From: Volodymyr Kostyrko
Date: Fri, 16 Dec 2011 17:01:58 +0200
To: freebsd-security@freebsd.org
Subject: CVE-2011-1945

Hi all.

Recently I started to recheck usability of ssh keys and found that ECDSA keys are already available. I've tried to make one and it points me about key bit length. Reading about this on http://en.wikipedia.org/wiki/Elliptic_Curve_DSA I also noticed that a timing attack is possible against OpenSSL. Quickly checking the code shows that we haven't integrated the fix yet, as the current revision of

http://svnweb.freebsd.org/base/stable/9/crypto/openssl/crypto/ecdsa/ecs_ossl.c?revision=225736&view=markup
http://svnweb.freebsd.org/base/head/crypto/openssl/crypto/ecdsa/ecs_ossl.c?revision=225736&view=markup

misses the fix from:

http://cvs.openssl.org/chngview?cn=20892

And after latest OpenSSH import by des:

http://svnweb.freebsd.org/base?view=revision&revision=221420

we are automatically creating (and using?) private ECDSA key:

http://svnweb.freebsd.org/base/stable/9/etc/rc.d/sshd?r1=221419&r2=221420&

Am I missing something?

-- 
Sphinx of black quartz judge my vow.

From: Mike Tancsa
Date: Mon, 19 Dec 2011 14:41:41 -0500
To: freebsd-security@freebsd.org
Subject: logging _rtld errors

Are there any security reasons as to why

http://www.freebsd.org/cgi/query-pr.cgi?pr=142258 ([patch] rtld(1): add ability to log or print rtld errors)

would not have been committed to the tree?
---Mike

-- 
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From: Xin LI
Date: Mon, 19 Dec 2011 11:54:46 -0800
To: Mike Tancsa
Cc: freebsd-security@freebsd.org, kib@freebsd.org
Subject: Re: logging _rtld errors
Hi,

On Mon, Dec 19, 2011 at 11:41 AM, Mike Tancsa wrote:
> Are there any security reasons as to why
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=142258 ([patch] rtld(1): add
> ability to log or print rtld errors)
>
> would not have been committed to the tree ?

I've added kib@ to Cc list.

It doesn't seem to me that this proposed change would do something with security? Personally I think the change is reasonable (but we may want printf be replaced with _rtld_error in rtld.c and use LD_UTRACE there?)

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die

From: Kostik Belousov
Date: Mon, 19 Dec 2011 22:01:04 +0200
To: Xin LI
Cc: freebsd-security@freebsd.org
Subject: Re: logging _rtld errors

On Mon, Dec 19, 2011 at 11:54:46AM -0800, Xin LI wrote:
> Hi,
> 
> On Mon, Dec 19, 2011 at 11:41 AM, Mike Tancsa wrote:
> > Are there any security reasons as to why
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=142258 ([patch] rtld(1): add
> > ability to log or print rtld errors)
> >
> > would not have been committed to the tree ?
> 
> I've added kib@ to Cc list.
> 
> It doesn't seem to me that this proposed change would do something
> with security? Personally I think the change is reasonable (but we
> may want printf be replaced with _rtld_error in rtld.c and use
> LD_UTRACE there?)

I also think that the UTRACE part is not bad, but will object against the LD_PRINT_ERROR part. FWIW, it should use rtld_printf() instead of printf(), but this is a moot point.
From: Clément Lecigne
Date: Mon, 19 Dec 2011 21:02:49 +0100
To: Xin LI
Cc: freebsd-security@freebsd.org, kib@freebsd.org
Subject: Re: logging _rtld errors
Hi,

2011/12/19 Xin LI:
> Hi,
>
> On Mon, Dec 19, 2011 at 11:41 AM, Mike Tancsa wrote:
>> Are there any security reasons as to why

Don't know, but the ld_printerror != '\0' in the patch should be *ld_printerror != '\0', no?

~clem

From: Peter Jeremy
Date: Tue, 20 Dec 2011 09:36:28 +1100
To: Kostik Belousov
Cc: freebsd-security@freebsd.org
Subject: Re: logging _rtld errors

On 2011-Dec-19 22:01:04 +0200, Kostik Belousov wrote:
>On Mon, Dec 19, 2011 at 11:54:46AM -0800, Xin LI wrote:
>> It doesn't seem to me that this proposed change would do something
>> with security?

rtld is a fairly critical part of FreeBSD infrastructure and there have been several instances where rtld changes have resulted in security vulnerabilities.

>I also think that UTRACE part is not bad, but will object against the
>LD_PRINT_ERROR part.

Could you please explain your objections to the LD_PRINT_ERROR part as I don't see an immediate problem with them.

> FWIW, it should use rtld_printf() instead of printf(),
>but this is moot point.

Accepted.

On 2011-Dec-19 21:02:49 +0100, Clément Lecigne wrote:
>Dont know but the ld_printerror != '\0' in the patch should be
>*ld_printerror != '\0', no?

Oops, my mistake. Yes, there is a missing '*'.
-- 
Peter Jeremy

From: Kostik Belousov
Date: Tue, 20 Dec 2011 11:58:13 +0200
To: Peter Jeremy
Cc: freebsd-security@freebsd.org
Subject: Re: logging _rtld errors

On Tue, Dec 20, 2011 at 09:36:28AM +1100, Peter Jeremy wrote:
> On 2011-Dec-19 22:01:04 +0200, Kostik Belousov wrote:
> >On Mon, Dec 19, 2011 at 11:54:46AM -0800, Xin LI wrote:
> >> It doesn't seem to me that this proposed change would do something
> >> with security?
> 
> rtld is a fairly critical part of FreeBSD infrastructure and there
> have been several instances where rtld changes have resulted in
> security vulnerabilities.

[Removed].

> 
> >I also think that UTRACE part is not bad, but will object against the
> >LD_PRINT_ERROR part.
> 
> Could you please explain your objections to the LD_PRINT_ERROR part as
> I don't see an immediate problem with them.

The rtld is the low-level facility that shall silently do its work. It is the same kind of runtime glue as libc or libthr. It shall return errors to the caller. We do not change libc by adding a knob to print errors if some libc function failed, so why shall we do this for rtld? Adding utrace would ease the introspection (which in fact can already be deduced from the other ktrace output, but I agree that this requires some knowledge of rtld internals, thus explicit error tracing makes it more accessible).
Also please note that rtld already has a debug mode that is exactly designed for debugging dynamic linking problems. The fact that rtld returns a string representation of the error instead of error codes like errno is mostly a mistake.

> 
> > FWIW, it should use rtld_printf() instead of printf(),
> >but this is moot point.
> 
> Accepted.
> 
> On 2011-Dec-19 21:02:49 +0100, Clément Lecigne wrote:
> >Dont know but the ld_printerror != '\0' in the patch should be
> >*ld_printerror != '\0', no?
> 
> Oops, my mistake. Yes, there is a missing '*'.
> 
> -- 
> Peter Jeremy

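As an added illustration of the missing '*' that Clément and Peter settle above (example code, not the PR 142258 patch and not FreeBSD's rtld.c), the program below runs both forms of the test over the three states an environment knob can be in; LD_PRINT_ERROR and ld_printerror are the names used in the thread, and the table of states is constructed:

```c
/* Added example, not from the PR 142258 patch or from FreeBSD's rtld:
 * why "ld_printerror != '\0'" and "*ld_printerror != '\0'" differ when
 * ld_printerror holds the result of getenv(3). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* The test as written in the patch. '\0' is an integer constant with
 * value 0, which C treats as a null pointer constant, so this compares
 * the pointer itself against NULL and compiles without a diagnostic.
 * It is true for any variable that is set at all, LD_PRINT_ERROR=""
 * included. */
bool knob_enabled_as_patched(const char *value)
{
    return value != '\0';
}

/* The intended test, the idiom rtld uses for its other LD_* knobs:
 * the variable must be present and non-empty. */
bool knob_enabled_fixed(const char *value)
{
    return value != NULL && *value != '\0';
}

/* Constructed table of the three states an environment knob can be in. */
struct knob_case {
    const char *label;
    const char *value;   /* NULL models an unset variable */
};

static const struct knob_case cases[] = {
    { "unset",     NULL },
    { "set empty", ""   },
    { "set to 1",  "1"  },
};

/* Count how many of the three states a test treats as "enabled":
 * the patched form accepts two of them, the fixed form only one. */
int count_enabled(bool (*test)(const char *))
{
    int n = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (test(cases[i].value))
            n++;
    return n;
}

int main(void)
{
    /* Read the knob the way rtld reads its LD_* variables, then show
     * what each form of the test makes of it and of the three cases. */
    const char *ld_printerror = getenv("LD_PRINT_ERROR");
    printf("LD_PRINT_ERROR from environment: patched=%d fixed=%d\n",
           knob_enabled_as_patched(ld_printerror),
           knob_enabled_fixed(ld_printerror));
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-10s patched=%d fixed=%d\n", cases[i].label,
               knob_enabled_as_patched(cases[i].value),
               knob_enabled_fixed(cases[i].value));
    return 0;
}
```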
From: FreeBSD Security Advisories
Date: Fri, 23 Dec 2011 15:36:33 -0000
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-11:06.bind

=============================================================================
FreeBSD-SA-11:06.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Remote packet Denial of Service against named(8) servers

Category:       contrib
Module:         bind
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-11-17 01:10:16 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-11-17 00:36:10 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-01 21:13:41 UTC (RELENG_9, 9.0-STABLE)
                2011-12-01 21:17:59 UTC (RELENG_9_0, 9.0-RC3)
                2011-11-16 23:41:13 UTC (ports tree)
CVE Name:       CVE-2011-4313

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

A remote attacker could cause the BIND resolver to cache an invalid record, which could cause the BIND daemon to crash when that record is being queried.

III. Impact

An attacker that is able to send a specifically crafted response to the BIND daemon can cause it to crash, resulting in a denial of service.
Note that due to the nature of this vulnerability, the attacker does not necessarily have to have query access to the victim server. The vulnerability can be triggered by tricking legitimate clients, for instance spam filtering systems or an end user's browser, which can be made to perform the query on the attacker's behalf.

IV.  Workaround

No workaround is available, but systems not running the BIND resolving name server are not affected. Servers that are running in authoritative-only mode appear not to be affected by this vulnerability.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3, 8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 7.3-RELEASE and 7.4-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind7.patch
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind7.patch.asc

[FreeBSD 8.1-RELEASE and 8.2-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind8.patch
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind8.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction date.
The following versions and newer versions of BIND installed from the Ports Collection already have the mitigation measure:

bind96-9.6.3.1.ESV.R5.1
bind97-9.7.4.1
bind98-9.8.1.1

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

CVS:

Branch                                      Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/contrib/bind9/lib/dns/rbtdb.c         1.1.1.4.2.9
  src/contrib/bind9/bin/named/query.c       1.1.1.6.2.8
RELENG_7_4
  src/UPDATING                              1.507.2.36.2.7
  src/sys/conf/newvers.sh                   1.72.2.18.2.10
  src/contrib/bind9/lib/dns/rbtdb.c         1.1.1.4.2.6.2.1
  src/contrib/bind9/bin/named/query.c       1.1.1.6.2.6.2.1
RELENG_7_3
  src/UPDATING                              1.507.2.34.2.11
  src/sys/conf/newvers.sh                   1.72.2.16.2.13
  src/contrib/bind9/lib/dns/rbtdb.c         1.1.1.4.2.3.2.2
  src/contrib/bind9/bin/named/query.c       1.1.1.6.2.3.2.2
RELENG_8
  src/contrib/bind9/lib/dns/rbtdb.c         1.3.2.9
  src/contrib/bind9/bin/named/query.c       1.3.2.8
RELENG_8_2
  src/UPDATING                              1.632.2.19.2.7
  src/sys/conf/newvers.sh                   1.83.2.12.2.10
  src/contrib/bind9/lib/dns/rbtdb.c         1.3.2.5.2.1
  src/contrib/bind9/bin/named/query.c       1.3.2.5.2.1
RELENG_8_1
  src/UPDATING                              1.632.2.14.2.10
  src/sys/conf/newvers.sh                   1.83.2.10.2.11
  src/contrib/bind9/lib/dns/rbtdb.c         1.3.2.3.2.1
  src/contrib/bind9/bin/named/query.c       1.3.2.3.2.1
RELENG_9
  src/contrib/bind9/lib/dns/rbtdb.c         1.13.2.1
  src/contrib/bind9/bin/named/query.c       1.11.2.1
RELENG_9_0
  src/contrib/bind9/lib/dns/rbtdb.c         1.13.4.1
  src/contrib/bind9/bin/named/query.c       1.11.4.1
-------------------------------------------------------------------------

Subversion:

Branch/path                                 Revision
-------------------------------------------------------------------------
stable/7/                                   r227603
releng/7.4/                                 r228843
releng/7.3/                                 r228843
stable/8/                                   r227599
releng/8.2/                                 r228843
releng/8.1/                                 r228843
stable/9/                                   r228189
releng/9.0/                                 r228190
-------------------------------------------------------------------------

VII. References

https://www.isc.org/software/bind/advisories/cve-2011-4313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:06.bind.asc

From: FreeBSD Security Advisories
Date: Fri, 23 Dec 2011 15:36:38 GMT
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-11:07.chroot

=============================================================================
FreeBSD-SA-11:07.chroot                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Code execution via chrooted ftpd

Category:       core
Module:         libc
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

Chroot is an operation that changes the apparent root directory for the current process and its children. The chroot(2) system call is widely used in many applications as a measure of limiting a process's access to the file system, as part of implementing privilege separation.

The nsdispatch(3) API implementation has a feature to reload its configuration on demand. This feature may also load shared libraries and run code provided by the library when requested by the configuration file.

II.  Problem Description

The nsdispatch(3) API has no mechanism to alert it to whether it is operating within a chroot environment in which the standard paths for configuration files and shared libraries may be untrustworthy. The FreeBSD ftpd(8) daemon can be configured to use chroot(2), and also uses the nsdispatch(3) API.

III. Impact

If ftpd is configured to place a user in a chroot environment, then an attacker who can log in as that user may be able to run arbitrary code with elevated ("root") privileges.

IV.  Workaround

Don't use ftpd with the chroot option.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3, 8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 7.3 and 7.4]
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot7.patch
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot7.patch.asc

[FreeBSD 8.1 and 8.2]
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot8.patch
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot8.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

4) This update adds a new API, __FreeBSD_libc_enter_restricted_mode(), to the C library, which completely disables loading of shared libraries upon return. Applications doing chroot(2) jails need to be updated to call this API explicitly right after the chroot(2) operation as a safety measure.
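As an added illustration of item 4 above (example code, not from the advisory and not FreeBSD's ftpd), this is the order of operations for a chroot(2)-based privilege drop with the restricted-mode call placed right after chroot(2); it assumes the function is declared in <unistd.h> on a patched system and compiles to a no-op elsewhere, and the jail path and the 65534 uid/gid are constructed values:

```c
/* Added example, not code from the advisory or from FreeBSD's ftpd: the
 * sequence a chroot(2)-based privilege drop should follow after
 * FreeBSD-SA-11:07, with the restricted-mode call right after chroot(2)
 * as item 4 of the Solution section asks. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __FreeBSD__
/* Assumed declared in <unistd.h> on a patched system (src/include/unistd.h
 * is in the correction list). After it returns, libc refuses to load
 * shared libraries, so an nsswitch.conf inside the jail can no longer
 * pull in a module that the jailed user controls. */
#define ENTER_RESTRICTED_MODE() __FreeBSD_libc_enter_restricted_mode()
#else
/* No equivalent elsewhere: the only defence is to finish every lookup
 * that goes through nsswitch before chroot(2) and never look up again. */
#define ENTER_RESTRICTED_MODE() ((void)0)
#endif

/* Pure check on a jail root's owner and mode. A root directory that the
 * confined user can write to is the setup the advisory describes: the
 * user then controls the etc/ and lib/ that nsdispatch(3) reads as root.
 * Returns 1 if acceptable, 0 if not. ftpd cannot meet this for a user's
 * own home directory, which is why the fix had to live in libc. */
int jail_mode_is_safe(uid_t owner, mode_t mode)
{
    if (!S_ISDIR(mode) || owner != 0)
        return 0;
    if (mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* stat(2) wrapper around the check: 1 safe, 0 unsafe, -1 if stat fails. */
int jail_dir_is_safe(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) == -1)
        return -1;
    return jail_mode_is_safe(st.st_uid, st.st_mode);
}

/* Confine the calling process to `dir` and drop to uid/gid. Returns 0 on
 * success, -1 with errno set by the failing call. Must run as root, and
 * uid/gid must already be resolved: no getpwnam(3) after this point. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) == -1)
        return -1;
    /* Immediately after chroot(2): nothing below may dlopen(3) from the
     * jail's now-untrusted /etc, /lib or /usr/lib. */
    ENTER_RESTRICTED_MODE();
    /* chroot(2) does not move the working directory; without this the
     * process keeps a foothold outside the jail. */
    if (chdir("/") == -1)
        return -1;
    /* Drop privileges in the order that cannot be undone: supplementary
     * groups, primary group, then uid. */
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* Verify the drop took effect before trusting it. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed path; on a real server this is ftpd's per-user root. */
    const char *jail = "/var/ftp-jail";
    int safe = jail_dir_is_safe(jail);
    if (safe != 1) {
        printf("%s: %s\n", jail,
               safe == -1 ? "cannot stat" : "writable or not root-owned");
        return 1;
    }
    if (enter_jail(jail, 65534, 65534) == -1) {
        perror("enter_jail");
        return 1;
    }
    puts("confined; shared-library loading is now disabled");
    return 0;
}
```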
CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/include/unistd.h                                             1.80.2.4
  src/lib/libc/include/libc_private.h                              1.17.2.4
  src/lib/libc/Versions.def                                         1.3.2.3
  src/lib/libc/net/nsdispatch.c                                    1.14.2.3
  src/lib/libc/gen/Symbol.map                                       1.6.2.7
  src/lib/libc/gen/Makefile.inc                                   1.128.2.6
  src/lib/libc/gen/libc_dlopen.c                                    1.2.2.2
  src/libexec/ftpd/popen.c                                        1.26.10.2
  src/libexec/ftpd/ftpd.c                                         1.212.2.2
RELENG_7_4
  src/UPDATING                                               1.507.2.36.2.7
  src/sys/conf/newvers.sh                                    1.72.2.18.2.10
  src/include/unistd.h                                         1.80.2.3.4.2
  src/lib/libc/include/libc_private.h                          1.17.2.3.4.2
  src/lib/libc/Versions.def                                     1.3.2.2.4.2
  src/lib/libc/net/nsdispatch.c                                1.14.2.2.2.2
  src/lib/libc/gen/Symbol.map                                   1.6.2.6.4.2
  src/lib/libc/gen/Makefile.inc                               1.128.2.5.4.2
  src/lib/libc/gen/libc_dlopen.c                                    1.2.4.2
  src/libexec/ftpd/popen.c                                    1.26.10.1.2.2
  src/libexec/ftpd/ftpd.c                                     1.212.2.1.6.2
RELENG_7_3
  src/UPDATING                                              1.507.2.34.2.11
  src/sys/conf/newvers.sh                                    1.72.2.16.2.13
  src/include/unistd.h                                         1.80.2.3.2.2
  src/lib/libc/include/libc_private.h                          1.17.2.3.2.2
  src/lib/libc/Versions.def                                     1.3.2.2.2.2
  src/lib/libc/net/nsdispatch.c                                1.14.2.1.6.2
  src/lib/libc/gen/Symbol.map                                   1.6.2.6.2.2
  src/lib/libc/gen/Makefile.inc                               1.128.2.5.2.2
  src/lib/libc/gen/libc_dlopen.c                                    1.1.2.1
  src/libexec/ftpd/popen.c                                        1.26.24.2
  src/libexec/ftpd/ftpd.c                                     1.212.2.1.4.2
RELENG_8
  src/include/unistd.h                                             1.95.2.2
  src/lib/libc/include/libc_private.h                              1.20.2.3
  src/lib/libc/Versions.def                                         1.8.2.3
  src/lib/libc/net/nsdispatch.c                                    1.18.2.3
  src/lib/libc/gen/Symbol.map                                      1.21.2.6
  src/lib/libc/gen/Makefile.inc                                   1.144.2.7
  src/lib/libc/gen/libc_dlopen.c                                    1.1.4.2
  src/libexec/ftpd/popen.c                                        1.26.22.3
  src/libexec/ftpd/ftpd.c                                         1.214.2.3
RELENG_8_2
  src/UPDATING                                               1.632.2.19.2.7
  src/sys/conf/newvers.sh                                    1.83.2.12.2.10
  src/include/unistd.h                                         1.95.2.1.6.2
  src/lib/libc/include/libc_private.h                          1.20.2.2.4.2
  src/lib/libc/Versions.def                                     1.8.2.2.4.2
  src/lib/libc/net/nsdispatch.c                                1.18.2.2.2.2
  src/lib/libc/gen/Symbol.map                                  1.21.2.5.2.2
  src/lib/libc/gen/Makefile.inc                               1.144.2.6.2.2
  src/lib/libc/gen/libc_dlopen.c                                    1.2.8.2
  src/libexec/ftpd/popen.c                                    1.26.22.2.4.2
  src/libexec/ftpd/ftpd.c                                     1.214.2.1.6.2
RELENG_8_1
  src/UPDATING                                              1.632.2.14.2.10
  src/sys/conf/newvers.sh                                    1.83.2.10.2.11
  src/include/unistd.h                                         1.95.2.1.4.2
  src/lib/libc/include/libc_private.h                          1.20.2.2.2.2
  src/lib/libc/Versions.def                                     1.8.2.2.2.2
  src/lib/libc/net/nsdispatch.c                                1.18.2.1.4.2
  src/lib/libc/gen/Symbol.map                                  1.21.2.3.2.2
  src/lib/libc/gen/Makefile.inc                               1.144.2.4.2.2
  src/lib/libc/gen/libc_dlopen.c                                   1.2.10.2
  src/libexec/ftpd/popen.c                                    1.26.22.2.2.2
  src/libexec/ftpd/ftpd.c                                     1.214.2.1.4.2
RELENG_9
  src/include/unistd.h                                            1.101.2.2
  src/lib/libc/include/libc_private.h                              1.26.2.2
  src/lib/libc/Versions.def                                         1.9.2.2
  src/lib/libc/net/nsdispatch.c                                    1.19.2.2
  src/lib/libc/gen/Symbol.map                                      1.38.2.2
  src/lib/libc/gen/Makefile.inc                                   1.159.2.2
  src/lib/libc/gen/libc_dlopen.c                                    1.1.6.2
  src/lib/libc/iconv/citrus_module.c                                1.1.2.2
  src/libexec/ftpd/popen.c                                         1.27.2.2
  src/libexec/ftpd/ftpd.c                                         1.220.2.2
RELENG_9_0
  src/include/unistd.h                                        1.101.2.1.2.2
  src/lib/libc/include/libc_private.h                          1.26.2.1.2.2
  src/lib/libc/Versions.def                                     1.9.2.1.2.2
  src/lib/libc/net/nsdispatch.c                                1.19.2.1.2.2
  src/lib/libc/gen/Symbol.map                                  1.38.2.1.2.2
  src/lib/libc/gen/Makefile.inc                               1.159.2.1.2.2
  src/lib/libc/gen/libc_dlopen.c                                    1.2.6.2
  src/lib/libc/iconv/citrus_module.c                            1.1.2.1.2.2
  src/libexec/ftpd/popen.c                                     1.27.2.1.2.2
  src/libexec/ftpd/ftpd.c                                     1.220.2.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r228843
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r228843
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228843
releng/9.0/                                                       r228843
- -------------------------------------------------------------------------

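Item 4 of the Solution section above tells daemon authors to call the new
API "right after the chroot(2) operation" but leaves the surrounding order
of operations to them.  What follows is an added example in the editor's
own C, not code from FreeBSD's ftpd or libc.  It assumes a hypothetical
daemon that confines one named account to a directory; the names
resolve_user, enter_jail and try_jail_self, and the placeholder account
"ftp" with directory "/var/ftp", are chosen here.  The one FreeBSD-specific
call, __FreeBSD_libc_enter_restricted_mode(), is the API named in the
advisory and is compiled in only on FreeBSD; everything else is POSIX, so
the file also builds elsewhere (with the restricted-mode step absent).

```c
/*
 * Added example (not FreeBSD code): the order of operations a chrooting
 * daemon should follow after FreeBSD-SA-11:07.chroot.
 *
 * Why the order matters: once a root process has chroot(2)ed into a
 * directory the user can write to, it must never call into nsdispatch(3)
 * again (getpwnam, getgrnam, gethostbyname, ...).  libc would then read
 * /etc/nsswitch.conf *inside the jail* and may dlopen() an nss module
 * from a library directory inside the jail, i.e. attacker-supplied code
 * running as root.  So: resolve every name first, then chroot, then tell
 * libc it may never load a library again, then drop root.
 */
#define _DEFAULT_SOURCE 1   /* chroot()/setgroups() prototypes on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct jail_ids {
    uid_t uid;
    gid_t gid;
};

/* Step 1: every name-service lookup happens here, before the chroot. */
int resolve_user(const char *name, struct jail_ids *out)
{
    struct passwd *pw = getpwnam(name);     /* goes through nsdispatch(3) */
    if (pw == NULL)
        return -1;
    out->uid = pw->pw_uid;
    out->gid = pw->pw_gid;
    return 0;
}

/* Convenience wrapper: the uid, or -1 if the account is unknown. */
long resolve_uid(const char *name)
{
    struct jail_ids ids;
    return resolve_user(name, &ids) == 0 ? (long)ids.uid : -1L;
}

/*
 * Step 2: enter the jail and drop privileges.  Returns 0, or -1 with
 * errno set.  Ordering:
 *   chroot(2) then chdir("/")   - otherwise the cwd still points outside;
 *   __FreeBSD_libc_enter_restricted_mode()  - the API added by SA-11:07,
 *                                             immediately after chroot(2);
 *   setgroups/setgid/setuid     - drop root last, groups before uid.
 */
int enter_jail(const char *root, const struct jail_ids *ids)
{
    if (chroot(root) == -1 || chdir("/") == -1)
        return -1;
#ifdef __FreeBSD__
    /* From here on libc refuses to dlopen() anything, so a hostile
     * nsswitch.conf or nss_*.so inside the jail can no longer be loaded.
     * FreeBSD-only; compiled out on other systems. */
    __FreeBSD_libc_enter_restricted_mode();
#endif
    if (setgroups(1, &ids->gid) == -1 || setgid(ids->gid) == -1 ||
        setuid(ids->uid) == -1)
        return -1;
    /* If we were dropping root, make sure it cannot be regained. */
    if (ids->uid != 0 && setuid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Self-test helper: chroot to "/" (harmless) and "drop" to our own ids.
 * Returns 0 on success, otherwise the errno (EPERM when not root). */
int try_jail_self(void)
{
    struct jail_ids me;
    me.uid = getuid();
    me.gid = getgid();
    return enter_jail("/", &me) == 0 ? 0 : errno;
}

int main(void)
{
    struct jail_ids ids;
    /* "ftp" and "/var/ftp" are placeholders for the jailed account and
     * its directory; substitute the daemon's own. */
    if (resolve_user("ftp", &ids) == -1) {
        fprintf(stderr, "no such user\n");
        return 1;
    }
    if (enter_jail("/var/ftp", &ids) == -1) {
        perror("enter_jail");
        return 1;
    }
    /* From here on: no getpwnam()/gethostbyname()/dlopen() calls at all. */
    return 0;
}
```

Run as root it confines the process to /var/ftp as the "ftp" account; run
unprivileged, chroot(2) fails with EPERM and the daemon refuses to start
rather than continuing outside the jail.  The same ordering applies to any
daemon that resolves names and then chroots, not only ftpd.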
VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:07.chroot.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37ILmgCgjVxRH+NsPpnXOVdwWmuxlSDp
h9wAniE0tokORcqQlFJim5Pc1Z65ybwl
=45yE
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Dec 23 15:36:43 2011
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Fri, 23 Dec 2011 15:36:43 GMT
Message-Id: <201112231536.pBNFahVT078892@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-11:08.telnetd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:08.telnetd                                    Security Advisory
                                                          The FreeBSD Project

Topic:          telnetd code execution vulnerability

Category:       core
Module:         contrib
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name:       CVE-2011-4862

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the
TELNET virtual terminal protocol.  It has been disabled by default in
FreeBSD since August 2001, and due to the lack of cryptographic security
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead.  The FreeBSD telnet daemon can be enabled via the
/etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol has a mechanism for encryption of the data stream
(but it is not cryptographically strong and should not be relied upon
in any security-critical applications).

II.  Problem Description

When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.

III. Impact

An attacker who can connect to the telnetd daemon can execute arbitrary
code with the privileges of the daemon (which is usually the "root"
superuser).

IV.  Workaround

No workaround is available, but systems not running the telnet daemon
are not vulnerable.

Note that the telnet daemon is usually run via inetd, and consequently
will not show up in a process listing unless a connection is currently
active; to determine if it is enabled, run

$ ps ax | grep telnetd | grep -v grep
$ grep telnetd /etc/inetd.conf | grep -vE '^#'

If any output is produced, your system may be vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch
dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2, and 8.1 systems.

a) Download the patch from the location below, and verify the detached
PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make && make install
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c           1.1.1.2.24.1
  src/contrib/telnet/libtelnet/encrypt.c                           1.9.24.1
RELENG_7_4
  src/UPDATING                                               1.507.2.36.2.7
  src/sys/conf/newvers.sh                                    1.72.2.18.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c           1.1.1.2.38.1
  src/contrib/telnet/libtelnet/encrypt.c                           1.9.40.2
RELENG_7_3
  src/UPDATING                                              1.507.2.34.2.11
  src/sys/conf/newvers.sh                                    1.72.2.16.2.13
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c           1.1.1.2.36.1
  src/contrib/telnet/libtelnet/encrypt.c                           1.9.38.2
RELENG_8
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c            1.1.1.3.2.1
  src/contrib/telnet/libtelnet/encrypt.c                           1.9.36.2
RELENG_8_2
  src/UPDATING                                               1.632.2.19.2.7
  src/sys/conf/newvers.sh                                    1.83.2.12.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c            1.1.1.3.8.1
  src/contrib/telnet/libtelnet/encrypt.c                       1.9.36.1.6.2
RELENG_8_1
  src/UPDATING                                              1.632.2.14.2.10
  src/sys/conf/newvers.sh                                    1.83.2.10.2.11
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c            1.1.1.3.6.1
  src/contrib/telnet/libtelnet/encrypt.c                       1.9.36.1.4.2
RELENG_9
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c           1.1.1.3.10.1
  src/contrib/telnet/libtelnet/encrypt.c                           1.9.42.2
RELENG_9_0
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c           1.1.1.3.12.1
  src/contrib/telnet/libtelnet/encrypt.c                       1.9.42.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r228843
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r228843
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228843
releng/9.0/                                                       r228843
- -------------------------------------------------------------------------

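A model of the defect in section II, added here as the editor's own
example and not telnetd's source: the key id arrives in an ENCRYPT
suboption, its length is whatever the peer sent, and the pre-fix code
copied it into a fixed-size buffer without a bound.  The option and
suboption numbers are TELNET's own; MAXKEYLEN, struct key_info and the
function names are assumptions made for the illustration.

```c
/*
 * Added example (editor's model, not telnetd's code): the shape of the
 * FreeBSD-SA-11:08.telnetd / CVE-2011-4862 defect and its fix.
 *
 * In the TELNET ENCRYPT option the peer sends a key id inside a
 * suboption (IAC SB ENCRYPT ENC_KEYID <bytes...> IAC SE) and the daemon
 * keeps it in a fixed-size buffer.  The byte count comes straight from
 * the peer.  MAXKEYLEN, struct key_info and the names are assumptions.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TELOPT_ENCRYPT      38   /* option code, from arpa/telnet.h */
#define ENCRYPT_ENC_KEYID    7   /* suboption: "here is my key id" */
#define ENCRYPT_DEC_KEYID    8
#define MAXKEYLEN           64   /* assumed size of the fixed buffer */

struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
    /* what an overflow would clobber: state consulted after the copy */
    int (*on_keyid)(struct key_info *);
};

/* Vulnerable shape: the peer-supplied length is trusted. */
void keyid_set_vuln(struct key_info *kp, const unsigned char *id, int len)
{
    if (len != kp->keylen || memcmp(kp->keyid, id, (size_t)len) != 0) {
        kp->keylen = len;
        memcpy(kp->keyid, id, (size_t)len);   /* len > MAXKEYLEN: overflow */
    }
}

/* Fixed shape: bound the length before the buffer is touched.
 * Returns 0 when stored, -1 when the key id is rejected. */
int keyid_set_fixed(struct key_info *kp, const unsigned char *id, int len)
{
    if (len < 0 || len > MAXKEYLEN)
        return -1;
    if (len != kp->keylen || memcmp(kp->keyid, id, (size_t)len) != 0) {
        kp->keylen = len;
        memcpy(kp->keyid, id, (size_t)len);
    }
    return 0;
}

/*
 * Dispatch one received suboption, already stripped of IAC SB / IAC SE
 * (and with IAC IAC escapes undone).  sb[0] is the option, sb[1] the
 * ENCRYPT command, the rest is the key id.  Returns 0 if stored, -1 if
 * rejected or not understood.
 */
int handle_encrypt_suboption(struct key_info *kp, const unsigned char *sb,
                             size_t sblen)
{
    if (sblen < 2 || sb[0] != TELOPT_ENCRYPT)
        return -1;
    if (sb[1] != ENCRYPT_ENC_KEYID && sb[1] != ENCRYPT_DEC_KEYID)
        return -1;                       /* other ENCRYPT commands: not modeled */
    if (sblen - 2 > (size_t)MAXKEYLEN)   /* bound before narrowing to int */
        return -1;
    return keyid_set_fixed(kp, sb + 2, (int)(sblen - 2));
}

int main(void)
{
    struct key_info k;
    unsigned char sb[2 + 200];           /* constructed hostile suboption */

    memset(&k, 0, sizeof k);
    memset(sb, 'A', sizeof sb);
    sb[0] = TELOPT_ENCRYPT;
    sb[1] = ENCRYPT_ENC_KEYID;
    printf("200-byte key id: %s\n",
           handle_encrypt_suboption(&k, sb, sizeof sb) == 0 ? "stored" : "rejected");
    printf("%d-byte key id: %s\n", MAXKEYLEN,
           handle_encrypt_suboption(&k, sb, 2 + MAXKEYLEN) == 0 ? "stored" : "rejected");
    return 0;
}
```

keyid_set_vuln() is shown for contrast only; calling it with a 200-byte id
writes past keyid into keylen and the function pointer that follows, which
is the path from "unvalidated length" to the remote code execution the
Impact section describes.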
VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37IYcwCfXn5aQTfQDe/AnS31JBg+BB1m
HJMAmgOE5pUKTlFqLw5UBouMNFfUmu2u
=dcyj
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Dec 23 15:36:50 2011
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Fri, 23 Dec 2011 15:36:50 GMT
Message-Id: <201112231536.pBNFaoj3078926@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-11:09.pam_ssh

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:09.pam_ssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          pam_ssh improperly grants access when user account has
                unencrypted SSH private keys

Category:       contrib
Module:         pam
Announced:      2011-12-23
Credits:        Guy Helmer, Dag-Erling Smorgrav
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-11 20:40:23 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-11 20:38:36 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-11 16:57:27 UTC (RELENG_9, 9.0-STABLE)
                2011-12-11 17:32:37 UTC (RELENG_9_0, 9.0-RELEASE)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.  It is
used not only in the base system, but also by a large number of
third-party applications.  Various authentication methods (UNIX, LDAP,
Kerberos etc.) are implemented in modules which are loaded and executed
according to predefined, named policies.  These policies are defined in
/etc/pam.conf, /etc/pam.d/, /usr/local/etc/pam.conf or
/usr/local/etc/pam.d/.

The base system includes a module named pam_ssh which, if enabled,
allows users to authenticate themselves by typing in the passphrase of
one of the SSH private keys which are stored in encrypted form in their
.ssh directory.  Authentication is considered successful if at least one
of these keys could be decrypted using the provided passphrase.

By default, the pam_ssh module rejects SSH private keys with no
passphrase.  A "nullok" option exists to allow these keys.

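An added example in the editor's own C, not pam_ssh's source: it decides
whether an SSH private key is encrypted by reading the key file itself,
which is the check the Problem Description below says was missing, and
contrasts the old gate (is the typed passphrase non-empty?) with one that
asks the key.  The formats handled are the PEM encodings OpenSSL reads,
traditional "RSA/DSA/EC PRIVATE KEY" and PKCS#8; the newer "OPENSSH
PRIVATE KEY" container keeps its cipher name inside the base64 body and
is reported as unknown here, which the gate treats as a refusal.  The
three embedded keys are constructed placeholders whose bodies are not
real key material; only their PEM headers matter.  All names are chosen
for this illustration.

```c
/*
 * Added example (editor's code, not pam_ssh's): decide whether an SSH
 * private key is encrypted from the key file, which is what
 * FreeBSD-SA-11:09.pam_ssh needed.  Before the fix pam_ssh only tested
 * whether the *typed passphrase* was empty; OpenSSL then ignored the
 * passphrase for a plaintext key, so any dummy string logged in.
 *
 * Sample keys below are constructed placeholders: only headers matter.
 */
#include <stddef.h>
#include <string.h>

enum { KEY_UNKNOWN = -1, KEY_PLAINTEXT = 0, KEY_ENCRYPTED = 1 };

const char KEY_PLAIN_PEM[] =            /* traditional PEM, no headers */
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu\n"
    "-----END RSA PRIVATE KEY-----\n";

const char KEY_ENC_PEM[] =              /* traditional PEM, RFC 1421 headers */
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0C2F7D4A9E1B3C5D8F0A1B2C3D4E5F60\n"
    "\n"
    "u3vJ8xQ2nF1kL9pR4sT6wY0zA1bC3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5z\n"
    "-----END RSA PRIVATE KEY-----\n";

const char KEY_PKCS8_ENC[] =            /* PKCS#8, encrypted */
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "MIIBvTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIAAAAAAAAAAACAggA\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n";

/* Locate "-----BEGIN <label>-----"; returns the label, its length and
 * the start of the following line. */
static const char *pem_label(const char *pem, size_t *n, const char **next)
{
    const char *b = strstr(pem, "-----BEGIN ");
    const char *e;
    if (b == NULL)
        return NULL;
    b += strlen("-----BEGIN ");
    e = strstr(b, "-----");
    if (e == NULL)
        return NULL;
    *n = (size_t)(e - b);
    *next = strchr(e, '\n');
    if (*next != NULL)
        (*next)++;
    return b;
}

int ssh_key_is_encrypted(const char *pem)
{
    size_t n;
    const char *line;
    const char *label = pem_label(pem, &n, &line);

    if (label == NULL || line == NULL)
        return KEY_UNKNOWN;
    if (n == 21 && memcmp(label, "ENCRYPTED PRIVATE KEY", 21) == 0)
        return KEY_ENCRYPTED;                     /* PKCS#8, encrypted */
    if (n == 11 && memcmp(label, "PRIVATE KEY", 11) == 0)
        return KEY_PLAINTEXT;                     /* PKCS#8, plaintext */
    if (n == 19 && memcmp(label, "OPENSSH PRIVATE KEY", 19) == 0)
        return KEY_UNKNOWN;                       /* cipher is inside the body */
    if (n < 12 || memcmp(label + n - 12, " PRIVATE KEY", 12) != 0)
        return KEY_UNKNOWN;                       /* not a private key at all */

    /* Traditional PEM: optional "Name: value" headers precede the base64
     * body; encryption is announced by "Proc-Type: 4,ENCRYPTED". */
    while (*line != '\0' && *line != '\n' && *line != '\r') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *p;
        if (memchr(line, ':', len) == NULL)
            break;                                /* body reached: no headers */
        if (len >= 10 && memcmp(line, "Proc-Type:", 10) == 0 &&
            (p = strstr(line, "ENCRYPTED")) != NULL && p < line + len)
            return KEY_ENCRYPTED;
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return KEY_PLAINTEXT;
}

/* The gate pam_ssh had before the fix: only the typed passphrase is
 * inspected.  1 = go on to decrypt the key, 0 = refuse. */
int pam_ssh_gate_before(const char *pass, int nullok)
{
    if (!nullok && (pass == NULL || *pass == '\0'))
        return 0;
    return 1;   /* PEM_read_PrivateKey() ignores pass for a plaintext key */
}

/* The gate the advisory calls for: ask the key file, not the caller. */
int pam_ssh_gate_after(const char *pem, const char *pass, int nullok)
{
    switch (ssh_key_is_encrypted(pem)) {
    case KEY_ENCRYPTED:
        return pass != NULL && *pass != '\0';
    case KEY_PLAINTEXT:
        return nullok != 0;     /* only the explicit "nullok" option admits it */
    default:
        return 0;               /* unknown format: refuse rather than guess */
    }
}
```

ssh_key_is_encrypted() also serves as the audit the Workaround section
implies: run it over each account's ~/.ssh/id_* to find the plaintext keys
that made accounts exposed while pam_ssh was enabled.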
II.  Problem Description

The OpenSSL library call used to decrypt private keys ignores the
passphrase argument if the key is not encrypted.  Because the pam_ssh
module only checks whether the passphrase provided by the user is null,
users with unencrypted SSH private keys may successfully authenticate
themselves by providing a dummy passphrase.

III. Impact

If the pam_ssh module is enabled, attackers may be able to gain access
to user accounts which have unencrypted SSH private keys.

IV.  Workaround

No workaround is available, but systems that do not have the pam_ssh
module enabled are not vulnerable.  The pam_ssh module is not enabled
in any of the default policies provided in the base system.

The system administrator can use the following procedure to inspect all
PAM policy files to determine whether the pam_ssh module is enabled.
If the following command produces any output, the system may be
vulnerable:

# egrep -r '^[^#].*\<pam_ssh\>' /etc/pam.* /usr/local/etc/pam.*

The following command will disable the pam_ssh module in all PAM
policies present in the system:

# sed -i '' -e '/^[^#].*pam_ssh/s/^/#/' /etc/pam.conf /etc/pam.d/* \
    /usr/local/etc/pam.conf /usr/local/etc/pam.d/*

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch
dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:09/pam_ssh.patch
# fetch http://security.FreeBSD.org/patches/SA-11:09/pam_ssh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libpam/modules/pam_ssh
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                         1.44.2.2
RELENG_7_4
  src/UPDATING                                               1.507.2.36.2.7
  src/sys/conf/newvers.sh                                    1.72.2.18.2.10
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                     1.44.2.1.8.2
RELENG_7_3
  src/UPDATING                                              1.507.2.34.2.11
  src/sys/conf/newvers.sh                                    1.72.2.16.2.13
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                     1.44.2.1.6.2
RELENG_8
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                         1.45.2.3
RELENG_8_2
  src/UPDATING                                               1.632.2.19.2.7
  src/sys/conf/newvers.sh                                    1.83.2.12.2.10
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                     1.45.2.2.4.2
RELENG_8_1
  src/UPDATING                                              1.632.2.14.2.10
  src/sys/conf/newvers.sh                                    1.83.2.10.2.11
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                     1.45.2.2.2.2
RELENG_9
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                         1.47.2.2
RELENG_9_0
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                     1.47.2.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r228421
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r228420
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228410
releng/9.0/                                                       r228414
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:09.pam_ssh.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37JTSwCfS+bmWBxv5hote7Hrcl7VZjjk
vKMAn116aLADxmdYsyZ5WdSrfFTRt3Xm
=Y+ar
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Dec 23 15:36:57 2011
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Fri, 23 Dec 2011 15:36:57 GMT
Message-Id: <201112231536.pBNFav27078972@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-11:10.pam

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:10.pam                                        Security Advisory
                                                          The FreeBSD Project

Topic:          pam_start() does not validate service names

Category:       contrib
Module:         pam
Announced:      2011-12-23
Credits:        Matthias Drochner
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-13 13:03:11 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-13 13:02:52 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-13 12:59:39 UTC (RELENG_9, 9.0-STABLE)
                2011-12-13 13:02:31 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name:       CVE-2011-4122

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.  It is
used not only in the base system, but also by a large number of
third-party applications.  Various authentication methods (UNIX, LDAP,
Kerberos etc.) are implemented in modules which are loaded and executed
according to predefined, named policies.  These policies are defined in
/etc/pam.conf, /etc/pam.d/, /usr/local/etc/pam.conf or
/usr/local/etc/pam.d/.

The PAM API is a de facto industry standard which has been implemented
by several parties.  FreeBSD uses the OpenPAM implementation.

II.  Problem Description

Some third-party applications, including KDE's kcheckpass command,
allow the user to specify the name of the policy on the command line.
Since OpenPAM treats the policy name as a path relative to /etc/pam.d
or /usr/local/etc/pam.d, users who are permitted to run such an
application can craft their own policies and cause the application to
load and execute their own modules.

III. Impact

If an application that runs with root privileges allows the user to
specify the name of the PAM policy to load, users who are permitted to
run that application will be able to execute arbitrary code with root
privileges.

There are no vulnerable applications in the base system.

IV.  Workaround

No workaround is available, but systems without untrusted users are
not vulnerable.

Inspect any third-party setuid / setgid binaries which use the PAM
library and ascertain whether they allow the user to specify the policy
name, then either change the binary's permissions to prevent its use or
remove it altogether.

The following command will output a non-zero number if a dynamically
linked binary uses libpam:

# ldd /usr/local/bin/suspicious_binary | grep -c libpam

The following command will output a non-zero number if a statically
linked binary uses libpam:

# grep -acF "/etc/pam.d/" /usr/local/bin/suspicious_binary

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch
dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch
# fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libpam
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/contrib/openpam/lib/openpam_configure.c                  1.1.1.7.20.2
RELENG_7_4
  src/UPDATING                                               1.507.2.36.2.7
  src/sys/conf/newvers.sh                                    1.72.2.18.2.10
  src/contrib/openpam/lib/openpam_configure.c              1.1.1.7.20.1.8.1
RELENG_7_3
  src/UPDATING                                              1.507.2.34.2.11
  src/sys/conf/newvers.sh                                    1.72.2.16.2.13
  src/contrib/openpam/lib/openpam_configure.c              1.1.1.7.20.1.6.1
RELENG_8
  src/contrib/openpam/lib/openpam_configure.c                   1.1.1.8.2.1
RELENG_8_2
  src/UPDATING                                               1.632.2.19.2.7
  src/sys/conf/newvers.sh                                    1.83.2.12.2.10
  src/contrib/openpam/lib/openpam_configure.c                   1.1.1.8.8.1
RELENG_8_1
  src/UPDATING                                              1.632.2.14.2.10
  src/sys/conf/newvers.sh                                    1.83.2.10.2.11
  src/contrib/openpam/lib/openpam_configure.c                   1.1.1.8.6.1
RELENG_9
  src/contrib/openpam/lib/openpam_configure.c                  1.1.1.8.10.1
RELENG_9_0
  src/contrib/openpam/lib/openpam_configure.c                  1.1.1.8.12.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r228467
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r228466
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228464
releng/9.0/                                                       r228465
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4122

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:10.pam.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37KEWgCgiD/7EymFrnFueD7yyLiI3hLV
lU4An2FUTQRJ0GakViobm9ejHdfmf2Vb
=9COS
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Dec 23 15:55:56 2011
Message-ID: <4EF4A120.1000305@freebsd.org>
Date: Fri, 23 Dec 2011 07:41:20 -0800
From: FreeBSD Security Officer
To: freebsd-security@freebsd.org
Reply-To: security-officer@FreeBSD.org
Subject: Merry Christmas from the FreeBSD Security Team

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

No, the Grinch didn't steal the FreeBSD security officer GPG key, and
your eyes aren't deceiving you: We really did just send out 5 security
advisories.

The timing, to put it bluntly, sucks.  We normally aim to release
advisories on Wednesdays in order to maximize the number of system
administrators who will be at work already; and we try very hard to
avoid issuing advisories any time close to holidays for the same reason.
The start of the Christmas weekend -- in some parts of the world it's
already Saturday -- is absolutely not when we want to be releasing
security advisories.

Unfortunately my hand was forced: One of the issues
(FreeBSD-SA-11:08.telnetd) is a remote root vulnerability which is being
actively exploited in the wild; bugs really don't come any worse than
this.
On the positive side, most people have moved past telnet and on to SSH
by now; but this is still not an issue we could postpone until a more
convenient time.

While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot
has a rather messy fix involving adding a new interface to libc; this
has the awkward side effect of causing the sizes of some "symbols" (aka.
functions) in libc to change, resulting in cascading changes into many
binaries.  The long list of updated files is irritating, but isn't a
sign that anything in freebsd-update went wrong.

- -- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70oR8ACgkQFdaIBMps37IHEwCeNT8dws04qyJ8yuOz7g2xd9Xs
IsoAn0QfaSE6i90zFBuk1k0isvrDMYO3
=p94J
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Dec 23 17:25:00 2011
From: Tim Zingelman
Date: Fri, 23 Dec 2011 11:08:05 -0600 (CST)
Subject: Re: Merry Christmas from the FreeBSD Security Team
In-Reply-To: <4EF4A120.1000305@freebsd.org>

On Fri, 23 Dec 2011, FreeBSD Security Officer wrote:

> Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
> is a remote root vulnerability which is being actively exploited in the wild;
> bugs really don't come any worse than this. On the positive side, most people
> have moved past telnet and on to SSH by now; but this is still not an issue we
> could postpone until a more convenient time.

Is there any reason this would not apply to telnetd from most other
vendors? In particular MIT Kerberos & heimdal?
Thanks,
 - Tim

From: Colin Percival
Date: Fri, 23 Dec 2011 09:34:45 -0800
Subject: Re: Merry Christmas from the FreeBSD Security Team
Message-ID: <4EF4BBB5.2030900@freebsd.org>
References: <4EF4A120.1000305@freebsd.org>

On 12/23/11 09:08, Tim Zingelman wrote:
> On Fri, 23 Dec 2011, FreeBSD Security Officer wrote:
>> Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
>> is a remote root vulnerability which is being actively exploited in the wild;
>> bugs really don't come any worse than this. On the positive side, most people
>> have moved past telnet and on to SSH by now; but this is still not an issue we
>> could postpone until a more convenient time.
>
> Is there any reason this would not apply to telnetd from most other
> vendors? In particular MIT Kerberos & heimdal?

It probably applies to everyone shipping BSD telnetd -- I notified the
projects I could think of, but I'm sure I missed a few.

Heimdal is definitely affected. I don't think MIT Kerberos ships telnetd
any more... at least, I looked in their SVN tree and didn't find it.
-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid

From: Tim Zingelman
Date: Fri, 23 Dec 2011 11:49:20 -0600 (CST)
Subject: Re: Merry Christmas from the FreeBSD Security Team
In-Reply-To: <4EF4BBB5.2030900@freebsd.org>

On Fri, 23 Dec 2011, Colin Percival wrote:

> On 12/23/11 09:08, Tim Zingelman wrote:
>> On Fri, 23 Dec 2011, FreeBSD Security Officer wrote:
>>> Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
>>> is a remote root vulnerability which is being actively exploited in the wild;
>>> bugs really don't come any worse than this. On the positive side, most people
>>> have moved past telnet and on to SSH by now; but this is still not an issue we
>>> could postpone until a more convenient time.
>>
>> Is there any reason this would not apply to telnetd from most other
>> vendors? In particular MIT Kerberos & heimdal?
>
> It probably applies to everyone shipping BSD telnetd -- I notified the projects
> I could think of, but I'm sure I missed a few.
>
> Heimdal is definitely affected. I don't think MIT Kerberos ships telnetd any
> more... at least, I looked in their SVN tree and didn't find it.

As of version krb5-1.8 MIT Kerberos stripped all the applications out into
a separate krb5-appl bundle. Current version is krb5-appl-1.0.2 and it
ships with an apparently vulnerable telnetd. There is a FreeBSD package
security/krb5-appl of this maintained by cy.

Is there any test code available that could be run against a telnetd to
determine if it might be vulnerable or if it is patched against this
issue?
Thanks,
 - Tim

From: Peter Jeremy
Date: Sat, 24 Dec 2011 06:57:13 +1100
Subject: Re: Merry Christmas from the FreeBSD Security Team
Message-ID: <20111223195713.GA61589@server.vk2pj.dyndns.org>
In-Reply-To: <4EF4A120.1000305@freebsd.org>

On 2011-Dec-23 07:41:20 -0800, FreeBSD Security Officer wrote:
>The timing, to put it bluntly, sucks.

Since it's Saturday here, at the start of an extended holiday season, I
would tend to agree. That said, thanks for the explanation and I think
you made the right call.

> On the positive side, most people
>have moved past telnet and on to SSH by now;

I thought everyone had but an acquaintance explained that he has to run
telnet because his employer doesn't permit any encrypted outside access
so the employer can monitor all traffic.

Merry Christmas to the security team. Thanks for your efforts during
2011 and I hope you have a quiet and uneventful holiday period and 2012.

-- 
Peter Jeremy

From: Oliver Pinter
Date: Fri, 23 Dec 2011 23:12:13 +0100
Subject: Re: Merry Christmas from the FreeBSD Security Team
In-Reply-To: <20111223195713.GA61589@server.vk2pj.dyndns.org>

On 12/23/11, Peter Jeremy wrote:
> On 2011-Dec-23 07:41:20 -0800, FreeBSD Security Officer
> wrote:
>>The timing, to put it bluntly, sucks.
>
> Since it's Saturday here, at the start of an extended holiday season, I
> would tend to agree. That said, thanks for the explanation and I think
> you made the right call.
>
>> On the positive side, most people
>>have moved past telnet and on to SSH by now;
>
> I thought everyone had but an acquaintance explained that he has to run
> telnet because his employer doesn't permit any encrypted outside access
> so the employer can monitor all traffic.

The solution for this situation is BalaBit SCB.
http://www.balabit.com/network-security/scb

>
> Merry Christmas to the security team. Thanks for your efforts during
> 2011 and I hope you have a quiet and uneventful holiday period and 2012.
>
> --
> Peter Jeremy
>

From: Brett Glass
Date: Fri, 23 Dec 2011 17:19:18 -0700
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:07.chroot
Message-Id: <201112240019.RAA24110@lariat.net>
In-Reply-To: <201112231536.pBNFacgx078849@freefall.freebsd.org>

What ports, etc. must one recompile after applying this patch? It appears
to modify libc.
--Brett Glass

From: Ian Smith
Date: Sat, 24 Dec 2011 16:41:40 +1100 (EST)
Subject: Re: Merry Christmas from the FreeBSD Security Team
Message-ID: <20111224161408.R64681@sola.nimnet.asn.au>
In-Reply-To: <4EF4BBB5.2030900@freebsd.org>

On Fri, 23 Dec 2011 09:34:45 -0800, Colin Percival wrote:
> On 12/23/11 09:08, Tim Zingelman wrote:
> > On Fri, 23 Dec 2011, FreeBSD Security Officer wrote:
> >> Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
> >> is a remote root vulnerability which is being actively exploited in the wild;
> >> bugs really don't come any worse than this. On the positive side, most people
> >> have moved past telnet and on to SSH by now; but this is still not an issue we
> >> could postpone until a more convenient time.
> >
> > Is there any reason this would not apply to telnetd from most other
> > vendors? In particular MIT Kerberos & heimdal?
>
> It probably applies to everyone shipping BSD telnetd -- I notified the projects
> I could think of, but I'm sure I missed a few.

OS/2 Warp? Or do you figure IBM is big enough to look after itself? :)

On a less frivolous but probably too picky note, I guess it's obvious
enough that in the case of named (and telnet, if not run from inetd), one
needs to restart the server after patching as advised?

On behalf of Scrooges everywhere, thanks for these and all your work!

Solsticial cheers, Ian

From: Fabian Wenk
Date: Sat, 24 Dec 2011 11:56:34 +0100
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:07.chroot
Message-ID: <4EF5AFE2.8060708@wenks.ch>
In-Reply-To: <201112240019.RAA24110@lariat.net>

Hello Brett

On 24.12.2011 01:19, Brett Glass wrote:
> What ports, etc. must one recompile after applying this patch? It
> appears to modify libc.

Recompiling of ports is only needed when the port (the program) is
statically linked and so includes the libraries. Usually program binaries
are dynamically linked to the libraries, so a program loads the library
when it is needed. In this case the reboot takes care that running
daemons / programs use the new build of libc.

bye
Fabian

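A practical check that follows from Fabian's answer (and from Ian's earlier note about restarting daemons): after the libc update, the binaries that will NOT pick up the fix are the statically linked ones, because they carry their own copy of libc and must be rebuilt; everything dynamically linked only needs a restart or the reboot. The script below is an added example, not code from the list thread or from the FreeBSD project. It assumes file(1) is installed and that the ports prefix is /usr/local; the sample `file` output it ships with is constructed for the demonstration, and its paths are placeholders.

```shell
#!/bin/sh
# Added example: list installed executables that are statically linked and
# therefore embed their own libc (candidates for a rebuild after a libc
# security update). Dynamically linked programs are left alone: a restart
# (or the reboot) is enough for them.

# Classify one `file -b` description. Prints "static", "dynamic" or "other".
link_type() {
    case "$1" in
        *"statically linked"*)  echo static ;;
        *"dynamically linked"*) echo dynamic ;;
        *)                      echo other ;;
    esac
}

# Read "path: description" lines (the format file(1) prints) on stdin and
# print the paths of statically linked executables, one per line.
# Paths containing ": " would confuse the split; they are rare under a
# ports prefix.
static_paths() {
    while IFS= read -r line; do
        path=${line%%: *}
        desc=${line#*: }
        if [ "$(link_type "$desc")" = static ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Scan a directory tree (default: the ports prefix /usr/local) for
# statically linked executables. Only regular files with the owner execute
# bit are handed to file(1), which keeps the scan fast on large trees.
find_static_binaries() {
    dir=${1:-/usr/local}
    find "$dir" -type f -perm -100 -exec file {} + 2>/dev/null | static_paths
}

# Constructed sample of file(1) output (assumption: placeholder paths and
# descriptions in libmagic's usual wording) so the script runs offline.
SAMPLE_FILE_OUTPUT='/usr/local/sbin/example-ftpd: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 9.0, stripped
/usr/local/bin/example-static: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), statically linked, for FreeBSD 9.0, stripped
/usr/local/bin/example.sh: POSIX shell script, ASCII text executable'

# Run the classifier over the constructed sample; prints only the static one.
demo_static_paths() {
    printf '%s\n' "$SAMPLE_FILE_OUTPUT" | static_paths
}

# Usage: sh libc-static-check.sh             -> classify the constructed sample
#        sh libc-static-check.sh --scan DIR  -> scan DIR (default /usr/local)
case "${1:-}" in
    --scan) find_static_binaries "${2:-/usr/local}" ;;
    *)      demo_static_paths ;;
esac
```

Each path this prints is a port that needs `portupgrade -f` (or `make reinstall`) against the patched libc; anything not listed is dynamically linked and picks up the new libc the next time it is started, which is what the reboot in the advisory procedure guarantees. Run it with `--scan` on the real prefix after the system update; it reads nothing but the files' ELF headers.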
From: Xin LI
Date: Sat, 24 Dec 2011 03:22:48 -0800
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:07.chroot
In-Reply-To: <201112240019.RAA24110@lariat.net>

On Fri, Dec 23, 2011 at 4:19 PM, Brett Glass wrote:
> What ports, etc. must one recompile after applying this patch? It appears to
> modify libc.

proftpd has to be rebuilt with a new patch which is currently available
from portsnap. pureftpd and vsftpd are safe as far as I have tested.

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From: Dewayne Geraghty
Date: Sat, 24 Dec 2011 12:54:41 +1100
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-11:07.chroot - gcc 4.2.2+
Message-ID: <14084D15E2C949D5ACD68E678F704286@white>
In-Reply-To: <201112231536.pBNFadWk078864@freefall.freebsd.org>

Do the changes to libc imply that community members that install and
build their system using gcc 4.2.2+ will remain vulnerable? If so, should
the /usr/src/UPDATING reflect this ongoing exposure?

(I note that 8.2S uses gcc version 4.2.2 20070831 prerelease [FreeBSD];
9.0S has gcc 4.2.1)

Kind regards, Dewayne

From: Stuart Barkley
Date: Sat, 24 Dec 2011 16:21:06 -0500 (EST)
Subject: Re: Merry Christmas from the FreeBSD Security Team
References: <4EF4A120.1000305@freebsd.org>
 <20111223195713.GA61589@server.vk2pj.dyndns.org>

On 12/23/11, Peter Jeremy wrote:
> I thought everyone had but an acquaintance explained that he has to
> run telnet because his employer doesn't permit any encrypted outside
> access so the employer can monitor all traffic.

It is possible to run ssh on port 23. This can be a good way to run a
"more secure telnet" service. This might not work if the firewall does
deep packet inspection on the telnet traffic. As usual, be cautious in
doing this.

On Fri, 23 Dec 2011 at 17:12 -0000, Oliver Pinter wrote:
> The solution for this situation is BalaBit SCB.
>
> http://www.balabit.com/network-security/scb

This had me scared for a bit, but it looks like an interesting box. It
seems intended to control/audit/log ssh (and other protocol)
administrative access to systems you own and control. It can play
man-in-the-middle if you are willing to give it your host private keys.
It looks like it can also man-in-the-middle if you accept its own host
keys (e.g. don't already have the host public key or don't verify the
fingerprint on a new public key). In other modes of operation you know
you are connecting to this device and it then forwards the connection on
to the remote systems.

It could probably be abused for use on outgoing connections, but I doubt
it has the necessary capacity for large traffic volumes. Since outside
systems shouldn't give out their private keys, it should be obvious if
something like this is in use.
Stuart Barkley
-- 
I've never been lost; I was once bewildered for three days, but never lost!
--  Daniel Boone

From: Steve Clement
Date: Sat, 24 Dec 2011 23:31:11 +0100
Subject: Re: Merry Christmas from the FreeBSD Security Team
Message-Id: <35589C3B-0C5F-4260-A2AD-386C2B19756C@localhost.lu>
References: <4EF4A120.1000305@freebsd.org>
 <20111223195713.GA61589@server.vk2pj.dyndns.org>

On Dec 24, 2011, at 10:21 PM, Stuart Barkley wrote:

>> The solution for this situation is BalaBit SCB.
>>
>> http://www.balabit.com/network-security/scb
>
> This had me scared for a bit, but it looks like an interesting box.

This scared me too. And IMHO reading your logs would help as well.

Putting another layer on top of it (which might have additional vulns
etc etc) only makes it more obscure. It also won't save you if you never
read your logs until now.

So rock over to: /var/log and have fun ;)

cheers,
Steve

-- 
The Hackerspace in Luxembourg!
SYN2cat Hackerspace.lu A.S.B.L.
11, rue du Cimetière | L-8018 Strassen
http://www.hacker.lu
xmpp:SteveClement@jabber.hackerspaces.org
mailto:steve@localhost.lu
https://www.twitter.com/SteveClement
.lu: +352 20 333 55 65