From owner-freebsd-security Sun Nov 5 0:54:18 2000
Date: Sun, 5 Nov 2000 10:59:23 +0200 (EET)
From: petro
To: freebsd-security@FreeBSD.ORG
Subject: Strange problem!!!!

Hello!

During the last 3 days I have been receiving messages like these in /var/log/messages:

Hostname last message repeated 80 times
Hostname last message repeated 56 times
Hostname last message repeated 32 times
Hostname last message repeated 57 times
.....

Where hostname is the name of my host...

Please, if someone can give me the answer...
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Nov 5 1: 6:35 2000
Date: Sun, 5 Nov 2000 03:06:30 -0600
From: Tim Tsai
To: freebsd-security@FreeBSD.ORG
Subject: Re: pine 4.30 improvements

On Sat, Nov 04, 2000 at 02:12:35PM -0600, Mike Silbersack wrote:
> However, if they keep moving in this direction, it seems likely that pine
> will be able to be considered safe within a release or two.

They've been saying that for years.
Tim

From owner-freebsd-security Sun Nov 5 1:39:23 2000
Date: Sun, 5 Nov 2000 10:36:18 +0100 (CET)
From: jkerle@gmx.net
To: petro
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Strange problem!!!!

Hi,

to avoid filling the /var partition, syslog does not write every message if they are coming in fast and are always the same. So take a look at which message was before the repeat message. This one came many times.

cu, Jens

On Sun, 5 Nov 2000, petro wrote:

> Hello!
>
> During last 3 days I receive such message in /var/log/messages
> Hostname last message repeated 80 times
> Hostname last message repeated 56 times
> Hostname last message repeated 32 times
> Hostname last message repeated 57 times
> .....
>
> Where hostname is the name of my host...
>
> Please if someone can give me the answer...
From owner-freebsd-security Sun Nov 5 10:30:38 2000
From: naddy@mips.inka.de (Christian Weisgerber)
Subject: Re: pine 4.30 improvements
Date: Sun, 5 Nov 2000 17:56:14 +0000 (UTC)
To: freebsd-security@freebsd.org

James Lim wrote:

[nano]
> Besides an editor, it is also an email client.

No, it's not. nano is a plain editor, nothing more.

--
Christian "naddy" Weisgerber naddy@mips.inka.de

From owner-freebsd-security Sun Nov 5 17:35:45 2000
From: "Jonathan M. Slivko"
Subject: Pine 4.30
Date: Sun, 5 Nov 2000 20:36:15 -0500

According to this list, there is a new version of UW Pine, version 4.30. I'm wondering: Does this new version fix the problem that made the committing team (Kris Kennaway in particular) mark the port as forbidden? I would like to know so I can get the fixed version and offer it to my users instead of elm, etc. that I am offering now. Thanks.

-- Jonathan M. Slivko

From owner-freebsd-security Sun Nov 5 17:39:40 2000
Date: Sun, 5 Nov 2000 19:39:32 -0600 (CST)
From: Mike Silbersack
To: "Jonathan M. Slivko"
Cc: freebsd-security@freebsd.org, freebsd-isp@freebsd.org
Subject: Re: Pine 4.30

On Sun, 5 Nov 2000, Jonathan M. Slivko wrote:

> According to this list, there is a new version of UW Pine, version 4.30. I'm wondering: Does this new version fix the problem that made the committing team (Kris Kennaway in particular) mark the port as forbidden? I would like to know so I can get the fixed version and offer it to my users instead of elm, etc. that I am offering now. Thanks. -- Jonathan M. Slivko

The forbidden marking was due to the general bad coding style of pine. This has not changed sufficiently with 4.30.

However, there are no (publicly) known security issues with the latest 4.21 from ports or 4.30. So, the question of whether it's safe or not depends on your level of paranoia.

Mike "Silby" Silbersack

From owner-freebsd-security Mon Nov 6 11:58:47 2000
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:61.tcpdump [REISSUED]
Reply-To: security-advisories@freebsd.org
Date: Mon, 6 Nov 2000 11:58:27 -0800 (PST)

=============================================================================
FreeBSD-SA-00:61                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          tcpdump contains remote vulnerabilities [REISSUED]

Category:       core
Module:         tcpdump
Announced:      2000-10-31
Reissued:       2000-11-06
Credits:        Discovered during internal auditing.
Affects:        All releases of FreeBSD 3.x, 4.x prior to 4.2
                FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the
                correction date
Corrected:      2000-10-04 (FreeBSD 4.1.1-STABLE)
                2000-10-05 (FreeBSD 3.5.1-STABLE)
Vendor status:  Patch released
FreeBSD only:   NO

0. Revision History

v1.0  2000-10-31  Initial release
v1.1  2000-11-06  Corrected patch

I. Background

tcpdump is a tool for monitoring network activity.

II. Problem Description

Several overflowable buffers were discovered in the version of tcpdump included in FreeBSD, during internal source code auditing. Some simply allow the remote attacker to crash the local tcpdump process, but there is a more serious vulnerability in the decoding of AFS ACL packets in the more recent version of tcpdump (tcpdump 3.5) included in FreeBSD 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE, which may allow a remote attacker to execute arbitrary code on the local system (usually root, since root privileges are required to run tcpdump).

The former issue may be a problem for systems using tcpdump as a form of intrusion detection system, i.e. to monitor suspicious network activity: after the attacker crashes any listening tcpdump processes their subsequent activities will not be observed.
All released versions of FreeBSD prior to the correction date including 3.5.1-RELEASE, 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE are vulnerable to the "remote crash" problems, and FreeBSD 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE are also vulnerable to the "remote execution" vulnerability. Both problems were corrected in 4.1.1-STABLE prior to the release of FreeBSD 4.2-RELEASE.

III. Impact

Remote users can cause the local tcpdump process to crash, and (under FreeBSD 4.0-RELEASE, 4.1-RELEASE, 4.1.1-RELEASE and 4.1.1-STABLE prior to the correction date) may be able to cause arbitrary code to be executed as the user running tcpdump, usually root.

IV. Workaround

Do not use vulnerable versions of tcpdump in network environments which may contain packets from untrusted sources.

V. Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or 3.5.1-STABLE after the respective correction dates.

2a) FreeBSD 3.x systems prior to the correction date

Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch.asc

# cd /usr/src/contrib/tcpdump
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make all install

2b) FreeBSD 4.x systems prior to the correction date

NOTE: The patch distributed with the original version of this advisory was incomplete and did not include all of the security fixes made to the tcpdump utility. In particular, it did not address the remote code execution vulnerability.

Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch.v1.1
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch.v1.1.asc

# cd /usr/src/contrib/tcpdump
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make all install

From owner-freebsd-security Mon Nov 6 12: 1:47 2000
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:62.top [REISSUED]
Reply-To: security-advisories@freebsd.org
Date: Mon, 6 Nov 2000 12:01:10 -0800 (PST)

=============================================================================
FreeBSD-SA-00:62                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          top allows reading of kernel memory [REISSUED]

Category:       core
Module:         top
Announced:      2000-11-01
Reissued:       2000-11-06
Credits:        vort@wiretapped.net via OpenBSD
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases
                prior to 4.2), FreeBSD 3.5.1-STABLE and 4.1.1-STABLE
                prior to the correction date.
Corrected:      2000-11-04 (FreeBSD 4.1.1-STABLE)
                2000-11-05 (FreeBSD 3.5.1-STABLE)
FreeBSD only:   NO

0. Revision History

v1.0  2000-11-01  Initial release
v1.1  2000-11-06  Updated patch released.

I. Background

top is a utility for displaying current system resource statistics such as process CPU and memory use. It is externally-maintained, contributed software which is included in FreeBSD by default.

II. Problem Description

A "format string vulnerability" was discovered in the top(1) utility which allows unprivileged local users to cause the top process to execute arbitrary code. The top utility runs with increased privileges as a member of the kmem group, which allows it to read from kernel memory (but not write to it). A process with the ability to read from kernel memory can monitor privileged data such as network traffic, disk buffers and terminal activity, and may be able to leverage this to obtain further privileges on the local system or on other systems, including root privileges.
All released versions of FreeBSD prior to the correction date including 4.0, 4.1, 4.1.1 and 3.5.1 are vulnerable to this problem, but it was fixed in the 4.1.1-STABLE branch prior to the release of FreeBSD 4.2-RELEASE.

III. Impact

Local users can read privileged data from kernel memory which may provide information allowing them to further increase their local or remote system access privileges.

IV. Workaround

Remove the setgid bit on the top utilities. This has the side-effect that users who are not a member of the kmem group or who are not the superuser cannot use the top utility.

# chmod g-s /usr/bin/top

V. Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or 3.5.1-STABLE after the respective correction dates.

2) Apply the patch below and recompile the relevant files:

NOTE: The original version of this advisory contained an incomplete patch which does not fully eliminate the security vulnerability. The additional vulnerability was pointed out by Przemyslaw Frasunek.

Either save this advisory to a file, or download the patch and detached PGP signature from the following locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:62/top.patch.v1.1
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:62/top.patch.v1.1.asc

Execute the following commands as root:

# cd /usr/src/contrib/top
# patch -p < /path/to/patch_or_advisory
# cd /usr/src/usr.bin/top
# make depend && make all install

Patch for vulnerable systems:

Index: display.c =================================================================== RCS file: /mnt/ncvs/src/contrib/top/display.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- display.c 1999/01/09 20:20:33 1.4 +++ display.c 2000/10/04 23:34:16 1.5
@@ -829,7 +831,7 @@ register int i; /* first, format the message */ - (void) sprintf(next_msg, msgfmt, a1, a2, a3); + (void) snprintf(next_msg, sizeof(next_msg), msgfmt, a1, a2, a3); if (msglen > 0) { Index: top.c =================================================================== RCS file: /mnt/ncvs/src/contrib/top/top.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- top.c 1999/01/09 20:20:34 1.4 +++ top.c 2000/10/04 23:34:16 1.5 @@ -807,7 +809,7 @@ { if ((errmsg = kill_procs(tempbuf2)) != NULL) { - new_message(MT_standout, errmsg); + new_message(MT_standout, "%s", errmsg); putchar('\r'); no_command = Yes; } Index: top.c =================================================================== RCS file: /mnt/ncvs/src/contrib/top/top.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- top.c 2000/10/04 23:34:16 1.5 +++ top.c 2000/11/03 22:00:10 1.6 
@@ -826,7 +826,7 @@ { if ((errmsg = renice_procs(tempbuf2)) != NULL) { - new_message(MT_standout, errmsg); + new_message(MT_standout, "%s", errmsg); putchar('\r'); no_command = Yes; }

From owner-freebsd-security Mon Nov 6 12:13:59 2000
Date: Mon, 06 Nov 2000 21:13:56 +0100
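
Review bot: in the display.c hunk (@@ -829,7 +831,7 @@), sizeof(next_msg) bounds the write only if next_msg is declared as an array visible at that point; the declaration is outside the hunk, and if it is a pointer the limit silently becomes the pointer size. Please confirm the declaration or pass the buffer's named length constant instead. The call also still forwards a caller-supplied msgfmt together with a1, a2, a3, so this line caps the length but does not make a non-literal format safe; that depends entirely on the callers.
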
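
Review bot: the two top.c hunks apply the identical change, new_message(MT_standout, "%s", errmsg), to the kill_procs path in revision 1.5 and to the renice_procs path only in revision 1.6, so the first pass fixed one call site and missed its sibling. Before this is considered complete, audit every remaining new_message() call, and any other function that passes an argument through as msgfmt, for a format argument that is not a string literal, and record in the commit message that the audit was done.
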
From: Borja Marcos
To: freebsd-security@freebsd.org
Subject: Correction to tcpdump advisory

Hi,

I don't know if my previous message was lost...

One of the useful features in FreeBSD is that you don't need to be root to use tcpdump, or any BPF program. It is a simple matter of having permission to access /dev/bpf?.

The advisory states that root privileges are *required* and it is not correct. I use tcpdump and snort as a normal user.

Borja.

From owner-freebsd-security Mon Nov 6 12:14:27 2000
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:64.global
Reply-To: security-advisories@freebsd.org
Date: Mon, 6 Nov 2000 12:14:04 -0800 (PST)

=============================================================================
FreeBSD-SA-00:64                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          global port allows remote compromise through CGI script

Category:       ports
Module:         global
Announced:      2000-11-06
Credits:        Shigio Yamaguchi
Affects:        Ports collection prior to the correction date.
Corrected:      2000-10-09
Vendor status:  Updated version released
FreeBSD only:   NO

I. Background

global is a source-code tagging system for indexing and searching large bodies of source code.

II. Problem Description

The global port, versions 3.5 through to 3.55, contains a vulnerability in the CGI script generated by the htags utility which allows a remote attacker to execute code on the local system as the user running the script, typically user 'nobody' in most installations.

There is no vulnerability in the default installation of the port, but if an administrator uses the 'htags -f' command to generate a CGI script enabling the browsing of source code, then the system is vulnerable to attack caused by incorrect validation of input.

An older version of global was included in previous releases of FreeBSD; this is not vulnerable to the problem described here.

The global port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 4100 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.1.1 contain this problem since it was discovered after the releases, but it was corrected prior to the release of FreeBSD 4.2.
FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

If the 'htags -f' command is used to generate a CGI script which is then installed under a webserver, then remote users may execute arbitrary commands on the local system as the user which runs the CGI script.

If you have not chosen to install the global port/package, or you have not used the 'htags -f' command to produce a CGI script, then your system is not vulnerable to this problem.

IV. Workaround

Deinstall the global port/package, if you have installed it, or remove the 'global.cgi' file installed on the website.

V. Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the global port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/global-4.0.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/global-4.0.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/global-4.0.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/global-4.0.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/global-4.0.1.tgz

3) download a new port skeleton for the cvsweb port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security Mon Nov 6 14:18:15 2000
Date: Mon, 06 Nov 2000 17:18:46 -0500
From: nicholas bernstein
To: freebsd-security@freebsd.org
Subject: OPEN SSH Weirdness

OK- I hope someone can help with this, 'cause I have no IDEA. :)
------------------
PLATFORMS:
Client(s):
Mac OS8.6 using niftyterm 1.1 ssh r3
Linux using ssh 1.2.29

Server:
FBSD 4.1 Stable using open ssh.
------------------
Error:

nickb@thorin:~ > ssh 141.154.27.35
Bad remote protocol version identification: 'You are not welcome to use sshd from thorin.innoverity.com.
------------------
sshd_config:

# This is ssh server systemwide configuration file.
#
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.4.2.1 2000/06/09 07:10:22 kris Exp $

Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostDsaKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 60
KeyRegenerationInterval 3600
PermitRootLogin yes
#AllowUsers *
# Rate-limit sshd connections to 5 connections per 10 seconds
ConnectionsPerPeriod 5/10
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#SkeyAuthentication no

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

CheckMail yes
#UseLogin no
-------------------
sshd errors:

gandalf# sshd
error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
Disabling protocol version 2

--
Nicholas Bernstein, Technologist, Artist, Etc.
nicholas@innoverity.com

From owner-freebsd-security Mon Nov 6 14:19:49 2000
From: Jason DiCioccio
To: 'nicholas bernstein', freebsd-security@freebsd.org
Subject: RE: OPEN SSH Weirdness
Date: Mon, 6 Nov 2000 14:19:39 -0800

cat /etc/hosts.allow

-------
Jason DiCioccio
Unix BOFH

mailto:jasond@epylon.com
415-593-2761 Direct & Fax
415-593-2900 Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

OK, so you're a Ph.D. Just don't touch anything.
From owner-freebsd-security Mon Nov 6 15:44:38 2000
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:65.xfce
Reply-To: security-advisories@freebsd.org
Message-Id: <20001106234419.6903437B479@hub.freebsd.org>
Date: Mon, 6 Nov 2000 15:44:19 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-00:65                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          xfce allows local X session compromise

Category:       ports
Module:         xfce
Announced:      2000-11-06
Credits:        Nicholas Brawn
Affects:        Ports collection prior to the correction date.
Corrected:      2000-11-01
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

xfce is a window manager/desktop environment for the X Windows system.

II.  Problem Description

Versions of xfce prior to 3.52 contain a startup script which incorrectly allows access to the X display to all other users on the local system. Such users are able to monitor and control the contents of the display window as well as monitoring input from keyboard and mouse devices. For example, this allows them to monitor passphrases typed into a terminal window, among other possibilities.

The xfce port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 4100 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.1.1 are vulnerable to this problem since it was discovered after the releases, but it was corrected prior to the release of FreeBSD 4.2.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Local users can monitor and control the contents of the X display running xfce, as well as input devices such as mice and keyboards.

IV.  Workaround

Deinstall the xfce port/package, if you have installed it, or remove the lines containing 'xhost +$HOSTNAME' in the following files:

/usr/X11R6/etc/xfce/xinitrc
/usr/X11R6/etc/xfce/xinitrc.mwm

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the xfce port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11-wm/xfce-3.12.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11-wm/xfce-3.12.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11-wm/xfce-3.12.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11-wm/xfce-3.12.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11-wm/xfce-3.12.tgz

3) download a new port skeleton for the xfce port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Nov 6 15:45:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 11EB637B65F; Mon, 6 Nov 2000 15:45:41 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:66.netscape
Reply-To: security-advisories@freebsd.org
Message-Id: <20001106234541.11EB637B65F@hub.freebsd.org>
Date: Mon, 6 Nov 2000 15:45:41 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-00:66                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Client vulnerability in Netscape

Category:       ports
Module:         netscape
Announced:      2000-11-06
Credits:        Michal Zalewski
Affects:        Ports collection prior to the correction date.
Corrected:      2000-10-29
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

Netscape is a popular web browser, available in several versions in the FreeBSD ports collection.

II.  Problem Description

Versions of netscape prior to 4.76 allow a client-side exploit through a buffer overflow in html code. A malicious website operator can cause arbitrary code to be executed by the user running the netscape client.

The netscape ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 4100 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.1.1 are vulnerable to this problem since it was discovered after the release, but it was corrected prior to the release of FreeBSD 4.2.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Remote attackers can execute arbitrary code on the local system by convincing users to visit a malicious website.

If you have not chosen to install the netscape port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the netscape port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the relevant netscape port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/

Since there are so many variations of the netscape ports in the FreeBSD ports collection they are not listed separately here. Localized versions are also available in the respective language subdirectory.

3) download a new port skeleton for the netscape port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Nov 6 17: 7:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from Awfulhak.org (tun.AwfulHak.org [194.242.139.173]) by hub.freebsd.org (Postfix) with ESMTP id 1946C37B479 for ; Mon, 6 Nov 2000 17:07:34 -0800 (PST)
Received: from hak.lan.Awfulhak.org (root@hak.lan.awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.1/8.11.0) with ESMTP id eA712oT02764; Tue, 7 Nov 2000 01:02:50 GMT (envelope-from brian@hak.lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.1/8.11.1) with ESMTP id eA713DT79969; Tue, 7 Nov 2000 01:03:13 GMT (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200011070103.eA713DT79969@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: "Tolpanov, Dmitry"
Cc: "'freebsd-security@FreeBSD.ORG'" , brian@Awfulhak.org
Subject: Re: MPPE.
In-Reply-To: Message from "Tolpanov, Dmitry" of "Mon, 30 Oct 2000 13:23:41 +0700."
    <807044A67EA3D211B11D00A024E91A45F2D218@exch.stack.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 07 Nov 2000 01:03:13 +0000
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Hello.
>
> I have the FreeBSD 4.1, recently compile and install poptop-1.0.0. Then i
> chose pppd for PPP link. Everything is working fine, but I can't make
> support for MPPE. As i understand I should upgrade the kernel.
> Don't anybody know where i can find info about this or may be there are some
> patches especially for FreeBSD 4.1.

Sorry this is a bit late, but MPPE support was committed to ppp(8) in -current a few weeks ago. You can get the latest ppp via http://www.Awfulhak.org/ppp.html.

> Thanks.
>
> Dmitry.

--
Brian
Don't _EVER_ lose your sense of humour !

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Nov 6 18: 0: 6 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (oe24.pav0.hotmail.com [64.4.32.104]) by hub.freebsd.org (Postfix) with ESMTP id A474237B4C5 for ; Mon, 6 Nov 2000 18:00:00 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 6 Nov 2000 18:00:00 -0800
X-Originating-IP: [209.187.203.9]
From: "Jonathan M. Slivko"
To: "FreeBSD Security Mailing List"
Subject: Please Repost Pine Advisories?
Date: Mon, 6 Nov 2000 21:00:37 -0500
MIME-Version: 1.0
X-Mailer: MSN Explorer 6.00.0009.1102
Content-Type: multipart/alternative; boundary="----=_NextPart_001_0000_01C04834.9D1E6CD0"
Message-ID:
X-OriginalArrivalTime: 07 Nov 2000 02:00:00.0577 (UTC) FILETIME=[6FC65B10:01C0485E]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Could someone please repost to me the Pine Advisories on FreeBSD-Security? Thanks in advance. -- Jonathan M. Slivko

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Nov 6 18: 3:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id AFC9E37B479 for ; Mon, 6 Nov 2000 18:03:34 -0800 (PST)
Received: by peitho.fxp.org (Postfix, from userid 1501) id B53CA1360E; Mon, 6 Nov 2000 21:03:38 -0500 (EST)
Date: Mon, 6 Nov 2000 21:03:38 -0500
From: Chris Faulhaber
To: "Jonathan M. Slivko"
Cc: FreeBSD Security Mailing List
Subject: Re: Please Repost Pine Advisories?
Message-ID: <20001106210338.B50442@peitho.fxp.org>
Mail-Followup-To: Chris Faulhaber , "Jonathan M. Slivko" , FreeBSD Security Mailing List
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from jmslivko@msn.com on Mon, Nov 06, 2000 at 09:00:37PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Nov 06, 2000 at 09:00:37PM -0500, Jonathan M. Slivko wrote:
> Could someone please repost to me the Pine Advisories on FreeBSD-Security? Thanks in advance. -- Jonathan M. Slivko

http://www.FreeBSD.org/security/#adv

or

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Nov 7 0:17:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dfw-smtpout4.email.verio.net (dfw-smtpout4.email.verio.net [129.250.36.44]) by hub.freebsd.org (Postfix) with ESMTP id 7E4F037B4CF for ; Tue, 7 Nov 2000 00:17:31 -0800 (PST)
Received: from [129.250.38.62] (helo=dfw-mmp2.email.verio.net) by dfw-smtpout4.email.verio.net with esmtp (Exim 3.12 #7) id 13t3wh-0004YF-00 for freebsd-security@freebsd.org; Tue, 07 Nov 2000 08:17:31 +0000
Received: from [209.43.128.27] (helo=gazelle) by dfw-mmp2.email.verio.net with smtp id 13t3wf-0005yl-00 for freebsd-security@freebsd.org; Tue, 07 Nov 2000 08:17:30 +0000
Message-Id: <3.0.5.32.20001107002217.009641f0@mail.accessone.com>
X-Sender: bokr@mail.accessone.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Tue, 07 Nov 2000 00:22:17 -0800
To: FreeBSD Security Mailing List
From: Bengt Richter
Subject: [FAQ] Ideas for automatic FAQ extraction?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have a pretty goodsized archive from this mailing list, with a lot of valuable Q's and A's, but it would take a *lot* of editing to make a FAQ out of it all. So I thought to ask: (see Q: below, after topic header ...)

[T: Markup syntax for automatic FAQ extraction from posted text.]

[C: The above T: item defines the beginning a topic scope. This is a comment to be included in the extracted FAQ material.]

[Q: Has anyone defined a simple markup syntax that would let people delimit *parts* of their posting so that a simple script could extract material to generate a FAQ document automatically?
]

[A: I am proposing this as a straw man, but there are probably others.
]

This is a comment that wouldn't show up in the output FAQ. Only stuff inside [] brackets gets extracted.

[Q: What about followup questions?
]

[A: They'd alternate, like a normal dialog, unless they narrowed in on something. Then nesting might be called for, like usenet threads.]

[Q: How does topic scope end?]

[A: With start of another, or EOF. Nesting Q: and A: scopes within a T: is permitted, but then it takes X: to exclude text.
    [X: This is inside an A: scope, so it takes the X: at the beginning of this to exclude this.]
]

This is not inside brackets, so it doesn't get extracted for a FAQ. This represents the parts of postings that you don't want in the FAQ, so you don't bracket it.

[Q: How much thought has gone into this?]

[A: Not a whole lot, but it's pretty simple.
    [C: This is a comment that is not an answer, but would get carried along, and it has nested scope. Extracted material would be pretty-printed.]
    [Q: What should this question refer to by its position?]
    [A: It should have been a nested follow-on question about the amount of thought or something in the answer, or something like that.]
    [X: Inside the outermost brackets, it takes X: bracketing to exclude text like this. This is still inside an A: scope.
    ]
] <- ends the A: above, with its nested C:, Q:, A: and X:. This part is outside, and excluded.

Even something as trivial ( well, the nesting/threading makes it a little less trivial, but still ) as the above markup might have a lot of effect. It's cheap to try. A little perl could easily make HTML or text FAQ output.

[C: Maybe there should be an optional [K: keywords] form to support searching and indexing? BTW the C: makes the [K: ...]'s here be included, but not 'evaluated' since they're inside the C: (comment) scope.]

[C: Maybe a special alternate to [T: ...] could designate a final version arrived at by consensus, say add an exclamation point after the colon on things, like [T:! ...] or [A:! ...], etc. or else just use the latest date posting containing a particular [T: ...] topic. To update a [T: Topic line] you'd follow it immediately with its replacement, and leave the old, to tie the new into the same succession.
]

[C: We could start with just the T:, Q:, and A: forms and no nesting, and see how it feels. E-mail quoting syntax will complicate extraction a little, but not that bad, I'd guess.
]

Thoughts?

Regards,
Bengt Richter (MOIB - Member of Idea Brigade ;-)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Nov 7 1: 4:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 69B2937B479 for ; Tue, 7 Nov 2000 01:04:01 -0800 (PST)
Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id eA793rE20149; Tue, 7 Nov 2000 04:03:53 -0500 (EST)
Date: Tue, 7 Nov 2000 04:03:53 -0500 (EST)
From: Trevor Johnson
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
In-Reply-To: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: 8BIT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Here's a draft of an advisory.

=============================================================================
FreeBSD-SA-00:67                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ncurses library is subject to buffer overflows

Category:       core
Modules:        contrib_ncurses libncurses ncurses
Announced:      2000-10-09
Credits:        Jouko_Pynnonen
Affects:        FreeBSD 4.x and 5.0 systems from after 2000-07-03
                but prior to the correction date; probably earlier
                4.x and 5.0 systems or systems with the ncurses port
                installed; possibly 2.x and 3.x systems
Corrected:      2000-10-11 (FreeBSD 5.0-CURRENT)
                2000-10-12 (FreeBSD 4.1.1-STABLE)
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

The ncurses library is a set of routines for working with character-mode terminals in a portable, device-independent way. In FreeBSD, it is distributed as part of the base system and also in the ports collection (devel/ncurses).

Version 5.1-20000701 of ncurses is known to have buffer overflows. It was added to the RELENG_4 and -CURRENT sources on 2000-07-03.

Older versions of ncurses have been reported as having the same vulnerabilities. In particular, ncurses 4.2 has been reported to be vulnerable. It is present in the ncurses port. Also, ncurses 5.0 has been reported to be vulnerable. It was introduced to FreeBSD 4.0-CURRENT on 1999-08-24. The older libcurses present in FreeBSD 2.x and 3.x has not been sufficiently tested for the vulnerabilities discussed in this advisory. However, according to a report by Valentin Nechayev, FreeBSD 3.5-STABLE does not exhibit them.

II.  Problem Description

Due to use of the strcpy() function, data from a malformed terminfo file placed in a user's ~/.terminfo/ directory can overflow a buffer used by the ncurses library.

III. Impact

If an SGID/SUID command is linked to the library, the bug can be exploited to give the user elevated privilege.

Reportedly, the telnet daemon in OpenBSD could be made to disclose the contents of read-protected files, or to cause a denial of service, by setting the TERMCAP environmental variable. Although FreeBSD's telnet daemon also is linked to libncurses, it has not been found to have this problem.

An exploit is available for the systat command, which is part of the FreeBSD base system. Other commands, both in the base system and in the ports collection, may be vulnerable. Examples are /usr/bin/top and /usr/sbin/lpc in the base system, /usr/local/bin/mutt_dotlock from the mail/mutt port, and /usr/X11R6/bin/xterm from various XFree86 ports.

IV.  Workaround

Remove SUID or SGID bits from, or deinstall, ncurses-based commands which have such privileges.

V.   Solution

Upgrade your vulnerable FreeBSD 4.x or 5.0 system to a version of FreeBSD from after the correction date (see http://www.freebsd.org/handbook/makeworld.html for more information about upgrading FreeBSD from source).

If you have installed the ncurses port and linked any privileged commands to it, deinstall the port and recompile the commands against the fixed ncurses in the base system.

===============================================================================

On Tue, 10 Oct 2000, Cy Schubert - ITSD Open Systems Group wrote:

> For those of you who don't subscribe to BUGTRAQ, here's a heads up.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>
>
> ------- Forwarded Message
>
> [headers deleted]
> Message-ID: i>
> Date: Mon, 9 Oct 2000 22:42:49 +0300
> Reply-To: =?iso-8859-1?Q?Jouko_Pynn=F6nen?=
> Sender: Bugtraq List
> From: =?iso-8859-1?Q?Jouko_Pynn=F6nen?=
> Subject: ncurses buffer overflows
> To: BUGTRAQ@SECURITYFOCUS.COM
> X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by
>     passer.osg.gov.bc.ca id e99LWVm00922
> Resent-To: cy@passer.osg.gov.bc.ca
> Resent-Date: Mon, 09 Oct 2000 14:32:31 -0700
> Resent-From: Cy Schubert
> X-MIME-Autoconverted: from 8bit to quoted-printable by
>     passer.osg.gov.bc.ca id e99LXWh00934
> Content-Transfer-Encoding: 8bit
> X-MIME-Autoconverted: from quoted-printable to 8bit by cwsys.cwsent.com
>     id e99LXpR01317
>
> OVERVIEW
>
> The CRT screen handling library ncurses contains buffer overflows,
> making programs using it vulnerable. If the programs are setuid or
> setgid, a local user may elevate their privilege. The problem exists in
> ncurses versions 4.2 and 5.0, probably earlier, and libocurses. The
> overflows can be exploited if the library implementation supports
> loading of user defined terminfo files from ~/.terminfo.
>
> The problem has been tested and found on
>
>  * SuSE Linux 6.4, Red Hat Linux 6.1. A setuid program using ncurses
>    ("cda" in the xmcd package) was successfully exploited to spawn a
>    root shell.
>
>  * FreeBSD, the program /usr/bin/systat is setgid and uses libncurses.
>    An exploit was made which gives a shell with egid=kmem. The kmem
>    group has read access to /dev/kmem and memory of all processes via
>    /proc//mem, and could be used to read e.g. crypted or
>    cleartext passwords, authorization keys, or any other info that
>    might be in programs' memory space.
>
>  * OpenBSD, having /usr/bin/systat setgid kmem too. No test exploit
>    was made, but the program segfaults when given an "evil" terminfo
>    file. Making a similar exploit is probably possible. This applies to
>    other BSD systems as well, but haven't been tested or confirmed.
>
> All programs using ncurses aren't necessarily vulnerable, e.g. "screen"
> is setuid root on some systems and uses ncurses, but it doesn't seem to
> use the vulnerable functions at least directly (investigated on Red Hat
> Linux, other systems may vary).
>
> When using telnet to connect to a remote system, telnetd on some
> platforms doesn't ignore TERMINFO_DIRS or TERMCAP environment variables
> (e.g. OpenBSD). This means the problem could be remotely exploitable
> under some conditions on some platforms. This hasn't been confirmed with
> an exploit, however by setting TERMCAP the OpenBSD telnetd can be made
> read any file as root. If the file is something like /dev/zero, the
> telnetd process reads it infinitely until the system runs out of memory.
>
>
>
> BUG DETAILS
>
> The file ncurses/tty/lib_mvcur.c contains functions for moving around
> the cursor. Some of the functions contain calls to strcpy() without
> bound checking. The target of the strcpy's is a local fixed size buffer
> in onscreen_mvcur():
>
> static inline int
> onscreen_mvcur(int yold,int xold,int ynew,int xnew, bool ovw)
> /* onscreen move from (yold, xold) to (ynew, xnew) */
> {
>     char use[OPT_SIZE], *sp;
>
>
> ... a few lines later:
>
>     sp = tparm(SP->_address_cursor, ynew, xnew);
>     if (sp)
>     {
>         tactic = 0;
>         (void) strcpy(use, sp);
>
>
> The function tparm() returns a control string for screen manipulation,
> originating from the terminfo file read according to the environment
> variables TERM and TERMINFO_DIRS. Even though ncurses implementations
> on some platforms reportedly ignore TERMINFO_DIRS while running
> setuid/setgid, they check ~/.terminfo/ for the capability files in any
> case.
>
> OPT_SIZE seems to be defined as 512. tparm() can be made return a
> string of arbitrary length containing arbitrary data, so exploitation is
> usually quite trivial. There are a few of similar strcpy() calls in
> other functions in the file. Many other ncurses functions may also call
> the cursor moving functions (e.g. endwin()) so in order to be
> vulnerable, a program needn't call mvcur().
>
>
>
> SOLUTION
>
> The authors of ncurses and OS vendors have been informed over a week
> ago and they have, or will release fix packages shortly.
>
>
>
> TEMPORARY WORKAROUND
>
> A temporary solution is to remove the setuid/setgid bits of programs
> using ncurses. To check if a program uses ncurses, type (on most
> systems):
>
>     ldd /path/to/program
>
> If libncurses or libocurses is mentioned in the library listing and the
> program is setuid/setgid, then there's a possibility for it to be
> exploited. If 'ldd' doesn't exist on the system (or the program is
> statically linked) you can try something like
>
>     grep -li TERMINFO /path/to/program
>
> If it outputs the file path, the program probably uses ncurses or
> derivative.
>
> To remove the setuid/setgid bits, issue the command:
>
>     chmod ug-s /path/to/file
>
>
>
> CREDITS AND ACKNOWLEDGEMENTS
>
> Vulnerability discovered by: Jouko Pynnönen
>
> Thanks and greets to: Emil Valsson (for providing a FreeBSD test box),
> Esa Etelävuori, ncurses people, cc-opers@IRCNet
>
>
>
> - --
> Jouko Pynnönen          Online Solutions Ltd       Secure your Linux -
> jouko@solutions.fi                                 http://www.secmod.com
>
> ------- End of Forwarded Message
>
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Nov 7 1:20:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 20D5537B6B9 for ; Tue, 7 Nov 2000 01:20:39 -0800 (PST)
Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id eA79Kbg20696; Tue, 7 Nov 2000 04:20:37 -0500 (EST)
Date: Tue, 7 Nov 2000 04:20:37 -0500 (EST)
From: Trevor Johnson
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

A few minutes ago, I wrote:

> The older libcurses present in FreeBSD 2.x
> and 3.x has not been sufficiently tested for the vulnerabilities discussed in
> this advisory. However, according to a report by Valentin Nechayev, FreeBSD
> 3.5-STABLE does not exhibit them.

Now I notice http://www.securityfocus.com/templates/advisory.html?id=2269 which says that ncurses 1.8.6 in FreeBSD 3.4 has a problem which sounds like the same one.
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Nov 7 3:10:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from odin.localnet (c193.150.204.186.cm-upc.chello.se [193.150.204.186]) by hub.freebsd.org (Postfix) with ESMTP id 1DF8037B4CF for ; Tue, 7 Nov 2000 03:10:52 -0800 (PST)
Received: (from gunnark@localhost) by odin.localnet (8.11.1/8.11.1) id eA7BAna65685 for freebsd-security@freebsd.org; Tue, 7 Nov 2000 12:10:49 +0100 (CET) (envelope-from gunnark)
Date: Tue, 7 Nov 2000 12:10:49 +0100
From: Gunnar Kreitz
To: freebsd-security@freebsd.org
Subject: Re: OPEN SSH Weirdness
Message-ID: <20001107121049.A65595@chello.se>
References: <3A072E46.201ACD0E@innoverity.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <3A072E46.201ACD0E@innoverity.com>; from nicholas@innoverity.com on Mon, Nov 06, 2000 at 05:18:46PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Nov 06, 2000 at 05:18:46PM -0500, nicholas bernstein wrote:
> sshd errors:
> gandalf# sshd
> error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
> Disabling protocol version 2

Perhaps you generated the DSA host key with a password, which results in exactly this error message.

--
Gunnar Kreitz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Nov 7 4:56:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gwdu60.gwdg.de (gwdu60.gwdg.de [134.76.98.60]) by hub.freebsd.org (Postfix) with ESMTP id 982E237B4D7; Tue, 7 Nov 2000 04:56:28 -0800 (PST)
Received: from localhost (kheuer@localhost) by gwdu60.gwdg.de (8.9.3/8.9.3) with ESMTP id NAA01058; Tue, 7 Nov 2000 13:56:21 +0100 (CET) (envelope-from kheuer@gwdu60.gwdg.de)
Date: Tue, 7 Nov 2000 13:56:21 +0100 (CET)
From: Konrad Heuer
To: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: TCPDUMP patch v1.1 and AppleTalk
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This morning I applied the tcpdump v1.1 patch for 4.x-R on a 4.1-R system with following configuration:

ti0     Gigabit-Link    IPv4 interface
xl0     Fast Ethernet   AppleTalk interface

options NETATALK is included in the kernel config since the host uses the netatalk package exports the home directories for MAC users (the system does a good job since August).

After patching and installing, tcpdump can't be used anymore since it puts very heavy load onto the network via xl0 and AppleTalk broadcast messages (one message each 0.2 ms).

Sorry, in the moment I don't know more details ...

Konrad Heuer                                   Personal Bookmarks:
Gesellschaft für wissenschaftliche
   Datenverarbeitung mbH Göttingen             http://www.freebsd.org
Am Faßberg, D-37077 Göttingen                  http://www.daemonnews.org
Deutschland (Germany)

kheuer@gwdu60.gwdg.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Nov 7 8:21:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rerun.lucentctc.com (rerun.lucentctc.com [199.93.237.2]) by hub.freebsd.org (Postfix) with ESMTP id D7CEF37B4C5 for ; Tue, 7 Nov 2000 08:21:48 -0800 (PST)
Received: by rerun.lucentctc.com with Internet Mail Service (5.5.2650.21) id ; Tue, 7 Nov 2000 11:21:47 -0500
Message-ID: <443F9E4C6D67D4118C9800A0C9DD99D7108136@rerun.lucentctc.com>
From: "Cambria, Mike"
To: "'freebsd-security@freebsd.org'"
Subject: IPSec policy vs. next hop route
Date: Tue, 7 Nov 2000 11:21:40 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

When a packet arrives on a FreeBSD 4.1.1-Stable machine, what takes precedence, the IP forwarding table's next hop or the IPSec policy?

I have an (ESP) tunnel defined between two FreeBSD machines. Subnets (addresses changed) 192.168.8.0/24 and 192.168.6.0/24 currently use a tunnel setup over 10.1.1.1-10.1.1.2 (interface xl0). Things are working.

192.168.6.0 --|-- 192.168.6.1 -- FreeBSD -- 10.1.1.1 --
              |                   Left                  |
                      -- 10.1.1.2 -- FreeBSD -- 192.168.8.1 --
                                                              | 192.168.8.0
                                      Right

Shortly, I'll enable routing on the machines as well as other interfaces that are not shown above (e.g. Subnet 172.16.6.1 on FreeBSD left, 172.16.8.0 on FreeBSD Right.) Also not shown is the existing connectivity between these Subnets.

When routing is enabled, *if* packets from 172.16.6.0 destined to 192.168.8.0 arrive at FreeBSD Left (since I have not tried to figure out how to have route updates sent over the tunnel yet), what does FreeBSD do? When the packet arrives, does FreeBSD follow the next hop in the routing table to 192.168.8.0 or does the IPSec policy (use the tunnel for packets from 192.168.6.0 to 192.168.8.0) get used? Thanks, MikeC Michael C. Cambria Avaya Inc. Former Enterprise Networks Group of Lucent Technologies Voice: (978) 287 - 2807 300 Baker Avenue Fax: (978) 287 - 2810 Concord, Massachusetts 01742 Internet: mcambria@avaya.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 7 10:27:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (mail.dobox.com [208.187.122.44]) by hub.freebsd.org (Postfix) with ESMTP id 8F60837B479 for ; Tue, 7 Nov 2000 10:27:27 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 13tDTk-0000KO-00 for security@freebsd.org; Tue, 07 Nov 2000 11:28:16 -0700 Message-ID: <3A0849C0.750F0EF6@softweyr.com> Date: Tue, 07 Nov 2000 11:28:16 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: security@freebsd.org Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:61.tcpdump [REISSUED] References: <20001106195827.5C6BA37B4CF@hub.freebsd.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org FreeBSD Security Advisories wrote: > > II. Problem Description > > Several overflowable buffers were discovered in the version of tcpdump > included in FreeBSD, during internal source code auditing. Does this problem manifest itself in the ethereal port as well? 
I don't know how closely related the code between the two might be. I've taken a cursory look and it isn't identical, but tcpdump is mentioned several places in the source. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 7 15:14: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141]) by hub.freebsd.org (Postfix) with ESMTP id EE6EC37B479 for ; Tue, 7 Nov 2000 15:14:01 -0800 (PST) Received: from nwl.fw.uunet.co.za ([196.31.2.162]) by lists01.iafrica.com with esmtp (Exim 3.12 #2) id 13tHw5-000234-00 for security@freebsd.org; Wed, 08 Nov 2000 01:13:49 +0200 Received: (from nobody@localhost) by nwl.fw.uunet.co.za (8.8.8/8.6.9) id BAA06279 for ; Wed, 8 Nov 2000 01:12:43 +0200 (SAST) Received: by nwl.fw.uunet.co.za via recvmail id 6257; Wed Nov 8 01:12:13 2000 Received: from bofh.fw.uunet.co.za (bofh.fw.uunet.co.za [172.16.3.35]) by kg.fw.uunet.co.za (Postfix) with ESMTP id 2505E1AEBA for ; Wed, 8 Nov 2000 01:12:13 +0200 (SAST) Received: from localhost (localhost [127.0.0.1]) by bofh.fw.uunet.co.za (Postfix) with ESMTP id C91A75C2C for ; Wed, 8 Nov 2000 01:12:12 +0200 (SAST) Date: Wed, 8 Nov 2000 01:11:23 +0200 (SAST) From: Khetan Gajjar X-Sender: khetan@bofh.fw.uunet.co.za To: security@freebsd.org Subject: FreeBSD ftpd and PAM_Radius Message-ID: X-Cell: +27 82 416 0160 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi. 
I'm trying to set up secure ftp access to a particular host, where the users exist in a Radius database, and on the local machine, but I want their Radius username/password to be used to authenticate them, and I want them to effectively be chrooted to a particular directory on the machine. I don't want their system password to allow them ftp access, and when they do ftp in I want them chrooted to one specific directory. I can't have them chrooted to their home directory, because that's not the directory they should be chrooted to. i.e. anyone who ftp's into the box must have their ftp session chrooted to one directory, and their system username/password must not let them on, only their Radius password should let them on. I'm trying to do this with the pam_radius module, but I'm not sure how to specify to which directory they should be chrooted to with ftpd. I don't want to use proftpd or wu-ftpd due to the high incidence of problems found in the two programs over the last 18 months. Does anyone have any ideas ? Khetan Gajjar.
--- khetan@uunet.co.za * Direct -> +27 21 658 8723 UUNET South Africa * Mobile -> +27 82 416 0105 http://www.uunet.co.za * Info Centre-> 08600 UUNET (88638) System Administration * PGP Key -> kg+details@uunet.co.za To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 7 20:39:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from tomts7-srv.bellnexxia.net (tomts7.bellnexxia.net [209.226.175.40]) by hub.freebsd.org (Postfix) with ESMTP id 511ED37B479; Tue, 7 Nov 2000 20:39:02 -0800 (PST) Received: from johnny5 ([64.229.55.24]) by tomts7-srv.bellnexxia.net (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20001108043852.NMGR20301.tomts7-srv.bellnexxia.net@johnny5>; Tue, 7 Nov 2000 23:38:52 -0500 Message-ID: <000e01c0493d$403d8460$0100000a@johnny5> Reply-To: "John Telford" From: "John Telford" To: , , References: <20001103215005.3885737B479@hub.freebsd.org> Subject: Re: Help with natd redirect address Please ???? Date: Tue, 7 Nov 2000 23:34:58 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks for the tips, here's what happened: Lukasz Dudek suggested I recompile without the IPFILTER options and I also changed rc.conf so that the NIC's were initialized first. See below for my new settings. This got the redirect working fine at my office on a DSL connection but when I took the box on-site it just wouldn't work with the other ISP's numbers. It's a wireless ISP, but that shouldn't matter according to the ISP. 
My initial plan was that since we really just wanted our other site on the same ISP to have access to the inside servers and not public traffic I was going to get them setup on a quick (yeah right) redirect then move them to a VPN solution after I gathered some information on it, see my post at net@freebsd.org "Re: Tips, How-To on VPN ?" So I set up a VPN tunnel using pipsec and it's working fine. I didn't get to research it as much as I wanted and will have to scrounge some test boxes to try it with ipsec but the users are happy they can move files across at 1mbs rather than 56k modems. Regards, John. P.S. to the E man at the Big O the -u didn't help at tempo either, oh well just hope Dave doesn't want to access the Mac server from home anytime soon. Here's my configs that redirect worked with on the DSL:
TEMfw3# more rc.conf
network_interfaces="auto" # List of network interfaces (or "auto").
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
ifconfig_fxp0="inet 216.208.171.XXX netmask 255.255.255.224"
ifconfig_fxp1="inet 10.150.0.241 netmask 255.255.255.0"
# named_enable="YES" # Run named, the DNS server (or NO).
defaultrouter="216.208.171.XXX"
sendmail_enable="NO"
gateway_enable="YES"
sshd_enable="YES"
inetd_enable="YES"
##############################################################
### Network configuration sub-section ######################
##############################################################
### Basic network and firewall/security options: ###
hostname="TEMfw3" # Set this!
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_type="OPEN" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="YES"
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_interface="fxp0" # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf" #
TEMfw3#
TEMfw3# more natd.conf
redirect_address 10.150.0.143 216.208.171.XXX
TEMfw3#
kernel settings:
# options MROUTING # Multicast routing
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #print information about
# dropped packets
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPDIVERT #divert sockets
options IPSTEALTH #support for stealth forwarding
options TCPDEBUG
# options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST
options "ICMP_BANDLIM"
options DUMMYNET
options BRIDGE
TEMfw3# eot
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 7 22:38:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 09FFB37B479 for ; Tue, 7 Nov 2000 22:38:51 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eA86d6I41382; Tue, 7 Nov 2000 22:39:06 -0800 (PST) (envelope-from kris) Date: Tue, 7 Nov 2000 22:39:05 -0800 From: Kris Kennaway To: Wes Peters Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:61.tcpdump [REISSUED] Message-ID: <20001107223905.A41350@citusc17.usc.edu> References: <20001106195827.5C6BA37B4CF@hub.freebsd.org> <3A0849C0.750F0EF6@softweyr.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="h31gzZEtNLTqOjlF" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A0849C0.750F0EF6@softweyr.com>; from wes@softweyr.com on Tue, Nov 07, 2000 at 11:28:16AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --h31gzZEtNLTqOjlF Content-Type: text/plain;
charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Nov 07, 2000 at 11:28:16AM -0700, Wes Peters wrote: > FreeBSD Security Advisories wrote: > > > > II. Problem Description > > > > Several overflowable buffers were discovered in the version of tcpdump > > included in FreeBSD, during internal source code auditing. > > Does this problem manifest itself in the ethereal port as well? I don't > know how closely related the code between the two might be. I've taken > a cursory look and it isn't identical, but tcpdump is mentioned several > places in the source. Could be - I haven't checked. Someone should do that. Kris --h31gzZEtNLTqOjlF Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjoI9QkACgkQWry0BWjoQKUwkgCffnrLeImUDTumYHrgBMfQLczF XUsAoL4JnWN7gpI+9cH1rFRQjStdoTRx =4V/I -----END PGP SIGNATURE----- --h31gzZEtNLTqOjlF-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 7 22:39: 5 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 64A9737B479; Tue, 7 Nov 2000 22:39:00 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eA86e0P41395; Tue, 7 Nov 2000 22:40:00 -0800 (PST) (envelope-from kris) Date: Tue, 7 Nov 2000 22:39:59 -0800 From: Kris Kennaway To: Konrad Heuer Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: TCPDUMP patch v1.1 and AppleTalk Message-ID: <20001107223959.B41350@citusc17.usc.edu> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="24zk1gE8NUlDmwG9" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from
kheuer@gwdu60.gwdg.de on Tue, Nov 07, 2000 at 01:56:21PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --24zk1gE8NUlDmwG9 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Nov 07, 2000 at 01:56:21PM +0100, Konrad Heuer wrote: > After patching and installing, tcpdump can't be used anymore since it puts > very heavy load onto the network via xl0 and AppleTalk broadcast messages > (one message each 0.2 ms). Sorry, in the moment I don't know more details > ... tcpdump shouldn't be sending any appletalk packets, I thought (I may be wrong, never used it on an appletalk network). Are you sure this is the problem? Kris --24zk1gE8NUlDmwG9 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjoI9T8ACgkQWry0BWjoQKUG8QCcD+cR/YwWPe+eDTTsUZfv0ldu yJQAoLDxYY4xSxE04sbvoH8V6GPWHL5R =CSXv -----END PGP SIGNATURE----- --24zk1gE8NUlDmwG9-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 8 2: 4: 0 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.kyx.net (cr95838-b.crdva1.bc.wave.home.com [24.113.50.147]) by hub.freebsd.org (Postfix) with ESMTP id E909437B479; Wed, 8 Nov 2000 02:03:55 -0800 (PST) Received: from smp.kyx.net (unknown [10.22.22.45]) by mail.kyx.net (Postfix) with SMTP id 479291DC03; Wed, 8 Nov 2000 02:06:25 -0800 (PST) From: Dragos Ruiu Organization: kyx.net To: Kris Kennaway , Konrad Heuer Subject: Re: TCPDUMP patch v1.1 and AppleTalk Date: Wed, 8 Nov 2000 02:00:40 -0800 X-Mailer: KYX-CP/M [version core00-mail-92] Content-Type: text/plain Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG References: <20001107223959.B41350@citusc17.usc.edu> In-Reply-To: <20001107223959.B41350@citusc17.usc.edu> MIME-Version: 1.0 Message-Id: 
<0011080203080F.00551@smp.kyx.net> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 07 Nov 2000, Kris Kennaway wrote: > > On Tue, Nov 07, 2000 at 01:56:21PM +0100, Konrad Heuer wrote: > > > After patching and installing, tcpdump can't be used anymore since it puts > > very heavy load onto the network via xl0 and AppleTalk broadcast messages > > (one message each 0.2 ms). Sorry, in the moment I don't know more details > > ... > > tcpdump shouldn't be sending any appletalk packets, I thought (I may > be wrong, never used it on an appletalk network). Are you sure this is > the problem? I've never run this kind of a scenario here so I'm speaking from a vacuum of knowledge and pure conjecture... ;-) but could it be generating packets through name resolutions.... ??? Does it still generate the packets with -n ? cheers, --dr To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 8 2: 4:52 2000 Delivered-To: freebsd-security@freebsd.org Received: from gwdu60.gwdg.de (gwdu60.gwdg.de [134.76.98.60]) by hub.freebsd.org (Postfix) with ESMTP id 7EECB37B479; Wed, 8 Nov 2000 02:04:44 -0800 (PST) Received: from localhost (kheuer@localhost) by gwdu60.gwdg.de (8.9.3/8.9.3) with ESMTP id LAA05953; Wed, 8 Nov 2000 11:04:42 +0100 (CET) (envelope-from kheuer@gwdu60.gwdg.de) Date: Wed, 8 Nov 2000 11:04:42 +0100 (CET) From: Konrad Heuer To: Kris Kennaway Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: TCPDUMP patch v1.1 and AppleTalk In-Reply-To: <20001107223959.B41350@citusc17.usc.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 7 Nov 2000, Kris Kennaway wrote: > On Tue, Nov 07, 2000 at 01:56:21PM +0100, Konrad Heuer wrote: > > > After patching and installing, tcpdump can't be used 
anymore since it puts > > very heavy load onto the network via xl0 and AppleTalk broadcast messages > > (one message each 0.2 ms). Sorry, in the moment I don't know more details > > ... > > tcpdump shouldn't be sending any appletalk packets, I thought (I may > be wrong, never used it on an appletalk network). Are you sure this is > the problem? > > Kris > Well, I don't know exactly what happens but it seems to be more complex than I thought first. It doesn't happen each time I start tcpdump but when some circumstances meet which I don't know my FreeBSD host begins to flood the network with AppleTalk broadcast requests as long as tcpdump keeps running. Killing tcpdump kills this flooding, too. I've never observed such a situation before I applied the last patch, and I use tcpdump frequently to analyze the one or other problem. On the other hand, our network environment isn't static, of course, and I can't be sure about other things that may have been changed from day to day. Konrad To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 8 4: 7:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id A085537B479; Wed, 8 Nov 2000 04:07:24 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id NAA58160; Wed, 8 Nov 2000 13:07:21 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "John Telford" Cc: , , Subject: Re: Help with natd redirect address Please ????
References: <20001103215005.3885737B479@hub.freebsd.org> <000e01c0493d$403d8460$0100000a@johnny5> From: Dag-Erling Smorgrav Date: 08 Nov 2000 13:07:21 +0100 In-Reply-To: "John Telford"'s message of "Tue, 7 Nov 2000 23:34:58 -0500" Message-ID: Lines: 10 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "John Telford" writes: > Lukasz Dudek suggested I recompile without the IPFILTER options and I also > changed rc.conf so that the NIC's were initialized first. The order in which variables are assigned in rc.conf has absolutely no significance. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 8 7: 4:49 2000 Delivered-To: freebsd-security@freebsd.org Received: from css-1.cs.iastate.edu (css-1.cs.iastate.edu [129.186.3.24]) by hub.freebsd.org (Postfix) with ESMTP id F01E137B4C5; Wed, 8 Nov 2000 07:04:44 -0800 (PST) Received: from popeye.cs.iastate.edu (ghelmer@popeye.cs.iastate.edu [129.186.3.4]) by css-1.cs.iastate.edu (8.9.0/8.9.0) with ESMTP id JAA12259; Wed, 8 Nov 2000 09:04:44 -0600 (CST) Received: from localhost (ghelmer@localhost) by popeye.cs.iastate.edu (8.9.0/8.9.0) with ESMTP id JAA06305; Wed, 8 Nov 2000 09:04:41 -0600 (CST) X-Authentication-Warning: popeye.cs.iastate.edu: ghelmer owned process doing -bs Date: Wed, 8 Nov 2000 09:04:41 -0600 (CST) From: Guy Helmer To: Konrad Heuer Cc: Kris Kennaway , freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: TCPDUMP patch v1.1 and AppleTalk In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 8 Nov 2000, Konrad Heuer wrote: > > On Tue, 7 Nov 2000, Kris Kennaway wrote: > > > On Tue, Nov 07, 2000 at 
01:56:21PM +0100, Konrad Heuer wrote: > > > > > After patching and installing, tcpdump can't be used anymore since it puts > > > very heavy load onto the network via xl0 and AppleTalk broadcast messages > > > (one message each 0.2 ms). Sorry, in the moment I don't know more details > > > ... > > > > tcpdump shouldn't be sending any appletalk packets, I thought (I may > > be wrong, never used it on an appletalk network). Are you sure this is > > the problem? > > > > Kris > > Well, I don't know exactly what happens but it seems to be more complex > than I thought first. It doesn't happen each time I start tcpdump but when > some circumstances meet which I don't know my FreeBSD host begins to flood > the network with AppleTalk broadcast requests as long as tcpdump keeps > running. Killing tcpdump kills this flooding, too. I've never observed > such a situation before I applied the last patch, and I use tcpdump > frequently to analyze the one or other problem. On the other hand, our > network environment isn't static, of course, and I can't be sure about > other things that may have been changed from day to day. If you are running the daemon that supports Appletalk (is it netatalk?), perhaps the Appletalk daemon becomes confused when tcpdump puts the Ethernet interface into promiscuous mode. It may be that the daemon expects to see only the Appletalk traffic directed to it, and seeing *all* Appletalk traffic on the wire makes it go nuts. Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science Research Assistant, Dept.
of Computer Science --- ghelmer@cs.iastate.edu http://www.cs.iastate.edu/~ghelmer To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 8 8:46:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from aussie.org (hallam.lnk.telstra.net [139.130.54.166]) by hub.freebsd.org (Postfix) with ESMTP id CA48537B4C5 for ; Wed, 8 Nov 2000 08:46:01 -0800 (PST) Received: from frankenputer (frankenputer [172.29.58.2]) by aussie.org (8.11.1/8.11.1) with SMTP id eA8GjiV01486 for ; Thu, 9 Nov 2000 03:45:58 +1100 (EST) (envelope-from casonc@netplex.aussie.org) Message-ID: <015601c049a3$5dd17980$023a1dac@dsat.net.au> From: "Chris Cason" To: Subject: IPSEC tunnels fail with -stable kernel? Date: Thu, 9 Nov 2000 03:44:56 +1100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, I'm in a bit of a spot. I upgraded several FreeBSD 4.1 boxes via cvsup (tracking stable) and rebuilt, and now my previously-working IPSEC VPN's have stopped. The new kernel is at 4.2-BETA on the boxen in question, the old varied but one was as recent as October 14. I've done extensive testing and can find no obvious fault. The transport mode works fine, I have no problems with that. But the tunnels only seem to work one way; the packets leave the sending box and arrive at the receiving one (according to tcpdump), and are decoded by the kernel (according to netstat -sn there are no errors and the counters increment as expected). Yet the packets never seem to make it out of the kernel (or if they do, I can't find out what happens to them). Nothing else had changed in terms of my system configuration. 
Forwarding is still enabled and ipfw is not blocking the data. Has anyone else seen this ? Any suggestions ? -- Chris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 8 9: 2:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 89BC037B479 for ; Wed, 8 Nov 2000 09:02:53 -0800 (PST) Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by smtp1.sentex.ca (8.11.0/8.11.0) with ESMTP id eA8H2VQ59690; Wed, 8 Nov 2000 12:02:32 -0500 (EST) Message-Id: <5.0.0.25.0.20001108115420.076aeeb0@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.0 Date: Wed, 08 Nov 2000 11:56:56 -0500 To: "Chris Cason" , From: Mike Tancsa Subject: Re: IPSEC tunnels fail with -stable kernel? In-Reply-To: <015601c049a3$5dd17980$023a1dac@dsat.net.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 03:44 AM 11/9/00 +1100, Chris Cason wrote: >Has anyone else seen this ? Any suggestions ? I haven't tested it in a week or so. What sort of keying are you using ? Manual or racoon ? I am just rebuilding my two test boxes so I can't test it just yet.
---Mike ------------------------------------------------------------------------ Mike Tancsa, tel +1 519 651 3400 Sentex Communications mike@sentex.net Cambridge, Ontario Canada www.sentex.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 8 11:41:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from modemcable101.200-201-24.mtl.mc.videotron.ca (modemcable140.61-201-24.mtl.mc.videotron.ca [24.201.61.140]) by hub.freebsd.org (Postfix) with SMTP id 800FE37B479 for ; Wed, 8 Nov 2000 11:41:08 -0800 (PST) Received: (qmail 60807 invoked from network); 8 Nov 2000 19:41:04 -0000 Received: from patrak.local.mindstep.com (HELO PATRAK) (192.168.10.4) by jacuzzi.local.mindstep.com with SMTP; 8 Nov 2000 19:41:04 -0000 Message-ID: <06e701c049bb$df3a8440$040aa8c0@local.mindstep.com> From: "Patrick Bihan-Faou" To: References: Subject: Re: TCPDUMP patch v1.1 and AppleTalk Date: Wed, 8 Nov 2000 14:41:21 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > > If you are running the daemon that supports Appletalk (is it netatalk?), > perhaps the Appletalk daemon becomes confused when tcpdump puts the > Ethernet interface into promiscuous mode. It may be that the daemon > expects to see only the Appletalk traffic directed to it, and seeing *all* > Appletalk traffic on the wire makes it go nuts. > > This is very unlikely. I use a couple of machines with the netatalk+asun package installed and I never ever had the problems described above. None of the machines I use have the recent tcpdump patches so I can not check the bug. 
However I am positive that putting the interface in promiscuous mode does not confuse netatalk. Patrick. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 8 14:32:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from digitaldaemon.com (digitaldaemon.com [63.105.9.34]) by hub.freebsd.org (Postfix) with SMTP id 89DF537B4C5 for ; Wed, 8 Nov 2000 14:32:09 -0800 (PST) Received: (qmail 44273 invoked from network); 8 Nov 2000 22:29:26 -0000 Received: from unknown (HELO smartsoft.cc) (192.168.0.73) by digitaldaemon.com with SMTP; 8 Nov 2000 22:29:26 -0000 Message-ID: <3A09D41D.B14D809C@smartsoft.cc> Date: Wed, 08 Nov 2000 17:30:53 -0500 From: Jan Knepper Organization: Smartsoft, LLC X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: FreeBSD Security Subject: loopback: 127.0.0.0/8 or 127.0.0.0/16 or 127.0.0.0/24??? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi! I have been monitoring some network traffic lately and figured that at a certain moment my system wanted to send a package out to 127.0.0.2:25 via the interface that is connected to the internet (the external interface). Actually, my firewall blocked the packets, but I wondered why the heck it would try something like that to begin with. Next to that I wondered, since 127.0.0.0/8 is the loopback interface what is really going on and whether or not packets to or from 127.0.0.0/8 traveling through the external interface should be blocked or not. Should it be something else than 127.0.0.0/8 (/16? /24?). I know there are unregistered IP ranges RFC1918, but I didn't read anything about 127.0.0.0... Can anyone shed any light? Jan -- Jan Knepper Smartsoft, LLC 88 Petersburg Road Petersburg, NJ 08270 U.S.A.
http://www.smartsoft.cc/ http://www.mp3.com/pianoprincess Phone : 609-628-4260 FAX : 609-628-1267 FAX : 303-845-6415 http://www.fax4free.com/ Phone : 020-873-3837 http://www.xoip.nl/ (Dutch) FAX : 020-873-3837 http://www.xoip.nl/ (Dutch) In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 8 16:51:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from puck.firepipe.net (mcut-b-167.resnet.purdue.edu [128.211.209.167]) by hub.freebsd.org (Postfix) with ESMTP id 66DAA37B4C5 for ; Wed, 8 Nov 2000 16:51:13 -0800 (PST) Received: by puck.firepipe.net (Postfix, from userid 1000) id A20B219BE; Wed, 8 Nov 2000 19:51:03 -0500 (EST) Date: Wed, 8 Nov 2000 19:51:03 -0500 From: Will Andrews To: Jan Knepper Cc: FreeBSD Security Subject: Re: loopback: 127.0.0.0/8 or 127.0.0.0/16 or 127.0.0.0/24??? Message-ID: <20001108195103.B12659@puck.firepipe.net> Reply-To: Will Andrews References: <3A09D41D.B14D809C@smartsoft.cc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A09D41D.B14D809C@smartsoft.cc>; from jan@smartsoft.cc on Wed, Nov 08, 2000 at 05:30:53PM -0500 X-Operating-System: FreeBSD 4.1-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [ redirecting to -questions ] On Wed, Nov 08, 2000 at 05:30:53PM -0500, Jan Knepper wrote: > I have been monitoring some network traffic lately and figured > that at a certain moment my system wanted to send a package out > to 127.0.0.2:25 via the interface that is connected to the > internet (the external interface). Actually, my firewall blocked > the packets, but I wondered why the heck it would try something > like that to begin with. 
> Next to that I wondered, since 127.0.0.0/8 is the loopback > interface what is really going on and whether or not packets to > or from 127.0.0.0/8 traveling through the external interface > should be blocked or not. Should it be something else than > 127.0.0.0/8 (/16? /24?). I know there are unregistered IP ranges > RFC1918, but I didn't read anything about 127.0.0.0... > > Can anyone shed any light? It's 127.0.0.0/8, designated as a loopback IP block.. meaning that most any good firewall will block all data with an IP in this block, but allow it through lo0 (loopback interface). -- wca To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 8 16:54:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from puck.firepipe.net (mcut-b-167.resnet.purdue.edu [128.211.209.167]) by hub.freebsd.org (Postfix) with ESMTP id 4921537B479; Wed, 8 Nov 2000 16:54:15 -0800 (PST) Received: by puck.firepipe.net (Postfix, from userid 1000) id E007019DF; Wed, 8 Nov 2000 19:54:14 -0500 (EST) Date: Wed, 8 Nov 2000 19:54:14 -0500 From: Will Andrews To: Jan Knepper Cc: FreeBSD questions Subject: Re[2]: loopback: 127.0.0.0/8 or 127.0.0.0/16 or 127.0.0.0/24??? Message-ID: <20001108195414.C12659@puck.firepipe.net> Reply-To: Will Andrews Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i X-Operating-System: FreeBSD 4.1-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [ actually redirect to -questions, sorry for dupe ] On Wed, Nov 08, 2000 at 05:30:53PM -0500, Jan Knepper wrote: > I have been monitoring some network traffic lately and figured > that at a certain moment my system wanted to send a package out > to 127.0.0.2:25 via the interface that is connected to the > internet (the external interface).
Actually, my firewall blocked > the packets, but I wondered why the heck it would try something > like that to begin with. > Next to that I wondered, since 127.0.0.0/8 is the loopback > interface what is really going on and wether or not packets to > or from 127.0.0.0/8 traveling through the external interface > should be blocked or not. Should it be something else than > 127.0.0.0/8 (/16? /24?). I know there are unregistered IP ranges > RFC1918, but I didn't read anything about 127.0.0.0... > > Can anyone shed any light? It's 127.0.0.0/8, designated as a loopback IP block.. meaning that most any good firewall will block all data with an IP in this block, but allow it through lo0 (loopback interface). -- wca To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 8 18: 6:50 2000 Delivered-To: freebsd-security@freebsd.org Received: from aussie.org (hallam.lnk.telstra.net [139.130.54.166]) by hub.freebsd.org (Postfix) with ESMTP id 06BAF37B479 for ; Wed, 8 Nov 2000 18:06:44 -0800 (PST) Received: from frankenputer (frankenputer [172.29.58.2]) by aussie.org (8.11.1/8.11.1) with SMTP id eA926bV02754; Thu, 9 Nov 2000 13:06:39 +1100 (EST) (envelope-from casonc@netplex.aussie.org) Message-ID: <003c01c049f1$b24bec40$023a1dac@dsat.net.au> From: "Chris Cason" To: Cc: "Mike Tancsa" References: <5.0.0.25.0.20001108115420.076aeeb0@marble.sentex.ca> Subject: Re: IPSEC tunnels fail with -stable kernel? Date: Thu, 9 Nov 2000 13:04:19 +1100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I havent tested it in a week or so. What sort of keying are you using ? > Manual or racoon ? 
I am just rebuilding my two test boxes so I cant test it > just yet. Manual. Everything is done using the setkey utility; I don't use GIF or anything else. The tunnels just *stopped* the instant I put in the new kernel. As far as I can tell there's nothing wrong with sending data (e.g. a 'new' kernel system can ping an 'old' kernel system via an IPSEC tunnel and the old system will receive and reply to the ping with its own ESP packet going back to the originator, but it is then 'lost' in the sending system's kernel). A 'new' system talking to another 'new' system is just one way - the ESP gets to the destination but never emerges from it. If anyone else can confirm this problem and/or suggest a work-around I'd appreciate it. -- Chris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 8 18:11:41 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id CBE9437B4C5 for ; Wed, 8 Nov 2000 18:11:37 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eA92CYZ01786; Wed, 8 Nov 2000 18:12:34 -0800 (PST) (envelope-from kris) Date: Wed, 8 Nov 2000 18:12:34 -0800 From: Kris Kennaway To: Chris Cason Cc: freebsd-security@FreeBSD.ORG, Mike Tancsa Subject: Re: IPSEC tunnels fail with -stable kernel? 
Message-ID: <20001108181234.A1768@citusc17.usc.edu>

On Thu, Nov 09, 2000 at 01:04:19PM +1100, Chris Cason wrote:
> > I haven't tested it in a week or so. What sort of keying are you using ?
> > Manual or racoon ? I am just rebuilding my two test boxes so I can't test it
> > just yet.
>
> Manual. Everything is done using the setkey utility; I don't use GIF or
> anything else. The tunnels just *stopped* the instant I put in the new
> kernel.

Did you build world with the same sources? It may be one of the usual
class of problems with userland/kernel being out of sync.

Kris

From owner-freebsd-security Wed Nov 8 18:43:10 2000
Message-ID: <001501c049f6$c578baa0$023a1dac@dsat.net.au>
From: "Chris Cason"
To: "Kris Kennaway"
Subject: Re: IPSEC tunnels fail with -stable kernel?
Date: Thu, 9 Nov 2000 13:42:49 +1100

>> Manual. Everything is done using the setkey utility; I don't use GIF or
>> anything else. The tunnels just *stopped* the instant I put in the new
>> kernel.

>Did you build world with the same sources? It may be one of the usual
>class of problems with userland/kernel being out of sync.

Yes, I used cvsup to grab the latest stable sources immediately before
doing the build on all of the systems, and did a buildkernel,
installkernel and make world as per normal.

-- Chris

From owner-freebsd-security Wed Nov 8 23:30:33 2000
Date: Wed, 8 Nov 2000 23:30:16 -0800
From: "Crist J . Clark"
To: Jan Knepper
Cc: FreeBSD Security
Subject: Re: loopback: 127.0.0.0/8 or 127.0.0.0/16 or 127.0.0.0/24???
Message-ID: <20001108233016.P75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

On Wed, Nov 08, 2000 at 05:30:53PM -0500, Jan Knepper wrote:
> Hi!
>
> I have been monitoring some network traffic lately and figured
> that at a certain moment my system wanted to send a package out
> to 127.0.0.2:25 via the interface that is connected to the
> internet (the external interface). Actually, my firewall blocked
> the packets, but I wondered why the heck it would try something
> like that to begin with.
> Next to that I wondered, since 127.0.0.0/8 is the loopback
> interface what is really going on and whether or not packets to
> or from 127.0.0.0/8 traveling through the external interface
> should be blocked or not. Should it be something else than
> 127.0.0.0/8 (/16? /24?). I know there are unregistered IP ranges
> RFC1918, but I didn't read anything about 127.0.0.0...
>
> Can anyone shed any light?

  $ whois -a 127.0.0.0
  IANA (LOOPBACK)

     Netname: LOOPBACK
     Netnumber: 127.0.0.0

     Coordinator:
        Internet Corporation for Assigned Names and Numbers (IANA-ARIN) iana@IANA.ORG
        (310) 823-9358

     Record last updated on 02-Mar-1998.
     Database last updated on 8-Nov-2000 18:13:25 EDT.

  The ARIN Registration Services Host contains ONLY Internet Network
  Information: Networks, ASN's, and related POC's.
  Please use the whois server at rs.internic.net for DOMAIN related
  Information and whois.nic.mil for NIPRNET Information.

Since loopback dates back to the days of network classes, and it is a
Class A address, the mask is 255.0.0.0.

-- Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Thu Nov 9 4:48:31 2000
Message-ID: <001f01c04a4b$57ff84e0$023a1dac@dsat.net.au>
From: "Chris Cason"
Subject: [solved] Re: IPSEC tunnels fail with -stable kernel?
Date: Thu, 9 Nov 2000 23:48:19 +1100

>I'm in a bit of a spot. I upgraded several FreeBSD 4.1 boxes via
>cvsup (tracking stable) and rebuilt, and now my previously-working
>IPSEC VPN's have stopped. The new kernel is at 4.2-BETA on the boxen
>in question, the old varied but one was as recent as October 14.

I have found & solved this problem (at least from my point of view).

Version 1.7 of netinet6/ipsec.c (v1.3.2.3 of RELENG_4) which was put
into CVS a few days ago had the following added to the function
ipsec4_tunnel_validate () (at line 3151)

    if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL)
        return 0;

Since my SAD entries were configured to mode ANY (the default, which is
exactly what I want since I encrypt both the tunneled traffic for the
VPN and the normal transport-level traffic between the gateways), the
received tunneled traffic was all being dropped.

While I could work around this by not using mode ANY I chose to patch
instead - removing the above code from ipsec.c and rebuilding the
kernel solved the problem.

The question I have (and it's probably best asked in -bugs) is if this
is a bug or not. The change shown above was the only change (along with
ipsec6_tunnel_validate) between v1.6 and 1.7 of ipsec.c, so it must
have some logic behind it.

-- Chris

From owner-freebsd-security Thu Nov 9 7: 3: 9 2000
Message-Id: <200011091503.eA9F3lG19578@billy-club.village.org>
To: freebsd-announce@freebsd.org
Cc: security@freebsd.org, BUGTRAQ@securityfocus.com
Subject: New FreeBSD security Officer
Date: Thu, 09 Nov 2000 08:03:47 -0700
From: Warner Losh

Greetings!

I am resigning as FreeBSD's Security Officer. Over the past
several years I have enjoyed watching FreeBSD's security improve. The
change in attitude towards security issues of FreeBSD has been
refreshing to see. This improvement could not have happened without
the support of the FreeBSD committers.

I will be succeeded by Kris Kennaway. He has been my deputy for the
past ten months in charge of the ports system. As many of you have
noticed, he has been responsible for the FreeBSD project taking
security of the entire system to the next level. He has done an
excellent job coordinating the securing of the ports and the
dissemination of vulnerabilities to the public. The FreeBSD project
will be in good hands with Kris at the Security helm.

I will continue to be involved with FreeBSD and the FreeBSD security
team. Over the years this team has grown from the Security Officer and
his deputy to include key security personnel in the FreeBSD project who
have the time and energy to help maintain FreeBSD's security. This team
now consists of emeritus Security Officers, key security architects of
the FreeBSD project as well as project administrative personnel. The
team has grown to 7 members who contribute on a regular basis.

Warner Losh
FreeBSD core
Former FreeBSD Security Officer

From owner-freebsd-security Thu Nov 9 8:10:16 2000
Message-ID: <001101c04a67$87b88e40$9600a8c0@zal.ping.ru>
From: "Aleksey Zvyagin"
Subject: About FreeBSD securelevel
Date: Thu, 9 Nov 2000 21:10:08 +0500

Hello!

I have read the FreeBSD security document
(http://people.freebsd.org/~jkb/howto.html) and would like to improve
the doc about securelevel. I found some "exploits" for the securelevel
that it describes.
My language is bad, thus I will be brief.

If a system administrator sets up FreeBSD (FreeBSD 2.2.6 and later)
following this advice, then a hacker will lower the securelevel in the
following ways:

1. To correct the file /etc/default/rc.conf and lower the securelevel
   there.
2. To move /etc to /foo, then create a copy of /etc without schg flags,
   and then restart FreeBSD (after a correction of the /etc/rc.conf file).
3. To correct /etc/rc.conf.
4. To move the /usr/bin & /usr/sbin directories to /usr/foo1 /usr/foo2
   and then fake the system progs.
5. To correct some /etc/rc.* files so that /etc/rc exits on a shell
   error before setting kern.securelevel > 0.
6. All of the above changes come into effect when FreeBSD is restarted
   by the hacker, with the command "shutdown -r now" for example.

From the above exploits I see the following resolutions:

chflags schg to:
    /boot.config
    /kernel
    /boot/*
    /etc/rc*
    /etc/defaults/*
    /bin/*
    /sbin/*
    /usr/bin/*
    /usr/sbin/*
    /usr/lib/*

chflags sunlnk to:
    /etc
    /boot
    /bin
    /sbin
    /usr/bin
    /usr/sbin
    /usr/lib
    /etc/defaults

And I would like to offer you, for publication at FreeBSD, my toolkit
for lowering the securelevel on a remote server by the system
administrator, using a password file. Thus a hacker on the remote server
(at an ISP for example) will not be able to lower the securelevel, but
the system administrator will be able to lower the securelevel (far
from the server).

Does anybody need this toolkit?

P.S. Please forward your letters to the zal@ping.ru address (or
reply to the "From" address).

Thank you

Aleksey Zvyagin, Russia, system administrator and web programmer.
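
The flag list proposed in the message above can be checked mechanically. The following is an added example, not part of the original post and not FreeBSD project code: a Python audit that reports which of the listed paths lack schg or sunlnk. The function names are hypothetical, and it assumes os.lstat() exposes st_flags, as it does on FreeBSD.

```python
import glob
import os
import stat
import subprocess

# Path lists exactly as given in the message above.
SCHG_PATTERNS = ["/boot.config", "/kernel", "/boot/*", "/etc/rc*",
                 "/etc/defaults/*", "/bin/*", "/sbin/*", "/usr/bin/*",
                 "/usr/sbin/*", "/usr/lib/*"]
SUNLNK_DIRS = ["/etc", "/boot", "/bin", "/sbin", "/usr/bin", "/usr/sbin",
               "/usr/lib", "/etc/defaults"]


def missing_flag(path, flag, lstat=os.lstat):
    """Return None when `path` carries `flag`, otherwise a short reason."""
    try:
        st = lstat(path)      # lstat: inspect a symlink itself, not its target
    except OSError as exc:
        return "cannot stat (%s)" % exc.strerror
    flags = getattr(st, "st_flags", None)   # present only on BSD-derived systems
    if flags is None:
        return "platform has no file flags"
    return None if flags & flag else "flag not set"


def audit(schg_patterns=SCHG_PATTERNS, sunlnk_dirs=SUNLNK_DIRS,
          lstat=os.lstat, expand=glob.glob):
    """Return [(path, flag_name, reason)] for every path lacking its flag."""
    findings = []
    for pattern in schg_patterns:
        # A pattern that matches nothing is checked as a literal path,
        # so a missing file shows up as "cannot stat".
        for path in sorted(expand(pattern)) or [pattern]:
            reason = missing_flag(path, stat.SF_IMMUTABLE, lstat)
            if reason:
                findings.append((path, "schg", reason))
    for path in sunlnk_dirs:
        reason = missing_flag(path, stat.SF_NOUNLINK, lstat)
        if reason:
            findings.append((path, "sunlnk", reason))
    return findings


def securelevel():
    """Current kern.securelevel, or None when it cannot be read."""
    try:
        out = subprocess.run(["sysctl", "-n", "kern.securelevel"],
                             capture_output=True, text=True, check=True).stdout
        return int(out.strip())
    except (OSError, subprocess.CalledProcessError, ValueError):
        return None


if __name__ == "__main__":
    level = securelevel()
    if level is None or level < 1:
        # System flags can be cleared by root unless securelevel is above 0.
        print("kern.securelevel is %r: root can still clear schg/sunlnk" % level)
    for path, flag, reason in audit():
        print("%-30s %-6s %s" % (path, flag, reason))
```

The audit only reports flag state; the flags constrain root only while kern.securelevel is above 0.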

From owner-freebsd-security Thu Nov 9 9:59: 8 2000
Message-ID: <3A0AE5DF.39893E59@ursine.com>
Date: Thu, 09 Nov 2000 09:58:55 -0800
From: Michael Bryan
To: freebsd-security@freebsd.org
Subject: DOS vulnerability in BIND 8.2.2-P5

For those who haven't yet seen the messages in BugTraq, there is
a DOS vulnerability in BIND 8.2.2-P5. Sending a ZXFR request to
a server can cause it to crash. (The crash might happen a few
minutes after the ZXFR request, as it sets something up for a later
failure.) If BIND is setup to restrict zone transfers to only those
hosts that you trust, only those hosts can trigger the bug, so that's
the easiest way to protect yourself. Sites that don't have an
"allow-transfer" acl restriction on zone transfers are wide open to
this DOS attack, though, and there are apparently a lot of sites
which are wide open like this.

The original BugTraq article is here:

http://www.securityfocus.com/archive/1/143843

It appears that 8.2.3-T5B, 8.2.3-T6B and 9.0.0 are not vulnerable,
but 8.2.2-P3 and 8.2.2-P5 have been confirmed to be vulnerable under
FreeBSD.
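
The restriction described above is an allow-transfer address match list, set per zone or globally in the options block. As an added example (not part of the original post, and not ISC's code), this Python audit reads a named.conf and reports master and slave zones whose transfers are unrestricted; the sample configuration is constructed and the function names are hypothetical. It assumes, as the post says of BIND 8, that a zone with no allow-transfer anywhere accepts transfer requests from any host.

```python
import re

# Constructed sample in BIND 8 named.conf syntax (not from the original post).
SAMPLE_CONF = r'''
acl "secondaries" { 192.0.2.53; 198.51.100.53; };
options {
    /* no global allow-transfer */
};
zone "example.org" {
    type master;
    file "example.org.db";
    allow-transfer { "secondaries"; };
};
zone "example.net" {
    type master;        # no allow-transfer here or in options
};
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    allow-transfer { any; };
};
zone "." { type hint; file "named.root"; };
'''

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def tokenize(text):
    """Strip comments, then split into words, quoted strings, '{', '}', ';'.
    Simplification: comment markers inside quoted strings are not handled."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    text = re.sub(r'(//|#)[^\n]*', ' ', text)
    return TOKEN_RE.findall(text)

def parse_block(tokens, pos=0):
    """Parse statements up to the matching '}' or end of input.
    Returns (statements, next_pos); a statement is (words, sub_block_or_None)."""
    statements, words, block = [], [], None
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == '{':
            block, pos = parse_block(tokens, pos)
        elif tok == '}':
            break
        elif tok == ';':
            if words or block is not None:
                statements.append((words, block))
            words, block = [], None
        else:
            words.append(tok.strip('"'))
    return statements, pos

def find_block(statements, keyword):
    """Sub-block of the first statement that starts with `keyword`, else None."""
    for words, block in statements:
        if words and words[0] == keyword and block is not None:
            return block
    return None

def elements(block, acls, seen=()):
    """Flatten an address match list, expanding named acls (cycle-safe)."""
    out = []
    for words, sub in block:
        name = ' '.join(words)
        if sub is not None:                      # nested { ... } list
            out += elements(sub, acls, seen)
        elif name in acls and name not in seen:
            out += elements(acls[name], acls, seen + (name,))
        else:
            out.append(name)
    return out

def audit(conf_text):
    """Return {zone: verdict} for the master/slave zones in a named.conf text."""
    top, _ = parse_block(tokenize(conf_text))
    acls = {w[1]: b for w, b in top
            if len(w) == 2 and w[0] == 'acl' and b is not None}
    global_list = find_block(find_block(top, 'options') or [], 'allow-transfer')
    verdicts = {}
    for words, block in top:
        if len(words) < 2 or words[0] != 'zone' or block is None:
            continue
        ztype = next((w[1] for w, _ in block
                      if len(w) == 2 and w[0] == 'type'), None)
        if ztype not in ('master', 'slave'):
            continue                             # hint, forward, stub: not audited
        match_list = find_block(block, 'allow-transfer')
        if match_list is None:
            match_list = global_list             # zone inherits the options setting
        if match_list is None:
            verdict = 'OPEN: no allow-transfer in zone or options'
        elif 'any' in elements(match_list, acls):
            verdict = 'OPEN: allow-transfer matches "any"'
        else:
            verdict = 'restricted'
        verdicts[words[1]] = verdict
    return verdicts

if __name__ == "__main__":
    for zone, verdict in audit(SAMPLE_CONF).items():
        print(zone, "->", verdict)
```

A negated element such as "!any" is reported as-is rather than evaluated, so review anything the audit does not mark as plainly restricted.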

From owner-freebsd-security Thu Nov 9 10:16:39 2000
Date: Thu, 9 Nov 2000 20:18:32 +0200 (SAST)
From: Justin Stanford
To: Michael Bryan
Cc: freebsd-security@freebsd.org
Subject: Re: DOS vulnerability in BIND 8.2.2-P5

I could not get my 4.1.1-STABLE machine's named to crash no matter what I
did. Reports indicate any of the 4.x-STABLE branch are not vulnerable.

--
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

On Thu, 9 Nov 2000, Michael Bryan wrote:

>
> For those who haven't yet seen the messages in BugTraq, there is
> a DOS vulnerability in BIND 8.2.2-P5. Sending a ZXFR request to
> a server can cause it to crash. (The crash might happen a few
> minutes after the ZXFR request, as it sets something up for a later
> failure.) If BIND is setup to restrict zone transfers to only those
> hosts that you trust, only those hosts can trigger the bug, so that's
> the easiest way to protect yourself. Sites that don't have an
> "allow-transfer" acl restriction on zone transfers are wide open to
> this DOS attack, though, and there are apparently a lot of sites
> which are wide open like this.
>
>
> The original BugTraq article is here:
>
> http://www.securityfocus.com/archive/1/143843
>
> It appears that 8.2.3-T5B, 8.2.3-T6B and 9.0.0 are not vulnerable,
> but 8.2.2-P3 and 8.2.2-P5 have been confirmed to be vulnerable under
> FreeBSD.

From owner-freebsd-security Thu Nov 9 10:26:37 2000
Message-ID: <3A0AEC4C.6778898B@ursine.com>
Date: Thu, 09 Nov 2000 10:26:20 -0800
From: Michael Bryan
To: Justin Stanford
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DOS vulnerability in BIND 8.2.2-P5

Justin Stanford wrote:
>
> I could not get my 4.1.1-STABLE machine's named to crash no matter what I
> did. Reports indicate any of the 4.x-STABLE branch are not vulnerable.

Yes, 4.x (from at least 4.1-RELEASE on) uses BIND 8.2.3-T5B, which
does not appear to be vulnerable. I'm not sure what version of BIND
was in the various 3.x FreeBSD releases, but I think 8.1.2 was on
many of them, and a lot of people have upgraded to BIND 8.2.2-P5 on
those systems as well. (I haven't heard yet if 8.1.2 is vulnerable
to this DOS vulnerability).

From owner-freebsd-security Thu Nov 9 10:29:37 2000
Date: Thu, 9 Nov 2000 11:28:51 -0700 (MST)
From: Peter
To: Justin Stanford
Cc: Michael Bryan , freebsd-security@freebsd.org
Subject: Re: DOS vulnerability in BIND 8.2.2-P5

I bought the 4.0-Release version, cvsup to 4.1.1 stable (following
RELENG_4), did that update BIND also? Or will I have to cvsup my ports
and then build BIND from /usr/ports/whatever/BIND ?

On another note when I cvsup using the RELENG_4, that upgrades exactly
what? I know the kernel but what else? compiler?

**Random Fortune for this instance of pine**
To be intoxicated is to feel sophisticated but not be able to say it.

--- www.nul.cjb.net --- The Power to Crash!
--- www.FreeBSD.org --- The Power to Serve!

On Thu, 9 Nov 2000, Justin Stanford wrote:

> I could not get my 4.1.1-STABLE machine's named to crash no matter what I
> did. Reports indicate any of the 4.x-STABLE branch are not vulnerable.
>
>
>
> --
> Justin Stanford
> 082 7402741
> jus@security.za.net
> www.security.za.net
> IT Security and Solutions
>
>
> On Thu, 9 Nov 2000, Michael Bryan wrote:
>
> >
> > For those who haven't yet seen the messages in BugTraq, there is
> > a DOS vulnerability in BIND 8.2.2-P5. Sending a ZXFR request to
> > a server can cause it to crash. (The crash might happen a few
> > minutes after the ZXFR request, as it sets something up for a later
> > failure.) If BIND is setup to restrict zone transfers to only those
> > hosts that you trust, only those hosts can trigger the bug, so that's
> > the easiest way to protect yourself. Sites that don't have an
> > "allow-transfer" acl restriction on zone transfers are wide open to
> > this DOS attack, though, and there are apparently a lot of sites
> > which are wide open like this.
> >
> >
> > The original BugTraq article is here:
> >
> > http://www.securityfocus.com/archive/1/143843
> >
> > It appears that 8.2.3-T5B, 8.2.3-T6B and 9.0.0 are not vulnerable,
> > but 8.2.2-P3 and 8.2.2-P5 have been confirmed to be vulnerable under
> > FreeBSD.

From owner-freebsd-security Thu Nov 9 11:33: 3 2000
Message-ID: <3A0AFAC7.E5A7D470@nrmail.com>
Date: Thu, 09 Nov 2000 14:28:07 -0500
From: Bill Munger
To: freebsd-security@freebsd.org
Subject: Re: DOS vulnerability in BIND 8.2.2-P5

This DoS has no effect on my FreeBSD 4.1-RC2 machine running
bind-8.2.2-P5. Bind was compiled from source retrieved from the ISC
website, it is not the FreeBSD integrated version. All compile time
options are the defaults.

The only effect this attack had on the target machine was to place the
following in the logs each time:

Nov 9 13:14:18 hermes named[112]: approved ZXFR from [172.23.200.3].1602 for "zonehead.org"
Nov 9 13:14:18 hermes named[112]: unsupported XFR (type ZXFR) of "zonehead.org" (IN) to [172.23.200.3].1602

The transfer is allowed by the "allow-transfer" directive, but ZXFR is
unsupported, and named continues to function normally.

Again, bind-8.2.2-P5 direct from ISC does not seem to be vulnerable in
this configuration.

That is all.

From owner-freebsd-security Thu Nov 9 19:14:51 2000
Date: Thu, 9 Nov 2000 19:14:44 -0800 (PST)
From: Jeff Gray
To: Warner Losh
Cc: freebsd-announce@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: New FreeBSD security Officer

Warner,

Thanks so much for all your help and good work. It has not gone
unnoticed by lurkers such as myself.

Best Regards
jeff

On Thu, 9 Nov 2000, Warner Losh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> Greetings!
>
> I am resigning as FreeBSD's Security Officer. Over the past
> several years I have enjoyed watching FreeBSD's security improve. The
> change in attitude towards security issues of FreeBSD has been
> refreshing to see. This improvement could not have happened without
> the support of the FreeBSD committers.

From owner-freebsd-security Thu Nov 9 19:50:12 2000
From: "Jonathan M. Slivko"
To: "Jeff Gray" , "Warner Losh"
Subject: Re: New FreeBSD security Officer
Date: Thu, 9 Nov 2000 22:50:42 -0500

Warner/Jeff: I fully agree with what you said. However, let me add this:
FreeBSD-Security will never be the same without ya. Just my two cents.
-- Jonathan M. Slivko

----- Original Message -----
From: Jeff Gray
Sent: Thursday, November 09, 2000 10:23 PM
To: Warner Losh
Cc: freebsd-announce@FreeBSD.ORG; security@FreeBSD.ORG
Subject: Re: New FreeBSD security Officer

Warner,

Thanks so much for all your help and good work. It has not gone
unnoticed by lurkers such as myself.

Best Regards
jeff

On Thu, 9 Nov 2000, Warner Losh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> Greetings!
>
> I am resigning as FreeBSD's Security Officer. Over the past
> several years I have enjoyed watching FreeBSD's security improve. The
> change in attitude towards security issues of FreeBSD has been
> refreshing to see. This improvement could not have happened without
> the support of the FreeBSD committers.
------=_NextPart_001_0002_01C04A9F.7D1BC000--

From owner-freebsd-security Thu Nov 9 20: 3:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 6887D37B479 for ; Thu, 9 Nov 2000 20:03:43 -0800 (PST)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id XAA55096; Thu, 9 Nov 2000 23:03:34 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Thu, 9 Nov 2000 23:03:34 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Aleksey Zvyagin
Cc: freebsd-security@freebsd.org
Subject: Re: About FreeBSD securelevel
In-Reply-To: <001101c04a67$87b88e40$9600a8c0@zal.ping.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

These are well-known vulnerabilities that have been discussed in detail
previously: it is widely recognized that securelevels are a flawed scheme
that (in effect) attempts to be a subset of a mandatory integrity policy +
some diminished privilege availability.  The securelevel(8) man page
should be updated to indicate that it is not supported, and recent commits
to enable the securelevel in sysinstall's higher security profiles should
be reverted.  The securelevel functionality is inherited from BSD 4.4lite.

Robert N M Watson  FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org  NAI Labs, Safeport Network Services

From owner-freebsd-security Thu Nov 9 22:58:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from kyra.unloved.org (unknown [62.58.62.162]) by hub.freebsd.org (Postfix) with ESMTP id 8040B37B479 for ; Thu, 9 Nov 2000 22:58:17 -0800 (PST)
Received: from ashp by kyra.unloved.org with local (Exim 3.15 #1) id 13u89C-000Fbi-00 for freebsd-security@freebsd.org; Fri, 10 Nov 2000 07:58:50 +0100
Date: Fri, 10 Nov 2000 07:58:50 +0100
From: Ashley Penney
To: freebsd-security@freebsd.org
Subject: Re: New FreeBSD security Officer
Message-ID: <20001110075850.A57276@kyra.unloved.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from jmslivko@msn.com on Thu, Nov 09, 2000 at 10:50:42PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Nov 09, 2000 at 10:50:42PM -0500, Jonathan M. Slivko said:
> Warner/Jeff: I fully agree with what you said. However, let me add this: FreeBSD-Security will never be the same without ya. Just my two cents. -- Jonathan M. Slivko

Yeah, now the nightmares in the middle of the night about eight remote root
exploits will slowly fade away to a memory!  You lucky.. lucky... bugger!

--
[Jacquie(jacquie@electronicwhore.com)] ashpee is cuyute

From owner-freebsd-security Thu Nov 9 23:25:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from evilcode.com (evilcode.com [63.228.228.140]) by hub.freebsd.org (Postfix) with SMTP id 8CB9937B479 for ; Thu, 9 Nov 2000 23:25:55 -0800 (PST)
Received: (qmail 12809 invoked by uid 1000); 10 Nov 2000 07:25:49 -0000
Date: Thu, 9 Nov 2000 23:25:49 -0800
From: James
To: freebsd-security@freebsd.org
Subject: Re: New FreeBSD security Officer
Message-ID: <20001109232549.A11448@evilcode.com>
Mail-Followup-To: James , freebsd-security@freebsd.org
References: <20001110075850.A57276@kyra.unloved.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001110075850.A57276@kyra.unloved.org>; from ashp@unloved.org on Fri, Nov 10, 2000 at 07:58:50AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Nov 10, 2000 at 07:58:50AM +0100, Ashley Penney wrote:
> Yeah, now the nightmares in the middle of the night about eight remote root
> exploits will slowly fade away to a memory!  You lucky.. lucky... bugger!

I thought I was the only one that had those... and I'm not under any
pressure like the FreeBSD Security team is. I would hate to imagine how
many more I'd have if I were on it.
:-)

From owner-freebsd-security Fri Nov 10 0:55:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from web2904.mail.yahoo.com (web2904.mail.yahoo.com [128.11.68.47]) by hub.freebsd.org (Postfix) with SMTP id 57DED37B4CF for ; Fri, 10 Nov 2000 00:55:27 -0800 (PST)
Received: (qmail 19658 invoked by uid 60001); 10 Nov 2000 08:55:26 -0000
Message-ID: <20001110085526.19657.qmail@web2904.mail.yahoo.com>
Received: from [195.167.118.206] by web2904.mail.yahoo.com; Fri, 10 Nov 2000 00:55:26 PST
Date: Fri, 10 Nov 2000 00:55:26 -0800 (PST)
From: "Angelo a.k.a shagy"
Subject: stunnel, outlook express and qpopper
To: freebsd-security@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings i'm trying to wrap pop3 with stunnel (ssl)
I'm using FreeBSD 3.4
stunnel 3.4a (from the ports)
qpopper 3.1

I start qpopper with the following options
"qpopper 192.168.5.1:110 -S"

Then stunnel starts up like so
"stunnel -d pop3s -r 192.168.5.1:pop3"

When trying to access mail through outlook express I
get the following message.
"The server you are connected to is using a security
certificate that does not match its internet address.
Do you want to continue using this server?"

I've read that IE and Netscape have a hard coded list
of Certificate Authorities. And you can get this
message if you haven't had your server certificate
signed by a CA such as verisign. Is this an absolute
truth *or* is there a way around this? Or am I just
way off?!

Any help would be appreciated

Thanks in advance,
Ang

From owner-freebsd-security Fri Nov 10 0:57:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id ABBD137B4C5; Fri, 10 Nov 2000 00:57:24 -0800 (PST)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id JAA68123; Fri, 10 Nov 2000 09:57:21 +0100 (CET) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Peter
Cc: questions@freebsd.org
Subject: Re: DOS vulnerability in BIND 8.2.2-P5
References:
From: Dag-Erling Smorgrav
Date: 10 Nov 2000 09:57:21 +0100
In-Reply-To: Peter's message of "Thu, 9 Nov 2000 11:28:51 -0700 (MST)"
Message-ID:
Lines: 10
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Peter writes:
> On another note when I cvsup using the RELENG_4, that upgrades exactly
> what? I know the kernel but what else? compiler?

Everything, provided you 'make world' after cvsuping.

RTFM, and next time, ask your question on -questions.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Fri Nov 10 1: 6:42 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 5993037B479 for ; Fri, 10 Nov 2000 01:06:40 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Fri, 10 Nov 2000 01:05:13 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAA96a796439; Fri, 10 Nov 2000 01:06:36 -0800 (PST) (envelope-from cjc)
Date: Fri, 10 Nov 2000 01:06:35 -0800
From: "Crist J . Clark"
To: "Angelo a.k.a shagy"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: stunnel, outlook express and qpopper
Message-ID: <20001110010635.Z75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20001110085526.19657.qmail@web2904.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20001110085526.19657.qmail@web2904.mail.yahoo.com>; from shagy@rocketmail.com on Fri, Nov 10, 2000 at 12:55:26AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Nov 10, 2000 at 12:55:26AM -0800, Angelo a.k.a shagy wrote:
> Greetings i'm trying to wrap pop3 with stunnell (ssl)
> I'm using FreeBSD 3.4
> stunnel 3.4a (from the ports)
> qpopper 3.1
>
> I start qpopper with the following options
> "qpopper 192.168.5.1:110 -S"
>
> Then stunnel starts up like so
> "stunnel -d pop3s -r 192.168.5.1:pop3"
>
> When trying to access mail through outlook express I
> get the following message.
> "The server you are connected to is using a security
> certificate that does not match its internet address.
> Do you want to continue using this server?"
>
> I've read that IE and Netscape have a hard coded list
> of Certificate Authorities. And you can get this
> message if you haven't had your server certificate
> signed by a CA such as verisign. Is this an absolute
> truth *or* is there a way around this? Or am I just
> way off?!
>
> Any help would be appreciated

A self-signed certificate worked fine for me back when I used to run a
similar setup (UW-IMAP and POP3, stunnel, and MS OE). How did you make
your cert?
--
Crist J. Clark  cjclark@alum.mit.edu

From owner-freebsd-security Fri Nov 10 1:44:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ajax1.sovam.com (ajax1.sovam.com [194.67.1.172]) by hub.freebsd.org (Postfix) with ESMTP id 0930D37B479 for ; Fri, 10 Nov 2000 01:44:04 -0800 (PST)
Received: from ts12-a138.dial.sovam.com ([195.239.1.138]:3390 "EHLO pentium" ident: "NO-IDENT-SERVICE[2]" whoson: "-unregistered-" smtp-auth: TLS-CIPHER: TLS-PEER: ) by ajax1.sovam.com with ESMTP id ; Fri, 10 Nov 2000 12:43:40 +0300
Reply-To:
From: "Vladimir I. Kulakov"
To: "Michael Bryan" ,
Subject: Re: DOS vulnerability in BIND 8.2.2-P5
Date: Fri, 10 Nov 2000 12:44:07 +0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20001110094353Z836051-5940+45509@ajax1.sovam.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> For those who haven't yet seen the messages in BugTraq, there is
> a DOS vulnerability in BIND 8.2.2-P5.  Sending a ZXFR request to
> a server can cause it to crash.  (The crash might happen a few
> minutes after the ZXFR request, as it sets something up for a later
> failure.)  If BIND is setup to restrict zone transfers to only those
> hosts that you trust, only those hosts can trigger the bug, so that's
> the easiest way to protect yourself.  Sites that don't have an
> "allow-transfer" acl restriction on zone transfers are wide open to
> this DOS attack, though, and there are apparently a lot of sites
> which are wide open like this.

Yesterday, November 9, ISC already released fixed version 8.2.2-P7
without this vulnerability (see http://www.isc.org/ ).

-----------------------------------------------------
Vladimir I. Kulakov  http://www.kudesniki.ru/
VK9-RIPN  kulakov@kudesniki.ru  2:5020/779.27@fidonet.org

From owner-freebsd-security Fri Nov 10 5:42:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from web2904.mail.yahoo.com (web2904.mail.yahoo.com [128.11.68.47]) by hub.freebsd.org (Postfix) with SMTP id A1EEC37B479 for ; Fri, 10 Nov 2000 05:42:31 -0800 (PST)
Received: (qmail 29330 invoked by uid 60001); 10 Nov 2000 13:42:30 -0000
Message-ID: <20001110134230.29329.qmail@web2904.mail.yahoo.com>
Received: from [212.205.226.6] by web2904.mail.yahoo.com; Fri, 10 Nov 2000 05:42:30 PST
Date: Fri, 10 Nov 2000 05:42:30 -0800 (PST)
From: "Angelo a.k.a shagy"
Subject: Re: stunnel, outlook express and qpopper
To: freebsd-security@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Fri, Nov 10, 2000 at 12:55:26AM -0800, Angelo a.k.a shagy wrote:
> > Greetings i'm trying to wrap pop3 with stunnell (ssl)
> > I'm using FreeBSD 3.4
> > stunnel 3.4a (from the ports)
> > qpopper 3.1
> >
> > I start qpopper with the following options
> > "qpopper 192.168.5.1:110 -S"
> >
> > Then stunnel starts up like so
> > "stunnel -d pop3s -r 192.168.5.1:pop3"
> >
> > When trying to access mail through outlook express I
> > get the following message.
> > "The server you are connected to is using a security
> > certificate that does not match its internet address.
> > Do you want to continue using this server?"
> >
> > I've read that IE and Netscape have a hard coded list
> > of Certificate Authorities. And you can get this
> > message if you haven't had your server certificate
> > signed by a CA such as verisign. Is this an absolute
> > truth *or* is there a way around this? Or am I just
> > way off?!
> >
> > Any help would be appreciated
>
> A self-signed certificate worked fine for me back when I used to run a
> similar setup (UW-IMAP and POP3, stunnel, and MS OE). How did you make
> your cert?
> --

Hi, here is how I created the certificate....

First I generated the unencrypted server key
"openssl genrsa -out server.key 1024"

Then I created a server certificate request with the
unencrypted key
"openssl req -new -days 365 -key server.key -out newreq.pem"

Created my own Certificate Authority and self-signed.
(I used CA.pl to do this)
"perl CA.pl -newca" #made a certificate authority
"perl CA.pl -sign" #self-signed the request
#(I got a file named "newcert.pem" as a result)

Then I generated a dh file for stunnel
"openssl gendh -out dh 1024"

Put it all together like so
"cat server.key newcert.pem dh > stunnel.pem"

I also removed non operational text from
stunnel.pem.....the end result was similar to this.

---BEGIN RSA PRIVATE KEY---
[encoded key]
---END RSA PRIVATE KEY---
[empty line here]
---BEGIN CERTIFICATE---
[encoded certificate]
---END CERTIFICATE---
[empty line here]
---BEGIN DH PARAMETERS---
[encoded key]
---END DH PARAMETERS---

Everything seems to be working fine except for message
that I get from outlook.

Thanks,
Ang

From owner-freebsd-security Fri Nov 10 5:49:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.it-netservice.de (mail.it-netservice.de [213.179.64.4]) by hub.freebsd.org (Postfix) with ESMTP id 05E9037B479 for ; Fri, 10 Nov 2000 05:49:53 -0800 (PST)
Received: from phase2.intern.itns.de (phase2.intern.itns.de [192.168.2.209]) by mail.it-netservice.de (8.9.3/8.9.3) with ESMTP id OAA22049; Fri, 10 Nov 2000 14:51:49 +0100
Date: Fri, 10 Nov 2000 14:50:59 +0100 (CET)
From: Christian Ruediger Bahls
X-Sender: christian@phase2.intern.it-netservice.de
To: Aleksey Zvyagin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: About FreeBSD securelevel
In-Reply-To: <001101c04a67$87b88e40$9600a8c0@zal.ping.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

you certainly forgot:

chflags schg /

this implies chflags sunlnk /etc and is always a good idea ..
securelevel should be higher than 1 anyway
(ever spend a thought about an evil attacker that just erases
your hard disk with a single newfs ?)

chflags schg /etc/*wd*

is sometimes a good idea too .. prevents an attacker from creating
a user with uid=0 or a throw_away-account ..

also a

chflags -R sappnd /root

as this closes some holes in ssh
(authentication by ~/.ssh/authorized keys [schg would be better]
which can be faked after intrusion, known_hosts should be sappnd as well)

/etc/inetd.conf should be schg as well (trojan horses;Backdoors)
sshd_config, ssh_config as well

ok to make it short:

chflags -P -R schg /bin /sbin /etc/* /modules* /misc /kernel* /boot*
chflags -P -R sappnd /root
chflags nosappnd,schg /root/.ssh/authorized_keys /root/.*
chflags -P -R schg /usr

be careful not to include /home [where ever this is linked]
(in my case it has its own partition together with all user-writeable tmp's
so i have only one disk with quotas
/usr is mounted ro anyway)

chflags -P -R sunlnk /var
chflags -P -R schg /var/lib /var/games /var/crash /var/preserve
chflags sappnd /var/quotas
chflags -P -R sappnd /var/log

PS: never set /etc to sappnd because you will certainly get problems
with an undeletable /etc/nologin thus preventing you from logging in
remote after a reboot

PPS: use a securelevel > 1 if this machine is a firewall
this prevents an intruder from changing your firewall ruleset on the fly,
also make everything that has to do with your firewall schg .. :)

PPPS: for the real paranoid .. if you expect user to be able to use the
console mark /dev/console[ or better /dev/tty* as well] insecure
and disable kerneldebugger

yours .. tiptoe ..

On Thu, 9 Nov 2000, Aleksey Zvyagin wrote:

> Hello!
>
> I have read the security FreeBSD document
> (http://people.freebsd.org/~jkb/howto.html) and would
> like to improve the doc about securelevel
>
> I found some "exploits" for securelevel what it desribes. My language is bad
> thus i will be brief.
>
> If a system administrator will set FreeBSD (FreeBSD 2.2.6 and more) with
> these the advises then a hacker will low securelevel following ways:
>
> 1. to correct the file /etc/default/rc.conf and to low securelevel there
> 2. to move /etc to /foo and then to create a copy of /etc without schg flags
> and then restart FreeBSD (after a correction of /etc/rc.conf file)
> 3. To correct /etc/rc.conf
> 4. To move /usr/bin & /usr/sbin directories to /usr/foo1 /usr/foo2 and then
> to fake the system progs
> 5. To correct some /etc/rc.* files so as the /etc/rc exits at error of shell
> before the setting kern.securelevel > 0
> 6. All above changes come into effect at restart FreeBSD by hacker command
> "shutdown -r now" for example.
>
> >From the above exploits i see the following resolves:
>
> chflags schg to:
> /boot.config
> /kernel
> /boot/*
> /etc/rc*
> /etc/defaults/*
> /bin/*
> /sbin/*
> /usr/bin/*
> /usr/sbin/*
> /usr/lib/*
>
> chflags sunlnk to:
> /etc
> /boot
> /bin
> /sbin
> /usr/bin
> /usr/sbin
> /usr/lib
> /etc/defaults
>
> And i would like to offer you for a publication at FreeBSD my toolkit for a
> lowing securelevel at remote server of system administrator by password
> file. Thus the hacker of remote server (at ISP for example) will not be able
> to low securelevelbut the system administrator will be able to low
> securelevel (far from server). Do anybode need this toolkit?
>
> P.S. Please to forward me your letters to zal@ping.ru address (or reply to
> "From" address)
>
> Thank you
> Aleksey Zvyagin, Russia, system administrator and web programmer.
>

--
Christian Bahls  Networking Dep.
iT-netservice GmbH  Leipzig, Germany

From owner-freebsd-security Fri Nov 10 10: 2:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.whc.net (ns.whc.net [204.90.111.5]) by hub.freebsd.org (Postfix) with ESMTP id 5CF4137B479 for ; Fri, 10 Nov 2000 10:02:29 -0800 (PST)
Received: from null ([206.249.222.250]) by smtp.whc.net (8.10.1/8.10.1/kbp) with SMTP id for ; Fri, 10 Nov 2000 11:01:39 -0700 (MST)
Reply-To:
From: "Carlos Andrade"
To:
Subject: sshd error's (new at this)
Date: Fri, 10 Nov 2000 11:00:57 -0700
Message-ID: <000001c04b40$2de2c3c0$fadef9ce@copyco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Okay so I want to have a machine be accessible only by ssh 2 and OpenSSH
has the license that works for my company. I tried to load the OpenSSH
that came with 4.1.1 ports but it said that I needed openssl installed.
OpenSSL was supposedly in the system and it would not install from the
ports. So I removed it and installed the newest OpenSSL (.9 something),
no problems with that. I then installed OpenSSH 2.3 (portable) and as far
as I can see it installed fine.

So when I try to ssh as root to my own machine I get the following :

Nov 10 10:41:54 bsd sshd[221]: no modules loaded for 'sshd' service
Nov 10 10:41:54 bsd sshd[221]: no modules loaded for 'sshd' service
Nov 10 10:41:54 bsd sshd[221]: no modules loaded for 'sshd' service
Nov 10 10:41:54 bsd sshd[221]: fatal: PAM session setup failed[6]: Permission denied
Nov 10 10:41:54 bsd sshd[221]: fatal: PAM session setup failed[6]: Permission denied
Nov 10 10:41:54 bsd sshd[221]: fatal: PAM session setup failed[6]: Permission denied
Nov 10 10:41:54 bsd sshd[221]: no modules loaded for 'sshd' service
Nov 10 10:41:54 bsd sshd[221]: no modules loaded for 'sshd' service
Nov 10 10:41:54 bsd sshd[221]: no modules loaded for 'sshd' service

and then the connection closes

when I try to ssh from a Win98 machine (using puTTY) I get the same errors:

Nov 10 10:53:54 bsd sshd[229]: no modules loaded for 'sshd' service
Nov 10 10:53:54 bsd sshd[229]: no modules loaded for 'sshd' service
Nov 10 10:53:54 bsd sshd[229]: no modules loaded for 'sshd' service
Nov 10 10:53:54 bsd sshd[229]: fatal: PAM session setup failed[6]: Permission denied
Nov 10 10:53:54 bsd sshd[229]: fatal: PAM session setup failed[6]: Permission denied
Nov 10 10:53:54 bsd sshd[229]: fatal: PAM session setup failed[6]: Permission denied
Nov 10 10:53:54 bsd sshd[229]: no modules loaded for 'sshd' service
Nov 10 10:53:54 bsd sshd[229]: no modules loaded for 'sshd' service
Nov 10 10:53:54 bsd sshd[229]: no modules loaded for 'sshd' service

So did I do something wrong to not use the 2.1.1 from FreeBSD?

ps -auwx | grep sshd returns : pid 140
so I have no clue where the 221 and 229 come from.

sigh I thought it would just work(tm)...

Thanks in advance for any help,

Carlos Andrade

----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13
915.845.2119 fax
carlos@rjstech.com

From owner-freebsd-security Fri Nov 10 11:52:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pike.osd.bsdi.com (pike.osd.bsdi.com [204.216.28.222]) by hub.freebsd.org (Postfix) with ESMTP id 636AC37B4C5; Fri, 10 Nov 2000 11:52:20 -0800 (PST)
Received: from laptop.baldwin.cx (john@dhcp241.osd.bsdi.com [204.216.28.241]) by pike.osd.bsdi.com (8.11.0/8.9.3) with ESMTP id eAAJq6H78698; Fri, 10 Nov 2000 11:52:06 -0800 (PST) (envelope-from jhb@FreeBSD.org)
Message-ID:
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To:
Date: Fri, 10 Nov 2000 11:52:42 -0800 (PST)
From: John Baldwin
To: Robert Watson
Subject: Re: About FreeBSD securelevel
Cc: freebsd-security@FreeBSD.org, Aleksey Zvyagin
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 10-Nov-00 Robert Watson wrote:
>
> These are well-known vulnerabilities that have been discussed in detail
> previously: it is widely recognized that securelevels are a flawed scheme
> that (in effect) attempts to be a subset of a mandatory integrity policy +
> some diminished privilege availability.  The securelevel(8) man page
> should be updated to indicate that it is not supported, and recent commits
> to enable the securelevel in sysinstall's higher security profiles should
> be reverted.  The securelevel functionality is inherited from BSD 4.4lite.

We don't have MAC's yet though.  If you can provide a replacement for it,
then go ahead and axe it, otherwise, I wouldn't kill it yet.  When do you
expect to be able to replace its functionality?  If you will have it in by
5.0, then you can go ahead and say it is deprecated in 5.0 and 4.x now.
If not until 6.0, then just say it is deprecated in 5.0 only.  Regardless,
I wouldn't axe the functionality or the sysinstall hooks until the
replacement functionality is committed.

--

John Baldwin -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/

From owner-freebsd-security Fri Nov 10 14: 4:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id C641B37B479; Fri, 10 Nov 2000 14:04:29 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAAM5dW79171; Fri, 10 Nov 2000 14:05:39 -0800 (PST) (envelope-from kris)
Date: Fri, 10 Nov 2000 14:05:39 -0800
From: Kris Kennaway
To: Robert Watson
Cc: Aleksey Zvyagin , freebsd-security@FreeBSD.ORG
Subject: Re: About FreeBSD securelevel
Message-ID: <20001110140539.A79150@citusc17.usc.edu>
References: <001101c04a67$87b88e40$9600a8c0@zal.ping.ru>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="EVF5PPMfhYS0aIcm"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rwatson@FreeBSD.ORG on Thu, Nov 09, 2000 at 11:03:34PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--EVF5PPMfhYS0aIcm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Nov 09, 2000 at 11:03:34PM -0500, Robert Watson wrote:
>
> These are well-known vulnerabilities that have been discussed in detail
> previously: it is widely recognized that securelevels are a flawed scheme
> that (in effect) attempts to be a subset of a mandatory integrity policy +
> some diminished privilege availability.  The securelevel(8) man page
> should be updated to indicate that it is not supported, and recent commits
> to enable the securelevel in sysinstall's higher security profiles should
> be reverted.  The securelevel functionality is inherited from BSD 4.4lite.

Well, even though securelevel doesn't prevent security breaches, it
imposes a road block in order to get around them, and this can and
does stop some (admittedly not very bright) attackers. Since it's also
the best we have for now, I think the manpage should be updated to
document the failings of the system and that they will hopefully be
addressed in 5.0 with the trustedbsd MAC implementation.

I'll try and write something up over the weekend.

Kris

--EVF5PPMfhYS0aIcm
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjoMcTMACgkQWry0BWjoQKXm4QCgpuD5s7MjGzWdxad70j3wR4TC
kO0AoIDfNEmMZCbhazpNS1ngCRId5nRy
=9TMh
-----END PGP SIGNATURE-----

--EVF5PPMfhYS0aIcm--

From owner-freebsd-security Fri Nov 10 14:45:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id ACB9237B4C5; Fri, 10 Nov 2000 14:45:11 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:67.gnupg
Reply-To: security-advisories@freebsd.org
Message-Id: <20001110224511.ACB9237B4C5@hub.freebsd.org>
Date: Fri, 10 Nov 2000 14:45:11 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:67                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          gnupg fails to correctly verify signatures

Category:       ports
Module:         gnupg
Announced:      2000-11-10
Credits:        Jim Small
Affects:        Ports collection prior to the correction date.
Corrected:      2000-10-18
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

GnuPG is an implementation of the PGP digital signature/encryption
protocol.

II.  Problem Description

Versions of gnupg prior to 1.04 fail to correctly verify multiple
signatures contained in a single document. Only the first signature
encountered is actually verified, meaning that other data with invalid
signatures (e.g. data which has been tampered with by an attacker)
will not be verified, and the entire document will be treated as
having valid signatures.

The gnupg port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 4100 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.1.1 are
vulnerable to this problem since it was discovered after the releases,
but it was corrected prior to the release of FreeBSD 4.2.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Documents containing multiple signed regions of data can be corrupted
or tampered with by an attacker without detection, as long as the
first signature in the document remains valid.

IV.  Workaround

Deinstall the gnupg port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the gnupg port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/gnupg-1.04.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/gnupg-1.04.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/security/gnupg-1.04.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/gnupg-1.04.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/security/gnupg-1.04.tgz

3) Download a new port skeleton for the gnupg port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOgx6dlUuHi5z0oilAQEGaAP+KXIJlLBgF7tXXtLWcyJkhI6mAxgMyHEJ
y+9RkI22mz7etMN1Nqm22Rj1cYBO99Q35lx4qJpuGftuRV+D9P6f5FbXMp+qhw24
K1t07eQhgiiNO1y9snvvEwwWtsHiosMFyIleFdbJwXoioqNsDFcByOwbG7zoEOOU
BfDBTmKtPvQ=
=1ZMA
-----END PGP SIGNATURE-----

From owner-freebsd-security Sat Nov 11 10:39:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from garm.bart.nl (garm.bart.nl [194.158.170.13]) by hub.freebsd.org (Postfix) with ESMTP id 767D937B479 for ; Sat, 11 Nov 2000 10:39:12 -0800 (PST)
Received: from daemon.chronias.ninth-circle.org (daemon.ninth-circle.org [195.38.210.81]) by garm.bart.nl (8.10.1/8.10.1) with ESMTP id eABIbnp23820; Sat, 11 Nov 2000 19:38:06 +0100 (CET)
Received: (from asmodai@localhost) by daemon.chronias.ninth-circle.org (8.11.0/8.11.0) id eABIauG74250; Sat, 11 Nov 2000 19:36:56 +0100 (CET) (envelope-from asmodai)
Date: Sat, 11 Nov 2000 19:36:55 +0100
From: Jeroen Ruigrok/Asmodai
To: Michael Bryan
Cc: freebsd-security@freebsd.org
Subject: Re: DOS vulnerability in BIND 8.2.2-P5
Message-ID: <20001111193655.D67634@daemon.ninth-circle.org>
References: <3A0AE5DF.39893E59@ursine.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <3A0AE5DF.39893E59@ursine.com>; from fbsd-secure@ursine.com on Thu, Nov 09, 2000 at 09:58:55AM -0800
Organisation: Ninth-Circle Enterprises
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-On [20001109 19:01], Michael Bryan (fbsd-secure@ursine.com) wrote:
>It appears that 8.2.3-T5B, 8.2.3-T6B and 9.0.0 are not vulnerable,
>but 8.2.2-P3 and 8.2.2-P5 have been confirmed to be vulnerable under
>FreeBSD.

It seems to be one of those bugs which has different effects on different platforms.

However, I will try to get the security updates in as soon as possible, just to be on the safe side of things.

--
Jeroen Ruigrok vd Werven/Asmodai asmodai@[wxs.nl|bart.nl|freebsd.org]
Documentation nutter/C-rated Coder BSD: Technical excellence at its best
The BSD Programmer's Documentation Project
I know you have tried, to feel...

From owner-freebsd-security Sat Nov 11 14:53: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ocis.ocis.net (ocis.ocis.net [209.52.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 5535837B479 for ; Sat, 11 Nov 2000 14:53:07 -0800 (PST)
Received: from localhost (vdrifter@localhost) by ocis.ocis.net (8.9.3/8.9.3) with ESMTP id OAA17412 for ; Sat, 11 Nov 2000 14:53:01 -0800
Date: Sat, 11 Nov 2000 14:53:01 -0800 (PST)
From: John F Cuzzola
To: freebsd-security@FreeBSD.ORG
Subject: SSH
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Everyone,
I've noticed recently that the latest releases of FreeBSD have SSH running
out-of-the-box. I would like to upgrade previous FreeBSD boxes from SSH
1.2x to a later copy that supports SSH protocol 1 & 2. I hear the SSH-1.2x
series may have a buffer overflow problem. Where do I find in the ports
the SSH version that is currently in use? I see there is a ssh-1.2.27
package but is this what's being installed now by default? is it OpenSSH
or other?

Thanks
John C.

From owner-freebsd-security Sat Nov 11 15: 3:56 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 7344537B479 for ; Sat, 11 Nov 2000 15:03:52 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eABN53G50900; Sat, 11 Nov 2000 15:05:03 -0800 (PST) (envelope-from kris)
Date: Sat, 11 Nov 2000 15:05:03 -0800
From: Kris Kennaway
To: John F Cuzzola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH
Message-ID: <20001111150503.A50871@citusc17.usc.edu>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="y0ulUmNC+osPPQO6"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from vdrifter@ocis.ocis.net on Sat, Nov 11, 2000 at 02:53:01PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--y0ulUmNC+osPPQO6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Nov 11, 2000 at 02:53:01PM -0800, John F Cuzzola wrote:
>
> Hello Everyone,
> I've noticed recently that the latest releases of FreeBSD have SSH running
> out-of-the-box. I would like to upgrade previous FreeBSD boxes from SSH
> 1.2x to a later copy that supports SSH protocol 1 & 2. I hear the SSH-1.2x
> series may have a buffer overflow problem. Where do I find in the ports
> the SSH version that is currently in use? I see there is a ssh-1.2.27
> package but is this what's being installed now by default? is it OpenSSH
> or other?

It's OpenSSH 2.2.0 in the base system. SSH 1.2.27 doesn't have any
known security issues except for the endemic weaknesses in the
protocol. Either SSH 2.x or OpenSSH talk the SSH2 protocols.

Kris

--y0ulUmNC+osPPQO6
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjoN0J8ACgkQWry0BWjoQKUIZgCeIBjZyJQnIWSZInY7VrmhCCBz
NmsAoOQHmCk/fuDvzd3BRMmS39jOUPY6
=AJBE
-----END PGP SIGNATURE-----

--y0ulUmNC+osPPQO6--

From owner-freebsd-security Sat Nov 11 15:18:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 5837237B479 for ; Sat, 11 Nov 2000 15:18:32 -0800 (PST)
Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id eABNI5v20924; Sat, 11 Nov 2000 18:18:05 -0500 (EST)
Date: Sat, 11 Nov 2000 18:18:04 -0500 (EST)
From: Trevor Johnson
To: John F Cuzzola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Where do I find in the ports
> the SSH version that is currently in use?

security/openssh/

> I see there is a ssh-1.2.27
> package but is this what's being installed now by default? is it OpenSSH
> or other?

SSH 1.2.12 begat OpenSSH.
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

From owner-freebsd-security Sat Nov 11 15:45:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 9949D37B479 for ; Sat, 11 Nov 2000 15:45:56 -0800 (PST)
Received: (qmail 53902 invoked by uid 1000); 11 Nov 2000 23:45:55 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Nov 2000 23:45:55 -0000
Date: Sat, 11 Nov 2000 17:45:55 -0600 (CST)
From: Mike Silbersack
To: Kris Kennaway
Cc: John F Cuzzola, freebsd-security@FreeBSD.ORG
Subject: Re: SSH
In-Reply-To: <20001111150503.A50871@citusc17.usc.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 11 Nov 2000, Kris Kennaway wrote:

> It's OpenSSH 2.2.0 in the base system. SSH 1.2.27 doesn't have any
> known security issues except for the endemic weaknesses in the
> protocol. Either SSH 2.x or OpenSSH talk the SSH2 protocols.
>
> Kris

Er, old 1.2.27 with old rsaref is root-exploitable.

Mike "Silby" Silbersack

From owner-freebsd-security Sat Nov 11 16: 6:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 2235C37B479; Sat, 11 Nov 2000 16:06:35 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAC07gv52905; Sat, 11 Nov 2000 16:07:42 -0800 (PST) (envelope-from kris)
Date: Sat, 11 Nov 2000 16:07:42 -0800
From: Kris Kennaway
To: Mike Silbersack
Cc: Kris Kennaway, John F Cuzzola, freebsd-security@FreeBSD.ORG
Subject: Re: SSH
Message-ID: <20001111160742.A52887@citusc17.usc.edu>
References: <20001111150503.A50871@citusc17.usc.edu>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="pWyiEgJYm5f9v55/"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from silby@silby.com on Sat, Nov 11, 2000 at 05:45:55PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--pWyiEgJYm5f9v55/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Nov 11, 2000 at 05:45:55PM -0600, Mike Silbersack wrote:
>
> On Sat, 11 Nov 2000, Kris Kennaway wrote:
>
> > It's OpenSSH 2.2.0 in the base system. SSH 1.2.27 doesn't have any
> > known security issues except for the endemic weaknesses in the
> > protocol. Either SSH 2.x or OpenSSH talk the SSH2 protocols.
> >
> > Kris
>
> Er, old 1.2.27 with old rsaref is root-exploitable.

Wasn't that 1.2.26? Anyway, I meant the FreeBSD port, which is fixed.

Kris

--pWyiEgJYm5f9v55/
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjoN304ACgkQWry0BWjoQKVzfACggm5H5Z1DVtigkkVUOHzqRTjP
7RsAn1i6GFmklyVE0w7YF1yKZKuw3vq9
=+gMo
-----END PGP SIGNATURE-----

--pWyiEgJYm5f9v55/--

From owner-freebsd-security Sat Nov 11 16:18:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id A6DE537B479 for ; Sat, 11 Nov 2000 16:18:24 -0800 (PST)
Received: (qmail 53945 invoked by uid 1000); 12 Nov 2000 00:18:23 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 12 Nov 2000 00:18:23 -0000
Date: Sat, 11 Nov 2000 18:18:23 -0600 (CST)
From: Mike Silbersack
To: Kris Kennaway
Cc: John F Cuzzola, freebsd-security@FreeBSD.ORG
Subject: Re: SSH
In-Reply-To: <20001111160742.A52887@citusc17.usc.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 11 Nov 2000, Kris Kennaway wrote:

> On Sat, Nov 11, 2000 at 05:45:55PM -0600, Mike Silbersack wrote:
> >
> > Er, old 1.2.27 with old rsaref is root-exploitable.
>
> Wasn't that 1.2.26? Anyway, I meant the FreeBSD port, which is fixed.
>
> Kris

1.2.27 and before was affected. Both the ssh port and rsaref port were
patched in short order, I recall.

However, we have no clue what age the 1.2.27 binary in question is. So,
while new installs aren't vulnerable, the original poster's system may be
at risk.

Mike "Silby" Silbersack

From owner-freebsd-security Sat Nov 11 18: 9: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from earth.wnm.net (earth.wnm.net [208.246.240.243]) by hub.freebsd.org (Postfix) with ESMTP id 84DD037B479 for ; Sat, 11 Nov 2000 18:09:06 -0800 (PST)
Received: from localhost (alex@localhost) by earth.wnm.net (8.11.0/8.11.0) with ESMTP id eAC2B3E90578; Sat, 11 Nov 2000 20:11:03 -0600 (CST)
Date: Sat, 11 Nov 2000 20:11:03 -0600 (CST)
From: Alex Charalabidis
To: John F Cuzzola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH
In-Reply-To: <20001111160742.A52887@citusc17.usc.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 11 Nov 2000, Kris Kennaway wrote:

> On Sat, Nov 11, 2000 at 05:45:55PM -0600, Mike Silbersack wrote:
> >
> > On Sat, 11 Nov 2000, Kris Kennaway wrote:
> >
> > > It's OpenSSH 2.2.0 in the base system. SSH 1.2.27 doesn't have any
> > > known security issues except for the endemic weaknesses in the
> > > protocol. Either SSH 2.x or OpenSSH talk the SSH2 protocols.
> > >
> > > Kris
> >
> > Er, old 1.2.27 with old rsaref is root-exploitable.
>
> Wasn't that 1.2.26? Anyway, I meant the FreeBSD port, which is fixed.
>

I'm pretty sure the 1.2.27 port is patched even if the actual ssh release
isn't (though I remember something being said about 1.2.27 and rsaref,
maybe it was the UseLogin bug). Anyway, you can always get 1.2.30 and
install it manually if, for some reason, you don't like the idea of
OpenSSH. Or pay for ssh 2.0.x.

-ac

--
==============================================================
Alex Charalabidis (AC8139)            5050 Poplar Ave, Ste 170
System Administrator                  Memphis, TN 38157
WebNet Memphis                        (901) 432 6000
Author, The Book of IRC               http://www.bookofirc.com/
==============================================================

From owner-freebsd-security Sat Nov 11 19: 4: 6 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id DB2F237B479 for ; Sat, 11 Nov 2000 19:04:03 -0800 (PST)
Received: (qmail 54087 invoked by uid 1000); 12 Nov 2000 03:03:59 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 12 Nov 2000 03:03:59 -0000
Date: Sat, 11 Nov 2000 21:03:58 -0600 (CST)
From: Mike Silbersack
To: Alex Charalabidis
Cc: John F Cuzzola, freebsd-security@FreeBSD.ORG
Subject: Re: SSH
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 11 Nov 2000, Alex Charalabidis wrote:

> I'm pretty sure the 1.2.27 port is patched even if the actual ssh release
> isn't (though I remember something being said about 1.2.27 and rsaref,
> maybe it was the UseLogin bug). Anyway, you can always get 1.2.30 and
> install it manually if, for some reason, you don't like the idea of
> OpenSSH. Or pay for ssh 2.0.x.

The UseLogin problem was OpenSSH specific, if I recall correctly. (If not
specific, it certainly affected OpenSSH as well.)

Mike "Silby" Silbersack

From owner-freebsd-security Sat Nov 11 20: 0:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 600B037B4C5 for ; Sat, 11 Nov 2000 20:00:57 -0800 (PST)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id XAA33966; Sat, 11 Nov 2000 23:00:49 -0500 (EST) (envelope-from wollman)
Date: Sat, 11 Nov 2000 23:00:49 -0500 (EST)
From: Garrett Wollman
Message-Id: <200011120400.XAA33966@khavrinen.lcs.mit.edu>
To: Alex Charalabidis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH
In-Reply-To:
References: <20001111160742.A52887@citusc17.usc.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> I'm pretty sure the 1.2.27 port is patched even if the actual ssh release

The patent having expired, ports/security/ssh no longer includes support
for RSAREF. Therefore, there is no longer any need to work around its
bugs.

-GAWollman
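
Added example for the FreeBSD-SA-00:67.gnupg advisory earlier in this digest (not code from GnuPG or the FreeBSD project): a verification policy that checks every clearsigned region of a document and also rejects text lying outside any signed region, shown beside a model of the first-signature-only behaviour the advisory describes. The function names, the constructed SAMPLE and the stand-in verifier are assumptions for illustration; gpg_verify assumes a gpg binary on PATH with the signer's key in the keyring.

```python
import subprocess

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample (placeholder armor, not real signatures): two regions, one stray line.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

release notes: build 1
-----BEGIN PGP SIGNATURE-----
placeholder-good
-----END PGP SIGNATURE-----
checksum list follows
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

checksum: 0000 (altered after signing)
-----BEGIN PGP SIGNATURE-----
placeholder-bad
-----END PGP SIGNATURE-----
"""

def split_regions(document):
    """Return (complete clearsigned blocks, non-blank lines outside them)."""
    regions, unsigned, current, state = [], [], None, "outside"
    for line in document.splitlines():
        mark = line.rstrip()
        if state != "outside":
            current.append(line)
        if state == "outside" and mark == BEGIN_MSG:
            current, state = [line], "text"
        elif state == "outside" and mark:
            unsigned.append(line)
        elif state == "text" and mark == BEGIN_SIG:
            state = "signature"
        elif state == "signature" and mark == END_SIG:
            regions.append("\n".join(current) + "\n")
            current, state = None, "outside"
    if current is not None:  # truncated block: covered by no signature
        unsigned.extend(l for l in current if l.strip())
    return regions, unsigned

def gpg_verify(region, gpg="gpg"):
    """Check one block with a local gpg (assumed on PATH, key in keyring)."""
    return subprocess.run([gpg, "--batch", "--verify"], input=region.encode(),
                          capture_output=True).returncode == 0

def first_only(document, verify=gpg_verify):
    """Model of the advisory's flaw (not GnuPG's code): first verdict covers all."""
    regions, _ = split_regions(document)
    return bool(regions) and verify(regions[0])

def verify_document(document, verify=gpg_verify):
    """Check every region; trust only if all verify and nothing is unsigned."""
    regions, unsigned = split_regions(document)
    failed = [n for n, r in enumerate(regions, 1) if not verify(r)]
    return {"regions": len(regions), "failed": failed, "unsigned_lines": unsigned,
            "trusted": bool(regions) and not failed and not unsigned}

if __name__ == "__main__":
    demo = lambda region: "placeholder-good" in region  # stand-in for gpg
    print(first_only(SAMPLE, demo), verify_document(SAMPLE, demo))
```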