From owner-freebsd-security@freebsd.org Sat Jan 23 17:15:38 2016
From: Kevin Oberman <kob6558@gmail.com>
To: Dag-Erling Smørgrav
Cc: Julian Elischer, FreeBSD Current, FreeBSD-STABLE Mailing List, freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Date: Sat, 23 Jan 2016 09:15:36 -0800
In-Reply-To: <861t98e1el.fsf@desk.des.no>
References: <86mvrxvg79.fsf@desk.des.no> <56A2DE54.6070603@freebsd.org> <861t98e1el.fsf@desk.des.no>

On Sat, Jan 23, 2016 at 7:55 AM, Dag-Erling Smørgrav wrote:
> Julian Elischer writes:
> > what is the internal window size in the new ssh?
>
> 64 kB.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no

Are you sure of this? I have not looked at the code, but my former
colleagues at the high performance research network ESnet claim at
http://fasterdata.es.net/data-transfer-tools/say-no-to-scp/ that the
internal buffers and effective window size have recently been increased
from 64KB to 1MB and allow for transfer rates of up to 140 Mbps over a link
with 53 ms latency.
With the HPN patches, they report 1.2 Gbps, making HPN patches still
significant over high latency paths.

That said, scp still performed poorly when compared to other technologies
(i.e. GridFTP) for bulk data transfer over high-latency high-bandwidth
links. (ESnet provides links of up to 400 Gbps between the US and Europe as
well as within the US, so this sort of thing is quite important to them.)
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

From owner-freebsd-security@freebsd.org Sat Jan 23 21:23:29 2016
From: Michael Sinatra <michael+lists@burnttofu.net>
To: Kevin Oberman, Dag-Erling Smørgrav
Cc: FreeBSD-STABLE Mailing List, FreeBSD Current, Julian Elischer, freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Message-ID: <56A3EF4C.20403@burnttofu.net>
Date: Sat, 23 Jan 2016 13:23:24 -0800
On 01/23/16 09:15, Kevin Oberman wrote:
> Are you sure of this? I have not looked at the code, but my former
> colleagues at the high performance research network ESnet claim at
> http://fasterdata.es.net/data-transfer-tools/say-no-to-scp/ that the
> internal buffers and effective window size have recently been increased
> from 64KB to 1MB and allow for transfer rates of up to 140 Mbps over a link
> with 53 ms latency. With the HPN patches, they report 1.2 Gbps, making HPN
> patches still significant over high latency paths.

DES wrote:
> The buffer code in 7.1
> supports dynamically-sized buffers with a hard limit of 128 MB. The
> default window size for client sessions is 2 MB, or 1 MB if associated
> with a tty.

I'm not sure what the maximum size is. I'll try to do some cross-country
or trans-Atlantic testing this weekend or next week, using a mix of ssh
versions and HPN-patched versus not (and CentOS vs. FreeBSD vs. possibly
Debian unstable with the 4.2+ kernel as yet another degree of freedom).
I'll see what basic results I can get and we can update fasterdata.es.net
as necessary.

> That said, scp still performed poorly when compared to other technologies
> (i.e. GridFTP) for bulk data transfer over high-latency high-bandwidth
> links.
> (ESnet provides links of up to 400 Gbps between the US and Europe as
> well as within the US, so this sort of thing is quite important to them.)

That it is!

> scp is a horrible protocol, use sftp or (preferably) rsync over ssh.

I still think over-ssh transport is lousy for bulk-data transfers, but it
is the one thing that's generally installed by default on every OS and is
allowed by many firewalls. And, of course, it encrypts in flight.
Certainly gridFTP, aspera (if you can afford it!) and other packages
optimized for bulk data transfer will work better.

michael
ESnet

From owner-freebsd-security@freebsd.org Sun Jan 24 14:18:52 2016
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Dag-Erling Smørgrav
Cc: freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Message-ID: <20160124141847.GM37895@zxy.spb.ru>
Date: Sun, 24 Jan 2016 17:18:47 +0300
In-Reply-To: <86mvrxvg79.fsf@desk.des.no>
On Fri, Jan 22, 2016 at 03:31:22PM +0100, Dag-Erling Smørgrav wrote:
> The HPN and None cipher patches have been removed from FreeBSD-CURRENT.
> I intend to remove them from FreeBSD-STABLE this weekend.

Can you give a short discourse on ssh+kerberos?
I am trying to use FreeBSD with $HOME over Kerberized NFS.
For Kerberized NFS, gssd needs to find a cache file "called
/tmp/krb5cc_, where is the effective uid for the RPC
caller" (from `man gssd`).

sshd, by contrast, creates the cache file for the received ticket as
/tmp/krb5cc_XXXXXXX (random string, created by krb5_cc_new_unique). Is
this a strong security requirement, or can [FreeBSD/upstream] be patched
(or an option introduced) to use /tmp/krb5cc_ as the cache file for the
received ticket?

From owner-freebsd-security@freebsd.org Sun Jan 24 14:50:45 2016
From: Dag-Erling Smørgrav <des@des.no>
To: Slawa Olhovchenkov
Cc: freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Date: Sun, 24 Jan 2016 15:50:45 +0100
In-Reply-To: <20160124141847.GM37895@zxy.spb.ru>
Message-ID: <86oacbc9q2.fsf@desk.des.no>

Slawa Olhovchenkov writes:
> Can you give a short discourse on ssh+kerberos?
> I am trying to use FreeBSD with $HOME over Kerberized NFS.
> For Kerberized NFS, gssd needs to find a cache file "called
> /tmp/krb5cc_, where is the effective uid for the RPC
> caller" (from `man gssd`).
>
> sshd, by contrast, creates the cache file for the received ticket as
> /tmp/krb5cc_XXXXXXX (random string, created by krb5_cc_new_unique). Is
> this a strong security requirement, or can [FreeBSD/upstream] be patched
> (or an option introduced) to use /tmp/krb5cc_ as the cache file for the
> received ticket?

I wasn't aware of that.
It should be easy to patch, but in the meantime, you can try something
like this in .bashrc or whatever:

krb5cc_uid="/tmp/krb5cc_$(id -u)"
if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME}" != "${krb5cc_uid}" ] ; then
    if mv "${KRB5CCNAME}" "${krb5cc_uid}" ; then
        export KRB5CCNAME="${krb5cc_uid}"
    else
        echo "Unable to rename krb5 credential cache" >&2
    fi
fi
unset krb5cc_uid

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Sun Jan 24 15:02:13 2016
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Dag-Erling Smørgrav
Cc: freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Message-ID: <20160124150211.GQ88527@zxy.spb.ru>
Date: Sun, 24 Jan 2016 18:02:11 +0300
In-Reply-To: <86oacbc9q2.fsf@desk.des.no>
On Sun, Jan 24, 2016 at 03:50:45PM +0100, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Can you give a short discourse on ssh+kerberos?
> > I am trying to use FreeBSD with $HOME over Kerberized NFS.
> > For Kerberized NFS, gssd needs to find a cache file "called
> > /tmp/krb5cc_, where is the effective uid for the RPC
> > caller" (from `man gssd`).
> >
> > sshd, by contrast, creates the cache file for the received ticket as
> > /tmp/krb5cc_XXXXXXX (random string, created by krb5_cc_new_unique). Is
> > this a strong security requirement, or can [FreeBSD/upstream] be patched
> > (or an option introduced) to use /tmp/krb5cc_ as the cache file for the
> > received ticket?
>
> I wasn't aware of that. It should be easy to patch, but in the

Yes, I have already done an ugly patch for myself (2 files need to be
patched), but a patch upstream is preferred.

> meantime, you can try something like this in .bashrc or whatever:

Impossible. For accessing .bashrc on Kerberized NFS you need the correct
/tmp/krb5cc_.
> krb5cc_uid="/tmp/krb5cc_$(id -u)"
> if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME}" != "${krb5cc_uid}" ] ; then
>     if mv "${KRB5CCNAME}" "${krb5cc_uid}" ; then
>         export KRB5CCNAME="${krb5cc_uid}"
>     else
>         echo "Unable to rename krb5 credential cache" >&2
>     fi
> fi
> unset krb5cc_uid
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Sun Jan 24 15:09:06 2016
From: Dag-Erling Smørgrav <des@des.no>
To: Slawa Olhovchenkov
Cc: freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Date: Sun, 24 Jan 2016 16:09:05 +0100
In-Reply-To: <20160124150211.GQ88527@zxy.spb.ru>
Message-ID: <86k2mzc8vi.fsf@desk.des.no>
Slawa Olhovchenkov writes:
> Dag-Erling Smørgrav writes:
> > In the meantime, you can try something like this in .bashrc or
> > whatever:
> Impossible. For accessing .bashrc on Kerberized NFS you need the correct
> /tmp/krb5cc_.

/etc/profile, then.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Sun Jan 24 15:15:10 2016
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Dag-Erling Smørgrav
Cc: freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Message-ID: <20160124151508.GR88527@zxy.spb.ru>
Date: Sun, 24 Jan 2016 18:15:08 +0300
In-Reply-To: <86k2mzc8vi.fsf@desk.des.no>
On Sun, Jan 24, 2016 at 04:09:05PM +0100, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > In the meantime, you can try something like this in .bashrc or
> > > whatever:
> > Impossible. For accessing .bashrc on Kerberized NFS you need the correct
> > /tmp/krb5cc_.
>
> /etc/profile, then.

OK, what about tcsh, zsh, fish and scp/sftp?

From owner-freebsd-security@freebsd.org Sun Jan 24 15:21:17 2016
From: Dag-Erling Smørgrav <des@des.no>
To: Slawa Olhovchenkov
Cc: freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Date: Sun, 24 Jan 2016 16:21:17 +0100
In-Reply-To: <20160124151508.GR88527@zxy.spb.ru>
Message-ID: <86fuxnc8b6.fsf@desk.des.no>
Slawa Olhovchenkov writes:
> OK, what about tcsh, zsh, fish and scp/sftp?

I apologize for trying to help you out by suggesting a hack that works
at least some of the time until I can get a permanent fix in. I should
instead have hopped in my time machine, jumped back a few years, and
fixed the bug before it affected you. No hard feelings?

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Sun Jan 24 15:29:36 2016
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Dag-Erling Smørgrav
Cc: freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Message-ID: <20160124152932.GS88527@zxy.spb.ru>
Date: Sun, 24 Jan 2016 18:29:32 +0300
In-Reply-To: <86fuxnc8b6.fsf@desk.des.no>

On Sun, Jan 24, 2016 at 04:21:17PM +0100, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > OK, what about tcsh, zsh, fish and scp/sftp?
>
> I apologize for trying to help you out by suggesting a hack that works
> at least some of the time until I can get a permanent fix in. I should
> instead have hopped in my time machine, jumped back a few years, and
> fixed the bug before it affected you. No hard feelings?

Sorry about the unclear exposition.
I think this is neither a hack nor a permanent solution, and decline
modification of the ssh source.
I already have a working solution (a locally applied patch at `make
release` time).
I can show my ugly patch, but I think it is partially unclear and not
all edge cases are checked.
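The exchange above turns on two facts: gssd(8) looks for the credential cache at the per-uid path (DES writes it as /tmp/krb5cc_$(id -u)), while sshd stores the received ticket under a unique name /tmp/krb5cc_XXXXXXX. DES's rename runs from a shell startup file, which Slawa points out is too late when the startup file itself lives on Kerberized NFS, and it moves the cache onto whatever already sits at the destination. The script below is an added example written for this archive; it is not code from the thread, from DES, or from FreeBSD. It does the same relocation as a function suitable for /etc/profile, with the checks a defender would want before renaming anything in a shared /tmp: the "FILE:" prefix that KRB5CCNAME may carry is handled, the source must be a regular file owned by the caller, and an existing destination is replaced only when it is also the caller's own regular file (never a symlink or another user's file). The function name relocate_krb5cc and its two-argument interface are my own assumptions; the gssd and sshd behaviour is as stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): move the per-session
# Kerberos credential cache that sshd creates (/tmp/krb5cc_XXXXXXX) to the
# per-uid path gssd(8) looks for (/tmp/krb5cc_$(id -u)), refusing to act
# when the source or destination is not the caller's own regular file.
# The function name and its two-argument interface are assumptions made
# for this example.

# relocate_krb5cc SRC DEST
#   SRC   value of KRB5CCNAME, with or without the "FILE:" prefix libkrb5 accepts
#   DEST  where gssd(8) expects the cache, normally /tmp/krb5cc_$(id -u)
# On success prints the new KRB5CCNAME value ("FILE:DEST") and returns 0.
# On any failed check it prints a reason to stderr, leaves both files
# untouched and returns 1 (2 for a cache type this function cannot move).
relocate_krb5cc() {
    src=$1
    dest=$2
    me=$(id -un)

    case $src in
        FILE:*) src=${src#FILE:} ;;
        *:*)    echo "relocate_krb5cc: cannot move cache of type ${src%%:*}" >&2
                return 2 ;;
    esac

    # Already where gssd looks: nothing to move.
    if [ "$src" = "$dest" ]; then
        printf 'FILE:%s\n' "$dest"
        return 0
    fi

    # The source must be a regular file owned by the calling user. find does
    # not follow symlinks by default, so -type f also rejects a symlink.
    if [ -z "$(find "$src" -prune -type f -user "$me" 2>/dev/null)" ]; then
        echo "relocate_krb5cc: $src is not a regular file owned by $me" >&2
        return 1
    fi

    # A pre-existing destination is replaced only if it is also the caller's
    # own regular file; a symlink (dangling or not) or another user's file
    # at that path is never clobbered.
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        if [ -z "$(find "$dest" -prune -type f -user "$me" 2>/dev/null)" ]; then
            echo "relocate_krb5cc: refusing to replace $dest" >&2
            return 1
        fi
    fi

    mv -f "$src" "$dest" || return 1
    chmod 0600 "$dest"
    printf 'FILE:%s\n' "$dest"
}

# Intended use from /etc/profile (the placement DES suggests for shells
# that read it); assumed usage, not part of any FreeBSD file:
#   if [ -n "$KRB5CCNAME" ]; then
#       new=$(relocate_krb5cc "$KRB5CCNAME" "/tmp/krb5cc_$(id -u)") \
#           && export KRB5CCNAME="$new"
#   fi
```

The ownership checks are best effort: a check-then-rename in a shell can still race with another process in /tmp, so the function narrows the window and refuses the obviously unsafe cases rather than making the rename safe, which is why the fix in sshd itself that the thread converges on is the real remedy. It also does not reach the cases Slawa lists: shells that never read /etc/profile, and scp/sftp sessions, which run their command without a login shell and so read no profile at all.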
From owner-freebsd-security@freebsd.org Wed Jan 27 08:20:30 2016
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:08.bind
Reply-To: freebsd-security@freebsd.org
Message-Id: <20160127082030.847B81477@freefall.freebsd.org>
Date: Wed, 27 Jan 2016 08:20:30 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:08.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2016-01-27
Credits:        ISC
Affects:        FreeBSD 9.x
Corrected:      2016-01-20 08:54:35 UTC (stable/9, 9.3-STABLE)
                2016-01-27 07:42:11 UTC (releng/9.3, 9.3-RELEASE-p35)
CVE Name:       CVE-2015-8704

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

Address Prefixes List (APL RR) is a type of DNS Resource Record defined in
RFC 3123.

II.  Problem Description

There is an off-by-one error in a buffer size check when performing certain
string formatting operations.

III. Impact

Slaves using text-format db files could be vulnerable if receiving a
malformed record in a zone transfer from their master.

Masters using text-format db files could be vulnerable if they accept a
malformed record in a DDNS update message.

Recursive resolvers are potentially vulnerable when debug logging is
enabled and if they are fed a deliberately malformed record by a malicious
server.

A server which has cached a specially constructed record could encounter
this condition while performing 'rndc dumpdb'.

IV.  Workaround

No workaround is available, but hosts not running named(8) are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:08/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-16:08/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch.
Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                    Revision
- -------------------------------------------------------------------------
stable/9/                                                         r294405
releng/9.3/                                                       r294905
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)

iQIcBAEBCgAGBQJWqHmfAAoJEO1n7NZdz2rngIkP/Ru1a5U14/iJKqGO2o+OQkk5
j9G3rwEQROlPhtHdUE3vtA2fZcsayJaK1CjU3j91VWlTXHfBnju6gbJVPntNQqe5
TxRFmRhRjcyreNdt6hKvFgDrXmWwrytRukJ/XafdYxoWFDTtrUScwrOH87U8ILcF
gkWgzCQ7EnYqr7sEW1makDHmIOLukJo5pJOnUTRkraDP2oaKSros3GC+Fnh6Wf+q
wYOkgl2gj96ubJW4SvdZCAKFtnMrhw0ZZyrVDuPojzWU+ZotzWvZz3xGvoSqXy5U
rqqtUQNHMU0Aqhe9zurW4B2ioff6XALZPgRYqQRI8ezXTgDDhJSwa12mjTJuQmaR
hQRJlW5u5/Ejj2NML6NkhvLuSApwZcAZ2G7cLGdR6nEKKVEb6mXgnL7T/CdhhTj8
2owIz1iIdI2sUmhv6vuxPxB1k/O7b76LTZ2AL6jx4/mEtOVeofpNej5w7qnvCSqV
RcZsOYRXrMZ0YWuhBkKqnMGGIU0TBMDvjJL5gxf5RR14iLExcC1fKhkhbvRMag4Y
ck7Ja45Ltpwtd0t7/AfzbeI4OVmos4NB36HK5pYJchmOUavm6im5V6781mYGZgQn
HtOQEyi7tSeft+Fz21dmK6Z1GV6lRmrt52wAKyJ71nA/WESgma50WE49RX+cH1MH
nmon5PYKLuMuzFVNYZWs
=HYpu
-----END PGP SIGNATURE-----

From owner-freebsd-security@freebsd.org Wed Jan 27 08:20:34 2016
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:09.ntp
Reply-To: freebsd-security@freebsd.org
Message-Id: <20160127082034.8A58E148C@freefall.freebsd.org>
Date: Wed, 27 Jan 2016 08:20:34 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:09.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp

Category:       contrib
Module:         ntp
Announced:      2016-01-27
Credits:        Cisco ASIG / Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2016-01-22 15:55:21 UTC (stable/10, 10.2-STABLE)
                2016-01-27 07:41:31 UTC (releng/10.2, 10.2-RELEASE-p11)
                2016-01-27 07:41:31 UTC (releng/10.1, 10.1-RELEASE-p28)
                2016-01-22 15:56:35 UTC (stable/9, 9.3-STABLE)
                2016-01-27 07:42:11 UTC (releng/9.3, 9.3-RELEASE-p35)
CVE Name:       CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976,
                CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138,
                CVE-2015-8139, CVE-2015-8140, CVE-2015-8158

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background
Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description Multiple vulnerabilities have been discovered in ntp 4.2.8p5: Potential Infinite Loop in ntpq. [CVE-2015-8158] A logic error would allow packets with an origin timestamp of zero to bypass this check whenever there is not an outstanding request to the server. [CVE-2015-8138] Off-path Denial of Service (DoS) attack on authenticated broadcast mode. [CVE-2015-7979] Stack exhaustion in recursive traversal of restriction list. [CVE-2015-7978] reslist NULL pointer dereference. [CVE-2015-7977] ntpq saveconfig command allows dangerous characters in filenames. [CVE-2015-7976] nextvar() missing length check. [CVE-2015-7975] Skeleton Key: Missing key check allows impersonation between authenticated peers. [CVE-2015-7974] Deja Vu: Replay attack on authenticated broadcast mode. [CVE-2015-7973] ntpq vulnerable to replay attacks. [CVE-2015-8140] Origin Leak: ntpq and ntpdc, disclose origin. [CVE-2015-8139] III. Impact A malicious NTP server, or an attacker who can conduct MITM attack by intercepting NTP query traffic, may be able to cause a ntpq client to infinitely loop. [CVE-2015-8158] A malicious NTP server, or an attacker who can conduct MITM attack by intercepting NTP query traffic, may be able to prevent a ntpd(8) daemon to distinguish between legitimate peer responses from forgeries. This can partially be mitigated by configuring multiple time sources. [CVE-2015-8138] An off-path attacker who can send broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to broadcast clients can cause these clients to tear down associations. 
[CVE-2015-7979] An attacker who can send unauthenticated 'reslist' command to a NTP server may cause it to crash, resulting in a denial of service condition due to stack exhaustion [CVE-2015-7978] or a NULL pointer dereference [CVE-2015-7977]. An attacker who can send 'modify' requests to a NTP server may be able to create file that contain dangerous characters in their name, which could cause dangerous behavior in a later shell invocation. [CVE-2015-7976] A remote attacker may be able to crash a ntpq client. [CVE-2015-7975] A malicious server which holds a trusted key may be able to impersonate other trusted servers in an authenticated configuration. [CVE-2015-7974] A man-in-the-middle attacker or a malicious participant that has the same trusted keys as the victim can replay time packets if the NTP network is configured for broadcast operations. [CVE-2015-7973] The ntpq protocol is vulnerable to replay attacks which may be used to e.g. re-establish an association to malicious server. [CVE-2015-8140] An attacker who can intercept NTP traffic can easily forge live server responses. [CVE-2015-8139] IV. Workaround No workaround is available, but systems not running ntpd(8) are not affected. Network administrators are advised to implement BCP-38, which helps to reduce risk associated with the attacks. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. The ntpd service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install The ntpd service has to be restarted after the update. A reboot is recommended but not required. 
3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:09/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-16:09/ntp.patch.asc
# gpg --verify ntp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in . Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/9/                                                         r294570
releng/9.3/                                                       r294905
stable/10/                                                        r294569
releng/10.1/                                                      r294904
releng/10.2/                                                      r294904
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NNNNNN with the revision number, on a machine with
Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)

iQIcBAEBCgAGBQJWqHmfAAoJEO1n7NZdz2rnt9cP/2EtdEPX/oBJXKFWqQv5cwvY
C4gmlK5MZok2an330XMPl0RO2RplsIw4Lo4BuUh7HPKhVa5loYasabKrULQ+4Pgv
z9INxDTDO8iooHeTeNe/VAb5YcKFrD7sqajdc0cY11rLEw1o53IuULz9wZnczAe/
KnHDNUyYaSU2Ep+c3+ADSJqOk3ffhsGDS+0byoOBcUN+66MnBg19/rKomiN5a7Nt
XSseoQgYISU8aaJDvPlGoaN/Xm5fnFZaKFlJ4y7h51sYYep0qgjQx+Gdakk0vNbh
CwsjpBKqDpFpBcSgdEC/bYHnNpYUTJB/tPmG3YDO5jMWQISKGrrnuMYeh+7PjTDS
vCrneztpVBscLG4ZKSlfmhpZ/Jfy31YPXm5P/w8NuA05i13K06P4gG5PKNyUMgsk
AZQ4Vg8YlyS0Ci4ufdc+AIQI35QMrKvfecJVu49+sNhUA4PpTe7coEU9dks3Dtaw
g2QbfnsEWzJ6RBJcw7aQDSgRoqrVQgMB8IIota+aMzeVurgyFxPm9LASk2RYjhmC
Ep283cc+HPUnihKBZTwwkw5iznbmpyRYlPghEc7slgOZCbk9pefnsCMOZAqRW9fZ
DUpt+HvZD5BKB4kCAUMIvKGS91cyBFaNcdJhlB8uUx2aP2UJmuzldk+x9K74wWGK
lnP0IazzXnWFobfwr+qT
=0ZhD
-----END PGP SIGNATURE-----

From owner-freebsd-security@freebsd.org Wed Jan 27 08:20:44 2016
Return-Path:
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id B903CA465FB
 for ; Wed, 27 Jan 2016 08:20:44 +0000 (UTC)
 (envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87])
 by mx1.freebsd.org (Postfix) with ESMTP id AC2A01E57;
 Wed, 27 Jan 2016 08:20:44 +0000 (UTC)
 (envelope-from security-advisories@freebsd.org)
Received: by freefall.freebsd.org (Postfix, from userid 1035)
 id A9E00163C; Wed, 27 Jan 2016 08:20:44 +0000 (UTC)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:10.linux
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20160127082044.A9E00163C@freefall.freebsd.org>
Date: Wed, 27 Jan 2016 08:20:44 +0000 (UTC)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 27 Jan 2016 08:20:44 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:10.linux                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Linux compatibility layer issetugid(2) system call
                vulnerability

Category:       core
Module:         kernel
Announced:      2016-01-27
Credits:        Isaac Dunham, Brent Cook, Warner Losh
Affects:        All supported versions of FreeBSD.
Corrected:      2016-01-27 07:28:55 UTC (stable/10, 10.2-STABLE)
                2016-01-27 07:41:31 UTC (releng/10.2, 10.2-RELEASE-p11)
                2016-01-27 07:41:31 UTC (releng/10.1, 10.1-RELEASE-p28)
                2016-01-27 07:34:23 UTC (stable/9, 9.3-STABLE)
                2016-01-27 07:42:11 UTC (releng/9.3, 9.3-RELEASE-p35)
CVE Name:       CVE-2016-1883

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component. The support is
provided on amd64 and i386 machines.

II.  Problem Description

A programming error in the Linux compatibility layer could cause the
issetugid(2) system call to return incorrect information.

III. Impact

If an application relies on the output of the issetugid(2) system call
and that information is incorrect, this could lead to a privilege
escalation. issetugid(2) is what set-user-ID and set-group-ID programs,
and the libraries beneath them, consult to decide whether
attacker-controllable input such as the environment may be trusted; a
wrong "not set-id" answer lets an unprivileged user influence a
privileged program.

IV.  Workaround

No workaround is available, but systems not using the Linux binary
compatibility layer are not vulnerable. The following command can be
used to test if the Linux binary compatibility layer is loaded:

# kldstat -m linuxelf

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Reboot the system or unload and reload the linux.ko kernel module.
2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot the system or unload and reload the linux.ko kernel module.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:10/linux.patch
# fetch https://security.FreeBSD.org/patches/SA-16:10/linux.patch.asc
# gpg --verify linux.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/9/                                                         r294903
releng/9.3/                                                       r294905
stable/10/                                                        r294901
releng/10.1/                                                      r294904
releng/10.2/                                                      r294904
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NNNNNN with the revision number, on a machine with
Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)

iQIcBAEBCgAGBQJWqHmfAAoJEO1n7NZdz2rnsr0QAJtM4C+IgRcRHdNGL7vXp1NP
u3sFyktcRGCR0p+lMOaFYPp/Vmu09NglhcaxYFbk4WONVSnZKOuiWsjOL9by/eof
77i8bXINlB/8Pp+34KpxDtz5wR3jVAApaL8xvS+/DaKj3RdQ63RrHgtQRTAk+VSO
ISAXxF2U/XAcRlmBQ3oOtqeHads6M1LNG/D/I0FgpU2G17QoUpfa+AvOkS1wBw7d
mdcnC4NDKKx3QnyD0FTrh4z444PwvE3IQ7OSm7VX4/oOZdH+CC9coLCV1BXALrfA
WVmaUMDy8bWiv7JMsda2xl4KhcEx2Y0UN2hGYdMZJubqYcnUknMimW3b2fhsfgl1
UaQDD6xv9I4xZqo1NHh4/WiH33PvOmM+U0E6IMb5hTUbfSd0mXOn4yzTP5gJxe4h
fPk5ZUj/HTKx6C8ERMknTDdn+ZrLLlQJAoDbipPZkRBMcsgvRYGjKquBnrW9N0z2
BUtuLODg/GxMmkQXYV7mT08xw7YLvIbfSwGvlOd/k5hB/0KMTRLBFGd6vc2lZ+CL
dseeK59vUK50Arua8qbg6AlOYc9Dga/XeQ753za0zEm7LOXzjr7jlBex/04ZxvE/
N4OTxNYlASk1cwBcoytZ8da3D7Vqh7vw7QmUR8lAb/x5ijR1QjCApji+yRupCEG+
PGHIMcxSGeBx7Drd1eBE
=PyM5
-----END PGP SIGNATURE-----

From owner-freebsd-security@freebsd.org Wed Jan 27 14:33:07 2016
Return-Path:
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id B8B4AA6F07F
 for ; Wed, 27 Jan 2016 14:33:07 +0000 (UTC)
 (envelope-from carpeddiem@gmail.com)
Received: from mail-ig0-x22e.google.com (mail-ig0-x22e.google.com [IPv6:2607:f8b0:4001:c05::22e])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 853621B3E
 for ; Wed, 27 Jan 2016 14:33:07 +0000 (UTC)
 (envelope-from carpeddiem@gmail.com)
Received: by mail-ig0-x22e.google.com with SMTP id z14so84565218igp.1
 for ; Wed, 27 Jan 2016 06:33:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:sender:in-reply-to:references:from:date:message-id
 :subject:to:content-type;
 bh=k98vFOGsq5r5aAqmAFMDl9jC1kC3+CFluH+sQPhQV8g=;
 b=eXImR+vrLb0ZC6G78fUVGVwfpBICOybSmG7aZPTlDTaZyTkzK4HYjzhtSyoqMOySQ8
 M09nsT1WFhTWXKxyuOr9TxM2KxQKsOnTP60ewEzLTr3ljvxnMySHo5bu66lAGjtaw6ax
 4BknRD3FyfJ+7tQWu4jBKGb8xWhh+1L8ao2ZcHlUbcBFOUVORVVzJaiQCYQTTrjXxSj5
 /XfDBNyZFLk78wz2yUSB9PVApAOQWyGqqD2lymeZ8qAiW87+crrfcF+5OTMjdHWYKnHd
 7bVig+CfB6KsEctGpRtAKlht8da/mvdVRKWqe77V+vx4j8E0UAqU07ZDpF5dMShWPh3K
 X6xA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
 :date:message-id:subject:to:content-type;
 bh=k98vFOGsq5r5aAqmAFMDl9jC1kC3+CFluH+sQPhQV8g=;
 b=HLkze4a7wPvEpPjCSkX5rQExTfxNfQGn+VSonV7aeVuOdYGcHXsTo9UngNjSha9Ix6
 mrB94YFk6XpOXpJePwO4KTAIRqTUKidbGSJ/UZpA+cekcWHszOibvHeAJhgNwV+3K206
 AxN8FHh+5C7/mFt5IxAUaUpRlQDzSqkmFCgdkM+r295BDHvZfOlCj6MRG3zCsYNvVC4D
 Rwf6VOahOt5xOdg5wvKAeNwXKx7KWe8Arq4PqJ+ekNyiF93szcxsuU4+gyf5EEZbLwNY
 9VZgHpLCS1S7gWm3+eaUa3w19RG3eN+wKKKRw2Wi7rN0WkpJepu1rkvUlk4gZI7Po5dn
 ZZig==
X-Gm-Message-State: AG10YORPD6xPBOju54mohMZP37lf+s6H4kC2Y5TUYsoSO/gEJutcPoONR8TzVy8kwQj8FMWsvIxdn/HJZzCRcg==
X-Received: by 10.50.55.98 with SMTP id r2mr26734250igp.97.1453905186876;
 Wed, 27 Jan 2016 06:33:06 -0800 (PST)
MIME-Version: 1.0
Sender: carpeddiem@gmail.com
Received: by 10.107.39.66 with HTTP; Wed, 27 Jan 2016 06:32:47 -0800 (PST)
In-Reply-To: <20160127082044.A7509163A@freefall.freebsd.org>
References: <20160127082044.A7509163A@freefall.freebsd.org>
From: Ed Maste
Date: Wed, 27 Jan 2016 09:32:47 -0500
X-Google-Sender-Auth: Ix2qdP6s2nCUdU_IAu-RKO5A_t0
Message-ID:
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:10.linux
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=UTF-8
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 27 Jan 2016 14:33:07 -0000

On 27 January 2016 at 03:20, FreeBSD Security Advisories wrote:
>
> The following command can be used to test if the Linux binary
> compatibility layer is loaded:
>
> # kldstat -m linuxelf

If it is not loaded, kldstat reports:

kldstat: can't find module linuxelf: No such file or directory

If it is loaded, the output will be similar to:

Id  Refs Name
500    1 linuxelf

From owner-freebsd-security@freebsd.org Sat Jan 30 06:38:36 2016
Return-Path:
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C75E1A73050
 for ; Sat, 30 Jan 2016 06:38:36 +0000 (UTC)
 (envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87])
 by mx1.freebsd.org (Postfix) with ESMTP id BC863838;
 Sat, 30 Jan 2016 06:38:36 +0000 (UTC)
 (envelope-from security-advisories@freebsd.org)
Received: by freefall.freebsd.org (Postfix, from userid 1035)
 id BC04E1C24; Sat, 30 Jan 2016 06:38:36 +0000 (UTC)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:11.openssl
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20160130063836.BC04E1C24@freefall.freebsd.org>
Date: Sat, 30 Jan 2016 06:38:36 +0000 (UTC)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 30 Jan 2016 06:38:37 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:11.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL SSLv2 ciphersuite downgrade vulnerability

Category:       contrib
Module:         openssl
Announced:      2016-01-30
Affects:        All supported versions of FreeBSD.
Corrected:      2016-01-28 21:42:10 UTC (stable/10, 10.2-STABLE)
                2016-01-30 06:12:03 UTC (releng/10.2, 10.2-RELEASE-p12)
                2016-01-30 06:12:03 UTC (releng/10.1, 10.1-RELEASE-p29)
                2016-01-30 06:09:38 UTC (stable/9, 9.3-STABLE)
                2016-01-30 06:12:03 UTC (releng/9.3, 9.3-RELEASE-p36)
CVE Name:       CVE-2015-3197

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

II.  Problem Description

A malicious client can negotiate SSLv2 ciphers that have been disabled
on the server and complete SSLv2 handshakes even if all SSLv2 ciphers
have been disabled, provided that the SSLv2 protocol was not also
disabled via SSL_OP_NO_SSLv2.

III. Impact

An active MITM attacker may be able to force a protocol downgrade to
SSLv2, which is a flawed protocol, and intercept the communication
between client and server.

IV.  Workaround

No workaround is available, but only applications that do not explicitly
disable SSLv2 are affected. To determine whether a server has SSLv2
enabled, a system administrator can use the following command:

% openssl s_client -ssl2 -connect <host>:<port> 2>&1 | grep DONE

which will print "DONE" if and only if SSLv2 is enabled. Note that this
check will not work for services that use STARTTLS or DTLS. The -ssl2
option is only present in an openssl(1) built with SSLv2 support, so run
the check from a host whose OpenSSL still has it; where the option is
missing, the command fails with an unknown-option error and says nothing
about the server.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart all daemons using the library, or reboot the system.
2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.2.patch
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.2.patch.asc
# gpg --verify openssl-10.2.patch.asc

[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.1.patch.asc
# gpg --verify openssl-10.1.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in . Restart all daemons using the library, or reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/9/                                                         r295060
releng/9.3/                                                       r295061
stable/10/                                                        r295016
releng/10.1/                                                      r295061
releng/10.2/                                                      r295061
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NNNNNN with the revision number, on a machine with
Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)

iQIcBAEBCgAGBQJWrFhQAAoJEO1n7NZdz2rnzcwQAJJQvYkvHuVHHBHCuV576ceJ
39Ry8ooGsNquyThUndbDYOV+Vhpj62XEnI+PXUgZPKENglnf+rRu0CWfCs1SqFQE
EGOSsiXmBFyvJ8AMoQfiBdCoNRCBafqhY637IG8FU7WSpg8vYJO3bGCLmsgVbeoz
V2kHmUtGUNSgksvOjo2O6ezc6rYc5jPrpB11mUZ8xFoBE9YhLNRpfttCajKAYy+9
t7S3tuGnleWWmnLdFj0jNJXjg38h9gG18L4kr+z/mFFWKYmFNdKuoXlpseMFD7pb
LP7RipHDh0WQqtVOQtyu0x6BuijiuIlByadcHZO1MfDNXnu1UR5OEESs0EYElh8O
6mR/i3MZ1m9DoIoRcR1eCNQN2NiWV4tVCflSTi2pUl3TTCBpYn+THMi17c4IzTNA
kaMR7AUeXgJVAntfmAx4mdqdjTam2EfCNRoMS3WdfVCD8cZQDewxFmEY2FbHUzix
WUBVTUzx2BTUQO7PKJ6UdEiojetJ+OmwlaAb8WfGQTypANKUfMcyXzfmtmM4dgJg
NjNIUxA9T3unmWUg5nh7CACJVWcykyM1ORLqFTrrxAlIz3d1gPI2kqGiMGtEMbzI
A42xSFfHVvUJ6MzXe98Sf6cDWs98qQBTLDxHo5COpq6zV4AFDqlvdyzcJ/SQTAfq
tsPAVgWspt40dxnRQfku
=DN5y
-----END PGP SIGNATURE-----

From owner-freebsd-security@freebsd.org Sat Jan 30 17:36:29 2016
Return-Path:
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E583DA73BD9
 for ; Sat, 30 Jan 2016 17:36:29 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id D58091B9D
 for ; Sat, 30 Jan 2016 17:36:29 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u0UHaTxf090997
 for ; Sat, 30 Jan 2016 17:36:29 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 206761] Kernel stack overflow in sysctl handler for kern.binmisc.add
Date: Sat, 30 Jan 2016 17:36:29 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Keywords: needs-patch, needs-qa, security
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: koobs@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution:
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: keywords cc
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-Mailman-Approved-At: Sat, 30 Jan 2016 18:02:35 +0000
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 30 Jan 2016 17:36:30 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206761

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |needs-patch, needs-qa,
                   |                            |security
                 CC|                            |freebsd-security@FreeBSD.org

-- 
You are receiving this mail because:
You are on the CC list for the bug.
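The SA-16:09 advisory earlier in this digest names two mitigations that live in ntp.conf rather than in the patch: several time sources, so that one forged response can be outvoted (CVE-2015-8138), and keeping unauthenticated control requests such as 'reslist' and 'modify' (CVE-2015-7978, CVE-2015-7977, CVE-2015-7976) away from ntpd. The script below is an added example written for this digest, not code from the advisory, from FreeBSD or from the ntp project; it audits an ntp.conf for those settings. It assumes ntpd's restrict keywords: noquery refuses mode 6/7 control queries (which is what ntpq's reslist is) from the matched hosts and nomodify refuses run-time configuration changes; the four-source minimum is my choice, and the check_ntp.sh name is a placeholder. With noquery on the default line, keep separate restrict 127.0.0.1 and restrict ::1 lines so local ntpq keeps working.

```shell
#!/bin/sh
# Audit an ntp.conf for the SA-16:09 mitigations. Added example, not
# FreeBSD's or ntp's code. Assumes the ntpd restrict keywords noquery
# (deny mode 6/7 control queries) and nomodify (deny run-time config
# changes); the four-source minimum is a choice, not an ntp rule.

# ntp_sources FILE: number of server/pool/peer lines, comments stripped
ntp_sources() {
    awk '{ sub(/#.*/, "") }
         $1 == "server" || $1 == "pool" || $1 == "peer" { n++ }
         END { print n + 0 }' "$1"
}

# ntp_default_has FILE KEYWORD: succeeds only if every "restrict default"
# line (plain, -4 or -6 form) carries KEYWORD. Requiring every line matters:
# a hardened -4 line next to an open -6 line leaves the v6 side exposed.
ntp_default_has() {
    awk -v kw="$2" '
        { sub(/#.*/, "") }
        $1 == "restrict" && ($2 == "default" || (($2 == "-4" || $2 == "-6") && $3 == "default")) {
            seen++
            for (i = 3; i <= NF; i++) if ($i == kw) hit++
        }
        END { if (seen > 0 && hit == seen) exit 0; exit 1 }' "$1"
}

# check_ntp_conf FILE: print one finding per problem; return 0 only if
# nothing is missing, so it can gate a config-management run
check_ntp_conf() {
    conf=$1
    rc=0
    n=$(ntp_sources "$conf")
    if [ "$n" -lt 4 ]; then
        echo "$conf: $n time source(s); add more so one forged peer can be outvoted (CVE-2015-8138)"
        rc=1
    fi
    for kw in noquery nomodify; do
        if ! ntp_default_has "$conf" "$kw"; then
            echo "$conf: 'restrict default' does not carry $kw; unauthenticated control requests reach ntpd"
            rc=1
        fi
    done
    return $rc
}

# usage: sh check_ntp.sh /etc/ntp.conf   (exit status 1 on any finding)
[ $# -eq 0 ] || check_ntp_conf "$1"
```

Run it against /etc/ntp.conf on each host after patching; the findings are printed one per line and the exit status is the thing to gate on. The awk patterns strip trailing comments before matching, so a keyword that only appears inside a comment is not counted.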