From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:21.amd64
Reply-To: freebsd-security@freebsd.org
Message-Id: <20150825212749.A9D8416BC@freefall.freebsd.org>
Date: Tue, 25 Aug 2015 21:27:49 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:21.amd64                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Local privilege escalation in IRET handler

Category:       core
Module:         sys_amd64
Announced:      2015-08-25
Credits:        Konstantin Belousov, Andrew Lutomirski
Affects:        FreeBSD 9.3 and FreeBSD 10.1
Corrected:      2015-03-31 00:59:30 UTC (stable/10, 10.1-STABLE)
                2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
                2015-03-31 01:08:51 UTC (stable/9, 9.3-STABLE)
                2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24)
CVE Name:       CVE-2015-5675

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD/amd64 is commonly used on 64-bit systems with AMD and Intel
CPUs.  The GS segment CPU register is used by both user processes and
the kernel to conveniently access state data: 32-bit user processes use
the register to manage per-thread data, while the kernel uses it to
access per-processor data.

The return from interrupt (IRET) instruction returns program control
from an interrupt handler to the interrupted context.

II.  Problem Description

If the kernel-mode IRET instruction generates an #SS or #NP exception,
but the exception handler does not properly ensure that the kernel's GS
register base is reloaded, the userland GS segment base may be used in
the context of the kernel exception handler.

III. Impact

By causing an IRET with #SS or #NP exceptions, a local attacker can
cause the kernel to use an arbitrary GS base, which may allow escalated
privileges or panic the system.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch
# fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch.asc
# gpg --verify amd64.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r280877
releng/9.3/                                                       r287147
stable/10/                                                        r280875
releng/10.1/                                                      r287146
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.7 (FreeBSD)

iQIcBAEBCgAGBQJV3Ne8AAoJEO1n7NZdz2rn5ncQANs2pS8xCowX+BM9LmKTUb2Y
eqGCvDetXV51/ljAOS10ubc4U0Zn2D5ACyz/DfiLIXVK8vkvlnJXFh3jSK6KIqPH
ionXa8zMedBoytZL8xIEFSpk9+cYGkGupIYEGu6CCHVZGJ5fVgTlnnazuXd4evbt
U1/7KNWt2H1R1j0YiYZ0MvhrIF35KqFmLOGf2JmZulqruwq91tYeMlv+7IY6vtPD
L8n5kTM7pudB3qznXd1PBMj1Y6YVG1O3WL4Stfyj93qDuMbJ+wfnao1ZKMBG0az8
IJITHrnTI+Xd4i/bbEoSmSN9V80S8uo/6J6JaXjtbrJfEqAMKhLrrcoMA7MHpKJQ
L4dv2HGL1n7xfOIfj5Qo2io/LUSye5lO54LtEKZfjhzqsTtNQl57BDAYZgbQp2/A
RsngIq3VrNcIJQK8F1Ba7SNL2+NVd091Wb+Z52837R5/D47jD2BhDia5eH6R5Opv
6kfzTJujbLi6b9RSn0OT+wAQbQ80qSmD+IwMXwAAg0mukthjTiJpqabpMWvMmfGO
mhfZBGqmf1Hx4lTczSRMLlRCmjOBc+BKioHT2ciE8QMX0WrHhkRuSBqY3euVTCMB
9+iU7eJ23tARTbG5wMmBNRsWJzhOKieM0UEsXxso+z8tMMX1Vh/e9ls2qm+ks876
WYT9/yPSsyU1z/AkHJU7
=nHGY
-----END PGP SIGNATURE-----

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
Reply-To: freebsd-security@freebsd.org
Message-Id: <20150825212749.BD2C916C6@freefall.freebsd.org>
Date: Tue, 25 Aug 2015 21:27:49 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:22.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH multiple vulnerabilities

Category:       contrib
Module:         openssh
Announced:      2015-08-25
Affects:        All supported versions of FreeBSD.
Corrected:      2015-08-25 20:48:44 UTC (stable/10, 10.2-STABLE)
                2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RC3-p2)
                2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RELEASE-p2)
                2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
                2015-08-25 20:48:44 UTC (stable/9, 9.3-STABLE)
                2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.  The
default FreeBSD OpenSSH configuration has PAM interactive
authentication enabled.

Privilege separation is a technique in which a program is divided into
multiple cooperating processes, each with a different task, where each
process is limited to the specific privileges required to perform that
specific task, while the privileged parent process acts as an arbiter.

II.  Problem Description

A programming error in the privileged monitor process of the sshd(8)
service may allow the username of an already-authenticated user to be
overwritten by the unprivileged child process.

A use-after-free error in the privileged monitor process of the sshd(8)
service may be deterministically triggered by the actions of a
compromised unprivileged child process.

A use-after-free error in the session multiplexing code in the sshd(8)
service may result in unintended termination of the connection.

III. Impact

The first bug may allow a remote attacker who a) has already succeeded
by other means in compromising the unprivileged pre-authentication child
process and b) has valid credentials to one user on the target system
to impersonate a different user.

The second bug may allow a remote attacker who has already succeeded by
other means in compromising the unprivileged pre-authentication child
process to bypass PAM authentication entirely.

The third bug is not exploitable, but can cause premature termination
of a multiplexed ssh connection.

IV.  Workaround

No workaround is available, but systems where ssh(1) and sshd(8) are
not used are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The sshd(8) service has to be restarted after the update.  A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The sshd(8) service has to be restarted after the update.  A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:22/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-15:22/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the sshd(8) daemon, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r287144
releng/9.3/                                                       r287147
stable/10/                                                        r287144
releng/10.1/                                                      r287146
releng/10.2/                                                      r287145
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.7 (FreeBSD)

iQIcBAEBCgAGBQJV3Ne8AAoJEO1n7NZdz2rnxq8P/jW05a6zT9n78wxBuHwRJ9gx
7+CN9AsezavW4HmZF4GmWt6SjnJqpLDMwnhceo7po6ZMIxjyWwxBWWfvUwVqezwa
kT+DS7oHKmeZAwCSFMj9K25NN+x7KAwXXiiANcj4U4iU+q0YrcEGVIBKVqCAn3ly
pJAkMxdTbwlWR7MaPaTMbMenVOs87b6Xx/4gfSBWolFWz9bKfdTYCxK/AnULVIZq
Q7lShezEvgyCb8b6QLvnrY4AwHtVduiYxnvNKv8ysbaatZCarkRS8nh68zGcdTBg
IyzG5OEtUFokVkroJaLWFXL1mUp7tgn9+UNd0/53wFN2DTZKw9oTAkKn8xrbbOSa
xQqYFhsmqsnKlBJMEMaoK9JgGZZ6xOGo3JZ6yrFfYxiZ9xFaR843rOUe0UVrxh+L
+2DmALTyLWSkeqlcg66oKqYKMQuvUyd6VpPL0yHpB0AqBTjKjUmG9RgG8AT5MpqW
P3weyD0n7rOCBfagofx8MIy15REwjcQSUptarWrMwhJPua95RJ/IAVIIThGrMzZ5
PxyWDFU7B/56FRlmX5+6mfi/NC60yIyR6lg0trBtuiiEfNV+HWz6QXOIUMYQvvo9
w8fXSy6MJ12jTFqm0+CXbx2wWEVxAZS/wtLDsa3nf2oGkO3upzFl0/fvsR1dZ/hl
plo/3SMPpFFbfvIhy2V/
=2w70
-----END PGP SIGNATURE-----

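Both advisories above give, in their "Corrected:" fields, the first patch level of each release branch that carries the fix (9.3-RELEASE-p24 and 10.1-RELEASE-p19 for SA-15:21; those two plus 10.2-RELEASE-p2 for SA-15:22). The following POSIX sh function is an added example, not part of either advisory or of the FreeBSD tools: it parses the string printed by freebsd-version(1) on 10.x (`-k` for the running kernel, which is what SA-15:21 patches; `-u` for the installed userland, which is what the sshd fix in SA-15:22 lands in) and reports whether that system is at or past the fixed patch level. The patch levels are copied from the advisories; the function names, the status words and the script file name in the usage comment are this example's own.

```shell
#!/bin/sh
# Added example, not from the FreeBSD advisories: compare a freebsd-version(1)
# string with the first fixed patch level named in SA-15:21 (amd64 IRET) or
# SA-15:22 (openssh).

# First fixed patch level per advisory and release, from the "Corrected:"
# fields.  Releases an advisory does not list (for example 10.2 under
# SA-15:21, which was branched after the stable/10 fix) report "not-listed".
fixed_patchlevel() {
    # $1 = advisory id, $2 = release number such as "10.1"
    case "$1/$2" in
        "SA-15:21/9.3")  echo 24 ;;   # 9.3-RELEASE-p24
        "SA-15:21/10.1") echo 19 ;;   # 10.1-RELEASE-p19
        "SA-15:22/9.3")  echo 24 ;;   # 9.3-RELEASE-p24
        "SA-15:22/10.1") echo 19 ;;   # 10.1-RELEASE-p19
        "SA-15:22/10.2") echo 2  ;;   # 10.2-RELEASE-p2
        *)               echo ""  ;;
    esac
}

# sa_status ADVISORY VERSION prints one of:
#   patched | vulnerable | not-listed | not-release
# VERSION is the output of "freebsd-version -k" (kernel, for SA-15:21) or
# "freebsd-version -u" (userland, for SA-15:22), e.g. "10.1-RELEASE-p18".
sa_status() {
    adv=$1
    ver=$2
    rel=${ver%%-*}                           # "10.1-RELEASE-p18" -> "10.1"
    case "$ver" in
        *-RELEASE-p*) plevel=${ver##*-p} ;;  # "...-p18" -> 18
        *-RELEASE)    plevel=0 ;;            # release with no patches applied
        *)
            # -STABLE, -CURRENT and -RCn builds carry no patch level; for
            # those compare the build date with the "Corrected:" timestamps.
            echo not-release
            return 0
            ;;
    esac
    need=$(fixed_patchlevel "$adv" "$rel")
    if [ -z "$need" ]; then
        echo not-listed
    elif [ "$plevel" -ge "$need" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Stand-alone use on a FreeBSD host (file name is hypothetical):
#   sh sa_status.sh SA-15:22 "$(freebsd-version -u)"
if [ "$#" -eq 2 ]; then
    sa_status "$1" "$2"
fi
```

The kernel/userland split matters for SA-15:22: a host whose kernel reports 10.1-RELEASE-p19 but whose userland was not reinstalled still runs the old sshd, so it is the `-u` value that should be checked there, and sshd must be restarted afterwards as the advisory says.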
Subject: Re: Quarterly packages and security updates...
To: Mason Loring Bliss
Cc: freebsd-security@freebsd.org
From: Bryan Drewery
Organization: FreeBSD
Message-ID: <55DCF3F9.4040304@FreeBSD.org>
Date: Tue, 25 Aug 2015 16:02:17 -0700
In-Reply-To: <20150813211528.GK24069@FreeBSD.org>

On 8/13/2015 2:15 PM, Glen Barber wrote:
> On Thu, Aug 13, 2015 at 05:01:29PM -0400, Mason Loring Bliss wrote:
>> On Thu, Aug 13, 2015 at 08:40:23PM +0000, Glen Barber wrote:
>>
>>> [info@ removed, not sure why that email address was included.]
>>
>> I'm hoping for pressure from above, as this is an important step that's
>> evidently being taken without quarterly branch security being bumped up in
>> priority. It seems to come as a surprise to many folks, and certainly I
>> wasn't aware of it until last week. (Also, board@ is now deprecated.)
>>
> 
> "Putting pressure" isn't the role of the Foundation.
> 
> Quarterly package builds happen every few days (two, if I remember
> correctly), and as I was writing this reply, an updated package set for
> 10.x i386 was made available.
> 

[I run the package builds]

Correct, two. I think the biggest problem is just the frequency of
builds. The items listed in the `pkg audit' output are normally
backported to the quarterly branch quickly. I am exploring ways of
making the quarterly builds run multiple times per day.

-- 
Regards,
Bryan Drewery

Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
To: freebsd-security@freebsd.org
From: Mike Tancsa
Organization: Sentex Communications
Message-ID: <55DE0E74.4040000@sentex.net>
Date: Wed, 26 Aug 2015 15:07:32 -0400
In-Reply-To: <20150825212749.C154016C9@freefall.freebsd.org>

On 8/25/2015 5:27 PM, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-15:22.openssh                                    Security Advisory
>
> Topic:          OpenSSH multiple vulnerabilities
> Affects:        All supported versions of FreeBSD.

I know RELENG_8 is no longer supported, but does this issue impact
FreeBSD 8.x ?
---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
To: Mike Tancsa, freebsd-security@freebsd.org
From: Bryan Drewery
Message-ID: <55DE1F01.70907@shatow.net>
Date: Wed, 26 Aug 2015 13:18:09 -0700
In-Reply-To: <55DE0E74.4040000@sentex.net>

On 8/26/2015 12:07 PM, Mike Tancsa wrote:
> On 8/25/2015 5:27 PM, FreeBSD Security Advisories wrote:
>> =============================================================================
>> FreeBSD-SA-15:22.openssh                                    Security Advisory
>>
>> Topic:          OpenSSH multiple vulnerabilities
>> Affects:        All supported versions of FreeBSD.
>
> I know RELENG_8 is no longer supported, but does this issue impact
> FreeBSD 8.x ?

Yes. The port (not quarterly one) is fully updated to 7.1 with the fixes
as a workaround.
-- 
Regards,
Bryan Drewery
bdrewery@freenode/EFNet


From: Dag-Erling Smørgrav
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
Date: Thu, 27 Aug 2015 09:24:16 +0200
In-Reply-To: <55DE0E74.4040000@sentex.net> (Mike Tancsa's message of "Wed, 26 Aug 2015 15:07:32 -0400")
Message-ID: <86h9nlqjmn.fsf@nine.des.no>

Mike Tancsa writes:
> I know RELENG_8 is no longer supported, but does this issue impact
> FreeBSD 8.x ?

Note that of the three issues mentioned here, one is not exploitable by
an attacker and the other two presuppose a compromised pre-auth child.
DES
-- 
Dag-Erling Smørgrav - des@des.no


Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
From: Mike Tancsa
Organization: Sentex Communications
Message-ID: <55DF0BBD.1080206@sentex.net>
Date: Thu, 27 Aug 2015 09:08:13 -0400
In-Reply-To: <86h9nlqjmn.fsf@nine.des.no>

On 8/27/2015 3:24 AM, Dag-Erling Smørgrav wrote:
> Mike Tancsa writes:
>> I know RELENG_8 is no longer supported, but does this issue impact
>> FreeBSD 8.x ?
>
> Note that of the three issues mentioned here, one is not exploitable by
> an attacker and the other two presuppose a compromised pre-auth child.

For the latter two, I am trying to understand in the context of a shared
hosting system. Could one user with sftp access to their own directory
use these bugs to gain access to another user's account ?

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
From: Borja Marcos
To: Mike Tancsa
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Date: Thu, 27 Aug 2015 15:19:04 +0200
In-Reply-To: <55DF0BBD.1080206@sentex.net>

On Aug 27, 2015, at 3:08 PM, Mike Tancsa wrote:

> On 8/27/2015 3:24 AM, Dag-Erling Smørgrav wrote:
> For the latter two, I am trying to understand in the context of a shared
> hosting system. Could one user with sftp access to their own directory
> use these bugs to gain access to another user's account ?

Straightforward Unix permissions aren't really suited to such an
application. You need everything to be world readable by an unprivileged
WWW server.

In such a setup we were successful by using a combination of mac/biba
for integrity, ugidfw for effective user separation, and removing all
the setuid permissions from the system.

Otherwise, a non-chrooted hosting user will have at least read only
access to the neighbors.

Borja.
Date: Thu, 27 Aug 2015 16:27:06 +0300
From: Peter Pentchev
To: Borja Marcos
Cc: Mike Tancsa, Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
Message-ID: <20150827132706.GB4751@straylight.m.ringlet.net>

On Thu, Aug 27, 2015 at 03:19:04PM +0200, Borja Marcos wrote:
> 
> On Aug 27, 2015, at 3:08 PM, Mike Tancsa wrote:
> 
> > On 8/27/2015 3:24 AM, Dag-Erling Smørgrav wrote:
> > For the latter two, I am trying to understand in the context of a shared
> > hosting system. Could one user with sftp access to their own directory
> > use these bugs to gain access to another user's account ?
> 
> Straightforward Unix permissions aren't really suited to such an application. You need everything to be
> world readable by an unprivileged WWW server.
> 
> In such a setup we were successful by using a combination of mac/biba for integrity, ugidfw for
> effective user separation, and removing all the setuid permissions from the system.
> 
> Otherwise, a non-chrooted hosting user will have at least read only access to the neighbors.

Hmm, this doesn't necessarily need to be true.  When I set up a shared
hosting system some years ago, we put all the users in a single primary
group, then all their home directories had u+rwx,g-a,o+x Unix access
permissions.  It seemed to work for keeping them out of each other's
homes and for letting both the webserver and the SSH server peek inside.

Of course, this would still allow somebody to explicitly modify the
access permissions of her own home directory, but, first off, I don't
think there ever was such a case, and we also had a periodic check for
this as well as some other silly things that people always manage to do
(and, yes, "people" here does include myself, too).
G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net roam@FreeBSD.org pp@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

From owner-freebsd-security@freebsd.org Thu Aug 27 13:51:02 2015
Date: Thu, 27 Aug 2015 15:50:58 +0200
From: Dag-Erling Smørgrav <des@des.no>
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
Message-ID: <864mjkrgal.fsf@nine.des.no>
In-Reply-To: <55DF0BBD.1080206@sentex.net> (Mike Tancsa's message of "Thu, 27 Aug 2015 09:08:13 -0400")

Mike Tancsa writes:
> For the latter two, I am trying to understand in the context of a shared
> hosting system. Could one user with sftp access to their own directory
> use these bugs to gain access to another user's account ?

Once again: both of these are attacks on the main sshd process by the
unprivileged child process, so the attacker first has to gain control of
said child using some other vulnerability.  There is currently no known
way to exploit them.  The reason why an advisory was issued is that by
definition, the unprivileged child is assumed to be hostile.
http://blog.des.no/2015/08/openssh-pam-and-user-names/

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Thu Aug 27 18:01:44 2015
Date: Thu, 27 Aug 2015 13:55:37 -0400
From: Robert Sargent <robtsgt@sgt.com>
To: freebsd-security@freebsd.org
Subject: sendmail server sending milter data after latest FreeBSD upgrade
Message-Id: <201508271755.t7RHtdjO009327@sgt.com>

Hi,

After rebuilding my systems after the latest openssl/iret handler I
noticed some incoming email sessions were failing.  The failures were
primarily from hotmail.com, outlook.com, google.com and me.com.  The
SMTP server [sendmail v 8.15.2] logs contained lines like this:

Aug 27 14:41:22 tusk sm-mta[18366]: t7REfKQd018366: col004-omc4s12.hotmail.com [65.55.34.214] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

I captured some packets with tcpdump and read them with wireshark.
The failed session packets' contents indicated after the SYN, SYN, ACK
3-way handshake I would send out

Response: milter_negotiate(milter-regex): send: version 6, fflags 0x1ff, pflags 0x1fffff\n

I then rec'd an ACK from the client and then I would send out more
milter data like:

Response: milter_negotiate(milter-regex): received: version 6, fflags 0x20, pflags 0x300\n
Response: milter_negotiate(opendkim): send: version 6, fflags 0x1ff, pflags 0x1fffff\n
Response: milter_negotiate(opendkim): received: version 6, fflags 0x111, pflags 0x100702\n
Response: milter_negotiate(smf-spf): send: version 6, fflags 0x1ff, pflags 0x1fffff\n
Response: milter_negotiate(smf-spf): received: version 6, fflags 0x1d, pflags 0x350\n
Response: milter_negotiate(greylist): send: version 6, fflags 0x1ff, pflags 0x1fffff\n
Response: milter_negotiate(greylist): received: version 6, fflags 0x13, pflags 0x100\n
Response: milter_negotiate(clmilter): send: version 6, fflags 0x1ff, pflags 0x1fffff\n
Response: milter_negotiate(clmilter): received: version 6, fflags 0x31, pflags 0x342\n

The client would then ACK and I would send out my normal SMTP greeting:

Response: 220 tusk.sgt.com ESMTP Sendmail 8.15.2/8.14.9; Thu, 27 Aug 2015 12:24:38 GMT\r\n

Then the client would send a FIN

-------------------

Needless to say I was concerned and tried restarting sendmail and
associated milters, no change, I kept sending out milter data to the
client.

I tried reinstalling sendmail from both pkgs and ports, no change.

I finally rebooted the system and the problem "went away".

There was no problem with incoming hotmail, google, apple emails prior
to this latest OS upgrade.

uname -a:
FreeBSD tusk.sgt.com 9.3-RELEASE-p24 FreeBSD 9.3-RELEASE-p24 #10 r287147: Tue Aug 25 23:19:33 UTC 2015     root@tusk.sgt.com:/usr/obj/usr/src/sys/SGT93AMD64ZFS  amd64

Is this a known problem?  Any ideas WTF is [was] going on?  Any
suggestions on what to do next time it happens [short of rebooting]?
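A conformance check for the symptom described above, as an added example (not Rob's code or sendmail's): it reads the server's side of an SMTP session and flags anything written before the greeting that is not a reply line. The transcripts are constructed, the hostnames and milter name are made up, and `smtp_probe` assumes a BSD-style nc(1) that accepts -w.

```shell
#!/bin/sh
# Added example, not Rob's code or sendmail's: a conformance check for the
# session described above.  RFC 5321 says the first thing a server writes
# on a new connection is a greeting reply (normally 220, or 554 to refuse
# service), and every reply line is a three-digit code followed by a space
# or a hyphen.  Text such as milter negotiation output arriving before the
# greeting is not protocol, and a strict client has every reason to hang
# up, which is consistent with the FIN seen right after the banner above.

# smtp_greeting_check < transcript
# Reads the server-to-client side of a session, one server line per input
# line, and prints "PREBANNER: <line>" for each non-reply line seen before
# the greeting.  Exit status 0 if the greeting was the first thing sent,
# 1 otherwise.
smtp_greeting_check() {
    awk '
        BEGIN { bad = 0; greeted = 0 }
        { sub(/\r$/, "") }                        # tolerate CRLF line endings
        greeted { next }                          # after the banner nothing matters here
        /^(220|554)[ -]/ { greeted = 1; next }    # the legitimate greeting
        /^[2-5][0-9][0-9][ -]/ { next }           # another reply code: odd, but protocol
        { bad++; printf "PREBANNER: %s\n", $0 }
        END {
            if (!greeted) { print "NO-BANNER: server never sent a greeting"; bad++ }
            printf "%d non-protocol line(s) before greeting\n", bad
            exit (bad > 0)
        }'
}

# smtp_probe HOST [PORT]
# Live variant for the next time it happens: open a connection to your own
# server, send only QUIT, and check what it wrote back.  Assumes a
# BSD-style nc(1) that takes -w as a timeout; not run here.
smtp_probe() {
    printf 'QUIT\r\n' | nc -w 5 "$1" "${2:-25}" | smtp_greeting_check
}

# Constructed transcripts modelled on the session in the message above
# (hostnames and milter names are made up, not Rob's data).
SAMPLE_BAD='milter_negotiate(example-milter): send: version 6, fflags 0x1ff, pflags 0x1fffff
milter_negotiate(example-milter): received: version 6, fflags 0x20, pflags 0x300
220 mail.example.net ESMTP Sendmail 8.15.2/8.14.9; Thu, 27 Aug 2015 12:24:38 GMT'
SAMPLE_GOOD='220-mail.example.net ESMTP Sendmail
220 ready'
```

Run `printf '%s\n' "$SAMPLE_BAD" | smtp_greeting_check` to see the two leaked milter lines reported; the same function also accepts a saved transcript exported from wireshark.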
Please do not publicly release any of my site/domain specific data.

tcpdumpfile attached.

Thanks,
Rob

[Attachment: tcpdumpfile (application/octet-stream), base64 body omitted]
From owner-freebsd-security@freebsd.org Sat Aug 29 16:29:23 2015
Date: Sat, 29 Aug 2015 18:29:02 +0200
From: "Julian H. Stacey" <jhs@berklix.com>
Organization: http://berklix.com BSD Linux Unix Consultants, Munich Germany
To: freebsd-security@freebsd.org
Subject: Is there a policy to delay & batch errata security alerts ?
Message-Id: <201508291629.t7TGT3nn084958@fire.js.berklix.net>

Re. 8 Errata & Advisories since Fri, 14 Aug 2015 00:06:45 +0000
10.2-RELEASE announcement.  eg
	Sender: owner-freebsd-announce@freebsd.org
	To: FreeBSD Errata Notices

Each release, a wave of alerts flood after.  The bigger the wave, the
more users will have insufficient time, & skip the lot.  Moving some of
the flood away from after release weeks would increase their security.

New bug alerts on new releases are OK immediately, but some alerts seem
perhaps existing issues delayed to check & also include latest release,
they add to the flood & could be alerted some earlier, some later ?

Presumably there's no delays eg for PR, giving longer quiet periods
before a release, slipping out bad news immediately after good.
What else might be causing batch flooding of alerts ?

Cheers,
Julian
-- 
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
 Reply after previous text, like a play - Not before, which loses context.
 Indent previous text with "> "        Insert new lines before 80 chars.
 Send plain text, Not quoted-printable, Not HTML, Not ms.doc, Not base64.
 Subsidise contraception V. Global warming, pollution, famine, migration.

From owner-freebsd-security@freebsd.org Sat Aug 29 16:43:51 2015
Date: Sat, 29 Aug 2015 12:38:36 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Julian H. Stacey"
cc: freebsd-security@freebsd.org
Subject: Re: Is there a policy to delay & batch errata security alerts ?
In-Reply-To: <201508291629.t7TGT3nn084958@fire.js.berklix.net>

On Sat, 29 Aug 2015, Julian H. Stacey wrote:

> Presumably there's no delays eg for PR, giving longer quiet periods before
> a release, slipping out bad news immediately after good.

That seems highly unlikely.

> What else might be causing batch flooding of alerts ?
It's an awful lot of work to actually put all the pieces together to
release security advisories; batching reduces the workload for the team.
This is true no matter what project you look at, be it FreeBSD or MIT
Kerberos (where I am on the security team and can speak from personal
experience) or something else.  This is why errata notices are delayed
until they can go out with a security advisory; it's explicitly a way to
reduce the workload on the security team.

-Ben Kaduk