAV 0.91.2/7686/Thu Jul 10 08:27:03 2008 on mail.ipinc.net X-Virus-Status: Clean X-Spam-Status: No, score=-101.4 required=4.1 tests=ALL_TRUSTED, USER_IN_WHITELIST autolearn=disabled version=3.2.3 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.ipinc.net X-Mailman-Approved-At: Thu, 10 Jul 2008 18:15:04 +0000 Cc: freebsd-security@freebsd.org Subject: RE: Here is how to fix your nameserver - was Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Jul 2008 17:56:16 -0000

> -----Original Message-----
> From: stakys [mailto:stakys@punktas.lt]
> Sent: Thursday, July 10, 2008 2:30 AM
> To: Ted Mittelstaedt
> Subject: Re: Here is how to fix your nameserver - was Re: BIND update?
>
> According to your simple steps everything runs fine for now. What about
> later when the port will be available or the 6.4 is out? How the update
> procedure should look like, or it would be the same as always without
> any hints for BIND?
>

Hi Stakys,

I hope you don't mind I'm ccing this to the list as others may have questions.

Incidentally, if you use my instructions there is one other thing you have to do, that is you have to put a copy of rndc.key into /etc because rndc out of the box defaults to looking there for it.
With regards to the ports, yes you can do it that way if you want. I myself haven't used the BIND port in the ports directories so I am not aware of all implications of using it. I presume it replaces all the BIND utilities in the base system with updated versions. What isn't clear to me is what the port does with every other program in the system that is linked into the BIND resolver functions.

If you're admining a nameserver and you routinely use the BIND port, you should continue to do so, NOT use my instructions. If you have never used that port, then you might consider it. But, I would do it on a nameserver you're prototyping, so you can learn how the port operates.

Keep in mind that there is no "right" way to admin your system - it is your system, do as you want. Because FreeBSD is self-supported, the security patches, the ports, and ad-hoc instructions like mine are purely out there for people to use IF THEY WANT TO. You do not have to admin your server the way that -we- say to do it. ;-)

Just as a bit of background on UNIX. There was NEVER a standardized place to put things in the UNIX filesystem. For example, Sun likes to use the /opt directory a lot, and no other UNIX does that I know of. There's de-facto places. That is why the ports directories are so important, because when a port for a utility is created it standardizes where everything goes. For example, if someone says to the list that they used the BIND port to install an updated version of named, we -know- for example that named.conf is going to be at /var/named/etc/namedb/named.conf because that is where the FreeBSD Release engineers decided to put it, and the person who created the port is of course going to honor that. BUT, that is a compile-time option in BIND and the defaults in the BIND source don't actually put it there.
Instead they put it in /etc/namedb/named.conf

When a UNIX vendor (and the FreeBSD Project is a UNIX vendor, they just don't get paid for it like a commercial UNIX vendor like Sun does) creates a UNIX distribution they draw software from all over the globe. Sendmail comes from here, gcc comes from there, named comes from this other place, etc. etc. etc. Each of those individual packages has their own places that they put things. Part of the job of the release engineer is deciding a logical structure on -their- UNIX release of where things go, and then putting in compile time options, or patching makefiles, or even patching source itself, of all these different utilities to force them to put their stuff where the release engineer has decided to put it.

Back in the bad old days of UNIX, most of the Really Useful utilities -weren't- included in the UNIX distribution. For example ALL Solaris UNIX versions up until very recently didn't even have a compiler, you had to bootstrap gcc into your Solaris system. HP/UX, and Utek UNIX had compilers, but they were crappy ones and wouldn't compile most programs, so you had to use their crappy compilers to build a better compiler then use that compiler to build basic tools - things like Perl, Bash, php, and so on. Quite a lot of work, and nowadays we have it a lot easier - BUT the PROBLEM is that because so many basic utilities are now supplied stock out of the box, if you want to replace one of them, because of a security vulnerability like this named thing, for example, it becomes a MAJOR PIA.

Looking at Perl for example illustrates this. Perl is a rather nasty program to have people build because it is so involved - but it is a fantastically useful program. In FreeBSD 4 days it became obvious that it would be Really Useful if Perl was included in FreeBSD, so they did so.
Then it became even more obvious that it would be even more Really Useful if Perl -wasn't- included, precisely because of stuff like what is going on right now with BIND. So, they reverted to the old way of doing things, and Perl is back to being an add-on, one that virtually everyone who is setting up a FreeBSD system immediately installs as soon as they setup a new FreeBSD system. (hopefully, from the ports or packages system)

So, getting back to BIND. Unfortunately, BIND isn't as easy to create as an add-on as Perl is. BIND is more than a simple program. BIND has 2 parts, there's a set of libraries, usually referred to, generically, as the "resolver libraries". There's a set of utilities, like named, named-xfer, rndc, and so on.

Just about every network-aware program in ANY unix, ie: sendmail, nslookup, host, netstat, etc. etc. is compiled to link in the resolver library. If a flaw in the libraries is discovered, it affects -ALL- network-aware programs that are linked into the libraries. Thus, the only real fix is to update the source for the system and recompile every single utility that is linked into the resolver libraries in the entire system -including- additional utilities that are built by the user after the system is installed. (ie: do a make world)

With FreeBSD, during the system build process, the BIND resolver routines are put into libc. (ie: /usr/lib/libc.a for the static library, and /usr/lib/libc.so for the dynamic one) While it is sometimes possible IF the utility is dynamically linked to simply recompile the resolver library, this is a Beware, There Be Dragons kind of thing to do because if the library has changed much, you can introduce problems that way. And, with FreeBSD, libc has a lot of -other- stuff -besides- the BIND stuff in /usr/src/lib/libc/resolv. It's probably accurate to say that virtually everything in the system is linked into this library.

Thus, "upgrading BIND" if you're talking about -everything- that makes up BIND is not simple.
HOWEVER, this particular issue ONLY affects systems that are acting as nameservers because it only affects named itself. Virtually all FreeBSD systems are NOT running as nameservers and thus do not need to worry about this particular notification. Systems that ARE running as nameservers almost always are doing that ONLY, ie: they are dedicated nameserver servers. Thus you're not using most utilities in the system, sendmail, host, netstat, etc.

Because, when named is built it -statically- links into its libraries (which are also built when named is built), thus when you follow my instructions you are ending up with a system that has the -old- resolver libraries that are linked into every other program in the system, and a named program that is built with the -new- code. Since the vulnerability only affects named, it doesn't matter that the rest of the system is using the old code. And, by NOT replacing the old libraries, you avoid introducing potential instabilities into other programs.

For example suppose in addition to nameserving your server is doing some analysis of traffic - if you recompile the world with the new resolver library and the analysis code you're running breaks, well now you are stuck because you don't know if the problem is in the new resolver code or if it is that you improperly compiled it into the system, or if it is because some other utility that linked into libc has a problem.

My instructions basically give the nameserver admin a way to patch their server in the most -minimally invasive- way possible and then run it that way until the next version of FreeBSD is released in August or September.
Ted From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 00:33:04 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8B0CA1065673 for ; Fri, 11 Jul 2008 00:33:04 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from mail2.fluidhosting.com (mx23.fluidhosting.com [204.14.89.6]) by mx1.freebsd.org (Postfix) with ESMTP id 3C7198FC1D for ; Fri, 11 Jul 2008 00:33:04 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: (qmail 21312 invoked by uid 399); 11 Jul 2008 00:06:24 -0000 Received: from localhost (HELO lap.dougb.net) (dougb@dougbarton.us@127.0.0.1) by localhost with ESMTPAM; 11 Jul 2008 00:06:24 -0000 X-Originating-IP: 127.0.0.1 X-Sender: dougb@dougbarton.us Message-ID: <4876A3FE.1070407@FreeBSD.org> Date: Thu, 10 Jul 2008 17:06:22 -0700 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Thunderbird 2.0.0.14 (X11/20080606) MIME-Version: 1.0 To: stef@memberwebs.com References: <20080709204114.471A2F1835D@mx.npubs.com> In-Reply-To: <20080709204114.471A2F1835D@mx.npubs.com> X-Enigmail-Version: 0.95.6 OpenPGP: id=D5B2F0FB Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: "freebsd-security@freebsd.org" , Remko Lodder , secteam@freebsd.org, Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 00:33:04 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 First off, to those who were kind enough to offer thanks, "you're welcome." 
:)

Second, one user wrote me privately to indicate that my statement in the first paragraph of my commit message was not clear. The point to this change is that for _each_ outgoing query a _new, random_ UDP source port is used, _as well as_ the standard query ID. (This is of course assuming that you do not have a port locked down in named.conf, which no one should at this point unless firewall rules outside of your control mandate it.) However, named is still picking a "random" UDP port on startup and locking it down (2 if you're also using IPv6) although it's not immediately clear to me why (I do have a query as to the reason in progress).

Stef wrote:
| Thanks!
|
| Here are simple steps to use this instead of the base named (and easily
| go back later):
|
| # cd /usr/ports/dns/bind9

Actually I'd at least use bind94, and preferably bind95. Either of those two will have better memory management characteristics than the 9.3.x that is in dns/bind9.

| # make && make install
| # ln -s /etc/namedb/named.conf /usr/local/etc/named.conf

You will also need to do the same with the rndc.key file, and if you are running in the chroot (the default for the rc.d script) then you will need to create /var/named/usr/local/etc and repeat the exercise for both files.

| # echo 'named_program="/usr/local/sbin/named"' >> /etc/rc.conf

Personally my preference would be to edit the rc.conf[.local] file.

| # /etc/rc.d/named restart

I would actually do 'rndc stop' first, then '/etc/rc.d/named start' but for most purposes the differences there would be minor.

You can also use the "replace base bind" option in the 'make config' step which would obviate editing named_program above. If you do that, add 'WITHOUT_BIND= yes' in /etc/src.conf for 7 or 8, and 'NO_BIND= yes' in /etc/make.conf in 6.
hope this helps, Doug - -- ~ This .signature sanitized for your protection -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEAREDAAYFAkh2o/4ACgkQyIakK9Wy8PurfQCfeN7Vvme3PABgFWMPhQz1Kgu6 gVUAni9iCNt0Gzi2YntV6uQmmRI8MhQl =4Blu -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 05:05:38 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 82F121065670 for ; Fri, 11 Jul 2008 05:05:38 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from mail2.fluidhosting.com (mx23.fluidhosting.com [204.14.89.6]) by mx1.freebsd.org (Postfix) with ESMTP id 126C18FC1E for ; Fri, 11 Jul 2008 05:05:37 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: (qmail 12839 invoked by uid 399); 11 Jul 2008 05:05:37 -0000 Received: from localhost (HELO ?192.168.0.4?) (dougb@dougbarton.us@127.0.0.1) by localhost with ESMTPAM; 11 Jul 2008 05:05:37 -0000 X-Originating-IP: 127.0.0.1 X-Sender: dougb@dougbarton.us Message-ID: <4876EA1E.9000804@FreeBSD.org> Date: Thu, 10 Jul 2008 22:05:34 -0700 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Thunderbird 2.0.0.14 (Windows/20080421) MIME-Version: 1.0 To: stef@memberwebs.com References: <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> In-Reply-To: <4876A3FE.1070407@FreeBSD.org> X-Enigmail-Version: 0.95.6 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: "freebsd-security@freebsd.org" , Remko Lodder , secteam@freebsd.org, Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , 
X-List-Received-Date: Fri, 11 Jul 2008 05:05:38 -0000

Doug Barton wrote:
> However, named is still picking a "random" UDP port on startup and
> locking it down (2 if you're also using IPv6) although it's not
> immediately clear to me why.

And the answer is .... in order to make the -P1 releases as clean as possible, that part of the code was not touched (which I think is a very good decision) and that port may continue to see use down the road.

hope this helps,

Doug

-- This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 05:36:33 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 162A4106564A for ; Fri, 11 Jul 2008 05:36:33 +0000 (UTC) (envelope-from artis.caune@gmail.com) Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.246]) by mx1.freebsd.org (Postfix) with ESMTP id CA3668FC19 for ; Fri, 11 Jul 2008 05:36:32 +0000 (UTC) (envelope-from artis.caune@gmail.com) Received: by an-out-0708.google.com with SMTP id b33so875806ana.13 for ; Thu, 10 Jul 2008 22:36:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=YIuiSWfQrE730NklFTOrJfiTg4NrcE31jSW02ma0qwk=; b=H+O3BRzF5n3CV7yd57ASfuWNcczUXcsLxya1KnKs2hBVdM5NwsKLPvsMHiuKmLADrV LJjdWC9/4Xd9nUAObslwI32RKH3MWnYu3R/rfUYLdhEJCdZbRrMNgRVyv/0LroI7gmsc 0i9eWcfyRZ1FBQ29UTAk9igrnQ1Fym72j7z6I= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=IU8YJmn4DWrK1SYkzfayO1tMb306mz19q/IfxOHYpOa9Pe5O3Z6eLJJk9QiKXBjhcm r1dCptfiGpla7fOVDeopreVK/DAKTBcYt+lNYY6SmJr7Az7lB11ERaN35G3/YfJJYP7z
y4TC8yK7Zaoly4iSdyecJkR49hp98wa7ZIcng= Received: by 10.100.3.4 with SMTP id 4mr7899923anc.54.1215752988897; Thu, 10 Jul 2008 22:09:48 -0700 (PDT) Received: by 10.100.253.17 with HTTP; Thu, 10 Jul 2008 22:09:48 -0700 (PDT) Message-ID: <9e20d71e0807102209k2b9cc638he76d8a2a82e986cf@mail.gmail.com> Date: Fri, 11 Jul 2008 08:09:48 +0300 From: "Artis Caune" To: freebsd-security@freebsd.org In-Reply-To: <48750BF7.5040402@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <48750BF7.5040402@FreeBSD.org> Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 05:36:33 -0000

On Wed, Jul 9, 2008 at 10:05 PM, Remko Lodder wrote:
> Dear all,
>
> Doug just updated the ports tree with the updated BIND ports. If you
> urgently want to upgrade and really cannot wait for the advisory. Please use
> the ports system to get up to speed.

Has anyone tried to run bind95?

I updated bind94-9.4.2_1 to bind95-9.5.0.1 and after a couple of hours it ate all 2G of ram and 1G of swap and was killed. max-cache-size was set to 1500M, same problem with 64M. Looks like bind95 is leaking memory.

FreeBSD-7.0/amd64, 2K queries/sec

bind94-4.2.1 works just fine.
thanks,
Artis

From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 15:06:00 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 484AD106566C; Fri, 11 Jul 2008 15:06:00 +0000 (UTC) (envelope-from brett@lariat.net) Received: from lariat.net (lariat.net [66.119.58.2]) by mx1.freebsd.org (Postfix) with ESMTP id BC7E48FC0C; Fri, 11 Jul 2008 15:05:59 +0000 (UTC) (envelope-from brett@lariat.net) Received: from anne-o1dpaayth1.lariat.org (IDENT:ppp1000.lariat.net@lariat.net [66.119.58.2]) by lariat.net (8.9.3/8.9.3) with ESMTP id IAA18639; Fri, 11 Jul 2008 08:54:52 -0600 (MDT) Message-Id: <200807111454.IAA18639@lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Fri, 11 Jul 2008 08:54:48 -0600 To: Doug Barton , stef@memberwebs.com From: Brett Glass In-Reply-To: <4876A3FE.1070407@FreeBSD.org> References: <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Mailman-Approved-At: Fri, 11 Jul 2008 15:09:20 +0000 Cc: "freebsd-security@freebsd.org" , Remko Lodder , secteam@freebsd.org, Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 15:06:00 -0000

Is there a way to restrict the ports which BIND selects -- perhaps at the expense of a small amount of entropy -- such that it doesn't try to use UDP ports which are administratively blocked (e.g. ports used by worms, or insecure Microsoft network utilities)? We don't dare turn these port blocks off, or naive users will fall prey to security holes in Microsoft products. But if BIND doesn't know to work around them, lookups will occasionally (and infuriatingly!) fail.

--Brett Glass

At 06:06 PM 7/10/2008, Doug Barton wrote:
>First off, to those who were kind enough to offer thanks, "you're
>welcome." :)
>
>Second, one user wrote me privately to indicate that my statement in
>the first paragraph of my commit message was not clear. The point to
>this change is that for _each_ outgoing query a _new, random_ UDP
>source port is used, _as well as_ the standard query ID. (This is of
>course assuming that you do not have a port locked down in named.conf,
>which no one should at this point unless firewall rules outside of
>your control mandate it.) However, named is still picking a "random"
>UDP port on startup and locking it down (2 if you're also using IPv6)
>although it's not immediately clear to me why (I do have a query as to
>the reason in progress).

From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 15:29:03 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2E74E106567D; Fri, 11 Jul 2008 15:29:03 +0000 (UTC) (envelope-from jdc@parodius.com) Received: from mx01.sc1.parodius.com (mx01.sc1.parodius.com [72.20.106.3]) by mx1.freebsd.org (Postfix) with ESMTP id 2995E8FC18; Fri, 11 Jul 2008 15:29:02 +0000 (UTC) (envelope-from jdc@parodius.com) Received: by mx01.sc1.parodius.com (Postfix, from userid 1000) id 73C921CC092; Fri, 11 Jul 2008 08:12:28 -0700 (PDT) Date: Fri, 11 Jul 2008 08:12:28 -0700 From: Jeremy Chadwick To: Brett Glass Message-ID: <20080711151228.GA52385@eos.sc1.parodius.com> References: <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> <200807111454.IAA18639@lariat.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200807111454.IAA18639@lariat.net> User-Agent: Mutt/1.5.18 (2008-05-17) Cc: Doug Barton ,
stef@memberwebs.com, "freebsd-security@freebsd.org" , secteam@freebsd.org, Remko Lodder , Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 15:29:03 -0000

On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote:
> Is there a way to restrict the ports which BIND selects -- perhaps
> at the expense of a small amount of entropy -- such that it doesn't
> try to use UDP ports which are administratively blocked (e.g. ports
> used by worms, or insecure Microsoft network utilities)? We don't
> dare turn these port blocks off, or naive users will fall prey to
> security holes in Microsoft products. But if BIND doesn't know to
> work around them, lookups will occasionally (and infuriatingly!)
> fail.

query-source has an argument called "port" which will do what you want. That option *only* affects UDP queries, however; TCP queries are always random.

-- 
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977.
PGP: 4BD6C0CB | From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 15:56:58 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 76E54106567A; Fri, 11 Jul 2008 15:56:58 +0000 (UTC) (envelope-from alan@clegg.com) Received: from mx.isc.org (mx.isc.org [IPv6:2001:4f8:0:2::1c]) by mx1.freebsd.org (Postfix) with ESMTP id 6532F8FC15; Fri, 11 Jul 2008 15:56:58 +0000 (UTC) (envelope-from alan@clegg.com) Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "farside.isc.org", Issuer "ISC CA" (verified OK)) by mx.isc.org (Postfix) with ESMTPS id 279D7114050; Fri, 11 Jul 2008 15:56:56 +0000 (UTC) (envelope-from alan@clegg.com) Received: from [192.168.1.2] (cpe-066-057-017-110.nc.res.rr.com [66.57.17.110]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by farside.isc.org (Postfix) with ESMTP id C4FD4E6024; Fri, 11 Jul 2008 15:56:54 +0000 (UTC) (envelope-from alan@clegg.com) Message-ID: <487782C5.7050703@clegg.com> Date: Fri, 11 Jul 2008 11:56:53 -0400 From: Alan Clegg User-Agent: Thunderbird 2.0.0.14 (X11/20080505) MIME-Version: 1.0 To: Jeremy Chadwick References: <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> <200807111454.IAA18639@lariat.net> <20080711151228.GA52385@eos.sc1.parodius.com> In-Reply-To: <20080711151228.GA52385@eos.sc1.parodius.com> X-Enigmail-Version: 0.95.6 OpenPGP: id=B5030987 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.6 required=5.0 tests=AWL,BAYES_00,RCVD_IN_PBL, RCVD_IN_SORBS_DUL,RDNS_DYNAMIC autolearn=no version=3.2.4 X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mx.isc.org Cc: Doug Barton , stef@memberwebs.com, "freebsd-security@freebsd.org" , secteam@freebsd.org, Brett Glass , Remko Lodder , 
Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 15:56:58 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeremy Chadwick wrote:
> On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote:
>> Is there a way to restrict the ports which BIND selects -- perhaps
>> at the expense of a small amount of entropy -- such that it doesn't
>> try to use UDP ports which are administratively blocked (e.g. ports
>> used by worms, or insecure Microsoft network utilities)? We don't
>> dare turn these port blocks off, or naive users will fall prey to
>> security holes in Microsoft products. But if BIND doesn't know to
>> work around them, lookups will occasionally (and infuriatingly!)
>> fail.
>
> query-source has an argument called "port" which will do what you want.
> That option *only* affects UDP queries, however; TCP queries are always
> random.

While query-source allows you to lock down to a single port, you DO NOT WANT TO DO THIS -- if you do, you will be vulnerable to the very thing that the patch made you immune (well, safer) from.

What Brett (and others) need to do is risk the waters with the new beta code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained" control for the UDP ports to be used.

Please, PLEASE, do not introduce "query-source port XX" into your configurations.
AlanC -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD4DBQFId4LEcKpYUrUDCYcRAiowAJ47bCASBmTszN8A7d1MbEvB9ZJq0wCWMZIK t8Uv4q/ro3MDpEP71GqtHg== =+SwG -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 16:28:37 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DE5F3106564A; Fri, 11 Jul 2008 16:28:37 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk [IPv6:2001:8b0:151:1::1]) by mx1.freebsd.org (Postfix) with ESMTP id 61CD88FC1B; Fri, 11 Jul 2008 16:28:37 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.2/8.14.2) with ESMTP id m6BGSJqa030626; Fri, 11 Jul 2008 17:28:19 +0100 (BST) (envelope-from m.seaman@infracaninophile.co.uk) X-DKIM: Sendmail DKIM Filter v2.6.0 smtp.infracaninophile.co.uk m6BGSJqa030626 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=infracaninophile.co.uk; s=200708; t=1215793700; bh=aHUreu7XAc7qSx GNchPP+fi4IH4ApAdjAWpv0Lwv/i4=; h=Message-ID:Date:From:MIME-Version: To:CC:Subject:References:In-Reply-To:Content-Type:Cc:Content-Type: Date:From:In-Reply-To:Message-ID:Mime-Version:References:To; z=Mes sage-ID:=20<48778A1B.4060504@infracaninophile.co.uk>|Date:=20Fri,=2 011=20Jul=202008=2017:28:11=20+0100|From:=20Matthew=20Seaman=20|Organization:=20Infracaninophile|User -Agent:=20Thunderbird=202.0.0.14=20(X11/20080607)|MIME-Version:=201 .0|To:=20Alan=20Clegg=20|CC:=20Jeremy=20Chadwick=20 ,=20Doug=20Barton=20,=20=0D= 0A=20stef@memberwebs.com,=20=0D=0A=20"freebsd-security@freebsd.org" =20,=0D=0A=20secteam@freebsd.org,=20B rett=20Glass=20,=20=0D=0A=20Remko=20Lodder=20,=0D=0A=20Andrew=20Storms=20|Su 
bject:=20Re:=20[Fwd:=20cvs=20commit:=20ports/dns/bind9=20Makefile=2 0distinfo=09ports/dns/bind94=0D=0A=20Makefile=20distinfo=20ports/dn s/bind95=20Makefile=09distinfo]|References:=20=09<20080709204114.471A2F1835D@mx.npubs.com>=09<487 6A3FE.1070407@FreeBSD.org>=09<200807111454.IAA18639@lariat.net>=09< 20080711151228.GA52385@eos.sc1.parodius.com>=20<487782C5.7050703@cl egg.com>|In-Reply-To:=20<487782C5.7050703@clegg.com>|X-Enigmail-Ver sion:=200.95.6|Content-Type:=20multipart/signed=3B=20micalg=3Dpgp-s ha256=3B=0D=0A=20protocol=3D"application/pgp-signature"=3B=0D=0A=20 boundary=3D"------------enig2148D20582FA7402A999D175"; b=bOR6126yDD H163xGDMT0qR57mJStBls5GVxIj6BiEm+1BevXw27MAA3hn2snwpaAsh1PY8dUH+1g7 8coRoCtHZ2kr9LIRWaKJqqJpDF2+kXmjMPa7SXUi16j8i3nh5FZm2Wy481tkn2Y9k8t 7E3AXKphvvVWTCRUeYttx+CAcX4= Message-ID: <48778A1B.4060504@infracaninophile.co.uk> Date: Fri, 11 Jul 2008 17:28:11 +0100 From: Matthew Seaman Organization: Infracaninophile User-Agent: Thunderbird 2.0.0.14 (X11/20080607) MIME-Version: 1.0 To: Alan Clegg References: <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> <200807111454.IAA18639@lariat.net> <20080711151228.GA52385@eos.sc1.parodius.com> <487782C5.7050703@clegg.com> In-Reply-To: <487782C5.7050703@clegg.com> X-Enigmail-Version: 0.95.6 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------enig2148D20582FA7402A999D175" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (smtp.infracaninophile.co.uk [IPv6:::1]); Fri, 11 Jul 2008 17:28:20 +0100 (BST) X-Virus-Scanned: ClamAV 0.93.1/7692/Fri Jul 11 16:35:49 2008 on happy-idiot-talk.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-3.0 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VERIFIED,NO_RELAYS autolearn=ham version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on happy-idiot-talk.infracaninophile.co.uk Cc: Doug Barton , stef@memberwebs.com, Jeremy Chadwick 
, "freebsd-security@freebsd.org" , secteam@freebsd.org, Brett Glass , Remko Lodder , Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 16:28:38 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig2148D20582FA7402A999D175 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable Alan Clegg wrote: > Jeremy Chadwick wrote: >> On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote: >>> Is there a way to restrict the ports which BIND selects -- perhaps >>> at the expense of a small amount of entropy -- such that it doesn't >>> try to use UDP ports which are administratively blocked (e.g. ports >>> used by worms, or insecure Microsoft network utilities)? We don't >>> dare turn these port blocks off, or naive users will fall prey to >>> security holes in Microsoft products. But if BIND doesn't know to >>> work around them, lookups will occasionally (and infuriatingly!) >>> fail. >> query-source has an argument called "port" which will do what you want. >> That option *only* affects UDP queries, however; TCP queries are always >> random. > While query-source allows you to lock down to a single port, you DO NOT > WANT TO DO THIS -- if you do, you will be vulnerable to the very thing > that the patch made you immune (well, safer) from. > > What Brett (and others) need to do is risk the waters with the new beta > code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained" > control for the UDP ports to be used. > > Please, PLEASE, do not introduce "query-source port XX" into your > configurations. 
Probably what Brett is looking for are the avoid-v4-udp-ports and avoid-v6-udp-ports options -- these just contain lists of UDP ports to avoid as the source of any DNS traffic. Details are available here (for bind95) http://www.isc.org/sw/bind/arm95/Bv9ARM.ch06.html#options but it's the same for all 9.x versions of BIND. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enig2148D20582FA7402A999D175 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkh3iiMACgkQ8Mjk52CukIxpAQCgjm4KMcYVNHHQjMX5w7RuH784 sRsAn3V5fHGqgaIQVzkb054LcPp9RgTQ =hvxj -----END PGP SIGNATURE----- --------------enig2148D20582FA7402A999D175-- From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 16:29:13 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 85E42106566B; Fri, 11 Jul 2008 16:29:13 +0000 (UTC) (envelope-from jdc@parodius.com) Received: from mx01.sc1.parodius.com (mx01.sc1.parodius.com [72.20.106.3]) by mx1.freebsd.org (Postfix) with ESMTP id 7EAC88FC14; Fri, 11 Jul 2008 16:29:13 +0000 (UTC) (envelope-from jdc@parodius.com) Received: by mx01.sc1.parodius.com (Postfix, from userid 1000) id 660D51CC09A; Fri, 11 Jul 2008 09:29:13 -0700 (PDT) Date: Fri, 11 Jul 2008 09:29:13 -0700 From: Jeremy Chadwick To: Alan Clegg Message-ID: <20080711162913.GA55187@eos.sc1.parodius.com> References: <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> <200807111454.IAA18639@lariat.net> <20080711151228.GA52385@eos.sc1.parodius.com> <487782C5.7050703@clegg.com> MIME-Version: 1.0 Content-Type: text/plain; 
charset=us-ascii Content-Disposition: inline In-Reply-To: <487782C5.7050703@clegg.com> User-Agent: Mutt/1.5.18 (2008-05-17) Cc: Doug Barton , stef@memberwebs.com, "freebsd-security@freebsd.org" , secteam@freebsd.org, Brett Glass , Remko Lodder , Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 16:29:13 -0000 On Fri, Jul 11, 2008 at 11:56:53AM -0400, Alan Clegg wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Jeremy Chadwick wrote: > > On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote: > >> Is there a way to restrict the ports which BIND selects -- perhaps > >> at the expense of a small amount of entropy -- such that it doesn't > >> try to use UDP ports which are administratively blocked (e.g. ports > >> used by worms, or insecure Microsoft network utilities)? We don't > >> dare turn these port blocks off, or naive users will fall prey to > >> security holes in Microsoft products. But if BIND doesn't know to > >> work around them, lookups will occasionally (and infuriatingly!) > >> fail. > > > > query-source has an argument called "port" which will do what you want. > > That option *only* affects UDP queries, however; TCP queries are always > > random. > > While query-source allows you to lock down to a single port, you DO NOT > WANT TO DO THIS -- if you do, you will be vulnerable to the very thing > that the patch made you immune (well, safer) from. > > What Brett (and others) need to do is risk the waters with the new beta > code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained" > control for the UDP ports to be used. 
> > Please, PLEASE, do not introduce "query-source port XX" into your > configurations. The problem here is WRT network ACLs. The only solution is to bind BIND to a specific IP address and permit any outbound TCP or UDP traffic + any inbound TCP or UDP traffic to port 53. Most network administrators I know of won't like that, as they deny all incoming *and* outgoing traffic, then apply permit ACLs. There's no "clean" or "strict" permit ACL, while with port XX, you can at least narrow down things UDP-wise a bit more. I'll add that the stock src/etc/namedb/named.conf even advocates the use of query-source ... port 53. I'm sure this will be changed as a result of the recent security issue. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 17:44:54 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5D8941065679 for ; Fri, 11 Jul 2008 17:44:54 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from mail2.fluidhosting.com (mx23.fluidhosting.com [204.14.89.6]) by mx1.freebsd.org (Postfix) with ESMTP id D01B18FC1A for ; Fri, 11 Jul 2008 17:44:53 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: (qmail 15431 invoked by uid 399); 11 Jul 2008 17:44:53 -0000 Received: from localhost (HELO ?192.168.0.18?) 
(dougb@dougbarton.us@127.0.0.1) by localhost with ESMTPAM; 11 Jul 2008 17:44:53 -0000 X-Originating-IP: 127.0.0.1 X-Sender: dougb@dougbarton.us Message-ID: <48779C0E.2020807@FreeBSD.org> Date: Fri, 11 Jul 2008 10:44:46 -0700 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Thunderbird 2.0.0.14 (Windows/20080421) MIME-Version: 1.0 To: Jeremy Chadwick References: <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> <200807111454.IAA18639@lariat.net> <20080711151228.GA52385@eos.sc1.parodius.com> <487782C5.7050703@clegg.com> <20080711162913.GA55187@eos.sc1.parodius.com> In-Reply-To: <20080711162913.GA55187@eos.sc1.parodius.com> X-Enigmail-Version: 0.95.6 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: "freebsd-security@freebsd.org" , Remko Lodder , secteam@freebsd.org Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 17:44:54 -0000 Jeremy Chadwick wrote: > The problem here is WRT network ACLs. The only solution is to bind BIND > to a specific IP address and permit any outbound TCP or UDP traffic + > any inbound TCP or UDP traffic to port 53. Not quite any inbound traffic, named will pick a source port > 1024. In the current beta versions there is an option to restrict the ports chosen to a range. I'm also not quite sure what kind of server you're talking about here. If it's authoritative, then by definition you have to allow all inbound traffic to port 53. > Most network administrators > I know of won't like that, as they deny all incoming *and* outgoing > traffic, then apply permit ACLs. 
There's no "clean" or "strict" permit > ACL, while with port XX, you can at least narrow down things UDP-wise a > bit more. False economy. The "danger" of allowing inbound UDP traffic is infinitely less than the danger of having a recursive resolver's cache poisoned. The new way of things would be to define those UDP ports that run services other than named on the system, add those to the avoid-* option(s) in named.conf, and block those ports at the firewall, leaving everything else open. Of course, almost any modern firewall should have keep-state functionality for UDP, so all of this should be moot. > I'll add that the stock src/etc/namedb/named.conf even advocates the use > of query-source ... It doesn't advocate, it gives an example. This is the reason I am resistant to adding too many examples to our installed named.conf, it is too easy for people to misinterpret them. Doug -- This .signature sanitized for your protection From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 18:17:37 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 10626106568D for ; Fri, 11 Jul 2008 18:17:37 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from mail2.fluidhosting.com (mx23.fluidhosting.com [204.14.89.6]) by mx1.freebsd.org (Postfix) with ESMTP id ACDDD8FC27 for ; Fri, 11 Jul 2008 18:17:36 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: (qmail 32659 invoked by uid 399); 11 Jul 2008 18:17:36 -0000 Received: from localhost (HELO lap.dougb.net) (dougb@dougbarton.us@127.0.0.1) by localhost with ESMTPAM; 11 Jul 2008 18:17:36 -0000 X-Originating-IP: 127.0.0.1 X-Sender: dougb@dougbarton.us Message-ID: <4877A3BE.7040808@FreeBSD.org> Date: Fri, 11 Jul 2008 11:17:34 -0700 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Thunderbird 2.0.0.14 (X11/20080606) MIME-Version: 1.0 To: Artis Caune References: 
<48750BF7.5040402@FreeBSD.org> <9e20d71e0807102209k2b9cc638he76d8a2a82e986cf@mail.gmail.com> In-Reply-To: <9e20d71e0807102209k2b9cc638he76d8a2a82e986cf@mail.gmail.com> X-Enigmail-Version: 0.95.6 OpenPGP: id=D5B2F0FB Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 18:17:37 -0000 Artis Caune wrote: > I updated bind94-9.4.2_1 to bind95-9.5.0.1 and after a couple of hours > it ate all 2G of RAM and 1G of swap and was killed. The best place to report these issues is bind-users@isc.org. Good luck, Doug -- This .signature sanitized for your protection From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 20:29:16 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B8758106566B; Fri, 11 Jul 2008 20:29:16 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by mx1.freebsd.org (Postfix) with ESMTP id B10748FC16; Fri, 11 Jul 2008 20:29:16 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from relay13.apple.com (relay13.apple.com [17.128.113.29]) by mail-out4.apple.com (Postfix) with ESMTP id 2951133D9003; Fri, 11 Jul 2008 13:14:10 -0700 (PDT) Received: from relay13.apple.com (unknown [127.0.0.1]) by relay13.apple.com (Symantec Mail Security) with ESMTP id 0775628095; Fri, 11 Jul 2008 13:14:10 -0700 (PDT) X-AuditID: 1180711d-a3ff9bb000000ece-b5-4877bf11457c Received: from cswiger1.apple.com (cswiger1.apple.com [17.227.140.124]) (using TLSv1 
with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by relay13.apple.com (Apple SCV relay) with ESMTP id D0C8A2808F; Fri, 11 Jul 2008 13:14:09 -0700 (PDT) Message-Id: From: Chuck Swiger To: freebsd-security@freebsd.org Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v926) Date: Fri, 11 Jul 2008 13:14:09 -0700 X-Mailer: Apple Mail (2.926) X-Brightmail-Tracker: AAAAAA== Cc: Doug Barton Subject: OpenSSL warning from dns/bind95 build...? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 20:29:16 -0000 Hi, all-- Apropos of this security issue with BIND, I just tried updating a FreeBSD-6.3-STABLE system with dns/bind95, and it loudly complains about the OpenSSL version which comes with the system:
> [ ... ]
> config.status: creating include/isc/platform.h
> config.status: creating config.h
> WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
> WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
> WARNING
> WARNING  Your OpenSSL crypto library may be vulnerable to
> WARNING  one or more of the following known security flaws:
> WARNING
> WARNING  CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940.
> WARNING
> WARNING  It is recommended that you upgrade to OpenSSL
> WARNING  version 0.9.8d/0.9.7l (or greater).
> WARNING
> WARNING  You can disable this warning by specifying:
> WARNING
> WARNING  --disable-openssl-version-check
> WARNING
> WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
> WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
> ===> Building for bind95-base-9.5.0.1
Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e-p1) OK, or is it at risk as reported? Regards, -- -Chuck From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 20:38:54 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 50B7C106567F for ; Fri, 11 Jul 2008 20:38:54 +0000 (UTC) (envelope-from alan@clegg.com) Received: from mx.isc.org (mx.isc.org [IPv6:2001:4f8:0:2::1c]) by mx1.freebsd.org (Postfix) with ESMTP id 408768FC17 for ; Fri, 11 Jul 2008 20:38:54 +0000 (UTC) (envelope-from alan@clegg.com) Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "farside.isc.org", Issuer "ISC CA" (verified OK)) by mx.isc.org (Postfix) with ESMTPS id A5A33114027 for ; Fri, 11 Jul 2008 20:38:52 +0000 (UTC) (envelope-from alan@clegg.com) Received: from [192.168.1.2] (cpe-066-057-017-110.nc.res.rr.com [66.57.17.110]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by farside.isc.org (Postfix) with ESMTP id 0436CE6023 for ; Fri, 11 Jul 2008 20:38:51 +0000 (UTC) (envelope-from alan@clegg.com) Message-ID: <4877C4DA.9070404@clegg.com> Date: Fri, 11 Jul 2008 16:38:50 -0400 From: Alan Clegg User-Agent: Thunderbird 2.0.0.14 (X11/20080505) MIME-Version: 1.0 CC: "freebsd-security@freebsd.org" References: <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> <200807111454.IAA18639@lariat.net> 
<20080711151228.GA52385@eos.sc1.parodius.com> <487782C5.7050703@clegg.com> <48778A1B.4060504@infracaninophile.co.uk> In-Reply-To: <48778A1B.4060504@infracaninophile.co.uk> X-Enigmail-Version: 0.95.6 OpenPGP: id=B5030987 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=0.0 required=5.0 tests=AWL, BAYES_00, MISSING_HEADERS, RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC autolearn=no version=3.2.4 X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mx.isc.org Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 20:38:54 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Matthew Seaman wrote: > Probably what Brett is looking for are the avoid-v4-udp-ports and > avoid-v6-udp-ports options -- these just contain lists of UDP ports > to avoid as the source of any DNS traffic. Details are available here > (for bind95) http://www.isc.org/sw/bind/arm95/Bv9ARM.ch06.html#options > but it's the same for all 9.x versions of BIND. This is fine as long as you are not defining large numbers of "don't touch" ports. The added functionality of 9.5.1b1: use-v4-udp-ports { range 1024 65535; }; use-v6-udp-ports { range 1024 65535; }; Is what I was pointing people towards. 
AlanC -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFId8TacKpYUrUDCYcRAhmHAJoCkQ3dxLfQhw1EamBJfNrLqwVZLwCfcfRg VTWMnJEfymL8TH7AV2MQ7y4= =mIl7 -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 21:23:22 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4721E106566B for ; Fri, 11 Jul 2008 21:23:22 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from mail2.fluidhosting.com (mx23.fluidhosting.com [204.14.89.6]) by mx1.freebsd.org (Postfix) with ESMTP id E23208FC0C for ; Fri, 11 Jul 2008 21:23:21 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: (qmail 19257 invoked by uid 399); 11 Jul 2008 21:23:21 -0000 Received: from localhost (HELO lap.dougb.net) (dougb@dougbarton.us@127.0.0.1) by localhost with ESMTPAM; 11 Jul 2008 21:23:21 -0000 X-Originating-IP: 127.0.0.1 X-Sender: dougb@dougbarton.us Message-ID: <4877CF47.2080208@FreeBSD.org> Date: Fri, 11 Jul 2008 14:23:19 -0700 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Thunderbird 2.0.0.14 (X11/20080606) MIME-Version: 1.0 To: Chuck Swiger References: In-Reply-To: X-Enigmail-Version: 0.95.6 OpenPGP: id=D5B2F0FB Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: OpenSSL warning from dns/bind95 build...? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 21:23:22 -0000 Chuck Swiger wrote: > Hi, all-- > > Apropos of this security issue with BIND, I just tried updating a > FreeBSD-6.3-STABLE system with dns/bind95, and it loudly complains about > the OpenSSL version which comes with the system: [snip] > Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e-p1) > OK, or is it at risk as reported? You're better off upgrading using the version in ports/security/openssl and adding WITH_OPENSSL_PORT to /etc/make.conf. hth, Doug -- This .signature sanitized for your protection From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 22:19:52 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B81701065670; Fri, 11 Jul 2008 22:19:52 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) by mx1.freebsd.org (Postfix) with ESMTP id 761DD8FC1C; Fri, 11 Jul 2008 22:19:52 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.2/8.14.2) with ESMTP id m6BMJmLg042450; Sat, 12 Jul 2008 08:19:49 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200807112219.m6BMJmLg042450@drugs.dv.isc.org> To: Brett Glass From: Mark Andrews In-reply-to: Your message of "Fri, 11 Jul 2008 08:54:48 CST." 
<200807111454.IAA18639@lariat.net> Date: Sat, 12 Jul 2008 08:19:48 +1000 Sender: marka@isc.org Cc: Doug Barton , stef@memberwebs.com, "freebsd-security@freebsd.org" , secteam@freebsd.org, Remko Lodder , Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 22:19:52 -0000 > Is there a way to restrict the ports which BIND selects -- perhaps > at the expense of a small amount of entropy -- such that it doesn't > try to use UDP ports which are administratively blocked (e.g. ports > used by worms, or insecure Microsoft network utilities)? We don't > dare turn these port blocks off, or naive users will fall prey to > security holes in Microsoft products. But if BIND doesn't know to > work around them, lookups will occasionally (and infuriatingly!) > fail. % grep avoid doc/misc/options avoid-v4-udp-ports { ; ... }; avoid-v6-udp-ports { ; ... 
}; % -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 22:48:52 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C843E106566C; Fri, 11 Jul 2008 22:48:52 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) by mx1.freebsd.org (Postfix) with ESMTP id 2A77E8FC0C; Fri, 11 Jul 2008 22:48:51 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.2/8.14.2) with ESMTP id m6BMmlkL042880; Sat, 12 Jul 2008 08:48:47 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200807112248.m6BMmlkL042880@drugs.dv.isc.org> To: Jeremy Chadwick From: Mark Andrews In-reply-to: Your message of "Fri, 11 Jul 2008 08:12:28 MST." <20080711151228.GA52385@eos.sc1.parodius.com> Date: Sat, 12 Jul 2008 08:48:47 +1000 Sender: marka@isc.org Cc: Doug Barton , stef@memberwebs.com, "freebsd-security@freebsd.org" , secteam@freebsd.org, Brett Glass , Remko Lodder , Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 22:48:52 -0000 > On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote: > > Is there a way to restrict the ports which BIND selects -- perhaps > > at the expense of a small amount of entropy -- such that it doesn't > > try to use UDP ports which are administratively blocked (e.g. 
ports > > used by worms, or insecure Microsoft network utilities)? We don't > > dare turn these port blocks off, or naive users will fall prey to > > security holes in Microsoft products. But if BIND doesn't know to > > work around them, lookups will occasionally (and infuriatingly!) > > fail. > > query-source has an argument called "port" which will do what you want. > That option *only* affects UDP queries, however; TCP queries are always > random. ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** Use avoid-v4-udp-ports { ; ... }; avoid-v6-udp-ports { ; ... }; > -- > | Jeremy Chadwick jdc at parodius.com | > | Parodius Networking http://www.parodius.com/ | > | UNIX Systems Administrator Mountain View, CA, USA | > | Making life hard for others since 1977. 
PGP: 4BD6C0CB | > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 22:58:32 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C2AC1106564A for ; Fri, 11 Jul 2008 22:58:32 +0000 (UTC) (envelope-from wildcard.name@gmail.com) Received: from ex.volia.net (ex.volia.net [82.144.192.10]) by mx1.freebsd.org (Postfix) with ESMTP id 5C0258FC48 for ; Fri, 11 Jul 2008 22:58:32 +0000 (UTC) (envelope-from wildcard.name@gmail.com) Received: from em.volia.net ([82.144.192.9]) by ex.volia.net with esmtp (Exim 4.63 (FreeBSD)) (envelope-from ) id 1KGb0t-000MZr-V4 for freebsd-security@freebsd.org; Wed, 09 Jul 2008 17:51:25 +0300 Received: from naturally-modesty.volia.net ([93.74.162.154] helo=ns.monotype.group) by em.volia.net with esmtp (Exim 4.63 (FreeBSD)) (envelope-from ) id 1KGb0t-000OWV-OB for freebsd-security@freebsd.org; Wed, 09 Jul 2008 17:51:23 +0300 Received: from localhost (admin.monotype.group [192.168.0.2]) by ns.monotype.group (8.13.8/8.13.8) with ESMTP id m69EoVIP038762 for ; Wed, 9 Jul 2008 17:50:35 +0300 (EEST) (envelope-from wildcard.name@gmail.com) Date: Wed, 9 Jul 2008 17:50:27 +0300 From: bsd X-Mailer: The Bat! 
(v3.99.3) Professional X-Priority: 3 (Normal) Message-ID: <1444282990.20080709175027@gmail.com> To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=4.0 required=4.5 tests=ALL_TRUSTED, LOCALPART_IN_SUBJECT,TVD_SPACE_RATIO autolearn=no version=3.2.5 X-Spam-Level: *** X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ns.monotype.group Subject: freebsd-security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 22:58:32 -0000 Hello freebsd-security, -- Best regards, bsd mailto:wildcard.name@gmail.com From owner-freebsd-security@FreeBSD.ORG Sat Jul 12 05:20:55 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A054C106564A; Sat, 12 Jul 2008 05:20:55 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.freebsd.org (Postfix) with ESMTP id 0CF558FC14; Sat, 12 Jul 2008 05:20:52 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.5) with SMTP id OAA05486; Sat, 12 Jul 2008 14:49:18 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sat, 12 Jul 2008 14:49:17 +1000 (EST) From: Ian Smith To: Mark Andrews In-Reply-To: <200807112219.m6BMJmLg042450@drugs.dv.isc.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: Doug Barton , stef@memberwebs.com, "freebsd-security@freebsd.org" , secteam@freebsd.org, Brett Glass , Remko Lodder , Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile 
distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jul 2008 05:20:55 -0000 On Sat, 12 Jul 2008, Mark Andrews wrote: > > > Is there a way to restrict the ports which BIND selects -- perhaps > > at the expense of a small amount of entropy -- such that it doesn't > > try to use UDP ports which are administratively blocked (e.g. ports > > used by worms, or insecure Microsoft network utilities)? We don't > > dare turn these port blocks off, or naive users will fall prey to > > security holes in Microsoft products. But if BIND doesn't know to > > work around them, lookups will occasionally (and infuriatingly!) > > fail. > > % grep avoid doc/misc/options > avoid-v4-udp-ports { ; ... }; > avoid-v6-udp-ports { ; ... }; > % This seems to imply that you can't specify ranges of UDP ports to avoid here. For example perhaps, the range traceroute uses .. Doug responded with a new option for a range of ports to use, but an intersection of ports to use and ^ports to avoid, including range(s), would cover all the bases .. 
cheers, Ian From owner-freebsd-security@FreeBSD.ORG Sat Jul 12 05:32:53 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C28671065672; Sat, 12 Jul 2008 05:32:53 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.freebsd.org (Postfix) with ESMTP id 19E588FC08; Sat, 12 Jul 2008 05:32:51 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.5) with SMTP id PAA06773; Sat, 12 Jul 2008 15:32:43 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sat, 12 Jul 2008 15:32:41 +1000 (EST) From: Ian Smith To: Mark Andrews In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: Doug Barton , freebsd-security@freebsd.org Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jul 2008 05:32:53 -0000 On Sat, 12 Jul 2008, Ian Smith wrote: > Doug responded with a new option My apologies, it was Alan. Second cup of tea hadn't kicked in .. Ian
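Added example, not code from ISC, BIND or any poster in this thread: a small audit script for the named.conf statements the thread argues about (query-source, avoid-v4/v6-udp-ports, use-v4/v6-udp-ports). It works out the UDP source-port pool named is left with for each address family and reports it as bits of entropy, which makes Alan's and Mark's warning concrete: `query-source ... port 53` collapses the pool to a single port (0 bits), while dropping a handful of administratively blocked ports out of 1024-65535 costs a few hundredths of a bit, and a narrow use-* range throws most of the protection away. Assumptions, all mine: the default pool is 1024-65535 (from Doug's "source port > 1024" and the 9.5.1b1 range Alan quotes); `range lo hi` is accepted inside avoid-* lists, which Ian asks about and later BIND releases provide; the 14-bit NARROW threshold is a rule of thumb; and the three sample configurations are constructed for the example.

```python
"""Audit named.conf for UDP source-port randomization.

Constructed example for this thread, not code from ISC/BIND.  Only the
statements the thread discusses are parsed:
    query-source [address X] [port P];   query-source-v6 ...;
    avoid-v4-udp-ports { ... };          avoid-v6-udp-ports { ... };
    use-v4-udp-ports   { ... };          use-v6-udp-ports   { ... };
"""
import math
import re

# Assumption: with no use-*-udp-ports statement named draws from 1024..65535
# (thread: "named will pick a source port > 1024"; 9.5.1b1's example range).
DEFAULT_RANGE = (1024, 65535)
NARROW_BITS = 14.0   # assumption: our own rule of thumb, not an ISC figure

_PORTS_RE = re.compile(r'\b(avoid|use)-(v4|v6)-udp-ports\s*\{([^}]*)\}')
_QS_RE = re.compile(r'\bquery-source(-v6)?\s+([^;{}]*);')


def _strip_comments(text):
    """Remove /* */, // and # comments so commented-out lines are ignored."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)


def _parse_port_list(body):
    """'1434; 1900; range 33434 33534;' -> {1434, 1900, 33434, ..., 33534}.
    'range lo hi' inside avoid-* is an assumption for the 2008 releases."""
    ports = set()
    for item in body.split(';'):
        toks = item.split()
        if not toks:
            continue
        if toks[0] == 'range' and len(toks) == 3:
            lo, hi = int(toks[1]), int(toks[2])
            ports.update(range(lo, hi + 1))
        elif len(toks) == 1 and toks[0].isdigit():
            ports.add(int(toks[0]))
        else:
            raise ValueError('unrecognized port-list entry: %r' % item.strip())
    return ports


def audit(conf):
    """Return {'v4': {...}, 'v6': {...}}: pool size, entropy bits, verdict."""
    conf = _strip_comments(conf)
    fixed = {'v4': None, 'v6': None}
    for m in _QS_RE.finditer(conf):
        fam = 'v6' if m.group(1) else 'v4'
        toks = m.group(2).split()
        if 'port' in toks:
            val = toks[toks.index('port') + 1]
            if val != '*':                 # 'port *' means random: fine
                fixed[fam] = int(val)
    lists = {(k, f): set() for k in ('avoid', 'use') for f in ('v4', 'v6')}
    for m in _PORTS_RE.finditer(conf):
        lists[(m.group(1), m.group(2))] |= _parse_port_list(m.group(3))

    result = {}
    for fam in ('v4', 'v6'):
        if fixed[fam] is not None:
            pool = {fixed[fam]}            # every query leaves from one port
        else:
            pool = set(lists[('use', fam)]) or set(
                range(DEFAULT_RANGE[0], DEFAULT_RANGE[1] + 1))
            pool -= lists[('avoid', fam)]  # ports below 1024 fall out harmlessly
        bits = math.log2(len(pool)) if pool else 0.0
        if fixed[fam] is not None:
            verdict = 'FIXED-PORT'         # what the thread says never to do
        elif not pool:
            verdict = 'EMPTY'              # avoid-* swallowed the whole range
        elif bits < NARROW_BITS:
            verdict = 'NARROW'
        else:
            verdict = 'OK'
        result[fam] = {'fixed_port': fixed[fam], 'pool_size': len(pool),
                       'bits': bits, 'verdict': verdict}
    return result


# Constructed sample configurations for the three cases the thread contrasts.
WEAK_CONF = """
options {
    // the kind of example line the thread warns against copying
    query-source address * port 53;
};
"""
HARDENED_CONF = """
options {
    query-source address *;      /* no fixed port: random source ports */
    avoid-v4-udp-ports { 1434; 1900; range 33434 33534; };  // worm, SSDP, traceroute
    avoid-v6-udp-ports { 1434; };
    use-v4-udp-ports { range 1024 65535; };
    use-v6-udp-ports { range 1024 65535; };
};
"""
NARROW_CONF = """
options {
    use-v4-udp-ports { range 2000 2099; };   // too few ports to help
};
"""

if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF),
                       ('narrow', NARROW_CONF)):
        for fam, r in audit(conf).items():
            print('%-9s %s %-10s pool=%-5d entropy=%5.2f bits'
                  % (name, fam, r['verdict'], r['pool_size'], r['bits']))
```

Run it against a real named.conf by passing the file contents to `audit()`; anything reported as FIXED-PORT is the configuration Mark's message is shouting about, and a NARROW pool is the trade-off Brett asked about taken too far.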