From owner-freebsd-security Tue Sep 23 14:49:33 1997
Date: Tue, 23 Sep 1997 15:50:15 -0600 (MDT)
From: Brandon Gillespie
To: freebsd-security@freebsd.org
Subject: SHA-1 encryption for crypt()

Just curious, I am the one who is crufting up crypt(), and I'm (and have
been) near committing it for a while, but I've been trying to dig up more
information on SHA-1 encryption. I haven't even been able to hear back
from the author of the library I'm using! (Paul Kocher wrote the library,
and his web pages are at http://www.cryptography.com).

I would like to dig up more information on SHA-1 encryption before I
commit it. Anybody who can help would be greatly appreciated. In the
meantime I may just integrate blowfish too..

-Brandon Gillespie

From owner-freebsd-security Tue Sep 23 17:17:56 1997
Date: Wed, 24 Sep 1997 04:17:46 +0400 (MSD)
From: "Roman V. Palagin"
To: freebsd-security@freebsd.org
Subject: IPv6 sources w/out export restriction
Organization: Systems Integrator "RIGHT"

Hello everybody!

I live outside of the US and can't download NRL's release of IPv6 software.
Could somebody tell me where I can find an IPv6 distribution for *BSD w/out
export restriction?

Regards,
Roman.

-------------------------------------------------------------------------------
Roman V. Palagin                              Systems Integrator "RIGHT"
Network Administrator                         http://www.galion.ryazan.su
Internet Mail: romanp@mutant.galion.ryazan.su Tel: +7 (0912) 725638
-------------------------------------------------------------------------------

From owner-freebsd-security Tue Sep 23 20:16:13 1997
Date: Tue, 23 Sep 1997 20:04:05 -0700 (PDT)
From: "Duane H. Hesser"
To: Brandon Gillespie
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: SHA-1 encryption for crypt()
X-Mailer: XFMail 1.1 [p0] on FreeBSD

On 23-Sep-97 Brandon Gillespie wrote:
>Just curious, I am the one who is crufting up crypt(), and I'm (and have
>been) near committing it for a while, but I've been trying to dig up more
>information on SHA-1 encryption. I haven't even been able to hear back
>from the author of the library I'm using! (Paul Kocher wrote the library,
>and his web pages are at http://www.cryptography.com).
>
>I would like to dig up more information on SHA-1 encryption, before I
>commit it. Anybody who can help would be greatly appreciated. In the
>meantime I may just integrate blowfish too..
>
>-Brandon Gillespie
>

Take a look at

http://www.cs.auckland.ac.nz/~pgut001/cryptlib/

I just happened across this site today, and it is permanently bookmarked now.
The "author" of the site provides a "cryptlib" which includes just about
every cryptographic technique which appears useful today (downloadable,
free, NON-US SITE). If you select "algorithms" from the page index, you
will get a table of algorithms included in cryptlib, each linked to "somewhere".
The SHA entry is linked to a copy of the FIPS standard for SHA, which I
presume should be what you need.

--------------
Duane H. Hesser
dhh@androcles.com

From owner-freebsd-security Wed Sep 24 00:04:12 1997
Date: Wed, 24 Sep 1997 09:10:40 +0200 (MEST)
From: Christoph Kukulies
Message-Id: <199709240710.JAA05527@gil.physik.rwth-aachen.de>
To: security@freebsd.org
Subject: FreeBSD listed ...

Just FYI: The following site lists a couple of FreeBSD holes - whether they
still apply or not. Just wanted to let you know.

http://sunshine.nextra.ro/FUN/New

--
Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Wed Sep 24 00:53:48 1997
Date: Wed, 24 Sep 1997 03:49:46 -0400 (EDT)
From: Adam Shostack
Message-Id: <199709240749.DAA26241@homeport.org>
To: dhh@androcles.com (Duane H. Hesser)
Cc: brandon@roguetrader.com, freebsd-security@FreeBSD.ORG
Subject: Re: SHA-1 encryption for crypt()
In-Reply-To: from "Duane H. Hesser" at "Sep 23, 97 08:04:05 pm"

I maintain a list of free crypto libraries in a variety of languages. See
www.homeport.org/~adam/crypto/

Bruce Schneier's Applied Cryptography is a good place to start learning
about this stuff.

I'll note that both SHA and Blowfish have test vectors available.

Adam

Duane H. Hesser wrote:
|
| On 23-Sep-97 Brandon Gillespie wrote:
| >Just curious, I am the one who is crufting up crypt(), and I'm (and have
| >been) near committing it for a while, but I've been trying to dig up more
| >information on SHA-1 encryption. I haven't even been able to hear back
| >from the author of the library I'm using! (Paul Kocher wrote the library,
| >and his web pages are at http://www.cryptography.com).
| >
| >I would like to dig up more information on SHA-1 encryption, before I
| >commit it. Anybody who can help would be greatly appreciated. In the
| >meantime I may just integrate blowfish too..
| >
| >-Brandon Gillespie
| >
|
| Take a look at
|
| http://www.cs.auckland.ac.nz/~pgut001/cryptlib/
|
| I just happened across this site today, and it is permanently bookmarked now.
| The "author" of the site provides a "cryptlib" which includes just about
| every cryptographic technique which appears useful today (downloadable,
| free, NON-US SITE). If you select "algorithms" from the page index, you
| will get a table of algorithms included in cryptlib, each linked to "somewhere".
| The SHA entry is linked to a copy of the FIPS standard for SHA, which I
| presume should be what you need.
| --------------
| Duane H. Hesser
| dhh@androcles.com
|

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From owner-freebsd-security Wed Sep 24 09:33:02 1997
Date: Wed, 24 Sep 1997 07:59:51 +0200
From: Ollivier Robert
Message-ID: <19970924075951.46946@keltia.freenix.fr>
To: freebsd-security@FreeBSD.ORG
Subject: Re: IPv6 sources w/out export restriction
In-Reply-To: from Roman V. Palagin on Wed, Sep 24, 1997 at 04:17:46AM +0400
X-Mailer: Mutt 0.84
X-Operating-System: FreeBSD 3.0-CURRENT

According to Roman V. Palagin:
> I live outside of US and can't download NRL's release of IPv6 software.
> Could somebody tell me where I can find IPv6 distribution for *BSD w/out
> export restriction?

You can find it on RIPE's site at ftp.ripe.net although it is an old
version (not checked recently). The INRIA code in
ftp.inria.fr:/network/IPv6 is well maintained, runs on 2.2.2 and is
massively used in the French IPv6 community.

I'll try to see how much work it is to integrate it into CURRENT.
--
Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #35: Sun Sep 21 19:28:07 CEST 1997

From owner-freebsd-security Wed Sep 24 12:29:14 1997
Date: Wed, 24 Sep 1997 19:28:42 GMT
From: "Jeffrey A. West"
Message-Id: <199709241933.PAA16711@po_box.cig.mot.com>
To: freebsd-security@FreeBSD.ORG
X-Mailer: Z-Mail (3.2.1 10apr95)

unsubscribe

--
********************************************************************
* Jeffrey West                      email: west@cig.mot.com        *
* Motorola Inc.                     phone: 847-435-9675            *
* Cellular Infrastructure Group     fax:   847-632-6658            *
* Information Technology Services   maildrop: IL27 3B4             *
* 1501 W.Shure Drive                                               *
* Arlington Heights, Il 60004 USA                                  *
********************************************************************

From owner-freebsd-security Wed Sep 24 12:33:26 1997
Date: Wed, 24 Sep 1997 22:32:32 +0300 (EEST)
From: Petri Helenius
Message-Id: <199709241932.WAA21582@silver.sms.fi>
To: Ollivier Robert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPv6 sources w/out export restriction
In-Reply-To: <19970924075951.46946@keltia.freenix.fr>
X-Mailer: VM 6.22 under 19.15p7 XEmacs Lucid

Ollivier Robert writes:
> According to Roman V. Palagin:
> > I live outside of US and can't download NRL's release of IPv6 software.
> > Could somebody tell me where I can find IPv6 distribution for *BSD w/out
> > export restriction?
>
> You can find it on RIPE's site at ftp.ripe.net although it is an old
> version (not checked recently). The INRIA code in
> ftp.inria.fr:/network/IPv6 is well maintained, runs on 2.2.2 and is
> massively used in the French IPv6 community.
>
> I'll try to see how much work it is to integrate it into CURRENT.

Having that would be great! I've been using the code and apart from the
fact that it does not fit on top of anything other than 2.2.2 it seems
great.

Pete

From owner-freebsd-security Thu Sep 25 06:54:14 1997
Date: Thu, 25 Sep 1997 20:07:12 +0700
From: Griffin
Message-ID: <342A61FF.D01DCDF8@pc.jaring.my>
To: freebsd-security@FreeBSD.ORG
Subject: How to subscribe?
X-Mailer: Mozilla 4.0 [en] (Win95; I)

Sorry for the intrusion, but how do I subscribe to this list?

Thanks.

Grif.
From owner-freebsd-security Thu Sep 25 07:55:17 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA20484 for security-outgoing; Thu, 25 Sep 1997 07:55:17 -0700 (PDT) Received: from hawk.gnome.co.uk (gnome.gw.cerbernet.co.uk [193.243.224.22]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA20462 for ; Thu, 25 Sep 1997 07:54:48 -0700 (PDT) Received: from hawk.gnome.co.uk (localhost [127.0.0.1]) by hawk.gnome.co.uk (8.8.7/8.8.7) with ESMTP id PAA06399 for ; Thu, 25 Sep 1997 15:54:25 +0100 (BST) Message-Id: <199709251454.PAA06399@hawk.gnome.co.uk> X-Mailer: exmh version 2.0zeta 7/24/97 To: security@freebsd.org Subject: rc.firewall weakness? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 25 Sep 1997 15:54:25 +0100 From: Chris Stenton Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk I have just been looking at the latest rc.firewall for 2.2.2-stable and it appears to me that it is somewhat weak. As far as I can see the following rules:- # Allow DNS queries out in the world $fwcmd add pass udp from any 53 to ${oip} $fwcmd add pass udp from ${oip} to any 53 # Allow NTP queries out in the world $fwcmd add pass udp from any 123 to ${oip} $fwcmd add pass udp from ${oip} to any 123 allows anyone from outside to connect to any udp port and get a reply if they can get their hacking prog to connect from port 53 or 123 on their own machine? The whole area of UDP as far as I can see is difficult to administer under ipfw. What I feel is required is "dynamic packet filtering" on UDP connections so that ipfw remembers the outgoing UDP packets it has seen. It can then let in corresponding packets from the host and port that has been sent to. This I think is the case for products from Morning Star et. al. Just my thoughts ... 
no flames required if I am totally wrong:-) Chris From owner-freebsd-security Thu Sep 25 08:26:47 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA22287 for security-outgoing; Thu, 25 Sep 1997 08:26:47 -0700 (PDT) Received: from roguetrader.com (brandon@cold.org [206.81.134.103]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA22282 for ; Thu, 25 Sep 1997 08:26:42 -0700 (PDT) Received: from localhost (brandon@localhost) by roguetrader.com (8.8.5/8.8.5) with SMTP id JAA10252; Thu, 25 Sep 1997 09:27:31 -0600 (MDT) Date: Thu, 25 Sep 1997 09:27:31 -0600 (MDT) From: Brandon Gillespie To: Adam Shostack cc: "Duane H. Hesser" , freebsd-security@FreeBSD.ORG Subject: Legal issues of SHS encryption... (Re: SHA-1 encryption for crypt()) In-Reply-To: <199709240749.DAA26241@homeport.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On a related note, from Paul Kocher's notes: In informal discussions, the U.S. National Security Agency has indicated to me that source code for can be exported from the U.S. freely, but programs using or incorporating this code may be restricted. Please make sure you understand the applicable export regulations before doing any work with cryptography. Anybody know how SHS would fit with being incorported in FreeBSD? Anybody know who I would contact about this? 
-Brandon From owner-freebsd-security Thu Sep 25 09:20:53 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA25574 for security-outgoing; Thu, 25 Sep 1997 09:20:53 -0700 (PDT) Received: from ns.mt.sri.com (SRI-56K-FR.mt.net [206.127.65.42]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA25564 for ; Thu, 25 Sep 1997 09:20:46 -0700 (PDT) Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.7/8.8.7) with ESMTP id KAA10285; Thu, 25 Sep 1997 10:20:38 -0600 (MDT) Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id KAA18291; Thu, 25 Sep 1997 10:20:37 -0600 (MDT) Date: Thu, 25 Sep 1997 10:20:37 -0600 (MDT) Message-Id: <199709251620.KAA18291@rocky.mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Chris Stenton Cc: security@freebsd.org Subject: Re: rc.firewall weakness? In-Reply-To: <199709251454.PAA06399@hawk.gnome.co.uk> References: <199709251454.PAA06399@hawk.gnome.co.uk> X-Mailer: VM 6.29 under 19.15 XEmacs Lucid Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > I have just been looking at the latest rc.firewall for 2.2.2-stable > and it appears to me that it is somewhat weak. As far as I can see > the following rules:- > > # Allow DNS queries out in the world > $fwcmd add pass udp from any 53 to ${oip} > $fwcmd add pass udp from ${oip} to any 53 > > # Allow NTP queries out in the world > $fwcmd add pass udp from any 123 to ${oip} > $fwcmd add pass udp from ${oip} to any 123 > > allows anyone from outside to connect to any udp port and get a reply if they > can get their hacking prog to connect from port 53 or 123 on their own machine? > Yes, that is true. This is also the case with TCP ports that have similar rulesets, most notably FTP-DATA. > The whole area of UDP as far as I can see is difficult to administer > under ipfw. 
What I feel is required is "dynamic packet filtering" on > UDP connections so that ipfw remembers the outgoing UDP packets it has > seen. I think the above solution is adequate, so both the source/destination port are the same. > It can then let in corresponding packets from the host and port > that has been sent to. This I think is the case for products from > Morning Star et. al. It wasn't that way when I first used MorningStar, but that was a couple of years ago. Nate From owner-freebsd-security Thu Sep 25 09:32:07 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA26276 for security-outgoing; Thu, 25 Sep 1997 09:32:07 -0700 (PDT) Received: from miles.gaertner.de (martin@miles.gaertner.de [194.45.135.101]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id JAA26267 for ; Thu, 25 Sep 1997 09:32:03 -0700 (PDT) Received: (from martin@localhost) by miles.gaertner.de (8.6.12/8.6.12) id SAA15176; Thu, 25 Sep 1997 18:31:50 +0200 Date: Thu, 25 Sep 1997 18:31:50 +0200 From: Martin Neitzel Message-Id: <199709251631.SAA15176@miles.gaertner.de> To: freebsd-security@FreeBSD.ORG, lpchiew@pc.jaring.my Subject: Re: How to subscribe? Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk mail to majordomo@freebsd.org with a line saying help in the body, and you'll get every kind of information you'll ever need. 
Martin From owner-freebsd-security Thu Sep 25 17:14:15 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA24090 for security-outgoing; Thu, 25 Sep 1997 17:14:15 -0700 (PDT) Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id RAA24081 for ; Thu, 25 Sep 1997 17:14:11 -0700 (PDT) Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id RAA10089; Thu, 25 Sep 1997 17:09:09 -0700 (PDT) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id RAA11739; Thu, 25 Sep 1997 17:09:08 -0700 (PDT) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id RAA19119; Thu, 25 Sep 1997 17:09:07 -0700 (PDT) From: Don Lewis Message-Id: <199709260009.RAA19119@salsa.gv.tsc.tdk.com> Date: Thu, 25 Sep 1997 17:09:07 -0700 In-Reply-To: Nate Williams "Re: rc.firewall weakness?" (Sep 25, 10:20am) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: Nate Williams , Chris Stenton Subject: Re: rc.firewall weakness? Cc: security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Sep 25, 10:20am, Nate Williams wrote: } Subject: Re: rc.firewall weakness? } > I have just been looking at the latest rc.firewall for 2.2.2-stable } > and it appears to me that it is somewhat weak. As far as I can see } > the following rules:- } > } > # Allow DNS queries out in the world } > $fwcmd add pass udp from any 53 to ${oip} } > $fwcmd add pass udp from ${oip} to any 53 } > } > # Allow NTP queries out in the world } > $fwcmd add pass udp from any 123 to ${oip} } > $fwcmd add pass udp from ${oip} to any 123 } > } > allows anyone from outside to connect to any udp port and get a reply if they } > can get their hacking prog to connect from port 53 or 123 on their own machine? 
} > You've got it, which is why I only permit UDP 53<->53 and 123<->123. You loose the ability to point a DNS client at an external DNS server (though you can still do this safely for testing purposes if you use TCP queries), and you can't query external NTP servers. The server to server traffic for DNS and NTP still works fine. } Yes, that is true. This is also the case with TCP ports that have } similar rulesets, most notably FTP-DATA. Unless you ban that and only allow passive FTP. From owner-freebsd-security Thu Sep 25 19:17:19 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA29846 for security-outgoing; Thu, 25 Sep 1997 19:17:19 -0700 (PDT) Received: from ns.mt.sri.com (SRI-56K-FR.mt.net [206.127.65.42]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA29835 for ; Thu, 25 Sep 1997 19:17:09 -0700 (PDT) Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.7/8.8.7) with ESMTP id UAA14105; Thu, 25 Sep 1997 20:17:00 -0600 (MDT) Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id UAA20908; Thu, 25 Sep 1997 20:16:54 -0600 (MDT) Date: Thu, 25 Sep 1997 20:16:54 -0600 (MDT) Message-Id: <199709260216.UAA20908@rocky.mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Don Lewis Cc: Nate Williams , Chris Stenton , security@freebsd.org Subject: Re: rc.firewall weakness? In-Reply-To: <199709260009.RAA19119@salsa.gv.tsc.tdk.com> References: <199709260009.RAA19119@salsa.gv.tsc.tdk.com> X-Mailer: VM 6.29 under 19.15 XEmacs Lucid Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > You've got it, which is why I only permit UDP 53<->53 and 123<->123. How do you do that? You must not be using IPFW, since it really doesn't allow the ability to permit -. 
Nate From owner-freebsd-security Thu Sep 25 19:40:40 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA01070 for security-outgoing; Thu, 25 Sep 1997 19:40:40 -0700 (PDT) Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA01064 for ; Thu, 25 Sep 1997 19:40:35 -0700 (PDT) Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id TAA11023; Thu, 25 Sep 1997 19:39:52 -0700 (PDT) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id TAA14103; Thu, 25 Sep 1997 19:39:51 -0700 (PDT) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id TAA19427; Thu, 25 Sep 1997 19:39:50 -0700 (PDT) From: Don Lewis Message-Id: <199709260239.TAA19427@salsa.gv.tsc.tdk.com> Date: Thu, 25 Sep 1997 19:39:50 -0700 In-Reply-To: Nate Williams "Re: rc.firewall weakness?" (Sep 25, 8:16pm) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: Nate Williams , Don Lewis Subject: Re: rc.firewall weakness? Cc: Chris Stenton , security@freebsd.org Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Sep 25, 8:16pm, Nate Williams wrote: } Subject: Re: rc.firewall weakness? } > You've got it, which is why I only permit UDP 53<->53 and 123<->123. } } How do you do that? You must not be using IPFW, since it really doesn't } allow the ability to permit -. 
I'm using cisco access lists, but can't you do this with IPFW like this: # Allow DNS queries out in the world /sbin/ipfw add pass udp from any 53 to ${oip} 53 /sbin/ipfw add pass udp from ${oip} 53 to any 53 In most cases you don't gain much by filtering on the port number of packets from an untrusted source (and the above rule doesn't allow other hosts to send queries from ports other than 53), so can't you do: /sbin/ipfw add pass udp from any to ${oip} 53 /sbin/ipfw add pass udp from ${oip} 53 to any From owner-freebsd-security Thu Sep 25 20:16:14 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id UAA02919 for security-outgoing; Thu, 25 Sep 1997 20:16:14 -0700 (PDT) Received: from panda.hilink.com.au (panda.hilink.com.au [203.8.15.25]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id UAA02887 for ; Thu, 25 Sep 1997 20:15:53 -0700 (PDT) Received: (from danny@localhost) by panda.hilink.com.au (8.8.5/8.8.5) id NAA16000; Fri, 26 Sep 1997 13:13:56 +1000 (EST) Date: Fri, 26 Sep 1997 13:13:55 +1000 (EST) From: "Daniel O'Callaghan" To: Nate Williams cc: Don Lewis , Nate Williams , Chris Stenton , security@FreeBSD.ORG Subject: Re: rc.firewall weakness? In-Reply-To: <199709260216.UAA20908@rocky.mt.sri.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Thu, 25 Sep 1997, Nate Williams wrote: > > You've got it, which is why I only permit UDP 53<->53 and 123<->123. > > How do you do that? You must not be using IPFW, since it really doesn't > allow the ability to permit -. 
What about: ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in Danny From owner-freebsd-security Thu Sep 25 22:38:13 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id WAA09695 for security-outgoing; Thu, 25 Sep 1997 22:38:13 -0700 (PDT) Received: from ns.mt.sri.com (SRI-56K-FR.mt.net [206.127.65.42]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id WAA09690 for ; Thu, 25 Sep 1997 22:38:08 -0700 (PDT) Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.7/8.8.7) with ESMTP id XAA15200; Thu, 25 Sep 1997 23:37:43 -0600 (MDT) Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id XAA21334; Thu, 25 Sep 1997 23:37:40 -0600 (MDT) Date: Thu, 25 Sep 1997 23:37:40 -0600 (MDT) Message-Id: <199709260537.XAA21334@rocky.mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: "Daniel O'Callaghan" Cc: Nate Williams , Don Lewis , security@freebsd.org Subject: Re: rc.firewall weakness? In-Reply-To: References: <199709260216.UAA20908@rocky.mt.sri.com> X-Mailer: VM 6.29 under 19.15 XEmacs Lucid Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > > You've got it, which is why I only permit UDP 53<->53 and 123<->123. > > > > How do you do that? You must not be using IPFW, since it really doesn't > > allow the ability to permit -. > > What about: > > ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in It doesn't work that way. 
;( Nate From owner-freebsd-security Thu Sep 25 23:03:51 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA11187 for security-outgoing; Thu, 25 Sep 1997 23:03:51 -0700 (PDT) Received: from panda.hilink.com.au (panda.hilink.com.au [203.8.15.25]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA11171 for ; Thu, 25 Sep 1997 23:03:45 -0700 (PDT) Received: (from danny@localhost) by panda.hilink.com.au (8.8.5/8.8.5) id QAA16883; Fri, 26 Sep 1997 16:03:34 +1000 (EST) Date: Fri, 26 Sep 1997 16:03:33 +1000 (EST) From: "Daniel O'Callaghan" To: Nate Williams cc: security@freebsd.org Subject: Re: rc.firewall weakness? In-Reply-To: <199709260537.XAA21334@rocky.mt.sri.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Thu, 25 Sep 1997, Nate Williams wrote: > > > > You've got it, which is why I only permit UDP 53<->53 and 123<->123. > > > > > > How do you do that? You must not be using IPFW, since it really doesn't > > > allow the ability to permit -. > > > > What about: > > > > ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in > > It doesn't work that way. ;( No? My cursory reading of ip_fw.c indicates that it does, but I'm happy to be shown otherwise, as I don't consider myself to be a C expert. Or are you referring to the fact that you need a more comprehensive ruleset to be effective? 
Danny

From owner-freebsd-security Thu Sep 25 23:09:19 1997
Date: Fri, 26 Sep 1997 00:09:07 -0600 (MDT)
Message-Id: <199709260609.AAA21538@rocky.mt.sri.com>
From: Nate Williams
To: "Daniel O'Callaghan"
Cc: Nate Williams, security@freebsd.org
Subject: Re: rc.firewall weakness?
References: <199709260537.XAA21334@rocky.mt.sri.com>

> > > > > You've got it, which is why I only permit UDP 53<->53 and 123<->123.
> > >
> > > What about:
> > >
> > > ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in
> >
> > It doesn't work that way. ;(
>
> No?  My cursory reading of ip_fw.c indicates that it does, but I'm happy
> to be shown otherwise, as I don't consider myself to be a C expert.
> Or are you referring to the fact that you need a more comprehensive
> ruleset to be effective?

I had a discussion with Alex a while back, and if my memory isn't
failing me this didn't work.  I don't know why either, and I haven't
looked at the sources.  Perhaps it's been fixed to work, but I haven't
seen anything significant since the discussion.
Nate

From owner-freebsd-security Thu Sep 25 23:21:16 1997
From: Reinier Bezuidenhout
Message-Id: <199709260620.IAA14479@oskar.nanoteq.co.za>
Subject: Re: rc.firewall weakness?
In-Reply-To: <199709260009.RAA19119@salsa.gv.tsc.tdk.com> from Don Lewis at "Sep 25, 97 05:09:07 pm"
To: Don.Lewis@tsc.tdk.com (Don Lewis)
Date: Fri, 26 Sep 1997 08:20:14 +0200 (SAT)
Cc: nate@mt.sri.com, jacs@gnome.co.uk, security@FreeBSD.ORG

Hi ...

> } > $fwcmd add pass udp from ${oip} to any 123
> } >
> } > allows anyone from outside to connect to any udp port and get a reply if they
> } > can get their hacking prog to connect from port 53 or 123 on their own machine?
> } >
>
> You've got it, which is why I only permit UDP 53<->53 and 123<->123.  You
> lose the ability to point a DNS client at an external DNS server (though
> you can still do this safely for testing purposes if you use TCP queries),
> and you can't query external NTP servers.  The server to server traffic
> for DNS and NTP still works fine.
>
> } Yes, that is true.  This is also the case with TCP ports that have
> } similar rulesets, most notably FTP-DATA.
>
> Unless you ban that and only allow passive FTP.

The ftp data port is really a bad case (if you allow active connections).
I once re-compiled a kernel with the low port set to 20 (or 19, I can't
remember) and was able to telnet through a firewall to a machine's telnet
port.  Since then, we have added the following rule to our packet
filtering:

add 100 deny tcp from any 20 to 1.2.3.4 1-1023 in recv

because they should not be going to low port numbers.

How about this idea ... letting the ftp daemon be able to manipulate the
packet filtering rules.  Thus, when it knows WHERE and on what PORT the
data connection is arriving, let it open the data port for that period for
that ip.  When the data connection closes, it removes the rule from the
table again ...

The same might be true even for the DNS ... when the DNS wants to do a
query, let it open the ports and when it is finished, let it close them
again ...

This is only if you're REALLY into having more security; it doesn't give
you more of an advantage, but it closes down the window for an attack.

Reinier

###################################################################
#                                                                 #
#  R.N. Bezuidenhout                    NetSeq Firewall           #
#  rbezuide@oskar.nanoteq.co.za         http://www.nanoteq.co.za  #
#                                                                 #
###################################################################

From owner-freebsd-security Thu Sep 25 23:33:44 1997
From: Reinier Bezuidenhout
Message-Id: <199709260632.IAA14725@oskar.nanoteq.co.za>
Subject: Re: rc.firewall weakness?
In-Reply-To: <199709260609.AAA21538@rocky.mt.sri.com> from Nate Williams at "Sep 26, 97 00:09:07 am"
To: nate@mt.sri.com (Nate Williams)
Date: Fri, 26 Sep 1997 08:32:49 +0200 (SAT)
Cc: danny@panda.hilink.com.au, nate@mt.sri.com, security@FreeBSD.ORG

Hi ...

> > > > > > You've got it, which is why I only permit UDP 53<->53 and 123<->123.
> > > >
> > > > What about:
> > > >
> > > > ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in
> > >
> > > It doesn't work that way. ;(
> >
> > No?  My cursory reading of ip_fw.c indicates that it does, but I'm happy
> > to be shown otherwise, as I don't consider myself to be a C expert.
> > Or are you referring to the fact that you need a more comprehensive
> > ruleset to be effective?
>
> I had a discussion with Alex a while back, and if my memory isn't
> failing me this didn't work.  I don't know why either, and I haven't
> looked at the sources.  Perhaps it's been fixed to work, but I haven't
> seen anything significant since the discussion.
>

Aren't we just having a communications gap here ???  ...  I thought the
53<->53 just meant a rule like this ..

accept udp from any 53 to any 53

Which is possible to configure ... I use it often for routing info to be
exchanged ... e.g.

accept udp from any 520 to 1.2.3.4 520 in recv ed0

and that works fine ....
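The two points the rc.firewall thread turns on, the "from any 53 to any port" rule versus the port-to-port 53<->53 form and Reinier's idea of having ftpd open the data port only for one peer and one transfer, as an added example in Python (not code from the thread or from any poster); the addresses, rule numbers and the FtpDataRules class are constructed for it, and it only builds ipfw command strings rather than touching a kernel.

```python
"""Added example, not code from the thread or from any of its posters: a small
model of ipfw-style first-match evaluation, used to show (1) why 'allow udp
from any 53 to <host>' is weaker than the port-to-port 'from any 53 to <host>
53' form and (2) Reinier's idea of letting ftpd open the data port only for
one peer and one transfer, numbered inside a reserved rule block.  Addresses,
ports and FtpDataRules are constructed; nothing here talks to a kernel, it
only builds the ipfw(8) command strings an operator would run."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "allow" or "deny"
    proto: str
    src: str               # address or "any"
    sport: Optional[int]   # None matches any source port
    dst: str
    dport: Optional[int]   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in ("any", p.src)
                and self.sport in (None, p.sport)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))

    def as_ipfw(self) -> str:
        """Render in the syntax used in the thread (no 'in recv <if>' part)."""
        def side(addr: str, port: Optional[int]) -> str:
            return addr if port is None else f"{addr} {port}"
        return (f"ipfw add {self.number} {self.action} {self.proto} "
                f"from {side(self.src, self.sport)} to {side(self.dst, self.dport)}")


def verdict(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins, in rule-number order, as ipfw evaluates."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.action
    return default


HOST = "1.2.3.4"  # constructed; the same placeholder address the thread uses

# Loose shape: anything sourced from port 53 reaches any UDP port on HOST.
LOOSE = [Rule(1000, "allow", "udp", "any", 53, HOST, None)]
# Strict shape: only 53<->53 and 123<->123, as Don and Danny describe.
STRICT = [Rule(1000, "allow", "udp", "any", 53, HOST, 53),
          Rule(1010, "allow", "udp", "any", 123, HOST, 123)]


class FtpDataRules:
    """Hypothetical rule manager for ftpd: one allow rule per data connection,
    numbered inside a reserved block and deleted when the transfer ends."""

    def __init__(self, local_ip: str, first: int = 2000, last: int = 2999):
        self.local_ip = local_ip
        self.first, self.last = first, last
        self.active: Dict[Tuple[str, int], Rule] = {}

    def _free_number(self) -> int:
        used = {r.number for r in self.active.values()}
        for n in range(self.first, self.last + 1):
            if n not in used:
                return n
        raise RuntimeError("ftp-data rule block exhausted")

    def open(self, peer_ip: str, data_port: int) -> str:
        """Once ftpd knows which peer connects to which port, admit only that."""
        rule = Rule(self._free_number(), "allow", "tcp",
                    peer_ip, None, self.local_ip, data_port)
        self.active[(peer_ip, data_port)] = rule
        return rule.as_ipfw()

    def close(self, peer_ip: str, data_port: int) -> str:
        """When the data connection closes, drop the rule and free its number."""
        rule = self.active.pop((peer_ip, data_port))
        return f"ipfw delete {rule.number}"
```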
Reinier

###################################################################
#                                                                 #
#  R.N. Bezuidenhout                    NetSeq Firewall           #
#  rbezuide@oskar.nanoteq.co.za         http://www.nanoteq.co.za  #
#                                                                 #
###################################################################

From owner-freebsd-security Thu Sep 25 23:49:06 1997
From: Reinier Bezuidenhout
Message-Id: <199709260645.IAA15067@oskar.nanoteq.co.za>
Subject: Re: rc.firewall weakness?
In-Reply-To: <199709260009.RAA19119@salsa.gv.tsc.tdk.com> from Don Lewis at "Sep 25, 97 05:09:07 pm"
To: Don.Lewis@tsc.tdk.com (Don Lewis)
Date: Fri, 26 Sep 1997 08:45:42 +0200 (SAT)
Cc: nate@mt.sri.com, jacs@gnome.co.uk, security@FreeBSD.ORG

Oops ... Sorry guys .. looks like I was a bit late with the dynamic packet
filtering :)... I didn't see that you already did mention it.

What we have for our firewalling system is a daemon that manages the
packet filtering rules.  Rules are grouped together, e.g. you could get a
block reading 2000 to 3000 reserved for ftp connections.  Then a program,
e.g. ftpd, can only add rules in that block and nowhere else.  Rules are
then added via a daemon that keeps track of all the rules.  User level
applications then have the ability to dynamically add and delete rules via
this daemon, and this daemon could also enforce certain policy rules, e.g.
refusing to add any rule reading "allow all from any to any" except if
done by root.

Reinier

###################################################################
#                                                                 #
#  R.N. Bezuidenhout                    NetSeq Firewall           #
#  rbezuide@oskar.nanoteq.co.za         http://www.nanoteq.co.za  #
#                                                                 #
###################################################################

From owner-freebsd-security Fri Sep 26 02:27:12 1997
Date: Fri, 26 Sep 1997 10:14:21 +0100
Message-ID: <00067CF9.3043@kpmg.co.uk>
From: Gary.Davitt@kpmg.co.uk (Gary Davitt)
To: freebsd-security@freeBSD.ORG

unsubscribe

From owner-freebsd-security Fri Sep 26 21:07:17 1997
Message-Id: <199709270319.UAA27890@mail.san.rr.com>
From: "Studded"
To: "freebsd-security@freebsd.org"
Date: Fri, 26 Sep 97 20:19:09 -0700
Subject: samba security fix going into 2.2.5?

I saw this on bugtraq today, and haven't noticed any comments about it.
Yes, I know that the freebsd team members read bugtraq, I just wanted to
be sure it was getting attention. :)

Doug

==================BEGIN FORWARDED MESSAGE==================

>Date: Sat, 27 Sep 1997 00:07:19 +1000
>Reply-To: Andrew.Tridgell@anu.edu.au
>Sender: Bugtraq List
>From: Andrew Tridgell
>Subject: Security bugfix for Samba
>To: BUGTRAQ@NETSPACE.ORG

Security bugfix for Samba
-------------------------

A security hole in all versions of Samba has been recently discovered.
The security hole allows unauthorized remote users to obtain root access
on the Samba server.

An exploit for this security hole has been posted to the internet so
system administrators should assume that this hole is being actively
exploited.

The exploit for the security hole is very architecture specific and has
been only demonstrated to work for Samba servers running on Intel based
platforms.  The exploit posted to the internet is specific to Intel Linux
servers.  It would be very difficult to produce an exploit for other
architectures but it may be possible.

A new release of Samba has now been made that fixes the security hole.
The new release is version 1.9.17p2 and is available from
ftp://samba.anu.edu.au/pub/samba/samba-1.9.17p2.tar.gz

This release also adds a routine which logs a message if anyone attempts
to take advantage of the security hole.  The message (in the Samba log
files) will look like this:

ERROR: Invalid password length 999
you're machine may be under attack by a user exploiting an old bug
Attack was from IP=aaa.bbb.ccc.ddd

where aaa.bbb.ccc.ddd is the IP address of the machine performing the
attack.
The Samba Team
samba-bugs@samba.anu.edu.au

===================END FORWARDED MESSAGE===================

Do thou amend thy face,
and I'll amend my life.
        -Shakespeare, "Henry V"

From owner-freebsd-security Fri Sep 26 21:58:22 1997
Message-Id: <199709270453.VAA07721@cwsys.cwent.com>
Reply-to: cschuber@uumail.gov.bc.ca
To: "Studded"
cc: "freebsd-security@freebsd.org"
Subject: Re: samba security fix going into 2.2.5?
In-reply-to: Your message of "Fri, 26 Sep 1997 20:19:09 PDT." <199709270319.UAA27890@mail.san.rr.com>
Date: Fri, 26 Sep 1997 21:53:36 -0700
From: Cy Schubert

I'm sure it will.  Upgrading the port in the collection is trivial.

Regards,                       Phone:    (250)387-8437
Cy Schubert                    Fax:      (250)387-5766
UNIX Support                   OV/VM:    BCSC02(CSCHUBER)
ITSD                           BITNET:   CSCHUBER@BCSC02.BITNET
Government of BC               Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."

> I saw this on bugtraq today, and haven't noticed any comments
> about it. Yes, I know that the freebsd team members read bugtraq, I
> just wanted to be sure it was getting attention. :)
>
> Doug
>
> ==================BEGIN FORWARDED MESSAGE==================
> [...]
> ===================END FORWARDED MESSAGE===================
>
> Do thou amend thy face,
> and I'll amend my life.
>         -Shakespeare, "Henry V"

From owner-freebsd-security Fri Sep 26 22:10:26 1997
Message-Id: <199709270510.WAA07862@cwsys.cwent.com>
Reply-to: cschuber@uumail.gov.bc.ca
To: "Studded"
cc: "freebsd-security@freebsd.org"
Subject: Re: samba security fix going into 2.2.5?
In-reply-to: Your message of "Fri, 26 Sep 1997 20:19:09 PDT." <199709270319.UAA27890@mail.san.rr.com>
From: "Cy Schubert - ITSD Open Systems Group"
Date: Fri, 26 Sep 1997 22:09:58 -0700

I'm sure it will.  Upgrading the port in the collection is trivial.

Regards,                       Phone:    (250)387-8437
Cy Schubert                    Fax:      (250)387-5766
UNIX Support                   OV/VM:    BCSC02(CSCHUBER)
ITSD                           BITNET:   CSCHUBER@BCSC02.BITNET
Government of BC               Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."

> I saw this on bugtraq today, and haven't noticed any comments
> about it. Yes, I know that the freebsd team members read bugtraq, I
> just wanted to be sure it was getting attention. :)
>
> Doug
>
> ==================BEGIN FORWARDED MESSAGE==================
> [...]
> ===================END FORWARDED MESSAGE===================
>
> Do thou amend thy face,
> and I'll amend my life.
>         -Shakespeare, "Henry V"

From owner-freebsd-security Fri Sep 26 23:10:26 1997
Message-Id: <199709270610.AAA28482@harmony.village.org>
To: cschuber@uumail.gov.bc.ca
Subject: Re: samba security fix going into 2.2.5?
Cc: "Studded", "freebsd-security@freebsd.org"
In-reply-to: Your message of "Fri, 26 Sep 1997 22:09:58 PDT." <199709270510.WAA07862@cwsys.cwent.com>
References: <199709270510.WAA07862@cwsys.cwent.com>
Date: Sat, 27 Sep 1997 00:10:20 -0600
From: Warner Losh

In message <199709270510.WAA07862@cwsys.cwent.com> "Cy Schubert - ITSD Open Systems Group" writes:
: I'm sure it will.  Upgrading the port in the collection is trivial.

I just saw a commit message go by that seemed to be this exact fix.
Warner

From owner-freebsd-security Sat Sep 27 12:30:37 1997
Message-Id: <199709271930.MAA01459@mail.san.rr.com>
From: "Studded"
To: "freebsd-security@freebsd.org"
Date: Sat, 27 Sep 97 12:29:49 -0700
Subject: Re: samba security fix going into 2.2.5?

On Sat, 27 Sep 1997 00:10:20 -0600, Warner Losh wrote:

>I just saw a commit message go by that seemed to be this exact fix.

Yep... this was confirmed to me in private mail. :)  Thanks to all those
that responded.  And for those keeping score, yes, I did mean to say
"going into the 2.2.5 cd" since samba is not in the base, but is a port.
I will try to be more clear next time. :)

Doug

Do thou amend thy face,
and I'll amend my life.
        -Shakespeare, "Henry V"

From owner-freebsd-security Sat Sep 27 18:38:22 1997
To: "Studded"
cc: "freebsd-security@freebsd.org"
Subject: Re: samba security fix going into 2.2.5?
In-reply-to: Your message of "Fri, 26 Sep 1997 20:19:09 PDT." <199709270319.UAA27890@mail.san.rr.com>
Date: Sat, 27 Sep 1997 18:38:05 -0700
Message-ID: <26594.875410685@time.cdrom.com>
From: "Jordan K. Hubbard"

> I saw this on bugtraq today, and haven't noticed any comments
> about it. Yes, I know that the freebsd team members read bugtraq, I

You need to subscribe to the cvs-all mailing list - this was fixed in a
commit yesterday.
Jordan

From owner-freebsd-security Sat Sep 27 18:47:54 1997
Message-Id: <199709280147.SAA03871@mail.san.rr.com>
From: "Studded"
To: "freebsd-security@freebsd.org"
Date: Sat, 27 Sep 97 18:47:01 -0700
Subject: Re: samba security fix going into 2.2.5?

On Sat, 27 Sep 1997 18:38:05 -0700, Jordan K. Hubbard wrote:

>> I saw this on bugtraq today, and haven't noticed any comments
>> about it. Yes, I know that the freebsd team members read bugtraq, I
>
>You need to subscribe to the cvs-all mailing list

*Laugh*  Not on a bet.  I get way too many e-mails per day already.

> - this was fixed in a commit yesterday.

Actually my hope was that the people who do these kind of commits would
be more proactive about posting these kinds of things.  Every time
something is posted to bugtraq (et al) that affects freebsd someone asks,
usually on this list.  It would be nice if the person who had committed
the samba fix had sent a 2 or 3 line e-mail to that effect, but I know
y'all are volunteers so I'll take what I can get.

Thanks for the info,

Doug

Do thou amend thy face,
and I'll amend my life.
        -Shakespeare, "Henry V"

From owner-freebsd-security Sat Sep 27 20:14:48 1997
To: "Studded"
cc: "freebsd-security@freebsd.org"
Subject: Re: samba security fix going into 2.2.5?
In-reply-to: Your message of "Sat, 27 Sep 1997 18:47:01 PDT." <199709280147.SAA03871@mail.san.rr.com>
Date: Sat, 27 Sep 1997 20:14:32 -0700
Message-ID: <27603.875416472@time.cdrom.com>
From: "Jordan K. Hubbard"

> Actually my hope was that the people who do these kind of
> commits would be more proactive about posting these kinds of things.

Nope.  You have to follow the commits if you really want to stay on top
of things - people are already overloaded as it is just in trying to get
things committed before they go stale.

Jordan
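For the Samba advisory forwarded earlier in this thread, an added example in Python (not part of any post) that picks the 1.9.17p2 attack log message out of a log and counts attempts per source so repeat offenders can be blocked or alerted on; the SAMPLE_LOG lines and their "[smbd]" prefix are constructed, only the three message lines follow the advisory's wording, and the function names are assumptions.

```python
"""Added example, not part of any post in the thread: detection logic for the
log message that Samba 1.9.17p2 emits when someone probes the password-length
bug, as described in the Bugtraq advisory forwarded above.  SAMPLE_LOG is
constructed (the '[smbd]' prefixes are invented; the three message lines
follow the advisory's wording), as are the function names."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# The advisory shows the message on three lines; only the first and third
# carry data, so the middle line is ignored and no exact log prefix is assumed.
_LEN_RE = re.compile(r"ERROR: Invalid password length (\d+)")
_IP_RE = re.compile(r"Attack was from IP=(\d{1,3}(?:\.\d{1,3}){3})")

SAMPLE_LOG = """\
[smbd] session setup from 198.51.100.7
[smbd] ERROR: Invalid password length 999
[smbd] you're machine may be under attack by a user exploiting an old bug
[smbd] Attack was from IP=192.0.2.10
[smbd] ERROR: Invalid password length 4096
[smbd] you're machine may be under attack by a user exploiting an old bug
[smbd] Attack was from IP=203.0.113.5
[smbd] Attack was from IP=10.0.0.1
[smbd] ERROR: Invalid password length 999
[smbd] you're machine may be under attack by a user exploiting an old bug
[smbd] Attack was from IP=192.0.2.10
[smbd] ERROR: Invalid password length 999
[smbd] you're machine may be under attack by a user exploiting an old bug
[smbd] Attack was from IP=192.0.2.10
"""


def parse_attacks(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Pair each 'Invalid password length' line with the 'Attack was from IP='
    line that follows it.  An IP line with no preceding length line (a
    truncated or out-of-order record) is dropped rather than guessed at."""
    events: List[Dict[str, object]] = []
    pending: Optional[int] = None
    for line in lines:
        m = _LEN_RE.search(line)
        if m:
            pending = int(m.group(1))
            continue
        m = _IP_RE.search(line)
        if m and pending is not None:
            events.append({"length": pending, "ip": m.group(1)})
            pending = None
    return events


def sources_over_threshold(events: List[Dict[str, object]],
                           threshold: int = 3) -> Dict[str, int]:
    """Attempts per source, keeping only sources at or above the threshold;
    the result is what an operator would feed to a deny rule or an alert."""
    counts = Counter(str(e["ip"]) for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = parse_attacks(SAMPLE_LOG.splitlines())
    for e in found:
        print(f"attempt from {e['ip']} (claimed password length {e['length']})")
    print("repeat offenders:", sources_over_threshold(found))
```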