From owner-freebsd-security@freebsd.org Sun Jul 9 03:00:00 2017
From: Garrett Wollman <wollman@hergotha.csail.mit.edu>
To: freebsd-security@freebsd.org
Subject: ports/security/openssh-portable
Date: Sat, 8 Jul 2017 22:59:15 -0400
Message-ID: <22881.39939.778691.526731@hergotha.csail.mit.edu>

I'm thinking right about now that it would be really nice if we could
go back to having a security/openssh-gssapi port that was completely
independent of security/openssh-portable so that it didn't break for
months on end after a new upstream release. Is there anyone else here
who cares about this functionality and would be willing to share
maintenance duties? Could just use Debian or RedHat (or one of the
other Linux distributors who actually maintain the functionality as an
official supported feature) as upstream....

-GAWollman

From owner-freebsd-security@freebsd.org Tue Jul 11 00:41:22 2017
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: Garrett Wollman, freebsd-security@freebsd.org
Subject: Re: ports/security/openssh-portable [GSSAPI]
Date: Mon, 10 Jul 2017 17:41:16 -0700
Message-ID: <647fa949-a2db-bee2-f1cf-0489efaaf0a7@FreeBSD.org>
In-Reply-To: <22881.39939.778691.526731@hergotha.csail.mit.edu>

On 7/8/17 7:59 PM, Garrett Wollman wrote:
> I'm thinking right about now that it would be really nice if we could
> go back to having a security/openssh-gssapi port that was completely
> independent of security/openssh-portable so that it didn't break for
> months on end after a new upstream release. Is there anyone else here
> who cares about this functionality and would be willing to share
> maintenance duties? Could just use Debian or RedHat (or one of the
> other Linux distributors who actually maintain the functionality as an
> official supported feature) as upstream....

I'm open to committing patches to openssh-portable to support it that
people send via PR or email. I just have no means to test it or
motivation to maintain the GSS patch myself.

-- 
Regards,
Bryan Drewery

From owner-freebsd-security@freebsd.org Tue Jul 11 02:14:13 2017
From: Garrett Wollman <wollman@hergotha.csail.mit.edu>
To: Bryan Drewery
Cc: freebsd-security@freebsd.org
Subject: Re: ports/security/openssh-portable [GSSAPI]
Date: Mon, 10 Jul 2017 22:14:10 -0400
Message-ID: <22884.13426.541545.996203@hergotha.csail.mit.edu>
In-Reply-To: <647fa949-a2db-bee2-f1cf-0489efaaf0a7@FreeBSD.org>

<bdrewery@FreeBSD.org> said:
> I'm open to committing patches to openssh-portable to support it that
> people send via PR or email. I just have no means to test it or
> motivation to maintain the GSS patch myself.

In all honesty, I'd really just like the official package builds to
include at least *an* openssh package that I can point to as "the one
that interoperates with your (Debian|Ubuntu|CentOS|RHEL|Fedora) systems
and does Kerberos right". I don't care about having the latest official
OpenSSH release; those other guys are already backporting security
patches, and since Simon seems to have handed off maintenance of the
GSSAPI patch to them as well, I would just as soon stick with the
version that's in $OTHER_OS.

-GAWollman

From owner-freebsd-security@freebsd.org Wed Jul 12 15:20:23 2017
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-17:05.heimdal
Date: Wed, 12 Jul 2017 15:20:22 +0000 (UTC)
Message-Id: <20170712152022.EC6CB6AB5@freefall.freebsd.org>
=============================================================================
FreeBSD-SA-17:05.heimdal                                    Security Advisory
                                                          The FreeBSD Project

Topic:          heimdal KDC-REP service name validation vulnerability

Category:       contrib
Module:         heimdal
Announced:      2017-07-12
Affects:        All supported versions of FreeBSD.
Corrected:      2017-07-12 07:26:07 UTC (stable/11, 11.1-PRERELEASE)
                2017-07-12 08:07:16 UTC (releng/11.1, 11.1-RC2-p1)
                2017-07-12 08:07:16 UTC (releng/11.1, 11.1-RC1-p1)
                2017-07-12 07:26:07 UTC (stable/11, 11.1-BETA3-p1)
                2017-07-12 08:07:36 UTC (releng/11.0, 11.0-RELEASE-p11)
                2017-07-12 07:26:07 UTC (stable/10, 10.3-STABLE)
                2017-07-12 15:16:01 UTC (releng/10.3, 10.3-RELEASE-p20)
CVE Name:       CVE-2017-11103

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Heimdal implements the Kerberos 5 network authentication protocols.
The Kerberos protocol uses "tickets" to authenticate a client to a
service. A Key Distribution Center (KDC) is trusted by all principals
registered in its administrative "realm" to hold each principal's
secret key in confidence; proof of knowledge of that key is what
verifies the authenticity of a principal.

II.  Problem Description

There is a programming error in the Heimdal implementation: when
validating a KDC-REP, it used the unauthenticated, plain-text copy of
the service name found in the ticket rather than the copy carried in
the encrypted part of the reply.

III. Impact

An attacker who has control of the network between a client and the
service it talks to will be able to impersonate the service, allowing a
successful man-in-the-middle (MITM) attack that circumvents the mutual
authentication.

IV.  Workaround

No workaround is available, but only Kerberos-enabled clients are
affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

A reboot is recommended.
2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is recommended.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:05/heimdal.patch
# fetch https://security.FreeBSD.org/patches/SA-17:05/heimdal.patch.asc
# gpg --verify heimdal.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r320907
releng/10.3/                                                      r320915
stable/11/                                                        r320907
releng/11.0/                                                      r320911
releng/11.1/                                                      r320910
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
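The following Python model is an added illustration of the validation flaw sections II and III describe; it is not Heimdal's code and not part of the advisory. It assumes a toy KDC-REP with two copies of the service name: one in the plaintext ticket (which the client cannot authenticate, since the ticket is encrypted to the service's key) and one in the enc-part the KDC protects under the client's key. Kerberos encryption is stood in for by an HMAC-SHA256 tag so that the example runs offline; the key, principal names and function names (seal, open_sealed, make_kdc_rep, accept_vulnerable, accept_fixed, mismatched_kdc_rep) are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the session key the client shares with the
# KDC. In a real TGS exchange this is the TGS session key; nothing on the wire
# between KDC and client can be altered under it without knowing it.
CLIENT_KEY = b"constructed-client-key-for-illustration-only"


def seal(client_key: bytes, fields: dict) -> dict:
    """Model the KDC-REP enc-part: fields bound under the client's key.
    (HMAC-SHA256 stands in for Kerberos encryption with integrity.)"""
    body = json.dumps(fields, sort_keys=True)
    tag = hmac.new(client_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_sealed(client_key: bytes, enc_part: dict) -> dict:
    """Recover the enc-part fields, refusing anything not bound under the key."""
    body = enc_part["body"]
    expected = hmac.new(client_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, enc_part["tag"]):
        raise ValueError("KDC-REP enc-part integrity check failed")
    return json.loads(body)


def make_kdc_rep(client_key: bytes, sname: str) -> dict:
    """Build a toy KDC-REP as the KDC would: the plaintext ticket and the
    enc-part both name the same service. The ticket body is opaque to the
    client because it is encrypted to the service's key, not the client's."""
    return {
        "ticket": {"sname": sname,
                   "enc_ticket": "<opaque: encrypted to the service key>"},
        "enc_part": seal(client_key, {"sname": sname,
                                      "session_key": "<constructed>"}),
    }


def mismatched_kdc_rep(client_key: bytes, real_sname: str,
                       claimed_sname: str) -> dict:
    """A reply whose unauthenticated plaintext sname disagrees with the
    authenticated one, i.e. what a client sees if the plaintext field was
    altered in transit. The enc-part is left intact: it cannot be rewritten
    without the client key."""
    rep = make_kdc_rep(client_key, real_sname)
    rep["ticket"]["sname"] = claimed_sname
    return rep


def accept_vulnerable(rep: dict, client_key: bytes, requested: str) -> bool:
    """The pattern the advisory describes: the enc-part is opened (it holds
    the session key), but the service-name comparison reads the plaintext
    ticket, which nothing under the client's key protects."""
    open_sealed(client_key, rep["enc_part"])
    return rep["ticket"]["sname"] == requested


def accept_fixed(rep: dict, client_key: bytes, requested: str) -> bool:
    """Corrected check: compare against the sname inside the authenticated
    enc-part, so a plaintext field altered in transit has no effect."""
    enc = open_sealed(client_key, rep["enc_part"])
    return enc["sname"] == requested


if __name__ == "__main__":
    wanted = "host/fileserver.example.test@EXAMPLE.TEST"   # constructed
    other = "host/elsewhere.example.test@EXAMPLE.TEST"     # constructed

    genuine = make_kdc_rep(CLIENT_KEY, wanted)
    print("genuine reply, vulnerable check:", accept_vulnerable(genuine, CLIENT_KEY, wanted))
    print("genuine reply, fixed check:     ", accept_fixed(genuine, CLIENT_KEY, wanted))

    altered = mismatched_kdc_rep(CLIENT_KEY, other, wanted)
    print("altered reply, vulnerable check:", accept_vulnerable(altered, CLIENT_KEY, wanted))
    print("altered reply, fixed check:     ", accept_fixed(altered, CLIENT_KEY, wanted))
```

The point the model makes is that the plaintext ticket sname is a field the client can read but cannot verify, while the copy in the enc-part is bound under a key only the KDC and the client hold; only the latter is evidence of which service the KDC actually issued the ticket for. The same principle applies to any protocol that carries both an authenticated and an unauthenticated copy of a name: the comparison has to use the authenticated one.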