From owner-freebsd-security@FreeBSD.ORG Sun Nov 23 08:55:49 2008
From: miwi@FreeBSD.org
To: ports@freebsd.org, freebsd-security@freebsd.org, rea-fbsd@codelabs.ru, miwi@FreeBSD.org
Date: Sun, 23 Nov 2008 08:55:48 GMT
Message-Id: <200811230855.mAN8tmXo091500@freefall.freebsd.org>
Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

State-Changed-From-To: open->closed
State-Changed-By: miwi
State-Changed-When: Sun Nov 23 08:55:48 UTC 2008
State-Changed-Why:
Committed. Thanks!
http://www.freebsd.org/cgi/query-pr.cgi?pr=128999

From owner-freebsd-security@FreeBSD.ORG Sun Nov 23 16:41:44 2008
From: Eirik Øverby
To: freebsd-security@freebsd.org
Date: Sun, 23 Nov 2008 17:03:15 +0100
Subject: Dropping syn+fin replies, but not really?

Hi all,

I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen FreeBSD servers. Now we're required to run external security scans (nessus++) on some of the hosts, and they constantly come back with a "high" or "medium" severity problem: The host replies to TCP packets with SYN+FIN set.

Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the host in question (recent FreeBSD 7.2-PRERELEASE) have net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a non-issue.

Have I missed something important?
Apart from this the hosts and services get away without any serious issues, but the security audit company insists that this so-called hole be closed.

Anyone?

Thanks,
/Eirik

From owner-freebsd-security@FreeBSD.ORG Sun Nov 23 18:44:53 2008
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-security@freebsd.org
Date: Sun, 23 Nov 2008 21:44:49 +0300 (MSK)
Message-Id: <20081123184449.6801AF181D@phoenix.codelabs.ru>
X-GNATS-Notify: amistry@am-productions.biz, tabthorpe@freebsd.org
Subject: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941

>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis:
[vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
>Severity: serious
>Priority: high
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
Multiple vulnerabilities were discovered in hplip 1.6.7 [1]. I had analyzed RedHat patches [2] and [3]: the first two (CVE-2008-2940) apply "as-is" to FreeBSD's port (2.8.2_2) and the second one (CVE-2008-2941) contains many fixes to code that exists in 2.8.2_2 too. So, I am counting the current FreeBSD port as vulnerable to both attacks.

Moreover, I had traced the vulnerabilities through the release sources: proper device_uri handling was introduced in 2.8.4 and the parser fragility in hpssd.py was eliminated in the same version, because hpssd was converted to a systray application. So, 2.8.4 and higher should not be vulnerable to the described attacks.

[1] http://www.securityfocus.com/bid/30683
[2] https://bugzilla.redhat.com/show_bug.cgi?id=455235
[3] https://bugzilla.redhat.com/show_bug.cgi?id=457052
>How-To-Repeat:
Look at the above references.
>Fix:
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="UUID-PLACEHOLDER">
    <topic>hplip -- multiple vulnerabilities in hpssd component</topic>
    <affects>
      <package>
        <name>hplip</name>
        <range><lt>2.8.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>SecurityFocus database says:</p>
        <blockquote cite="http://www.securityfocus.com/bid/30683">
          <p>HP Linux Imaging and Printing System (HPLIP) is prone to
          multiple vulnerabilities, including privilege-escalation and
          denial-of-service issues.</p>
          <p>Exploiting the privilege-escalation vulnerability may allow
          attackers to perform certain actions with elevated privileges.
          Successful exploits of the denial-of-service issue will cause
          the 'hpssd' process to crash, denying service to legitimate
          users.</p>
          <p>These issues affect HPLIP 1.6.7; other versions may also be
          affected.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-2940</cvename>
      <cvename>CVE-2008-2941</cvename>
      <bid>30683</bid>
      <url>https://bugzilla.redhat.com/show_bug.cgi?id=457052</url>
      <url>https://bugzilla.redhat.com/show_bug.cgi?id=455235</url>
    </references>
    <dates>
      <discovery>2008-08-12</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---

From owner-freebsd-security@FreeBSD.ORG Sun Nov 23 20:22:27 2008
Date: Sun, 23 Nov 2008 23:22:21 +0300
From: Eygene Ryabinkin
To: bug-followup@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
Cc: freebsd-security@freebsd.org
Message-ID: <6rQsez7wYkguGr+AMLr6LWOVTxk@iXA9ZWPrtc2I2BMzBXoToMd7YdQ>
In-Reply-To: <200811231850.mANIo09F042711@freefall.freebsd.org>
Subject: Re: ports/129097: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941

Martin Wilke asked me if I am planning to update the port. My original intention was to wait for 2.8.10 (I am aware of ports/128914, but, to my regret, it contains no patch now), but as a quick fix I had ported RedHat's patches to the current port version.

Please note that the handling of alerts has been changed: now all alert configuration is stored in /etc/hp/alerts.conf and isn't user-controllable anymore.

And I have to mention that whilst I had tested the port for building and the daemon for starting properly, I have no real hardware to test the thing. So the maintainer's testing is needed.

-- 
Eygene
Content-Type: text/x-diff; charset=koi8-r
Content-Disposition: attachment; filename="apply-fixes-for-CVE-2008-2940-and-CVE-2941.diff"

From e8f2e991adcde572e1c08951c9b973ca6759455f Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Sun, 23 Nov 2008 23:02:17 +0300
Subject: [PATCH] print/hplip: apply fixes for CVE-2008-2940 and CVE-2008-2941

Fix for CVE-2008-2940 was taken from [1] and was slightly modified to match the current code.

Fix for CVE-2008-2941 was written by hand, but was based on the patch from [2]. Note that the mentioned patch fragility sits in the fact that the parsed values can represent a string, integer, etc. and this is user-controllable, but their values are manipulated as if they are always strings, numbers, etc. So the daemon gets some exceptions that it is not prepared to handle and dies.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=455235
[2] https://bugzilla.redhat.com/show_bug.cgi?id=457052

Signed-off-by: Eygene Ryabinkin
---
 print/hplip/Makefile                  |   2 +-
 print/hplip/files/patch-CVE-2008-2940 |  74 ++++++++++++
 print/hplip/files/patch-CVE-2008-2941 | 210 +++++++++++++++++++++++++++++++++
 3 files changed, 285 insertions(+), 1 deletions(-)
 create mode 100644 print/hplip/files/patch-CVE-2008-2940
 create mode 100644 print/hplip/files/patch-CVE-2008-2941

diff --git a/print/hplip/Makefile b/print/hplip/Makefile index 9845d37..683b285 100644 --- a/print/hplip/Makefile +++ b/print/hplip/Makefile @@ -7,7 +7,7 @@ =20 PORTNAME=3D hplip PORTVERSION=3D 2.8.2 -PORTREVISION=3D 2 +PORTREVISION=3D 3 CATEGORIES=3D print MASTER_SITES=3D ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR=3D hplip diff --git a/print/hplip/files/patch-CVE-2008-2940 b/print/hplip/files/patc= h-CVE-2008-2940 new file mode 100644 index 0000000..dbe14fa --- /dev/null +++ b/print/hplip/files/patch-CVE-2008-2940 
@@ -0,0 +1,74 @@ +Patch for CVE-2008-2940 + +Please note that alerts are now system-wide and they live in +/etc/hp/alerts.conf + +See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2008-2940 +Obtained from: https://bugzilla.redhat.com/attachment.cgi?id=3D312878 +Obtained from: https://bugzilla.redhat.com/attachment.cgi?id=3D312880 + +diff -up hplip-1.6.7/hpssd.py.validate-uri hplip-1.6.7/hpssd.py +--- hpssd.py.validate-uri 2008-07-29 12:48:28.000000000 +0100 ++++ hpssd.py 2008-07-29 13:41:29.000000000 +0100 +@@ -1021,6 +1021,9 @@ class hpssd_handler(dispatcher): + event_type =3D self.fields.get('event-type', 'event') + event_code =3D self.fields.get('event-code', 0) + device_uri =3D self.fields.get('device-uri', '').replace('hpfax:'= , 'hp:') ++ result_code =3D self.__checkdevice(device_uri) ++ if result_code !=3D ERROR_SUCCESS: ++ return + log.debug("Device URI: %s" % device_uri) +=20 + try: +diff -up hplip-1.6.7/base/g.py.static-alerts-table hplip-1.6.7/base/g.py +--- base/g.py.orig 2008-01-18 02:10:29.000000000 +0300 ++++ base/g.py 2008-11-23 22:39:11.000000000 +0300 +@@ -134,6 +134,7 @@ + # Config file: directories and ports + prop.sys_config_file =3D '/etc/hp/hplip.conf' + prop.user_dir =3D os.path.expanduser('~/.hplip') ++prop.alerts_config_file =3D '/etc/hp/alerts.conf' +=20 + os.umask(0037) + try: +@@ -154,6 +155,7 @@ + =20 + sys_cfg =3D Config(prop.sys_config_file, True) + user_cfg =3D Config(prop.user_config_file) ++alerts_cfg =3D Config(prop.alerts_config_file) +=20 +=20 + # Language settings +diff -up hplip-1.6.7/hpssd.py.static-alerts-table hplip-1.6.7/hpssd.py +--- hpssd.py.static-alerts-table 2008-07-29 14:57:04.000000000 +0100 ++++ hpssd.py 2008-07-29 15:22:15.000000000 +0100 +@@ -71,6 +71,12 @@ from prnt import cups +=20 + # Per user alert settings + alerts =3D {} ++for user, cfg in alerts_cfg.iteritems (): ++ entry =3D {} ++ entry['email-alerts'] =3D utils.to_bool (cfg.get('email-alerts', 0)) ++ entry['email-from-address'] =3D 
cfg.get('email-from-address', '') ++ entry['email-to-addresses'] =3D cfg.get('email-to-addresses', '') ++ alerts[user] =3D entry +=20 + # Fax temp files + fax_file =3D {} +@@ -803,15 +809,10 @@ class hpssd_handler(dispatcher): + self.out_buffer =3D buildResultMessage('InjectValueResult', None,= result_code) + =20 +=20 +- # TODO: Need to load alerts at start-up + def handle_setalerts(self): + result_code =3D ERROR_SUCCESS +- username =3D self.fields.get('username', '') +=20 +- alerts[username] =3D {'email-alerts' : utils.to_bool(self.f= ields.get('email-alerts', '0')), +- 'email-from-address' : self.fields.get('email= -from-address', ''), +- 'email-to-addresses' : self.fields.get('email= -to-addresses', ''), +- } ++ # Do nothing. We use the alerts table in /etc/hp/alerts.conf. +=20 + self.out_buffer =3D buildResultMessage('SetAlertsResult', None, r= esult_code) +=20 diff --git a/print/hplip/files/patch-CVE-2008-2941 b/print/hplip/files/patc= h-CVE-2008-2941 new file mode 100644 index 0000000..f4bb8ee --- /dev/null +++ b/print/hplip/files/patch-CVE-2008-2941 
@@ -0,0 +1,210 @@ +Patch for CVE-2008-2941 + +Fixes parser fragility: original code expects only strings or numbers as +the input values, but not both. And hpssd client has the full control +on the input data, so when number is tried to be transformed as string +(by calling lower() method, for example) the unhandled exception +terminates the daemon. + +Based on: https://bugzilla.redhat.com/attachment.cgi?id=3D312881 + +--- hpssd.py.orig 2008-11-23 22:41:08.000000000 +0300 ++++ hpssd.py 2008-11-23 22:57:51.000000000 +0300 +@@ -203,7 +203,7 @@ + log.debug(self.out_buffer) + return True +=20 +- msg_type =3D self.fields.get('msg', 'unknown').lower() ++ msg_type =3D str(self.fields.get('msg', 'unknown')).lower() + log.debug("Handling: %s %s %s" % ("*"*20, msg_type, "*"*20)) + log.debug(repr(self.in_buffer)) +=20 +@@ -260,9 +260,9 @@ +=20 +=20 + def handle_getvalue(self): +- device_uri =3D self.fields.get('device-uri', '').replace('hpfax:'= , 'hp:') ++ device_uri =3D str(self.fields.get('device-uri', '')).replace('hp= fax:', 'hp:') + value =3D '' +- key =3D self.fields.get('key', '') ++ key =3D str(self.fields.get('key', '')) + result_code =3D self.__checkdevice(device_uri) +=20 + if result_code =3D=3D ERROR_SUCCESS: +@@ -274,9 +274,9 @@ + self.out_buffer =3D buildResultMessage('GetValueResult', value, r= esult_code) +=20 + def handle_setvalue(self): +- device_uri =3D self.fields.get('device-uri', '').replace('hpfax:'= , 'hp:') +- key =3D self.fields.get('key', '') +- value =3D self.fields.get('value', '') ++ device_uri =3D str(self.fields.get('device-uri', '')).replace('hp= fax:', 'hp:') ++ key =3D str(self.fields.get('key', '')) ++ value =3D str(self.fields.get('value', '')) + result_code =3D self.__checkdevice(device_uri) +=20 + if result_code =3D=3D ERROR_SUCCESS: =20 +@@ -285,7 +285,7 @@ + self.out_buffer =3D buildResultMessage('SetValueResult', None, ER= ROR_SUCCESS) +=20 + def handle_queryhistory(self): +- device_uri =3D self.fields.get('device-uri', 
'').replace('hpfax:'= , 'hp:') ++ device_uri =3D str(self.fields.get('device-uri', '')).replace('hp= fax:', 'hp:') + payload =3D '' + result_code =3D self.__checkdevice(device_uri) +=20 +@@ -305,8 +305,8 @@ +=20 + # EVENT + def handle_registerguievent(self): +- username =3D self.fields.get('username', '') +- typ =3D self.fields.get('type', 'unknown') ++ username =3D str(self.fields.get('username', '')) ++ typ =3D str(self.fields.get('type', 'unknown')) + self.typ =3D typ + self.username =3D username + self.send_events =3D True +@@ -314,13 +314,13 @@ +=20 + # EVENT + def handle_unregisterguievent(self): +- username =3D self.fields.get('username', '') ++ username =3D str(self.fields.get('username', '')) + self.send_events =3D False +=20 +=20 + def handle_test_email(self): + result_code =3D ERROR_SUCCESS +- username =3D self.fields.get('username', prop.username) ++ username =3D str(self.fields.get('username', prop.username)) + message =3D device.queryString('email_test_message') + subject =3D device.queryString('email_test_subject') + result_code =3D self.sendEmail(username, subject, message, True) +@@ -343,11 +343,14 @@ +=20 + # sent by hpfax: to indicate the start of a complete fax rendering job + def handle_hpfaxbegin(self): +- username =3D self.fields.get('username', prop.username) +- job_id =3D self.fields.get('job-id', 0) +- printer_name =3D self.fields.get('printer', '') +- device_uri =3D self.fields.get('device-uri', '').replace('hp:', '= hpfax:') +- title =3D self.fields.get('title', '') ++ username =3D str(self.fields.get('username', prop.username)) ++ try: ++ job_id =3D int(self.fields.get('job-id', 0)) ++ except ValueError: ++ job_id =3D 0 ++ printer_name =3D str(self.fields.get('printer', '')) ++ device_uri =3D str(self.fields.get('device-uri', '')).replace('hp= :', 'hpfax:') ++ title =3D str(self.fields.get('title', '')) +=20 + log.debug("Creating data store for %s:%d" % (username, job_id)) + fax_file[(username, job_id)] =3D 
tempfile.NamedTemporaryFile(pref= ix=3D"hpfax") +@@ -360,8 +363,11 @@ +=20 + # sent by hpfax: to transfer completed fax rendering data + def handle_hpfaxdata(self): +- username =3D self.fields.get('username', prop.username) +- job_id =3D self.fields.get('job-id', 0) ++ username =3D str(self.fields.get('username', prop.username)) ++ try: ++ job_id =3D int(self.fields.get('job-id', 0)) ++ except ValueError: ++ job_id =3D 0 +=20 + if self.payload and (username, job_id) in fax_file and \ + not fax_file_ready[(username, job_id)]: +@@ -373,12 +379,18 @@ +=20 + # sent by hpfax: to indicate the end of a complete fax rendering job + def handle_hpfaxend(self): +- username =3D self.fields.get('username', '') +- job_id =3D self.fields.get('job-id', 0) +- printer_name =3D self.fields.get('printer', '') +- device_uri =3D self.fields.get('device-uri', '').replace('hp:', '= hpfax:') +- title =3D self.fields.get('title', '') +- job_size =3D self.fields.get('job-size', 0) ++ username =3D str(self.fields.get('username', '')) ++ try: ++ job_id =3D int(self.fields.get('job-id', 0)) ++ except ValueError: ++ job_id =3D 0 ++ printer_name =3D str(self.fields.get('printer', '')) ++ device_uri =3D str(self.fields.get('device-uri', '')).replace('hp= :', 'hpfax:') ++ title =3D str(self.fields.get('title', '')) ++ try: ++ job_size =3D int(self.fields.get('job-size', 0)) ++ except ValueError: ++ job_size =3D 0 +=20 + fax_file[(username, job_id)].seek(0) + fax_file_ready[(username, job_id)] =3D True +@@ -389,7 +401,7 @@ +=20 + # sent by hp-sendfax to see if any faxes have been printed and need t= o be picked up + def handle_faxcheck(self): +- username =3D self.fields.get('username', '') ++ username =3D str(self.fields.get('username', '')) + result_code =3D ERROR_NO_DATA_AVAILABLE + other_fields =3D {} +=20 +@@ -413,8 +425,11 @@ + # after being run with --job param, both after a hpfaxend message + def handle_faxgetdata(self): + result_code =3D ERROR_SUCCESS +- username =3D 
self.fields.get('username', '') +- job_id =3D self.fields.get('job-id', 0) ++ username =3D str(self.fields.get('username', '')) ++ try: ++ job_id =3D int(self.fields.get('job-id', 0)) ++ except ValueError: ++ job_id =3D 0 +=20 + try: + fax_file[(username, job_id)] +@@ -442,15 +457,18 @@ + # EVENT + def handle_event(self): + gui_port, gui_host =3D None, None +- event_type =3D self.fields.get('event-type', 'event') ++ event_type =3D str(self.fields.get('event-type', 'event')) + =20 +- event_code =3D self.fields.get('event-code', STATUS_PRINTER_IDLE) ++ try: ++ event_code =3D int(self.fields.get('event-code', STATUS_PRINT= ER_IDLE)) ++ except ValueError: ++ event_code =3D STATUS_PRINTER_IDLE + =20 + # If event-code > 10001, its a PJL error code, so convert it + if event_code > EVENT_MAX_EVENT: + event_code =3D status.MapPJLErrorCode(event_code) + =20 +- device_uri =3D self.fields.get('device-uri', '').replace('hpfax:'= , 'hp:') ++ device_uri =3D str(self.fields.get('device-uri', '')).replace('hp= fax:', 'hp:') + result_code =3D self.__checkdevice(device_uri) + if result_code !=3D ERROR_SUCCESS: + return +@@ -461,7 +479,10 @@ +=20 + log.debug("Short/Long: %s/%s" % (error_string_short, error_string= _long)) +=20 +- job_id =3D self.fields.get('job-id', 0) ++ try: ++ job_id =3D int(self.fields.get('job-id', 0)) ++ except ValueError: ++ job_id =3D 0 +=20 + try: + username =3D self.fields['username'] +@@ -480,7 +501,10 @@ +=20 + no_fwd =3D utils.to_bool(self.fields.get('no-fwd', '0')) + log.debug("Username (jobid): %s (%d)" % (username, job_id)) +- retry_timeout =3D self.fields.get('retry-timeout', 0) ++ try: ++ retry_timeout =3D int(self.fields.get('retry-timeout', 0)) ++ except ValueError: ++ retry_timeout =3D 0 + user_alerts =3D alerts.get(username, {}) =20 +=20 + dup_event =3D False --=20 1.6.0.4 --Dxnq1zWXvFF0Q93v-- From owner-freebsd-security@FreeBSD.ORG Sun Nov 23 20:43:07 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org 
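Review bot: in the hpssd.py validate-uri hunk of patch-CVE-2008-2940 (`@@ -1021,6 +1021,9 @@`), the new `self.__checkdevice(device_uri)` call runs after `device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:')`, and this site is not wrapped in `str()` by patch-CVE-2008-2941, which only touches the handlers around lines 203-501. A client that sends a non-string `device-uri` therefore still raises AttributeError on `.replace()` before the new check is reached, which is exactly the crash class the second patch is meant to close; coercing with `str(...)` here as well keeps the two patches consistent.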
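Review bot: the `base/g.py` hunk adds `alerts_cfg = Config(prop.alerts_config_file)` for `/etc/hp/alerts.conf` and the hpssd.py alerts-table hunk iterates it at import time, but the diffstat lists only the Makefile and the two patch files, so nothing in the port installs, samples or documents that file. Please confirm that `Config()` tolerates a missing file (otherwise hpssd will not start on a fresh install) and consider a pkg-message or a sample config, since the covering e-mail says per-user alert configuration has moved there.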
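Review bot: in the `handle_setalerts` hunk (`@@ -803,15 +809,10 @@`) the body is reduced to a comment, yet the function still replies with `buildResultMessage('SetAlertsResult', None, result_code)` where `result_code = ERROR_SUCCESS`. A client setting alerts is told the request succeeded while it was silently discarded; returning a distinct error code, or at least logging that alerts are now read from /etc/hp/alerts.conf, would make the behaviour change visible to users.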
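Review bot: the `int(...)` coercions added in patch-CVE-2008-2941 for `job-id`, `job-size`, `event-code` and `retry-timeout` catch only `ValueError`, but the commit message says the parsed values are client-controlled and can be of any type; `int()` of `None` or a list raises `TypeError`, which would still terminate the daemon, so `except (ValueError, TypeError):` is the safer form. Two nearby context lines deserve the same scrutiny: `no_fwd = utils.to_bool(self.fields.get('no-fwd', '0'))` in the `handle_event` hunk is still passed the raw field, and `fax_file[(username, job_id)].seek(0)` in `handle_hpfaxend` still raises `KeyError` when no matching `hpfaxbegin` was seen.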
Date: Sun, 23 Nov 2008 23:43:03 +0300
From: Eygene Ryabinkin
To: Eirik Øverby
Cc: freebsd-security@freebsd.org
Message-ID: <+ug4ae9RHVVTC7ztvaDEPTyd/iQ@iXA9ZWPrtc2I2BMzBXoToMd7YdQ>
Subject: Re: Dropping syn+fin replies, but not really?

Eirik, good day.

Sun, Nov 23, 2008 at 05:03:15PM +0100, Eirik Øverby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.
>
> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the
> host in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.

First of all, (if I am correct) your firewall's setting for drop_synfin isn't relevant for the packets that are traversing the firewall: the TCP input layer drops these and the firewall isn't using this layer.

The easy way to identify if there are replies to SYN+FIN is to spawn tcpdump on the firewall and see what's going on. It may well be that some sort of scrubbing/modulation is done on the firewall, so when the firewall notices that the SYN+FIN is blackholed, it generates a RST by itself, or it just blocks the SYN+FIN by itself but sends a RST.
I am making guesses here, because I can't test it just now and I have no idea about your setup.

If I remember correctly, pf is used on pfSense, so you can easily block SYN+FIN on the ingress port(s):
-----
block in quick on $ingress proto tcp from any to \
    flags SF/ASF
-----
-- 
Eygene

From owner-freebsd-security@FreeBSD.ORG Sun Nov 23 17:53:07 2008
Message-ID: <49299876.4020702@thelostparadise.com>
Date: Sun, 23 Nov 2008 18:52:54 +0100
From: Pieter de Boer
To: Eirik Øverby
Cc: freebsd-security@freebsd.org
Subject: Re: Dropping syn+fin replies, but not really?

Eirik Øverby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.

I'd consider this at most a 'low' severity problem.

> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the host
> in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.

Given security tools' (including Nessus') track records of false positives, I wouldn't be surprised if this was one of them.

> Have I missed something important? Apart from this the hosts and
> services get away without any serious issues, but the security audit
> company insists this so-called hole to be closed.

It's not a hole, but could possibly aid in bypassing filtering rules (which is quite unlikely in this day and age). It may be wise to find a security company that knows how to interpret and verify Nessus output.

If you want to do verification yourself, you could try the following:
- Run tcpdump on one of the servers and on the firewall
- Run nmap from an external host using the '--scanflags SYNFIN' flag with destination the server.
You can let tcpdump only show specific ports and source/destination addresses. It's probably useful to use nmap to scan both ports you know to be open and in use and ports that are filtered. Using the -p option to nmap, you can specify which ports to scan. Perform the nmap scan and look at the tcpdump output to see how your firewall and/or server react.

G'luck,
Pieter
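As an added example (not code from anyone in this thread), the tcpdump-side check Pieter describes can be scripted: the Python below parses `tcpdump -n` output, finds every SYN+FIN probe, and records whether the probed port stayed silent, answered with RST, or completed a handshake, which is the case the scanner reports. The capture lines, hosts and ports are constructed sample data.

```python
"""Classify how a host answers SYN+FIN probes, from tcpdump output."""
import re
import sys

# Constructed sample capture (not from the thread): tcpdump -n style lines
# showing three SYN+FIN probes against 192.0.2.10 and one plain SYN.
SAMPLE_CAPTURE = """\
17:03:15.100001 IP 203.0.113.9.40001 > 192.0.2.10.22: Flags [FS], seq 1000, win 1024, length 0
17:03:15.100412 IP 192.0.2.10.22 > 203.0.113.9.40001: Flags [S.], seq 2000, ack 1001, win 65535, options [mss 1460], length 0
17:03:15.200001 IP 203.0.113.9.40002 > 192.0.2.10.25: Flags [FS], seq 1000, win 1024, length 0
17:03:15.200377 IP 192.0.2.10.25 > 203.0.113.9.40002: Flags [R.], seq 0, ack 1001, win 0, length 0
17:03:15.300001 IP 203.0.113.9.40003 > 192.0.2.10.80: Flags [FS], seq 1000, win 1024, length 0
17:03:15.400001 IP 203.0.113.9.40004 > 192.0.2.10.443: Flags [S], seq 1000, win 1024, length 0
17:03:15.400388 IP 192.0.2.10.443 > 203.0.113.9.40004: Flags [S.], seq 3000, ack 1001, win 65535, length 0
"""

# Matches the prefix of a tcpdump TCP line up to and including the flag list.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for a TCP line, or None for anything else (ARP, ICMP, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["flags"] = set(pkt["flags"])  # "FS" -> {'F','S'}, "S." -> {'S','.'}
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def classify_synfin_probes(capture_text):
    """Map 'host:port' -> verdict for every SYN+FIN probe in the capture.

    'dropped'  nothing came back: drop_synfin or a firewall block is in effect
    'rst'      a RST came back (from the host, or generated by the firewall)
    'syn-ack'  the host accepted the SYN+FIN and answered SYN+ACK
    'other'    some other reply, worth a manual look
    """
    packets = [p for p in map(parse_line, capture_text.splitlines()) if p]
    verdicts = {}
    for i, probe in enumerate(packets):
        if not {"S", "F"} <= probe["flags"]:
            continue  # only SYN+FIN probes are of interest
        verdict = "dropped"
        reverse = (probe["dst"], probe["dport"], probe["src"], probe["sport"])
        for reply in packets[i + 1:]:
            if (reply["src"], reply["sport"], reply["dst"], reply["dport"]) != reverse:
                continue
            if "R" in reply["flags"]:
                verdict = "rst"
            elif {"S", "."} <= reply["flags"]:
                verdict = "syn-ack"
            else:
                verdict = "other"
            break  # first packet back from the probed socket decides
        verdicts["%s:%d" % (probe["dst"], probe["dport"])] = verdict
    return verdicts


def ports_answering_synfin(verdicts):
    """The scanner's finding: targets that completed a handshake on SYN+FIN."""
    return sorted(k for k, v in verdicts.items() if v == "syn-ack")


if __name__ == "__main__":
    # Read a real `tcpdump -n` capture from stdin, or fall back to the sample.
    text = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    result = classify_synfin_probes(text)
    for target, verdict in sorted(result.items()):
        print("%-20s %s" % (target, verdict))
    print("SYN+FIN accepted by:", ports_answering_synfin(result) or "none")
```

Run it on the firewall or the server while the nmap scan is going (pipe `tcpdump -n -l` into it); a 'syn-ack' verdict on a port means the probe reached a TCP stack on which drop_synfin was not in effect, while 'rst' with the server's tcpdump showing nothing points at the firewall generating the reply.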
From: Anish Mistry
Organization: AM Productions
To: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org, FreeBSD-gnats-submit@freebsd.org
Date: Sun, 23 Nov 2008 14:46:26 -0500
Message-Id: <200811231446.43728.amistry@am-productions.biz>
In-Reply-To: <20081123184449.6801AF181D@phoenix.codelabs.ru>
Subject: Re: ports/129097: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941

On Sunday 23 November 2008, Eygene Ryabinkin wrote:
> >Number: 129097
> >Category: ports
> >Synopsis: [vuxml] print/hplip: document CVE-2008-2940 and
> > CVE-2008-2941
> >Confidential: no
> >Severity: serious
> >Priority: high
> >Responsible: freebsd-ports-bugs
> >State: open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class: sw-bug
> >Submitter-Id: current-users
> >Arrival-Date: Sun Nov 23 18:50:00 UTC 2008
> >Closed-Date:
> >Last-Modified:
> >Originator: Eygene Ryabinkin
> >Release: FreeBSD 7.1-PRERELEASE i386
> >Organization:

Commit it.
--
Anish Mistry
amistry@am-productions.biz
AM Productions http://am-productions.biz/
--nextPart1462984.zUT7fY2mWr
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEABECAAYFAkkpsxIACgkQxqA5ziudZT2s5gCbBXwqK3IFe1vQcxJ8a5/iGNjD
rQEAoJAnaEw5NIkFO8Q9ZOXr7oMqaAFZ
=HG/5
-----END PGP SIGNATURE-----
--nextPart1462984.zUT7fY2mWr--

From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 06:45:58 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3A4101065670; Mon, 24 Nov 2008 06:45:58 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id D34A88FC1A; Mon, 24 Nov 2008 06:45:57 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=kbzeorTxzm9hvC5s8NWdnIlPFqW52n9sscn91xzw+cOrg6xdLCinVkqhjxIi0ezvI4nzFYlzyI0QEpn6WAFsFDMchNlTVww+8bv8kOaw/aXh43VtHXfgb7jUkH0zE3/VUE8O+vcVbNrCg3+f2UQ35B8VOIkMGPG1OvjwdEnf+t0=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1L4VCm-000AQJ-IA; Mon, 24 Nov 2008 09:45:56 +0300 Date: Mon, 24 Nov 2008 09:45:55 +0300
From: Eygene Ryabinkin To: Anish Mistry Message-ID: References: <20081123184449.6801AF181D@phoenix.codelabs.ru> <200811231446.43728.amistry@am-productions.biz> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="jFijuCULRDbBA23d" Content-Disposition: inline In-Reply-To: <200811231446.43728.amistry@am-productions.biz> Sender: rea-fbsd@codelabs.ru Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org Subject: Re: ports/129097: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 06:45:58 -0000
--jFijuCULRDbBA23d
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Anish, good day.

Sun, Nov 23, 2008 at 02:46:26PM -0500, Anish Mistry wrote:
> On Sunday 23 November 2008, Eygene Ryabinkin wrote:
> > >Number: 129097
> > >Category: ports
> > >Synopsis: [vuxml] print/hplip: document CVE-2008-2940 and
> > > CVE-2008-2941 Confidential: no
> > >Severity: serious
> > >Priority: high
> > >Responsible: freebsd-ports-bugs
> > >State: open
> > >Quarter:
> > >Keywords:
> > >Date-Required:
> > >Class: sw-bug
> > >Submitter-Id: current-users
> > >Arrival-Date: Sun Nov 23 18:50:00 UTC 2008
> > >Closed-Date:
> > >Last-Modified:
> > >Originator: Eygene Ryabinkin
> > >Release: FreeBSD 7.1-PRERELEASE i386
> > >Organization:
> > Commit it.

That's fine, thanks. But yesterday I had sent a patch that fixes the
vulnerabilities for 2.8.2. What do you think about it? Could you test
the patch? The VuXML entry details depend on this: I wrote that hplip
>= 2.8.4 aren't vulnerable, but if you'll approve the patch that
upgrades to 2.8.2_3, then VuXML entry should be corrected.

Thanks again!
--
Eygene

[ASCII-art signature omitted; its text reads: "Remember that it is hard to read the on-line manual while single-stepping the kernel." -- FreeBSD Developers handbook]

--jFijuCULRDbBA23d
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkkqTaMACgkQthUKNsbL7YiDMgCeIrW3GANQwaHSH77rUqKpu6Yd
GZoAn3+QVO1JCozTuRkOOACJV3jNe9fh
=1tQU
-----END PGP SIGNATURE-----
--jFijuCULRDbBA23d--

From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 09:17:51 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BDDA61065674 for ; Mon, 24 Nov 2008 09:17:51 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.freebsd.org (Postfix) with ESMTP id 7E90F8FC12 for ; Mon, 24 Nov 2008 09:17:51 +0000 (UTC) (envelope-from des@des.no) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id 468F86D449; Mon, 24 Nov 2008 09:17:50 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id 204BF844AD; Mon, 24 Nov 2008 10:17:50 +0100 (CET)
From: Dag-Erling Smørgrav To: Eirik Øverby References: Date: Mon, 24 Nov 2008 10:17:50 +0100 In-Reply-To: ("Eirik Øverby"'s message of "Sun, 23 Nov 2008 17:03:15 +0100") Message-ID: <86ej114h4x.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.60 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: Dropping syn+fin replies, but not really? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 09:17:51 -0000

Eirik Øverby writes:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.
>
> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the
> host in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.

I added drop_synfin for one reason and one reason only: it prevented
nmap from reliably identifying a FreeBSD machine, and at the time, that
was sufficient to ward off the kind of script kiddies that would
regularly attack EFNet IRC servers.

I don't think SYN+FIN packets were ever a security issue, and I'm
surprised Nessus thinks they are. Perhaps someone read about
drop_synfin and misunderstood its purpose?

Back to the issue at hand: you should use tcpdump to double-check
nessus's findings. Who knows, perhaps drop_synfin was broken in a
network stack reorganization.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 09:57:26 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A415D10656D4 for ; Mon, 24 Nov 2008 09:57:26 +0000 (UTC) (envelope-from hans@stare.cz) Received: from mail.czechdata.cz (mail.czechdata.cz [79.98.73.121]) by mx1.freebsd.org (Postfix) with ESMTP id 0A8218FC1D for ; Mon, 24 Nov 2008 09:57:25 +0000 (UTC) (envelope-from hans@stare.cz) Received: from 172.17.4.37 ([172.17.4.37]) by mail.czechdata.cz (602LAN SUITE 2004) id 368f4bc1; Mon, 24 Nov 2008 10:44:28 +0100 Received: by www.stare.cz (Postfix, from userid 1000) id 7C5063174; Mon, 24 Nov 2008 10:44:25 +0100 (CET) Date: Mon, 24 Nov 2008 10:44:25 +0100
From: Jan Stary To: Eirik Øverby Message-ID: <20081124094425.GA29802@www.stare.cz> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i Cc: freebsd-security@freebsd.org Subject: Re: Dropping syn+fin replies, but not really? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 09:57:26 -0000

On Nov 23 17:03:15, Eirik Øverby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.

Apparently, nessus thinks that replying to SYNFIN packets at all is a
problem. But it thinks so because you configured it to think so, right?
Or is this hardwired into nessus? Also, why would nessus sometimes think
that it's a "high" severity problem, and at other times, it's a "medium"
severity problem?

> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the
> host in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.

If you configured your firewall and servers to NOT reply to SYNFIN
packets, and they still do, then this is a configuration issue itself.
Have you also checked with other tools to find whether your servers
reply to SYNFIN, or do you trust nessus who says so?
Jan From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 14:56:41 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A39CB106564A; Mon, 24 Nov 2008 14:56:41 +0000 (UTC) (envelope-from amistry@am-productions.biz) Received: from mail.united-ware.com (am-productions.biz [69.61.164.22]) by mx1.freebsd.org (Postfix) with ESMTP id 5EA9F8FC16; Mon, 24 Nov 2008 14:56:41 +0000 (UTC) (envelope-from amistry@am-productions.biz) Received: from [192.168.1.100] (adsl-69-211-82-182.dsl.wotnoh.ameritech.net [69.211.82.182]) (authenticated bits=0) by mail.united-ware.com (8.14.2/8.14.2) with ESMTP id mAOF0ufG009894 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 24 Nov 2008 10:00:57 -0500 (EST) (envelope-from amistry@am-productions.biz) 
From: Anish Mistry Organization: AM Productions To: Eygene Ryabinkin Date: Mon, 24 Nov 2008 09:57:32 -0500 User-Agent: KMail/1.9.7 References: <20081123184449.6801AF181D@phoenix.codelabs.ru> <200811231446.43728.amistry@am-productions.biz> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1436324.ylxnvIu4xE"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200811240957.33153.amistry@am-productions.biz> X-Virus-Scanned: ClamAV 0.94.1/8669/Mon Nov 24 03:21:48 2008 on mail.united-ware.com X-Virus-Status: Clean X-Mailman-Approved-At: Mon, 24 Nov 2008 15:08:35 +0000 Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org Subject: Re: ports/129097: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 14:56:41 -0000
--nextPart1436324.ylxnvIu4xE
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Monday 24 November 2008, Eygene Ryabinkin wrote:
> Anish, good day.
>
> That's fine, thanks. But yesterday I had sent a patch that fixes
> the vulnerabilities for 2.8.2. What do you think about it? Could
> you test the patch? The VuXML entry details depend on this: I
> wrote that hplip >= 2.8.4 aren't vulnerable, but if you'll approve
> the patch that upgrades to 2.8.2_3, then VuXML entry should be
> corrected.
>
> Thanks again!

Finally got around to it. The patches look fine, and it passed my
basic testing. Commit.

Thanks,
--
Anish Mistry
amistry@am-productions.biz
AM Productions http://am-productions.biz/
--nextPart1436324.ylxnvIu4xE
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (FreeBSD) iEYEABECAAYFAkkqwN0ACgkQxqA5ziudZT2ADQCg0ICasZ0UzPreA5uQFVwi5YPX rbIAoM1e7bLqHyFWCierN86Ts3CmLpkg =KiT+ -----END PGP SIGNATURE----- --nextPart1436324.ylxnvIu4xE-- From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 15:59:30 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9A5F91065675; Mon, 24 Nov 2008 15:59:30 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 549008FC14; Mon, 24 Nov 2008 15:59:30 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:To:Subject:From:Reply-To:Cc:X-send-pr-version:X-GNATS-Notify:Message-Id:Date; b=kY3eZY9U2pUlTYJhwMcx2vhCQJCurRbDdswdYeA5pPEqZGcqaOmqvpKwMJ6eNbjHF/7w1LFfs2Q4DRz4D7NLKw3Mre2BfLQlJ1Zw5WQ7QQPybkMv2n8PFDlFpfQbh63SmGCOjb8wTtvdq4umARnF8zg9vAFVlp1sZiuBAcFMjO8=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256) id 1L4dqT-000OZX-7p; Mon, 24 Nov 2008 18:59:29 +0300 To: FreeBSD-gnats-submit@freebsd.org 
From: Eygene Ryabinkin X-send-pr-version: 3.113 X-GNATS-Notify: obrien@FreeBSD.org Message-Id: <20081124155929.073851AF41F@void.codelabs.ru> Date: Mon, 24 Nov 2008 18:59:28 +0300 (MSK) Cc: freebsd-security@freebsd.org Subject: [vuxml] editors/vim: document netrw issues X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Eygene Ryabinkin List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 15:59:30 -0000

>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] editors/vim: document netrw issues
>Severity: serious
>Priority: medium
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
A bunch of vulnerabilities were discovered in Vim:
http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.rdancer.org/vulnerablevim-netrw.v5.html
http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
Some of them affect Vim >=7.0 and < 7.2.
>How-To-Repeat:
Look at the above URLs and read Jan Lieskovsky summary:
http://www.openwall.com/lists/oss-security/2008/10/16/2
>Fix:
The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
Topic: vim -- multiple vulnerabilities in the netrw module
Affected packages: vim, vim-lite, vim-gtk2, vim-gnome
Affected range: >= 7.0, < 7.2

Jan Minar reports:

Applying the ``D'' to a file with a crafted file name, or inside a directory with a crafted directory name, can lead to arbitrary code execution.

Lack of sanitization throughout Netrw can lead to arbitrary code execution upon opening a directory with a crafted name.

The Vim Netrw Plugin shares the FTP user name and password across all FTP sessions. Every time Vim makes a new FTP connection, it sends the user name and password of the previous FTP session to the FTP server.

References:
http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.rdancer.org/vulnerablevim-netrw.v5.html
http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
http://www.openwall.com/lists/oss-security/2008/10/16/2
CVE-2008-3076
Discovery date: 2008-10-16
Entry date: today
--- vuln.xml ends here ---

From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 17:47:13 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 67D6B1065672; Mon, 24 Nov 2008 17:47:13 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 5682F8FC12; Mon, 24 Nov 2008 17:47:13 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAOHlDlF034727; Mon, 24 Nov 2008 17:47:13 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAOHlDmZ034725; Mon, 24 Nov 2008 17:47:13 GMT (envelope-from security-advisories@freebsd.org) Date: Mon, 24 Nov 2008 17:47:13 GMT Message-Id: <200811241747.mAOHlDmZ034725@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: freebsd-security@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 17:47:13 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08.11.arc4random                                 Security Advisory
                                                          The FreeBSD Project

Topic:          arc4random(9) predictable sequence vulnerability

Category:       core
Module:         sys
Announced:      2008-11-24
Credits:        Robert Woolley, Mark Murray, Maxim Dounin, Ruslan Ermilov
Affects:        All supported versions of FreeBSD.
Corrected:      2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
                2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
                2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
                2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)
CVE Name:       CVE-2008-5162

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

arc4random(9) is a generic-purpose random number generator based on the
key stream generator of the RC4 cipher. It is expected to be
cryptographically strong, and used throughout the FreeBSD kernel for a
variety of purposes, some of which rely on its cryptographic strength.

arc4random(9) is periodically reseeded with entropy from the FreeBSD
kernel's Yarrow random number generator, which gathers entropy from a
variety of sources including hardware interrupts. During the boot
process, additional entropy is provided to the Yarrow random number
generator from userland, helping to ensure that adequate entropy is
present for cryptographic purposes.

II.  Problem Description

When the arc4random(9) random number generator is initialized, there may
be inadequate entropy to meet the needs of kernel systems which rely on
arc4random(9); and it may take up to 5 minutes before arc4random(9) is
reseeded with secure entropy from the Yarrow random number generator.

III. Impact

All security-related kernel subsystems that rely on a quality random
number generator are subject to a wide range of possible attacks for the
300 seconds after boot or until 64k of random data is consumed. The list
includes:

* GEOM ELI providers with onetime keys. When a provider is configured in
a way so that it gets attached at the same time during boot (e.g. it uses
the rc subsystem to initialize) it might be possible for an attacker to
recover the encrypted data.

* GEOM shsec providers.
The GEOM shsec subsystem is used to split a shared secret between two
providers so that it can be recovered when both of them are present. This
is done by writing the random sequence to one of the providers while
appending the result of the random sequence on the other host to the
original data. If the provider was created within the first 300 seconds
after booting, it might be possible for an attacker to extract the
original data with access to only one of the two providers between which
the secret data is split.

* System processes started early after boot may receive predictable IDs.

* The 802.11 network stack uses arc4random(9) to generate initial vectors
(IV) for WEP encryption when operating in client mode and WEP
authentication challenges when operating in hostap mode, which may be
insecure.

* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
random number generator to produce unpredictable IP packet identifiers,
initial TCP sequence numbers and outgoing port numbers. During the first
300 seconds after booting, it may be easier for an attacker to execute IP
session hijacking, OS fingerprinting, idle scanning, or in some cases DNS
cache poisoning and blind TCP data injection attacks.

* The kernel RPC code uses arc4random(9) to retrieve transaction
identifiers, which might make RPC clients vulnerable to hijacking
attacks.

IV.  Workaround

No workaround is available for affected systems.

V.   Solution

NOTE WELL: Any GEOM shsec providers which were created or written to
during the first 300 seconds after booting should be re-created after
applying this security update.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and 7.0
systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/dev/random/randomdev.c                                  1.59.2.2
  src/sys/dev/random/randomdev_soft.c                             1.11.2.3
RELENG_6_4
  src/UPDATING                                                1.416.2.40.2.2
  src/sys/dev/random/randomdev.c                              1.59.2.1.8.2
  src/sys/dev/random/randomdev_soft.c                         1.11.2.2.6.2
RELENG_6_3
  src/UPDATING                                               1.416.2.37.2.11
  src/sys/conf/newvers.sh                                     1.69.2.15.2.10
  src/sys/dev/random/randomdev.c                              1.59.2.1.6.1
  src/sys/dev/random/randomdev_soft.c                         1.11.2.2.4.1
RELENG_7
  src/sys/dev/random/randomdev.c                                  1.61.2.1
  src/sys/dev/random/randomdev_soft.c                             1.15.2.1
RELENG_7_0
  src/UPDATING                                                1.507.2.3.2.10
  src/sys/conf/newvers.sh                                      1.72.2.5.2.10
  src/sys/dev/random/randomdev.c                                  1.61.4.1
  src/sys/dev/random/randomdev_soft.c                             1.15.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5162

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:11.arc4random.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkkq550ACgkQFdaIBMps37K3SwCfcj0iiFxH2tljR1N7/qhXWiW1
N/cAoIjgcsh6sZG/upobud4TVme9QJPf
=SKuK
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 17:50:37 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2F7E3106567A; Mon, 24 Nov 2008 17:50:37 +0000 (UTC) (envelope-from stas@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 08A3E8FC28; Mon, 24 Nov 2008 17:50:37 +0000 (UTC) (envelope-from stas@FreeBSD.org) Received: from freefall.freebsd.org (stas@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAOHoaiL040506; Mon, 24 Nov 2008 17:50:36 GMT (envelope-from stas@freefall.freebsd.org) Received: (from stas@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAOHoaCK040495; Mon, 24 Nov 2008 17:50:36 GMT (envelope-from stas) Date: Mon, 24 Nov 2008 17:50:36 GMT Message-Id: <200811241750.mAOHoaCK040495@freefall.freebsd.org> To: freebsd-security@freebsd.org, stas@freebsd.org, rea-fbsd@codelabs.ru, stas@FreeBSD.org, stas@FreeBSD.org From: stas@FreeBSD.org Cc: Subject: Re: ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 17:50:37 -0000 Synopsis: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187 State-Changed-From-To: open->closed State-Changed-By: stas State-Changed-When: Mon
Nov 24 17:50:36 UTC 2008 State-Changed-Why: Committed, with minor changes. Thanks! http://www.freebsd.org/cgi/query-pr.cgi?pr=129037 From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 18:28:08 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 151F4106564A for ; Mon, 24 Nov 2008 18:28:08 +0000 (UTC) (envelope-from aragon@phat.za.net) Received: from mail.geek.sh (decoder.geek.sh [196.36.198.81]) by mx1.freebsd.org (Postfix) with ESMTP id AE6848FC0A for ; Mon, 24 Nov 2008 18:28:06 +0000 (UTC) (envelope-from aragon@phat.za.net) Received: by mail.geek.sh (Postfix, from userid 1000) id 7ECC724D22; Mon, 24 Nov 2008 20:08:59 +0200 (SAST) Date: Mon, 24 Nov 2008 20:08:59 +0200 From: Aragon Gouveia To: freebsd-security@freebsd.org Message-ID: <20081124180859.GA28462@phat.za.net> Mail-Followup-To: freebsd-security@freebsd.org References: <200811241747.mAOHlDSE034716@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200811241747.mAOHlDSE034716@freefall.freebsd.org> User-Agent: Mutt/1.4i X-Operating-System: FreeBSD 4.10-RELEASE-p2 i386 Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 18:28:08 -0000 | By FreeBSD Security Advisories | [ 2008-11-24 19:48 +0200 ] > III. Impact > > All security-related kernel subsystems that rely on a quality random > number generator are subject to a wide range of possible attacks for the > 300 seconds after boot or until 64k of random data is consumed. The list > includes: I suppose this would affect the quality of SSH host keys generated at boot time by RC? 
Thanks, Aragon From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 18:18:39 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1F0161065672 for ; Mon, 24 Nov 2008 18:18:39 +0000 (UTC) (envelope-from neldredge@math.ucsd.edu) Received: from euclid.ucsd.edu (euclid.ucsd.edu [132.239.145.52]) by mx1.freebsd.org (Postfix) with ESMTP id F3D0F8FC29 for ; Mon, 24 Nov 2008 18:18:38 +0000 (UTC) (envelope-from neldredge@math.ucsd.edu) Received: from zeno.ucsd.edu (zeno.ucsd.edu [132.239.145.22]) by euclid.ucsd.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mAOI7J627551 for ; Mon, 24 Nov 2008 10:07:19 -0800 (PST) Received: from localhost (neldredg@localhost) by zeno.ucsd.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mAOI7Jo12529 for ; Mon, 24 Nov 2008 10:07:19 -0800 (PST) X-Authentication-Warning: zeno.ucsd.edu: neldredg owned process doing -bs Date: Mon, 24 Nov 2008 10:07:18 -0800 (PST) From: Nate Eldredge X-X-Sender: neldredg@zeno.ucsd.edu To: freebsd-security@freebsd.org In-Reply-To: <200811241747.mAOHlDSE034716@freefall.freebsd.org> Message-ID: References: <200811241747.mAOHlDSE034716@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Mailman-Approved-At: Mon, 24 Nov 2008 18:32:40 +0000 Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 18:18:39 -0000 Upon reading this, my first question was whether the weakness applies to the random numbers supplied by /dev/random. If it does, then userspace has been getting non-random values, and things like PGP and SSH keys could be compromised. It might be good for secteam to clarify this, IMHO. 
On Mon, 24 Nov 2008, FreeBSD Security Advisories wrote: > FreeBSD-SA-08.11.arc4random Security Advisory > The FreeBSD Project ... -- Nate Eldredge neldredge@math.ucsd.edu From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 19:11:05 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B0FF81065674 for ; Mon, 24 Nov 2008 19:11:05 +0000 (UTC) (envelope-from william@palfreman.com) Received: from ey-out-2122.google.com (ey-out-2122.google.com [74.125.78.25]) by mx1.freebsd.org (Postfix) with ESMTP id 52CB18FC0A for ; Mon, 24 Nov 2008 19:11:05 +0000 (UTC) (envelope-from william@palfreman.com) Received: by ey-out-2122.google.com with SMTP id 6so867319eyi.7 for ; Mon, 24 Nov 2008 11:11:04 -0800 (PST) Received: by 10.86.59.18 with SMTP id h18mr2362109fga.31.1227553526950; Mon, 24 Nov 2008 11:05:26 -0800 (PST) Received: by 10.86.81.4 with HTTP; Mon, 24 Nov 2008 11:05:26 -0800 (PST) Message-ID: <731a66520811241105h546db4c9yb3d9879f6c8baac3@mail.gmail.com> Date: Mon, 24 Nov 2008 20:05:26 +0100 From: "William Palfreman" To: stas@freebsd.org In-Reply-To: <200811241750.mAOHoaCK040495@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <200811241750.mAOHoaCK040495@freefall.freebsd.org> Cc: freebsd-security@freebsd.org, rea-fbsd@codelabs.ru Subject: Re: ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 19:11:05 -0000 2008/11/24 : > Synopsis: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187 > > State-Changed-From-To: open->closed > State-Changed-By: stas > State-Changed-When: Mon Nov 24 17:50:36 
UTC 2008 > State-Changed-Why: > Committed, with minor changes. Thanks!

I can see no need for this on the freebsd-security mailing list. It amounts to spam.

From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 19:18:05 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DCF61106564A for ; Mon, 24 Nov 2008 19:18:05 +0000 (UTC) (envelope-from william@palfreman.com) Received: from gv-out-0910.google.com (gv-out-0910.google.com [216.239.58.191]) by mx1.freebsd.org (Postfix) with ESMTP id 764618FC19 for ; Mon, 24 Nov 2008 19:18:05 +0000 (UTC) (envelope-from william@palfreman.com) Received: by gv-out-0910.google.com with SMTP id n8so384652gve.39 for ; Mon, 24 Nov 2008 11:18:04 -0800 (PST) Received: by 10.86.72.15 with SMTP id u15mr2385383fga.45.1227552941937; Mon, 24 Nov 2008 10:55:41 -0800 (PST) Received: by 10.86.81.4 with HTTP; Mon, 24 Nov 2008 10:55:41 -0800 (PST) Message-ID: <731a66520811241055x62a013at71bc1d08bcc6bda8@mail.gmail.com> Date: Mon, 24 Nov 2008 19:55:41 +0100 From: "William Palfreman" To: miwi@freebsd.org In-Reply-To: <200811230855.mAN8tmXo091500@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <200811230855.mAN8tmXo091500@freefall.freebsd.org> Cc: ports@freebsd.org, freebsd-security@freebsd.org, rea-fbsd@codelabs.ru Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 19:18:05 -0000

2008/11/23 :
> Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

Can we not have these on the freebsd-security list please?
I subscribe to freebsd-security to get security alerts, not to get emails every time a port is changed. William Palfreman From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 21:37:26 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BC5A7106564A for ; Mon, 24 Nov 2008 21:37:26 +0000 (UTC) (envelope-from ltning@anduin.net) Received: from mail.anduin.net (mail.anduin.net [213.225.74.249]) by mx1.freebsd.org (Postfix) with ESMTP id 8011E8FC13 for ; Mon, 24 Nov 2008 21:37:26 +0000 (UTC) (envelope-from ltning@anduin.net) Received: from [212.62.248.146] (helo=[192.168.2.183]) by mail.anduin.net with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1L4j7S-000KY4-As; Mon, 24 Nov 2008 22:37:22 +0100 Message-Id: <876D0973-A384-4567-8E61-771E96E8A65A@anduin.net> From: =?ISO-8859-1?Q?Eirik_=D8verby?= To: freebsd-security@freebsd.org In-Reply-To: <49299876.4020702@thelostparadise.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Apple Message framework v929.2) Date: Mon, 24 Nov 2008 22:37:23 +0100 References: <49299876.4020702@thelostparadise.com> X-Mailer: Apple Mail (2.929.2) Cc: Pieter de Boer Subject: Re: Dropping syn+fin replies, but not really? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 21:37:26 -0000 On Nov 23, 2008, at 18:52, Pieter de Boer wrote: > Eirik Øverby wrote: > >> I have a FreeBSD based firewall (pfsense) and, behind it, a few >> dozen FreeBSD servers.
Now we're required to run external security >> scans (nessus++) on some of the hosts, and they constantly come >> back with a "high" or "medium" severity problem: The host replies >> to TCP packets with SYN+FIN set. > I'd consider this at most a 'low' severity problem. Agreed. >> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the >> host in question (recent FreeBSD 7.2-PRERELEASE) have >> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a >> non-issue. > Given security tools' (including Nessus') track records of false > positives, I wouldn't be surprised if this was one of them. They generate a lot of others, too, mostly due to insufficient or downright bogus identification of services. Since when did "pound ssl proxy" equal "aladdin web server"? And since when was it common to run Apache 2.0.23 for Linux on FreeBSD 7.0? Not to mention all the windows-specific vulnerabilities I'm supposedly open to. >> Have I missed something important? Apart from this the hosts and >> services get away without any serious issues, but the security >> audit company insists this so-called hole to be closed. > It's not a hole, but could possibly aid in bypassing filtering rules > (which is quite unlikely in this day and age). It may be wise to > find a > security company that knows how to interpret and verify Nessus output. > > If you want to do verification yourself, you could try the following: > - Run tcpdump on one of the servers and on the firewall > - Run nmap from an external host using the '--scanflags SYNFIN' flag > with destination the server. > > You can let tcpdump only show specific ports and source/destination > addresses. It's probably useful to use nmap to scan both ports you > know > to be open and in use and ports that are filtered. Using the -p option > to nmap, you can specify which ports to scan.
> > Perform the nmap scan and look at the tcpdump output to see how your > firewall and/or server react.
nmap command:
nmap -PN -sT --scanflags SYNFIN -p anduin.net
where was either 80 (open) or 8585 (closed).
tcpdump command on firewall (which NATs to internal IPs):
tcpdump -i -p -vvv host alge.anart.no and \(port 80 or port 8585\)
where was the publicly facing interface on the firewall.
Results for port 80:
IP (tos 0x0, ttl 59, id 12785, offset 0, flags [DF], proto: TCP (6), length: 64) alge.anart.no.40283 > 213.225.74.230.http: S, cksum 0xa720 (correct), 3300467486:3300467486(0) win 16384
IP (tos 0x0, ttl 63, id 10914, offset 0, flags [DF], proto: TCP (6), length: 60) 213.225.74.230.http > alge.anart.no.40283: S, cksum 0x8ef5 (correct), 347647336:347647336(0) ack 3300467487 win 65535
IP (tos 0x0, ttl 59, id 33877, offset 0, flags [DF], proto: TCP (6), length: 52) alge.anart.no.40283 > 213.225.74.230.http: ., cksum 0x7dbd (correct), 1:1(0) ack 1 win 16384
IP (tos 0x0, ttl 59, id 31905, offset 0, flags [DF], proto: TCP (6), length: 40) alge.anart.no.40283 > 213.225.74.230.http: R, cksum 0x7180 (correct), 1:1(0) ack 1 win 0
Results for port 8585:
IP (tos 0x0, ttl 59, id 44156, offset 0, flags [DF], proto: TCP (6), length: 64) alge.anart.no.1839 > 213.225.74.230.8585: S, cksum 0xf765 (correct), 1324215952:1324215952(0) win 16384
IP (tos 0x0, ttl 63, id 34488, offset 0, flags [DF], proto: TCP (6), length: 40) 213.225.74.230.8585 > alge.anart.no.1839: R, cksum 0x52ef (correct), 0:0(0) ack 1324215953 win 0
I can't tell what's going on here, except I wouldn't have expected a reply at all to the second one at least, and maybe not even the first. However, I don't have enough experience to tell if nmap is doing the "right thing" here at all.
Thanks, /Eirik From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 22:06:58 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 66CD81065672 for ; Mon, 24 Nov 2008 22:06:58 +0000 (UTC) (envelope-from william@palfreman.com) Received: from ey-out-2122.google.com (ey-out-2122.google.com [74.125.78.27]) by mx1.freebsd.org (Postfix) with ESMTP id 08B798FC0C for ; Mon, 24 Nov 2008 22:06:57 +0000 (UTC) (envelope-from william@palfreman.com) Received: by ey-out-2122.google.com with SMTP id 6so898021eyi.7 for ; Mon, 24 Nov 2008 14:06:56 -0800 (PST) Received: by 10.86.74.4 with SMTP id w4mr2486413fga.2.1227564416693; Mon, 24 Nov 2008 14:06:56 -0800 (PST) Received: by 10.86.81.4 with HTTP; Mon, 24 Nov 2008 14:06:56 -0800 (PST) Message-ID: <731a66520811241406r6269274ft8a41666efd85560d@mail.gmail.com> Date: Mon, 24 Nov 2008 23:06:56 +0100 From: "William Palfreman" To: Volker In-Reply-To: <492B2242.4080102@vwsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <200811230855.mAN8tmXo091500@freefall.freebsd.org> <731a66520811241055x62a013at71bc1d08bcc6bda8@mail.gmail.com> <492B2242.4080102@vwsoft.com> Cc: ports@freebsd.org, freebsd-security@freebsd.org, rea-fbsd@codelabs.ru, miwi@freebsd.org Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 22:06:58 -0000 2008/11/24 Volker : > On 11/24/08 19:55, William Palfreman wrote: >> 2008/11/23 : >>> Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 >> >> Can we not have these on the freebsd-security list
please? I >> subscribe to freebsd-security to get security alerts, not to get >> emails every time a port is changed. >> >> William Palfreman > > You should better head over to security-advisories@ if you're only > interested in SA's. Claiming about reading security related issues on a > security mailing list sounds like fun. > > I appreciate Eygenes' work. That's nice. I am sure it is very useful on the ports mailinglist where it belongs. I also greatly enjoy the frequent interesting and informed discussion on the security mailinglist - of which Eirik Overby's thread recently about syn+fin is one example. But all these ports announcements, raw patches, garbled html etc. I could really do without. It is why there are separate lists. From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 22:12:11 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 396151065672 for ; Mon, 24 Nov 2008 22:12:11 +0000 (UTC) (envelope-from pieter@thedarkside.nl) Received: from mail.thelostparadise.com (cl-92.ede-01.nl.sixxs.net [IPv6:2001:7b8:2ff:5b::2]) by mx1.freebsd.org (Postfix) with ESMTP id 00CBA8FC16 for ; Mon, 24 Nov 2008 22:12:11 +0000 (UTC) (envelope-from pieter@thedarkside.nl) Received: from [192.168.1.12] (s55915c9e.adsl.wanadoo.nl [85.145.92.158]) by mail.thelostparadise.com (Postfix) with ESMTP id E5D6161C1D; Mon, 24 Nov 2008 23:12:09 +0100 (CET) Message-ID: <492B26B9.505@thedarkside.nl> Date: Mon, 24 Nov 2008 23:12:09 +0100 From: Pieter de Boer User-Agent: Thunderbird 2.0.0.17 (X11/20080925) MIME-Version: 1.0 To: =?ISO-8859-1?Q?Eirik_=D8verby?= References: <49299876.4020702@thelostparadise.com> <876D0973-A384-4567-8E61-771E96E8A65A@anduin.net> In-Reply-To: <876D0973-A384-4567-8E61-771E96E8A65A@anduin.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: Dropping 
syn+fin replies, but not really? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 22:12:11 -0000 Hi Eirik, >> Perform the nmap scan and look at the tcpdump output to see how your >> firewall and/or server react. > > nmap command: > nmap -PN -sT --scanflags SYNFIN -p anduin.net > where was either 80 (open) or 8585 (closed). > > tcpdump command on firewall (which NATs to internal IPs): > tcpdump -i -p -vvv host alge.anart.no and \(port 80 or port > 8585\) > where was the publicly facing interface on the firewall. > > Results for port 80: > IP (tos 0x0, ttl 59, id 12785, offset 0, flags [DF], proto: TCP (6), length: 64) alge.anart.no.40283 > 213.225.74.230.http: S, cksum 0xa720 (correct), 3300467486:3300467486(0) win 16384 > IP (tos 0x0, ttl 63, id 10914, offset 0, flags [DF], proto: TCP (6), length: 60) 213.225.74.230.http > alge.anart.no.40283: S, cksum 0x8ef5 (correct), 347647336:347647336(0) ack 3300467487 win 65535 > > Results for port 8585: > IP (tos 0x0, ttl 59, id 44156, offset 0, flags [DF], proto: TCP (6), length: 64) alge.anart.no.1839 > 213.225.74.230.8585: S, cksum 0xf765 (correct), 1324215952:1324215952(0) win 16384 > IP (tos 0x0, ttl 63, id 34488, offset 0, flags [DF], proto: TCP (6), length: 40) 213.225.74.230.8585 > alge.anart.no.1839: R, cksum 0x52ef (correct), 0:0(0) ack 1324215953 win 0 > > I can't tell what's going on here, except I wouldn't have expected a > reply at all to the second one at least, and maybe not even the first. > However, I don't have enough experience to tell if nmap is doing the > "right thing" here at all. First of all, this is not a scan with both the SYN and FIN flags set. This can be seen from the tcpdump output only showing the 'S' flag. 
You're using -sT, which makes nmap use connect(), and thus the regular SYN, SYN/ACK, ACK 3-way-handshake. For a SYN/FIN scan, you'll need root access. I tested this locally without supplying further TCP scan options to nmap. Could you retest and make sure you see 'SF' as flags in tcpdump? Secondly, it would be useful if you'd explain the following: is your firewall NATting port 8585 also, or is traffic sent to that port handled by the TCP/IP stack of the firewall itself? Furthermore, it appears the firewall is not actually filtering traffic to port 8585.. The strictest firewall configuration would be to have everything filtered except the ports you actually use. Those ports are either NATted to the back-end system or handled by the firewall itself (in case you want that functionality). From a security perspective, simply dropping incoming traffic is better than sending back RST's. In pf this is the default. Regards, Pieter From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 22:17:18 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AFDAA1065675 for ; Mon, 24 Nov 2008 22:17:18 +0000 (UTC) (envelope-from stas@FreeBSD.org) Received: from smtp.ht-systems.ru (mr0.ht-systems.ru [78.110.50.55]) by mx1.freebsd.org (Postfix) with ESMTP id 66EC98FC08 for ; Mon, 24 Nov 2008 22:17:18 +0000 (UTC) (envelope-from stas@FreeBSD.org) Received: from [85.21.245.235] (helo=orion.SpringDaemons.com) by smtp.ht-systems.ru with esmtpa (Exim 4.62) (envelope-from ) id 1L4jQp-0001hb-Uu; Tue, 25 Nov 2008 00:57:24 +0300 Received: from orion (localhost [127.0.0.1]) by orion.SpringDaemons.com (Postfix) with SMTP id 2A06F398F4; Tue, 25 Nov 2008 00:58:51 +0300 (MSK) Date: Tue, 25 Nov 2008 00:58:51 +0300 From: Stanislav Sedov To: "William Palfreman" Message-Id: <20081125005851.5e528e91.stas@FreeBSD.org> In-Reply-To: 
<731a66520811241105h546db4c9yb3d9879f6c8baac3@mail.gmail.com> References: <200811241750.mAOHoaCK040495@freefall.freebsd.org> <731a66520811241105h546db4c9yb3d9879f6c8baac3@mail.gmail.com> Organization: The FreeBSD Project X-XMPP: ssedov@jabber.ru X-Voice: +7 916 849 20 23 X-PGP-Fingerprint: F21E D6CC 5626 9609 6CE2 A385 2BF5 5993 EB26 9581 X-Mailer: carrier-pigeon Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: stas@freebsd.org, freebsd-security@freebsd.org, rea-fbsd@codelabs.ru Subject: Re: ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 22:17:18 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 24 Nov 2008 20:05:26 +0100 "William Palfreman" mentioned: > 2008/11/24 : > > Synopsis: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187 > > > > State-Changed-From-To: open->closed > > State-Changed-By: stas > > State-Changed-When: Mon Nov 24 17:50:36 UTC 2008 > > State-Changed-Why: > > Committed, with minor changes. Thanks! > > I can see no need for this on the Freebsd-security mailinglist. It > amounts to spam. This is generated automatically as this PR fixes a security issue. 
- -- Stanislav Sedov ST4096-RIPE -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAkkrI5sACgkQK/VZk+smlYEQugCggWHZ+sROzYS9lZLRNpJ652hl +XcAniWPSlgdZKmyoY0fhtd2OuOCKJ8f =noDe -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 22:17:22 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5EB4610656A5 for ; Mon, 24 Nov 2008 22:17:22 +0000 (UTC) (envelope-from stas@FreeBSD.org) Received: from smtp.ht-systems.ru (mr0.ht-systems.ru [78.110.50.55]) by mx1.freebsd.org (Postfix) with ESMTP id C56558FC0A for ; Mon, 24 Nov 2008 22:17:21 +0000 (UTC) (envelope-from stas@FreeBSD.org) Received: from [85.21.245.235] (helo=orion.SpringDaemons.com) by smtp.ht-systems.ru with esmtpa (Exim 4.62) (envelope-from ) id 1L4jQ1-0001h4-8W; Tue, 25 Nov 2008 00:56:33 +0300 Received: from orion (localhost [127.0.0.1]) by orion.SpringDaemons.com (Postfix) with SMTP id A5530398F4; Tue, 25 Nov 2008 00:57:59 +0300 (MSK) Date: Tue, 25 Nov 2008 00:57:55 +0300 From: Stanislav Sedov To: Nate Eldredge Message-Id: <20081125005755.d962ddf0.stas@FreeBSD.org> In-Reply-To: References: <200811241747.mAOHlDSE034716@freefall.freebsd.org> Organization: The FreeBSD Project X-XMPP: ssedov@jabber.ru X-Voice: +7 916 849 20 23 X-PGP-Fingerprint: F21E D6CC 5626 9609 6CE2 A385 2BF5 5993 EB26 9581 X-Mailer: carrier-pigeon Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 22:17:22 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 24 Nov 2008 10:07:18 -0800 (PST) 
Nate Eldredge mentioned: > Upon reading this, my first question was whether the weakness applies to > the random numbers supplied by /dev/random. If it does, then userspace has > been getting non-random values, and things like PGP and SSH keys could be > compromised. It might be good for secteam to clarify this, IMHO. > Userland applications are unaffected, ssh keys included. /dev/[u]?random receives entropy from Yarrow, not from arc4random, and is fed with saved entropy upon boot by /etc/rc.d/initrandom. Only kernel services that rely on arc4random(9) are vulnerable. - -- Stanislav Sedov ST4096-RIPE -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAkkrI2cACgkQK/VZk+smlYGvrwCfTEuy+4AIk/b6l6bxRX0tcVs0 PZMAniLO3ltjq5232cErhAtB7u5SJI4J =UmVN -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 22:17:34 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 485681065794 for ; Mon, 24 Nov 2008 22:17:34 +0000 (UTC) (envelope-from stas@FreeBSD.org) Received: from smtp.ht-systems.ru (mr0.ht-systems.ru [78.110.50.55]) by mx1.freebsd.org (Postfix) with ESMTP id 006168FC1A for ; Mon, 24 Nov 2008 22:17:33 +0000 (UTC) (envelope-from stas@FreeBSD.org) Received: from [85.21.245.235] (helo=orion.SpringDaemons.com) by smtp.ht-systems.ru with esmtpa (Exim 4.62) (envelope-from ) id 1L4jQH-0001hF-Ky; Tue, 25 Nov 2008 00:56:49 +0300 Received: from orion (localhost [127.0.0.1]) by orion.SpringDaemons.com (Postfix) with SMTP id CF144398F5; Tue, 25 Nov 2008 00:58:16 +0300 (MSK) Date: Tue, 25 Nov 2008 00:58:16 +0300 From: Stanislav Sedov To: Aragon Gouveia Message-Id: <20081125005816.8f1993b8.stas@FreeBSD.org> In-Reply-To: <20081124180859.GA28462@phat.za.net> References: <200811241747.mAOHlDSE034716@freefall.freebsd.org> <20081124180859.GA28462@phat.za.net> Organization: The FreeBSD Project X-XMPP: ssedov@jabber.ru X-Voice: +7 916 849 20 23
X-PGP-Fingerprint: F21E D6CC 5626 9609 6CE2 A385 2BF5 5993 EB26 9581 X-Mailer: carrier-pigeon Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 22:17:34 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 24 Nov 2008 20:08:59 +0200 Aragon Gouveia mentioned: > | By FreeBSD Security Advisories > | [ 2008-11-24 19:48 +0200 ] > > III. Impact > > > > All security-related kernel subsystems that rely on a quality random > > number generator are subject to a wide range of possible attacks for the > > 300 seconds after boot or until 64k of random data is consumed. The list > > includes: > > I suppose this would affect the quality of SSH host keys generated at boot > time by RC? > Nope, userland is unaffected. 
- -- Stanislav Sedov ST4096-RIPE -----BEGIN PGP SIGNATURE----- iEUEARECAAYFAkkrI3gACgkQK/VZk+smlYFwWQCXSwYxHbUizxmriBT3pO1Ei8W7 GACff74X/J3b4c01zRkXmsYxE981hwk= =v+Xl -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 22:19:03 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 684E8106567B; Mon, 24 Nov 2008 22:19:03 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id 2101C8FC25; Mon, 24 Nov 2008 22:19:02 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7cbe.q.ppp-pool.de [89.53.124.190]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 20F1E12883F; Mon, 24 Nov 2008 22:53:23 +0100 (CET) Received: from cesar.sz.vwsoft.com (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id BBF992E98C; Mon, 24 Nov 2008 22:52:55 +0100 (CET) Message-ID: <492B2242.4080102@vwsoft.com> Date: Mon, 24 Nov 2008 22:53:06 +0100 From: Volker User-Agent: Thunderbird 2.0.0.17 (X11/20080930) MIME-Version: 1.0 To: William Palfreman References: <200811230855.mAN8tmXo091500@freefall.freebsd.org> <731a66520811241055x62a013at71bc1d08bcc6bda8@mail.gmail.com> In-Reply-To: <731a66520811241055x62a013at71bc1d08bcc6bda8@mail.gmail.com> X-Enigmail-Version: 0.95.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit MailScanner-NULL-Check: 1228168389.64224@SZkpbKakbb802+XMAm9Jmw X-MailScanner-ID: BBF992E98C.B703D X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: 
ports@freebsd.org, freebsd-security@freebsd.org, rea-fbsd@codelabs.ru, miwi@freebsd.org Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 22:19:03 -0000 On 11/24/08 19:55, William Palfreman wrote: > 2008/11/23 : >> Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 > > Can we not have these on the freebsd-secuirty list please? I > subscribe to freebsd-security to get security alerts, not to get > emails every time a port is changed. > > William Palfreman You should better head over to security-advisories@ if you're only interested in SA's. Claiming about reading security related issues on a security mailing list sounds like fun. I appreciate Eygenes' work. Volker From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 22:35:43 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 95BEC106564A for ; Mon, 24 Nov 2008 22:35:43 +0000 (UTC) (envelope-from davidski@deadheaven.com) Received: from geoff.deadheaven.com (geoff.deadheaven.com [216.162.200.43]) by mx1.freebsd.org (Postfix) with ESMTP id 6E19A8FC1B for ; Mon, 24 Nov 2008 22:35:43 +0000 (UTC) (envelope-from davidski@deadheaven.com) Received: from localhost (localhost [127.0.0.1]) by geoff.deadheaven.com (Postfix) with ESMTP id 30B2F1567C2C for ; Mon, 24 Nov 2008 14:20:33 -0800 (PST) X-Virus-Scanned: amavisd-new at deadheaven.com Received: from geoff.deadheaven.com ([127.0.0.1]) by localhost (geoff.deadheaven.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id cQeT8nL6k6qm for ; Mon, 24 Nov 2008 14:20:30 -0800 (PST) Received: by geoff.deadheaven.com (Postfix, from userid 
1001) id E09DE1567C29; Mon, 24 Nov 2008 14:20:29 -0800 (PST) Date: Mon, 24 Nov 2008 14:20:29 -0800 From: "David F. Severski" To: freebsd-security@freebsd.org Message-ID: <20081124222029.GM85200@geoff.deadheaven.com> References: <200811230855.mAN8tmXo091500@freefall.freebsd.org> <731a66520811241055x62a013at71bc1d08bcc6bda8@mail.gmail.com> <492B2242.4080102@vwsoft.com> <731a66520811241406r6269274ft8a41666efd85560d@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <731a66520811241406r6269274ft8a41666efd85560d@mail.gmail.com> User-Agent: Mutt/1.5.18 (2008-05-17) Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 22:35:43 -0000 On Mon, Nov 24, 2008 at 11:06:56PM +0100, William Palfreman wrote: > That's nice. I am sure it is very useful on the ports mailinglist > where it belongs. I also greatly enjoy the frequent interesting and > informed discussion on the security mailinglist - of which Eirik > Overby's thread recently about syn+fin is one example. But all these > ports announcements, raw patches, garbled html etc. I could really do > without. It is why there are separate lists. Was there a discussion or even an announcement indicating that the security-related port commit messages would be sent to freebsd-security? This seems to have started just this month. Like William, I also find the explosion of commit messages and bug tracking minutia detracts from the low volume and high value of the freebsd-security list. The list description on mailman indicates the intent of the list is to be a 'high-signal, low-noise discussion of issues affecting the security of FreeBSD.' 
Including every single obliquely security related port commit seems counter to this intention. I'd very much like to see a separate list for the automated port postings, leaving this list to its historical usage. David From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 22:40:45 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3B5801065673 for ; Mon, 24 Nov 2008 22:40:45 +0000 (UTC) (envelope-from ltning@anduin.net) Received: from mail.anduin.net (mail.anduin.net [213.225.74.249]) by mx1.freebsd.org (Postfix) with ESMTP id F26D58FC27 for ; Mon, 24 Nov 2008 22:40:44 +0000 (UTC) (envelope-from ltning@anduin.net) Received: from [212.62.248.146] (helo=[192.168.2.183]) by mail.anduin.net with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1L4k6i-000NMU-V0; Mon, 24 Nov 2008 23:40:41 +0100 Message-Id: <0A92AEEC-5AF2-4DB7-9ACD-855731E168C6@anduin.net> From: =?ISO-8859-1?Q?Eirik_=D8verby?= To: Pieter de Boer In-Reply-To: <492B26B9.505@thedarkside.nl> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v929.2) Date: Mon, 24 Nov 2008 23:40:42 +0100 References: <49299876.4020702@thelostparadise.com> <876D0973-A384-4567-8E61-771E96E8A65A@anduin.net> <492B26B9.505@thedarkside.nl> X-Mailer: Apple Mail (2.929.2) Cc: freebsd-security@freebsd.org Subject: Re: Dropping syn+fin replies, but not really? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 22:40:45 -0000 On Nov 24, 2008, at 23:12, Pieter de Boer wrote: > Hi Eirik, > >>> Perform the nmap scan and look at the tcpdump output to see how your >>> firewall and/or server react.
>> nmap command: >> nmap -PN -sT --scanflags SYNFIN -p anduin.net >> where was either 80 (open) or 8585 (closed). >> tcpdump command on firewall (which NATs to internal IPs): >> tcpdump -i -p -vvv host alge.anart.no and \(port 80 or >> port 8585\) >> where was the publicly facing interface on the firewall. >> Results for port 80: >> IP (tos 0x0, ttl 59, id 12785, offset 0, flags [DF], proto: TCP >> (6), length: 64) alge.anart.no.40283 > 213.225.74.230.http: S, >> cksum 0xa720 (correct), 3300467486:3300467486(0) win 16384 > 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2747936488 0> >> IP (tos 0x0, ttl 63, id 10914, offset 0, flags [DF], proto: TCP >> (6), length: 60) 213.225.74.230.http > alge.anart.no.40283: S, >> cksum 0x8ef5 (correct), 347647336:347647336(0) ack 3300467487 win >> 65535 >> Results for port 8585: >> IP (tos 0x0, ttl 59, id 44156, offset 0, flags [DF], proto: TCP >> (6), length: 64) alge.anart.no.1839 > 213.225.74.230.8585: S, cksum >> 0xf765 (correct), 1324215952:1324215952(0) win 16384 > 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 4070158112 0> >> IP (tos 0x0, ttl 63, id 34488, offset 0, flags [DF], proto: TCP >> (6), length: 40) 213.225.74.230.8585 > alge.anart.no.1839: R, cksum >> 0x52ef (correct), 0:0(0) ack 1324215953 win 0 >> I can't tell what's going on here, except I wouldn't have expected >> a reply at all to the second one at least, and maybe not even the >> first. However, I don't have enough experience to tell if nmap is >> doing the "right thing" here at all. > > First of all, this is not a scan with both the SYN and FIN flags > set. This can be seen from the tcpdump output only showing the 'S' > flag. You're using -sT, which makes nmap use connect(), and thus the > regular SYN, SYN/ACK, ACK 3-way-handshake. For a SYN/FIN scan, > you'll need root access. I tested this locally without supplying > further TCP scan options to nmap. Could you retest and make sure you > see 'SF' as flags in tcpdump? I don't. 
With nmap --scanflags SYNFIN -p as root, I got, from what I can tell, exactly the same. Maybe this is filtered on the way out, so I need to find an unhampered box to try from? I could simply try crossing vlans through the firewall, I guess. > Secondly, it would be useful if you'd explain the following: is your > firewall NATting port 8585 also, or is traffic sent to that port > handled by the TCP/IP stack of the firewall itself? Furthermore, it > appears the firewall is not actually filtering traffic to port 8585.. This particular machine is behind 1:1 NATing. I usually do NAT+fwrules for needed ports only, but even in those cases I get the (false?) syn+fin alerts from (in this case) securityspace.com. > The strictest firewall configuration would be to have everything > filtered except the ports you actually use. Those ports are either > NATted to the back-end system or handled by the firewall itself (in > case you want that functionality). From a security perspective, > simply dropping incoming traffic is better than sending back RST's. > In pf this is the default. That is correct, however in this case I do 1:1 and no pf on the target host (it is in a DMZ). I ran the scan on this system out of curiosity only, however as stated above this problem is far from unique to this particular system. Thanks for your input, I'll keep trying to reproduce this.. /Eirik
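The verification Pieter proposes above (capture with tcpdump, probe with nmap --scanflags SYNFIN, then check that the probe really shows 'SF' and see what comes back) can be mechanised over the capture. The following is an added example, not code from anyone in this thread: it parses the packet summary lines in the format tcpdump printed in Eirik's mail and classifies each scanner-to-target flow. The first six capture lines are the port 80 and 8585 results quoted above; the flows from the host name scanner.example are constructed here to exercise the SYN+FIN branches and are not real captures. Assumptions: the scanner host names are known to the caller, and the flags field is the older tcpdump style shown in the thread (S, SF, R, .) rather than the newer "Flags [SF]" style, which the regex would have to be adjusted for.

```python
"""Triage tcpdump output from a SYN+FIN verification run (added example).

Reads tcpdump -vvv summary lines in the style shown in the thread and, per
scanner->target flow, reports whether the probe actually carried SYN+FIN and
how the far end answered. A probe without F says nothing about
net.inet.tcp.drop_synfin; that is the trap Pieter points out (-sT sends a
plain SYN via connect()).
"""
import re
from collections import OrderedDict

# "... length: 64) alge.anart.no.40283 > 213.225.74.230.http: S, cksum ..."
# -> src host, src port, dst host, dst port, flag letters. Ports may be
# numeric or service names; hosts may contain dots, so the port is the last
# dot-separated component before " > " or ": ".
_PKT = re.compile(
    r"\)\s+(?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>[^.\s]+): "
    r"(?P<flags>[SFRPUWE.]+),"
)

# Lines 1-6: the captures quoted in the thread. Lines 7-11: constructed here
# (host scanner.example, zero checksums) to show the SYN+FIN outcomes.
SAMPLE_CAPTURE = """\
IP (tos 0x0, ttl 59, id 12785, offset 0, flags [DF], proto: TCP (6), length: 64) alge.anart.no.40283 > 213.225.74.230.http: S, cksum 0xa720 (correct), 3300467486:3300467486(0) win 16384
IP (tos 0x0, ttl 63, id 10914, offset 0, flags [DF], proto: TCP (6), length: 60) 213.225.74.230.http > alge.anart.no.40283: S, cksum 0x8ef5 (correct), 347647336:347647336(0) ack 3300467487 win 65535
IP (tos 0x0, ttl 59, id 33877, offset 0, flags [DF], proto: TCP (6), length: 52) alge.anart.no.40283 > 213.225.74.230.http: ., cksum 0x7dbd (correct), 1:1(0) ack 1 win 16384
IP (tos 0x0, ttl 59, id 31905, offset 0, flags [DF], proto: TCP (6), length: 40) alge.anart.no.40283 > 213.225.74.230.http: R, cksum 0x7180 (correct), 1:1(0) ack 1 win 0
IP (tos 0x0, ttl 59, id 44156, offset 0, flags [DF], proto: TCP (6), length: 64) alge.anart.no.1839 > 213.225.74.230.8585: S, cksum 0xf765 (correct), 1324215952:1324215952(0) win 16384
IP (tos 0x0, ttl 63, id 34488, offset 0, flags [DF], proto: TCP (6), length: 40) 213.225.74.230.8585 > alge.anart.no.1839: R, cksum 0x52ef (correct), 0:0(0) ack 1324215953 win 0
IP (tos 0x0, ttl 59, id 100, offset 0, flags [DF], proto: TCP (6), length: 44) scanner.example.40001 > 213.225.74.230.http: SF, cksum 0x0000 (correct), 1000:1000(0) win 1024
IP (tos 0x0, ttl 63, id 101, offset 0, flags [DF], proto: TCP (6), length: 44) 213.225.74.230.http > scanner.example.40001: S, cksum 0x0000 (correct), 2000:2000(0) ack 1001 win 65535
IP (tos 0x0, ttl 59, id 102, offset 0, flags [DF], proto: TCP (6), length: 44) scanner.example.40002 > 213.225.74.230.8585: SF, cksum 0x0000 (correct), 3000:3000(0) win 1024
IP (tos 0x0, ttl 63, id 103, offset 0, flags [DF], proto: TCP (6), length: 40) 213.225.74.230.8585 > scanner.example.40002: R, cksum 0x0000 (correct), 0:0(0) ack 3001 win 0
IP (tos 0x0, ttl 59, id 104, offset 0, flags [DF], proto: TCP (6), length: 44) scanner.example.40003 > 213.225.74.230.https: SF, cksum 0x0000 (correct), 4000:4000(0) win 1024
"""


def parse_packets(text):
    """Return (src, sport, dst, dport, flagset) for every line that parses."""
    pkts = []
    for line in text.splitlines():
        m = _PKT.search(line)
        if m:
            flags = set(m["flags"]) - {"."}  # "." means no flags set
            pkts.append((m["src"], m["sport"], m["dst"], m["dport"], flags))
    return pkts


def triage(text, scanner_hosts):
    """Classify each scanner->target flow keyed by (scanner port, target, target port)."""
    flows = OrderedDict()
    for src, sport, dst, dport, flags in parse_packets(text):
        if src in scanner_hosts:                       # outbound probe
            f = flows.setdefault((sport, dst, dport), {"probe": None, "replies": []})
            if f["probe"] is None:                     # first packet is the probe
                f["probe"] = flags
        elif dst in scanner_hosts:                     # reply from target
            f = flows.setdefault((dport, src, sport), {"probe": None, "replies": []})
            f["replies"].append(flags)

    verdicts = OrderedDict()
    for key, f in flows.items():
        probe = f["probe"]
        if probe is None:
            verdicts[key] = "reply without probe: capture incomplete"
        elif not {"S", "F"} <= probe:
            # What the thread's captures show: plain S, i.e. a connect() scan.
            verdicts[key] = "probe is not SYN+FIN (flags %s): scan invalid" % "".join(sorted(probe))
        elif any("S" in r for r in f["replies"]):
            verdicts[key] = "SYN+FIN answered with SYN/ACK: drop_synfin not effective on this path"
        elif any("R" in r for r in f["replies"]):
            verdicts[key] = "SYN+FIN answered with RST: port closed or filter replies with reset"
        else:
            verdicts[key] = "SYN+FIN silently dropped"
    return verdicts


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_CAPTURE, {"alge.anart.no", "scanner.example"}).items():
        print("%s -> %s:%s  %s" % (key[0], key[1], key[2], verdict))
```

Run against the real two flows from the thread the script reports "probe is not SYN+FIN (flags S): scan invalid", which is Pieter's diagnosis; only a flow whose probe shows SF and whose reply is a SYN/ACK would support the scanner's finding. Feed it `tcpdump -n -vvv ... | python3 triage.py`-style captures from both the firewall and the server to tell a NAT/firewall reply apart from one generated by the host behind it.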
From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 22:54:16 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1141F1065677 for ; Mon, 24 Nov 2008 22:54:16 +0000 (UTC) (envelope-from freebsd-security@dfmm.org) Received: from dfmm.org (treehorn.dfmm.org [66.180.195.213]) by mx1.freebsd.org (Postfix) with ESMTP id D514E8FC26 for ; Mon, 24 Nov 2008 22:54:15 +0000 (UTC) (envelope-from freebsd-security@dfmm.org) Received: (qmail 5534 invoked by uid 1000); 24 Nov 2008 22:27:34 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 24 Nov 2008 22:27:34 -0000 Date: Mon, 24 Nov 2008 14:27:34 -0800 (PST) From: Jason Stone X-X-Sender: jason@treehorn.dfmm.org To: freebsd-security@freebsd.org In-Reply-To: <731a66520811241406r6269274ft8a41666efd85560d@mail.gmail.com> Message-ID: References: <200811230855.mAN8tmXo091500@freefall.freebsd.org> <731a66520811241055x62a013at71bc1d08bcc6bda8@mail.gmail.com> <492B2242.4080102@vwsoft.com> <731a66520811241406r6269274ft8a41666efd85560d@mail.gmail.com> User-Agent: Alpine 1.00 (BSF 882 2007-12-20) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: rea-fbsd@codelabs.ru, miwi@freebsd.org Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Nov 2008 22:54:16 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> You should better head over to security-advisories@ if you're only >> interested in SA's. Claiming about reading security related issues on a >> security mailing list sounds like fun. >> >> I appreciate Eygenes' work.
I also appreciate this work, but I agree that I don't think it's appropriate for freebsd-security@. It's much too noisy, and makes it harder to see real discussion in amongst the noise.

If people really would like to see these kind of notifications (i.e., security-related PRs for ports) in mailing-list format, I think that a separate mailing list would be appropriate (e.g., freebsd-security-ports@).

Thanks as always to the security team for their fine work.

-Jason

From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 23:30:46 2008
Date: Mon, 24 Nov 2008 23:14:35 +0000
From: Robert Woolley
To: freebsd-security@freebsd.org
Message-ID: <20081124231435.326fadc4@gumby.homeunix.com>
References: <200811241747.mAOHlDSE034716@freefall.freebsd.org>
X-Mailer: Claws Mail 3.5.0 (GTK+ 2.12.11;
i386-portbld-freebsd7.0)
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random

On Mon, 24 Nov 2008 10:07:18 -0800 (PST) Nate Eldredge wrote:

> Upon reading this, my first question was whether the weakness applies
> to the random numbers supplied by /dev/random. If it does, then
> userspace has been getting non-random values, and things like PGP and
> SSH keys could be compromised. It might be good for secteam to
> clarify this, IMHO.

I'm not from secteam, but I did submit the problem and suggest the solution.

The primary problem is that the kernel version of arc4random is seeded from yarrow before yarrow itself is seeded. This does not affect /dev/random or userland arc4random, just the things mentioned in the advisory.

However, there is a second problem that is fixed by the patch, but not documented in the advisory. Closing a write to /dev/random causes a yarrow reseed, but previously didn't flush the entropy queue first. The first 4kB of low-grade entropy that's fed into /dev/random before the entropy file causes the queue to saturate, leaving no space for the entropy file, which is tail-dropped. And without a flush any entropy in the queues isn't processed into the yarrow key until another reseed occurs, at which point it's redundant anyway. In short, the primary entropy file didn't previously do anything useful.

Whether that's actually a problem isn't clear to me. On my desktop machine yarrow reseeds by itself before the entropy file is used, due to disk activity.
There may however be some platforms where the entropy file is really needed, and /dev/random itself may have been a bit insecure until the stage in the boot process where /var is mounted and the secondary entropy files in /var/db/entropy/ are used.

PGP and SSH keys are generated late in the boot process, or after boot, usually on machines with plenty of entropy, so there shouldn't be an issue there.

From owner-freebsd-security@FreeBSD.ORG Mon Nov 24 22:53:50 2008
Message-ID:
<28283d910811241433w4a20ffe8mca58bc98d55b3ac3@mail.gmail.com>
Date: Mon, 24 Nov 2008 17:33:00 -0500
From: "matt donovan"
To: "William Palfreman"
Cc: Volker, ports@freebsd.org, miwi@freebsd.org, rea-fbsd@codelabs.ru, freebsd-security@freebsd.org
In-Reply-To: <731a66520811241406r6269274ft8a41666efd85560d@mail.gmail.com>
Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

On Mon, Nov 24, 2008 at 5:06 PM, William Palfreman wrote:

> 2008/11/24 Volker :
> > On 11/24/08 19:55, William Palfreman wrote:
> >> 2008/11/23 :
> >>> Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix
> >>> CVE-2008-4829
> >>
> >> Can we not have these on the freebsd-security list please? I
> >> subscribe to freebsd-security to get security alerts, not to get
> >> emails every time a port is changed.
> >>
> >> William Palfreman
> >
> > You should better head over to security-advisories@ if you're only
> > interested in SA's. Claiming about reading security related issues on a
> > security mailing list sounds like fun.
> >
> > I appreciate Eygenes' work.
>
> That's nice. I am sure it is very useful on the ports mailinglist
> where it belongs.
> I also greatly enjoy the frequent interesting and
> informed discussion on the security mailinglist - of which Eirik
> Overby's thread recently about syn+fin is one example. But all these
> ports announcements, raw patches, garbled html etc. I could really do
> without. It is why there are separate lists.
>
> _______________________________________________
> freebsd-ports@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
>

You do know that the email you're complaining about is about a security update, correct? If you don't like it then you really need to use security-advisories instead of being subscribed to this one.

From owner-freebsd-security@FreeBSD.ORG Tue Nov 25 05:51:33 2008
Date: Tue, 25 Nov 2008 16:30:19 +1100 (EST)
From: Ian Smith
To: "David F.
Severski"
Cc: freebsd-security@freebsd.org
Message-ID: <20081125153335.Q43853@sola.nimnet.asn.au>
In-Reply-To: <20081124222029.GM85200@geoff.deadheaven.com>
Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

On Mon, 24 Nov 2008, David F. Severski wrote:

> On Mon, Nov 24, 2008 at 11:06:56PM +0100, William Palfreman wrote:
> > That's nice. I am sure it is very useful on the ports mailinglist
> > where it belongs. I also greatly enjoy the frequent interesting and
> > informed discussion on the security mailinglist - of which Eirik
> > Overby's thread recently about syn+fin is one example. But all these
> > ports announcements, raw patches, garbled html etc. I could really do
> > without. It is why there are separate lists.
>
> Was there a discussion or even an announcement indicating that the
> security-related port commit messages would be sent to freebsd-security?

Not that I could find. The other day I reviewed the last three months' archives looking for any notice I'd missed. These ports security issues and patches postings began on Nov 8; I've resisted commenting until now.

> This seems to have started just this month. Like William, I also find the
> explosion of commit messages and bug tracking minutia detracts from the
> low volume and high value of the freebsd-security list.
> The list
> description on mailman indicates the intent of the list is to be a
> 'high-signal, low-noise discussion of issues affecting the security of
> FreeBSD.' Including every single obliquely security related port commit
> seems counter to this intention.
>
> I'd very much like to see a separate list for the automated port postings,
> leaving this list to its historical usage.

I'm also finding these to be swamping S/N (as are these posts, I know!) and no, switching to security-advisories@ wouldn't cut it for me, for the same reasons William mentions above.

We're heading towards 20,000 ports these days, and while I appreciate and rely on the vuxml database and portaudit for vulns and updates for those ports I use, and am glad to see such active work going on, I'm feeling the separation of base system (including contrib) from ports remains important - especially in the security context.

My 2c (now scarcely U$1.3c),

Ian

From owner-freebsd-security@FreeBSD.ORG Tue Nov 25 07:08:24 2008
Date: Tue, 25 Nov 2008 10:08:20 +0300
From: Eygene Ryabinkin
To: William Palfreman
Cc: stas@freebsd.org, freebsd-security@freebsd.org, miwi@freebsd.org
In-Reply-To: <731a66520811241105h546db4c9yb3d9879f6c8baac3@mail.gmail.com>
Subject: Re: PR followups in the freebsd-security list [WAS: ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187]

William, everyone, good day.

Mon, Nov 24, 2008 at 08:05:26PM +0100, William Palfreman wrote:
> 2008/11/24 :
> > Synopsis: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
> >
> > State-Changed-From-To: open->closed
> > State-Changed-By: stas
> > State-Changed-When: Mon Nov 24 17:50:36 UTC 2008
> > State-Changed-Why:
> > Committed, with minor changes. Thanks!
>
> I can see no need for this on the Freebsd-security mailinglist. It
> amounts to spam.

Sorry for this. I used to put freebsd-security@ to the X-GNATS-Notify field of the PR, so followups were slipping to this list. Since the very last Sunday (or Saturday, don't remember well ;)), I am putting freebsd-security@freebsd.org to the CC field of the original PR. Thus, only initial posting will go into the list. I hope that such approach will be better for the list and its subscribers.
If this still won't be a satisfying decision, I can completely drop freebsd-security@ from the PR recipients, but in this case I could miss some important feedback from the community and I want to avoid this, if it will be possible.

Once again, sorry for the noise. Old PR's will still produce some amount of follow-ups, but the new ones shouldn't do it anymore.

While I am here: thanks for the appreciation of my work that was expressed by the people in the list ;))

Thanks for your patience!
--
Eygene

  Remember that it is hard to read the on-line manual
  while single-stepping the kernel.
      -- FreeBSD Developers handbook

From owner-freebsd-security@FreeBSD.ORG Tue Nov 25 11:52:25 2008
Message-ID: <492BE6CE.4040809@infracaninophile.co.uk>
Date: Tue, 25 Nov 2008 11:51:42 +0000
From: Matthew Seaman
Organization: Infracaninophile
To: Jason Stone
Cc: freebsd-security@freebsd.org, rea-fbsd@codelabs.ru, miwi@freebsd.org
Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

This is an
OpenPGP/MIME signed message (RFC 2440 and 3156)

Jason Stone wrote:
> If people really would like to see these kind of notifications (i.e.,
> security-related PRs for ports) in mailing-list format, I think that a
> separate mailing list would be appropriate (e.g.,
> freebsd-security-ports@).

There's already a freebsd-vuxml@ list which hasn't seen any traffic for a long time...

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW

From owner-freebsd-security@FreeBSD.ORG Tue Nov 25 03:05:09 2008
Date: Tue, 25 Nov 2008 03:45:16 +0100
From: Jesper Wallin
To: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org
Message-ID: <20081125024516.GA81845@zero.nohack.se>
In-Reply-To: <+ug4ae9RHVVTC7ztvaDEPTyd/iQ@iXA9ZWPrtc2I2BMzBXoToMd7YdQ>
Subject: Re: Dropping syn+fin replies, but not really?

* Eygene Ryabinkin [2008-11-23 23:43:03 +0300]:
> Eirik, good day.
>
> Sun, Nov 23, 2008 at 05:03:15PM +0100, Eirik Øverby wrote:
> > I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> > FreeBSD servers. Now we're required to run external security scans
> > (nessus++) on some of the hosts, and they constantly come back with a
> > "high" or "medium" severity problem: The host replies to TCP packets
> > with SYN+FIN set.
> >
> > Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the
> > host in question (recent FreeBSD 7.2-PRERELEASE) have
> > net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> > non-issue.
>
> First of all, (if I am correct) your firewall's setting for drop_synfin
> isn't relevant for the packets that are traversing the firewall: TCP
> input layer drops these and firewall isn't using this layer.
>
> The easy way to identify if there are replies to SYN+FIN is to spawn
> tcpdump on the firewall and see what's going on. It may be well so that
> some sort of scrubbing/modulation is done on the firewall, so when
> firewall notices that the SYN + FIN is blackholed, it generates RST by
> itself or just blocks SYN + FIN by itself, but sends RST. I am making
> guesses here, because I can't test it just now and I have no idea about
> your setup.
>
> If I remember correctly, pf is used on the pfSense, so you can easily
> block SYN + FIN on the ingress port(s):
> -----
> block in quick on $ingress proto tcp from any to \
>     flags SF/ASF
> -----

Might be worth pointing out that if pfSense indeed uses pf, and it's set up to use the "scrub" option, a packet with SYN/FIN will simply have the FIN bit removed and the packet is delivered as a normal SYN packet. This will probably cause most pen-testing software to believe that the target host accepts packets with SYN/FIN set.

Come to think of it, I wrote a similar post about this a few years ago:
http://lists.freebsd.org/pipermail/freebsd-security/2005-July/003010.html

Though, don't use that "patch" unless you know what you're doing, especially since it's written ages ago and the source has probably been modified both once or twice by now. :-)

Regards,
Jesper

> --
> Eygene
From owner-freebsd-security@FreeBSD.ORG Tue Nov 25 12:49:36 2008
Date: Tue, 25 Nov 2008 15:49:33 +0300
From: Eygene Ryabinkin
To: Matthew Seaman
Cc: Jason Stone, miwi@freebsd.org, freebsd-security@freebsd.org
In-Reply-To: <492BE6CE.4040809@infracaninophile.co.uk>
Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829
Matthew, good day.

Tue, Nov 25, 2008 at 11:51:42AM +0000, Matthew Seaman wrote:
> Jason Stone wrote:
>
> > If people really would like to see these kind of notifications (i.e.,
> > security-related PRs for ports) in mailing-list format, I think that a
> > separate mailing list would be appropriate (e.g.,
> > freebsd-security-ports@).
>
> There's already a freebsd-vuxml@ list which hasn't seen any traffic
> for a long time...

Wow, thanks for information! So, I think I'll now CC my PRs to that list. But the question is: should I leave freebsd-security@ in the CC or people prefer not to see them here. Posting PRs to the dead list isn't a very good idea, you know, but () may be the list will be resurrected with my postings.

Since freebsd-security is said to be "high-signal, low-noise discussion", then I'll refrain from CC'ing it for now, but if there will be any interest -- I can add CC back.

Thanks!
--
Eygene
From owner-freebsd-security@FreeBSD.ORG Tue Nov 25 12:52:40 2008
Date: Tue, 25 Nov 2008 23:51:54 +1100 (EST)
From: Ian Smith
To: Eirik Øverby
Cc: freebsd-security@freebsd.org, Pieter de Boer
Message-ID: <20081125232938.C43853@sola.nimnet.asn.au>
In-Reply-To: <0A92AEEC-5AF2-4DB7-9ACD-855731E168C6@anduin.net>
Subject: Re: Dropping syn+fin replies, but not really?
On Mon, 24 Nov 2008, Eirik Øverby wrote:

> On Nov 24, 2008, at 23:12, Pieter de Boer wrote:

[..]

> > > Results for port 8585:
> > > IP (tos 0x0, ttl 59, id 44156, offset 0, flags [DF], proto: TCP (6),
> > > length: 64) alge.anart.no.1839 > 213.225.74.230.8585: S, cksum 0xf765
> > > (correct), 1324215952:1324215952(0) win 16384 <mss
> > > 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 4070158112 0>
> > > IP (tos 0x0, ttl 63, id 34488, offset 0, flags [DF], proto: TCP (6),
> > > length: 40) 213.225.74.230.8585 > alge.anart.no.1839: R, cksum 0x52ef
> > > (correct), 0:0(0) ack 1324215953 win 0
> > > I can't tell what's going on here, except I wouldn't have expected a
> > > reply at all to the second one at least, and maybe not even the first.
> > > However, I don't have enough experience to tell if nmap is doing the
> > > "right thing" here at all.

[..]

> > The strictest firewall configuration would be to have everything filtered
> > except the ports you actually use. Those ports are either NATted to the
> > back-end system or handled by the firewall itself (in case you want that
> > functionality). From a security perspective, simply dropping incoming
> > traffic is better than sending back RST's. In pf this is the default.
>
> That is correct, however in this case I do 1:1 and no pf on the target host
> (it is in a DMZ). I ran the scan on this system out of curiosity only,
> however as stated above this problem is far from unique to this particular
> system.
>
> Thanks for your input, I'll keep trying to reproduce this..

Perhaps off to the side, but I wonder if net.inet.tcp.blackhole may be relevant?
Here tcpdump was showing RSTs back to attempted connections to unused
ports, despite these being dropped on ingress by the firewall, which I
thought was unnecessarily informative :)

# net.inet.tcp.blackhole: Do not send RST when dropping refused connections
net.inet.tcp.blackhole=1

fixed that here.  Caveats: that's on a 5.5-STABLE box using ipfw to drop
such connections.  I'd been surprised to see those RSTs too ..

cheers, Ian

From owner-freebsd-security@FreeBSD.ORG Tue Nov 25 14:43:26 2008
Date: Tue, 25 Nov 2008 09:26:01 -0500
From: Wesley Shields <wxs@atarininja.org>
To: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org, Jason Stone, miwi@freebsd.org
Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829
On Tue, Nov 25, 2008 at 03:49:33PM +0300, Eygene Ryabinkin wrote:
> Matthew, good day.
>
> Tue, Nov 25, 2008 at 11:51:42AM +0000, Matthew Seaman wrote:
> > Jason Stone wrote:
> >
> > > If people really would like to see these kind of notifications (i.e.,
> > > security-related PRs for ports) in mailing-list format, I think that a
> > > separate mailing list would be appropriate (e.g.,
> > > freebsd-security-ports@).
> >
> > There's already a freebsd-vuxml@ list which hasn't seen any traffic
> > for a long time...
>
> Wow, thanks for information!  So, I think I'll now CC my PRs to that
> list.  But the question is: should I leave freebsd-security@ in the CC
> or people prefer not to see them here.  Posting PRs to the dead list
> isn't a very good idea, you know, but () may be the list
> will be resurrected with my postings.

The vuxml list is a much better place for this, based upon the
description of the list: "entries in the FreeBSD VuXML document (new
submissions, modifications, style, and so on)"

> Since freebsd-security is said to be "high-signal, low-noise
> discussion", then I'll refrain from CC'ing it for now, but if there will
> be any interest -- I can add CC back.

While I echo earlier statements about the appreciation for your work I
do believe that the vuxml list is a more appropriate place to CC your
submissions, if you feel the need to CC something.  As someone who
actively looks at incoming PRs I don't think you need to CC anything,
but if you have to then the vuxml list is a better fit than this.
-- 
WXS

From owner-freebsd-security@FreeBSD.ORG Fri Nov 28 11:43:19 2008
Date: Fri, 28 Nov 2008 14:43:16 +0300
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: dinoex@FreeBSD.org
Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org
Subject: Re: ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference
Dirk, good day.

Fri, Nov 28, 2008 at 09:12:47AM +0100, dinoex@FreeBSD.org wrote:
> Synopsis: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference
>
> State-Changed-From-To: feedback->closed
> State-Changed-By: dinoex
> State-Changed-When: Fri Nov 28 09:11:46 CET 2008
> State-Changed-Why:
> The patch was mangled again.

In the interface that is provided by query-pr.cgi -- yes.  But I had
sent it to you directly.  Was it mangled too?

> committed, thanks.

Thank you.  Again, what about VuXML entry?
-- 
Eygene

  Remember that it is hard to read the on-line manual while
  single-stepping the kernel.
    -- FreeBSD Developers handbook

From owner-freebsd-security@FreeBSD.ORG Fri Nov 28 08:12:48 2008
Date: Fri, 28 Nov 2008 09:12:47 +0100 (CET)
From: dinoex@FreeBSD.org
To: freebsd-security@freebsd.org, dinoex@freebsd.org, rea-fbsd@codelabs.ru
Subject: Re: ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference

Synopsis: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference

State-Changed-From-To: feedback->closed
State-Changed-By: dinoex
State-Changed-When: Fri Nov 28 09:11:46 CET 2008
State-Changed-Why:
The patch was mangled again.
committed, thanks.

http://www.freebsd.org/cgi/query-pr.cgi?pr=129001
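Ian Smith's observation in the syn+fin thread above (RSTs going back to probes of unused ports until net.inet.tcp.blackhole=1 was set) is easiest to confirm from a packet capture rather than from a scanner's verdict. What follows is an added example and not code from the thread, from pfSense or from FreeBSD: a small Python checker that parses the verbose `tcpdump -v` line format quoted in the thread, pairs every inbound SYN probe aimed at the host with whatever the host sent back, and reports per port whether the host stayed silent (the blackhole result), answered RST, answered SYN+ACK (an open service), or answered SYN+FIN (the reply the original scan flagged). The capture lines are constructed to mirror the quoted ones; the host 192.0.2.10, the name scanner.example.net and all function names are my own assumptions.

```python
"""Pair SYN probes in a tcpdump capture with the scanned host's replies.

Added example, not from the thread or from FreeBSD.  It reads the verbose
`tcpdump -v` line format quoted in the thread and reports, per probed port,
whether the host stayed silent (what net.inet.tcp.blackhole=1 gives you),
answered RST, answered SYN+ACK (an open port) or answered SYN+FIN.
"""
import re

# One TCP line of `tcpdump -v` output, e.g.
# "... proto: TCP (6), length: 40) 192.0.2.10.8585 > scanner.example.net.1839: R, cksum ..."
TCP_LINE = re.compile(
    r"proto: TCP \(6\), length: \d+\) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+),"
)

# Constructed capture modelled on the lines quoted in the thread.  192.0.2.10 is
# the scanned host and scanner.example.net the scanner; both are hypothetical.
TARGET = "192.0.2.10"
SAMPLE_CAPTURE = """\
IP (tos 0x0, ttl 59, id 44156, offset 0, flags [DF], proto: TCP (6), length: 64) scanner.example.net.1839 > 192.0.2.10.8585: S, cksum 0xf765 (correct), 1324215952:1324215952(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 4070158112 0>
IP (tos 0x0, ttl 63, id 34488, offset 0, flags [DF], proto: TCP (6), length: 40) 192.0.2.10.8585 > scanner.example.net.1839: R, cksum 0x52ef (correct), 0:0(0) ack 1324215953 win 0
IP (tos 0x0, ttl 59, id 44157, offset 0, flags [DF], proto: TCP (6), length: 64) scanner.example.net.1840 > 192.0.2.10.8586: S, cksum 0x1111 (correct), 10:10(0) win 16384 <mss 1460>
IP (tos 0x0, ttl 59, id 44158, offset 0, flags [DF], proto: TCP (6), length: 64) scanner.example.net.1841 > 192.0.2.10.22: S, cksum 0x2222 (correct), 20:20(0) win 16384 <mss 1460>
IP (tos 0x0, ttl 63, id 34489, offset 0, flags [DF], proto: TCP (6), length: 60) 192.0.2.10.22 > scanner.example.net.1841: S., cksum 0x3333 (correct), 500:500(0) ack 21 win 65535 <mss 1460>
IP (tos 0x0, ttl 59, id 44159, offset 0, flags [DF], proto: TCP (6), length: 64) scanner.example.net.1842 > 192.0.2.10.8587: S, cksum 0x4444 (correct), 30:30(0) win 16384 <mss 1460>
IP (tos 0x0, ttl 63, id 34490, offset 0, flags [DF], proto: TCP (6), length: 60) 192.0.2.10.8587 > scanner.example.net.1842: SF, cksum 0x5555 (correct), 600:600(0) ack 31 win 65535 <mss 1460>
IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto: ICMP (1), length: 84) 192.0.2.10 > scanner.example.net: ICMP echo reply, id 1, seq 1, length 64
"""


def parse_tcp(line):
    """Return the TCP header fields of one tcpdump line, or None for non-TCP lines."""
    m = TCP_LINE.search(line)
    if m is None:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def reply_verdict(flags):
    """Map tcpdump's flag string ('.' marks ACK) to a verdict for a probe reply."""
    bits = flags.replace(".", "")
    if bits == "R":
        return "rst"
    if bits == "SF":
        return "syn+fin"
    if bits == "S" and "." in flags:
        return "syn+ack"
    return "other:" + flags


def classify_replies(lines, host):
    """For every SYN probe aimed at `host`, record what the host sent back.

    Returns {probed_port: verdict}; the verdict is 'silent' when nothing came back.
    """
    verdicts = {}
    pending = set()  # (prober, prober_port, probed_port) of probes not yet answered
    for line in lines:
        pkt = parse_tcp(line)
        if pkt is None:
            continue
        if pkt["dst"] == host and pkt["flags"] == "S":
            pending.add((pkt["src"], pkt["sport"], pkt["dport"]))
            verdicts.setdefault(pkt["dport"], "silent")
        elif pkt["src"] == host:
            key = (pkt["dst"], pkt["dport"], pkt["sport"])
            if key in pending:  # a reply to a probe we saw go in
                pending.discard(key)
                verdicts[pkt["sport"]] = reply_verdict(pkt["flags"])
    return verdicts


def needs_attention(verdicts):
    """Ports whose reply tells a scanner something: RST (blackhole off) or SYN+FIN."""
    return sorted(p for p, v in verdicts.items() if v in ("rst", "syn+fin"))


def check_sample():
    return classify_replies(SAMPLE_CAPTURE.splitlines(), TARGET)


if __name__ == "__main__":
    result = check_sample()
    for port in sorted(result):
        print(f"port {port:5d}: {result[port]}")
    print("needs attention:", needs_attention(result))
```

Run it against a real capture by feeding the lines of `tcpdump -n -v` (taken on the host or on the firewall's inside interface) to classify_replies() with the host's address; a port listed by needs_attention() after net.inet.tcp.blackhole=1 and net.inet.tcp.drop_synfin=1 have been set means the reply is coming from somewhere other than the host's TCP stack, which is exactly the ambiguity the thread was chasing.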